
CN101640669B - Method, system and device for SIP policy control authentication - Google Patents


Publication number
CN101640669B
Authority
CN
China
Prior art keywords
policy
control authentication
user agent
policy control
authentication information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN200810134586A
Other languages
Chinese (zh)
Other versions
CN101640669A (en
Inventor
任兰芳
贾科
尹瀚
位继伟
王绍斌
马骥
江为强
谷勇浩
辛阳
李茜
杨亚涛
李雪莲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Beijing University of Posts and Telecommunications
Original Assignee
Huawei Technologies Co Ltd
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd, Beijing University of Posts and Telecommunications filed Critical Huawei Technologies Co Ltd
Priority to CN200810134586A priority Critical patent/CN101640669B/en
Publication of CN101640669A publication Critical patent/CN101640669A/en
Application granted granted Critical
Publication of CN101640669B publication Critical patent/CN101640669B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the invention discloses a method for SIP policy control authentication, which comprises the following steps that: a policy server receives a subscription request from a user agent; the policy server generates policy control authentication information according to the subscription request; and the policy server sends the policy control authentication information to the user agent. In the embodiment of the invention, by performing security enhancement on an SIP policy control mechanism, a policy control authentication mechanism is designed, and a client is ensured to initiate a session request in strict accordance with a policy prescription so that the security of a session is enhanced.

Description

Method, system and device for SIP policy control authentication
Technical field
The embodiments of the invention relate to the field of communication technology, and in particular to a method, system and device for SIP policy control authentication.
Background art
SIP (Session Initiation Protocol) calls require policy control; for example, whether a given media stream encoding format or media stream type may be used is decided according to the service type of the call or the network conditions.
In the prior art, the SIP policy control mechanism formulates a corresponding policy for each call request and thereby controls the operation of the whole network. As shown in Fig. 1, it comprises the following steps:
Step 101: the user agent sends a request to the proxy server.
Step 102: after receiving the request, the proxy server returns a 488 response to the user agent, indicating that the user agent needs to obtain policy information.
Step 103: after receiving the 488 response, the user agent generates an MPDF (Media Policy Dataset Format) message body from the SDP (Session Description Protocol) message body, and then sends a subscription request carrying the MPDF message body to the policy server.
Step 104: the policy server returns a subscription notification to the user agent according to the session description; the notification carries the modified MPDF message body.
Step 105: after receiving this policy assignment message, the user agent checks the MPDF message body and modifies the session parameters accordingly, adds a Policy-Id parameter to the request message, and sends the request message to the proxy server again; Policy-Id is the address of the policy server.
Step 106: the proxy server checks whether the Policy-Id is correct and, if it is, forwards the request to the destination user.
However, the above method has no policy data authentication mechanism: the SIP proxy server cannot know whether the request it receives correctly applies the policy, so the policy mechanism is easy to attack. For example, in step 105 the user agent may modify restricted policy items such as the media stream type or the bandwidth, thereby obtaining illegitimate benefit and harming users or the network.
In the course of implementing the invention, the inventors found the following shortcomings in the prior art:
The prior art has no policy authentication mechanism and cannot guarantee the authenticity and integrity of policy information. A user can forge Policy-Id information without it having been assigned by the policy server, and thereby make illegitimate SIP calls through the corresponding proxy server; in addition, a malicious attacker can tamper with the MPDF message body and modify the policy information sent by the policy server, thereby endangering user and network security or obtaining illegitimate benefit.
Summary of the invention
The embodiments of the invention provide a method, system and device for SIP policy control authentication, to ensure the secure operation of the SIP policy mechanism.
An embodiment of the invention provides a method for SIP policy control authentication, comprising the following steps:
A policy server receives a subscription request from a user agent;
the policy server generates policy control authentication information according to the subscription request;
the policy server sends the policy control authentication information to the user agent.
An embodiment of the invention also provides a system for SIP policy control authentication, comprising a policy server, a proxy server and a user agent:
The policy server is configured to receive a subscription request from the user agent, generate policy control authentication information according to the subscription request, and send the policy control authentication information to the user agent;
the proxy server is configured to receive from the user agent a new invitation message that includes the policy control authentication information and to verify the policy control authentication information; if the verification result is correct, it forwards the new invitation message to the recipient of the invitation message; if the verification result is wrong, it sends a failure response message to the user agent;
the user agent is configured to receive from the proxy server a response message carrying a policy type, construct the subscription request according to that response message, send the subscription request to the policy server, and receive the policy control authentication information from the policy server.
An embodiment of the invention also provides a policy server, comprising:
a subscription request receiving unit, configured to receive a subscription request from a user agent;
a subscription request processing unit, configured to generate policy control authentication information according to the subscription request received by the subscription request receiving unit;
a policy control authentication information sending unit, configured to send the policy control authentication information generated by the subscription request processing unit to the user agent.
An embodiment of the invention also provides a proxy server, comprising:
an invitation message receiving unit, configured to receive an invitation message from a user agent, the invitation message including policy control authentication information;
an invitation message verification unit, configured to verify the policy control authentication information of the new invitation message received by the invitation message receiving unit; if the verification result is correct, it forwards the new invitation message to the recipient of the invitation message; if the verification result is wrong, it returns a failure response message to the user agent.
An embodiment of the invention also provides a network device, comprising:
a receiving unit, configured to receive from a proxy server a response message carrying a policy type;
a construction unit, configured to construct a subscription request according to the response message carrying the policy type received by the receiving unit;
a sending unit, configured to send the subscription request constructed by the construction unit to a policy server.
The embodiments of the invention strengthen the security of the SIP policy control mechanism by designing a policy control authentication mechanism, which ensures that the client initiates session requests in strict accordance with the policy and thereby strengthens the security of the session.
Description of the drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of a SIP policy control call in the prior art;
Fig. 2 is a flow chart of a method for SIP policy control authentication in an embodiment of the invention;
Fig. 3 is a detailed flow chart of a SIP policy control call in an embodiment of the invention;
Fig. 4 is a network architecture diagram in an embodiment of the invention;
Fig. 5 is a structural diagram of a policy server in an embodiment of the invention;
Fig. 6 is a structural diagram of a proxy server in an embodiment of the invention;
Fig. 7 is a structural diagram of a network device in an embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.
An embodiment of the invention provides a method for SIP policy control authentication, applied in a network comprising three network entities: a user agent, a proxy server and a policy server. As shown in Fig. 2, the method comprises the following steps:
Step 201: the policy server receives a subscription request from the user agent;
Step 202: the policy server generates policy control authentication information according to the subscription request;
Step 203: the policy server sends the policy control authentication information to the user agent.
The specific method of a SIP policy control call is described in detail below with reference to a specific embodiment, as shown in Fig. 3:
Step 301: the user agent sends an invitation message to the proxy server.
Step 302: after receiving the invitation message sent by the user agent, the proxy server finds no Policy-Id header field and returns a 488 response to the user agent. The response carries the policy type of the policy server, and the format of this response message is as follows:
INVITE sip:bob@biloxi.somewhere.com SIP/2.0
Supported: policy
From: Alice <sip:alice@atlanta.example.com>;tag=9fxced76sl
To: Bob <sip:bob@biloxi.somewhere.com>
Call-ID: rt4353gs2egf@atlanta.example.com
CSeq: 1 INVITE
Policy-Contact: <sip:policy@atlanta.example.com>;policy=session-spec-policy
Content-Length: 0
Step 303: the user agent decides according to the policy type whether to add <sip-parameters> tag information to the subscription request. If the policy type is session-spec-policy (session-specific policy), the tag information must be added; if the policy type is session-independent-policy (session-independent policy), it is not added. The user agent then sends the subscription request to the policy server. The <sip-parameters> tag information comprises fields such as Request-URI (policy server address), From (initiator of the request), To (recipient of the request), Method (request type) and Contact (contact of the requester). The format in which the <sip-parameters> tag information is added to the MPDF message body to generate the subscription request is as follows:
<property-set>
  <sip-parameters>
    <sip-parameter>
      <sip-parameter-name>
      </sip-parameter-name>
    </sip-parameter>
  </sip-parameters>
</property-set>
Each SIP header field is filled into the corresponding tag. For example, for the following invitation message of Fig. 2 (only the relevant header fields are given):
INVITE sip:bob@biloxi.somewhere.com SIP/2.0
From: Alice <sip:alice@atlanta.example.com>;tag=8675309
To: bob <sip:bob@biloxi.somewhere.com>
Call-ID: rt4353gs2egg@atlanta.example.com
CSeq: 1 INVITE
Contact: <sip:alice@atlanta.example.com>
The corresponding message carrying the tags is:
SUBSCRIBE sip:policy@atlanta.example.com SIP/2.0
From: Alice <sip:alice@atlanta.example.com>;tag=8675309
To: PS <sip:policy@atlanta.example.com>
Call-ID: rt4353gs2egg@pc.biloxi.example.com
CSeq: 1 SUBSCRIBE
Contact: <sips:alice@pc.biloxi.example.com>
Expires: 7200
Event: session-spec-policy
Accept: application/media-policy-dataset+xml
Content-Type: application/media-policy-dataset+xml
Content-Length: ...
The MPDF message body is:
<property-set>
  ... (other policy parameters)
  <sip-parameters>
    <sip-parameter><request-uri>sip:bob@biloxi.somewhere.com</request-uri></sip-parameter>
    <sip-parameter><from>sip:alice@atlanta.example.com</from></sip-parameter>
    <sip-parameter><to>sip:bob@biloxi.somewhere.com</to></sip-parameter>
    <sip-parameter><method>INVITE</method></sip-parameter>
    <sip-parameter><contact>sip:alice@atlanta.example.com</contact></sip-parameter>
  </sip-parameters>
  ... (other policy parameters)
</property-set>
Step 304: the policy server generates policy control authentication information according to the subscription request.
The policy server checks the received subscription request, modifies the MPDF message body according to the session parameters, network conditions and so on as the policy requires, and generates a new MPDF message body;
the policy server generates the Policy-Scope header field according to the subscription request and obtains the signature information through calculation;
the policy server generates the policy control authentication information from the new MPDF message body, the Policy-Scope header field and the signature information.
The policy control authentication information may comprise the following:
Policy-Id: a signature parameter is added to this header field.
Policy-Scope: its value is session-spec-policy or session-independent-policy, corresponding to the two policy types defined in draft-ietf-sip-session-policy-framework and also to the different content over which the signature is computed. This header field may additionally carry the parameter etime, which specifies the policy expiry time.
The signature is computed as signature = DigestAlgorithm(content), where content is the string to be signed.
If the policy type is session-spec-policy,
content = Request-URI | From | To | Method | Contact | Policy-Id | Policy-Scope | SDP message body.
If the policy type is session-independent-policy,
content = Policy-Id | Policy-Scope | SDP message body.
Here "|" is the concatenation operator, which joins the fields into a single string.
When computing the signature, the policy server may convert the new MPDF message body into the corresponding SDP message body and then perform the signature computation.
Step 305: the policy server sends a subscription notification to the user agent; the subscription notification includes the policy control authentication information.
The subscription notification defined according to the embodiment of the invention is as follows (irrelevant header fields omitted):
NOTIFY sip:alice@atlanta.example.com SIP/2.0
From: PS <sip:policy@atlanta.example.com>;tag=31451098
To: Alice <sip:alice@atlanta.example.com>;tag=8675309
Call-ID: rt4353gs2egg@alice.example.com
CSeq: 1 NOTIFY
Policy-Scope: session-spec-policy;etime=Thu, 21 Feb 2008 13:05:03 GMT
Policy-Id:
 PS<sip:policy@atlanta.example.com>;signature="ZYNBbHC00VMZr2kZt6
 VmCvPonWJMGvQTBDqghoWeLxJfzB2a1pxAr3VgrB0SsSAaifsRdiOPoQ
 ZYOy2wrVghuhcsMbHWUSFxI6p6q5TOQXHMmz6uEo3svJsSH49thyGnF
 VcnyaZ++yRlBYYQTLqWzJ+KVhPKbfU/pryhVn9Yc6U="
Event: session-spec-policy
Subscription-State: active;expires=7200
Content-Type: application/media-policy-dataset+xml
Content-Length: ...
[MPDF policy data (omitted)]
Step 306: according to the policy control authentication information, the user agent constructs a new invitation message that includes the policy control authentication information, and sends the new invitation message to the proxy server.
After receiving the subscription notification, the user agent checks the new MPDF message body and modifies the SDP. The user agent needs to copy the Policy-Scope and Policy-Id header fields from the subscription notification into the invitation message, and then resends the invitation message to the proxy server. The format of this request message is:
INVITE sip:bob@biloxi.somewhere.com SIP/2.0
Supported: policy
From: Alice <sip:alice@atlanta.example.com>;tag=9fxced76sl
To: Bob <sip:bob@biloxi.somewhere.com>
Call-ID: rt4353gs2egf@atlanta.example.com
CSeq: 1 INVITE
Contact: <sip:alice@atlanta.example.com>
Policy-Scope: session-spec-policy;etime=Thu, 21 Feb 2008 13:05:03 GMT
Policy-Id: <sip:policy@atlanta.example.com>;signature="ZYNBbHC00VMZr
 2kZt6VmCvPonWJMGvQTBDqghoWeLxJfzB2a1pxAr3VgrB0SsSAaifsRdi
 OPoQZYOy2wrVghuhcsMbHWUSFxI6p6q5TOQXHMmz6uEo3svJsSH49th
 yGnFVcnyaZ++yRlBYYQTLqWzJ+KVhPKbfU/pryhVn9Yc6U="
Content-Type: application/sdp
Content-Length: ...
[SDP message body (omitted)]
Step 307: the proxy server receives from the user agent the new invitation message that includes the policy control authentication information, and verifies the policy control authentication information.
The proxy server first performs the signature computation according to the policy control authentication information and then verifies the signature information. If the verification result is correct, go to step 308; if it is incorrect, go to step 309.
The proxy server compares the signature information obtained by its own computation with the signature information carried in the policy control authentication information. If the two are consistent, the verification is correct; if they are inconsistent, the verification fails.
The formula the proxy server uses for the signature computation is the same as the signature formula used by the policy server in step 304. The policy server and the proxy server use public key certificates for the signature computation. The proxy server may need to obtain the public key certificate of the policy server in order to perform the signature computation correctly. If the result computed by the proxy server is consistent with the signature parameter in Policy-Id, the policy parameters provided by the policy server have not been tampered with and the session request is legitimate.
Step 308: the proxy server forwards the new invitation message to the recipient of the invitation message.
Step 309: the proxy server returns a failure response message to the user agent.
By providing a method for SIP policy control authentication, the embodiments of the invention strengthen the security of the SIP policy control mechanism: the policy control authentication mechanism ensures that the client initiates session requests in strict accordance with the policy, which strengthens the security of the session.
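The signing in step 304 and the proxy check in step 307, as an added example that is not code from the patent. HMAC-SHA256 under a constructed key shared by policy server and proxy stands in for the unspecified DigestAlgorithm and the public key certificates, each field is length-prefixed before concatenation (a choice of this example, so that bytes cannot shift between adjacent fields), and all function names, the key, the SDP bodies and the timestamps are assumptions.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Assumption: constructed demo key known only to policy server and proxy.
DEMO_KEY = b"constructed-demo-key"
SESSION_FIELDS = ("request-uri", "from", "to", "method", "contact")


def signed_content(policy_id, policy_scope, sdp, sip_params=None):
    """Build 'content' from step 304 for either policy type."""
    policy_type = policy_scope.split(";", 1)[0]
    if policy_type == "session-spec-policy":
        fields = [sip_params[name] for name in SESSION_FIELDS]
    elif policy_type == "session-independent-policy":
        fields = []
    else:
        raise ValueError("unknown policy type: " + policy_type)
    fields += [policy_id, policy_scope, sdp]
    # Length-prefix each field so the field boundaries are signed too.
    encoded = [f.encode("utf-8") for f in fields]
    return b"".join(len(e).to_bytes(4, "big") + e for e in encoded)


def compute_signature(content, key=DEMO_KEY):
    mac = hmac.new(key, content, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def issue_policy_headers(policy_type, policy_uri, expires, sdp, sip_params=None):
    """Policy server (steps 304-305): headers to place in the NOTIFY."""
    scope = policy_type + ";etime=" + format_datetime(expires, usegmt=True)
    policy_id = "<" + policy_uri + ">"
    sig = compute_signature(signed_content(policy_id, scope, sdp, sip_params))
    return {"Policy-Scope": scope,
            "Policy-Id": policy_id + ';signature="' + sig + '"'}


def verify_invite(headers, sdp, sip_params, now):
    """Proxy (step 307): recompute over the INVITE as received."""
    try:
        scope = headers["Policy-Scope"]
        policy_id, sep, rest = headers["Policy-Id"].partition(';signature="')
        _, etime_sep, etime = scope.partition(";etime=")
        if not sep or not etime_sep or not rest.endswith('"'):
            return False, "malformed"
        expected = compute_signature(
            signed_content(policy_id, scope, sdp, sip_params))
        expires = parsedate_to_datetime(etime)
    except (KeyError, TypeError, ValueError):
        return False, "malformed"
    # Constant-time comparison of the recomputed and the carried signature.
    if not hmac.compare_digest(expected.encode(), rest[:-1].encode()):
        return False, "bad-signature"  # step 309: failure response
    if expires.tzinfo is None or now >= expires:
        return False, "expired"        # etime is covered by the signature
    return True, "ok"                  # step 308: forward the INVITE


# Constructed sample data modelled on the messages in this description.
INVITE_PARAMS = {
    "request-uri": "sip:bob@biloxi.somewhere.com",
    "from": "sip:alice@atlanta.example.com",
    "to": "sip:bob@biloxi.somewhere.com",
    "method": "INVITE",
    "contact": "sip:alice@atlanta.example.com",
}
SDP_ALLOWED = ("v=0\r\no=alice 2890844526 2890844526 IN IP4 192.0.2.1\r\n"
               "s=-\r\nc=IN IP4 192.0.2.1\r\nt=0 0\r\n"
               "m=audio 49170 RTP/AVP 0\r\n")
# The step 105 problem: the user agent adds a media type the policy removed.
SDP_TAMPERED = SDP_ALLOWED + "m=video 51372 RTP/AVP 31\r\n"
EXPIRES = datetime(2008, 2, 21, 13, 5, 3, tzinfo=timezone.utc)
NOW_VALID = datetime(2008, 2, 21, 12, 0, 0, tzinfo=timezone.utc)
NOW_LATE = datetime(2008, 2, 21, 14, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    hdrs = issue_policy_headers("session-spec-policy",
                                "sip:policy@atlanta.example.com",
                                EXPIRES, SDP_ALLOWED, INVITE_PARAMS)
    for label, sdp, now in (("as issued", SDP_ALLOWED, NOW_VALID),
                            ("SDP modified", SDP_TAMPERED, NOW_VALID),
                            ("after etime", SDP_ALLOWED, NOW_LATE)):
        print(label, verify_invite(hdrs, sdp, INVITE_PARAMS, now))
```

Because the proxy recomputes the value from the INVITE it actually received, a changed SDP body, a changed To or Contact, or an extended etime all end in the step 309 failure path.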
The embodiment of the invention defines three header fields, Policy-Id, Policy-Scope and Policy-Contact, whose syntax is as follows:
Policy-Id = "Policy-Id" HCOLON policyURI *(COMMA policyURI)
policyURI = (SIP-URI / SIPS-URI / absoluteURI) [SEMI signature-param] *(SEMI generic-param)
signature-param = "signature=" signature
Policy-Scope = "Policy-Scope" HCOLON policy-scope *(COMMA policy-scope)
policy-scope = ("session-spec-policy" / "session-independent-policy") [SEMI etime-param] *(SEMI generic-param)
etime-param = "etime=" etime
Policy-Contact = "Policy-Contact" HCOLON policyURI *(COMMA policyURI)
policyURI = (SIP-URI / SIPS-URI / absoluteURI) [SEMI policy-param] *(SEMI generic-param)
policy-param = "policy=" policy-value
policy-value = "session-spec-policy" / "session-independent-policy"
An embodiment of the invention also provides a network system which, as shown in Fig. 4, comprises a policy server 401, a proxy server 402 and a user agent 403. The policy server 401 is configured to receive a subscription request from the user agent, generate policy control authentication information according to the subscription request, and send the policy control authentication information to the user agent. The proxy server 402 is configured to receive from the user agent a new invitation message that includes the policy control authentication information and to verify the policy control authentication information; if the verification result is correct, it forwards the new invitation message to the recipient of the invitation message; if the verification result is wrong, it sends a failure response message to the user agent. The user agent 403 is configured to receive from the proxy server a response message carrying a policy type, construct the subscription request according to that response message, send the subscription request to the policy server, and receive the policy control authentication information returned by the policy server.
The user agent 403 is also configured to construct a new invitation message according to the policy control authentication information, send the new invitation message to the proxy server, and receive the failure response message from the proxy server.
By providing a network system, the embodiments of the invention strengthen the security of the SIP policy control mechanism: the policy control authentication mechanism ensures that the client initiates session requests in strict accordance with the policy, which strengthens the security of the session.
An embodiment of the invention also provides a policy server which, as shown in Fig. 5, comprises: a subscription request receiving unit 501, configured to receive a subscription request from a user agent; a subscription request processing unit 502, configured to generate policy control authentication information according to the subscription request received by the subscription request receiving unit; and a policy control authentication information sending unit 503, configured to send the policy control authentication information generated by the subscription request processing unit to the user agent.
The subscription request processing unit 502 comprises: an MPDF processing subunit 504, configured to modify the MPDF information in the subscription request and generate a new MPDF message body; a signature calculation subunit 505, configured to generate the Policy-Scope header field according to the subscription request and obtain the signature information through calculation; and an authentication information generation subunit 506, configured to generate the policy control authentication information from the new MPDF message body, the Policy-Scope header field and the signature information.
By providing a policy server that generates policy control authentication information according to the user agent's subscription request, the embodiments of the invention ensure that the policy control authentication mechanism can be implemented.
An embodiment of the invention also provides a proxy server which, as shown in Fig. 6, comprises: an invitation message receiving unit 601, configured to receive an invitation message from a user agent, the invitation message being a new invitation message that includes policy control authentication information; and an invitation message verification unit 602, configured to verify the policy control authentication information of the new invitation message received by the invitation message receiving unit; if the verification result is correct, it forwards the new invitation message to the recipient of the invitation message; if the verification result is wrong, it returns a failure response message to the user agent.
The invitation message verification unit 602 may comprise: a signature calculation subunit 603, configured to perform the signature computation and obtain signature information; and a signature verification subunit 604, configured to compare the signature information obtained by the signature calculation subunit with the signature information carried in the policy control authentication information; if the two are consistent, the verification is correct; if they are inconsistent, the verification fails.
By providing a proxy server that verifies the policy control authentication information, the embodiments of the invention ensure that the policy control authentication mechanism can be implemented.
An embodiment of the invention also provides a network device which, as shown in Fig. 7, comprises: a receiving unit 701, configured to receive from a proxy server a response message carrying a policy type; a construction unit 702, configured to construct a subscription request according to the response message carrying the policy type received by the receiving unit; and a sending unit 703, configured to send the subscription request constructed by the construction unit to a policy server.
The construction unit 702 may also be configured to construct a new invitation message according to the policy control authentication information from the policy server; the sending unit 703 may also be configured to send the new invitation message constructed by the construction unit to the proxy server; and the receiving unit 701 may also be configured to receive the failure response message returned by the proxy server.
By providing a network device that constructs a new invitation message including the policy control authentication information, the embodiments of the invention ensure that the policy control authentication mechanism can be implemented.
By providing a method, system and device for SIP policy control authentication, the embodiments of the invention strengthen the security of the SIP policy control mechanism: the policy control authentication mechanism ensures that the client initiates session requests in strict accordance with the policy, which strengthens the security of the session.
From the description of the above embodiments, a person skilled in the art can clearly understand that the invention may be implemented in hardware, or in software together with a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the invention may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (such as a CD-ROM, a USB flash drive or a portable hard disk) and includes instructions that cause a computer device (such as a personal computer, a server or a network device) to carry out the methods described in the embodiments of the invention.
In short, the above are only preferred embodiments of the invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (10)

1. A method for Session Initiation Protocol (SIP) policy control authentication, characterized in that it comprises:
a policy server receives a subscription request from a user agent;
the policy server generates policy control authentication information according to the subscription request;
the policy server sends the policy control authentication information to the user agent;
wherein the policy server generating policy control authentication information according to the subscription request comprises:
the policy server modifies the media stream policy data format (MPDF) message body in the subscription request to generate a new MPDF message body;
the policy server generates a Policy-Scope header field according to the subscription request and obtains signature information through calculation;
the policy server generates the policy control authentication information according to the new MPDF message body, the Policy-Scope header field and the signature information.

2. The method for SIP policy control authentication as claimed in claim 1, characterized in that, before the policy server receives the subscription request from the user agent, the method further comprises:
the user agent receives a response message carrying a policy type from a proxy server;
the user agent constructs the subscription request according to the response message carrying the policy type;
the user agent sends the subscription request to the policy server.

3. The method for SIP policy control authentication as claimed in claim 2, characterized in that the user agent constructing the subscription request according to the response message carrying the policy type comprises:
the user agent determines according to the policy type whether to add tag information to the subscription request sent to the policy server; if the policy type is a session-specific policy, the tag information is added; if the policy type is a session-independent policy, the tag information is not added.

4. The method for SIP policy control authentication as claimed in claim 1, characterized in that obtaining the signature information through calculation comprises:
obtaining the signature information by calculation over the Policy-Scope header field, the Policy-Id header field, the tag information in the subscription request and the new MPDF message body; or
obtaining the signature information by calculation over the Policy-Scope header field, the Policy-Id header field and the new MPDF message body.

5. The method for SIP policy control authentication as claimed in claim 1, characterized in that, after the policy server sends the policy control authentication information to the user agent, the method further comprises:
the user agent constructs, according to the policy control authentication information, a new invitation message that includes the policy control authentication information, and sends the new invitation message to a proxy server.

6. The method for SIP policy control authentication as claimed in claim 5, characterized in that, after the user agent constructs the new invitation message that includes the policy control authentication information and sends it to the proxy server, the method further comprises:
the proxy server receives from the user agent the new invitation message that includes the policy control authentication information, and verifies the policy control authentication information;
if the verification result is correct, the proxy server forwards the new invitation message to the recipient of the invitation message;
if the verification result is wrong, the proxy server returns a failure response message to the user agent.

7. The method for SIP policy control authentication as claimed in claim 6, characterized in that the proxy server receiving the new invitation message that includes the policy control authentication information from the user agent and verifying the policy control authentication information comprises:
the proxy server performs the signature computation and obtains signature information;
the proxy server compares the signature information obtained by the computation with the signature information carried in the policy control authentication information; if the two are consistent, the verification is correct; if they are inconsistent, the verification fails.

8. A network system, characterized in that it comprises:
a policy server, configured to receive a subscription request from a user agent, generate policy control authentication information according to the subscription request, and send the policy control authentication information to the user agent;
a proxy server, configured to receive from the user agent a new invitation message that includes the policy control authentication information and to verify the policy control authentication information; if the verification result is correct, to forward the new invitation message to the recipient of the invitation message; if the verification result is wrong, to send a failure response message to the user agent;
a user agent, configured to receive from the proxy server a response message carrying a policy type, construct the subscription request according to the response message carrying the policy type, and send the subscription request to the policy server.

9. The network system as claimed in claim 8, characterized in that the user agent is further configured to construct a new invitation message according to the policy control authentication information and send the new invitation message to the proxy server.

10. A policy server, characterized in that it comprises:
A policy server, comprising: 订阅请求接收单元,用于接收来自用户代理的订阅请求; a subscription request receiving unit, configured to receive a subscription request from the user agent; 订阅请求处理单元,用于根据所述订阅请求接收单元接收的订阅请求生成策略控制认证信息; A subscription request processing unit, configured to generate policy control authentication information according to the subscription request received by the subscription request receiving unit; 策略控制认证信息发送单元,用于向所述用户代理发送所述订阅请求处理单元生成的策略控制认证信息; a policy control authentication information sending unit, configured to send the policy control authentication information generated by the subscription request processing unit to the user agent; 所述订阅请求处理单元包括: The subscription request processing unit includes: 媒体流策略数据格式处理子单元,用于对所述订阅请求中的媒体流策略数据格式信息进行修改,生成新的媒体流策略数据格式消息体; The media stream policy data format processing subunit is used to modify the media stream policy data format information in the subscription request to generate a new media stream policy data format message body; 签名计算子单元,用于根据所述订阅请求生成Policy-Scope头域,通过计算得到签名信息; A signature calculation subunit, configured to generate a Policy-Scope header field according to the subscription request, and obtain signature information through calculation; 认证信息生成子单元,用于根据所述新的媒体流策略数据格式消息体、所述Policy-Scope头域和所述签名信息生成所述策略控制认证信息。  The authentication information generation subunit is configured to generate the policy control authentication information according to the message body of the new media stream policy data format, the Policy-Scope header field and the signature information. the
CN200810134586A 2008-07-29 2008-07-29 Method, system and device for SIP policy control authentication Expired - Fee Related CN101640669B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810134586A CN101640669B (en) 2008-07-29 2008-07-29 Method, system and device for SIP policy control authentication

Publications (2)

Publication Number Publication Date
CN101640669A CN101640669A (en) 2010-02-03
CN101640669B true CN101640669B (en) 2012-08-29

Family

ID=41615463

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810134586A Expired - Fee Related CN101640669B (en) 2008-07-29 2008-07-29 Method, system and device for SIP policy control authentication

Country Status (1)

Country Link
CN (1) CN101640669B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108270747B (en) * 2016-12-30 2021-08-13 杭州华为企业通信技术有限公司 Authentication method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1716953A (en) * 2004-06-28 2006-01-04 华为技术有限公司 Method for identifying conversation initial protocol
CN1889562A (en) * 2005-06-28 2007-01-03 华为技术有限公司 Method for identifying equipment for receiving initial session protocol request information
CN1913432A (en) * 2006-07-27 2007-02-14 华为技术有限公司 Method and system of card number service using SIP authentication

Also Published As

Publication number Publication date
CN101640669A (en) 2010-02-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120829

Termination date: 20130729