WO2016050133A1 - Authentication credential replacement method and apparatus - Google Patents
- Publication number: WO2016050133A1 (application PCT/CN2015/089048)
- Authority: WO, WIPO (PCT)
- Prior art keywords
- credential
- account
- new
- password
- terminal device
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
- H04L9/16—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms the keys or algorithms being changed during operation
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
Definitions
- the present invention relates to the field of communications, and in particular, to a method and apparatus for authenticating credentials.
- firewalls or a NAT (Network Address Translation)
- UEs (user equipments)
- TURN (Traversal Using Relay Network Address Translation)
- the basic principle of the TURN scheme is that the terminal device is connected to the relay server in the public network through one or more NATs; the relay server allocates a public network address to the terminal device through a certain mechanism (the media relay address allocation phase), and the terminal device uses the public network address to determine a media relay path with the communication peer end, i.e. another terminal device (the media relay path connectivity check phase), and sends data to the communication peer end through the media relay path.
- in order to prevent illegal access, when the TURN connection is established between the terminal device and the relay server, the relay server needs to authenticate the terminal device.
- a long-term credential mechanism for authenticating terminal devices is defined in the TURN protocol.
- the so-called long-term credential authentication mechanism means that both the terminal device and the relay server pre-store a fixed account number and password, and each time the terminal device accesses the relay server it logs in with the fixed account and password; that is, during each TURN connection the relay server authenticates the terminal device with a fixed account number and password.
- in the process of authenticating the terminal device by using the long-term authentication mechanism, since the terminal device uses a fixed account and password to log in, the account and the password are easily broken offline, and the security risk is large. In addition, since the long-term authentication mechanism needs to store a fixed account and password in the terminal device, it may cause application limitations; for example, the long-term authentication mechanism does not apply to the WebRTC (Web Real-Time Communication) scenario.
- WebRTC (Web Real-Time Communication)
- the communication control function of the terminal device is generally implemented in the JavaScript scripting language, and the account and password stored in the terminal device are read directly by JavaScript; since the JavaScript is neither compiled nor encrypted, it can be read in plaintext, so the stored account and password are easily leaked. Therefore, the long-term authentication mechanism, which needs to save a fixed account and password in the terminal device, is not suitable for use in the WebRTC scenario.
- An embodiment of the present invention provides a method and an apparatus for replacing an authentication credential, which solve the problem in the prior art of the large security risk caused by a terminal device logging in with a fixed account and password, and the problem of application limitations caused by the terminal device needing to save a fixed account and password.
- a method for replacing an authentication credential comprising:
- the relay server receives the first account and the second credential sent by the signaling server, where the first account is the account in the first credential used by the relay server to authenticate the terminal device in the media relay address allocation phase;
- the second credential is a credential generated by the signaling server and used by the relay server to authenticate the terminal device in the media relay path connectivity check phase;
- the new first credential is a credential used when the relay server authenticates the terminal device in the next media relay address allocation phase, and replaces the first credential.
- the method further includes:
- generating, according to the second credential, a new first credential comprises: using the second credential as the new first credential; or generating the new first credential according to the first credential and the second credential.
- the first credential further includes a first password
- the second credential further includes a second password
- the new first credential includes a new first password; generating the new first credential according to the first credential and the second credential comprises: generating the new first password according to the first password and the second password.
- generating the new first password according to the first password and the second password includes: performing a one-way function calculation on the first password and the second password to obtain the new first password.
- the new first credential further includes a new first account; generating the new first credential according to the first credential and the second credential further comprises: generating the new first account according to the first account and the second account.
- generating the new first account according to the first account and the second account includes: performing a one-way function calculation on the first account and the second account to obtain the new first account.
- a method for replacing an authentication credential including:
- the relay server receives an update request message that is sent by the terminal device and includes the first account and the second account.
- the first account is the account number in the first credential used by the relay server to authenticate the terminal device in the media relay address allocation phase; the second account is the account number in the second credential, which is generated by the signaling server and used by the relay server to authenticate the terminal device during the media relay path connectivity check phase.
- the method further includes:
- generating, according to the second credential, a new first credential comprises: using the second credential as the new first credential; or generating the new first credential according to the first credential and the second credential.
- a relay server including:
- a receiving unit configured to receive a first account and a second credential sent by the signaling server, where the first account is the account in the first credential used by the relay server to authenticate the terminal device in the media relay address allocation phase, and the second credential is a credential generated by the signaling server and used by the relay server to authenticate the terminal device in the media relay path connectivity check phase;
- a replacement unit configured to generate a new first credential according to the second credential; wherein the new first credential is a credential used when the relay server authenticates the terminal device in the next media relay address allocation phase, and replaces the first credential.
- the relay server further includes:
- a sending unit configured to send, to the terminal device, an update indication message, where the update indication message is used to enable the terminal device to generate the new first credential according to the second credential.
- the replacing unit is specifically configured to:
- a relay server including:
- a receiving unit configured to receive, from the terminal device, an update request message that includes a first account and a second account, where the first account is the account number in the first credential used by the relay server to authenticate the terminal device in the media relay address allocation phase, and the second account is the account number in the second credential, which is generated by the signaling server and used by the relay server to authenticate the terminal device during the media relay path connectivity check phase;
- an authentication unit configured to authenticate the terminal device by using the second credential;
- a replacement unit configured to generate a new first credential according to the second credential after the authentication unit authenticates the terminal device successfully; wherein the new first credential is a credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase, and replaces the first credential.
- a fifth aspect provides a terminal device, including:
- An obtaining unit configured to obtain a first account; wherein the first account is an account in a first credential used by the relay server to authenticate the terminal device in the media relay address allocation phase;
- a receiving unit configured to receive a second account sent by the signaling server, where the second account is the account in the second credential, which is generated by the signaling server and used by the relay server to authenticate the terminal device in the media relay path connectivity check phase;
- a sending unit configured to send, to the relay server, an update request message that includes the first account and the second account, where the update request message is used to enable the relay server to generate a new first credential according to the second credential;
- the new first credential is a credential used by the relay server to authenticate the terminal device in a next media relay address allocation phase, for replacing the first credential.
- the sending unit is further configured to send a credential indication message to the signaling server, where the credential indication message is used to cause the signaling server to generate the second credential.
- the receiving unit is further configured to receive an update indication message sent by the relay server;
- the terminal device further includes: a replacement unit, configured to generate the new first credential according to the second credential.
- the relay server generates, by using the second credential of the media relay path connectivity check phase, a new first credential to replace the first credential of the media relay address allocation phase, thereby enabling dynamic replacement of authentication credentials.
- the method is applied to an authentication mechanism for authenticating a terminal device using a double credential (a first credential and a second credential).
- the authentication mechanism using the method of replacing the authentication credential does not easily allow the account and password to be broken offline, so the security risk is small; in addition, the authentication mechanism using the method of replacing the authentication credential only needs to store the first credential in the terminal device, and the first credential is dynamically updated, so this authentication mechanism does not need to save a fixed account and password in the terminal device, and its scope of application is relatively large.
- FIG. 1 is a flowchart of a method for replacing an authentication credential according to Embodiment 1 of the present invention
- FIG. 2 is a flowchart of a method for replacing an authentication credential according to Embodiment 2 of the present invention
- FIG. 3 is a flowchart of a method for replacing an authentication credential according to Embodiment 3 of the present invention
- FIG. 4 is a flowchart of a method for replacing an authentication credential provided by Embodiment 1 of the present invention
- FIG. 5 is a flowchart of a method for replacing an authentication credential according to Embodiment 2 of the present invention.
- FIG. 6 is a schematic structural diagram of a relay server according to Embodiment 4 of the present invention.
- FIG. 7 is a schematic structural diagram of another relay server according to Embodiment 4 of the present invention.
- FIG. 8 is a schematic structural diagram of a relay server according to Embodiment 5 of the present invention.
- FIG. 9 is a schematic structural diagram of another relay server according to Embodiment 5 of the present invention.
- FIG. 10 is a schematic structural diagram of a relay server according to Embodiment 6 of the present invention.
- FIG. 11 is a schematic structural diagram of another relay server according to Embodiment 6 of the present invention.
- FIG. 12 is a schematic structural diagram of a relay server according to Embodiment 7 of the present invention.
- FIG. 13 is a schematic structural diagram of another relay server according to Embodiment 7 of the present invention.
- FIG. 14 is a schematic structural diagram of a terminal device according to Embodiment 8 of the present invention.
- FIG. 15 is a schematic structural diagram of another terminal device according to Embodiment 8 of the present invention.
- FIG. 16 is a schematic structural diagram of a terminal device according to Embodiment 9 of the present invention.
- the technical solution provided by the embodiment of the present invention may be applied to a firewall/NAT traversal scenario in an IP (Internet Protocol) multimedia communication process, and may be applied to establish a TURN connection between the terminal device and the relay server in the scenario.
- IP multimedia communication may be a VoIP (Voice over Internet Protocol) session, an IP video communication, or the like.
- there are two kinds of logical channels in the process of a TURN connection: one is the TURN data channel for carrying the upper-layer VoIP media, and the other is the control information channel for establishing the data channel (hereinafter referred to as the "TURN control channel"); the TURN connection process includes a media relay address allocation phase and a media relay path connectivity check phase.
- the media relay address allocation phase is the phase in which the relay server allocates a media relay address to the terminal device, and specifically includes: the terminal device sends a media relay address request message to the relay server, and the relay server allocates a media relay address to the terminal device; the media relay address is used for media session negotiation between the terminal device and the communication peer.
- the "media relay path connectivity check phase" is the phase in which the terminal device sends a media relay path connectivity check (Connectivity Check) request message and then determines whether the media relay path is available by whether the connectivity check response message can be received.
- the media relay path connectivity check request message includes: the create permission request message, the TURN data channel binding request message (Channel Bind request), and the STUN (Simple Traversal of UDP through NAT) binding request message.
- create permission request message is used to enable the relay server to know the address of the communication peer end of the media relay address that is allowed to access the terminal device;
- the TURN data channel binding request message is used to create a link between the terminal device and the relay server.
- the TURN data channel is used to determine whether the message between the terminal device and the communication peer end can reach the communication peer end through the media relay path between the terminal device and the communication peer end.
- the interaction message between the relay server and the terminal device follows the TURN protocol, and the interaction message is referred to as a TURN control message.
- the TURN protocol stipulates that the relay server needs to authenticate the terminal device after receiving each TURN control message sent by the terminal device, and that the relay server needs to return a response message for each TURN control message (request message) sent by the terminal device.
- each TURN control message in the above "media relay address allocation phase" and "media relay path connectivity check phase" follows the TURN protocol.
- in the process of each TURN connection, the relay server can use the first credential and the second credential to authenticate the terminal device; to ensure the information security of the terminal device, the first credential used in any two TURN connections may be different, and the second credential used in any two TURN connections may be different.
- the "first credential" described below refers to the first credential used in the process of the current TURN connection, and the "second credential" refers to the second credential used in the process of the current TURN connection.
- the “relay server authenticates the terminal device” in the embodiment of the present invention may be: the relay server performs TURN authentication on the terminal device.
- the "relay server” in the embodiment of the present invention may be a TURN server or the like;
- the “signaling server” may be a VoIP server or the like, wherein the VoIP server may be a SIP server or a WebRTC server.
- a method for replacing an authentication credential provided by an embodiment of the present invention includes:
- the relay server receives the first account and the second credential sent by the signaling server, where the first account is the account number in the first credential used when the relay server authenticates the terminal device in the media relay address allocation phase, and the second credential is a credential generated by the signaling server and used by the relay server to authenticate the terminal device in the media relay path connectivity check phase.
- the first credential includes a first account number and a first password.
- the first credential may be a credential generated by the relay server when the account-opening service is issued to the terminal device; in the process of the nth (n ≥ 2, n an integer) TURN connection, the first credential may be the new first credential generated in the process of the (n-1)th TURN connection by using the technical solution provided by the embodiment of the present invention.
- the processes of two adjacent TURN connections may be for the same kind of IP multimedia communication (for example, both for VoIP sessions) or for different kinds of IP multimedia communication (for example, the process of one TURN connection is for a VoIP session, and the process of the other TURN connection is for IP video communication).
- the first credential may be stored in the relay server and the terminal device before the current TURN connection process, and has no relationship with the current TURN connection process.
- the second credential includes a second account number and a second password.
- the second credential can be a short-term credential generated by the signaling server for the ICE (Interactive Connectivity Establishment) client, or another kind of credential.
- the second credential is temporarily generated by the signaling server for the current TURN connection and is related to the current TURN connection; in addition, when the TURN connection is completed, the second credential can be deleted to save storage space.
- the method may further include: the terminal device sending a credential indication message to the signaling server, so that the signaling server generates the second credential according to the credential indication message.
- the terminal device may send the first account in the credential indication message to the signaling server, so that the signaling server identifies the first account by identifying the credential indication message; further, the signaling server sends the first account and the second credential to the relay server, so that the relay server identifies the second credential by identifying the first account.
- the signaling server may carry the first account and the second credential in the same message, and may also carry the first account and the second credential in different messages.
- the signaling server may send the first account and the second credential to a relay server in a message (for example, an H.248 message, etc.) in the prior art.
- the method may further include: establishing an interface between the relay server and the signaling server; wherein the interface is used to transmit an interaction message between the relay server and the signaling server.
- the method may further include: sending an update indication message to the terminal device, where the update indication message is used to enable the terminal device to generate the new first credential according to the second credential.
- the present embodiment does not limit the order in which the relay server performs the "send update indication message to the terminal device" step and step 102.
- the information used to indicate the update indication message may be carried in a message in the prior art, in order to reduce the number of signaling messages and improve resource utilization, or may be carried in a newly defined message.
- the update indication message may include an update rule, where the update rule may include, but is not limited to, any one of the following: update mode, update object, and update algorithm.
- the update mode may be the mode 1) or the mode 2) exemplified in the following step 102;
- the update object may be the first password and/or the first account;
- the update algorithm may be a “one-way function” algorithm or the like described below.
- the relay server may send the update indication message to the terminal device according to the update rule used in the implementation process of updating the first credential by itself, so that the implementation process of the relay server updating the first credential is the same as the implementation process of the terminal device updating the first credential;
- the relay server may negotiate the update rule with the terminal device in advance, and the terminal device updates the first credential by using the negotiated update rule when receiving the update indication message sent by the relay server.
- the new first credential is a credential used when the relay server authenticates the terminal device in the next media relay address allocation phase, and is used to replace the first credential.
- step 102 may include, but is not limited to, being implemented in the following two manners:
- Manner 1) the second credential is taken as the new first credential.
- Manner 2) the new first credential is generated according to the first credential and the second credential.
- the new first credential includes a new first password
- the manner 2) may include: generating the new first password according to the first password and the second password.
- the new first credential further includes a new first account
- the method 2) may further include: generating the new first account according to the first account and the second account.
- "calculating the new first password according to the first password and the second password" may include: performing a one-way function calculation on the first password and the second password to obtain the new first password.
- calculating the new first account according to the first account and the second account may include: performing a one-way function calculation on the first account and the second account to obtain the new first account.
- the one-way function may be a hash function or the like.
- the relay server replaces the first credential with the new first credential.
- in the method for replacing the authentication credential provided by the embodiment of the present invention, the relay server generates, by using the second credential of the media relay path connectivity check phase, a new first credential to replace the first credential of the media relay address allocation phase, thereby achieving dynamic replacement of the authentication credential.
- the method is applied to an authentication mechanism for authenticating a terminal device using a double credential (a first credential and a second credential). Compared with the long-term authentication mechanism in the prior art, the authentication mechanism using the method of replacing the authentication credential does not easily allow the account and password to be broken offline, so the security risk is small; in addition, since the authentication mechanism using the authentication credential replacement method only needs to store the first credential in the terminal device, and the first credential is dynamically updated, this authentication mechanism does not need to save a fixed account and password in the terminal device, so the scope of application is large.
- a method for replacing an authentication credential provided by an embodiment of the present invention includes:
- the relay server receives an update request message that is sent by the terminal device and includes the first account and the second account.
- the first account is the account number in the first credential used by the relay server to authenticate the terminal device in the media relay address allocation phase; the second account is the account number in the second credential, which is generated by the signaling server and used by the relay server to authenticate the terminal device during the media relay path connectivity check phase.
- step 201 may be implemented as follows: the relay server receives the media relay path connectivity check request message sent by the terminal device, where the media relay path connectivity check request message contains information for indicating an update request message.
- the media relay path connectivity check request message may be specifically: a create permission request message or a TURN data channel binding request message, and the like.
- the update request message may also be a newly defined message.
- the method may further include: sending an update indication message to the terminal device, where the update indication message is used to enable the terminal device to generate the new first credential according to the second credential.
- the embodiment of the present invention does not limit the authentication method in step 202, and may use the authentication method in the prior art.
- the method may further include: receiving the second credential sent by the signaling server; step 102 may include: acquiring, according to the second account included in the update indication message, the second credential to which the second account belongs, and authenticating the terminal device by using the second credential.
- “generating a new first credential according to the second credential” may include, but is not limited to, implemented in the following two manners:
- Manner 1) the second credential is taken as the new first credential.
- Manner 2) the new first credential is generated according to the first credential and the second credential.
- the new first credential includes a new first password
- the manner 2) may include: generating the new first password according to the first password and the second password.
- the new first credential further includes a new first account
- the method 2) may further include: generating the new first account according to the first account and the second account.
- "calculating the new first password according to the first password and the second password" may include: performing a one-way function calculation on the first password and the second password to obtain the new first password.
- calculating the new first account according to the first account and the second account may include: performing a one-way function calculation on the first account and the second account to obtain the new first account.
- the one-way function may be a hash function or the like.
- the relay server replaces the first credential with the new first credential.
- the method may further include: the relay server sending a response message of the authentication failure to the terminal device.
- when receiving a TURN control message that is sent by the terminal device and includes the second account, the relay server authenticates the terminal device by using the second credential. As specified in the TURN protocol, the relay server needs to authenticate the terminal device after receiving each TURN control message sent by the terminal device; therefore, each TURN control message sent by the terminal device to the relay server includes an account number, so that the relay server authenticates the terminal device according to the credential to which the account belongs.
- the TURN control message may also include a reference quantity corresponding to the account number; for the explanation and usage of the "reference quantity", refer to the related description below.
- in the method for replacing the authentication credential provided by the embodiment of the present invention, the relay server generates, by using the second credential of the media relay path connectivity check phase, a new first credential to replace the first credential of the media relay address allocation phase, thereby achieving dynamic replacement of the authentication credential.
- the method is applied to an authentication mechanism for authenticating a terminal device using a double credential (a first credential and a second credential).
- the authentication mechanism using the method of replacing the authentication credential does not easily allow the account and password to be broken offline, so the security risk is small; in addition, the authentication mechanism using the method of replacing the authentication credential only needs to store the first credential in the terminal device, and the first credential is dynamically updated, so this authentication mechanism does not need to save a fixed account and password in the terminal device, and its scope of application is relatively large.
- a method for replacing an authentication credential provided by an embodiment of the present invention includes:
- the terminal device obtains the first account, where the first account is an account in the first credential used by the relay server to authenticate the terminal device in the media relay address allocation phase.
- the method may further include: sending a credential indication message to the signaling server; wherein the credential indication message is used to cause the signaling server to generate the second credential.
- the credential indication message may be carried in a session call request message.
- Step 302 may be implemented as: receiving the second credential sent by the signaling server, where the second credential includes a second account and a second password.
- the second credential may be carried in the session call response message.
- the method may further include: receiving an update indication message sent by the relay server; generating the new first credential according to the second credential; and replacing, on the terminal device, the first credential with the new first credential.
- "generating the new first credential according to the second credential" may be implemented in, but is not limited to, the following two manners:
- Manner 1: the second credential is taken as the new first credential.
- Manner 2: a new first credential is generated according to the first credential and the second credential.
- the new first credential includes a new first password; Manner 2 may then include generating the new first password according to the first password and the second password.
- the new first credential may further include a new first account; Manner 2 may then further include generating the new first account according to the first account and the second account.
- "generating the new first password according to the first password and the second password" may include applying a one-way function to the first password and the second password to obtain the new first password.
- "generating the new first account according to the first account and the second account" may include applying a one-way function to the first account and the second account to obtain the new first account.
- the one-way function may be a hash function or the like.
- an authentication method provided in this embodiment includes:
- Step 401: the terminal device sends a media relay address allocation request message to the relay server, where the message includes a first account and the reference quantity corresponding to the first account.
- the reference quantity corresponding to the first account is a value, or a range of values, determined from the result the terminal device obtains by applying a preset authentication algorithm to the first password and a random number.
- the authentication algorithm is an algorithm pre-agreed between the terminal device and the relay server that performs a hash calculation using the first password.
- Step 401 may include: the terminal device sends the media relay address allocation request message to the relay server using the TURN protocol (the TURN Allocate request).
- the "first account" can be carried in the USERNAME attribute already defined by the TURN protocol.
- Step 402: the relay server obtains the first credential according to the first account, and authenticates the terminal device using the first credential and the reference quantity corresponding to the first account.
- Step 402 may include: the relay server looks up the first password by the first account, applies the preset authentication algorithm to the first password (with the same random number used by the terminal device) to obtain a calculation result, and compares it with the reference quantity. When the reference quantity is a single value, authentication succeeds if the calculation result equals it and fails otherwise; when the reference quantity is a range of values, authentication succeeds if the calculation result falls within the range and fails otherwise. If authentication succeeds, the terminal device is legitimate and step 403 is performed; if it fails, the terminal device is not legitimate and an authentication failure response message is returned to the terminal device. The comparison should be performed in constant time so that response timing does not leak information about the expected value.
- each TURN control message sent by the terminal device to the relay server therefore includes an account and a reference quantity calculated with the password of that account, so that the relay server authenticates the terminal device with the credential to which the account belongs.
- Step 403: the relay server allocates a media relay address to the terminal device according to the media relay address allocation request message.
- the specific implementation of step 403 may follow the prior art and is not described here.
- Step 404: the relay server sends a media relay address response message to the terminal device, where the media relay address response message includes the media relay address allocated by the relay server to the terminal device.
- Steps 401-404 are the specific implementation of the phase in which the relay server allocates a media relay address to the terminal device.
- Step 405: the terminal device sends a session call request message to the signaling server, where the session call request message includes the media relay address allocated by the relay server to the terminal device, information representing a credential request message, and the first account.
- Step 406: the signaling server generates a second credential for the terminal device according to the information representing the credential request message; the second credential includes a second account and a second password.
- Step 407: the signaling server sends a session call response message to the terminal device, where the session call response message includes the second credential.
- Step 408: the signaling server sends an association request message to the relay server, where the association request message includes the first account and the second credential.
- the order of step 407 and step 408 is not limited in this embodiment: step 407 may be performed before step 408, step 408 may be performed before step 407, or the two may be performed simultaneously.
- after step 408, the signaling server may delete the second credential to save storage space.
- Step 409: the relay server establishes an association relationship between the first account and the second account.
- "establishing the association relationship between the first account and the second account" means binding the first account and the second account that jointly identify one terminal device, so that in the media relay path connectivity check phase the relay server authenticates the terminal device with the second credential to which the second account bound to the first account belongs, and, when the credential is replaced, the relay server updates the first credential to which the first account belongs using the second credential to which the bound second account belongs.
- since the relay server stores the first accounts and second accounts of the many terminal devices connected to it, it must associate the first account and the second account that jointly identify a terminal device in order to manage the first and second accounts of different terminal devices.
- Step 410: the terminal device sends a create permission request message to the relay server, where the create permission request message includes the second account and the reference quantity corresponding to the second account.
- the reference quantity corresponding to the second account is explained in the same way as the reference quantity corresponding to the first account above, with the second password in place of the first password.
- Step 411: the relay server obtains the second credential according to the second account, and authenticates the terminal device using the second credential and the reference quantity corresponding to the second account.
- Steps 412-413: the terminal device calculates a new first credential according to the first credential and the second credential, where the new first credential is the credential to be used in the next TURN connection, and replaces the first credential with the new first credential; the first credential used in the current TURN connection thereby becomes invalid.
- the calculation method used to update the first account and the first password is not limited in this embodiment.
- the following calculation method is given as an example:
- the first account may be updated as username_f_new = KDF(username_f_old, username_s), where username_f_new is the new first account, KDF is the name of the one-way function (and also denotes the algorithm), username_f_old is the first account, and username_s is the second account.
- the first password may be updated as PWD_f_new = KDF(PWD_f_old, PWD_s, other parameters), where PWD_f_new is the new first password, KDF is the one-way function (the embodiment mentions MD5 (Message-Digest Algorithm 5) as an example; a practitioner should prefer a modern keyed construction such as HMAC-SHA-256 or HKDF, since MD5 is no longer considered collision resistant), PWD_f_old is the first password, PWD_s is the second password, and the other parameters are optional, for example the transaction id or the NONCE parameter of the association response message.
- Step 414: the relay server calculates a new first credential according to the first credential and the second credential, where the new first credential is the credential to be used in the next TURN connection, and replaces the first credential with the new first credential.
- the update calculation method of step 414 may be the same as that described for step 413.
- the relay server may send an update indication message to the terminal device carrying the update rule it applied when updating the first credential, so that the terminal device updates the first credential in the same way as the relay server; both sides must derive identical credentials, otherwise the next media relay address allocation will fail.
- alternatively, the relay server may negotiate the update rule with the terminal device in advance, and the terminal device applies the negotiated update rule when it receives the update indication from the relay server.
- Steps 412-413 are the process by which the terminal device updates the first credential; this process may be performed at any point after the terminal device learns the association relationship between the first account and the second account and before the end of the current TURN connection.
- Step 414 is the process by which the relay server updates the first credential; this process may be performed at any point after the relay server establishes the association relationship between the first account and the second account and before the end of the current TURN connection.
- the order between the terminal device's update of the first credential and the relay server's update of the first credential is not limited.
- Step 415: the relay server authenticates the terminal device with the second credential when it receives any further TURN control message during the current TURN connection.
- the TURN control messages of step 415 may include a refresh request message, a TURN channel binding request message, and the like.
- in this embodiment the relay server authenticates the terminal device with two credentials (the first credential and the second credential), which improves the information security of the terminal device.
- using the association relationship between the first account and the second account, the first credential of the current TURN connection is updated with the second credential of the current TURN connection to obtain the first credential for the next TURN connection, thereby implementing dynamic update of the authentication credential.
- with the authentication method of this embodiment the account and password are not easily cracked offline, because the first credential changes on every connection and a captured value is only useful for a short time, so the security risk is small; in addition, the terminal device only needs to store the first credential, which is dynamically updated, so no fixed account and password need to be saved on the terminal device and the range of application is large.
- the authentication method of this embodiment reuses the signaling already exchanged in the prior art to carry the authentication information, which reduces the amount of signaling and improves resource utilization.
- the authentication method of this embodiment gives the VoIP call signaling control over the media relay path connectivity check phase, since the relay server only accepts a connectivity check that is authenticated with a second credential issued by the signaling server.
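The exchange of steps 401-415, together with Manner 2 of deriving the new first credential described earlier, as an added example that is not part of the patent and not code from the applicant: a Python simulation with the terminal device, signaling server and relay server as in-process objects. Everything the patent leaves open is an assumption of this example: the reference quantity is HMAC-SHA256 keyed with the password over the random number, the one-way function KDF is SHA-256 over length-prefixed inputs (the patent lists MD5 as one option), the relay's update indication carries the nonce that serves as the KDF's "other parameter", and messages are Python values rather than TURN or SIP wire formats. The names RelayServer, SignalingServer, TerminalDevice, reference_quantity, kdf and derive_new_first are the example's own.

```python
import hashlib
import hmac
import secrets

def reference_quantity(password: bytes, nonce: bytes) -> bytes:
    """Preset authentication algorithm shared by terminal and relay (assumed:
    HMAC-SHA256 keyed with the password over the random number)."""
    return hmac.new(password, nonce, hashlib.sha256).digest()

def kdf(*parts: bytes) -> bytes:
    """One-way function for the credential update (assumed: SHA-256 over
    length-prefixed inputs, so (b"a", b"bc") and (b"ab", b"c") differ)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def derive_new_first(first, second, extra: bytes):
    """Manner 2: username_f_new = KDF(username_f_old, username_s),
    PWD_f_new = KDF(PWD_f_old, PWD_s, other parameters)."""
    (acct_f, pwd_f), (acct_s, pwd_s) = first, second
    return kdf(acct_f, acct_s), kdf(pwd_f, pwd_s, extra)

class RelayServer:
    def __init__(self):
        self.first = {}        # first account -> first password
        self.second = {}       # second account -> second password
        self.bound_first = {}  # second account -> first account (step 409)

    def _authenticate(self, table, acct, nonce, ref):
        pwd = table.get(acct)
        if pwd is None:
            return False
        return hmac.compare_digest(reference_quantity(pwd, nonce), ref)

    def allocate(self, acct, nonce, ref):
        """Steps 401-404: address allocation, authenticated with the first credential."""
        if not self._authenticate(self.first, acct, nonce, ref):
            return None
        return "relay-addr-" + secrets.token_hex(4)

    def associate(self, first_acct, second):
        """Steps 408-409: store the second credential and bind it to the first account."""
        if first_acct not in self.first:
            raise KeyError("unknown first account")
        self.second[second[0]] = second[1]
        self.bound_first[second[0]] = first_acct

    def create_permission(self, second_acct, nonce, ref):
        """Steps 410-411 and 414: authenticate with the second credential, then
        rotate the bound first credential. The returned nonce stands in for the
        update indication message and is the KDF's 'other parameter' (assumed)."""
        if not self._authenticate(self.second, second_acct, nonce, ref):
            return None
        first_acct = self.bound_first[second_acct]
        update_nonce = secrets.token_bytes(12)
        old = (first_acct, self.first.pop(first_acct))  # current first credential now invalid
        new_acct, new_pwd = derive_new_first(old, (second_acct, self.second[second_acct]), update_nonce)
        self.first[new_acct] = new_pwd                   # valid for the next TURN connection
        return update_nonce

class SignalingServer:
    def __init__(self, relay):
        self.relay = relay

    def session_call(self, first_acct, relay_addr):
        """Steps 405-408: issue a random second credential, push it to the relay,
        return it to the terminal; the signaling server keeps no copy."""
        second = (secrets.token_hex(8).encode(), secrets.token_bytes(16))
        self.relay.associate(first_acct, second)
        return second

class TerminalDevice:
    def __init__(self, first):
        self.first = first  # the only credential the terminal stores

    def turn_connection(self, relay, signaling):
        """One TURN connection: allocate, signal, create permission, rotate."""
        nonce = secrets.token_bytes(16)
        addr = relay.allocate(self.first[0], nonce, reference_quantity(self.first[1], nonce))
        if addr is None:
            return False
        second = signaling.session_call(self.first[0], addr)
        nonce = secrets.token_bytes(16)
        update_nonce = relay.create_permission(second[0], nonce, reference_quantity(second[1], nonce))
        if update_nonce is None:
            return False
        self.first = derive_new_first(self.first, second, update_nonce)  # steps 412-413
        return True

def demo():
    """Returns (old first credential still accepted?, rotated one accepted?)."""
    relay, initial = RelayServer(), (b"alice-f0", secrets.token_bytes(16))
    relay.first[initial[0]] = initial[1]  # provisioned out of band (constructed sample)
    terminal = TerminalDevice(initial)
    if not terminal.turn_connection(relay, SignalingServer(relay)):
        return None
    nonce = secrets.token_bytes(16)
    old_ok = relay.allocate(initial[0], nonce, reference_quantity(initial[1], nonce)) is not None
    new_ok = relay.allocate(terminal.first[0], nonce, reference_quantity(terminal.first[1], nonce)) is not None
    return old_ok, new_ok  # (False, True)
```

The point the simulation makes is that both ends must feed byte-identical inputs to the KDF: the relay derives from the stored first credential and the terminal from its own copy, and the only fresh input (update_nonce) travels in the update indication. After the rotation the originally provisioned first credential no longer authenticates an Allocate, while the derived one does.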
- an authentication method provided in this embodiment includes:
- Steps 501-504 are the same as steps 401-404; for details refer to Embodiment 1, and they are not described again here. Steps 501-504 are the specific implementation of the phase in which the relay server allocates a media relay address to the terminal device.
- Step 505: the terminal device sends a session call request message to the signaling server, where the session call request message includes the media relay address allocated by the relay server to the terminal device and information representing a credential request message.
- the messages exchanged between the terminal device and the signaling server are SIP messages; the terminal device and the signaling server negotiate the session information of the two parties through the SDP (Session Description Protocol) carried in the SIP message, and the session information may include a media address, codec information and ICE-related parameters.
- SIP messages need to be protected by TLS (Transport Layer Security) or IPsec (Internet Protocol Security); since the second credential is carried in the SDP (see step 507), this transport protection is what keeps the second credential confidential on the signaling path.
- Step 506: the signaling server generates a second credential according to the information representing the credential request message; the second credential includes a second account and a second password, and may be generated randomly by the signaling server.
- Step 507: the signaling server sends a session call response message to the terminal device, where the session call response message includes the second credential.
- the second account in the second credential may be carried by the ice-ufrag attribute and the second password by the ice-pwd attribute already defined for SDP; alternatively, the second credential may be carried by a newly defined SDP attribute line.
- Step 508: the signaling server sends the second credential to the relay server.
- step 508 may include: the signaling server sends the second credential directly to the relay server over an interface between the signaling server and the relay server; or, using a key pre-shared between the signaling server and the relay server, the signaling server encrypts the second credential, sends the encrypted information to the terminal device in the SDP message, the terminal device forwards the encrypted information to the relay server in a TURN control message, and the relay server decrypts the second credential with the key. In the second variant the encrypted information should also be integrity-protected and bound to the first account, so that the forwarding terminal device cannot modify it or attach it to a different account.
- the order of step 507 and step 508 is not limited: step 507 may be performed before step 508, step 508 may be performed before step 507, or the two may be performed simultaneously.
- after step 508, the signaling server may delete the second credential to save storage space.
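The pre-shared-key variant of step 508, as an added example that is not code from the patent: the signaling server seals the second credential so that it can travel through the terminal device (in the SDP message and then in a TURN control message) without the terminal being able to alter it or present it for a different first account. Assumptions not in the patent: the construction (an encrypt-then-MAC scheme built from HMAC-SHA256 so the example runs on the Python standard library alone; a real deployment should use an AEAD such as AES-GCM or ChaCha20-Poly1305), the framing of the sealed blob (nonce, ciphertext, tag), and the function names seal_second_credential and open_second_credential.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(psk: bytes):
    """Derive separate encryption and MAC keys from the pre-shared key (assumed)."""
    return (hmac.new(psk, b"enc", hashlib.sha256).digest(),
            hmac.new(psk, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stdlib stand-in for a real stream cipher."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def seal_second_credential(psk: bytes, first_acct: bytes, second_acct: bytes, second_pwd: bytes) -> bytes:
    """Signaling server side: encrypt-then-MAC the second credential. The first
    account is covered by the tag as associated data, so the relay can check that
    the credential it receives via the terminal belongs to the account named in
    the same TURN message."""
    enc_key, mac_key = _subkeys(psk)
    plaintext = bytes([len(second_acct)]) + second_acct + second_pwd
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, first_acct + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_second_credential(psk: bytes, first_acct: bytes, blob: bytes):
    """Relay side: verify the tag under the first account carried in the TURN
    control message, then decrypt. Returns (second_acct, second_pwd), or None
    if the blob is truncated, tampered with, or forwarded for the wrong account."""
    if len(blob) < NONCE_LEN + 1 + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(psk)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, first_acct + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    n = pt[0]
    if len(pt) < 1 + n:
        return None
    return pt[1:1 + n], pt[1 + n:]

def demo():
    """Returns (honest forwarding accepted?, bit flip rejected?, wrong account rejected?)."""
    psk = secrets.token_bytes(32)  # pre-shared between signaling server and relay (constructed)
    first_acct, second = b"alice-f0", (b"u7Gq2x", secrets.token_bytes(16))
    blob = seal_second_credential(psk, first_acct, *second)  # carried to the terminal in SDP
    # the terminal forwards blob unchanged in a TURN control message that also names first_acct
    honest = open_second_credential(psk, first_acct, blob) == second
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01  # terminal flips one ciphertext bit
    flipped = open_second_credential(psk, first_acct, bytes(tampered))
    wrong_account = open_second_credential(psk, b"mallory-f0", blob)
    return honest, flipped is None, wrong_account is None  # (True, True, True)
```

Confidentiality toward the terminal device is not what matters here, since the terminal receives the same second credential in clear in the SDP; what the tag buys the relay is that it only accepts a second credential the signaling server actually issued, for the first account named in the same TURN message.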
- Step 509: the terminal device sends a create permission request message to the relay server, where the create permission request message includes information indicating an association request message, and the association request message includes the first account and the second account.
- the first account and the second account in the association request message may be carried in the following two manners: (1) the first account is carried in a newly defined TURN protocol attribute and the second account in the USERNAME attribute already defined by the TURN protocol; (2) both the first account and the second account are carried in newly defined TURN protocol attributes.
- these two manners are only examples; the first account and the second account may also be carried in the association request message in other manners.
- Step 510: the relay server obtains the second credential to which the second account belongs from the second account carried in the association request message, and authenticates the terminal device with the second credential.
- Step 511: after the authentication succeeds, the relay server establishes the association relationship between the first account and the second account.
- Step 512: the relay server sends a create permission response message to the terminal device, where the create permission response message includes information indicating an update indication message, and the update indication message includes information indicating the association relationship.
- the information indicating the update indication message may be carried in an existing TURN protocol attribute or in a specially defined TURN protocol attribute; the update indication message may further include an update rule, as described above.
- Steps 513-515 are the same as steps 413-415; for details refer to Embodiment 1, and they are not described again here.
- as in Embodiment 1, the relay server authenticates the terminal device with two credentials (the first credential and the second credential), which improves the information security of the terminal device; the first credential of the current TURN connection is updated with the second credential through the association relationship between the first account and the second account to obtain the first credential for the next TURN connection, so the authentication credential is dynamically updated; the account and password are not easily cracked offline and the security risk is small; only the dynamically updated first credential needs to be stored on the terminal device, so the range of application is large; the existing signaling is reused to carry the authentication information, which reduces signaling and improves resource utilization; and the VoIP call signaling controls the media relay path connectivity check phase.
- an embodiment of the present invention provides a relay server 60 for performing the authentication credential replacement method provided in the foregoing method embodiments.
- the relay server 60 includes:
- a receiving unit 601, configured to receive the first account and the second credential sent by the signaling server, where the first account is an account in the first credential used by the relay server to authenticate the terminal device in the media relay address allocation phase, and the second credential is a credential generated by the signaling server and used by the relay server to authenticate the terminal device in the media relay path connectivity check phase;
- a replacing unit 602, configured to generate a new first credential according to the second credential, where the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase and replaces the first credential.
- the relay server 60 further includes:
- the sending unit 603 is configured to send an update indication message to the terminal device, where the update indication message is used to enable the terminal device to generate the new first credential according to the second credential.
- the replacing unit 602 is specifically configured to: use the second credential as a new first credential; or generate a new first credential according to the first credential and the second credential.
- the first credential further includes a first password
- the second credential further includes a second password
- the new first credential includes a new first password
- the replacement unit 602 includes:
- the first generating sub-unit 6021 is configured to generate the new first password according to the first password and the second password.
- the first generating sub-unit 6021 is configured to perform a one-way function calculation on the first password and the second password to obtain the new first password.
- the new first credential further includes a new first account; as shown in FIG. 7, the replacing unit 602 further includes:
- the second generating sub-unit 6022 is configured to generate the new first account according to the first account and the second account.
- the second generating sub-unit 6022 is configured to perform a one-way function calculation on the first account and the second account to obtain the new first account.
- the relay server provided by this embodiment is applied to an authentication mechanism that authenticates a terminal device using two credentials (a first credential and a second credential); because the first credential is dynamically replaced, the account and password are not easily cracked offline and the security risk is small, and the terminal device only needs to store the dynamically updated first credential rather than a fixed account and password, so the range of application is large.
- the sending unit in Embodiment 4 may be a transmitter, the receiving unit may be a receiver, and the transmitter and the receiver may be integrated into a transceiver; the replacing unit may be embedded in or independent of the processor of the relay server in hardware form, or stored in the memory of the relay server in software form so that the processor calls it to perform the operations of the above units; the processor may be a central processing unit (CPU), a microprocessor, a microcontroller, or the like.
- a relay server 80 is provided for performing the authentication credential replacement method provided by the foregoing method embodiments.
- the relay server 80 includes: a receiver 801, a memory 802, a processor 803 and a bus system 804.
- the receiver 801, the memory 802 and the processor 803 are coupled together by a bus system 804.
- the bus system 804 may include a power bus, a control bus, a status signal bus, and the like in addition to the data bus. However, for clarity of description, various buses are labeled as bus system 804 in the figure.
- the receiver 801 is configured to receive the first account and the second credential sent by the signaling server, where the first account is an account in the first credential used by the relay server to authenticate the terminal device in the media relay address allocation phase, and the second credential is a credential generated by the signaling server and used by the relay server to authenticate the terminal device in the media relay path connectivity check phase;
- the memory 802 is configured to store a set of code, and the code stored in the memory 802 controls the processor 803 to generate a new first credential according to the second credential, where the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase and replaces the first credential.
- the relay server further includes:
- the sender 805 is configured to send an update indication message to the terminal device, where the update indication message is used to enable the terminal device to generate the new first credential according to the second credential.
- the processor 803 is specifically configured to: use the second credential as a new first credential; or generate a new first credential according to the first credential and the second credential.
- the first credential further includes a first password
- the second credential further includes a second password
- the new first credential includes a new first password
- the processor 803 is specifically configured to generate the new first password according to the first password and the second password.
- the processor 803 is specifically configured to perform a one-way function calculation on the first password and the second password to obtain the new first password.
- the new first credential further includes a new first account; the processor 803 is specifically configured to: generate the new first account according to the first account and the second account.
- the processor 803 is specifically configured to perform a one-way function calculation on the first account and the second account to obtain the new first account.
- the relay server provided by this embodiment is applied to an authentication mechanism that authenticates a terminal device using two credentials (a first credential and a second credential), with the same advantages as the relay server 60 above: the account and password are not easily cracked offline, the security risk is small, and only the dynamically updated first credential needs to be stored on the terminal device, so the range of application is large.
- the relay server 100 includes:
- a receiving unit 1001, configured to receive, from the terminal device, an update request message that includes the first account and the second account, where the first account is an account in the first credential used by the relay server to authenticate the terminal device in the media relay address allocation phase, and the second account is an account, generated by the signaling server, in the second credential used by the relay server to authenticate the terminal device in the media relay path connectivity check phase;
- an authentication unit 1002, configured to authenticate the terminal device using the second credential;
- a replacing unit 1003, configured to generate a new first credential according to the second credential after the authentication unit 1002 authenticates the terminal device successfully, where the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase and replaces the first credential.
- the relay server 100 further includes: a sending unit 1004, configured to send an update indication message to the terminal device, where the update indication message is used to cause the terminal device to generate the new first credential according to the second credential.
- the replacing unit 1003 is specifically configured to: use the second credential as a new first credential; or generate a new first credential according to the first credential and the second credential.
- the first credential further includes a first password
- the second credential further includes a second password
- the new first credential includes a new first password
- the replacing unit 1003 is specifically configured to generate the new first password according to the first password and the second password.
- the replacing unit 1003 is specifically configured to perform a one-way function calculation on the first password and the second password to obtain the new first password.
- the new first credential further includes a new first account; the replacing unit 1003 is specifically configured to: generate the new first account according to the first account and the second account.
- the replacing unit 1003 is specifically configured to perform a one-way function calculation on the first account and the second account to obtain the new first account.
- the relay server provided by this embodiment is applied to an authentication mechanism that authenticates a terminal device using two credentials (a first credential and a second credential), with the same advantages as the relay servers described above: the account and password are not easily cracked offline, the security risk is small, and only the dynamically updated first credential needs to be stored on the terminal device, so the range of application is large.
- the receiving unit in the sixth embodiment may be a receiver; the authentication unit and the replacement unit may be embedded in the hardware of the relay server or may be stored in the relay server in software.
- the units may also be stored in the memory of the relay server in software form, so that the processor can perform the operations corresponding to the above units; the processor may be a central processing unit (CPU), a microprocessor, a single-chip microcomputer, or the like.
- the relay server 120 includes: a receiver 1201, a memory 1202, and a processor 1203.
- the receiver 1201, the memory 1202 and the processor 1203 are coupled together by a bus system 1204.
- the bus system 1204 may include a power bus, a control bus, a status signal bus, and the like in addition to the data bus. However, for clarity of description, various buses are labeled as bus system 1204 in the figure.
- the receiver 1201 is configured to receive an update request message sent by the terminal device and including the first account and the second account, where the first account is the account in the first credential used by the relay server to authenticate the terminal device in the current media relay address allocation phase, and the second account is the account in the second credential generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase.
- the memory 1202 is configured to store a set of code, and the code stored in the memory 1202 is used to control the processor 1203 to perform the following actions: authenticating the terminal device by using the second credential; and, after the authentication succeeds, generating a new first credential according to the second credential, where the new first credential is the credential used when the relay server authenticates the terminal device in the next media relay address allocation phase, and is used to replace the first credential.
- the relay server 120 further includes: a sender 1205, configured to send an update indication message to the terminal device, where the update indication message is used to enable the terminal device to generate the new first credential according to the second credential.
- the processor 1203 is specifically configured to: use the second credential as a new first credential; or generate a new first credential according to the first credential and the second credential.
- the first credential further includes a first password
- the second credential further includes a second password
- the new first credential includes a new first password
- the processor 1203 is specifically configured to generate the new first password according to the first password and the second password.
- the processor 1203 is specifically configured to perform a one-way function calculation on the first password and the second password to obtain the new first password.
- the new first credential further includes a new first account; the processor 1203 is specifically configured to: generate the new first account according to the first account and the second account.
- the processor 1203 is specifically configured to perform a one-way function calculation on the first account and the second account to obtain the new first account.
- the relay server provided by the embodiment of the present invention is applied to an authentication mechanism that authenticates a terminal device by using a double credential (a first credential and a second credential).
- compared with the long-term credential mechanism in the prior art, an authentication mechanism that uses this credential replacement method does not easily allow the account and password to be cracked offline, so the security risk is small; in addition, because such an authentication mechanism only needs to store the first credential in the terminal device, and the first credential is updated dynamically, it does not need to save a fixed account and password in the terminal device, so its scope of application is larger.
- the terminal device 140 includes:
- the obtaining unit 1401 is configured to obtain the first account, where the first account is an account in the first credential used by the relay server to authenticate the terminal device in the media relay address allocation phase;
- the receiving unit 1402 is configured to receive a second account sent by the signaling server, where the second account is the account in the second credential generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase.
- the sending unit 1403 is configured to send, to the relay server, an update request message including the first account and the second account, where the update request message is used to enable the relay server to generate a new first credential according to the second credential; the new first credential is the credential used when the relay server authenticates the terminal device in the next media relay address allocation phase, and is used to replace the first credential.
- the sending unit 1403 is further configured to send a credential indication message to the signaling server, where the credential indication message is used to enable the signaling server to generate the second credential.
- the receiving unit 1402 is further configured to receive an update indication message sent by the relay server; as shown in FIG. 15, the terminal device 140 further includes a replacing unit 1404, configured to generate the new first credential according to the second credential.
- the replacing unit 1404 is specifically configured to: use the second credential as the new first credential; or generate the new first credential according to the first credential and the second credential.
- the first credential further includes a first password
- the second credential further includes a second password
- the new first credential includes a new first password
- as shown in FIG. 15, the replacing unit 1404 includes: a first generating subunit 14041, configured to generate the new first password according to the first password and the second password.
- the first generating sub-unit 14041 is specifically configured to perform a one-way function calculation on the first password and the second password to obtain the new first password.
- the new first credential further includes a new first account; as shown in FIG. 15, the replacing unit 1404 further includes: a second generating subunit 14042, configured to generate the new first account according to the first account and the second account.
- the second generating sub-unit 14042 is specifically configured to perform a one-way function calculation on the first account and the second account to obtain the new first account.
- the terminal device provided by the embodiment of the present invention is applied to an authentication mechanism that authenticates a terminal device by using a double credential (a first credential and a second credential).
- compared with the long-term credential mechanism in the prior art, an authentication mechanism that uses this credential replacement method does not easily allow the account and password to be cracked offline, so the security risk is small; in addition, because such an authentication mechanism only needs to store the first credential in the terminal device, and the first credential is updated dynamically, it does not need to save a fixed account and password in the terminal device, so its scope of application is larger.
- the sending unit in Embodiment 8 may be a transmitter, the receiving unit may be a receiver, and the transmitter and the receiver may be integrated to form a transceiver; the obtaining unit and the replacing unit may be embedded in the hardware of the terminal device, or may be stored in the memory of the terminal device in software form, so that the processor can perform the operations corresponding to the above units; the processor may be a central processing unit (CPU), a microprocessor, a microcontroller, or the like.
- an embodiment of the present invention provides a terminal device 160 for performing the method for replacing the authentication credential provided in the foregoing method embodiment; the terminal device 160 includes: a receiver 1601, a transmitter 1602, a memory 1603, a processor 1604, and a bus system 1605.
- the receiver 1601, the transmitter 1602, the memory 1603, and the processor 1604 are coupled together by a bus system 1605.
- the bus system 1605 may include a power bus, a control bus, a status signal bus, and the like in addition to the data bus. However, for clarity of description, the various buses are labeled as bus system 1605 in the figure.
- the memory 1603 is configured to store a set of code, and the code stored in the memory 1603 is used to control the processor 1604 to obtain a first account, where the first account is the account in the first credential used by the relay server to authenticate the terminal device in the current media relay address allocation phase.
- the receiver 1601 is configured to receive a second account sent by the signaling server, where the second account is the account in the second credential generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase.
- the sender 1602 is configured to send, to the relay server, an update request message including the first account and the second account, where the update request message is used to enable the relay server to generate a new first credential according to the second credential; the new first credential is the credential used when the relay server authenticates the terminal device in the next media relay address allocation phase, and is used to replace the first credential.
- the sender 1602 is further configured to send a credential indication message to the signaling server, where the credential indication message is used to enable the signaling server to generate the second credential.
- the receiver 1601 is further configured to receive an update indication message sent by the relay server, and the processor 1604 is further configured to generate the new first credential according to the second credential.
- the processor 1604 is specifically configured to: use the second credential as the new first credential; or generate the new first credential according to the first credential and the second credential.
- the first credential further includes a first password
- the second credential further includes a second password
- the new first credential includes a new first password
- the processor 1604 is specifically configured to generate the new first password according to the first password and the second password.
- the processor 1604 is configured to perform a one-way function calculation on the first password and the second password to obtain the new first password.
- the new first credential further includes a new first account; the processor 1604 is specifically configured to: generate the new first account according to the first account and the second account.
- the processor 1604 is specifically configured to perform a one-way function calculation on the first account and the second account to obtain the new first account.
- the terminal device provided by the embodiment of the present invention is applied to an authentication mechanism that authenticates a terminal device by using a double credential (a first credential and a second credential).
- compared with the long-term credential mechanism in the prior art, an authentication mechanism that uses this credential replacement method does not easily allow the account and password to be cracked offline, so the security risk is small; in addition, because such an authentication mechanism only needs to store the first credential in the terminal device, and the first credential is updated dynamically, it does not need to save a fixed account and password in the terminal device, so its scope of application is larger.
- the embodiment of the present invention further provides a system for replacing the authentication credential, including: the signaling server and any one of the relay servers provided in Embodiment 4 to Embodiment 7 above. It should be noted that, for the description of each functional module of the relay server, refer to the above; details are not described herein again. In addition, one or more terminal devices may also be included in the system.
- the disclosed system, apparatus, and method may be implemented in other manners.
- the device embodiments described above are merely illustrative.
- the division of the unit is only a logical function division.
- in actual implementation there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
- the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
- each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may be physically included separately, or two or more units may be integrated into one unit.
- the above integrated unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
- the above-described integrated unit implemented in the form of a software functional unit can be stored in a computer readable storage medium.
- the above software functional unit is stored in a storage medium and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform some of the steps of the methods described in the various embodiments of the present invention.
- the foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
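The credential replacement exchange that the relay server and terminal device embodiments above describe, as an added Python example (this is not the patent's code): the signaling server issues the second credential, the terminal sends an update request carrying the first account and the second account, the relay server authenticates the request with the second credential and only on success derives the new first credential, and the terminal derives the same credential after the update indication. Several details are assumptions of this example rather than anything the patent specifies: SHA-256 over length-prefixed inputs as the one-way function, an HMAC tag keyed by the second password as the form that "authenticating with the second credential" takes, the message layout, and the terminal receiving the whole second credential (not only the second account) from the signaling server.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    account: str
    password: str


def one_way(label: str, a: str, b: str) -> str:
    """Assumed one-way function: SHA-256 over a label and two length-prefixed inputs."""
    digest = hashlib.sha256()
    for part in (label, a, b):
        raw = part.encode()
        digest.update(len(raw).to_bytes(4, "big") + raw)
    return digest.hexdigest()


def derive_new_first(first: Credential, second: Credential) -> Credential:
    """New first credential: account and password each come from a one-way function over (first, second)."""
    return Credential(
        account=one_way("account", first.account, second.account),
        password=one_way("password", first.password, second.password),
    )


def auth_tag(cred: Credential, message: str) -> str:
    """Keyed tag over a message; stands in for 'authenticating the terminal with the second credential' (assumption)."""
    return hmac.new(cred.password.encode(), message.encode(), hashlib.sha256).hexdigest()


class SignalingServer:
    """Generates the second credential for the connectivity check phase (assumed: random account and password)."""

    def issue_second_credential(self) -> Credential:
        return Credential(secrets.token_hex(8), secrets.token_hex(16))


class RelayServer:
    def __init__(self) -> None:
        self.first_creds: Dict[str, Credential] = {}   # allocation-phase credentials, keyed by account
        self.second_creds: Dict[str, Credential] = {}  # connectivity-check credentials, keyed by account
        self.rotations = 0

    def handle_update_request(self, first_account: str, second_account: str, tag: str) -> Optional[dict]:
        """Authenticate with the second credential; only on success replace the first credential."""
        first = self.first_creds.get(first_account)
        second = self.second_creds.get(second_account)
        if first is None or second is None:
            return None
        message = f"update-request:{first_account}:{second_account}"
        if not hmac.compare_digest(auth_tag(second, message), tag):
            return None  # authentication failed: the first credential is left untouched
        new_first = derive_new_first(first, second)
        del self.first_creds[first_account]          # the old first credential is no longer accepted
        self.first_creds[new_first.account] = new_first
        self.rotations += 1
        return {"type": "update-indication", "first_account": first_account}


class Terminal:
    def __init__(self, first: Credential) -> None:
        self.first = first                           # the only credential the terminal has to keep
        self.second: Optional[Credential] = None     # handed over by the signaling server per session

    def build_update_request(self, forge: bool = False) -> Tuple[str, str, str]:
        assert self.second is not None
        message = f"update-request:{self.first.account}:{self.second.account}"
        key = Credential(self.second.account, "wrong-password") if forge else self.second
        return self.first.account, self.second.account, auth_tag(key, message)

    def apply_update_indication(self, indication: dict) -> None:
        if indication["first_account"] == self.first.account and self.second is not None:
            self.first = derive_new_first(self.first, self.second)


def run_round(forge: bool = False) -> dict:
    """One media relay session; with forge=True the terminal cannot prove possession of the second password."""
    initial = Credential("alice", "initial-pass")  # constructed sample first credential
    relay, signaling, terminal = RelayServer(), SignalingServer(), Terminal(initial)
    relay.first_creds[initial.account] = initial
    second = signaling.issue_second_credential()
    relay.second_creds[second.account] = second     # relay learns the second credential from the signaling server
    terminal.second = second                        # assumption: terminal receives the whole second credential
    indication = relay.handle_update_request(*terminal.build_update_request(forge=forge))
    if indication is not None:
        terminal.apply_update_indication(indication)
    return {
        "rotated": relay.rotations == 1,
        "terminal_matches_relay": terminal.first in relay.first_creds.values(),
        "initial_still_valid": initial in relay.first_creds.values(),
    }


if __name__ == "__main__":
    print(run_round())
    print(run_round(forge=True))
```

The point to check on the relay side is the ordering in `handle_update_request`: the first credential is replaced only after the second-credential check passes, so a request that cannot prove possession of the second password leaves both sides holding the previous first credential, which is what the "after the authentication succeeds" step in the embodiments requires.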
Abstract
Disclosed are an authentication credential replacement method and apparatus, which relate to the field of communications and are used for solving the problem of a larger safety risk due to the fact that a terminal device uses a fixed account and password to login, and the problem of an application limitation due to the fact that the fixed account and password need to be stored in the terminal device in the prior art. The method provided in the embodiments of the present invention comprises: receiving, by a relay server, a first account and a second certificate sent by a signalling server; and generating a new first certificate according to the second certificate, wherein the new first certificate is a certificate used in a process of the relay server authenticating the terminal device in a next media relay address allocation stage, and is used for replacing a first certificate. The technical solution provided in the embodiments of the present invention can be applied in a multimedia communication process.
Description
The present application claims priority to Chinese patent application No. 201410525806.2, filed on September 30, 2014 and entitled "Authentication credential replacement method and apparatus", the entire contents of which are incorporated herein by reference.
The present invention relates to the field of communications, and in particular to a method and apparatus for replacing an authentication credential.
In the Internet network environment, a firewall or NAT (Network Address Translation) is generally deployed between a private network and the public network. Therefore, two terminal devices (User Equipment, UE) in different private networks generally need to traverse the firewall/NAT in order to communicate. Currently, one scheme for firewall/NAT traversal is TURN (Traversal Using Relay Network Address Translation). The basic principle of the TURN scheme is as follows: the terminal device connects, through one or more NATs, to a relay server in the public network; the relay server allocates a public network address to the terminal device through some mechanism (the media relay address allocation phase); the terminal device uses that public network address to determine a media relay path to the communication peer, i.e. another terminal device (the media relay path connectivity check phase), and sends data to the communication peer through the media relay path.
To prevent illegal access, when a TURN connection is established between the terminal device and the relay server, the relay server needs to authenticate the terminal device. Currently, the TURN protocol defines a long-term credential mechanism for authenticating terminal devices. In the long-term credential mechanism, both the terminal device and the relay server pre-store a fixed account and password, and the terminal device logs in with this fixed account and password every time it accesses the relay server; in other words, the relay server authenticates the terminal device with the fixed account and password in every TURN connection.
In the above process of authenticating the terminal device with the long-term credential mechanism, because the terminal device logs in with a fixed account and password, the account and password are easily cracked offline, and the security risk is large. In addition, because the long-term credential mechanism needs to store a fixed account and password in the terminal device, it has limitations in application; for example, the long-term credential mechanism is not suitable for the WebRTC (Web Real-Time Communication) scenario.
It should be noted that, in the WebRTC scenario, the communication control function of the terminal device is generally implemented in the JavaScript scripting language; the account and password stored in the terminal device are read directly by JavaScript, and because JavaScript is neither compiled nor encrypted, it can be read in plaintext, so the stored account and password are easily leaked. For this reason, the long-term credential mechanism, which needs to save a fixed account and password in the terminal device, is not suitable for the WebRTC scenario.
Summary of the Invention
Embodiments of the present invention provide a method and apparatus for replacing an authentication credential, to solve the problem in the prior art of a large security risk caused by a terminal device logging in with a fixed account and password, and the problem of application limitations caused by the need to save a fixed account and password in the terminal device.
To achieve the above objective, embodiments of the present invention provide the following technical solutions:
In a first aspect, a method for replacing an authentication credential is provided, including:
receiving, by a relay server, a first account and a second credential sent by a signaling server, where the first account is the account in a first credential used by the relay server to authenticate a terminal device in the current media relay address allocation phase, and the second credential is a credential generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase; and
generating a new first credential according to the second credential, where the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase, and is used to replace the first credential.
With reference to the first aspect, in a first possible implementation, after the relay server receives the first account and the second credential sent by the signaling server, the method further includes:
sending an update indication message to the terminal device, where the update indication message is used to enable the terminal device to generate the new first credential according to the second credential.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation, the generating a new first credential according to the second credential includes: using the second credential as the new first credential; or generating the new first credential according to the first credential and the second credential.
With reference to the second possible implementation of the first aspect, in a third possible implementation, the first credential further includes a first password, the second credential further includes a second password, and the new first credential includes a new first password; the generating the new first credential according to the first credential and the second credential includes: generating the new first password according to the first password and the second password.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation, the generating the new first password according to the first password and the second password includes: performing a one-way function calculation on the first password and the second password to obtain the new first password.
With reference to the third or fourth possible implementation of the first aspect, in a fifth possible implementation, the new first credential further includes a new first account; the generating the new first credential according to the first credential and the second credential further includes: generating the new first account according to the first account and the second account.
With reference to the fifth possible implementation of the first aspect, in a sixth possible implementation, the generating the new first account according to the first account and the second account includes: performing a one-way function calculation on the first account and the second account to obtain the new first account.
In a second aspect, a method for replacing an authentication credential is provided, including:
receiving, by a relay server, an update request message sent by a terminal device and including a first account and a second account, where the first account is the account in a first credential used by the relay server to authenticate the terminal device in the current media relay address allocation phase, and the second account is the account in a second credential generated by a signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase;
authenticating the terminal device by using the second credential; and
after the authentication succeeds, generating a new first credential according to the second credential, where the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase, and is used to replace the first credential.
With reference to the second aspect, in a first possible implementation, after the relay server receives the update request message sent by the terminal device and including the first account and the second account, the method further includes:
sending an update indication message to the terminal device, where the update indication message is used to enable the terminal device to generate the new first credential according to the second credential.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation, the generating a new first credential according to the second credential includes: using the second credential as the new first credential; or generating the new first credential according to the first credential and the second credential.
In a third aspect, a relay server is provided, including:
a receiving unit, configured to receive a first account and a second credential sent by a signaling server, where the first account is the account in a first credential used by the relay server to authenticate a terminal device in the current media relay address allocation phase, and the second credential is a credential generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase; and
a replacing unit, configured to generate a new first credential according to the second credential, where the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase, and is used to replace the first credential.
With reference to the third aspect, in a first possible implementation, the relay server further includes:
a sending unit, configured to send an update indication message to the terminal device, where the update indication message is used to enable the terminal device to generate the new first credential according to the second credential.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation, the replacing unit is specifically configured to:
use the second credential as the new first credential; or
generate the new first credential according to the first credential and the second credential.
In a fourth aspect, a relay server is provided, including:
a receiving unit, configured to receive an update request message sent by a terminal device and including a first account and a second account, where the first account is the account in a first credential used by the relay server to authenticate the terminal device in the current media relay address allocation phase, and the second account is the account in a second credential generated by a signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase;
an authentication unit, configured to authenticate the terminal device by using the second credential; and
a replacing unit, configured to generate, after the authentication unit authenticates the terminal device successfully, a new first credential according to the second credential, where the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase, and is used to replace the first credential.
In a fifth aspect, a terminal device is provided, including:
an obtaining unit, configured to obtain a first account, where the first account is the account in a first credential used by a relay server to authenticate the terminal device in the current media relay address allocation phase;
a receiving unit, configured to receive a second account sent by a signaling server, where the second account is the account in a second credential generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase; and
a sending unit, configured to send, to the relay server, an update request message including the first account and the second account, where the update request message is used to enable the relay server to generate a new first credential according to the second credential, and the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase and is used to replace the first credential.
结合第五方面,在第一种可能的实现方式中,所述发送单元还用于,向所述信令服务器发送凭证指示消息;其中,所述凭证指示消息用于使所述信令服务器生成所述第二凭证。With reference to the fifth aspect, in a first possible implementation, the sending unit is further configured to send a credential indication message to the signaling server, where the credential indication message is used to generate the signaling server The second credential.
结合第五方面或第五方面的第一种可能的实现方式,在第二种可能的实现方式中,所述接收单元还用于,接收所述中继服务器发送的更新指示消息;With the fifth aspect or the first possible implementation manner of the fifth aspect, in a second possible implementation, the receiving unit is further configured to receive an update indication message sent by the relay server;
所述终端设备还包括:更替单元,用于根据所述第二凭证生成所述新的第一凭证。The terminal device further includes: a replacement unit, configured to generate the new first credential according to the second credential.
本发明实施例提供的技术方案,中继服务器利用本次媒体中继路径连通性检查阶段中的第二凭证生成用于更替本次媒体中继地址分配阶段中的第一凭证的新的第一凭证,从而实现认证凭证的动态更替。该方法应用于利用双凭证(第一凭证和第二凭证)对终端设备进行认证的认证机制中。与现有技术中的长期认证机制相比,使用了该认证凭证更替的方法的认证机制不容易导致账号和密码被离线破解,安全风险小;另外,由于使用了该认证凭证更替的方法的认证机制只需要在终端设备中存储第一凭证,而第一凭证是动态更新的,因此使用了该认证凭证更替的方法的认证机制不需要在终端设备中保存固定的账号和密码,因此应用范围较大。
According to the technical solution provided by the embodiment of the present invention, the relay server generates a new first used to replace the first credential in the media relay address allocation phase by using the second credential in the media relay path connectivity check phase. Credentials, thereby enabling dynamic replacement of authentication credentials. The method is applied to an authentication mechanism for authenticating a terminal device using a double credential (a first credential and a second credential). Compared with the long-term authentication mechanism in the prior art, the authentication mechanism using the method of replacing the authentication credential does not easily cause the account and password to be broken offline, and the security risk is small; in addition, the authentication is performed by using the method of replacing the authentication credential. The mechanism only needs to store the first credential in the terminal device, and the first credential is dynamically updated, so the authentication mechanism using the method of replacing the authentication credential does not need to save a fixed account and password in the terminal device, so the application scope is relatively Big.
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a flowchart of a credential replacement method according to Embodiment 1 of the present invention;
FIG. 2 is a flowchart of a credential replacement method according to Embodiment 2 of the present invention;
FIG. 3 is a flowchart of a credential replacement method according to Embodiment 3 of the present invention;
FIG. 4 is a flowchart of a credential replacement method according to Embodiment 1 of the present invention;
FIG. 5 is a flowchart of a credential replacement method according to Embodiment 2 of the present invention;
FIG. 6 is a schematic structural diagram of a relay server according to Embodiment 4 of the present invention;
FIG. 7 is a schematic structural diagram of another relay server according to Embodiment 4 of the present invention;
FIG. 8 is a schematic structural diagram of a relay server according to Embodiment 5 of the present invention;
FIG. 9 is a schematic structural diagram of another relay server according to Embodiment 5 of the present invention;
FIG. 10 is a schematic structural diagram of a relay server according to Embodiment 6 of the present invention;
FIG. 11 is a schematic structural diagram of another relay server according to Embodiment 6 of the present invention;
FIG. 12 is a schematic structural diagram of a relay server according to Embodiment 7 of the present invention;
FIG. 13 is a schematic structural diagram of another relay server according to Embodiment 7 of the present invention;
FIG. 14 is a schematic structural diagram of a terminal device according to Embodiment 8 of the present invention;
FIG. 15 is a schematic structural diagram of another terminal device according to Embodiment 8 of the present invention;
FIG. 16 is a schematic structural diagram of a terminal device according to Embodiment 9 of the present invention.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on these embodiments without creative effort fall within the protection scope of the present invention.
The term "and/or" herein merely describes an association between related objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, both A and B, or B alone. In addition, the character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
The technical solution provided by the embodiments of the present invention may be applied to firewall/NAT traversal scenarios in IP (Internet Protocol) multimedia communication, and specifically to the process in which a terminal device establishes a TURN connection with a relay server in such a scenario. The IP multimedia communication may be a VoIP (Voice over Internet Protocol) session, IP video communication, or the like.
Two logical channels exist in the TURN connection process: a TURN data channel that carries the upper-layer VoIP media, and a control information channel used to establish the data channel (referred to below as the "TURN control channel"). The TURN connection process includes a media relay address allocation phase and a media relay path connectivity check phase.
The "media relay address allocation phase" is the phase in which the relay server allocates a media relay address to the terminal device, and may specifically include: the terminal device sends a media relay address allocation request message to the relay server; the relay server allocates a media relay address to the terminal device; where the media relay address is used for media session negotiation between the terminal device and the communication peer.
The "media relay path connectivity check phase" is the phase in which the terminal device sends a media relay path connectivity check (Connectivity Check) request message and then determines whether the media relay path is usable by whether a connectivity check response message is received. The media relay path connectivity check request messages include: the create permission request (create Permission request) message, the TURN data channel binding request message (Channel Bind request), and the STUN (Simple Traversal of UDP through NAT) binding request (STUN binding request) message. The create permission request message lets the relay server learn the address of the communication peer that is permitted to access the media relay address of the terminal device; the TURN data channel binding request message creates a TURN data channel between the terminal device and the relay server; the STUN binding request message determines whether packets between the terminal device and the communication peer can reach the communication peer over the media relay path between them.
It should be noted that the interaction messages between the relay server and the terminal device follow the TURN protocol and are referred to as TURN control messages. The TURN protocol stipulates that the relay server must authenticate the terminal device after receiving each TURN control message sent by the terminal device, and must return a response message for each TURN control message (request message) the terminal device sends. Every TURN control message in the above "media relay address allocation phase" and "media relay path connectivity check phase" follows the TURN protocol.
With the credential replacement method provided by the embodiments of the present invention, the relay server may use the first credential and the second credential to authenticate the terminal device during every TURN connection; to protect the information security of the terminal device, the first credential used in any two TURN connections may differ, and the second credential used in any two TURN connections may differ. Unless otherwise stated, the "first credential" below refers to the first credential used in the current TURN connection, and the "second credential" refers to the second credential used in the current TURN connection.
In the embodiments of the present invention, "the relay server authenticates the terminal device" may specifically mean that the relay server performs TURN authentication on the terminal device. The "relay server" may be a TURN server or the like; the "signaling server" may be a VoIP server or the like, where the VoIP server may be a SIP server or a WebRTC server.
Embodiment 1
As shown in FIG. 1, a credential replacement method provided by an embodiment of the present invention includes:
101: The relay server receives a first account and a second credential sent by the signaling server; where the first account is the account in the first credential used by the relay server to authenticate the terminal device in the current media relay address allocation phase, and the second credential is the credential generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase.
The first credential includes a first account and a first password. In the first TURN connection, the first credential may be a credential generated by the relay server when provisioning the account-opening service for the terminal device; in the nth TURN connection (n ≥ 2, n an integer), the first credential may be the new first credential generated in the (n-1)th TURN connection by the technical solution of the embodiments of the present invention. Two consecutive TURN connections may serve the same kind of IP multimedia communication (for example, both VoIP sessions) or different kinds (for example, one TURN connection for a VoIP session and the next for IP video communication). Generally, the first credential may already be stored in the relay server and the terminal device before the current TURN connection, and is not associated with the current TURN connection.
The second credential includes a second account and a second password. The second credential may be a short-term credential generated by the signaling server for the ICE (Interactive Connectivity Establishment) client; of course, it may also be another kind of credential. Generally, the second credential is generated temporarily by the signaling server for the current TURN connection and is associated with it; in addition, after the current TURN connection ends, the second credential may be deleted to save storage space.
Before step 101, the method may further include: the terminal device sends a credential indication message to the signaling server, so that the signaling server generates the second credential according to the credential indication message.
It should be noted that the first account and the second account identify the same terminal device, but because the first account is generated by the relay server and the second account by the signaling server, the relay server cannot recognize the second account and the signaling server cannot recognize the first account. Therefore, in a specific implementation, the terminal device may include the first account in the credential indication message sent to the signaling server, so that the signaling server learns the first account by parsing the credential indication message; further, the signaling server sends the first account and the second credential to the relay server, so that the relay server can associate the second credential with the terminal device by recognizing the first account.
The signaling server may carry the first account and the second credential in the same message or in different messages. To reduce the number of signaling messages and improve resource utilization, the signaling server may carry the first account and the second credential in an existing message (for example, an H.248 message) sent to the relay server.
It should also be noted that, in a specific implementation, the method may further include: establishing an interface between the relay server and the signaling server; where the interface is used to transmit the interaction messages between the relay server and the signaling server.
Optionally, after step 101, the method may further include: sending an update indication message to the terminal device, where the update indication message is used to cause the terminal device to generate the new first credential according to the second credential.
Exemplarily, this embodiment does not limit the order in which the relay server performs "sending the update indication message to the terminal device" and step 102. To reduce the number of signaling messages and improve resource utilization, when step 101 is implemented in manner one above, the information representing the update indication message may be carried in an existing message; alternatively, it may be a newly defined message.
It should be noted that the "update indication message" may include an update rule, which may include but is not limited to any of the following: the update mode, the update object, the update algorithm, and so on. The update mode may be mode 1) or mode 2) exemplified in step 102 below; the update object may be the first password and/or the first account; the update algorithm may be the "one-way function" algorithm described below, or the like. The relay server may send the update indication message to the terminal device according to the update rule it uses itself when updating the first credential, so that the relay server and the terminal device update the first credential by the same process; alternatively, the relay server may negotiate the update rule with the terminal device in advance, and the terminal device then updates the first credential with the negotiated update rule when it receives the update indication message from the relay server.
102: Generate a new first credential according to the second credential; where the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase, and is used to replace the first credential.
Optionally, step 102 may be implemented in, but is not limited to, the following two modes:
Mode 1): take the second credential as the new first credential.
Mode 2): generate the new first credential according to the first credential and the second credential.
Exemplarily, the new first credential includes a new first password, and mode 2) may include: generating the new first password according to the first password and the second password. Further, the new first credential may also include a new first account, and mode 2) may further include: generating the new first account according to the first account and the second account.
Optionally, "calculating the new first password according to the first password and the second password" may include: applying a one-way function to the first password and the second password to obtain the new first password. Optionally, "calculating the new first account according to the first account and the second account" may include: applying a one-way function to the first account and the second account to obtain the new first account. The one-way function may be a hash function or the like.
Optionally, the relay server replaces the first credential with the new first credential. The manner of replacement is not limited: the whole credential may be replaced, or only the changed part, such as the account or the password.
In the credential replacement method provided by this embodiment of the present invention, the relay server uses the second credential from the current media relay path connectivity check phase to generate a new first credential that replaces the first credential from the current media relay address allocation phase, thereby achieving dynamic replacement of the authentication credential. The method applies to an authentication mechanism that authenticates the terminal device with two credentials (the first credential and the second credential). Compared with the long-term credential mechanism of the prior art, an authentication mechanism that uses this credential replacement method does not readily allow the account and password to be cracked offline, so the security risk is small; in addition, because such a mechanism only needs to store the first credential in the terminal device, and the first credential is updated dynamically, it does not need to keep a fixed account and password in the terminal device, so its range of application is wider.
Embodiment 2
As shown in FIG. 2, a credential replacement method provided by an embodiment of the present invention includes:
201: The relay server receives an update request message sent by the terminal device that contains a first account and a second account; where the first account is the account in the first credential used by the relay server to authenticate the terminal device in the current media relay address allocation phase, and the second account is the account in the second credential generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase.
For explanations of the related content in this embodiment, refer to the descriptions in the other embodiments herein.
To save signaling messages and improve resource utilization, step 201 may optionally be implemented as: the relay server receives a media relay path connectivity check request message sent by the terminal device, where that message contains information representing the update request message. Exemplarily, in this optional manner, the media relay path connectivity check request message may specifically be the create permission request message or the TURN data channel binding request message, or the like. Alternatively, the update request message may be a newly defined message.
Optionally, after step 201, the method may further include: sending an update indication message to the terminal device, where the update indication message is used to cause the terminal device to generate the new first credential according to the second credential. Exemplarily, for explanations of the related content in this optional manner, refer to the descriptions in the other embodiments herein.
202: Authenticate the terminal device using the second credential.
This embodiment of the present invention does not limit the authentication method in step 202; an authentication method of the prior art may be used.
After step 101 and before step 102, the method may further include: receiving the second credential sent by the signaling server; step 102 may include: obtaining, according to the second account contained in the update indication message, the second credential to which that second account belongs, and authenticating the terminal device using that second credential.
203: After the authentication succeeds, generate a new first credential according to the second credential; where the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase, and is used to replace the first credential.
Optionally, "generating a new first credential according to the second credential" may be implemented in, but is not limited to, the following two modes:
Mode 1): take the second credential as the new first credential.
Mode 2): generate the new first credential according to the first credential and the second credential.
Exemplarily, the new first credential includes a new first password, and mode 2) may include: generating the new first password according to the first password and the second password. Further, the new first credential may also include a new first account, and mode 2) may further include: generating the new first account according to the first account and the second account.
Optionally, "calculating the new first password according to the first password and the second password" may include: applying a one-way function to the first password and the second password to obtain the new first password. Optionally, "calculating the new first account according to the first account and the second account" may include: applying a one-way function to the first account and the second account to obtain the new first account. The one-way function may be a hash function or the like.
Optionally, the relay server replaces the first credential with the new first credential. The manner of replacement is not limited: the whole credential may be replaced, or only the changed part, such as the account or the password.
In a specific implementation, if the authentication result in step 202 is an authentication failure, the method may further include: the relay server sends an authentication failure response message to the terminal device. In addition, according to the existing TURN protocol, during the media relay path connectivity check phase, if the relay server cannot complete authentication of the terminal device within a certain period of time, it releases the media relay address allocated to that terminal device and terminates the TURN connection with it, to save resources.
It should be noted that, during the current TURN connection, whenever the relay server receives a TURN control message sent by the terminal device that contains the second account, it authenticates the terminal device using the second credential. Because the TURN protocol requires the relay server to authenticate the terminal device after receiving each TURN control message it sends, every TURN control message the terminal device sends to the relay server contains an account, so that the relay server can authenticate the terminal device according to the credential to which that account belongs. In addition, in a specific implementation, the TURN control message may also contain a reference quantity corresponding to that account; for the explanation and use of the "reference quantity", refer to the related description below.
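The following is an added model of the flow in Embodiments 1 and 2 (steps 101-102 and 201-203) together with the terminal side of Embodiment 3; it is example code written for this page, not code from the patent or from any TURN implementation. Everything not stated in the patent is an assumption of the example: the update request is a constructed text message protected by an HMAC-SHA1 message integrity value keyed with the second password (the STUN short-term credential style), the one-way function is SHA-256 over a colon-joined concatenation, the new first account is truncated to 16 hex characters, and the signaling server generates the second credential with random tokens. The relay keeps the second credential indexed by the first account because, as the text notes, it cannot recognize the second account on its own; a failed integrity check returns without rotating anything.

```python
"""Added example: dual-credential TURN authentication with credential replacement.
All message formats, the HMAC-SHA1 integrity check and the SHA-256 derivation are
assumptions of this example; the patent only requires "a one-way function"."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    account: str
    password: str


def derive_new_first(first: Credential, second: Credential, mode: int = 2,
                     update_account: bool = True) -> Credential:
    """Update rule: mode 1 adopts the second credential as the new first
    credential; mode 2 derives it from both with a one-way function (assumed:
    SHA-256). update_account selects the update object (password only, or
    password and account)."""
    if mode == 1:
        return second

    def h(a: str, b: str) -> str:
        return hashlib.sha256(f"{a}:{b}".encode()).hexdigest()

    new_password = h(first.password, second.password)
    # assumption: the derived account is shortened to 16 hex characters
    new_account = h(first.account, second.account)[:16] if update_account else first.account
    return Credential(new_account, new_password)


def message_integrity(msg: bytes, password: str) -> bytes:
    # assumption: STUN short-term-credential style, HMAC-SHA1 keyed with the password
    return hmac.new(password.encode(), msg, hashlib.sha1).digest()


class RelayServer:
    def __init__(self, first: Credential):
        self.first = first
        self.second_by_first_account = {}  # first account -> second credential

    def receive_from_signaling(self, first_account: str, second: Credential) -> None:
        # step 101: the relay learns the second credential under the first account
        self.second_by_first_account[first_account] = second

    def update_request(self, first_account: str, second_account: str,
                       body: bytes, mi: bytes) -> bool:
        # steps 201-203: look up the second credential, authenticate, then rotate
        second = self.second_by_first_account.get(first_account)
        if second is None or second.account != second_account or first_account != self.first.account:
            return False
        if not hmac.compare_digest(message_integrity(body, second.password), mi):
            return False  # authentication failure: the first credential is untouched
        self.first = derive_new_first(self.first, second)
        return True


class SignalingServer:
    def __init__(self, relay: RelayServer):
        self.relay = relay

    def credential_indication(self, first_account: str) -> Credential:
        # generates the per-session second (short-term) credential (constructed values)
        second = Credential("ice-" + secrets.token_hex(4), secrets.token_urlsafe(12))
        self.relay.receive_from_signaling(first_account, second)
        return second


class Terminal:
    def __init__(self, first: Credential):
        self.first = first
        self.second = None

    def run_session(self, sig: SignalingServer, relay: RelayServer) -> bool:
        # steps 301-303: obtain the second account, then send the update request
        self.second = sig.credential_indication(self.first.account)
        body = f"UPDATE {self.first.account} {self.second.account}".encode()  # constructed format
        mi = message_integrity(body, self.second.password)
        ok = relay.update_request(self.first.account, self.second.account, body, mi)
        if ok:  # update indication received: derive the same new first credential locally
            self.first = derive_new_first(self.first, self.second)
        return ok


def demo(sessions: int = 3) -> list:
    """Runs several TURN connections and returns the first account used after each;
    both sides must hold the same rotated first credential after every session."""
    first = Credential("turn-user", "initial-secret")  # constructed initial credential
    relay, term = RelayServer(first), Terminal(first)
    sig = SignalingServer(relay)
    accounts = []
    for _ in range(sessions):
        assert term.run_session(sig, relay)
        assert term.first == relay.first
        accounts.append(term.first.account)
    return accounts


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is that the long-lived first credential never crosses the network after provisioning: only accounts and a keyed integrity value are sent, and the password that keys the check is the short-lived second password, so an offline guess against captured traffic targets a per-session secret that is discarded when the connection ends.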
本发明实施例提供的认证凭证更替的方法,中继服务器利用本次媒体中继路径连通性检查阶段中的第二凭证生成用于更替本次媒体中继地址分配阶段中的第一凭证的新的第一凭证,从而实现认证凭证的动态更替。该方法应用于利用双凭证(第一凭证和第二凭证)对终端设备进行认证的认证机制中。与现有技术中的长期认证机制相比,使用了该认证凭证更替的方法的认证机制不容易导致账号和密码被离线破解,安全风险小;另外,由于使用了该认证凭证更替的方法的认证机制只需要在终端设备中存储第一凭证,而第一凭证是动态更新的,因此使用了该认证凭证更替的方法的认证机制不需要在终端设备中保存固定的账号和密码,因此应用范围较大。In the method for replacing the authentication credential provided by the embodiment of the present invention, the relay server generates a new one for replacing the first credential in the media relay address allocation phase by using the second credential in the media relay path connectivity check phase. The first credential, thereby achieving dynamic replacement of the authentication credential. The method is applied to an authentication mechanism for authenticating a terminal device using a double credential (a first credential and a second credential). Compared with the long-term authentication mechanism in the prior art, the authentication mechanism using the method of replacing the authentication credential does not easily cause the account and password to be broken offline, and the security risk is small; in addition, the authentication is performed by using the method of replacing the authentication credential. The mechanism only needs to store the first credential in the terminal device, and the first credential is dynamically updated, so the authentication mechanism using the method of replacing the authentication credential does not need to save a fixed account and password in the terminal device, so the application scope is relatively Big.
Embodiment 3
As shown in FIG. 3, a method for replacing an authentication credential provided by an embodiment of the invention includes:
301: The terminal device obtains a first account, where the first account is the account in the first credential used by the relay server to authenticate the terminal device in the current media relay address allocation phase.
For explanations of the related content in this embodiment, refer to the descriptions in the other embodiments herein.
302: Receive a second account sent by the signaling server, where the second account is the account in the second credential that is generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase.
Optionally, before step 302, the method may further include: sending a credential indication message to the signaling server, where the credential indication message causes the signaling server to generate the second credential. In a specific implementation, to save signaling overhead, the credential indication message may be carried in a session call request message. Step 302 may be implemented as: receiving a second credential sent by the signaling server, where the second credential includes the second account. In a specific implementation, to save signaling overhead, the second credential may be carried in a session call response message.
303: Send an update request message containing the first account and the second account to the relay server, where the update request message causes the relay server to generate a new first credential according to the second credential; the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase, and is used to replace the first credential.
Optionally, after step 302, the method may further include: receiving an update indication message sent by the relay server; and generating the new first credential according to the second credential.
Optionally, the terminal device replaces the first credential with the new first credential. The manner of replacement is not limited: the whole credential may be replaced, or only the changed part, such as the account or the password.
Optionally, "generating the new first credential according to the second credential" may be implemented in, but is not limited to, the following two manners:
Manner 1): Use the second credential as the new first credential.
Manner 2): Generate the new first credential according to the first credential and the second credential.
Exemplarily, the new first credential includes a new first password, and manner 2) may include: generating the new first password according to the first password and the second password. Further, the new first credential may also include a new first account, and manner 2) may further include: generating the new first account according to the first account and the second account.
Optionally, "computing the new first password according to the first password and the second password" may include: applying a one-way function to the first password and the second password to obtain the new first password. Optionally, "computing the new first account according to the first account and the second account" may include: applying a one-way function to the first account and the second account to obtain the new first account. The one-way function may be a hash function or the like.
In the authentication credential replacement method provided by this embodiment of the invention, the relay server uses the second credential of the current media relay path connectivity check phase to generate a new first credential that replaces the first credential of the current media relay address allocation phase, thereby achieving dynamic replacement of the authentication credential. The method applies to an authentication mechanism that authenticates the terminal device with two credentials (a first credential and a second credential). Compared with the long-term credential mechanism of the prior art, an authentication mechanism that uses this credential replacement method is less likely to have its account and password cracked offline, so the security risk is small; moreover, because such a mechanism only needs to store the first credential in the terminal device, and the first credential is updated dynamically, it does not need to keep a fixed account and password in the terminal device, so it has a wider range of application.
The application of the authentication credential replacement method provided above to an authentication method is described below through two specific embodiments (Embodiment 1 and Embodiment 2). It should be noted that in both specific embodiments the scenario of the authentication method is a single TURN connection, and explanations of the related content in these two embodiments can be found above.
Embodiment 1
As shown in FIG. 4, an authentication method provided by this embodiment includes:
401. The terminal device sends an allocate media relay address request message to the relay server, where the allocate media relay address request message contains a first account and a reference quantity corresponding to the first account.
The "reference quantity corresponding to the first account" is a value, or a range of values, determined from the value obtained when the terminal device performs a hash computation over the first password and a random number according to a preset authentication algorithm; the preset authentication algorithm is an algorithm agreed in advance between the terminal device and the relay server for performing the hash computation with the first password.
Step 401 may include: the terminal device sends the allocate media relay address request message to the relay server via the TURN protocol. The "first account" may be carried in the username attribute of the existing TURN protocol attributes.
402. The relay server obtains the first credential according to the first account, and authenticates the terminal device using the first credential and the reference quantity corresponding to the first account.
Step 402 may include: the relay server obtains the first password via the first account, computes over the first password with the preset authentication algorithm, and obtains a computation result. When the reference quantity is a single value, it checks whether the computation result equals the reference quantity; if so, authentication succeeds, otherwise authentication fails. When the reference quantity is a range of values, it checks whether the computation result lies within that range; if so, authentication succeeds, otherwise authentication fails. Successful authentication indicates that the terminal device is legitimate, and step 403 is performed; failed authentication indicates that the terminal device is not legitimate, and an authentication-failure response message is returned to the terminal device.
It should be noted that, because the relay server must authenticate the terminal device after receiving each TURN control message sent by the terminal device, each TURN control message the terminal device sends to the relay server contains an account and a reference quantity computed with the password corresponding to that account, so that the relay server can authenticate the terminal device according to the credential to which that account belongs.
403. After successful authentication, the relay server allocates a media relay address to the terminal device according to the allocate media relay address request message.
For the specific implementation of step 403, refer to the prior art; it is not described here.
404. The relay server sends an allocate media relay address response message to the terminal device, where the allocate media relay address response message contains the media relay address allocated by the relay server to the terminal device.
Steps 401-404 are the specific implementation of the phase in which the relay server allocates a media relay address to the terminal device.
405. The terminal device sends a session call request message to the signaling server, where the session call request message contains the media relay address allocated by the relay server to the terminal device, information representing a credential request message, and the first account.
406. The signaling server generates a second credential for the terminal device according to the information representing the credential request message, where the second credential includes a second account and a second password.
407. The signaling server sends a session call response message to the terminal device, where the session call response message contains the second credential.
408. The signaling server sends an association request message to the relay server, where the association request message contains the first account and the second credential.
In a specific implementation, this embodiment of the invention does not limit the order in which steps 407 and 408 are performed: step 407 may be performed before step 408, step 408 may be performed before step 407, or the two steps may be performed simultaneously.
In addition, after performing steps 407 and 408, the signaling server may delete the second credential to save storage space.
409. The relay server establishes an association between the first account and the second account.
"Establishing an association between the first account and the second account" specifically means binding the first account and the second account that jointly identify one terminal device, so that in the media relay path connectivity check phase the relay server authenticates the terminal device with the second credential to which the second account bound to the first account belongs; and, when credentials are replaced, the relay server uses the second credential to which the second account belongs to update the first credential to which the first account bound to that second account belongs.
It should be noted that, because the relay server stores the first accounts and second accounts of multiple terminal devices connected to it, it must associate the first account and the second account that jointly identify one terminal device in order to manage the first and second accounts of the different terminal devices.
410. The terminal device sends a create permission request message to the relay server, where the create permission request message contains the second account and the reference quantity corresponding to the second account.
Exemplarily, for the explanation of the reference quantity corresponding to the second account, refer to the explanation of the reference quantity corresponding to the first account in Embodiment 6 above.
411. The relay server obtains the second credential according to the second account, and authenticates the terminal device using the second credential and the reference quantity corresponding to the second account.
412. After successful authentication, a create permission response message is sent to the terminal device, where the create permission response message contains information representing an update indication message, and the update indication message contains information representing the association.
413. The terminal device computes a new first credential according to the first credential and the second credential, where the new first credential is the credential used in the next TURN connection; and replaces the first credential with the new first credential.
After step 413 is performed, the first credential used in the current TURN connection becomes invalid.
This embodiment of the invention does not limit the computation method used to update the first account and the first password; one computation method is provided below as an example:
The first account may be updated as follows:
Username_f_new = PDF(username_f_old, username_s), where username_f_new denotes the new first account, PDF denotes the function name of a one-way function (and also stands for the algorithm), username_f_old denotes the first account, and username_s denotes the second account.
The first password may be updated as follows: PWD_f_new = KDF(PWD_f_old, PWD_s, other parameters), where PWD_f_new denotes the new first password, KDF denotes the function name of a one-way function (and also stands for the algorithm, which may for example be MD5 (Message-Digest Algorithm 5, a one-way hash algorithm) or the like), PWD_f_old denotes the first password, PWD_s denotes the second password, and the other parameters are optional parameters, for example the transaction id or the NONCE parameter in the association response message.
414. The relay server computes a new first credential according to the first credential and the second credential, where the new first credential is the credential used in the next TURN connection; and replaces the first credential with the new first credential.
For the specific update computation in step 414, refer to step 413.
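The flow of steps 401-415, carried through as an added Python example that is not part of the patent: a simulated relay server issues a single-use nonce as the random number, checks the reference quantity of whichever credential the message's account belongs to, and after the create permission exchange both sides derive the same new first credential with the PDF/KDF rule of step 413. SHA-256 as the one-way function, the nonce handling, and the transaction id of the update indication as the optional KDF parameter are assumptions of this example; the account and password values are constructed.

```python
import hashlib
import hmac
import secrets

# Preset authentication algorithm (assumed: SHA-256; the patent leaves the hash
# open and names MD5 only as one option). The reference quantity is the hash of
# the password and a random number, here a server-issued single-use nonce.
def reference_quantity(password: str, nonce: bytes) -> bytes:
    return hashlib.sha256(password.encode() + nonce).digest()

# Step 413 account update: Username_f_new = PDF(username_f_old, username_s).
def pdf_username(username_f_old: str, username_s: str) -> str:
    return hashlib.sha256(f"{username_f_old}\x00{username_s}".encode()).hexdigest()[:16]

# Step 413 password update: PWD_f_new = KDF(PWD_f_old, PWD_s, other parameters);
# the optional parameter here is the transaction id of the update indication.
def kdf_password(pwd_f_old: str, pwd_s: str, transaction_id: bytes) -> str:
    return hashlib.sha256(f"{pwd_f_old}\x00{pwd_s}".encode() + transaction_id).hexdigest()

# Step 413, terminal side: the same update rule as the relay server.
def terminal_new_first(username_f, pwd_f, username_s, pwd_s, transaction_id):
    return pdf_username(username_f, username_s), kdf_password(pwd_f, pwd_s, transaction_id)

class RelayServer:
    def __init__(self):
        self.first = {}      # first credentials:  username_f -> pwd_f
        self.second = {}     # second credentials: username_s -> pwd_s
        self.assoc = {}      # step 409 association: username_s -> username_f
        self.nonces = set()  # outstanding nonces, each usable once

    def issue_nonce(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.nonces.add(nonce)
        return nonce

    def _authenticate(self, store, username, nonce, ref) -> bool:
        # Every TURN control message is checked against the credential its
        # account belongs to; an unknown account or a reused nonce is rejected.
        if nonce not in self.nonces or username not in store:
            return False
        self.nonces.discard(nonce)
        return hmac.compare_digest(reference_quantity(store[username], nonce), ref)

    def allocate(self, username_f, nonce, ref) -> bool:
        """Steps 401-402: Allocate, authenticated with the first credential."""
        return self._authenticate(self.first, username_f, nonce, ref)

    def associate(self, username_f, username_s, pwd_s) -> None:
        """Steps 408-409: the signaling server delivers the second credential."""
        self.second[username_s] = pwd_s
        self.assoc[username_s] = username_f

    def create_permission(self, username_s, nonce, ref):
        """Steps 410-412: authenticate with the second credential and return the
        transaction id of the update indication, or None on failure."""
        if not self._authenticate(self.second, username_s, nonce, ref):
            return None
        return secrets.token_bytes(12)

    def replace_first(self, username_s, transaction_id) -> str:
        """Step 414: derive the new first credential and retire the old one."""
        username_f = self.assoc[username_s]
        pwd_f_old = self.first.pop(username_f)
        username_f_new = pdf_username(username_f, username_s)
        self.first[username_f_new] = kdf_password(pwd_f_old, self.second[username_s], transaction_id)
        return username_f_new

def run_turn_connection() -> dict:
    """One TURN connection (steps 401-415) followed by the next Allocate."""
    relay = RelayServer()
    username_f, pwd_f = "turnuser01", "first-secret"   # constructed provisioning
    relay.first[username_f] = pwd_f
    # 401-402: Allocate with the first credential; a replayed nonce fails.
    n = relay.issue_nonce()
    ref = reference_quantity(pwd_f, n)
    alloc_ok = relay.allocate(username_f, n, ref)
    replay_rejected = not relay.allocate(username_f, n, ref)
    # 405-409: the signaling server generates the second credential (constructed
    # random values) and hands it to both the terminal and the relay server.
    username_s, pwd_s = "ufrag-" + secrets.token_hex(4), secrets.token_urlsafe(16)
    relay.associate(username_f, username_s, pwd_s)
    # 410-412: create permission request with the second credential.
    n = relay.issue_nonce()
    tid = relay.create_permission(username_s, n, reference_quantity(pwd_s, n))
    # 413-414: both sides derive the new first credential independently.
    new_u_term, new_p_term = terminal_new_first(username_f, pwd_f, username_s, pwd_s, tid)
    new_u_relay = relay.replace_first(username_s, tid)
    # Next TURN connection: the old first credential is invalid, the new one works.
    n = relay.issue_nonce()
    old_rejected = not relay.allocate(username_f, n, reference_quantity(pwd_f, n))
    n = relay.issue_nonce()
    new_ok = relay.allocate(new_u_term, n, reference_quantity(new_p_term, n))
    return {"alloc_ok": alloc_ok, "replay_rejected": replay_rejected,
            "permission_ok": tid is not None, "same_username": new_u_term == new_u_relay,
            "old_rejected": old_rejected, "new_ok": new_ok}
```

All six flags returned by run_turn_connection() are True; the relay server never stores the terminal's password-derived reference quantity, only the credentials it compares against.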
It should be noted that the relay server may send the update indication message to the terminal device according to the update rule it uses in its own process of updating the first credential, to ensure that the relay server's update process is the same as the terminal device's; alternatively, the relay server may negotiate the update rule with the terminal device in advance, so that when the terminal device receives the relay server's indication to update the first credential, it updates the first credential with the negotiated update rule.
Steps 412-413 are the process by which the terminal device updates the first credential; this process may be performed at any step after the terminal device learns the association between the first account and the second account and before the current TURN connection ends. Step 414 is the process by which the relay server updates the first credential; this process may be performed at any step after the relay server establishes the association between the first account and the second account and before the current TURN connection ends. In addition, this embodiment of the invention does not limit the order in which the terminal device's update of the first credential and the relay server's update of the first credential are performed.
415. During the current TURN connection, whenever the relay server receives another TURN control message, it authenticates the terminal device with the second credential.
Exemplarily, the TURN control messages in step 415 may include a Refresh request message, a TURN data channel binding request message, and the like.
In the authentication method provided by this embodiment of the invention, the relay server authenticates the terminal device with two credentials (a first credential and a second credential), which improves the information security of the terminal device. Through the association between the first account and the second account, this embodiment uses the second credential of the current TURN connection to update the first credential of the current TURN connection, obtaining the first credential for the next TURN connection and thereby achieving dynamic updating of the authentication credential. Compared with the long-term credential mechanism of the prior art, the authentication method of this embodiment is less likely to have its account and password cracked offline, so the security risk is small; moreover, because the authentication mechanism that uses this credential replacement method only needs to store the first credential in the terminal device, and the first credential is updated dynamically, it does not need to keep a fixed account and password in the terminal device, so it has a wider range of application. At the same time, the authentication method of this embodiment carries the signaling exchanged during authentication in existing prior-art messages, which reduces the number of signaling messages and improves resource utilization. In addition, the authentication method of this embodiment enables VoIP call signaling to control the media relay path connectivity check phase.
Embodiment 2
As shown in FIG. 5, an authentication method provided by this embodiment includes:
Steps 501-504 are the same as steps 401-404 above; for details refer to Embodiment 1, which is not repeated here. Steps 501-504 are the specific implementation of the phase in which the relay server allocates a media address to the terminal device.
505. The terminal device sends a session call request message to the signaling server, where the session call request message contains the media relay address allocated by the relay server to the terminal device and information representing a credential request message.
It should be noted that the messages exchanged between the terminal device and the signaling server are called SIP messages; the terminal device and the signaling server use the SDP (Session Description Protocol) in SIP messages to negotiate the session information of both parties, which may include the media address, codec information, ICE-related parameters, and so on. In the prior art, SIP messages must be encrypted with TLS (Transport Layer Security) or IPSec (Internet Protocol Security); this embodiment assumes that all SIP messages have already been encrypted with TLS or IPSec, and the specific encryption method can be found in the prior art.
506. The signaling server generates a second credential according to the information representing the credential request message, where the second credential includes a second account and a second password.
Exemplarily, the second credential may be a credential randomly generated by the signaling server.
507. The signaling server sends a session call response message to the terminal device, where the session call response message contains the second credential.
In a specific implementation, the second account in the second credential may be carried in the ICE-ufrag attribute of the existing SDP attributes, and the second password in the second credential may be carried in the ICE-passwd attribute of the existing SDP attributes; of course, the second credential may also be carried in a newly defined SDP attribute line dedicated to it.
508. The signaling server sends the second credential to the relay server.
In a specific implementation, step 508 may include: the signaling server sends the second credential directly to the relay server over the interface between the signaling server and the relay server; or, the signaling server and the relay server pre-share a key, the signaling server encrypts the second credential with that key and sends the encrypted information to the terminal device in an SDP message, the terminal device forwards the encrypted information to the relay server in a TURN control message, and the relay server recovers the second credential with the key.
This embodiment of the invention does not limit the order in which steps 507 and 508 are performed: step 507 may be performed before step 508, step 508 may be performed before step 507, or the two steps may be performed simultaneously.
In addition, after performing steps 507 and 508, the signaling server may delete the second credential to save storage space.
509. The terminal device sends a create permission request message to the relay server, where the create permission request message contains information representing an association request message, and the association request message contains the first account and the second account.
In a specific implementation, the first account and the second account in the association request message may be carried in the following two manners:
1) Both the first account and the second account are carried in the username attribute of the existing TURN protocol attributes, and are distinguished by an agreed symbol, for example username = "second account" || "first account".
2) The first account is carried in a newly defined TURN protocol attribute, and the second account is carried in the username attribute of the existing TURN protocol attributes.
Of course, the first account and the second account in the association request message may also be carried in other ways; the two manners above are only examples. For instance, both the first account and the second account may be carried in newly defined TURN protocol attributes.
510. The relay server uses the second account carried in the association request message to obtain the second credential to which the second account belongs, and authenticates the terminal device with the second credential.
For the specific authentication process, refer to step 502.
511. After successful authentication, the relay server establishes an association between the first account and the second account.
512. The relay server sends a create permission response message to the terminal device, where the create permission response message contains information representing an update indication message, and the update indication message contains information representing the association.
The "information representing the update indication message" may be carried in an existing TURN protocol attribute or in a newly defined TURN protocol attribute dedicated to it. In addition, the update indication message may also include an update rule and the like; for the description of the update rule, refer to the text above.
Steps 513-515 are the same as steps 413-415; for details refer to Embodiment 1, which is not repeated here.
In the authentication method provided by this embodiment of the invention, the relay server authenticates the terminal device with two credentials (a first credential and a second credential), which improves the information security of the terminal device. Through the association between the first account and the second account, this embodiment uses the second credential of the current TURN connection to update the first credential of the current TURN connection, obtaining the first credential for the next TURN connection and thereby achieving dynamic updating of the authentication credential. Compared with the long-term credential mechanism of the prior art, the authentication method of this embodiment is less likely to have its account and password cracked offline, so the security risk is small; moreover, because the authentication mechanism that uses this credential replacement method only needs to store the first credential in the terminal device, and the first credential is updated dynamically, it does not need to keep a fixed account and password in the terminal device, so it has a wider range of application. At the same time, the authentication method of this embodiment carries the signaling exchanged during authentication in existing prior-art messages, which reduces the number of signaling messages and improves resource utilization. In addition, the authentication method of this embodiment enables VoIP call signaling to control the media relay path connectivity check phase.
Embodiment 4
As shown in FIG. 6, an embodiment of the invention provides a relay server 60 for performing the authentication credential replacement method provided in the method embodiments above. The relay server 60 includes:
a receiving unit 601, configured to receive a first account and a second credential sent by the signaling server, where the first account is the account in the first credential used by the relay server to authenticate the terminal device in the current media relay address allocation phase, and the second credential is the credential generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase;
更替单元602,用于根据所述第二凭证生成新的第一凭证;其中,所述新的第一凭证为在下一次媒体中继地址分配阶段中所述中继服务器对所述终端设备进行认证时使用的凭证,用于更替所述第一凭证。a replacement unit 602, configured to generate a new first credential according to the second credential; wherein the new first credential is that the relay server authenticates the terminal device in a next media relay address allocation phase The voucher used to replace the first voucher.
可选的,如图7所示,所述中继服务器60还包括:Optionally, as shown in FIG. 7, the relay server 60 further includes:
发送单元603,用于向所述终端设备发送更新指示消息,其中,所述更新指示消息用于使所述终端设备根据所述第二凭证生成所述新的第一凭证。The sending unit 603 is configured to send an update indication message to the terminal device, where the update indication message is used to enable the terminal device to generate the new first credential according to the second credential.
可选的,所述更替单元602具体用于:将所述第二凭证作为新的第一凭证;或,根据所述第一凭证和所述第二凭证生成新的第一凭证。Optionally, the replacing unit 602 is specifically configured to: use the second credential as a new first credential; or generate a new first credential according to the first credential and the second credential.
可选的,所述第一凭证还包括第一密码,所述第二凭证还包括第二密码,所述新的第一凭证包括新的第一密码;如图7所示,所述更替单元602包括:Optionally, the first credential further includes a first password, the second credential further includes a second password, where the new first credential includes a new first password; as shown in FIG. 7, the replacement unit 602 includes:
第一生成子单元6021,用于根据所述第一密码和所述第二密码生成所述新的第一密码。
The first generating sub-unit 6021 is configured to generate the new first password according to the first password and the second password.
可选的,所述第一生成子单元6021具体用于:对所述第一密码和所述第二密码进行单向函数计算,得到所述新的第一密码。Optionally, the first generating sub-unit 6021 is configured to perform a one-way function calculation on the first password and the second password to obtain the new first password.
可选的,所述新的第一凭证还包括新的第一账号;如图7所示,所述更替单元602还包括:Optionally, the new first credential further includes a new first account; as shown in FIG. 7, the replacing unit 602 further includes:
第二生成子单元6022,用于根据所述第一账号和所述第二账号生成所述新的第一账号。The second generating sub-unit 6022 is configured to generate the new first account according to the first account and the second account.
可选的,所述第二生成子单元6022具体用于:对所述第一账号和所述第二账号进行单向函数计算,得到所述新的第一账号。Optionally, the second generating sub-unit 6022 is configured to perform a one-way function calculation on the first account and the second account to obtain the new first account.
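To make the replacement unit's two options concrete, the following Python example (added here; it is not code from the patent or from any implementation of it) derives the new first credential from the first and second credentials and installs it in the relay server's credential store in place of the old one. The patent only requires a one-way function; HMAC-SHA256 keyed with the first value over the second is an assumed concrete choice, and the `Credential`, `one_way`, `derive_new_first_credential` and `RelayCredentialStore` names, as well as the sample accounts and passwords, are assumptions constructed for the example.

```python
"""Derivation of the new first credential (added example, not the patent's code).

The replacement unit has two options: (a) the second credential becomes the
new first credential; (b) the new first password is a one-way function of the
first and second passwords and, optionally, the new first account is a one-way
function of the first and second accounts.  HMAC-SHA256 keyed with the first
value over the second is an assumed concrete one-way function; the patent does
not name one.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Credential:
    """Account/password pair; both the first and the second credential have this shape."""
    account: str
    password: str


def one_way(first: str, second: str) -> str:
    """Assumed one-way function: HMAC-SHA256 keyed with `first` over `second`.

    Hex output keeps the result printable so it can travel in text signaling."""
    return hmac.new(first.encode(), second.encode(), hashlib.sha256).hexdigest()


def derive_new_first_credential(first: Credential, second: Credential, *,
                                combine: bool = True,
                                rotate_account: bool = False) -> Credential:
    """Return the credential the relay server accepts in the next media relay
    address allocation phase.

    combine=False          option (a): the second credential is reused as-is.
    combine=True           option (b): password = one_way(first pw, second pw);
      rotate_account=True    account = one_way(first account, second account)
      rotate_account=False   account is kept unchanged
    """
    if not combine:
        return second
    new_password = one_way(first.password, second.password)
    new_account = (one_way(first.account, second.account)
                   if rotate_account else first.account)
    return Credential(new_account, new_password)


class RelayCredentialStore:
    """First credentials held by the relay server, keyed by account.

    replace() is the replacement unit: the old first credential is removed and
    the new one installed under its (possibly new) account, so the previous
    account/password pair is no longer accepted in the next phase.
    """

    def __init__(self) -> None:
        self._first: Dict[str, Credential] = {}

    def install(self, cred: Credential) -> None:
        self._first[cred.account] = cred

    def lookup(self, account: str) -> Optional[Credential]:
        return self._first.get(account)

    def replace(self, first_account: str, second: Credential,
                **options: bool) -> Credential:
        first = self._first.pop(first_account)
        new_first = derive_new_first_credential(first, second, **options)
        self._first[new_first.account] = new_first
        return new_first


if __name__ == "__main__":
    # Constructed sample values; in the scheme the second credential comes from the signaling server.
    store = RelayCredentialStore()
    store.install(Credential("term-001", "pw-first"))
    second = Credential("chk-42", "pw-second")
    new_first = store.replace("term-001", second, rotate_account=True)
    print("new first credential:", new_first)
    print("old account still accepted:", store.lookup("term-001") is not None)
```

Because both sides compute the same one-way function over the same two inputs, the terminal device can derive the identical new first credential on receipt of the update indication message without the new password ever being sent over the network; the `replace` call also shows why the first credential in the terminal need not be fixed, since the stored pair changes every round.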
The relay server provided by this embodiment of the present invention is applied in an authentication mechanism that authenticates a terminal device using two credentials (a first credential and a second credential). Compared with the long-term authentication mechanism in the prior art, an authentication mechanism that uses this authentication credential replacement method does not easily allow the account and password to be cracked offline, so the security risk is small; in addition, because an authentication mechanism that uses this method only needs to store the first credential in the terminal device, and the first credential is dynamically updated, the mechanism does not need to keep a fixed account and password in the terminal device, so its scope of application is wide.
Embodiment 5
In a hardware implementation, the sending unit in Embodiment 4 may be a transmitter and the receiving unit may be a receiver, and the transmitter and the receiver may be integrated to form a transceiver; the replacement unit may be embedded in hardware form in, or be independent of, the processor of the relay server, or may be stored in software form in the memory of the relay server so that the processor can invoke it to perform the operations corresponding to the above units. The processor may be a central processing unit (CPU), a microprocessor, a single-chip microcomputer, or the like.
As shown in FIG. 8, an embodiment of the present invention provides a relay server 80 configured to perform the authentication credential replacement method provided in the foregoing method embodiments. The relay server 80 includes: a receiver 801, a memory 802, a processor 803, and a bus system 804.
The receiver 801, the memory 802, and the processor 803 are coupled together by the bus system 804. In addition to a data bus, the bus system 804 may include a power bus, a control bus, a status signal bus, and the like. For clarity of description, however, the various buses are all labeled as the bus system 804 in the figure.
The receiver 801 is configured to receive a first account and a second credential sent by a signaling server, where the first account is the account in the first credential used by the relay server to authenticate the terminal device in the current media relay address allocation phase, and the second credential is a credential generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase.
The memory 802 is configured to store a set of code, and the code stored in the memory 802 is used to control the processor 803 to generate a new first credential according to the second credential, where the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase and replaces the first credential.
Optionally, as shown in FIG. 9, the relay server further includes:
a transmitter 805, configured to send an update indication message to the terminal device, where the update indication message is used to cause the terminal device to generate the new first credential according to the second credential.
Optionally, the processor 803 is specifically configured to: use the second credential as the new first credential; or generate the new first credential according to the first credential and the second credential.
Optionally, the first credential further includes a first password, the second credential further includes a second password, and the new first credential includes a new first password; the processor 803 is specifically configured to: generate the new first password according to the first password and the second password.
Optionally, the processor 803 is specifically configured to: perform a one-way function calculation on the first password and the second password to obtain the new first password.
Optionally, the new first credential further includes a new first account; the processor 803 is specifically configured to: generate the new first account according to the first account and the second account.
Optionally, the processor 803 is specifically configured to: perform a one-way function calculation on the first account and the second account to obtain the new first account.
The relay server provided by this embodiment of the present invention is applied in an authentication mechanism that authenticates a terminal device using two credentials (a first credential and a second credential). Compared with the long-term authentication mechanism in the prior art, an authentication mechanism that uses this authentication credential replacement method does not easily allow the account and password to be cracked offline, so the security risk is small; in addition, because an authentication mechanism that uses this method only needs to store the first credential in the terminal device, and the first credential is dynamically updated, the mechanism does not need to keep a fixed account and password in the terminal device, so its scope of application is wide.
Embodiment 6
As shown in FIG. 10, an embodiment of the present invention provides a relay server 100 configured to perform the authentication credential replacement method provided in the foregoing method embodiments. The relay server 100 includes:
a receiving unit 1001, configured to receive an update request message sent by a terminal device that includes a first account and a second account, where the first account is the account in the first credential used by the relay server to authenticate the terminal device in the current media relay address allocation phase, and the second account is the account in the second credential generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase;
an authentication unit 1002, configured to authenticate the terminal device using the second credential; and
a replacement unit 1003, configured to generate a new first credential according to the second credential after the authentication unit authenticates the terminal device successfully, where the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase and replaces the first credential.
Optionally, as shown in FIG. 11, the relay server further includes: a sending unit 1004, configured to send an update indication message to the terminal device, where the update indication message is used to cause the terminal device to generate the new first credential according to the second credential.
Optionally, the replacement unit 1003 is specifically configured to: use the second credential as the new first credential; or generate the new first credential according to the first credential and the second credential.
Optionally, the first credential further includes a first password, the second credential further includes a second password, and the new first credential includes a new first password; the replacement unit 1003 is specifically configured to: generate the new first password according to the first password and the second password.
Optionally, the replacement unit 1003 is specifically configured to: perform a one-way function calculation on the first password and the second password to obtain the new first password.
Optionally, the new first credential further includes a new first account; the replacement unit 1003 is specifically configured to: generate the new first account according to the first account and the second account.
Optionally, the replacement unit 1003 is specifically configured to: perform a one-way function calculation on the first account and the second account to obtain the new first account.
The relay server provided by this embodiment of the present invention is applied in an authentication mechanism that authenticates a terminal device using two credentials (a first credential and a second credential). Compared with the long-term authentication mechanism in the prior art, an authentication mechanism that uses this authentication credential replacement method does not easily allow the account and password to be cracked offline, so the security risk is small; in addition, because an authentication mechanism that uses this method only needs to store the first credential in the terminal device, and the first credential is dynamically updated, the mechanism does not need to keep a fixed account and password in the terminal device, so its scope of application is wide.
Embodiment 7
In a hardware implementation, the receiving unit in Embodiment 6 may be a receiver; the authentication unit and the replacement unit may be embedded in hardware form in, or be independent of, the processor of the relay server, or may be stored in software form in the memory of the relay server so that the processor can invoke them to perform the operations corresponding to the above units. The processor may be a central processing unit (CPU), a microprocessor, a single-chip microcomputer, or the like.
As shown in FIG. 12, an embodiment of the present invention provides a relay server 120 configured to perform the authentication credential replacement method provided in the foregoing method embodiments. The relay server 120 includes: a receiver 1201, a memory 1202, a processor 1203, and a bus system 1204.
The receiver 1201, the memory 1202, and the processor 1203 are coupled together by the bus system 1204. In addition to a data bus, the bus system 1204 may include a power bus, a control bus, a status signal bus, and the like. For clarity of description, however, the various buses are all labeled as the bus system 1204 in the figure.
The receiver 1201 is configured to receive an update request message sent by a terminal device that includes a first account and a second account, where the first account is the account in the first credential used by the relay server to authenticate the terminal device in the current media relay address allocation phase, and the second account is the account in the second credential generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase.
The memory 1202 is configured to store a set of code, and the code stored in the memory 1202 is used to control the processor 1203 to perform the following actions: authenticate the terminal device using the second credential; and, after the authentication succeeds, generate a new first credential according to the second credential, where the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase and replaces the first credential.
Optionally, as shown in FIG. 13, the relay server 120 further includes: a transmitter 1205, configured to send an update indication message to the terminal device, where the update indication message is used to cause the terminal device to generate the new first credential according to the second credential.
Optionally, the processor 1203 is specifically configured to: use the second credential as the new first credential; or generate the new first credential according to the first credential and the second credential.
Optionally, the first credential further includes a first password, the second credential further includes a second password, and the new first credential includes a new first password; the processor 1203 is specifically configured to: generate the new first password according to the first password and the second password.
Optionally, the processor 1203 is specifically configured to: perform a one-way function calculation on the first password and the second password to obtain the new first password.
Optionally, the new first credential further includes a new first account; the processor 1203 is specifically configured to: generate the new first account according to the first account and the second account.
Optionally, the processor 1203 is specifically configured to: perform a one-way function calculation on the first account and the second account to obtain the new first account.
The relay server provided by this embodiment of the present invention is applied in an authentication mechanism that authenticates a terminal device using two credentials (a first credential and a second credential). Compared with the long-term authentication mechanism in the prior art, an authentication mechanism that uses this authentication credential replacement method does not easily allow the account and password to be cracked offline, so the security risk is small; in addition, because an authentication mechanism that uses this method only needs to store the first credential in the terminal device, and the first credential is dynamically updated, the mechanism does not need to keep a fixed account and password in the terminal device, so its scope of application is wide.
Embodiment 8
As shown in FIG. 14, an embodiment of the present invention provides a terminal device 140 configured to perform the authentication credential replacement method provided in the foregoing method embodiments. The terminal device 140 includes:
an obtaining unit 1401, configured to obtain a first account, where the first account is the account in the first credential used by a relay server to authenticate the terminal device in the current media relay address allocation phase;
a receiving unit 1402, configured to receive a second account sent by a signaling server, where the second account is the account in the second credential generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase; and
a sending unit 1403, configured to send an update request message that includes the first account and the second account to the relay server, where the update request message is used to cause the relay server to generate a new first credential according to the second credential, and the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase and replaces the first credential.
Optionally, the sending unit 1403 is further configured to send a credential indication message to the signaling server, where the credential indication message is used to cause the signaling server to generate the second credential.
Optionally, the receiving unit 1402 is further configured to receive an update indication message sent by the relay server; as shown in FIG. 15, the terminal device 140 further includes: a replacement unit 1404, configured to generate the new first credential according to the second credential.
Optionally, the replacement unit 1404 is specifically configured to: use the second credential as the new first credential; or generate the new first credential according to the first credential and the second credential.
Optionally, the first credential further includes a first password, the second credential further includes a second password, and the new first credential includes a new first password; as shown in FIG. 15, the replacement unit 1404 includes: a first generating subunit 14041, configured to generate the new first password according to the first password and the second password.
Optionally, the first generating subunit 14041 is specifically configured to: perform a one-way function calculation on the first password and the second password to obtain the new first password.
Optionally, the new first credential further includes a new first account; as shown in FIG. 15, the replacement unit 1404 further includes: a second generating subunit 14042, configured to generate the new first account according to the first account and the second account.
Optionally, the second generating subunit 14042 is specifically configured to: perform a one-way function calculation on the first account and the second account to obtain the new first account.
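The update-request exchange between the terminal device of this embodiment and the relay server of Embodiment 6, as an added Python example that is not code from the patent: the terminal sends an update request carrying both accounts, the relay server authenticates the request with the second credential before it generates the new first credential, and both parties then hold the same new first credential while the old one is no longer accepted in the next media relay address allocation phase. A request authenticated with a wrong second password is rejected and nothing is replaced. Assumptions the patent does not state: the terminal holds the whole second credential (account and password, not only the account), each request carries an HMAC-SHA256 over its fields keyed with the password it authenticates with, the one-way function is HMAC-SHA256, the update indication message carries the new first account, and every class, function and sample value (`term-001`, `initial-secret`, the `chk-` prefix) is constructed for the example.

```python
"""Update-request exchange of Embodiments 6 and 8 (added example, not the
patent's code).  Message integrity and the one-way function are both assumed
to be HMAC-SHA256; the patent specifies neither."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    account: str
    password: str


def one_way(a: str, b: str) -> str:
    """Assumed one-way function: HMAC-SHA256 keyed with a over b."""
    return hmac.new(a.encode(), b.encode(), hashlib.sha256).hexdigest()


def integrity(password: str, body: str) -> str:
    """Assumed message integrity: HMAC-SHA256 over the message body."""
    return hmac.new(password.encode(), body.encode(), hashlib.sha256).hexdigest()


def next_first(first: Credential, second: Credential) -> Credential:
    """Replacement option (b) with both account and password rotated."""
    return Credential(one_way(first.account, second.account),
                      one_way(first.password, second.password))


class RelayServer:
    def __init__(self) -> None:
        self.first: Dict[str, Credential] = {}   # first credentials by account
        self.second: Dict[str, Credential] = {}  # second credentials by first account

    def receive_from_signaling(self, first_account: str, second: Credential) -> None:
        """Receiving unit 601: first account plus second credential from the signaling server."""
        self.second[first_account] = second

    def handle_update_request(self, first_account: str, second_account: str,
                              mac: str) -> Optional[str]:
        """Authentication unit 1002, then replacement unit 1003.

        Returns the update indication (assumed here to be the new first
        account) on success, or None when authentication with the second
        credential fails; nothing is replaced on failure."""
        first = self.first.get(first_account)
        second = self.second.get(first_account)
        if first is None or second is None or second.account != second_account:
            return None
        expected = integrity(second.password, first_account + "|" + second_account)
        if not hmac.compare_digest(expected, mac):
            return None
        new = next_first(first, second)
        del self.first[first_account]   # old first credential is retired
        del self.second[first_account]  # second credential is single-use
        self.first[new.account] = new
        return new.account

    def authenticate_allocation(self, account: str, mac: str) -> bool:
        """Media relay address allocation phase: only the current first credential is accepted."""
        cred = self.first.get(account)
        if cred is None:
            return False
        return hmac.compare_digest(integrity(cred.password, "allocate|" + account), mac)


class TerminalDevice:
    def __init__(self, first: Credential) -> None:
        self.first = first
        self.second: Optional[Credential] = None

    def update_request(self) -> Tuple[str, str, str]:
        """Sending unit 1403: both accounts, authenticated with the second credential."""
        body = self.first.account + "|" + self.second.account
        return self.first.account, self.second.account, integrity(self.second.password, body)

    def on_update_indication(self) -> None:
        """Replacement unit 1404: derive the same new first credential locally."""
        self.first, self.second = next_first(self.first, self.second), None

    def allocation_request(self) -> Tuple[str, str]:
        return self.first.account, integrity(self.first.password, "allocate|" + self.first.account)


def run_exchange(tamper: bool = False) -> dict:
    """One replacement round; tamper=True gives the terminal a wrong second password."""
    relay, initial = RelayServer(), Credential("term-001", "initial-secret")  # constructed sample
    relay.first[initial.account] = initial
    term = TerminalDevice(initial)
    # The signaling server generates the second credential (after the terminal's
    # credential indication message) and delivers it to both parties.
    second = Credential("chk-" + secrets.token_hex(4), secrets.token_urlsafe(16))
    relay.receive_from_signaling(initial.account, second)
    term.second = Credential(second.account, "wrong") if tamper else second

    accepted = relay.handle_update_request(*term.update_request()) is not None
    if accepted:
        term.on_update_indication()
    old_mac = integrity(initial.password, "allocate|" + initial.account)
    return {
        "accepted": accepted,
        "old_first_valid": relay.authenticate_allocation(initial.account, old_mac),
        "terminal_first_valid": relay.authenticate_allocation(*term.allocation_request()),
        "terminal_account": term.first.account,
    }


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(tamper=True))
```

The point the exchange makes visible is that the new first password never crosses the network: the relay server and the terminal each compute it from the first and second passwords they already hold, so an observer of the signaling sees neither the old nor the new password, and the account/password pair that authenticated one allocation phase cannot be reused for the next.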
The terminal device provided by this embodiment of the present invention is applied in an authentication mechanism that authenticates a terminal device using two credentials (a first credential and a second credential). Compared with the long-term authentication mechanism in the prior art, an authentication mechanism that uses this authentication credential replacement method does not easily allow the account and password to be cracked offline, so the security risk is small; in addition, because an authentication mechanism that uses this method only needs to store the first credential in the terminal device, and the first credential is dynamically updated, the mechanism does not need to keep a fixed account and password in the terminal device, so its scope of application is wide.
Embodiment 9
In a hardware implementation, the sending unit in Embodiment 8 may be a transmitter and the receiving unit may be a receiver, and the transmitter and the receiver may be integrated to form a transceiver; the obtaining unit and the replacement unit may be embedded in hardware form in, or be independent of, the processor of the terminal device, or may be stored in software form in the memory of the terminal device so that the processor can invoke them to perform the operations corresponding to the above units. The processor may be a central processing unit (CPU), a microprocessor, a single-chip microcomputer, or the like.
As shown in FIG. 16, an embodiment of the present invention provides a terminal device 160 configured to perform the authentication credential replacement method provided in the foregoing method embodiments. The terminal device 160 includes: a receiver 1601, a transmitter 1602, a memory 1603, a processor 1604, and a bus system 1605.
The receiver 1601, the transmitter 1602, the memory 1603, and the processor 1604 are coupled together by the bus system 1605. In addition to a data bus, the bus system 1605 may include a power bus, a control bus, a status signal bus, and the like. For clarity of description, however, the various buses are all labeled as the bus system 1605 in the figure.
The memory 1603 is configured to store a set of code, and the code stored in the memory 1603 is used to control the processor 1604 to obtain a first account, where the first account is the account in the first credential used by a relay server to authenticate the terminal device in the current media relay address allocation phase.
The receiver 1601 is configured to receive a second account sent by a signaling server, where the second account is the account in the second credential generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase.
The transmitter 1602 is configured to send an update request message that includes the first account and the second account to the relay server, where the update request message is used to cause the relay server to generate a new first credential according to the second credential, and the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase and replaces the first credential.
Optionally, the transmitter 1602 is further configured to send a credential indication message to the signaling server, where the credential indication message is used to cause the signaling server to generate the second credential.
Optionally, the receiver 1601 is further configured to receive an update indication message sent by the relay server, and the processor 1604 is further configured to generate the new first credential according to the second credential.
Optionally, the processor 1604 is specifically configured to: use the second credential as the new first credential; or generate the new first credential according to the first credential and the second credential.
Optionally, the first credential further includes a first password, the second credential further includes a second password, and the new first credential includes a new first password; the processor 1604 is specifically configured to: generate the new first password according to the first password and the second password.
Optionally, the processor 1604 is specifically configured to: perform a one-way function calculation on the first password and the second password to obtain the new first password.
Optionally, the new first credential further includes a new first account; the processor 1604 is specifically configured to: generate the new first account according to the first account and the second account.
Optionally, the processor 1604 is specifically configured to: perform a one-way function calculation on the first account and the second account to obtain the new first account.
The terminal device provided by this embodiment of the present invention is applied in an authentication mechanism that authenticates a terminal device using two credentials (a first credential and a second credential). Compared with the long-term authentication mechanism in the prior art, an authentication mechanism that uses this authentication credential replacement method does not easily allow the account and password to be cracked offline, so the security risk is small; in addition, because an authentication mechanism that uses this method only needs to store the first credential in the terminal device, and the first credential is dynamically updated, the mechanism does not need to keep a fixed account and password in the terminal device, so its scope of application is wide.
另外,本发明实施例还提供了一种认证凭证更替的系统,包括:信令服务器和上述实施例四至实施例七中提供的任一种中继服务器。需要说明的是,该中继服务器的各功能模块的介绍可以参考上文,此处不再赘述。另外,该系统中还可以包括一个/多个终端设备。In addition, the embodiment of the present invention further provides a system for replacing the authentication credential, including: the signaling server and any one of the relay servers provided in Embodiment 4 to Embodiment 7 above. It should be noted that the introduction of each functional module of the relay server can be referred to the above, and details are not described herein again. In addition, one or more terminal devices may also be included in the system.
In the several embodiments provided by this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and an actual implementation may divide them differently; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network nodes. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware, or in hardware together with software functional units.
An integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit stored in the storage medium includes a number of instructions that cause a computing device (which may be a personal computer, a server, a network device or the like) to perform some of the steps of the methods described in the embodiments of the present invention. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements departing from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (32)
- 1. A method for replacing authentication credentials, comprising: a relay server receiving a first account and a second credential sent by a signaling server, where the first account is the account in a first credential used by the relay server to authenticate a terminal device in the current media relay address allocation phase, and the second credential is a credential generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase; and generating a new first credential according to the second credential, where the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase and replaces the first credential.
- 2. The method according to claim 1, wherein after the relay server receives the first account and the second credential sent by the signaling server, the method further comprises: sending an update indication message to the terminal device, where the update indication message causes the terminal device to generate the new first credential according to the second credential.
- 3. The method according to claim 1 or 2, wherein generating the new first credential according to the second credential comprises: using the second credential as the new first credential; or generating the new first credential according to the first credential and the second credential.
- 4. The method according to claim 3, wherein the first credential further comprises a first password, the second credential further comprises a second password, and the new first credential comprises a new first password; and generating the new first credential according to the first credential and the second credential comprises: generating the new first password according to the first password and the second password.
- 5. The method according to claim 4, wherein generating the new first password according to the first password and the second password comprises: applying a one-way function to the first password and the second password to obtain the new first password.
- 6. The method according to claim 4 or 5, wherein the new first credential further comprises a new first account; and generating the new first credential according to the first credential and the second credential further comprises: generating the new first account according to the first account and the second account (the account in the second credential).
- 7. The method according to claim 6, wherein generating the new first account according to the first account and the second account comprises: applying a one-way function to the first account and the second account to obtain the new first account.
- 8. A method for replacing authentication credentials, comprising: a relay server receiving an update request message sent by a terminal device that contains a first account and a second account, where the first account is the account in a first credential used by the relay server to authenticate the terminal device in the current media relay address allocation phase, and the second account is the account in a second credential generated by a signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase; authenticating the terminal device using the second credential; and, after the authentication succeeds, generating a new first credential according to the second credential, where the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase and replaces the first credential.
- 9. The method according to claim 8, wherein after the relay server receives the update request message containing the first account and the second account sent by the terminal device, the method further comprises: sending an update indication message to the terminal device, where the update indication message causes the terminal device to generate the new first credential according to the second credential.
- 10. The method according to claim 8 or 9, wherein generating the new first credential according to the second credential comprises: using the second credential as the new first credential; or generating the new first credential according to the first credential and the second credential.
- 11. The method according to claim 10, wherein the first credential further comprises a first password, the second credential further comprises a second password, and the new first credential comprises a new first password; and generating the new first credential according to the first credential and the second credential comprises: generating the new first password according to the first password and the second password.
- 12. The method according to claim 11, wherein generating the new first password according to the first password and the second password comprises: applying a one-way function to the first password and the second password to obtain the new first password.
- 13. A relay server, comprising: a receiving unit, configured to receive a first account and a second credential sent by a signaling server, where the first account is the account in a first credential used by the relay server to authenticate a terminal device in the current media relay address allocation phase, and the second credential is a credential generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase; and a replacement unit, configured to generate a new first credential according to the second credential, where the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase and replaces the first credential.
- 14. The relay server according to claim 13, further comprising: a sending unit, configured to send an update indication message to the terminal device, where the update indication message causes the terminal device to generate the new first credential according to the second credential.
- 15. The relay server according to claim 13 or 14, wherein the replacement unit is specifically configured to: use the second credential as the new first credential; or generate the new first credential according to the first credential and the second credential.
- 16. The relay server according to claim 15, wherein the first credential further comprises a first password, the second credential further comprises a second password, and the new first credential comprises a new first password; and the replacement unit comprises: a first generating subunit, configured to generate the new first password according to the first password and the second password.
- 17. The relay server according to claim 16, wherein the first generating subunit is specifically configured to apply a one-way function to the first password and the second password to obtain the new first password.
- 18. The relay server according to claim 16 or 17, wherein the new first credential further comprises a new first account; and the replacement unit further comprises: a second generating subunit, configured to generate the new first account according to the first account and the second account (the account in the second credential).
- 19. The relay server according to claim 18, wherein the second generating subunit is specifically configured to apply a one-way function to the first account and the second account to obtain the new first account.
- 20. A relay server, comprising: a receiving unit, configured to receive an update request message sent by a terminal device that contains a first account and a second account, where the first account is the account in a first credential used by the relay server to authenticate the terminal device in the current media relay address allocation phase, and the second account is the account in a second credential generated by a signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase; an authentication unit, configured to authenticate the terminal device using the second credential; and a replacement unit, configured to generate, after the authentication unit has authenticated the terminal device successfully, a new first credential according to the second credential, where the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase and replaces the first credential.
- 21. The relay server according to claim 20, further comprising: a sending unit, configured to send an update indication message to the terminal device, where the update indication message causes the terminal device to generate the new first credential according to the second credential.
- 22. The relay server according to claim 20 or 21, wherein the replacement unit is specifically configured to: use the second credential as the new first credential; or generate the new first credential according to the first credential and the second credential.
- 23. The relay server according to claim 22, wherein the first credential further comprises a first password, the second credential further comprises a second password, and the new first credential comprises a new first password; and the replacement unit is specifically configured to generate the new first password according to the first password and the second password.
- 24. The relay server according to claim 23, wherein the replacement unit is specifically configured to apply a one-way function to the first password and the second password to obtain the new first password.
- 25. A terminal device, comprising: an obtaining unit, configured to obtain a first account, where the first account is the account in a first credential used by a relay server to authenticate the terminal device in the current media relay address allocation phase; a receiving unit, configured to receive a second account sent by a signaling server, where the second account is the account in a second credential generated by the signaling server and used by the relay server to authenticate the terminal device in the current media relay path connectivity check phase; and a sending unit, configured to send to the relay server an update request message containing the first account and the second account, where the update request message causes the relay server to generate a new first credential according to the second credential, and the new first credential is the credential used by the relay server to authenticate the terminal device in the next media relay address allocation phase and replaces the first credential.
- 26. The terminal device according to claim 25, wherein the sending unit is further configured to send a credential indication message to the signaling server, where the credential indication message causes the signaling server to generate the second credential.
- 27. The terminal device according to claim 25 or 26, wherein the receiving unit is further configured to receive an update indication message sent by the relay server; and the terminal device further comprises a replacement unit, configured to generate the new first credential according to the second credential.
- 28. The terminal device according to claim 27, wherein the replacement unit is specifically configured to: use the second credential as the new first credential; or generate the new first credential according to the first credential and the second credential.
- 29. The terminal device according to claim 28, wherein the first credential further comprises a first password, the second credential further comprises a second password, and the new first credential comprises a new first password; and the replacement unit comprises: a first generating subunit, configured to generate the new first password according to the first password and the second password.
- 30. The terminal device according to claim 29, wherein the first generating subunit is specifically configured to apply a one-way function to the first password and the second password to obtain the new first password.
- 31. The terminal device according to claim 29 or 30, wherein the new first credential further comprises a new first account; and the replacement unit further comprises: a second generating subunit, configured to generate the new first account according to the first account and the second account (the account in the second credential).
- 32. The terminal device according to claim 31, wherein the second generating subunit is specifically configured to apply a one-way function to the first account and the second account to obtain the new first account.
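The rotation described in claims 1 to 12, as an added example that is not part of the patent or of any implementation of it. It assumes a concrete one-way function (SHA-256 over length-prefixed inputs), an HMAC-SHA256 integrity tag keyed by the credential password in place of the relay's real authentication exchange, and that the signaling server hands the complete second credential (account and password) to the terminal; the class and function names are illustrative. It goes one step beyond the claims by retiring the old first credential on the relay as soon as the new one is derived, so that a recorded old credential is refused afterwards.

```python
"""Added example (not from the patent): dual-credential rotation for a TURN-style relay.

First credential (account + password): authenticates the terminal in the media relay
address allocation phase.  Second credential: generated by the signaling server, used in
the connectivity check phase.  Afterwards relay and terminal each derive the new first
credential from (old first credential, second credential) with a one-way function.
Assumptions (not fixed by the patent): SHA-256 as the one-way function, HMAC-SHA256 as
the per-message integrity check, and the terminal receiving the whole second credential.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    account: str
    password: bytes


def one_way(*parts: bytes) -> bytes:
    """Assumed one-way function: SHA-256 over length-prefixed parts, so that
    (b"ab", b"") and (b"a", b"b") do not collide."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def derive_new_first(first: Credential, second: Credential) -> Credential:
    """Claims 4 to 7: new password = f(first password, second password),
    new account = f(first account, second account)."""
    new_password = one_way(first.password, second.password)
    new_account = one_way(first.account.encode(), second.account.encode()).hex()[:32]
    return Credential(new_account, new_password)


def integrity_tag(cred: Credential, message: bytes) -> bytes:
    """Assumed integrity check (stands in for TURN MESSAGE-INTEGRITY):
    HMAC-SHA256 keyed by the password over account || 0x00 || message."""
    return hmac.new(cred.password, cred.account.encode() + b"\x00" + message,
                    hashlib.sha256).digest()


def verify_tag(cred, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison; an unknown credential (None) never verifies."""
    return cred is not None and hmac.compare_digest(integrity_tag(cred, message), tag)


class RelayServer:
    """Current first credential per first account, plus the pending second credential
    that the signaling server pushed for that account."""

    def __init__(self) -> None:
        self.first: dict[str, Credential] = {}
        self.second: dict[str, Credential] = {}

    def register(self, first: Credential) -> None:
        self.first[first.account] = first

    def allocate(self, account: str, message: bytes, tag: bytes) -> bool:
        """Media relay address allocation phase: authenticate with the first credential."""
        return verify_tag(self.first.get(account), message, tag)

    def receive_second_credential(self, first_account: str, second: Credential) -> bool:
        """Claim 1: the signaling server sends (first account, second credential)."""
        if first_account not in self.first:
            return False
        self.second[first_account] = second
        return True

    def handle_update_request(self, first_account: str, second_account: str,
                              message: bytes, tag: bytes) -> bool:
        """Claim 8: verify the request with the second credential, then replace the
        first credential; the old one is discarded so it cannot be replayed."""
        second = self.second.get(first_account)
        if second is None or second.account != second_account:
            return False
        if not verify_tag(second, message, tag):
            return False
        old = self.first.pop(first_account)
        del self.second[first_account]
        new = derive_new_first(old, second)
        self.first[new.account] = new
        return True


def run_cycle(relay: RelayServer, first: Credential) -> Credential:
    """One allocation -> connectivity check -> rotation cycle, seen from the terminal.
    Returns the terminal's new first credential; raises if the relay refuses a step."""
    alloc = b"ALLOCATE"
    if not relay.allocate(first.account, alloc, integrity_tag(first, alloc)):
        raise RuntimeError("allocation refused")
    # Signaling server: fresh second credential, pushed to the relay and to the terminal.
    second = Credential("u-" + secrets.token_hex(6), secrets.token_bytes(16))
    relay.receive_second_credential(first.account, second)
    # Connectivity check phase: the terminal proves possession of the second credential.
    req = b"UPDATE"
    if not relay.handle_update_request(first.account, second.account, req,
                                       integrity_tag(second, req)):
        raise RuntimeError("update request refused")
    # Both sides derive the same new first credential; it is never sent on the wire.
    return derive_new_first(first, second)


if __name__ == "__main__":
    relay = RelayServer()
    cred = Credential("acct-0", b"initial-password")
    relay.register(cred)
    for _ in range(3):
        cred = run_cycle(relay, cred)
        print(cred.account, cred.password.hex())
```

The new first credential is never transmitted; each side computes it from material it already holds, so an attacker who records the allocation traffic and later recovers the old first password offline still lacks the second password needed to compute the next one, which is the property the description above claims for the scheme. Dropping the old entry on the relay at rotation time is the check a practitioner would add: without it, the relay would keep honouring a credential that the scheme intends to be single-cycle.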
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410525806.2 | 2014-09-30 | ||
CN201410525806.2A CN105516070B (en) | 2014-09-30 | 2014-09-30 | Authentication credential replacement method and apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016050133A1 (en) | 2016-04-07 |
Family
ID=55629416
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2015/089048 WO2016050133A1 (en) | 2014-09-30 | 2015-09-07 | Authentication credential replacement method and apparatus |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN105516070B (en) |
WO (1) | WO2016050133A1 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018063041A1 (en) * | 2016-09-28 | 2018-04-05 | Telefonaktiebolaget Lm Ericsson (Publ) | Methods and arrangements for binding a device application to a web service |
CN106603245A (en) * | 2017-01-03 | 2017-04-26 | 上海金融云服务集团安全技术有限公司 | Equipment replacement method based on out-of-band mixed biological authentication technology |
TWI763176B (en) * | 2020-12-14 | 2022-05-01 | 中華電信股份有限公司 | System and method for identity authentication |
CN115242521A (en) * | 2022-07-25 | 2022-10-25 | 深圳市潮流网络技术有限公司 | Password authentication method and device and communication method for initiating call by terminal equipment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7006436B1 (en) * | 2001-11-13 | 2006-02-28 | At&T Corp. | Method for providing voice-over-IP service |
CN1747457A (en) * | 2005-09-09 | 2006-03-15 | 北京中星微电子有限公司 | Communication for spanning gateway |
CN102196423A (en) * | 2010-03-04 | 2011-09-21 | 腾讯科技(深圳)有限公司 | Safety data transferring method and system |
CN102457580A (en) * | 2010-10-18 | 2012-05-16 | 中兴通讯股份有限公司 | NAT traversal method and system |
CN103607345A (en) * | 2013-11-21 | 2014-02-26 | 浙江宇视科技有限公司 | Method and system for setting up routing information by monitoring node |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102571328B (en) * | 2010-12-30 | 2016-01-27 | 中国移动通信集团公司 | The service calling method of user terminal, system and user terminal |
CN103731266B (en) * | 2012-10-12 | 2017-05-10 | 北京微智全景信息技术有限公司 | Method and system for authenticating electronic certificate |
CN103236935B (en) * | 2013-05-21 | 2016-04-13 | 北京梅泰诺电子商务有限公司 | A kind of two-dimension code user registration certification system and method thereof |
CN103401852B (en) * | 2013-07-23 | 2016-08-03 | 徐华 | Quick Response Code intelligent business card system based on certification and method for designing |
CN103780397B (en) * | 2014-02-25 | 2016-09-14 | 中国科学院信息工程研究所 | A kind of multi-screen multiple-factor convenient WEB identity authentication method |
- 2014-09-30: CN CN201410525806.2A (CN105516070B), not active, expired (fee related)
- 2015-09-07: WO PCT/CN2015/089048 (WO2016050133A1), active, application filing
Also Published As
Publication number | Publication date |
---|---|
CN105516070A (en) | 2016-04-20 |
CN105516070B (en) | 2019-01-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11399044B2 (en) | System and method for connecting a communication to a client | |
US9130935B2 (en) | System and method for providing access credentials | |
US9131026B2 (en) | Method and system for establishing media channel based on relay | |
CN110800331B (en) | Network verification method, related equipment and system | |
US8725885B1 (en) | Securely establishing ice relay connections | |
CN106233704B (en) | Method and apparatus by Relay mode network address translation hole punching voucher are provided | |
KR102021213B1 (en) | End-to-end service layer authentication | |
WO2016155668A1 (en) | Method for unified application authentication in trunking system, server and terminal | |
CN111373712A (en) | Method and system for authenticating Application Program Interface (API) callers | |
WO2017124837A1 (en) | Proxy method, server and client for sslvpn, and processing method thereof | |
US20140289839A1 (en) | Resource control method and apparatus | |
JP2020080530A (en) | Data processing method, device, terminal, and access point computer | |
US20150113588A1 (en) | Firewall Limiting with Third-Party Traffic Classification | |
US9350711B2 (en) | Data transmission method, system, and apparatus | |
US20140108668A1 (en) | Secured wireless session initiate framework | |
WO2016107454A1 (en) | Turn relay service reuse for nat traversal during media session resumption | |
US20160156623A1 (en) | Method and System for Transmitting and Receiving Data, Method and Device for Processing Message | |
WO2016050133A1 (en) | Authentication credential replacement method and apparatus | |
CN109936515B (en) | Access configuration method, information providing method and device | |
WO2013053305A1 (en) | Identification network end-to-end security establishing method, network side device and system | |
WO2016066027A1 (en) | Media transmission method and device | |
US10182037B2 (en) | Method for the transmission of a message by a server of an IMS multimedia IP core network, and server | |
WO2014201783A1 (en) | Encryption and authentication method, system and terminal for ad hoc network | |
US20160080276A1 (en) | Methods and arrangement for adapting quality of service for a private channel based on service awareness | |
JP2023088290A (en) | Remote access with man-in-the-middle attack prevention |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15845799; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 15845799; Country of ref document: EP; Kind code of ref document: A1 |