
CN102006567B - Push-message processing method and system and equipment for implementing push-message processing method - Google Patents


Info

Publication number: CN102006567B
Authority: CN (China)
Prior art keywords: message, push, client, application, application client
Legal status: Active
Application number: CN201010545591.2A
Other languages: Chinese (zh)
Other versions: CN102006567A (en)
Inventor: 加雄伟
Current Assignee: China United Network Communications Group Co Ltd
Original Assignee: China United Network Communications Group Co Ltd
Application filed by: China United Network Communications Group Co Ltd
Priority to: CN201010545591.2A
Events: publication of CN102006567A; application granted; publication of CN102006567B
Classification: Information Transfer Between Computers (AREA)

Abstract

The invention discloses a push message processing method, and a system and device for implementing the push message processing method. The push message processing method comprises: a message receiving device receives a push message, containing a push application identifier, sent by a message sending system; the message receiving device matches the corresponding application client according to the push application identifier, and determines whether the matched application client is registered and whether the push message response capability file generated by the matched application client has been signed; if the matched application client is registered and its push message response capability file has been signed, the matched application client is started to process the received push message; if the matched application client is not registered, or its push message response capability file has not been signed, processing of the received push message is refused. This makes the application client that processes push messages secure and controllable, and improves the security of push message processing.

Description

Push message processing method, and system and device for implementing the push message processing method
Technical field
The present invention relates to communication technology, and in particular to a push message processing method and to a system and device for implementing the push message processing method.
Background art
The push message (PUSH message) service is a basic service of the mobile network.
A mobile network operator (or value-added service provider) can use the PUSH message service to send control-type messages to mobile network terminals. For example, when a mobile terminal user (the sending user) sends a multimedia message (MMS) to another mobile terminal user (the receiving user), the mobile network's service system sends the receiving user's terminal a PUSH message for retrieving the MMS message, and the receiving user's terminal, as prompted by the PUSH message, retrieves the MMS message from the agreed network address. As another example, a mobile network value-added service provider sends multimedia advertisement link information to a receiving user; after receiving the information, the receiving user's terminal starts the advertisement playback application on the terminal as agreed in the information, and the advertisement playback application plays the advertisement according to the agreed information.
A PUSH message processing system comprises a message sending system (device), a message delivery system and a message receiving device. The mobile network operator (or value-added service provider) generates a PUSH message with the message sending system (device) and sends it to the message delivery system, which pushes the PUSH message to a message receiving device such as the receiving user's terminal.
However, the transmission of PUSH messages also raises communication security problems, such as whether a PUSH message comes from a malicious sender and whether the PUSH message itself is safe.
In the prior art, Chinese patent application No. 200610137955.7, "A method for verifying a PUSH message and the identity of its sender", verifies the identity of the push initiator (PUSH Initiator, PI) by the PI's IP address or by the digital certificate that the PI obtained by registering with a certificate authority (Certificate Authority, CA), and verifies the integrity of the PUSH message by the PUSH message's digital signature, so as to prevent any attack during communication and achieve security in the PUSH message transmission process.
In addition, to ensure security, mobile network operators usually do not open up the right to send PUSH messages, so as to keep PUSH message sending secure given that existing PUSH message processing technology and standards have no unified control mechanism.
The prior art has at least the following defect: although the above methods can ensure security in the PUSH message transmission process, none of them can ensure that the processing of PUSH messages is secure and controllable. For example, when one entity (for example, a mobile network operator or value-added service provider, called the sending entity) sends a PUSH message to another entity (for example, a mobile service user, called the receiving entity) and the application client is a malicious application client, then, triggered by the PUSH message, it can carry out attacks such as sending out private information stored in the message receiving device.
Summary of the invention
The invention provides a push message processing method, and a system and device for implementing the push message processing method, in order to solve the problem in the prior art that message receiving devices process push messages with low security, and to improve the security of push message processing.
The invention provides a push message processing method, comprising:
A message receiving device receives a push message, containing a push application identifier, sent by a message sending system;
The message receiving device matches the corresponding application client according to the push application identifier, and determines whether the matched application client is registered and whether the push message response capability file generated by the matched application client has been signed;
If the matched application client is registered and its push message response capability file has been signed, the matched application client is started to process the received push message; if the matched application client is not registered, or its push message response capability file has not been signed, processing of the received push message is refused.
The invention also provides a message security management system for implementing the above push message processing method, comprising:
An application management and service module, configured to sign the push message response capability file of an application client, register the application client, and verify the signature of the application client's push message response capability file;
A trusted application list management and service module, configured to establish and maintain a trusted application list, the trusted application list being a list of information on application clients that have passed registration and signing.
The invention also provides a message receiving device for implementing the above push message processing method, comprising:
A message receiving client, configured to receive a push message, containing a push application identifier, sent by a message sending system;
A message security management client, connected to the message receiving client and configured to match the corresponding application client according to the push application identifier of the push message received by the message receiving client, determine whether the matched application client is registered and whether the push message response capability file generated by the matched application client has been signed, and, if the matched application client is registered and the push message response capability file it generated has been signed, call and start the matched application client to process the push message;
An application client, connected to the message security management client and configured to start, when called by the message security management client, and process the push message received by the message receiving client.
The invention also provides a push message processing system comprising a message sending system and a message delivery system, and further comprising the above message security management system and the above message receiving device;
The message security management system is communicatively connected to the message sending system, the message delivery system and the message receiving device;
The message sending system sends the generated push message, containing a push application identifier, to the message receiving device through the message delivery system; the message receiving device is configured to match the corresponding application client according to the push application identifier, and determine whether the matched application client is registered and whether the push message response capability file generated by the matched application client has been signed; if the matched application client is registered and the push message response capability file it generated has been signed, the message receiving device calls and starts the matched application client to process the push message.
The invention also provides a method for applying for an identity certificate in the above push message processing system, comprising:
The message sending system, message delivery system or message receiving device sends application information to the message security management system to apply for an identity certificate, the application information comprising at least: user name, user password, user information and service type;
The message security management system generates an identity certificate and a corresponding key according to the application information, and returns them to the message sending system, message delivery system or message receiving device.
The invention also provides a method for signing an application client in the above push message processing system, comprising:
The application client generates a push message response capability file comprising at least a push application identifier and an application client identifier; the application client sends a signature request for the push message response capability file;
If the message security management system supports the signature request, it computes a digest of the push message response capability file; the message security management system encrypts the digest with the private key of its own certificate;
The message security management system adds the encrypted digest to the push message response capability file; the message security management system returns the signing result and the push message response capability file, with the encrypted digest added, to the application client.
The invention also provides a method for registering an application client in the above push message processing system, comprising: when the application client is installed on the message receiving device, it submits registration information to the message security management client, the registration information containing the push message response capability file;
The message security management client audits the push message response capability file in the registration information; if the audit passes, the message security management client queries and updates the trusted application list, the trusted application list being a list of information on application clients that have been registered and signed by the message security management system; if the audit fails, registration ends and a registration failure result is returned;
If the trusted application list contains the information of the application client that submitted the registration information, the message security management client records the registration information of that application client and returns a registration success result; if the trusted application list does not contain the information of the application client that submitted the registration information, a registration failure result is returned.
With the push message processing method provided by the invention, and the system and device for implementing it, the matched application client is started to process the received push message only when the application client matched by the push application identifier is registered and its push message response capability file has been signed; otherwise processing of the push message is refused. This ensures the security and reliability of the application client that processes push messages, makes that application client secure and controllable, and improves the security of push message processing.
Description of drawings
Fig. 1 is a flow chart of the push message processing method provided by an embodiment of the invention;
Fig. 2 is a schematic structural diagram of the message security management system provided by an embodiment of the invention;
Fig. 3 is a schematic structural diagram of a message receiving device, provided by an embodiment of the invention, that can be used to implement the above push message processing method;
Fig. 4 is a schematic structural diagram of the push message processing system provided by an embodiment of the invention;
Fig. 5 is a schematic structural diagram of the message sending system in the push message processing system provided by an embodiment of the invention;
Fig. 6 is a schematic structural diagram of the message delivery system in the push message processing system provided by an embodiment of the invention;
Fig. 7 is a flow chart of an embodiment of the method for applying for an identity certificate in the push message processing system provided by an embodiment of the invention;
Fig. 8 is a signaling flow chart of the message sending system applying for an identity certificate in the push message processing system provided by an embodiment of the invention;
Fig. 9 is a flow chart of an embodiment of the method for signing an application client in the push message processing system provided by an embodiment of the invention;
Fig. 10 is the signaling flow chart corresponding to Fig. 9;
Fig. 11A is a flow chart of an embodiment of the method for registering an application client in the push message processing system provided by an embodiment of the invention;
Fig. 11B is the signaling flow chart corresponding to Fig. 11A;
Fig. 12 is a flow chart of the push message processing system provided by an embodiment of the invention delivering a push message;
Fig. 13 is a flow chart of the message receiving device processing a push message in the push message processing system provided by an embodiment of the invention.
Embodiments
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the protection scope of the invention.
Fig. 1 is a flow chart of the push message processing method provided by an embodiment of the invention. As shown in Fig. 1, the push message processing method comprises:
Step 11: the message receiving device receives a push message, containing a push (PUSH) application identifier, sent by the message sending system;
Step 12: the message receiving device matches the corresponding application client according to the push application identifier, and determines whether the matched application client is registered and whether the push message response capability file generated by the matched application client has been signed;
Step 13: if the matched application client is registered and its push message response capability file has been signed, the matched application client is started to process the received push message; if the matched application client is not registered, or its push message response capability file has not been signed, processing of the received push message is refused.
In this embodiment, the message receiving device starts the matched application client to process the received push message only when the application client matched by the push application identifier is registered and its push message response capability file has been signed; otherwise it refuses to process the push message. This ensures the security and reliability of the application client that processes push messages, makes that application client secure and controllable, and improves the security of push message processing.
In step 11 above, the push message may further contain an application client identifier. In that case, in step 12, the message receiving device matching the corresponding application client according to the push application identifier comprises: the message receiving device matches the corresponding application client according to the push application identifier and the application client identifier.
When several application clients match the push application identifier, the application client identifier makes it possible to match directly the application client that the message sending system expects to be used to process the push message.
The push application identifier is the application identifier string (text-string) used in the PUSH message application standard to identify an application client program. Push application identifiers are maintained by the Open Mobile Alliance (OMA). A single application client can respond to several push application identifiers at the same time.
The application client identifier is an identification string used to identify the application client; a globally unique identifier (GUID) can be used as the application client identifier.
In step 11 above, the push message containing the push application identifier sent by the message sending system may also contain a message digest, and this message digest may be a digest signed by the message sending system.
When the message digest is a digest signed by the message sending system, the following may further be included before step 12: the message receiving device verifies the identity of the message sending system according to the digest of the push message signed by the message sending system, that is, the signed digest; if verification passes, the message receiving device matches the corresponding application client according to the push application identifier; if verification fails, processing of the push message is refused. This ensures that a received push message is not processed when the message sender is unreliable, which lightens the processing load of the message receiving device and improves the efficiency and security of push message processing.
Based on the idea of the push message processing method in the above embodiment, the embodiments of the invention provide a message security management system and a message security management client that can be used to implement the above push message processing method. The message security management system performs security management of application clients and is responsible for ensuring the security and reliability of application clients; the message security management client is installed in the message receiving device and assists the message security management system in ensuring the security and reliability of application clients.
Fig. 2 is a schematic structural diagram of the message security management system provided by an embodiment of the invention. As shown in Fig. 2, the message security management system comprises an application management and service module 21 and a trusted application list management and service module 22.
The application management and service module 21 is configured to sign the push message response capability file of an application client, register the application client, and verify the signature of the application client's push message response capability file. The application client can apply for registration and signing directly to the message security management system, or can have the message sending system forward its application for registration and signing to the message security management system.
The trusted application list management and service module 22 is configured to establish and maintain the list of information on application clients that have passed registration and signing; for ease of description, this list is named the trusted application list (the same below). When an application client registers and has its PUSH message response capability file signed, the message security management system modifies and maintains the trusted application list. Only information on application clients that have passed the registration and signing service is written into the trusted application list. The message security management client can download the trusted application list from the message security management system periodically (or irregularly), for use when registering application clients installed on the message receiving device and when calling and starting a reliable application client to process a push message; for details, see the descriptions below of the message receiving device embodiment and of the application client registration and push message processing embodiments.
In this embodiment, the message security management system is the security infrastructure of the PUSH message processing system. It can be provided within the message delivery system as a new function of the message delivery system, or it can be provided separately.
The message security management system provided by the embodiment of the invention may further comprise a certificate management and service module 23, configured to provide an identity certificate and a corresponding key to the message sending system, message delivery system or message receiving device according to the application information it sends, and to verify the identity certificate of the message sending system, message delivery system or message receiving device, so as to further ensure the security and reliability of the functional entities in the sending, delivery and receiving stages of the push message processing system. For the message sending system in particular, as long as it obtains an identity certificate and corresponding key by applying to the message security management system, and passes the identity verification of the message security management system, it can become a sender of push messages. This both ensures the security of the sender and ensures the openness of push message sending.
The application information comprises at least: user name, user password, user information and service type. The identity certificate comprises at least: certificate format and version, certificate encoding method, signature algorithm, digest algorithm, certificate serial number, certificate subject, the identifier of the certificate's signing authority, and the certificate digest. The certificate format and version can follow the X.509 format; the certificate encoding method can be BASE64; the signature algorithm can be the RSA algorithm; the digest algorithm can be the Secure Hash Algorithm (SHA-1); the certificate serial number is generated by the message security management system and can be a random number; the certificate subject can include a country identifier, the applicant type and so on; the identifier of the certificate's signing authority is the identifier of the message security management system; the certificate digest is used to check the certificate. The public key corresponding to the identity certificate is stored in the identity certificate; the corresponding private key is stored in a secure storage location of the corresponding functional entity, such as the message sending system, message delivery system or message receiving device, and may be stored in encrypted form.
Fig. 3 is a schematic structural diagram of a message receiving device, provided by an embodiment of the invention, that can be used to implement the above push message processing method. As shown in Fig. 3, the message receiving device comprises a message receiving client 31, a message security management client 32 and an application client 33.
The message receiving client 31 is configured to receive the push message, containing a push application identifier, sent by the message sending system. Specifically, the push message sent by the message sending system can be forwarded to the message receiving client 31 by the message delivery system.
After receiving a PUSH message, the message receiving client 31 pushes the PUSH message to the message security management client 32, which carries out the subsequent processing of the PUSH message. The message receiving client 31 is also configured to receive the processing result of the message security management client 32.
The message security management client 32 is connected to the message receiving client 31 and is configured to match the corresponding application client according to the push application identifier of the push message received by the message receiving client 31, determine whether the matched application client is registered and whether the push message response capability file generated by the matched application client has been signed, and, if the matched application client is registered and the push message response capability file it generated has been signed, call and start the matched application client to process the push message. If the push message contains an application client identifier, the processing is as explained in the method embodiment above and as further described below.
There may be several application clients 33, for processing different push messages; of course, one push message may also be processed by different application clients. When called by the message security management client 32, the matched application client 33 starts and processes the PUSH message content passed on by the message security management client 32, that is, the push message received by the message receiving client 31.
Before being distributed to message receiving devices, the application client 33 needs to register with the message security management system and to request the message security management system to sign the PUSH message response capability file generated by the application client 33.
When the application client 33 is installed on the message receiving device, it needs to submit registration information to the message security management client 32 to register its PUSH message response capability. The registration information comprises at least: the signed push message response capability file, the application client installation path, and the full path of the application client main program. The message security management client 32 registers the application client that submitted the registration information according to that registration information. This further ensures that the application clients on the message receiving device are all secure and reliable, and thereby improves the security of push message processing on the message receiving device.
At registration, the application client 33 needs to provide the message security management client 32 with the PUSH message response capability file signed by the message security management system.
If the application client 33 has not generated a PUSH message response capability file, or this capability file has not been signed by the message security management system, or the application client 33 is not registered on the message receiving device, then the application client 33 does not have the ability to receive and process PUSH messages; that is, the message security management client 32 will not call this application client 33 to process PUSH messages.
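The signing, install-time registration and dispatch rules described above, as an added Python example that is not part of the patent text. The JSON capability file layout, the field names, the identifiers and the demo RSA key are assumptions made for illustration; SHA-256 and unpadded RSA stand in for the SHA-1 and RSA named in the description.

```python
import hashlib
import json

# Constructed demo key from two publicly known Mersenne primes: NOT secure, it
# only keeps the example deterministic and stdlib-only. Textbook RSA without
# padding is used for brevity; real code uses a vetted library and RSA-PSS.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the management system


def capability_digest(cap):
    """Digest of the capability file body, excluding any embedded signature."""
    body = {k: v for k, v in cap.items() if k != "signature"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return int.from_bytes(hashlib.sha256(canonical.encode()).digest(), "big")


def sign_capability(cap):
    """Management system side: encrypt the digest with the private key and embed it."""
    signed = dict(cap)
    signed["signature"] = format(pow(capability_digest(cap), D, N), "x")
    return signed


def signature_valid(cap):
    """Device side: recover the digest with the public key and compare."""
    try:
        value = int(cap.get("signature"), 16)
    except (TypeError, ValueError):
        return False  # missing or malformed signature
    return 0 <= value < N and pow(value, E, N) == capability_digest(cap)


class SecurityManagementClient:
    """Device-side gatekeeper between the receiving client and application clients."""

    def __init__(self, trusted_list):
        self.trusted = set(trusted_list)  # client ids downloaded from the management system
        self.registered = {}              # client id -> signed capability file

    def register(self, cap):
        """Install-time registration: audit the file, then consult the trusted list."""
        if not signature_valid(cap):
            return "registration failed: capability file not validly signed"
        if cap.get("client_id") not in self.trusted:
            return "registration failed: not in trusted application list"
        self.registered[cap["client_id"]] = cap
        return "registered"

    def handle_push(self, msg):
        """Steps 11-13: match by push application id, start only vetted clients."""
        matches = [c for c in self.registered.values()
                   if msg["push_app_id"] in c.get("push_app_ids", ())]
        wanted = msg.get("client_id")  # optional application client identifier
        if wanted is not None:
            matches = [c for c in matches if c["client_id"] == wanted]
        for cap in matches:
            # Re-check at dispatch: the stored file may have changed since install.
            if signature_valid(cap):
                return "start " + cap["client_id"]
        return "refused"


def demo():
    """Run constructed clients and messages through registration and dispatch."""
    mms = sign_capability({"client_id": "guid-mms-0001", "push_app_ids": ["x-example:mms"]})
    ads = sign_capability({"client_id": "guid-ads-0002", "push_app_ids": ["x-example:ads"]})
    rogue = {"client_id": "guid-rogue-0003", "push_app_ids": ["x-example:mms"]}  # never signed
    # Signed file altered afterwards to claim an extra push application id.
    tampered = dict(mms, push_app_ids=["x-example:mms", "x-example:ads"])

    smc = SecurityManagementClient(trusted_list=["guid-mms-0001"])
    return {
        "register_rogue": smc.register(rogue),
        "register_tampered": smc.register(tampered),
        "register_ads": smc.register(ads),  # signed, but absent from the device's trusted list
        "register_mms": smc.register(mms),
        "push_mms": smc.handle_push({"push_app_id": "x-example:mms"}),
        "push_ads": smc.handle_push({"push_app_id": "x-example:ads"}),
        "push_named_rogue": smc.handle_push(
            {"push_app_id": "x-example:mms", "client_id": "guid-rogue-0003"}),
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```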
Message safety administrative client 32 can be regarded as the extension of message safety management system in message sink equipment, collaborative message safety management system, the safety problem of solution PUSH message.
When summary is signed in the pushing news that message sink client 31 receives, message safety administrative client 32 also is used for the digest according to the pushing news of described message sink client 31 receptions, the message transmission system that sends described pushing news is carried out authentication, if authentication is passed through, then mate corresponding applications client, call and start the described pushing news of applications client 33 processing of coupling; If authentication is not passed through, then refusal is processed described pushing news.
If the push message received by message receiving client 31 includes an application client identifier, the message sender has selected the application client that is to process this push message. In that case message security management client 32 can also match the corresponding application client directly by the application client identifier, so as to satisfy the requirement of the message sending system.
When message security management client 32 reviews whether to accept an application client's registration request, it can work with the message security management system. Only an application client registered with the message security management system can be accepted for registration by message security management client 32.
Message security management client 32 can obtain the trusted application list from the message security management system periodically (or aperiodically), as an important basis for deciding whether to accept an application client's registration request.
The message receiving device provided by the embodiment of the invention may also include identity application module 34, used to apply to the message security management system for, and obtain, an identity certificate and the corresponding key, so as to ensure that the message receiving device in the push message processing system is also safe and reliable.
In this embodiment, the message receiving device receives, through the message security management client, the push message pushed from message receiving client 31. Message security management client 32 uses the push application identifier of the push message to look up the matching application client in the message receiving device's registered application client list, finds and starts the matching application client, and delivers the content of the push message to the started application client. The registered application client list is the list of application clients installed on the message receiving device. Clearly, any application client whose information is stored in this application client list necessarily also has its information stored in the trusted application list. An application client whose information is stored in the trusted application list, however, is not necessarily installed on the message receiving device. Therefore, when the message security management client calls an application client to process a push message, it must also check against the registered application client list whether the application client to be called is installed; otherwise the application client is unusable even though its information is stored in the trusted application list. The message receiving device may also have no registered application client list. In that case, an installed flag can be added to the application client information that the message security management client stores in the local trusted application list, indicating whether the trusted application client is installed on the message receiving device; that is, the local trusted application list also records whether each application client is installed locally. When the push message also includes an application client identifier, message security management client 32 can use that identifier directly to find and start the matching application client in the registered application client list to process the received push message. This ensures the security of the application client and of message processing, and lets the message sending system control which application client on the message receiving device processes the push message.
The push message processing system provided by the embodiment of the invention implements the above push message processing method by means of the message security management system, message security management client and message receiving device introduced in the above embodiments.
Fig. 4 is a structural schematic diagram of the push message processing system provided by the embodiment of the invention. As shown in Fig. 4, the push message processing system comprises message sending system 41, message delivery system 42, message security management system 43 and message receiving device 44.
Message security management system 43 is communicatively connected to message sending system 41, message delivery system 42 and message receiving device 44.
Message sending system 41 sends the generated push message, which contains a push application identifier, to message receiving device 44 through message delivery system 42. Message receiving device 44 matches the corresponding application client according to the push application identifier, and determines whether the matched application client is registered and whether the push message response capability file generated by the matched application client has been signed. If the matched application client is registered and the push message response capability file it generated has been signed, the device calls and starts the matched application client to process the push message.
Message security management system 43 may be any message security management system provided by the embodiment shown in Fig. 2. It is the core system of the push message processing system and has the management functions related to push message security, including the registration and signing service for application clients, and trusted application list management and service. It can further provide identity certificate and key management and service for the other functional entities.
Message sending system 41 sends push messages to the user; specifically, it can send a push message to message receiving device 44 through message delivery system 42, and can at the same time provide the service function agreed in the push message. For example, if the push message that message sending system 41 sends to the user contains information inviting the user to access an agreed web page, the message sending system can provide the user with the web service that supports that page. When message sending system 41 is used only for the above functions, a message sending system from an existing push message processing system can be used in its place. When message sending system 41 has functions such as message sending and identity certificate acquisition, its structure is as shown in Fig. 5, which is a structural schematic diagram of the message sending system in the push message processing system provided by the embodiment of the invention. Message sending system 41 may include message sending module 51, application service module 52 and identity application module 53.
Message sending module 51 sends the generated push message to the message delivery system. The push message generated by the message sending system contains a push application identifier (see the description in the above embodiments), which the message receiving device uses to match one or more application clients that can process the push message.
The service contained in a push message generated by message sending system 41 can be provided by application service module 52 or by another application system. For example, if the push message contains a service for accessing a certain web page, that web page can be provided by the web application service of the message sending system or by another web application service.
Identity application module 53 applies to the message security management system for, and obtains, an identity certificate and the corresponding key; the identity certificate is described in the above embodiments.
Message sending system 41 may further include application client management and service module 54, used to assist an application client in having message security management system 43 sign the application client's push message response capability file, and to assist the application client in registering with message security management system 43.
Application client management and service module 54 also records information on the application clients that have registered with and been signed by message security management system 43, so that when a push message is sent, the corresponding application client can be selected from the recorded information and the identifier of the selected application client set in the push message, instructing message receiving device 44 to start the selected application client to process the push message and thereby ensuring the security of message processing.
Message sending system 41 may further include digest module 55, which uses the identity certificate and corresponding key obtained by identity application module 53 to sign the message digest of the push message generated by message sending system 41, so that message security management system 43 and message receiving device 44 can confirm the identity of the message sending system 41 that sent the push message, ensuring that the sender of the push message is safe and reliable.
Message sending system 41 may also include client identifier adding module 56, which sets, in the push message generated by message sending system 41, an application client identifier instructing message receiving device 44 to start the corresponding application client to process the push message. This ensures that the application client that message receiving device 44 uses to process the push message is known to the message sending system that sent it, and that processing of the push message is secure. That is, the push message sent by message sending module 51 can also include an application client identifier, so that message sending system 41 can explicitly indicate that the generated push message is to be processed by the specified application client.
Message sending system 41 is not limited to the above structure. It can also be a capability extension of an existing message sending system (device), provided the following functions are added to the existing message sending system: the function of applying to the message security management system for the system's (device's) certificate and corresponding key, and of supporting the related certificate and key algorithms; the function of assisting in registering application clients and their push response capability files, and of recording application client information; the function of attaching an application client identifier to a push message when generating it; and the function of attaching a push message digest to a push message when generating it, the message digest being signed with the certificate of the message sending system (device) and the corresponding private key.
Message delivery system 42 receives the push message sent by message sending system 41 and, according to the sending requirements, pushes the push message to message receiving device 44. As shown in Fig. 6, the main functions of message delivery system 42 include service management, message processing, message receiving and message delivery.
Message delivery system 42 can be an improvement on the message delivery system in an existing push message processing system. For example, building on an existing push message delivery system, message delivery system 42 requests, before delivering a push message, that message security management system 43 audit the push message and its sender; only a push message that passes the audit can be pushed to message receiving device 44.
Message delivery system 42 can also store the push messages it delivers. When a push message includes the message sender's (the message sending system's) digest of the push message, and message security management system 43 is deployed inside message delivery system 42 as a part of it, message delivery system 42 can itself confirm the sender of the message through this digest, strengthening the message delivery system's ability to track and monitor push messages.
Message delivery system 42 can be a capability extension of an existing message delivery system, that is, the following functions are added to the existing message delivery system: the function of applying to message security management system 43 for the system's certificate and corresponding key, and of supporting the related certificate and key algorithms; the function of first having a push message audited by message security management system 43 when delivering it, and deciding according to the audit result whether to go on to deliver the push message; and the function of recording delivered push messages and of looking up and verifying, from a push message's digest, the entity that actually sent it.
Message delivery system 42 can also add, on the basis of an existing message delivery system, identity application module 61, used to send application information to message security management system 43 and to obtain an identity certificate and the corresponding key from message security management system 43, so as to ensure the reliability of the message delivery system and improve the security of push messages in the delivery stage. The application information includes at least: user name, user password, user profile and service type. The identity certificate includes at least: certificate format and version, certificate encoding method, signature algorithm, digest algorithm, certificate serial number, certificate subject, the identifier of the certificate's signing authority, and the certificate profile.
Before delivering a push message, message delivery system 42 requests message security management system 43 to audit the push message and its sender. Only a push message that passes the audit by message security management system 43 can be pushed to message receiving device 44. This ensures the reliability of the message source and strengthens the ability of message security management system 43 to track and monitor push messages.
Message receiving device 44, also called the user terminal, receives and processes push messages. The message receiving client in message receiving device 44 receives the message and then notifies the message security management client, which calls the agreed application client to process the push message; that is, it calls the corresponding application client according to the application client identifier in the push message to process the push message. Message receiving device 44 may be any message receiving device provided by the embodiment shown in Fig. 3.
In the push message processing system provided by the above embodiments, the message sending system generates a push message and pushes it to the message delivery system; the received push message is audited by the message security management system or the message delivery system, and a push message that passes the audit is then pushed to the message receiving device. After receiving the push message, the message receiving device looks up and starts the application client agreed in the push message, then pushes the push message content to the started application client. The started application client accesses the agreed application service system according to the push message content.
Fig. 7 is a flow chart of an embodiment of the method for applying for an identity certificate in the push message processing system provided by the embodiment of the invention. As shown in Fig. 7, the method by which message sending system 41, message delivery system 42 or message receiving device 44 applies to message security management system 43 for an identity certificate comprises:
Step 71: message sending system 41, message delivery system 42 or message receiving device 44 sends application information to message security management system 43 to apply for an identity certificate. The application information is described in the above embodiments and includes at least: user name, user password, user profile and service type;
Step 72: message security management system 43 generates an identity certificate and the corresponding key according to the application information and feeds them back to message sending system 41, message delivery system 42 or message receiving device 44. The identity certificate is described in the above embodiments and includes at least: certificate format and version, certificate encoding method, signature algorithm, digest algorithm, certificate serial number, certificate subject, the identifier of the certificate's signing authority, and the certificate profile.
Before message security management system 43 generates the identity certificate and corresponding key according to the application information, the method further comprises:
Message security management system 43 verifies the identity of message sending system 41, message delivery system 42 or message receiving device 44 according to the application information. If verification fails, it rejects the application of message sending system 41, message delivery system 42 or message receiving device 44. If verification succeeds, it determines whether message sending system 41, message delivery system 42 or message receiving device 44 is already registered, since a requester may apply more than once. If the requester is already registered, that is, it has previously applied successfully and its identity certificate and corresponding key have already been generated, message security management system 43 directly feeds back the identity certificate and corresponding key already generated. If message sending system 41, message delivery system 42 or message receiving device 44 is not registered, message security management system 43 registers it and generates and stores the corresponding identity certificate and corresponding key.
Taking as an example message sending system 41 applying to message security management system 43 for an identity certificate and the corresponding key, the concrete steps, as shown in Fig. 8, comprise:
Step 81: message sending system 41 sends application information to message security management system 43 to apply for an identity certificate and the corresponding key.
The application information that message sending system 41 sends to message security management system 43 includes information such as the message sending system's user name, user password, user profile and service type.
Step 82: message security management system 43 checks the application and generates the identity certificate and corresponding key.
Message security management system 43 verifies the identity of message sending system 41 according to the application information. If verification fails, it rejects the application of message sending system 41 and goes to step 83 to feed back the result that the identity certificate is refused, together with the reasons. If verification succeeds, the message security management system checks whether message sending system 41 has an active registration, that is, whether message sending system 41 has already successfully applied for an identity certificate and corresponding key. If an active registration exists, message security management system 43 executes step 83 and directly feeds back to message sending system 41 the identity certificate and corresponding key already generated for it.
If message sending system 41 has no active registration, message security management system 43 registers message sending system 41, generates and stores the identity certificate and corresponding key of message sending system 41, and then goes to step 83 to feed back the result that the identity certificate is provided.
Step 83: message security management system 43 feeds back the application result to message sending system 41. If message security management system 43 provides an identity certificate and key for message sending system 41, it feeds back the generated identity certificate and corresponding key to message sending system 41; if message security management system 43 decides not to provide an identity certificate and key for message sending system 41, it feeds back to message sending system 41 the result that the identity certificate is refused, together with the reasons.
The steps by which message delivery system 42 applies for an identity certificate and the corresponding key are similar to steps 81 to 83 above, with the applicant changed to the message delivery system. Likewise, the steps by which message receiving device 44 applies for an identity certificate and the corresponding key are similar to steps 81 to 83 above, with the applicant changed to the message receiving device.
Fig. 9 is a flow chart of an embodiment of the method for signing an application client in the push message processing system provided by the embodiment of the invention. As shown in Fig. 9, the method for signing an application client comprises:
Step 91: the application client generates a push message response capability file containing at least a push application identifier and an application client identifier. The push application identifier and application client identifier are described in the above embodiments.
Step 92: the application client sends a signature request for the push message response capability file.
The application client can send the signature request directly to message security management system 43. Alternatively, if the application client is bound to message sending system 41, or the application client and message sending system 41 are a single system, the signature request is initiated through message sending system 41: as shown in Fig. 10, in step 101 the application client sends the signature request to message sending system 41, and in step 102 message sending system 41 forwards the signature request to message security management system 43.
Besides the push message response capability file, the application client's signature request can also include information such as copyright, size and application description.
Message sending system 41 uses the identity certificate it has obtained to establish a secure communication channel (for example, HTTPS) with message security management system 43, exchanges information in this secure environment, and sends the application client's signature request to message security management system 43.
Step 93: if message security management system 43 supports the signature request, it computes the document digest of the push message response capability file.
Message security management system 43 audits message sending system 41 and the application client's signature request, and decides whether to support the request. If message security management system 43 does not support the request, it feeds back the processing result and the reason for refusal.
If message security management system 43 supports the request, it computes the document digest of the push message response capability file from the content of that file, using the agreed digest algorithm (for example SHA-1).
Step 94: message security management system 43 encrypts the document digest with the private key of its own certificate, that is, it encrypts the capability file's document digest with the private key corresponding to its own certificate, generating a new capability document digest.
Step 95: message security management system 43 adds the encrypted document digest to the push message response capability file, that is, it places the newly generated capability document digest at a designated position in the push message response capability file, such as the tail of the file.
Step 96: message security management system 43 feeds back to the application client the signature result and the push message response capability file with the encrypted document digest added.
Specifically, when the application client requests the signature directly from message security management system 43, message security management system 43 sends the signature result and the push message response capability file with the encrypted document digest added directly to the application client. When the application client requests the signature through message sending system 41, message security management system 43 feeds back the signature result for the capability file to message sending system 41, which forwards it to the application client. In this case, if message security management system 43 returns the signed push message response capability file, the method for signing an application client provided by the embodiment of the invention may further comprise:
Step 97: message sending system 41 stores the push message response capability file with the encrypted document digest added, that is, it stores the signed push message response capability file. In this way, when generating and sending push messages, message sending system 41 can use the stored capability file information to select the application client that is to process the push message, ensuring the security of push message processing.
Step 97 can be performed during the execution of step 96 or after step 96.
After step 96, the method may further comprise:
Step 98: the application client takes the push message response capability file with the encrypted document digest added as part of itself and is distributed to message receiving device 44.
Steps 97 and 98 need not be performed in any particular order: they can be performed simultaneously, step 97 first and then step 98, or step 98 first and then step 97.
If message security management system 43 refuses to sign, message sending system 41 feeds back to the application client the refusal-of-service information from message security management system 43.
The application client is installed on message receiving device 44. At installation, the application client must register its own capability information with the message security management client of message receiving device 44. Only after successful registration can the application client be called by the message security management client to process push messages. Fig. 11A is a flow chart of an embodiment of the method for registering an application client in the push message processing system provided by the embodiment of the invention. Fig. 11B is the signaling flow chart corresponding to Fig. 11A. As shown in Figs. 11A and 11B, the method for registering an application client comprises:
Step 111: when the application client is installed on message receiving device 44, it submits registration information, which includes the push message response capability file, to the message security management client.
The submitted registration information includes at least: the signed push message response capability file, the application client installation path, and the full path of the application client's main program (the full name including path and main program). It can also include the method of starting the main program, for example how the parameters are written when the main program is executed.
Step 112: the message security management client determines whether the application client is already registered.
Specifically, the basis on which the message security management client checks whether the application client is already registered can be whether the full path of the application client's main program and the signed capability file exist. If they exist and are identical to the registration information, the flow goes to step 116 and registration success is fed back directly to the application client, which avoids registering the application client twice and improves the efficiency of handling registration requests. Where no application client has yet been registered, step 112 can be omitted.
Step 113: the message security management client audits the push message response capability file in the registration information.
Because the message security management client holds the certificate and public key of message security management system 43, it can use the digest computation method of message security management system 43 to generate document digest A of the capability file from the push message response capability file submitted by the application client.
In addition, the message security management client extracts document digest B of the push message response capability file from the push message response capability file submitted by the application client.
The message security management client uses the public key of message security management system 43 to decrypt document digest B, obtaining document digest C.
The message security management client compares document digest A with document digest C. If they are identical, the capability file submitted by the application client is considered legal and valid, and the audit passes. Otherwise it is considered illegal or invalid, the audit fails, and the flow goes to step 116 to feed back to the application client that the registration request failed, with the reason; that is, if the audit fails, registration ends and a registration failure result is fed back.
Step 114: if the audit passes, the message security management client queries and updates the trusted application list. The trusted application list is described in the above embodiments: it is the list of information on application clients that have been registered with and signed by the message security management system.
The trusted application list on message receiving device 44 is a backup of the trusted application list in message security management system 43. The trusted application list is generated and maintained by message security management system 43. It stores information on the application clients that message security management system 43 trusts (that is, that have passed the audit of message security management system 43), including: the application client's push application identifier, the application client identifier, the signed capability file, and other information about the application client.
Applications client if message safety management system 43 is accepted the request of applications client, then can be added the information of described applications client in the trusted application tabulation of oneself when request message safety management system 43 signature pushing news responding ability file.
The message safety administrative client regularly check with download message safety management system 43 in trusted application tabulation, the trusted application tabulation in the maintain message receiving equipment 44.The message safety administrative client also can be when needed (for example, the trusted application tabulation does not exist, perhaps in the situation such as expired), to message safety management system 43 submit applications, downloads up-to-date trusted application and tabulate.Can adopt the protocol interaction data such as HTTPS between message safety administrative client and the message safety management system 43.
The message safety administrative client is inquired about the information that whether includes the applications client of submitting registration information in the local existing trusted application tabulation, if do not exist, then download up-to-date trusted application tabulation from the message safety management system this locality is upgraded, and the inquiry packet of tabulating again of the trusted application after renewal contains the information of the applications client of submitting registration information to.
If include the information of the applications client of submitting registration information in the described trusted application tabulation of step 115, the applications client that is request registration is credible, then described message safety administrative client records the log-on message of the applications client of described submission registration information, and continue execution in step 116, feed back the result that succeeds in registration; If described trusted application tabulation does not comprise the information of the applications client of described submission registration information, then go to step 116, feedback registration failure result.
Step 116: the message security management client feeds back the result of the registration request to the application client.
If the message security management client accepts the registration request of the application client, it feeds back a registration success result to the application client; otherwise, it feeds back a registration failure result.
The application client registration method provided by the embodiment of the invention may further comprise:
Step 117: the message security management client records security management log information and periodically submits the log information to message security management system 43.
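The capability-file audit and trusted-list check of steps 114 to 116, as an added example that is not code from the patent. The field names (`push_app_id`, `client_id`, `signed_digest`), the JSON canonicalisation, SHA-256 as the digest algorithm, the `fetch_trusted` callable standing in for the HTTPS download and the constructed demonstration key are all assumptions; "encrypting the digest with the private key" is shown as the raw RSA operation only to mirror the wording of the description.

```python
import hashlib
import json

# Constructed demonstration key standing in for message security management
# system 43. Two Mersenne primes keep the example offline and reproducible;
# this is not a key anyone should deploy.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key, known to the device
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, system side only


def file_digest(capability):
    """Digest of the capability file with the signature field left out."""
    body = {k: v for k, v in capability.items() if k != "signed_digest"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return int.from_bytes(hashlib.sha256(canonical.encode()).digest(), "big")


def sign_capability(capability):
    """System 43: encrypt the digest with the private key and embed it."""
    signed = dict(capability)
    signed["signed_digest"] = format(pow(file_digest(capability), D, N), "x")
    return signed


def audit_capability(capability):
    """Step 114 on the device: compare digest A with decrypted digest C."""
    try:
        digest_b = int(capability["signed_digest"], 16)   # digest B, as embedded
    except (KeyError, TypeError, ValueError):
        return False                                       # unsigned or malformed
    if not 0 < digest_b < N:
        return False
    digest_a = file_digest(capability)                     # digest A, recomputed
    digest_c = pow(digest_b, E, N)                         # digest C, B decrypted
    return digest_a == digest_c


def register(capability, local_trusted, fetch_trusted, registered, install_path):
    """Steps 114-116. Returns (ok, feedback) for the application client."""
    if not audit_capability(capability):
        return False, "capability file signature invalid"
    key = (capability.get("push_app_id"), capability.get("client_id"))
    if key not in local_trusted:
        # Not in the local copy: download the latest list once and re-check.
        latest = set(fetch_trusted())
        local_trusted.clear()
        local_trusted.update(latest)
    if key not in local_trusted:
        return False, "application client not in trusted application list"
    registered[key] = {"capability": capability, "install_path": install_path}
    return True, "registered"


if __name__ == "__main__":
    # Constructed sample data: one client signed and listed by the system.
    cap = sign_capability({"push_app_id": "x-demo.mail", "client_id": "mail-1"})
    remote_list = {("x-demo.mail", "mail-1")}
    local_list, registered = set(), {}
    print(register(cap, local_list, lambda: remote_list, registered, "/opt/apps/mail"))
    forged = dict(cap, push_app_id="x-demo.bank")   # edited after signing
    print(register(forged, local_list, lambda: remote_list, registered, "/opt/apps/x"))
```

A deployed system would replace the raw operation with a padded signature scheme such as RSA-PSS and a key of currently recommended length; the comparison of a recomputed digest with the recovered one stays the same.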
Figure 12 is a flow chart of push message delivery in the push message processing system provided by the embodiment of the invention. As shown in Figure 12, message sending system 41 generates a PUSH message and passes it to message delivery system 42; message delivery system 42 has message security management system 43 audit whether the message may be sent; if it may, message delivery system 42 pushes the message to message receiving device 44. The main steps of message delivery are:
Step 121: message sending system 41 generates a PUSH message.
The PUSH message includes at least the push application identifier. If message sending system 41 wishes to designate the application client that processes the PUSH message, it can add the application client identifier to the PUSH message.
The PUSH message also includes a PUSH message digest generated from the PUSH message content. The PUSH message digest makes it possible to establish that the PUSH message was generated by the message sending system. This is an important means of identifying the origin of a PUSH message. The PUSH message digest is generated by message sending system 41 with an agreed digest algorithm (for example, SHA-1); message sending system 41 then encrypts the digest with its private key, and the encrypted digest becomes part of the PUSH message. The format of the PUSH message may follow existing PUSH message specifications.
Step 122: message sending system 41 sends the PUSH message to message delivery system 42 and asks it to deliver the message onward.
Message sending system 41 and message delivery system 42 may exchange data over a protocol such as HTTPS.
Because the security of PUSH messages is closely tied to the security of message receiving device 44 and to the operational security of the service operation system, message delivery system 42 may, before delivering the PUSH message, ask message security management system 43 to audit whether the message sending system is entitled to send the PUSH message.
Step 123: message delivery system 42 requests message security management system 43 to check and process the PUSH message, for example to authenticate the sender of the PUSH message.
Step 124: message security management system 43 checks and processes the PUSH message.
Step 125: message security management system 43 feeds back the result for the PUSH message to message delivery system 42.
When message security management system 43 is located inside message delivery system 42 as part of its functionality, steps 123 to 125 can be omitted, and message delivery system 42 checks and processes the PUSH message itself.
Step 126: when the result fed back in step 125 is a pass, message delivery system 42 pushes the PUSH message to message receiving device 44.
Message delivery system 42 may push the PUSH message to message receiving device 44 using existing PUSH message push specifications. Step 126 is asynchronous.
Step 127: message delivery system 42 feeds back the PUSH message delivery result to message sending system 41.
Message delivery system 42 may feed back the processing result to message sending system 41 using existing PUSH message push specifications. Step 127 is asynchronous.
Figure 13 is a flow chart of the message receiving device processing a push message in the push message processing system provided by the embodiment of the invention. As shown in Figure 13, after the message receiving client of message receiving device 44 receives a PUSH message, it pushes the PUSH message to the message security management client. The message security management client, according to the push application identifier and the application client identifier in the PUSH message, finds and starts the target application client, and the target application client processes the PUSH message. The main steps by which the message receiving device processes a PUSH message are:
Step 131: the message receiving client receives the PUSH message.
The message receiving client may receive the PUSH message using existing PUSH message delivery and reception techniques.
Step 132: the message receiving client pushes the received PUSH message to the message security management client.
The PUSH message includes at least the push application identifier; if it does not, the flow goes to step 136 to feed back that the PUSH message cannot be processed.
Step 133: the message security management client searches the local trusted application list for a matching application client.
When a list of registered application clients is stored in message receiving device 44, this step can be omitted and step 134 carried out directly. When message receiving device 44 keeps no such registered application client list and instead marks installed application clients in the local trusted application list, this step is carried out to determine first whether the target application client is trustworthy.
The message security management client searches the local trusted application list for application client information matching the push application identifier. The lookup may find no application client, one, or several at once. If none exists, the flow goes to step 136 to feed back that no application client can handle the PUSH message.
If the PUSH message also includes the application client identifier, the message security management client additionally matches that identifier. If an application client matching both the push application identifier and the application client identifier is found, the flow goes to step 134. If no application client matching the application client identifier is found, further handling depends on service needs, for example terminating the call or selecting one client to call.
Step 134: the message security management client checks the validity of the target application client.
Specifically, the message security management client further checks whether the target application client actually exists, that is, it checks against the registered application client list whether the target application client has been installed on message receiving device 44. When a registered application client list is stored in the message receiving device, an installed target application client has its information in that list, which means the target application client actually exists. If it does not exist, the flow goes to step 136 to feed back that there is no valid application client to process the PUSH message.
When the installation status of application clients on the message receiving device is marked in the local trusted application list, and the information of the target application client was found in the local trusted application list in step 133 above, this step goes on to check whether the target application client's entry in the local trusted application list carries an installed mark. If it carries an installed mark, the target application client actually exists. If it carries a not-installed mark, the target application client does not exist, and the flow goes to step 136 to feed back that there is no valid application client to process the PUSH message.
Step 135: the message security management client starts the target application client according to the agreed rule.
Specifically, the message security management client starts the target application client by the method agreed when the target application client registered, and sends the PUSH message to the target application client for processing.
Step 136: the message security management client feeds back the message processing result to the message receiving client.
Step 137: the message security management client records a message processing log and periodically submits it to message security management system 43. Step 137 is asynchronous and optional.
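The matching and validity checks of steps 132 to 136 reduce to a dispatch routine in which every missing or unmatched value ends in a refusal. The following is an added example, not code from the patent; it assumes the variant in which the installed mark is kept in the local trusted application list, and the entry fields (`push_app_id`, `client_id`, `installed`, `start`), the `on_client_mismatch` policy names and the sample entries are hypothetical.

```python
def dispatch(push_message, trusted_list, on_client_mismatch="terminate"):
    """Steps 132-136: returns (handled, feedback for the message receiving client)."""
    app_id = push_message.get("push_app_id")
    if not app_id:
        # Step 132: a PUSH message without a push application identifier.
        return False, "cannot process: no push application identifier"

    # Step 133: trusted entries for this push application (none, one or several).
    matches = [e for e in trusted_list if e["push_app_id"] == app_id]
    if not matches:
        return False, "no application client for this push application"

    wanted = push_message.get("client_id")
    if wanted is not None:
        exact = [e for e in matches if e["client_id"] == wanted]
        if exact:
            matches = exact
        elif on_client_mismatch == "terminate":
            return False, "named application client not found"
        # "select_one": keep every trusted client of the push application.

    # Step 134: the target must actually be installed on the device.
    installed = [e for e in matches if e.get("installed")]
    if not installed:
        return False, "no valid application client installed"

    # Step 135: start the target by the method agreed at registration.
    target = installed[0]          # assumption: first installed match is used
    target["start"](push_message)
    return True, "handled by " + target["client_id"]


def sample_trusted_list(log):
    """Constructed local trusted application list; start() just records the call."""
    def starter(client_id):
        return lambda message: log.append((client_id, message.get("body")))
    return [
        {"push_app_id": "x-demo.mail", "client_id": "mail-1",
         "installed": True, "start": starter("mail-1")},
        {"push_app_id": "x-demo.mail", "client_id": "mail-2",
         "installed": False, "start": starter("mail-2")},
    ]


if __name__ == "__main__":
    calls = []
    trusted = sample_trusted_list(calls)
    for message in (
        {"body": "no identifier"},
        {"push_app_id": "x-demo.chat", "body": "unknown application"},
        {"push_app_id": "x-demo.mail", "client_id": "mail-2", "body": "not installed"},
        {"push_app_id": "x-demo.mail", "client_id": "mail-1", "body": "hello"},
    ):
        print(dispatch(message, trusted))
    print(calls)
```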
The above embodiments of the invention apply not only to mobile networks but also to other networks, for example fixed broadband networks and the Internet. While remaining compatible with existing PUSH message processing technology, they strengthen the security and openness of push message processing.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be carried out by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments serve only to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in those embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (32)

1.一种推消息处理方法,其特征在于,包括: 1. A push message processing method, characterized in that, comprising: 消息接收设备接收消息发送系统发送的包含推应用标识的推消息; The message receiving device receives the push message containing the push application identifier sent by the message sending system; 消息接收设备根据所述推应用标识匹配相应的应用客户端,判断匹配的应用客户端是否已注册,以及所述匹配的应用客户端生成的推消息响应能力文件是否获得签名; The message receiving device matches the corresponding application client according to the push application identifier, determines whether the matched application client has been registered, and whether the push message response capability file generated by the matched application client has obtained a signature; 若所述匹配的应用客户端已注册,且其推消息响应能力文件获得签名,启动所述匹配的应用客户端处理接收到的推消息;若所述匹配的应用客户端未注册,或其推消息响应能力文件未获得签名,则拒绝处理接收到的推消息。 If the matching application client is registered, and its push message response capability file is signed, start the matching application client to process the received push message; if the matching application client is not registered, or its push message If the message responsiveness file is not signed, it refuses to process the received push message. 2.根据权利要求1所述的推消息处理方法,其特征在于,消息接收设备接收消息发送系统发送的包含推应用标识的推消息包括:消息接收设备接收消息发送系统发送的包含推应用标识及应用客户端标识的推消息; 2. The push message processing method according to claim 1, wherein the message receiving device receiving the push message sent by the message sending system comprising the push application identifier comprises: the message receiving device receiving the push message sent by the message sending system including the push application identifier and Apply the push message identified by the client; 消息接收设备根据所述推应用标识匹配相应的应用客户端包括:消息接收设备根据所述推应用标识及应用客户端标识匹配相应的应用客户端。 The message receiving device matching the corresponding application client according to the pushed application identifier includes: the message receiving device matching the corresponding application client according to the pushed application identifier and the application client identifier. 3.根据权利要求2所述的推消息处理方法,其特征在于,所述应用客户端标识为全球用户标识。 3. 
The push message processing method according to claim 2, wherein the application client ID is a global user ID. 4.根据权利要求1-3任一项所述的推消息处理方法,其特征在于,消息发送系统发送的包含推应用标识的推消息还包括消息摘要,所述消息摘要为经过所述消息发送系统签名的摘要; 4. The push message processing method according to any one of claims 1-3, characterized in that, the push message sent by the message sending system that includes the push application identifier also includes a message digest, and the message digest is the message sent through the message. A digest of the system signature; 消息接收设备根据所述推应用标识匹配相应的应用客户端之前还包括: Before the message receiving device matches the corresponding application client according to the push application identifier, it also includes: 根据所述推消息中经过所述消息发送系统签名的摘要验证所述消息发送系统的身份,若验证通过,则消息接收设备根据所述推应用标识匹配相应的应用客户端;若验证未通过,则拒绝处理所述推消息。 Verify the identity of the message sending system according to the digest signed by the message sending system in the push message, if the verification is passed, the message receiving device matches the corresponding application client according to the push application identifier; if the verification fails, then refuse to process the push message. 5.一种用于实现上述权利要求1-4任一项所述推消息处理方法的消息安全管理系统,其特征在于,包括: 5. A message security management system for implementing the push message processing method described in any one of claims 1-4, characterized in that it includes: 应用管理与服务模块,用于对应用客户端的推消息响应能力文件进行签 名,对所述应用客户端进行注册,并验证所述应用客户端的推消息响应能力文件的签名; The application management and service module is used to sign the push message response capability file of the application client, register the application client, and verify the signature of the push message response capability file of the application client; 可信应用列表管理与服务模块,用于建立并维护可信应用列表,所述可信应用列表为通过注册和签名的应用客户端信息列表。 The trusted application list management and service module is used to establish and maintain a trusted application list, and the trusted application list is a list of application client information through registration and signature. 
6.根据权利要求5所述的消息安全管理系统,其特征在于,还包括: 6. The message security management system according to claim 5, further comprising: 证书管理与服务模块,用于根据消息发送系统、消息递送系统或消息接收设备发送的申请信息,为所述消息发送系统、消息递送系统或消息接收设备提供身份证书及对应的密钥,并验证所述消息发送系统、消息递送系统或消息接收设备的身份证书。 The certificate management and service module is used to provide identity certificates and corresponding keys for the message sending system, message delivery system or message receiving device according to the application information sent by the message sending system, message delivery system or message receiving device, and verify The identity certificate of the message sending system, message delivery system or message receiving device. 7.根据权利要求6所述的消息安全管理系统,其特征在于,所述申请信息至少包括:用户名、用户密码、用户描述及服务类型; 7. The message security management system according to claim 6, wherein the application information at least includes: user name, user password, user description and service type; 所述身份证书至少包括:证书格式与版本、证书编码方法、签名算法、摘要算法、证书序列号、证书主题、证书的签名机构标识及证书摘要。 The identity certificate at least includes: certificate format and version, certificate encoding method, signature algorithm, digest algorithm, certificate serial number, certificate subject, certificate signing authority identification and certificate digest. 8.根据权利要求5~7任一项所述的消息安全管理系统,其特征在于,还包括: 8. The message security management system according to any one of claims 5-7, further comprising: 消息处理日志接收模块,用于接收消息接收设备发送的消息处理日志。 The message processing log receiving module is configured to receive the message processing log sent by the message receiving device. 9.一种用于实现上述权利要求1-4任一项所述推消息处理方法的消息接收设备,其特征在于,包括: 9. 
A message receiving device for implementing the push message processing method according to any one of claims 1-4, characterized in that it comprises: 消息接收客户端,用于接收消息发送系统发送的包含推应用标识的推消息; The message receiving client is used to receive the push message sent by the message sending system and including the push application identifier; 消息安全管理客户端,与所述消息接收客户端相连,用于根据所述消息接收客户端接收的推消息中的推应用标识,匹配相应的应用客户端,判断匹配的应用客户端是否已注册,以及所述匹配的应用客户端生成的推消息响应能力文件是否获得签名,若所述匹配的应用客户端已注册且生成的推消息响应能力文件获得签名,则调用并启动所述匹配的应用客户端处理所述推消息, The message security management client is connected to the message receiving client, and is used to match the corresponding application client according to the push application identifier in the push message received by the message receiving client, and determine whether the matched application client has been registered , and whether the push message response capability file generated by the matching application client has been signed, if the matching application client has been registered and the generated push message response capability file has been signed, then call and start the matching application The client processes the push message, 应用客户端,与所述消息安全管理客户端相连,用于在所述消息安全管 理客户端的调用下,启动并处理所述消息接收客户端接收的推消息。 The application client is connected with the message security management client, and is used to start and process the push message received by the message receiving client under the invocation of the message security management client. 10.根据权利要求9所述的消息接收设备,其特征在于,所述消息安全管理客户端还用于接收安装时的应用客户端提交的注册请求信息,并根据所述注册请求信息对提交该注册请求信息的应用客户端进行注册。 10. The message receiving device according to claim 9, wherein the message security management client is further configured to receive the registration request information submitted by the application client during installation, and submit the registration request information according to the registration request information. The application client of the registration request information is registered. 
11.根据权利要求10所述的消息接收设备,其特征在于,所述注册请求信息至少包括:签名后的推消息响应能力文件、应用客户端安装路径及应用客户端主程序的全路径。 11. The message receiving device according to claim 10, wherein the registration request information at least includes: a signed push message response capability file, an installation path of the application client, and a full path of the main program of the application client. 12.根据权利要求9所述的消息接收设备,其特征在于,所述消息安全管理客户端还用于根据推消息中的摘要签名验证所述推消息的发送方的身份,若身份验证通过,则匹配相应的应用客户端,若身份验证未通过,则拒绝处理所述推消息。 12. The message receiving device according to claim 9, wherein the message security management client is further configured to verify the identity of the sender of the push message according to the digest signature in the push message, and if the authentication passes, Then match the corresponding application client, if the authentication fails, then refuse to process the push message. 13.根据权利要求9所述的消息接收设备,其特征在于,所述推消息中包含有应用客户端标识,所述消息安全管理客户端还用于通过所述应用客户端标识直接匹配相应的应用客户端。 13. The message receiving device according to claim 9, wherein the push message includes an application client identifier, and the message security management client is further configured to directly match the corresponding application client identifier through the application client identifier. App client. 14.根据权利要求9~13任一项所述的消息接收设备,其特征在于,所述消息安全管理客户端还用于记录消息处理日志,并定期向消息安全管理系统发送消息处理日志。 14. The message receiving device according to any one of claims 9-13, wherein the message security management client is further configured to record a message processing log, and periodically send the message processing log to the message security management system. 15.根据权利要求9~13任一项所述的消息接收设备,其特征在于,还包括: 15. The message receiving device according to any one of claims 9-13, further comprising: 身份申请模块,用于向消息安全管理系统申请并获取身份证书及对应的密钥。 The identity application module is used to apply for and obtain an identity certificate and a corresponding key from the message security management system. 
16.根据权利要求9~13任一项所述的消息接收设备,其特征在于,所述消息安全管理客户端还用于从消息安全管理系统下载可信应用列表,所述可信应用列表为通过消息安全管理系统注册和签名的应用客户端的信息列表。 16. The message receiving device according to any one of claims 9 to 13, wherein the message security management client is further configured to download a trusted application list from the message security management system, and the trusted application list is Information list of application clients registered and signed by the message security management system. 17.一种推消息处理系统,包括消息发送系统、消息递送系统,其特征在于,还包括:上述权利要求5-7任一项所述的消息安全管理系统及上述权利要求9-12任一项所述的消息接收设备; 17. A push message processing system, including a message sending system and a message delivery system, characterized in that it also includes: the message security management system according to any one of claims 5-7 and the message security management system described in any one of claims 9-12 The message receiving device mentioned in item; 所述消息安全管理系统与所述消息发送系统、消息递送系统及消息接收设备通信连接; The message security management system is communicatively connected with the message sending system, the message delivery system and the message receiving device; 所述消息发送系统通过所述消息递送系统,将生成的包含推应用标识的推消息发送给所述消息接收设备,所述消息接收设备用于根据所述推应用标识匹配相应的应用客户端,判断匹配的应用客户端是否已注册,以及所述匹配的应用客户端生成的推消息响应能力文件是否获得签名;若所述匹配的应用客户端已注册且生成的推消息响应能力文件获得签名,则调用并启动所述匹配的应用客户端处理所述推消息。 The message sending system sends the generated push message including the push application identifier to the message receiving device through the message delivery system, and the message receiving device is configured to match the corresponding application client according to the push application identifier, Judging whether the matching application client is registered, and whether the push message response capability file generated by the matching application client is signed; if the matching application client is registered and the generated push message response capability file is signed, Then call and start the matching application client to process the push message. 
18.根据权利要求17所述的推消息处理系统,其特征在于,所述消息发送系统、消息递送系统及消息接收没备中的任意一个或组合还包括: 18. The push message processing system according to claim 17, wherein any one or combination of the message sending system, message delivery system and message receiving equipment also includes: 身份申请模块,用于向所述消息安全管理系统发送申请信息,并用于从所述消息安全管理系统获取身份证书及对应的密钥,所述申请信息至少包括:用户名、用户密码、用户描述及服务类型,所述身份证书至少包括:证书格式与版本、证书编码方法、签名算法、摘要算法、证书序列号、证书主题、证书的签名机构标识及证书摘要。 An identity application module, configured to send application information to the message security management system, and to obtain an identity certificate and a corresponding key from the message security management system, the application information at least including: user name, user password, user description and service type, the identity certificate at least includes: certificate format and version, certificate encoding method, signature algorithm, digest algorithm, certificate serial number, certificate subject, certificate signing authority identification and certificate digest. 19.根据权利要求17所述的推消息处理系统,其特征在于,所述消息发送系统还包括: 19. 
push message processing system according to claim 17, is characterized in that, described message sending system also comprises: 应用客户端管理与服务模块,用于协同应用客户端向所述消息安全管理系统对所述应用客户端的推消息响应能力文件进行签名,协同所述应用客户端向所述消息安全管理系统进行注册; The application client management and service module is used to cooperate with the application client to sign the push message response capability file of the application client to the message security management system, and to cooperate with the application client to register with the message security management system ; 其中,所述协同应用客户端向所述消息安全管理系统对所述应用客户端的推消息响应能力文件进行签名包括: Wherein, the collaborative application client signs the push message response capability file of the application client to the message security management system includes: 将所述应用客户端发送的签名请求转发给所述消息安全管理系统; Forwarding the signature request sent by the application client to the message security management system; 将所述消息安全管理系统反馈的所述能力文件的签名处理结果转发给所述应用客户端。  Forwarding the signature processing result of the capability file fed back by the message security management system to the application client. the 20.根据权利要求19所述的推消息处理系统,其特征在于,所述应用客户端管理与服务模块还用于记录进行签名和注册的应用客户端的信息。 20. The push message processing system according to claim 19, wherein the application client management and service module is further configured to record the information of the application client for signing and registration. 21.根据权利要求18所述的推消息处理系统,其特征在于,所述消息发送系统还包括: 21. push message processing system according to claim 18, is characterized in that, described message sending system also comprises: 摘要签名模块,用于使用所述身份申请模块获取的身份证书及对应的密钥,对所述消息发送系统生成的推消息的消息摘要进行签名。 A digest signature module, configured to use the identity certificate and the corresponding key obtained by the identity application module to sign the message digest of the push message generated by the message sending system. 22.根据权利要求17-21任一项所述的推消息处理系统,其特征在于,所述消息发送系统还包括: 22. 
The push message processing system according to any one of claims 17-21, wherein the message sending system further comprises: 客户端标识附加模块,用于在所述消息发送系统生成的推消息中,设置用于指示消息接收没备启动对应的应用客户端处理所述推消息的应用客户端标识。 The client identification additional module is configured to set, in the push message generated by the message sending system, the application client identification used to indicate that the message receiving equipment does not start the corresponding application client to process the push message. 23.一种用于上述权利要求17~22任一项所述的推消息处理系统中申请身份证书的方法,其特征在于,包括: 23. A method for applying for an identity certificate in the push message processing system according to any one of claims 17 to 22, characterized in that it comprises: 消息发送系统、消息递送系统或消息接收设备向消息安全管理系统发送申请信息,申请身份证书,所述申请信息至少包括:用户名、用户密码、用户描述及服务类型; The message sending system, message delivery system or message receiving device sends application information to the message security management system to apply for an identity certificate, and the application information includes at least: user name, user password, user description and service type; 所述消息安全管理系统根据所述申请信息生成身份证书及对应的密钥,反馈给所述消息发送系统、消息递送系统或消息接收设备。 The message security management system generates an identity certificate and a corresponding key according to the application information, and feeds back to the message sending system, message delivery system or message receiving device. 24.根据权利要求23所述的申请身份证书的方法,其特征在于,所述消息安全管理系统根据所述申请信息生成身份证书及对应的密钥之前还包括: 24. 
The method for applying for an identity certificate according to claim 23, wherein the message security management system further includes before generating the identity certificate and the corresponding key according to the application information: 所述消息安全管理系统根据所述申请信息验证所述消息发送系统、消息递送系统或消息接收设备的身份,若验证未通过,则拒绝所述申请信息验证所述消息发送系统、消息递送系统或消息接收设备的申请;若验证通过,则判断所述消息发送系统、消息递送系统或消息接收设备是否已注册,若所述消息发送系统、消息递送系统或消息接收设备已注册,则直接反馈已生成的身份证书及对应的密钥;若所述消息发送系统、消息递送系统或消息接收没 备未注册,则注册所述消息发送系统、消息递送系统或消息接收设备,生成并存储相应的身份证书及对应的密钥。 The message security management system verifies the identity of the message sending system, message delivery system or message receiving device according to the application information, and rejects the application information to verify the identity of the message sending system, message delivery system or message receiving device if the verification fails. Application for a message receiving device; if the verification is passed, it is judged whether the message sending system, message delivery system or message receiving device has been registered, and if the message sending system, message delivery system or message receiving device is registered, then the direct feedback is Generated identity certificate and corresponding key; if the message sending system, message delivery system or message receiving device is not registered, then register the message sending system, message delivery system or message receiving device, generate and store the corresponding identity Certificate and corresponding key. 25.根据权利要求23或24所述的申请身份证书的方法,其特征在于,所述身份证书至少包括:证书格式与版本、证书编码方法、签名算法、摘要算法、证书序列号、证书主题、证书的签名机构标识及证书摘要。 25. The method for applying for an identity certificate according to claim 23 or 24, wherein the identity certificate at least includes: certificate format and version, certificate encoding method, signature algorithm, digest algorithm, certificate serial number, certificate subject, The certificate signing authority ID and certificate digest. 
26. A method for application client signing in the push message processing system according to any one of claims 17 to 22, characterized in that it comprises:
the application client generates a push message response capability file that includes at least the push application identifier and the application client identifier;
the application client sends a signature request for the push message response capability file;
when the message security management system supports the signature request, it calculates the file digest of the push message response capability file;
the message security management system encrypts the file digest with the private key of its own certificate;
the message security management system adds the encrypted file digest to the push message response capability file;
the message security management system feeds back the signature result, and the push message response capability file with the encrypted file digest added, to the application client.

27. The method for application client signing according to claim 26, characterized in that the application client sending the signature request for the push message response capability file comprises:
the application client sends the signature request for the push message response capability file to the message security management system through the message sending system;
and the message security management system feeding back the signature result, and the push message response capability file with the encrypted file digest added, to the application client comprises:
the message security management system feeds back the signature result, and the push message response capability file with the encrypted file digest added, to the application client through the message sending system.

28. The method for application client signing according to claim 27, characterized in that it further comprises:
the message sending system stores the push message response capability file with the encrypted file digest added.

29. The method for application client signing according to any one of claims 26 to 28, characterized in that, after the message security management system feeds back the signature result, and the push message response capability file with the encrypted file digest added, to the application client, the method further comprises:
the application client distributes the push message response capability file with the encrypted file digest added, as part of itself, to the message receiving device.

30. A method for application client registration in the push message processing system according to any one of claims 17 to 22, characterized in that it comprises:
when the application client is installed on the message receiving device, it submits registration request information to the message security management client, the registration request information containing the push message response capability file;
the message security management client audits the push message response capability file in the registration request information;
if the audit passes, the message security management client queries and updates the trusted application list, the trusted application list being the information list of application clients registered and signed through the message security management system; if the audit does not pass, registration ends and a registration failure result is fed back;
if the trusted application list contains the information of the application client that submitted the registration request information, the message security management client records the registration information of that application client and feeds back a registration success result; if the trusted application list does not contain the information of the application client that submitted the registration request information, a registration failure result is fed back.

31. The method for application client registration according to claim 30, characterized in that, before the message security management client audits the push message response capability file in the registration request information, the method further comprises:
judging whether the application client is already registered; if it is registered, a registration success result is fed back directly to the application client; if it is not registered, the registration request information is audited.

32. The method for application client registration according to claim 30 or 31, characterized in that it further comprises:
the message security management client records security management log information and periodically submits the log information to the message security management system.
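The signing steps of claim 26 and the registration decision of claims 30 and 31, as an added Python example that is not part of the patent. The JSON field names, the `sign`, `audit` and `SecurityManagementClient` names, the digest algorithm and the textbook-RSA demo key are assumptions chosen for illustration; the claims specify none of them.

```python
import hashlib
import json

# Demo key only: built from two publicly known Mersenne primes, so it is
# trivially factorable, and the signature is unpadded. Real systems keep the
# certificate key in a vetted crypto library or HSM.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def digest(cap):
    """SHA-256 over canonical JSON of every field except the signature."""
    body = {k: v for k, v in cap.items() if k != "signature"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(cap):
    """Security management system: encrypt the digest, embed it in the file."""
    return {**cap, "signature": format(pow(digest(cap), D, N), "x")}

def audit(cap):
    """Security management client: recover the digest with the public key."""
    try:
        return pow(int(cap["signature"], 16), E, N) == digest(cap)
    except (KeyError, TypeError, ValueError):
        return False

class SecurityManagementClient:
    def __init__(self, trusted):
        self.trusted = set(trusted)  # trusted list of (push_app_id, client_id)
        self.registered = {}

    def register(self, cap):
        key = (cap.get("push_app_id"), cap.get("client_id"))
        if key in self.registered:   # claim 31: already registered
            return "success"
        if not audit(cap):           # claim 30: audit of the file failed
            return "failure"
        if key not in self.trusted:  # claim 30: not in trusted list
            return "failure"
        self.registered[key] = cap
        return "success"

# Constructed sample capability file (field names are assumptions).
SAMPLE = {"push_app_id": "push.weather", "client_id": "com.example.weather"}
```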
CN201010545591.2A 2010-11-15 2010-11-15 Push-message processing method and system and equipment for implementing push-message processing method Active CN102006567B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010545591.2A CN102006567B (en) 2010-11-15 2010-11-15 Push-message processing method and system and equipment for implementing push-message processing method

Publications (2)

Publication Number Publication Date
CN102006567A CN102006567A (en) 2011-04-06
CN102006567B true CN102006567B (en) 2013-03-27

Family

ID=43813557

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010545591.2A Active CN102006567B (en) 2010-11-15 2010-11-15 Push-message processing method and system and equipment for implementing push-message processing method

Country Status (1)

Country Link
CN (1) CN102006567B (en)

Also Published As

Publication number Publication date
CN102006567A (en) 2011-04-06

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant