
WO2007051394A1 - Structure and method of realizing privacy protection in mobile application - Google Patents


Info

Publication number
WO2007051394A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
privacy
user
service
layer
Application number
PCT/CN2006/002726
Inventor
Lan Chen
Yuanping Zhou
Original Assignee
Zte Corporation
Application filed by Zte Corporation
Publication of WO2007051394A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]

Definitions

  • The present invention relates to the field of mobile communications and, in particular, to privacy protection techniques in mobile communications.
  • In mobile applications, the terminal is tied to personal information, so the protection of personal privacy is unavoidably involved. In a mobile application with multiple participants, the system must ensure that any party can protect information related to its own privacy, such as location information, according to its own wishes.
  • The protection of privacy in mobile applications involves two authentication problems: Problem 1, authentication of the end user; Problem 2, authentication of the initiator and the initiating service. Specifically, Problem 1 is to confirm whether the end user is the user himself or herself; Problem 2 is to confirm whether the requester of the information and the service used are allowed by the information provider.
  • The prior art uses a single privacy authentication module, that is, a single-module approach, to solve Problem 2: all privacy-related authentication is processed by one module, and the module has to handle the addition and deletion of user privacy settings.
  • The present invention provides an architecture for implementing privacy protection in a mobile application.
  • The architecture distributes privacy authentication across layers: a service authentication layer, which provides the user privacy control policy for a specific service; an integrated service authentication layer, which provides the user privacy control policy related to the usage agreement between the user and the service; and a user privacy authentication layer, which provides the called user's privacy control policy toward the service provider and toward the calling party.
  • The present invention provides a method of implementing privacy protection in a mobile application.
  • The privacy protection method processes privacy authentication in a distributed manner and comprises the following steps: Step 1: The user initiates a use request; Step 2: The service authentication layer performs privacy authentication at the specific service level according to the user's use request; Step 3: A use request that passes the service authentication layer is forwarded to the integrated service authentication layer.
  • Step 4: The integrated service authentication layer performs privacy authentication at the level of the usage agreement between the user and the service, according to the service authentication layer's result and the use request.
  • Step 5: A use request that passes the integrated service authentication layer enters the user privacy authentication layer.
  • The above steps can be performed flexibly, and some steps can be skipped in actual use. Further, when integrated service authentication passes, the use request may be deemed to have met the privacy condition, the user privacy authentication step is skipped, and the request is sent directly to the relevant service module for processing.
  • The present invention provides a method of implementing privacy protection in a mobile application.
  • The privacy protection method processes privacy authentication in a distributed manner and comprises the following steps: Step 1: The user initiates a use request; Step 2: The service authentication layer performs privacy authentication at the specific service level according to the user's use request; Step 3: A use request that passes the service authentication layer is forwarded to the user privacy authentication layer; Step 4: The user privacy authentication layer initiates integrated service authentication, and the integrated service authentication layer performs privacy authentication at the level of the usage agreement between the user and the service, according to the service authentication layer's result and the use request; Step 5: A use request that passes the integrated service authentication layer enters the user privacy authentication layer; Step 6: The user privacy authentication layer, according to the integrated service authentication layer's result and the use request, performs privacy authentication at the level of the called user toward the service provider and the called user toward the calling party; Step 7: A use request that passes authentication is sent to the relevant service module for processing.
  • The above steps can be performed flexibly, and some steps can be skipped in actual use. Further, when integrated service authentication passes, the use request may be deemed to have met the privacy condition, the user privacy authentication step is skipped, and the request is sent directly to the relevant service module for processing.
  • Compared with the existing single-module privacy authentication technology, the privacy protection architecture and method of the present invention adopt a layered mode with clear logic, clear module relationships and high maintainability, and are easy to develop and maintain.
  • FIG. 1 is a schematic diagram of a prior art single module privacy authentication mode in accordance with the present invention
  • FIG. 2 is a block diagram of an architecture for implementing privacy protection in a mobile application in accordance with the present invention
  • FIG. 3 is a flowchart of a method for implementing privacy protection in a mobile application in accordance with the present invention
  • FIG. 4 is a flowchart of a method for implementing privacy protection in a mobile application according to the present invention
  • FIG. 5 is a schematic diagram of a privacy authentication mode according to an embodiment of the present invention
  • FIG. 7 is a flowchart of the short-message mode of the service subscription process according to an embodiment of the present invention
  • FIG. 8 is a flowchart of the short-message mode of the service usage process according to an embodiment of the present invention
  • The architecture for implementing privacy protection in a mobile application distributes privacy authentication across layers: a service authentication layer, which provides user privacy control for a specific service and authenticates the legitimacy of the specific service; an integrated service authentication layer, which provides user privacy control related to the usage agreement between the user and the service; and a user privacy authentication layer, which provides the called user's privacy control toward the service provider and toward the calling party.
  • The user privacy control performed by the user privacy authentication layer includes access control for any service provider/requester, division into time periods, and whether to notify the user when the service is used.
  • A method for implementing privacy protection in a mobile application processes privacy authentication in a distributed manner and comprises the following steps: Step 1: The user initiates a use request; Step 2: The service authentication layer performs privacy authentication at the specific service level according to the user's use request; Step 3: A use request that passes the service authentication layer is forwarded to the integrated service authentication layer; Step 4: The integrated service authentication layer performs privacy authentication at the level of the usage agreement between the user and the service, according to the service authentication layer's result and the use request; Step 5: A use request that passes the integrated service authentication layer enters the user privacy authentication layer if it has not been determined to meet the privacy condition; Step 6: The user privacy authentication layer, according to the integrated service authentication layer's result and the use request, performs privacy authentication at the level of the called user toward the service provider and the called user toward the calling party; Step 7: A use request that passes authentication is sent to the relevant service module for processing.
  • In Step 5, if the use request that passes the integrated service authentication layer is determined to have met the privacy condition, the user privacy authentication layer does not perform authentication, and the use request is sent directly to the relevant service module for processing.
  • In Step 6, the privacy authentication performed by the user privacy authentication layer includes access control for any service provider/requester, division into time periods, and whether to notify the user when the service is used.
  • Referring to FIG. 4, a method for implementing privacy protection in a mobile application processes privacy authentication in a distributed manner and comprises the following steps: Step 1: The user initiates a use request; Step 2: The service authentication layer performs privacy authentication at the specific service level according to the user's use request; Step 3: A use request that passes the service authentication layer is forwarded to the user privacy authentication layer; Step 4: The user privacy authentication layer initiates integrated service authentication, so that the integrated service authentication layer performs privacy authentication at the level of the usage agreement between the user and the service, according to the service authentication layer's result and the use request; Step 5: A use request that passes the integrated service authentication layer enters the user privacy authentication layer if it has not been determined to meet the privacy condition; Step 6: The user privacy authentication layer, according to the integrated service authentication layer's result and the use request, performs privacy authentication at the level of the called user toward the service provider and the called user toward the calling party.
  • Step 7: A use request that passes authentication is sent to the relevant service module for processing.
  • In Step 5, if the use request that passes the integrated service authentication layer is determined to have met the privacy condition, the user privacy authentication layer does not perform authentication, and the use request is sent directly to the relevant service module for processing.
  • In Step 6, the privacy authentication performed by the user privacy authentication layer includes access control for any service provider/requester, division into time periods, and whether to notify the user when the service is used.
  • The present invention is directed to a framework mode for solving privacy authentication problems comprehensively and quickly.
  • The present invention provides an architecture for implementing privacy protection in a mobile application, comprising the following parts: a service authentication layer, which provides the user privacy control policy for a specific service; an integrated service authentication layer, which provides the user privacy control policy related to the usage agreement between the user and the service; and a user privacy authentication layer, which provides the called user's privacy control policy toward the service provider and toward the calling party.
  • The arrangement of the architecture of the present invention is completely different from the prior art.
  • The architectural mode of the present invention fully considers where the requirements come from and groups the problem into three levels.
  • The service authentication level is directly related to the service, for example user classification and organizational structure, and this part is processed first.
  • The first party to receive this part of the requirements is the service provider.
  • The integrated service authentication level covers the logic related to the subscription/usage agreement.
  • The user privacy authentication level is the core part of privacy authentication. It provides the most fine-grained privacy control policy of the user toward the service provider and of the called user toward the calling party, including access control for any SP/requester, division into time periods, and whether to notify the user when the service is used. This is the last step to be performed, and its execution logic depends on the results of the first two steps. The first party to receive this part of the requirements is the service engine.
  • FIG. 5 is a schematic diagram of one privacy authentication mode of the present invention.
  • The privacy authentication process uses the following mode: in the first step, the user initiates a use request; in the second step, the service authentication layer (SERVICE_AUTH) performs privacy authentication at the specific service level according to the user's use request; in the third step, a use request that passes the service authentication layer is forwarded to the integrated service authentication layer (INTEGRATED_SERVICE_AUTH);
  • in the fourth step, the integrated service authentication layer performs privacy authentication at the level of the usage agreement between the user and the service, according to the service authentication layer's result and the use request;
  • in the fifth step, a use request that passes the integrated service authentication layer enters the user privacy authentication layer (USER_PRIVACY_AUTH); in the sixth step, the user privacy authentication layer, according to the integrated service authentication layer's result and the use request, performs privacy authentication at the level of the called user toward the service provider and the called user toward the calling party;
  • in the seventh step, a use request that passes authentication is sent to the relevant service module for processing.
  • FIG. 6 is a schematic diagram of another privacy authentication mode of the present invention.
  • The privacy authentication process uses the following mode: in the first step, the user initiates a use request;
  • in the second step, the service authentication layer performs privacy authentication at the specific service level according to the user's use request;
  • in the third step, a use request that passes the service authentication layer is forwarded to the user privacy authentication layer;
  • in the fourth step, the user privacy authentication layer initiates integrated service authentication, and the integrated service authentication layer performs privacy authentication at the level of the usage agreement between the user and the service, according to the service authentication layer's result and the use request;
  • in the fifth step, a use request that passes the integrated service authentication layer enters the user privacy authentication layer;
  • in the sixth step, the user privacy authentication layer, according to the integrated service authentication layer's result and the use request, performs privacy authentication at the level of the called user toward the service provider and the called user toward the calling party;
  • in the seventh step, a use request that passes authentication is sent to the relevant service module for processing.
  • The difference between the two modes shown in FIG. 5 and FIG. 6 is that the initiator of the integrated service authentication is different.
  • In FIG. 5 it is initiated directly by the service authentication layer.
  • In FIG. 6 it is initiated by the user privacy authentication layer. The mode can be selected flexibly according to the trust relationships.
  • Authentication related to the specific service, such as user grouping and organizational structure, is handled in the service authentication layer; authentication related to the user/service usage agreement, such as matching of the subscription relationship, is implemented in the integrated service authentication layer;
  • authentication related to the trust relationship between user and user, or between user and service provider, is handled in the user privacy authentication layer.
  • Whether each of these three levels takes effect can be configured flexibly, so that some levels are skipped in actual use, and the order of the levels in the flow can also be adjusted.
  • For example, in some cases the privacy condition can be considered met once integrated service authentication passes, so the user privacy authentication level can be skipped. In a find-a-friend service in a virtual community, once both parties have passed service authentication and integrated service authentication they can be considered to trust each other, and the service can be executed immediately without user privacy authentication.
  • The implementation of the technical solution is described in further detail below with reference to two specific service cases, in conjunction with FIG. 7 and FIG. 8.
  • Both embodiments use the mode described in FIG. 6, because in the existing network integrated service authentication trusts user privacy authentication but does not trust service authentication.
  • the user sends a subscription request to the integrated service authentication layer
  • the integrated service authentication layer determines whether the request is for a community-based service
  • if the integrated service authentication layer returns success, the subscription relationship is generated.
  • The user privacy authentication layer would be required to determine whether a trust relationship exists between the calling and called parties, so as to ensure that user privacy authentication can pass during use; in this application, however, users in the same community trust one another, so user privacy authentication is unnecessary and this step can be skipped.
  • FIG. 8 is a flowchart of the short-message mode of the service usage process according to the first embodiment.
  • the user issues a use request
  • the service authentication layer performs service-related privacy authentication on the user's request
  • the user privacy authentication layer forwards the request to the integrated service authentication layer (it is forwarded by the user privacy authentication layer because the service authentication layer is not trusted);
  • the integrated service authentication layer determines, from the service ID in the request sent by the user privacy authentication layer, whether the service is a community service and, if so, whether the calling user and the called user have both subscribed to the service, and then sends the authentication result to the user privacy authentication layer;
  • the user privacy authentication layer obtains the authentication result of the integrated service authentication layer and decides, according to the service attribute, whether to perform user privacy authentication. If it is a community-based service and the integrated service authentication layer has authenticated successfully, the user privacy authentication layer is skipped and the positioning process is entered directly.
  • the service authentication layer implements a set of user management logic and user authentication procedures
  • the integrated service authentication layer generates the subscription relationship to the application for the enterprise
  • the service authentication layer establishes a set of user information and sets logical relationships for the enterprise. Privacy authentication execution steps:
  • the user's authentication request is processed by the service authentication layer according to the application's user authentication;
  • the user privacy authentication layer sends an authentication request to the integrated service authentication layer, and the integrated service authentication layer authenticates the subscription relationship between the calling party and the service (authentication passes only if the service type is 'enterprise application' and both the calling and the called users have subscribed to this service);
  • the user privacy authentication layer determines, based on the authentication result of the integrated service authentication layer, whether the service is an enterprise application. If it is an enterprise application and the application is configured not to perform privacy authentication at the user privacy authentication layer, positioning starts immediately. If it is an enterprise application and the application is configured to perform privacy authentication at the user privacy authentication layer, whether to start the positioning process is decided according to the user privacy authentication result.
  • The layered mode of the present invention is much clearer in logic, the complexity of each module is greatly reduced, and maintainability is improved; because the structure is clear, requirements can be clearly assigned for implementation, which improves development efficiency and code stability.
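
The FIG. 5 flow described above, including the rule that the user privacy layer is skipped once integrated service authentication finds the privacy condition met, can be sketched as follows. This is an added example, not code from the patent: the layer names come from the text, while the data model, the sample users and services, the default-deny behaviour for a called user with no policy, and the decision trace are assumptions.

```python
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class UseRequest:
    caller: str      # calling user
    callee: str      # called user, whose information is requested
    service_id: str
    provider: str    # service provider (SP) carrying the request
    at: str          # local time of the request, "HH:MM"


# Constructed sample data (hypothetical, not from the patent).
SERVICE_USERS = {                       # user grouping kept per service
    "find-friend": {"alice", "bob", "carol"},
    "fleet-locate": {"alice", "dave", "erin"},
}
COMMUNITY_SERVICES = {"find-friend"}    # subscribers are taken to trust each other
SUBSCRIPTIONS = {
    ("alice", "find-friend"), ("bob", "find-friend"),
    ("alice", "fleet-locate"), ("dave", "fleet-locate"), ("erin", "fleet-locate"),
}
USER_POLICY = {                         # called user's own privacy policy
    "dave": {"requesters": {"alice"}, "providers": {"sp-fleet"},
             "window": (time(8, 0), time(18, 0)), "notify": True},
}


def service_auth(req):
    """SERVICE_AUTH: service-specific check, here user grouping."""
    members = SERVICE_USERS.get(req.service_id, set())
    return req.caller in members and req.callee in members


def integrated_service_auth(req):
    """INTEGRATED_SERVICE_AUTH: subscription matching.

    Returns (passed, privacy_condition_met)."""
    passed = all((u, req.service_id) in SUBSCRIPTIONS
                 for u in (req.caller, req.callee))
    return passed, passed and req.service_id in COMMUNITY_SERVICES


def user_privacy_auth(req):
    """USER_PRIVACY_AUTH: requester/SP access control and time period.

    Returns (passed, notify_callee). No policy means deny (assumption)."""
    policy = USER_POLICY.get(req.callee)
    if policy is None:
        return False, False
    start, end = policy["window"]
    ok = (req.caller in policy["requesters"]
          and req.provider in policy["providers"]
          and start <= time.fromisoformat(req.at) <= end)
    return ok, ok and policy["notify"]


def authorize(req):
    """Run the layers in FIG. 5 order.

    Returns (allowed, notify_callee, trace); the trace records every layer
    outcome, so a skipped privacy layer is visible in audit logs."""
    trace = []
    if not service_auth(req):
        trace.append(("SERVICE_AUTH", "deny"))
        return False, False, trace
    trace.append(("SERVICE_AUTH", "pass"))

    passed, privacy_met = integrated_service_auth(req)
    if not passed:
        trace.append(("INTEGRATED_SERVICE_AUTH", "deny"))
        return False, False, trace
    trace.append(("INTEGRATED_SERVICE_AUTH", "pass"))

    if privacy_met:                     # skip rule from the text
        trace.append(("USER_PRIVACY_AUTH", "skipped"))
        return True, False, trace

    ok, notify = user_privacy_auth(req)
    trace.append(("USER_PRIVACY_AUTH", "pass" if ok else "deny"))
    return ok, notify, trace


if __name__ == "__main__":
    for r in (UseRequest("alice", "bob", "find-friend", "sp-community", "23:30"),
              UseRequest("alice", "dave", "fleet-locate", "sp-fleet", "09:15"),
              UseRequest("alice", "dave", "fleet-locate", "sp-fleet", "22:00")):
        print(r, "->", authorize(r))
```

Because the skip removes the called user's own policy from the decision, the trace entry is what lets an operator review which services are bypassing the user privacy layer.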

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

A structure and method of realizing privacy protection in mobile application. The structure of realizing privacy protection sets distributed layers for the privacy authentication, comprising: a service authentication layer, providing the user's privacy control of the specific service and authenticating the validity of the specific service; an integrated service authentication layer, providing the user's privacy control relative to the usage protocol between the user and the service; and a user's privacy authentication layer, providing the privacy control of the called user to the service supplier and of the called user to the calling user.

Description

一种在移动应用中实现隐私保护的  A privacy protection in mobile applications
架构及其方法  Architecture and method
技术领域 本发明涉及移动通信领 i或, 尤其涉及移动通信中的隐私保护技术。 背景技术 在移动应用中, 由于终端是和个人信息相关的, 所以不可避免的牵 涉到个人隐私的保护。 在多方参与的移动应用中 , 系统必须保证任何一方 都能够按照个人意志保护与自己隐私相关的信息, 比如位置信息。 移动应用中对隐私的保护牵涉到两个方面的鉴别问题, 包括: 问题 1 : 对终端使用者的鉴別; 问题 2: 对发起者和发起业务的鉴别。 具体说 就是, 问题 1 : 要确认终端使用者是否为用户本人; 问题 2: 要确认信息 的请求者和使用的业务是否为信息提供者所允许的。 现有技术中, 为了解决这两个问题, 采用如下手段: 对于问题 1 , 需要加入第三方鉴权, 比如运营商特服号鉴权。 问题 1 是个相对比较容易解决的问题, 在此不再赘述。 对于问题 2, 需要对主叫、 被叫、 使用业务进行综合的控制, 即, 主叫能够针对不同的被叫和具体业务决定自己的信息是否被使用。 如图 1 所示, 现有技术使用单一隐私鉴权模块, 即单模块方式来解 决问题 2 , 即所有的隐私相关的鉴权都由一个模块处理完成, 此模块需要 解决用户隐私的增加、 删除、 修改、 保存, 需要区别每个用户对不同的应 用请求者、应用、应用提供者的信任关系, 同时还需要考虑许多相关因子, 比如时间段等等。 这些关系由于应用的多样性而变得极其复杂, 因此单模 块方式导致隐私鉴权模块本身越来越庞杂, 效率及可维护性都不断下降, 更为严重的是, 业务需求的本质就包含不断变动的因素, 单模块方式无法 应对如此快速的变动, 同时在多方联合开发中, 单模块耦合度过大, 难以 再做划分, 导致进度瓶颈, 而且多方合作中任何一方都无法完全及时了解 所有需求, 这种信息上的滞后也会导致开发效率的低下。 发明内容 本发明的主要目的在于提供一种在移动应用中实现隐私保护的架构 和方法, 用于克 现有移动应用中的单模块隐私鉴权方案可维护性差、 响 应緩慢、 多方联合开发难度大等缺陷, 能够全面快速解决移动应用中的隐 私鉴权问题。 为了实现上述目的, 根据本发明的第一方面, 本发明提供了一种在 移动应用中实现隐私保护的架构。实现隐私保护的架构对隐私鉴权进行分 布式层面设置, 包括: 业务鉴权层, 提供具体业务的用户隐私控制策略; 综合业务鉴权层, 提供用户与业务的 4吏用协议相关的用户隐私控制 策略; 用户隐私鉴权层, 提供被叫用户对业务提供商和被叫用户对主叫的 用户隐私控制策略。 进一步地, 上述三个层面可以灵活配置, 在实际使用中兆过若干层 面。 进一步地, 当综合业务鉴权通过时可认为已满足隐私条件, 跳过用 户隐私鉴权层。 为了实现上述目的, 根据本发明的第二方面, 本发明提供了一种在 移动应用中实现隐私保护的方法。实现隐私保护的方法对隐私鉴权进行分 布式处理, 包 ^以下步 : 步聚一: 用户发起使用请求; 步骤二: 业务鉴权层才 据用户的使用请求, 进行具体业务层面的隐 私赛权; 步骤三: 业务鉴权层鉴权通过的使用请求转到综合业务鉴权层; 步驟四: 综合业务鉴权层根据业务鉴权层鉴权结果和使用请求, 进 行用户与业务使用协议层面的隐私鉴权; 步骤五: 综合业务鉴权层鉴权通过的使用请求进入用户隐私鉴权层; 步骤六: 用户隐私鉴权层根据综合业务鉴权层鉴权结果和使用请求, 进 4亍被叫用户对业务提供商和被叫用户对主叫层面的隐私鉴权; 步驟七: 通过鉴权的使用请求送相关业务模块处理。 进一步地, 上述步骤可以灵活执行, 在实际使用中跳过若干步骤。 进一步地, 当综合业务鉴权通过时可认为使用请求已满足隐私条件, 跳过用户隐私鉴权步骤, 直接送相关业务模块进行业务处理。 为了实现上述目的, ^^据本发明的第三方面, 本发明提供了一种在 移动应用中实现隐私保护的方法。实现隐私保护的方法对隐私鉴权进行分 布式处理, 包括以下步戳: 步骤 1 : 用户发起使用请求; 步骤 2: 业务鉴权层根据用户的使用请求, 进行具体业务层面的隐 私鉴权; 步骤 3: 业务鉴权层鉴权通过的使用请求转到用户隐私鉴权层; 步驟 4: 用户隐私鉴权层发起综合业务鉴权, 综合业务鉴权层根据 业务鉴权层鉴权结果和使用请求,进行用户与业务使用协议层面的隐私鉴 权; 步骤 5: 综合业务鉴权层鉴权通过的使用请求进入用户隐私鉴权层; 步骤 6: 用户隐私鉴权层根据综合业务鉴权层鉴权结果和使用请求, 进行被叫用户对业务提供商, 被叫用户对主叫层面的隐私鉴权; 步骤 7: 通过鉴权的使用请求送相关业务模块处理。 进一步地, 上述步骤可以灵活执行, 在实际使用中跳过若干步骤。 进一步地, 当综合业务鉴权通过时可认为使用请求已满足隐私条件, 跳过用户隐私鉴权步骤, 
直接送相关业务模块进行业务处理。 通过上述技术方案, 和现有单模块隐私鉴权技术相比, 本发明隐私 保护架构和方法采取分层模式, 逻辑清晰、 模块关系明了、 可维护性高, 易于开发和维护。 附图说明 此处所说明的附图用来提供对本发明的进一步理解, 构成本申请的 一部分, 本发明的示意性实施例及其说明用于解释本发明, 并不构成对本 发明的不当限定。 在附图中: 图 1是根据本发明的现有的单模块隐私鉴权模式示意图; 图 2是根据本发明的在移动应用中实现隐私保护的架构的框图; 图 3是根据本发明的在移动应用中实现隐私保护的方法的流程图; 图 4是根据本发明的在移动应用中实现隐私保护的方法的流程图; 图 5是才 据本发明实施例的隐私鉴权模式示意图; 图 6是根据本发明实施例的隐私鉴权模式示意图; 图 7是根据本发明实施例的业务订购流程的短信方式流程图; 图 8是才艮据本发明实施例的业务使用流程的短信方式流程图。 具体实施方式 下面将参考附图详细说明本发明。 参照图 2 , 才 据本发明的在移动应用中实现隐私保护的架构对隐私 鉴权进行分布式层面设置, 包括: 业务鉴权层, 用于提供具体业务的用户 隐私控制, 对具体业务的合法性进行鉴权; 综合业务鉴权层, 用于提供用 户与业务的使用协议相关的用户隐私控制; 用户隐私鉴权层, 用于提供被 叫用户对业务提供商以及被叫用户对主叫的用户隐私 4空制。 用户隐私鉴权层进行的用户隐私控制包括对任意业务提供商 /请求 者的接入控制、 时段的划分、 是否在业务使用时通知用户。 当业务鉴权层的鉴权通过时, 进入综合业务鉴权层的鉴权。 当综合业务鉴权层的鉴权通过时, 如果认定已满足隐私条件, 则隐 私保护过程完成, 否则, 进入用户隐私鉴权层的鉴权。 参照图 3 , 根据本发明的在移动应用中实现隐私保护的方法对隐私 鉴权进行分布式处理, 包括以下步骤: 步骤一: 用户发起使用请求; 步骤二: 业务鉴权层根据用户的使用请求, 进行具体业务层面的隐 私鉴权; 步骤三: 业务鉴权层鉴权通过的使用请求转到综合业务鉴权层; 步驟四: 综合业务鉴权层根据业务鉴权层鉴权结果和使用请求, 进 行用户与业务使用十办议层面的隐私鉴权; 步骤五: 综合业务鉴权层鉴权通过的使用请求在未被认定巳满足隐 私条件的情况下, 进入用户隐私鉴权层; 步驟六: 用户隐私鉴权层根据综合业务鉴权层鉴权结果和使用请求, 进行被叫用户对业务提供商以及被叫用户对主叫层面的隐私鉴权; 步骤七: 通过鉴权的使用请求送相关业务模块处理。 在步驟五中 , 如果综合业务鉴权层鉴权通过的使用请求被认定已满 足隐私条件, 则不进行用户隐私鉴权层的鉴权, 直接将使用请求送相关业 务模块处理。 在步驟六中, 用户隐私鉴权层进行的隐私鉴权包括对任意业务提供 商 /奇求者的接入控制、 时段的划分、 是否在业务使用时通知用户。 参照图 4, 根据本发明的在移动应用中实现隐私保护的方法对隐私 鉴权进 4于分布式处理, 包括以下步 -骤: 步骤 1: 用户发起使用请求; 步骤 2: 业务鉴权层根据用户的使用请求, 进行具体业务层面的隐 私鉴权; 步骤 3: 业务鉴权层鉴权通过的使用请求转到用户隐私鉴权层; 步骤 4: 用户隐私鉴权层发起综合业务鉴权, 使得综合业务鉴权层 根据业务鉴权层鉴权结果和使用请求,进行用户与业务使用协议层面的隐 私鉴权; 步骤 5: 综合业务鉴权层鉴权通过的使用请求在未被认定已满足隐 私条件的情况下, 进入用户隐私鉴权层; 步骤 6: 用户隐私鉴权层根据综合业务鉴权层鉴权结果和使用请求, 进行被叫用户对业务提供商以及被叫用户对主叫层面的隐私鉴权; 步骤 7: 通过鉴权的使用请求送相关业务模块处理。 在步骤 5 中, 如果综合业务鉴权层鉴权通过的使用请求被认定已满 足隐私条件 , 则不进行用户隐私鉴权层的鉴权, 直接将使用请求送相关业 务模块处理。 在步驟 6 中, 用户隐私鉴权层进行的隐私鉴权包括对任意业务提供 商 /请求者的接入控制、 时段的划分、 是否在业务使用时通知用户。 下面结合附图具体说明本发明的详细实施。 因为业务内容多变, 目前的单模块隐私鉴权方案复杂程度不断增加, 可维护性不断下降, 而且对于变化的响应非常緩慢, 在多方联合开发中任 务划分也成问题。 由于隐私鉴权问题的多面性, 所以必须加以分割, 采用 分层的模式, 让系统中的各个角色分别承担部分隐私鉴权的功能, 以达到 全面适应多种具体需要, 并可快速灵活的应对具体应用的变化。 本发明就 是旨在给出一种针对全面快速解决隐私鉴权问题的构架模式。 本发明提供一种在移动应用中实现隐私保护的架构, 包括以下部分: 业务鉴权层, 提供具体业务的用户隐私控制策略; 综合业务鉴权层, 提供 
用户与业务的使用协议相关的用户隐私控制策略; 用户隐私鉴权层, 提供 被叫用户对业务提供商和被叫用户对主叫的用户隐私控制策略。 本发明架构的设置方式和现有技术是完全不同的, 本发明的构架模 式充分考虑了需求的来源, 将问题归纳为三个层面。 业务鉴权层面是与业 务直接相关的, 如用户分类, 组织结构, 这部分会首先被处理, 这部分的 需求的最先获得者是业务提供商。 综合业务鉴权层面是与订购 /使用协议 相关逻辑, 这部分并不直接与隐私相关, 但是可以借助来做用户群组的划 分, 帮助用户隐私鉴权层面进行更细致的隐私鉴权, 这部分的需求的最先 获得者是运营商。 用户隐私鉴权层面是隐私鉴权的核心部分, 它提供最细 致的用户对业务提供商, 被叫用户对主叫的用户隐私控制策略, 包括对任 意 SP/请求者的接入控制, 时段的划分, 是否在业务使用时通知用户, 这 是最后进行的步骤, 它的执行逻辑和前两步的结果有依赖关系, 这部分的 需求的最先获得者是业务引擎。 如图 5所示, 是本发明的一种隐私鉴权模式示意图, 当某用户使用 一个需要隐私鉴权的业务时, 隐私鉴权流程会采用如下的模式进行: 第一步, 用户发起使用请求; 第二步, 业务鉴权层(SERVICE— AUTH )根据用户的使用请求, 进 行具体业务层面的隐私鉴权; 第三步, 业务鉴权层鉴权通过的使用请求转到综合业务鉴权层 ( INTEGRATED_SERVICE_AUTH ); 第四步, 综合业务鉴权层根据业务鉴权层鉴权结果和使用请求, 进 行用户与业务 4吏用协议层面的隐私鉴权; 第五步, 综合业务鉴权层鉴权通过的使用请求进入用户隐私鉴权层 ( USER_PRIVACY_AUTH ); 第六步, 用户隐私鉴权层根据综合业务鉴权层鉴权结果和使用请求, 进行被叫用户对业务提供商, 被叫用户对主叫层面的隐私鉴权; 第七步, 通过鉴权的使用请求送相关业务模块处理。 如图 6所示, 是本发明的另一种隐私鉴权模式示意图, 当某用户使 用一个需要隐私鉴权的业务时, 隐私鉴权流程会采用如下的模式进行: 第一步, 用户发起使用清求; 第二步, 业务鉴权层根据用户的使用请求, 进行具体业务层面的隐 私答权; 第三步, 业务鉴权层鉴权通过的使用请求转到用户隐私鉴权; 第四步, 用户隐私鉴权层发起综合业务鉴权, 综合业务鉴权层根据 业务鉴权层鉴权结果和使用请求,进行用户与业务使用协议层面的隐私鉴 权; 第五步, 综合业务鉴权层通过的使用请求进入用户隐私鉴权层; 第六步, 用户隐私鉴权层根据综合业务鉴权层鉴权结果和使用请求, 进行被叫用户对业务提供商, 被叫用户对主叫层面的隐私鉴权; 第七步, 通过鉴权的使用请求送相关业务模块处理。 图 5和图 6这两种模式体现的差别在于综合业务赛权的发起者不同, 图 5由业务鉴权层直接发起, 图 6由用户隐私鉴权层发起, 可以根据信任 关系灵活选取。 与具体业务相关的鉴权, 如用户分组, 組织结构, 放在业务鉴权层 处理; 与用户 /业务使用协议相关的鉴权, 如订购关系的匹配, 放在综合 业务鉴权层实现; 与用户 /用户, 用户 /业务提供者之间信任关系相关的鉴 权放在用户隐私鉴权层中处理。 同时这三个层面每个层面是否起作用可以灵活配置, 在实际 4吏用中 跳过若干层面, 同时各个层面在流程中的先后秩序也可做调整。 比如某些 情况当综合业务鉴权通过时可以认为已经满足了隐私条件,故可将用户隐 私鉴权层面跳过, 如虚拟社区中的找朋友业务, 当交友双方通过了业务鉴 权和综合业务鉴权后就可以认为他们是相互信任的, 业务可以立即执行, 不必再 #丈用户隐私鉴权。 下面结合图 7和图 8, 联系两个具体业务案例对技术方案的实施作 进一步的详细描述, 这两个实施例采用的模式体现为图 6描述的方式, 原 因在于现网中综合业务鉴权对用户隐私鉴权存在信任关系,而对业务鉴权 不信任。 TECHNICAL FIELD The present invention relates to mobile communications or, in particular, to privacy protection techniques in mobile communications. BACKGROUND OF THE INVENTION In mobile applications, since the terminal is related to personal information, it is inevitable to involve protection of personal privacy. 
In a multi-participating mobile application, the system must ensure that either party can protect information related to its privacy, such as location information, in accordance with individual will. The protection of privacy in mobile applications involves two aspects of authentication, including: Question 1: Identification of end users; Question 2: Identification of initiators and originating services. Specifically, question 1: To confirm whether the end user is the user himself or herself; Question 2: To confirm whether the requester of the information and the service used are allowed by the information provider. In the prior art, in order to solve these two problems, the following means are adopted: For the problem 1, a third-party authentication, such as an operator's special service number authentication, needs to be added. Question 1 is a relatively easy problem to solve and will not be repeated here. For question 2, comprehensive control of the calling, called, and using services is required, that is, the calling party can determine whether its own information is used for different called and specific services. As shown in FIG. 1 , the prior art uses a single privacy authentication module, that is, a single module method to solve the problem 2, that is, all privacy-related authentication is processed by one module, and the module needs to solve the increase and deletion of user privacy. , modify, save, need to distinguish each user's trust relationship with different application requesters, applications, application providers, but also need to consider many related factors, such as time period and so on. These relationships become extremely complex due to the diversity of applications. Therefore, the single-module approach leads to the complexity of the privacy authentication module itself, and the efficiency and maintainability are declining. 
More seriously, business requirements by their nature keep changing, and the single-module approach cannot cope with such rapid change. At the same time, in multi-party joint development the single module is too tightly coupled and hard to divide, which creates a schedule bottleneck; no party can fully understand all the requirements in time, and this lag in information also lowers development efficiency.

SUMMARY OF THE INVENTION
The main objective of the present invention is to provide an architecture and method for implementing privacy protection in a mobile application, so as to overcome the defects of the single-module privacy authentication scheme used in existing mobile applications, such as poor maintainability, slow response and difficulty of joint development, and to solve the privacy authentication problem in mobile applications comprehensively and quickly.
To achieve the above object, according to a first aspect, the present invention provides an architecture for implementing privacy protection in a mobile application. The architecture arranges privacy authentication in distributed layers, including: a service authentication layer, which provides the user privacy control policy for specific services; an integrated service authentication layer, which provides the user privacy control policy related to the usage agreement between the user and the service; and a user privacy authentication layer, which provides the user privacy control policies of the called user toward the service provider and of the called user toward the calling party.
Further, the above three layers can be flexibly configured, and some of them can be skipped in actual use.
Further, when the integrated service authentication passes, the privacy condition may be considered satisfied, and the user privacy authentication layer is skipped.
To achieve the above object, according to a second aspect, the present invention provides a method of implementing privacy protection in a mobile application. The method performs distributed processing of privacy authentication and includes the following steps:
Step 1: The user initiates a use request;
Step 2: The service authentication layer performs privacy authentication at the specific service level according to the user's use request;
Step 3: The use request that passes service authentication layer authentication is transferred to the integrated service authentication layer;
Step 4: The integrated service authentication layer performs privacy authentication at the level of the user-service usage agreement, according to the service authentication layer authentication result and the use request;
Step 5: The use request that passes integrated service authentication layer authentication enters the user privacy authentication layer;
Step 6: The user privacy authentication layer performs the privacy authentication of the called user toward the service provider and of the called user toward the calling party, according to the integrated service authentication layer authentication result and the use request;
Step 7: The use request that has passed authentication is sent to the relevant service module for processing.
Further, the above steps can be performed flexibly, and some steps can be skipped in actual use.
Further, when the integrated service authentication passes, the use request may be considered to have met the privacy condition; the user privacy authentication step is skipped and the request is sent directly to the relevant service module for service processing.
To achieve the above object, according to a third aspect, the present invention provides a method of implementing privacy protection in a mobile application.
The method performs distributed processing of privacy authentication and includes the following steps:
Step 1: The user initiates a use request;
Step 2: The service authentication layer performs privacy authentication at the specific service level according to the user's use request;
Step 3: The use request that passes service authentication layer authentication is transferred to the user privacy authentication layer;
Step 4: The user privacy authentication layer initiates the integrated service authentication, and the integrated service authentication layer performs privacy authentication at the level of the user-service usage agreement, according to the service authentication layer authentication result and the use request;
Step 5: The use request that passes integrated service authentication layer authentication enters the user privacy authentication layer;
Step 6: The user privacy authentication layer performs the privacy authentication of the called user toward the service provider and of the called user toward the calling party, according to the integrated service authentication layer authentication result and the use request;
Step 7: The use request that has passed authentication is sent to the relevant service module for processing.
Further, the above steps can be performed flexibly, and some steps can be skipped in actual use.
Further, when the integrated service authentication passes, the use request may be considered to have met the privacy condition; the user privacy authentication step is skipped and the request is sent directly to the relevant service module for service processing.
With the above technical solution, compared with the existing single-module privacy authentication technology, the privacy protection architecture and method of the present invention adopt a layered mode with clear logic, clear module relationships and high maintainability, and are easy to develop and maintain.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are set to illustrate
In the drawings:
FIG. 1 is a schematic diagram of a prior art single-module privacy authentication mode in accordance with the present invention;
FIG. 2 is a block diagram of an architecture for implementing privacy protection in a mobile application in accordance with the present invention;
FIG. 3 is a flowchart of a method for implementing privacy protection in a mobile application according to the present invention;
FIG. 4 is a flowchart of a method for implementing privacy protection in a mobile application according to the present invention;
FIG. 5 is a schematic diagram of a privacy authentication mode according to an embodiment of the present invention;
FIG. 7 is a flowchart of the short-message mode of a service subscription process according to an embodiment of the present invention;
FIG. 8 is a flowchart of the short-message mode of a service usage process according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION
The present invention is described in detail below with reference to the accompanying drawings.
Referring to FIG. 2, the architecture for implementing privacy protection in a mobile application according to the present invention arranges privacy authentication in distributed layers, including: a service authentication layer, which is used to provide user privacy control for specific services and to authenticate the legitimacy of specific services; an integrated service authentication layer, which is used to provide user privacy control related to the usage agreement between the user and the service; and a user privacy authentication layer, which is used to provide user privacy control of the called user toward the service provider and of the called user toward the calling party.
The user privacy control performed by the user privacy authentication layer includes access control for any service provider/requester, the division of time periods, and whether to notify the user when the service is used.
When the authentication of the service authentication layer passes, the authentication of the integrated service authentication layer is entered. When the authentication of the integrated service authentication layer passes, if the privacy condition is determined to have been met, the privacy protection process is complete; otherwise, the authentication of the user privacy authentication layer is entered.
Referring to FIG. 3, a method for implementing privacy protection in a mobile application according to the present invention performs distributed processing of privacy authentication and includes the following steps:
Step 1: The user initiates a use request;
Step 2: The service authentication layer performs privacy authentication at the specific service level according to the user's use request;
Step 3: The use request that passes service authentication layer authentication is transferred to the integrated service authentication layer;
Step 4: The integrated service authentication layer performs privacy authentication at the level of the user-service usage agreement, according to the service authentication layer authentication result and the use request;
Step 5: The use request that passes integrated service authentication layer authentication enters the user privacy authentication layer if it has not been determined to have met the privacy condition;
Step 6: The user privacy authentication layer performs the privacy authentication of the called user toward the service provider and of the called user toward the calling party, according to the integrated service authentication layer authentication result and the use request;
Step 7: The use request that has passed authentication is sent to the relevant service module for processing.
In step 5, if the use request that passes integrated service authentication layer authentication is determined to have met the privacy condition, the user privacy authentication layer authentication is not performed, and the use request is sent directly to the relevant service module for processing.
In step 6, the privacy authentication performed by the user privacy authentication layer includes access control for any service provider/requester, the division of time periods, and whether to notify the user when the service is used.
Referring to FIG. 4, a method for implementing privacy protection in a mobile application according to the present invention performs distributed processing of privacy authentication and includes the following steps:
Step 1: The user initiates a use request;
Step 2: The service authentication layer performs privacy authentication at the specific service level according to the user's use request;
Step 3: The use request that passes service authentication layer authentication is transferred to the user privacy authentication layer;
Step 4: The user privacy authentication layer initiates the integrated service authentication, so that the integrated service authentication layer performs privacy authentication at the level of the user-service usage agreement, according to the service authentication layer authentication result and the use request;
Step 5: The use request that passes integrated service authentication layer authentication enters the user privacy authentication layer if it has not been determined to have met the privacy condition;
Step 6: The user privacy authentication layer performs the privacy authentication of the called user toward the service provider and of the called user toward the calling party, according to the integrated service authentication layer authentication result and the use request;
Step 7: The use request that has passed authentication is sent to the relevant service module for processing.
In step 5, if the use request that passes integrated service authentication layer authentication is determined to have met the privacy condition, the user privacy authentication layer authentication is not performed, and the use request is sent directly to the relevant service module for processing.
In step 6, the privacy authentication performed by the user privacy authentication layer includes access control for any service provider/requester, the division of time periods, and whether to notify the user when the service is used.
The detailed implementation of the present invention is described below with reference to the accompanying drawings.
Because service content keeps diversifying, the current single-module privacy authentication scheme is growing in complexity, its maintainability is declining, and it responds to change very slowly. In multi-party joint development, task partitioning is also a problem. Because privacy authentication has many facets, it needs to be divided up in a layered model, so that each role in the system takes on part of the privacy authentication function. This allows the system to adapt comprehensively to a variety of specific needs and to respond quickly and flexibly to changes in specific applications.
The present invention is directed to an architectural mode for solving privacy authentication problems comprehensively and quickly. The present invention provides an architecture for implementing privacy protection in a mobile application, including the following parts: a service authentication layer, which provides the user privacy control policy for specific services; an integrated service authentication layer, which provides the user privacy control policy related to the usage agreement between the user and the service; and a user privacy authentication layer, which provides the user privacy control policies of the called user toward the service provider and of the called user toward the calling party.
The arrangement of the architecture of the present invention is completely different from the prior art. The architectural mode of the present invention fully considers where the requirements come from and groups the problem into three layers.
The service authentication layer is directly related to the service, for example user classification and organizational structure. This part is processed first, and the party that first obtains its requirements is the service provider.
The integrated service authentication layer holds the logic related to the subscription/usage agreement. This part is not directly related to privacy, but it can be used to divide users into groups, helping the user privacy authentication layer perform finer-grained privacy authentication. The party that first obtains the requirements of this part is the operator.
The user privacy authentication layer is the core of privacy authentication. It provides the most detailed user privacy control policies of the user toward the service provider and of the called user toward the calling party, including access control for any SP/requester, the division of time periods, and whether to notify the user when the service is used. This is the last step performed, and its execution logic depends on the results of the first two steps. The party that first obtains the requirements of this part is the service engine.
FIG. 5 is a schematic diagram of one privacy authentication mode of the present invention. When a user uses a service that requires privacy authentication, the privacy authentication flow proceeds as follows:
Step 1: The user initiates a use request;
Step 2: The service authentication layer (SERVICE_AUTH) performs privacy authentication at the specific service level according to the user's use request;
Step 3: The use request that passes service authentication layer authentication is transferred to the integrated service authentication layer (INTEGRATED_SERVICE_AUTH);
Step 4: The integrated service authentication layer performs privacy authentication at the level of the user-service usage agreement, according to the service authentication layer authentication result and the use request;
Step 5: The use request that passes integrated service authentication layer authentication enters the user privacy authentication layer (USER_PRIVACY_AUTH);
Step 6: The user privacy authentication layer performs the privacy authentication of the called user toward the service provider and of the called user toward the calling party, according to the integrated service authentication layer authentication result and the use request;
Step 7: The use request that has passed authentication is sent to the relevant service module for processing.
FIG. 6 is a schematic diagram of another privacy authentication mode of the present invention. When a user uses a service that requires privacy authentication, the privacy authentication flow proceeds as follows:
Step 1: The user initiates a use request;
Step 2: The service authentication layer performs privacy authentication at the specific service level according to the user's use request;
Step 3: The use request that passes service authentication layer authentication is transferred to user privacy authentication;
Step 4: The user privacy authentication layer initiates the integrated service authentication, and the integrated service authentication layer performs privacy authentication at the level of the user-service usage agreement, according to the service authentication layer authentication result and the use request;
Step 5: The use request that passes the integrated service authentication layer enters the user privacy authentication layer;
Step 6: The user privacy authentication layer performs the privacy authentication of the called user toward the service provider and of the called user toward the calling party, according to the integrated service authentication layer authentication result and the use request;
Step 7: The use request that has passed authentication is sent to the relevant service module for processing.
The difference between the two modes of FIG. 5 and FIG. 6 lies in who initiates the integrated service authentication: in FIG. 5 it is initiated directly by the service authentication layer, and in FIG. 6 it is initiated by the user privacy authentication layer. The mode can be chosen flexibly according to the trust relationships.
Authentication related to a specific service, such as user grouping and organizational structure, is handled in the service authentication layer. Authentication related to the user/service usage agreement, such as matching of the subscription relationship, is implemented in the integrated service authentication layer. Authentication related to the trust relationships between user and user, and between user and service provider, is handled in the user privacy authentication layer.
Whether each of these three layers takes effect can be flexibly configured, so that some layers are skipped in actual use, and the order of the layers in the flow can also be adjusted. For example, in some cases the privacy condition can be considered satisfied once the integrated service authentication passes, so the user privacy authentication layer can be skipped. In a friend-finding service in a virtual community, for instance, once both parties have passed service authentication and integrated service authentication they can be considered to trust each other, and the service can be executed immediately without user privacy authentication.
The implementation of the technical solution is described in further detail below through two specific service cases, with reference to FIG. 7 and FIG. 8. Both embodiments use the mode described in FIG. 6, because in the existing network the integrated service authentication trusts the user privacy authentication but does not trust the service authentication.
[First Embodiment] Friend-making application in a virtual community
Requirement characteristics: users in the community trust each other, and their mutual relationships are controlled by the service authentication layer; the user privacy authentication layer does not need to impose strict constraints.
Solution implementation: In the integrated service authentication layer, an attribute flag is added to the positioning service to indicate whether it is a community-type application. When applying for the service, the SP (service provider) must fill in an additional attribute of the service indicating whether the service is a community-type service; this attribute is stored in the database. During subscription and use, the integrated service authentication layer evaluates this attribute and returns the authentication result to the user privacy authentication layer, and the user privacy authentication layer no longer performs privacy authentication for community-type services.
FIG. 7 is a flowchart of the short-message mode of the service subscription process of the first embodiment. The main steps include:
1. The user sends a subscription request to the integrated service authentication layer;
2. The integrated service authentication layer determines whether the request is for a community-type service;
3. If the integrated service authentication layer returns success, the subscription relationship is generated.
Normally, subscribing to a positioning service requires the user privacy authentication layer to take part, in order to determine whether a trust relationship exists between the calling and called parties and so ensure that user privacy authentication can pass at the time of use. In this application, however, users in the same community all trust one another, so user privacy authentication is unnecessary and this step can be skipped.
FIG. 8 is a flowchart of the short-message mode of the service usage process of the first embodiment. When the service authentication layer sends a positioning request to the user privacy authentication layer, the user privacy authentication layer sends an authentication request to the integrated service authentication layer, which has to check the users' subscription relationships. The main steps include:
1. The user issues a use request;
2. The service authentication layer performs service-related privacy authentication on the user request;
3. When service authentication layer authentication passes, the request is sent to the user privacy authentication layer;
4. The user privacy authentication layer forwards the request to the integrated service authentication layer (the request is relayed by the user privacy authentication layer because the service authentication layer is not trusted);
5. The integrated service authentication layer uses the service ID in the request sent by the user privacy authentication layer to determine whether the service is a community-type service; if so, it determines whether both the calling user and the called user have subscribed to this service, and then delivers the result to the user privacy authentication layer;
6. After the user privacy authentication layer obtains the integrated service authentication layer authentication result, it decides according to the service attribute whether to perform user privacy authentication. If the service is a community-type service and integrated service authentication layer authentication succeeded, the user privacy authentication layer is skipped and the positioning process is entered directly.
[Second Embodiment] Enterprise positioning application for tracking vehicle usage
Requirement characteristics: users within the enterprise application trust each other, and their mutual relationships are controlled by the service authentication layer, but the application is time-dependent: during working hours user privacy authentication imposes no constraint, while in other periods user privacy authentication remains in effect.
The specific implementation flow is as follows.
Preconditions:
1. The service authentication layer implements a set of user management logic and a user authentication flow;
2. The integrated service authentication layer generates, in batch, the subscription relationships to the application for the enterprise;
3. The service authentication layer establishes a set of user information for the enterprise and sets the logical relationships.
Privacy authentication execution steps:
1. The service authentication layer processes the user positioning request according to the user authentication of its application;
2. If service authentication passes, the user positioning request is sent to the user privacy authentication layer;
3. The user privacy authentication layer sends an authentication request to the integrated service authentication layer, and the integrated service authentication layer authenticates the subscription relationships of the calling and called parties to the service (to pass, the service type must be "enterprise application" and both the calling and called parties must have subscribed to this service);
4. The user privacy authentication layer determines from the integrated service authentication layer authentication result whether the service is an enterprise application. If the result indicates an enterprise application and the application is configured not to perform user privacy authentication layer privacy authentication, the positioning process starts immediately. If the result indicates an enterprise application and the application is configured to perform user privacy authentication layer privacy authentication, whether to start the positioning process is decided by the user privacy authentication result.
With the layered mode of the present invention, compared with the existing single-module technology, the logic is much clearer, module complexity is greatly reduced and maintainability is improved. Because the structure is clear, requirements can be implemented explicitly, which improves development efficiency and code stability. In multi-party cooperative development, the layered approach also makes it easy to divide tasks and develop in parallel, thereby safeguarding the schedule.
The above are only preferred embodiments of the present invention and are not intended to limit the present invention; for those skilled in the art, the present invention may have various modifications and changes. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
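The FIG. 6 flow and the two embodiments above, sketched as an added Python example that is not part of the patent text. The data model (`Request`, `Service`, `PrivacyPolicy`), the "generic" service kind, denying by default when a called user has no policy, and modelling the enterprise "no user privacy authentication" configuration as a working-hours window are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import time

@dataclass(frozen=True)
class Request:
    caller: str       # party asking for the location
    callee: str       # called user whose location is requested
    service_id: str
    at: time          # time of day of the request

@dataclass
class Service:
    kind: str                 # "community", "enterprise" or "generic" (assumed names)
    members: set              # users accepted by the SP's own user management
    subscribers: set          # users holding a subscription at the operator
    work_hours: tuple = None  # enterprise: (start, end) window without privacy check

@dataclass
class PrivacyPolicy:          # kept per called user (assumed shape)
    allowed_callers: set = field(default_factory=set)
    allowed_hours: tuple = (time(0, 0), time(23, 59, 59))
    notify: bool = False

def in_window(t, window):
    return window[0] <= t <= window[1]

def service_auth(req, services):
    """Service authentication layer: the SP's service-specific user/group check."""
    svc = services.get(req.service_id)
    return svc is not None and {req.caller, req.callee} <= svc.members

def integrated_service_auth(req, services):
    """Integrated service authentication layer: both parties must have subscribed.
    Returns (passed, service kind) so the caller can decide about skipping."""
    svc = services.get(req.service_id)
    if svc is None:
        return False, None
    return {req.caller, req.callee} <= svc.subscribers, svc.kind

def user_privacy_auth(req, services, policies):
    """User privacy authentication layer. As in FIG. 6 it initiates the integrated
    check itself instead of trusting a result relayed by the SP-run layer."""
    passed, kind = integrated_service_auth(req, services)
    if not passed:
        return False, "integrated service authentication failed"
    svc = services[req.service_id]
    if kind == "community":
        return True, "community service: user privacy check skipped"
    if kind == "enterprise" and svc.work_hours and in_window(req.at, svc.work_hours):
        return True, "enterprise service in working hours: user privacy check skipped"
    policy = policies.get(req.callee)
    if policy is None or req.caller not in policy.allowed_callers:
        return False, "caller not allowed by called user"   # default deny
    if not in_window(req.at, policy.allowed_hours):
        return False, "outside the called user's allowed period"
    return True, "allowed by called user" + (", notify user" if policy.notify else "")

def authorize(req, services, policies):
    """Full FIG. 6 chain: service layer, then user privacy layer (which calls
    the integrated layer). Returns (allowed, reason)."""
    if not service_auth(req, services):
        return False, "service authentication failed"
    return user_privacy_auth(req, services, policies)

# Constructed sample data, not taken from the patent.
SERVICES = {
    "friends": Service("community", {"alice", "bob", "carol"}, {"alice", "bob"}),
    "fleet": Service("enterprise", {"dispatch", "driver"}, {"dispatch", "driver"},
                     work_hours=(time(9, 0), time(18, 0))),
}
POLICIES = {"driver": PrivacyPolicy(allowed_callers=set())}  # driver allows nobody

if __name__ == "__main__":
    for r in (Request("alice", "bob", "friends", time(21, 0)),
              Request("alice", "carol", "friends", time(21, 0)),
              Request("dispatch", "driver", "fleet", time(10, 30)),
              Request("dispatch", "driver", "fleet", time(20, 0)),
              Request("dave", "bob", "friends", time(12, 0))):
        print(r, "->", authorize(r, SERVICES, POLICIES))
```

Skipping the user privacy layer removes the called user's own veto for that service, so the community flag and the working-hours window deserve the same review as any other authorization bypass.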

Claims

1. An architecture for implementing privacy protection in a mobile application, characterized in that privacy authentication is arranged in distributed layers, comprising:
a service authentication layer, used to provide user privacy control for specific services and to authenticate the legitimacy of specific services;
an integrated service authentication layer, used to provide user privacy control related to the usage agreement between the user and the service;
a user privacy authentication layer, used to provide user privacy control of the called user toward the service provider and of the called user toward the calling party.
2. The architecture according to claim 1, wherein the user privacy control performed by the user privacy authentication layer includes access control for any service provider/requester, the division of time periods, and whether to notify the user when the service is used.
3. The architecture according to claim 1, wherein when the authentication of the service authentication layer passes, the authentication of the integrated service authentication layer is entered.
4. The architecture according to claim 1 or 3, wherein when the authentication of the integrated service authentication layer passes, if the privacy condition is determined to have been met, the privacy protection process is complete; otherwise, the authentication of the user privacy authentication layer is entered.
5. A method for implementing privacy protection in a mobile application, characterized in that privacy authentication is processed in a distributed manner, comprising the following steps:
Step 1: The user initiates a use request;
Step 2: The service authentication layer performs privacy authentication at the specific service level according to the user's use request;
Step 3: The use request that passes the service authentication layer authentication is transferred to the integrated service authentication layer;
Step 4: The integrated service authentication layer performs privacy authentication at the level of the user-service usage agreement, according to the service authentication layer authentication result and the use request;
Step 5: The use request that passes the integrated service authentication layer authentication enters the user privacy authentication layer if it has not been determined to have met the privacy condition;
Step 6: The user privacy authentication layer performs the privacy authentication of the called user toward the service provider and of the called user toward the calling party, according to the integrated service authentication layer authentication result and the use request;
Step 7: The use request that has passed authentication is sent to the relevant service module for processing.
6. The method according to claim 5, wherein in step 5, if the use request that passes the integrated service authentication layer authentication is determined to have met the privacy condition, the authentication of the user privacy authentication layer is not performed, and the use request is sent directly to the relevant service module for processing.
7. The method according to claim 5, wherein in step 6, the privacy authentication performed by the user privacy authentication layer includes access control for any service provider/requester, the division of time periods, and whether to notify the user when the service is used.
8. A method for implementing privacy protection in a mobile application, characterized in that privacy authentication is processed in a distributed manner, comprising the following steps:
Step 1: The user initiates a use request;
Step 2: The service authentication layer performs privacy authentication at the specific service level according to the user's use request;
Step 3: The use request that passes the service authentication layer authentication is transferred to the user privacy authentication layer;
Step 4: The user privacy authentication layer initiates the integrated service authentication, so that the integrated service authentication layer performs privacy authentication at the level of the user-service usage agreement, according to the service authentication layer authentication result and the use request;
Step 5: The use request that passes the integrated service authentication layer authentication enters the user privacy authentication layer if it has not been determined to have met the privacy condition;
Step 6: The user privacy authentication layer performs the privacy authentication of the called user toward the service provider and of the called user toward the calling party, according to the integrated service authentication layer authentication result and the use request;
Step 7: The use request that has passed authentication is sent to the relevant service module for processing.
9. The method according to claim 8, characterized in that, in step 5, if the use request that has passed authentication by the integrated service authentication layer is determined to already satisfy the privacy conditions, authentication by the user privacy authentication layer is not performed and the use request is sent directly to the relevant service module for processing.
10. The method according to claim 8, characterized in that, in step 6, the privacy authentication performed by the user privacy authentication layer includes access control for any service provider/requester, division into time periods, and whether to notify the user when the service is used.
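The layered flow of claims 8 to 10 can be modelled as a deny-by-default authorization pipeline; the sketch below is an added example, not code from the patent or from ZTE. All names (`Request`, `CalleePolicy`, `authorize`, the `privacy_satisfied` key, the decision strings) are hypothetical, and returning no notification on the skip path is an assumption the claims do not settle.

```python
from dataclasses import dataclass
from datetime import time

@dataclass
class Request:            # constructed model of a "use request"
    caller: str
    callee: str
    provider: str
    service: str
    at: time

@dataclass
class CalleePolicy:       # claim 10: access control, time periods, notify flag
    allowed_providers: set
    blocked_callers: set
    window: tuple         # (start, end) during which requests are accepted
    notify: bool = True

def service_layer(req, enabled_services):
    # Step 2: privacy check at the level of the specific service.
    return req.service in enabled_services

def integrated_layer(req, agreements):
    # Step 4: user/service usage agreement check.
    # Returns (passed, privacy_condition_already_met).
    terms = agreements.get((req.callee, req.service))
    if terms is None:
        return False, False
    return True, bool(terms.get("privacy_satisfied", False))

def user_privacy_layer(req, policy):
    # Step 6: callee-vs-provider and callee-vs-caller checks.
    if req.provider not in policy.allowed_providers:
        return False
    if req.caller in policy.blocked_callers:
        return False
    start, end = policy.window
    return start <= req.at <= end

def authorize(req, enabled_services, agreements, policies):
    """Return (decision, notify_callee); every layer denies by default."""
    if not service_layer(req, enabled_services):
        return "deny:service", False
    passed, satisfied = integrated_layer(req, agreements)
    if not passed:
        return "deny:agreement", False
    if satisfied:         # claim 9: skip the user privacy layer
        return "allow:user-layer-skipped", False  # no notification: assumption
    policy = policies.get(req.callee)
    if policy is None or not user_privacy_layer(req, policy):
        return "deny:user-privacy", False
    return "allow", policy.notify   # Step 7: hand over to the service module
```

The skip path of claim 9 bypasses the callee's own block list and time window, so whatever sets the "privacy condition met" flag in the agreement data carries the full trust of the user privacy layer.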
PCT/CN2006/002726 2005-11-01 2006-10-17 Structure and method of realizing privacy protection in mobile application WO2007051394A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNA2005100951351A CN1960559A (en) 2005-11-01 2005-11-01 Architecture and method in use for implementing privacy protection in mobile application
CN200510095135.1 2005-11-01

Publications (1)

Publication Number Publication Date
WO2007051394A1 (en) 2007-05-10

Family

ID=38005437

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/002726 WO2007051394A1 (en) 2005-11-01 2006-10-17 Structure and method of realizing privacy protection in mobile application

Country Status (2)

Country Link
CN (1) CN1960559A (en)
WO (1) WO2007051394A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9215548B2 (en) 2010-09-22 2015-12-15 Ncc Group Security Services, Inc. Methods and systems for rating privacy risk of applications for smart phones and other mobile platforms

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002001827A2 (en) * 2000-06-26 2002-01-03 Intel Corporation Establishing network security using internet protocol security policies
CN1452735A (en) * 2000-05-19 2003-10-29 网景通信公司 Adaptive multi-tier authentication system

Also Published As

Publication number Publication date
CN1960559A (en) 2007-05-09

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06804945

Country of ref document: EP

Kind code of ref document: A1