
WO2010127539A1 - Method and system for authenticating accessing to stream media service - Google Patents


Info

Publication number
WO2010127539A1
Authority
WO
WIPO (PCT)
Prior art keywords
certificate
mobile terminal
request packet
authentication request
random number
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2009/075256
Other languages
French (fr)
Chinese (zh)
Inventor
惠毅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp
Publication of WO2010127539A1


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06: Authentication
    • H04W 12/069: Authentication using certificates or pre-shared keys

Definitions

  • The present invention relates to the field of mobile communications, and in particular to a method and system for access authentication of a streaming media service.
  • Background: mobile terminals now support not only traditional voice calls but also business functions, entertainment functions and industry applications.
  • Mobile streaming media services can carry industry and business applications such as live information broadcasts, technical lectures, and education and training, and have become a focus of the industry.
  • With a streaming media service platform deployed in a wireless local area network, the user accesses the platform through the streaming media live client on the mobile terminal, obtains streaming media data and uses the service.
  • The first step of a mobile terminal accessing the streaming media service platform is authenticating the mobile terminal. In the existing platform, authentication of terminals accessing over the wireless local area network is weak and cannot effectively prevent illegitimate terminals from accessing the platform over the WLAN.
  • The technical problem solved by the invention is to overcome these deficiencies and provide a streaming media service access authentication method and system with improved access security, so that a legitimate mobile terminal can securely access the media service platform over a wireless local area network.
  • The method includes: after receiving the access authentication request packet sent by the mobile terminal, the access point (AP) of the streaming media service platform places the mobile terminal certificate contained in that packet into a certificate authentication request packet and sends it to the authentication server of the platform, which performs certificate verification;
  • when the certificate verification result is that the mobile terminal certificate is a legal certificate, the AP generates a random number N2 and sends it to the mobile terminal;
  • the mobile terminal encrypts the random number N2 using the private key of the mobile terminal certificate (that is, signs it), producing the signature value of the mobile terminal, and sends that signature value to the AP;
  • the AP decrypts the signature value with the public key of the mobile terminal certificate; when the decrypted result equals the random number N2, the mobile terminal is allowed to access the streaming media service platform through the AP.
  • The certificate authentication request packet may further include an AP certificate. The authentication server then also verifies the AP certificate and sends the certificate verification result, together with the authentication server's signature, to the mobile terminal through the AP;
  • the mobile terminal determines from the received certificate verification result and the authentication server's signature whether the AP certificate is a legal certificate, and only when it is does it access the streaming media service platform through the AP.
  • Accessing the platform through the AP further includes: after determining that the AP certificate is legal, the mobile terminal generates a random number N1 and sends it to the AP;
  • the AP encrypts the random number N1 with the private key of the AP certificate, producing the AP's signature value, and sends that signature value to the mobile terminal;
  • the mobile terminal decrypts the AP's signature value with the public key of the AP certificate and accesses the streaming media service platform through the AP when the decrypted result equals the random number N1.
  • The access authentication request packet may further include the current system time. The AP then determines from the current system time contained in the packet whether the packet is a repeatedly sent (replayed) packet, and sends the certificate authentication request packet to the authentication server only when it is not.
  • The certificate authentication request packet may likewise include the current system time. The authentication server determines from it whether the certificate authentication request packet is a repeatedly sent packet, and performs the certificate verification only when it is not.
  • The invention also provides an access authentication system for a streaming media service, comprising a mobile terminal and a streaming media service platform; the platform comprises an AP and an authentication server. The authentication server is configured to verify the certificate contained in the certificate authentication request packet sent by the AP and to send the certificate verification result to the AP.
  • The AP is configured, after receiving the access authentication request packet sent by the mobile terminal, to place the mobile terminal certificate contained in it into a certificate authentication request packet and send that packet to the authentication server; when the verification result is that the mobile terminal certificate is legal, to generate a random number N2 and send it to the mobile terminal; and to decrypt the mobile terminal's signature value with the public key of the mobile terminal certificate and, when the decrypted result equals N2, allow the mobile terminal to access the platform through the AP.
  • The mobile terminal is configured to encrypt the random number N2 with the private key of the mobile terminal certificate, producing the mobile terminal's signature value, and send it to the AP.
  • Where the certificate authentication request packet also includes the AP certificate, the authentication server is further configured to verify the AP certificate and send the verification result and its signature to the mobile terminal through the AP, and the mobile terminal is further configured to determine from that result and signature whether the AP certificate is legal and, when it is, to access the platform through the AP.
  • The mobile terminal is further configured to generate a random number N1 and send it to the AP; the AP is further configured to encrypt N1 with the private key of the AP certificate, producing the AP's signature value, and send it to the mobile terminal; the mobile terminal is further configured to decrypt the AP's signature value with the public key of the AP certificate and access the platform through the AP when the result equals N1.
  • Where the access authentication request packet includes the current system time, the AP is further configured to determine from it whether the packet is a repeatedly sent packet and to send the certificate authentication request packet to the authentication server only when it is not.
  • Where the certificate authentication request packet includes the current system time, the authentication server is further configured to determine from it whether that packet is a repeatedly sent packet and to perform the certificate verification only when it is not.
  • With the method and system of the invention, only a mobile terminal holding a legal certificate can access the streaming media service platform, which prevents illegitimate mobile terminals from accessing the platform, compromising system security and consuming network resources. It protects the security and quality of service of the streaming media service for legitimate terminals and the interests of the streaming service provider.
  • The method and system also prevent the mobile terminal from attaching to an illegitimate AP and leaking information.
  • FIG. 1 is a flowchart of the access authentication method for a streaming media service according to an embodiment of the present invention.
  • FIG. 2 is a schematic structural diagram of the access authentication system for a streaming media service according to an embodiment of the present invention.
  • The Wireless LAN Authentication and Privacy Infrastructure (WAPI) was proposed in response to the security problems of the Wired Equivalent Privacy (WEP) protocol of IEEE 802.11, which have been repeatedly demonstrated by multiple parties.
  • The present invention applies the WAPI technical idea to access authentication for the streaming media service in order to remedy the poor access security of the existing streaming media service platform.
  • As shown in FIG. 1, the method includes the following steps:
  • Step 101: The mobile terminal starts the streaming media service and sends an access authentication request packet to an access point (AP) of the streaming media service platform.
  • The access authentication request packet contains the mobile terminal certificate and may additionally contain the current system time of the mobile terminal.
  • The mobile terminal certificate is issued by the authentication server (AS) of the streaming media service platform and may be an X.509 v3 certificate or a GBW certificate (the WAPI national-standard certificate format); it contains the public key of the mobile terminal and the identity information of the mobile terminal. The public key of the mobile terminal is the public key of the mobile terminal certificate.
  • Including the current system time in the access authentication request packet prevents an illegitimate terminal from replaying an access authentication request packet previously sent by a legitimate terminal to the AP.
  • Step 102: After receiving the access authentication request packet, the AP determines from the current system time contained in it whether the packet is a repeatedly sent packet. If it is not, the AP saves the mobile terminal certificate contained in the packet and sends a certificate authentication request packet to the AS; if it is, the AP discards the access authentication request packet and the procedure ends.
  • A repeatedly sent packet here is an access authentication request packet that was previously intercepted by an illegitimate terminal and is now being resent.
  • The certificate authentication request packet contains the mobile terminal certificate, the AP certificate and the AP's signature, and may additionally contain the AP's current system time.
  • The AP certificate is issued by the AS and may be an X.509 v3 certificate or a GBW certificate; it contains the public key of the AP and the identity information of the AP. The public key of the AP is the public key of the AP certificate.
  • Including the system time in the certificate authentication request packet prevents an illegitimate AP (or an illegitimate terminal) from replaying a certificate authentication request packet previously sent by a legitimate AP to the AS.
  • Step 103: After receiving the certificate authentication request packet, the AS determines from the current system time contained in it whether the packet is a repeatedly sent packet. If it is not, the AS verifies the mobile terminal certificate, the AP certificate and the AP's signature contained in the packet; if it is, the AS discards the certificate authentication request packet and the procedure ends.
  • A repeatedly sent packet here is a certificate authentication request packet previously intercepted by an illegitimate AP or illegitimate terminal.
  • The AS verifies the AP's signature with the public key of the AP certificate.
  • The AS's verification of the mobile terminal certificate and the AP certificate includes checking whether the certificate has been revoked and whether it has expired; for the specific verification procedure see RFC 3280.
  • Step 104: If the AS finds that the mobile terminal certificate and the AP certificate are both valid certificates and the AP's signature is correct, it sends the AP a certificate authentication response packet containing the certificate verification result and the AS's signature, the verification result being that the mobile terminal certificate is a legal certificate and the AP certificate is a legal certificate; otherwise the AS discards the certificate authentication request packet and the procedure ends.
  • Step 105: After receiving the certificate authentication response packet, the AP verifies the AS's signature. If the signature is incorrect, the response packet is discarded and the procedure ends. If the AS's signature is valid and the mobile terminal certificate is legal, the AP sends the mobile terminal an access authentication response packet containing the AP certificate, the certificate verification result and the AS's signature; if the mobile terminal certificate is invalid, the AP discards the certificate authentication response packet and the procedure ends.
  • Step 106: After receiving the access authentication response packet, the mobile terminal determines from the AS's signature and the certificate verification result contained in it whether the AP certificate is a valid certificate. If it is, the subsequent steps are performed; if not, the procedure ends.
  • Through steps 101 to 106 the mobile terminal and the AP have each had the other's certificate verified by the AS. In the following steps they further verify that the other party actually holds the private key belonging to that certificate, that is, is the certificate's legitimate owner.
  • Step 107: The mobile terminal sends the AP a private key verification request packet containing a random number N1 generated by the mobile terminal, asking the AP to sign N1, so as to verify whether the AP holds the private key of the AP certificate, that is, whether the AP is the legitimate owner of the AP certificate.
  • Signing here means encrypting the random number with the private key of the AP certificate to produce a ciphertext; that ciphertext is the signature value corresponding to N1.
  • Step 108: After receiving the private key verification request packet, the AP encrypts the random number N1 contained in it with the private key of the AP certificate and sends the mobile terminal a private key verification response packet containing the signature value corresponding to N1 and a random number N2 generated by the AP.
  • Step 109: After receiving the private key verification response packet, the mobile terminal decrypts the signature value with the public key of the AP certificate and compares the result with N1. If they are equal, the AP holds the private key of the AP certificate and is its legitimate owner; if not, the AP does not hold that private key and is not the legitimate owner of the AP certificate.
  • Step 110: The mobile terminal encrypts the random number N2 with the private key of the mobile terminal certificate and sends the AP a private key verification acknowledgement packet containing the signature value corresponding to N2.
  • Step 111: After receiving the private key verification acknowledgement packet, the AP decrypts the signature value with the public key of the mobile terminal certificate and compares the result with N2. If they are equal, the mobile terminal holds the private key of the mobile terminal certificate and is its legitimate owner; if not, the mobile terminal does not hold that private key and is not the legitimate owner of the mobile terminal certificate.
  • Step 112: If the mobile terminal has determined that the AP is the legitimate owner of the AP certificate and the AP has determined that the mobile terminal is the legitimate owner of the mobile terminal certificate, the mobile terminal accesses the streaming media service platform through the AP and exchanges streaming media signalling and data; otherwise access fails.
  • In the above procedure the mobile terminal and the AP of the streaming media service platform perform two-way access authentication: the mobile terminal has the AS verify the validity of the AP certificate and uses the public key of the AP certificate to verify that the AP is the certificate's legitimate owner, while the AP has the AS verify the validity of the mobile terminal certificate and uses the public key of that certificate to verify that the mobile terminal is its legitimate owner.
  • In a simpler variant in which the AP is not authenticated to the terminal, the certificate verification result and the AS's signature need not be included in the packet of step 105, step 106 can be omitted, and the mobile terminal need not send the random number N1 to the AP.
  • FIG. 2 shows the access authentication system of the streaming media service, which comprises a mobile terminal and a streaming media service platform; the streaming media service platform comprises an AP and an AS.
  • The AS is configured, after receiving the certificate authentication request packet sent by the AP, to verify the certificate contained in it and send the certificate verification result to the AP.
  • The AP is configured, after receiving the access authentication request packet sent by the mobile terminal, to place the mobile terminal certificate contained in it into a certificate authentication request packet and send that packet to the AS; when the verification result is that the mobile terminal certificate is legal, to generate a random number N2 and send it to the mobile terminal; and to decrypt the mobile terminal's signature value with the public key of the mobile terminal certificate and, when the decrypted result equals N2, allow the mobile terminal to access the streaming media service platform through the AP.
  • The mobile terminal is configured to encrypt the random number N2 with the private key of the mobile terminal certificate, producing the mobile terminal's signature value, and send it to the AP.
  • The certificate authentication request packet may also include the AP certificate; correspondingly, the AS is further configured to verify the AP certificate and send the verification result and its signature to the mobile terminal through the AP, and the mobile terminal is further configured to determine from the received certificate verification result and the AS's signature whether the AP certificate is legal and, when it is, to access the streaming media service platform through the AP.
  • The mobile terminal is further configured to generate a random number N1 and send it to the AP; correspondingly, the AP is further configured to encrypt N1 with the private key of the AP certificate, producing the AP's signature value, and send it to the mobile terminal; and the mobile terminal is further configured to decrypt the AP's signature value with the public key of the AP certificate and access the streaming media service platform through the AP when the decrypted result equals N1.
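The certificate checks of step 103 (issuer, validity period, revocation, in the manner of RFC 3280 path validation) are the core of what the AS does. The following is an added Go example written for this page, not code from the patent or from ZTE. It assumes X.509 v3 certificates on ECDSA P-256 keys (the patent also allows GBW certificates), an AS that is its own root CA, and a set of revoked serial numbers in place of a CRL; the names AuthServer, Issue, Revoke, VerifyCert and newKey are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AuthServer models the AS: as in the patent it issues the terminal and AP certificates
// and later verifies them. Revocation is a set of serial numbers standing in for a CRL (an assumption).
type AuthServer struct {
	key     *ecdsa.PrivateKey
	Cert    *x509.Certificate
	revoked map[string]bool
	nextSN  int64
}

// newKey makes a P-256 key pair (the patent does not fix the algorithm).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func (as *AuthServer) sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, as.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewAuthServer creates the AS with a self-signed CA certificate.
func NewAuthServer() (*AuthServer, error) {
	as := &AuthServer{key: newKey(), revoked: map[string]bool{}, nextSN: 2}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "streaming-platform-AS"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	var err error
	as.Cert, err = as.sign(tmpl, tmpl, &as.key.PublicKey)
	return as, err
}

// Issue signs a terminal or AP certificate valid for lifetime from now; only the subject's public key goes in.
func (as *AuthServer) Issue(cn string, pub *ecdsa.PublicKey, lifetime time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(as.nextSN),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	as.nextSN++
	return as.sign(tmpl, as.Cert, pub)
}

func (as *AuthServer) Revoke(c *x509.Certificate) { as.revoked[c.SerialNumber.String()] = true }

// VerifyCert is the step-103 check on one certificate: it chains to the AS,
// is inside its validity period at time now, and has not been revoked.
func (as *AuthServer) VerifyCert(c *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(as.Cert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return err
	}
	if as.revoked[c.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	return nil
}

func main() {
	as, err := NewAuthServer()
	if err != nil {
		panic(err)
	}
	termCert, _ := as.Issue("terminal-0001", &newKey().PublicKey, time.Hour)
	fmt.Println("fresh:  ", as.VerifyCert(termCert, time.Now()))
	fmt.Println("later:  ", as.VerifyCert(termCert, time.Now().Add(2*time.Hour)))
	as.Revoke(termCert)
	fmt.Println("revoked:", as.VerifyCert(termCert, time.Now()))
}
```

VerifyCert takes the receiver's clock as a parameter so the expiry branch can be exercised without waiting: a one-hour certificate verifies now, fails two hours later, and fails after revocation. A well-formed certificate issued by a different AS fails the chain check, which is what stops an attacker who simply fabricates a certificate at step 103.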

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the present invention discloses a method and a system for access authentication of a streaming media service, in which an access point (AP) of the streaming media service platform places the mobile terminal certificate contained in the access authentication request packet into a certificate authentication request packet and sends it to an authentication server of the streaming media service platform for certificate authentication; when the result of the certificate authentication is that the mobile terminal certificate is a legal certificate, the AP generates a random number N2 and sends it to the mobile terminal; the mobile terminal encrypts the random number N2 with the private key of the mobile terminal certificate to generate the signature value of the mobile terminal and sends the signature value to the AP; the AP decrypts the signature value with the public key of the mobile terminal certificate; when the result of the decryption equals the random number N2, the mobile terminal is permitted to access the streaming media service platform through the AP. With the method and system of the present invention, a legal mobile terminal can securely access the streaming media service platform.

Description

Access authentication method and system for streaming media service

Technical field

The present invention relates to the field of mobile communications, and in particular to a method and system for access authentication of a streaming media service.

Background

With the maturing of 3G networks and the improving performance of mobile terminals, operators and users alike expect mobile terminals not only to support traditional voice calls but also to provide more business functions, entertainment functions and industry applications. Mobile streaming media, as a typical 3G application, can carry industry and business applications such as live information broadcasts, technical lectures, and education and training, and has increasingly become a focus of the industry.

By deploying a streaming media service platform in a wireless local area network, the user can access the platform through the streaming media live client on the mobile terminal, obtain streaming media data and use the streaming media service.

To ensure that access is legitimate and secure, the first step of a mobile terminal accessing the streaming media service platform is to authenticate the mobile terminal. The existing streaming media service platform, however, authenticates mobile terminals accessing over a wireless local area network only weakly, and cannot effectively prevent illegitimate terminals from accessing the platform over the WLAN.

Summary of the invention

The technical problem to be solved by the present invention is to overcome the deficiencies of the prior art and provide a streaming media service access authentication method and system that improve access security, so that a legitimate mobile terminal can securely access the media service platform through a wireless local area network.

To solve the above technical problem, the present invention provides an access authentication method for a streaming media service, the method including:

after receiving the access authentication request packet sent by the mobile terminal, the access point (AP) of the streaming media service platform places the mobile terminal certificate contained in the access authentication request packet into a certificate authentication request packet and sends it to the authentication server of the streaming media service platform, which performs certificate verification;

when the certificate verification result is that the mobile terminal certificate is a legal certificate, the AP generates a random number N2 and sends the generated random number N2 to the mobile terminal;

the mobile terminal encrypts the random number N2 using the private key of the mobile terminal certificate, generating the signature value of the mobile terminal, and sends the signature value of the mobile terminal to the AP;

the AP decrypts the signature value of the mobile terminal using the public key of the mobile terminal certificate, and when the decrypted result equals the random number N2, the mobile terminal is allowed to access the streaming media service platform through the AP.

In addition, the certificate authentication request packet further includes an AP certificate, and the method further includes:

the authentication server verifies the AP certificate and sends the certificate verification result and the signature of the authentication server to the mobile terminal through the AP;

the mobile terminal determines, from the received certificate verification result and the signature of the authentication server, whether the AP certificate is a legal certificate, and when the AP certificate is a legal certificate it accesses the streaming media service platform through the AP.

In addition, accessing the streaming media service platform through the AP further includes: after determining that the AP certificate is a legal certificate, the mobile terminal generates a random number N1 and sends the generated random number N1 to the AP;

the AP encrypts the random number N1 using the private key of the AP certificate, generating the signature value of the AP, and sends the signature value to the mobile terminal;

the mobile terminal decrypts the signature value of the AP using the public key of the AP certificate, and when the decrypted result equals the random number N1 it accesses the streaming media service platform through the AP.
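The N1/N2 exchange above (steps 107 to 111 of the detailed description) is a proof-of-possession challenge: the patent describes it as encrypting the random number with the certificate's private key and decrypting it with the public key, which in practice is a digital signature over the nonce. The following is an added Go example written for this page, not the patent's or ZTE's code. It uses ECDSA P-256 signatures and assumes both sides already hold the other's public key from a certificate the AS verified in steps 101 to 106. Going beyond the patent's text, the signed data includes the signer's role and both nonces, so a signature from one exchange or one role cannot be reused in another; the names Party, Handshake, Prove and verifyProof are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is a terminal or an AP holding the private key of its certificate.
// Certificates themselves are left out: each side is assumed to have obtained
// the other's certificate public key through the AS exchange (steps 101 to 106).
type Party struct {
	Role string // "AP" or "terminal"; folded into the signed data
	key  *ecdsa.PrivateKey
}

func NewParty(role string) *Party {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{Role: role, key: k}
}

func (p *Party) Public() *ecdsa.PublicKey { return &p.key.PublicKey }

// nonce returns 32 fresh random bytes (N1 on the terminal, N2 on the AP).
func nonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// proofDigest is what gets signed. The patent signs the bare random number; this
// example also binds the signer's role and both nonces so the signature can only
// serve as a reply in this one exchange and in this one direction.
func proofDigest(role string, n1, n2 []byte) []byte {
	h := sha256.New()
	h.Write([]byte("streaming-access-proof/" + role + "/"))
	h.Write(n1)
	h.Write(n2)
	return h.Sum(nil)
}

// Prove is the "encrypt with the certificate's private key" step: an ECDSA signature.
func (p *Party) Prove(n1, n2 []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, p.key, proofDigest(p.Role, n1, n2))
	if err != nil {
		panic(err)
	}
	return sig
}

// verifyProof is the "decrypt with the certificate's public key and compare" step.
func verifyProof(pub *ecdsa.PublicKey, role string, n1, n2, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, proofDigest(role, n1, n2), sig)
}

// Handshake runs steps 107 to 111 between a terminal and an AP. apPub and termPub
// are the public keys taken from the AP certificate and the mobile terminal
// certificate; it returns nil only if both sides proved possession of the matching private key.
func Handshake(term, ap *Party, apPub, termPub *ecdsa.PublicKey) error {
	// Step 107: terminal -> AP, private key verification request carrying N1.
	n1 := nonce()
	// Step 108: AP -> terminal, signature value for N1 together with its own N2.
	n2 := nonce()
	apSig := ap.Prove(n1, n2)
	// Step 109: terminal checks the signature with the AP certificate's public key.
	if !verifyProof(apPub, "AP", n1, n2, apSig) {
		return errors.New("AP does not hold the private key of the AP certificate")
	}
	// Step 110: terminal -> AP, signature value for N2 (N1 included for binding).
	termSig := term.Prove(n1, n2)
	// Step 111: AP checks with the mobile terminal certificate's public key.
	if !verifyProof(termPub, "terminal", n1, n2, termSig) {
		return errors.New("terminal does not hold the private key of the terminal certificate")
	}
	return nil // step 112: access allowed
}

func main() {
	term, ap := NewParty("terminal"), NewParty("AP")
	fmt.Println("genuine AP:", Handshake(term, ap, ap.Public(), term.Public()))
	rogue := NewParty("AP") // presents the real AP's certificate but lacks its private key
	fmt.Println("rogue AP:  ", Handshake(term, rogue, ap.Public(), term.Public()))
}
```

The second Handshake call models an AP that presents the genuine AP certificate but does not hold its private key: the AS would have passed that certificate at step 103, and it is only step 109 that rejects it. The same holds in the other direction for a terminal that replays a captured certificate.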

In addition, the access authentication request packet further includes the current system time, and the AP's sending of the certificate authentication request packet to the authentication server further includes:

the AP determines, from the current system time contained in the access authentication request packet, whether the access authentication request packet is a repeatedly sent packet, and sends the certificate authentication request packet to the authentication server only when it is not a repeatedly sent packet.

In addition, the certificate authentication request packet further includes the current system time, and the authentication server's certificate verification after receiving the certificate authentication request packet further includes: determining whether the certificate authentication request packet is a repeatedly sent packet, and performing the certificate verification operation only when it is not a repeatedly sent packet.
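The replay check in the two paragraphs above (steps 102 and 103 of the detailed description) relies on the current system time carried in the packet. The following is an added Go example written for this page, not code from the patent. It assumes a tolerance window of 30 seconds and keys the duplicate cache by a sender identifier and the packet's time field, neither of which the patent specifies; the names ReplayFilter and Accept are the example's own.

```go
package main

import (
	"fmt"
	"time"
)

// ReplayFilter implements the "is this a repeatedly sent packet" test that the
// AP applies in step 102 and the AS in step 103. A packet passes only if its
// system time lies within ±window of the receiver's own clock and the same
// (sender, packet time) pair has not been accepted before. Entries too old to
// pass the window check are pruned, so the cache stays bounded. The window
// size and the cache key are assumptions of this example.
type ReplayFilter struct {
	window time.Duration
	seen   map[string]time.Time // cache key -> system time claimed by the packet
}

func NewReplayFilter(window time.Duration) *ReplayFilter {
	return &ReplayFilter{window: window, seen: map[string]time.Time{}}
}

// Accept returns nil and records the packet if it is fresh. sender identifies
// the certificate in the packet (for example its serial number), packetTime is
// the packet's current system time field, and now is the receiver's clock.
func (f *ReplayFilter) Accept(sender string, packetTime, now time.Time) error {
	skew := now.Sub(packetTime)
	if skew < 0 {
		skew = -skew
	}
	if skew > f.window {
		return fmt.Errorf("packet time %s is outside ±%s of the receiver clock", packetTime.UTC().Format(time.RFC3339), f.window)
	}
	f.prune(now)
	key := sender + "|" + packetTime.UTC().Format(time.RFC3339Nano)
	if _, dup := f.seen[key]; dup {
		return fmt.Errorf("repeatedly sent packet from %s", sender)
	}
	f.seen[key] = packetTime
	return nil
}

// prune drops entries whose packet time can no longer pass the window check;
// with a receiver clock that does not go backwards, forgetting them cannot let a replay through.
func (f *ReplayFilter) prune(now time.Time) {
	for k, ts := range f.seen {
		if now.Sub(ts) > f.window {
			delete(f.seen, k)
		}
	}
}

func main() {
	ap := NewReplayFilter(30 * time.Second)
	// Constructed clock values; a real AP would pass time.Now() as now.
	t0 := time.Date(2009, 12, 1, 12, 0, 0, 0, time.UTC)
	fmt.Println(ap.Accept("terminal-0001", t0, t0))
	fmt.Println(ap.Accept("terminal-0001", t0, t0.Add(2*time.Second)))
	fmt.Println(ap.Accept("terminal-0001", t0, t0.Add(5*time.Minute)))
}
```

The time field alone only bounds how old a packet may be; a capture replayed inside the window is caught by the seen-cache, which is why both checks are needed. The check is also only as strong as the packet's binding to its sender: the certificate authentication request carries the AP's signature, whereas the access authentication request described above carries only the mobile terminal certificate and the time, so for that packet the decisive protection is the later N2 challenge rather than this filter.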

The present invention further provides an access authentication system for a streaming media service. The system comprises a mobile terminal and a streaming media service platform; the streaming media service platform comprises an AP and an authentication server, wherein the authentication server is configured to verify, after receiving a certificate authentication request packet sent by the AP, the certificate contained in that packet, and to send the certificate verification result to the AP;

the AP is configured to, after receiving an access authentication request packet sent by the mobile terminal, include the mobile terminal certificate contained in that packet in a certificate authentication request packet and send it to the authentication server for certificate verification; when the verification result is that the mobile terminal certificate is a legal certificate, to generate a random number N2 and send it to the mobile terminal; and to decrypt the mobile terminal's signature value with the public key of the mobile terminal certificate, allowing the mobile terminal to access the streaming media service platform through the AP when the decrypted result equals the random number N2;

and the mobile terminal is configured to encrypt the random number N2 with the private key of the mobile terminal certificate to generate the mobile terminal's signature value, and to send that signature value to the AP.

In addition, the certificate authentication request packet may further include the AP certificate;

the authentication server is further configured to verify the AP certificate and to send the certificate verification result together with the authentication server's signature to the mobile terminal through the AP; and the mobile terminal is further configured to determine, from the received certificate verification result and the authentication server's signature, whether the AP certificate is a legal certificate, and to access the streaming media service platform through the AP when it is.

In addition, the mobile terminal is further configured to generate a random number N1 and send it to the AP;

the AP is further configured to encrypt the random number N1 with the private key of the AP certificate to generate the AP's signature value, and to send that signature value to the mobile terminal;

and the mobile terminal is further configured to decrypt the AP's signature value with the public key of the AP certificate, and to access the streaming media service platform through the AP when the decrypted result equals the random number N1.

In addition, the access authentication request packet may further include the current system time;

the AP is further configured to determine, according to the current system time included in the access authentication request packet, whether the packet is a repeatedly sent packet, and to send the certificate authentication request packet to the authentication server only when it is not.

In addition, the certificate authentication request packet may further include the current system time; the authentication server is further configured to determine, according to the current system time included in the certificate authentication request packet, whether the packet is a repeatedly sent packet, and to perform the certificate verification only when it is not.

In summary, with the method and system of the present invention only a mobile terminal holding a legal certificate can access the streaming media service platform. This prevents illegal mobile terminals from accessing the platform, compromising system security and consuming network resources; it effectively protects the security and quality of service of the streaming media service for legal mobile terminals and protects the interests of the streaming media service provider. In addition, the method and system of the present invention prevent the information leakage caused by a mobile terminal connecting to an illegal AP.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a flowchart of the access method for a streaming media service according to an embodiment of the present invention;

Figure 2 is a schematic structural diagram of the access authentication system for a streaming media service according to an embodiment of the present invention.

DETAILED DESCRIPTION

The WLAN Authentication and Privacy Infrastructure (WAPI) is the wireless local area network (WLAN) security solution proposed in the Chinese national WLAN standard GB 15629.11. It was developed in response to the security problems of the Wired Equivalent Privacy (WEP) protocol of IEEE 802.11, after repeated demonstration by many parties and with full consideration of the various application modes. The present invention applies the technical ideas of WAPI to the access authentication of streaming media services, to overcome the poor access security of existing streaming media service platforms.

The present invention is described in detail below with reference to the drawings and embodiments.

Figure 1 is a flowchart of the access method for a streaming media service according to an embodiment of the present invention. As shown in Figure 1, the method includes the following steps:

Step 101: The mobile terminal starts a streaming media service and sends an access authentication request packet to the access point (AP) of the streaming media service platform.

The access authentication request packet contains the mobile terminal certificate; in addition, the packet may also contain the mobile terminal's current system time.

The mobile terminal certificate is issued by the authentication server (AS) of the streaming media service platform and may be an X.509 v3 certificate or a GBW (Chinese national standard) certificate. The mobile terminal certificate contains the mobile terminal's public key and identity information; the mobile terminal's public key is the public key of the mobile terminal certificate.

The purpose of including the current system time in the access authentication request packet is to prevent an illegal terminal from replaying to the AP an access authentication request packet previously sent by a legal terminal.

Step 102: After receiving the access authentication request packet, the AP determines from the current system time contained in the packet whether it is a repeatedly sent packet. If it is not, the AP stores the mobile terminal certificate contained in the packet and sends a certificate authentication request packet to the AS; if it is, the AP discards the access authentication request packet and the process ends. A repeatedly sent packet here means an access authentication request packet that an illegal terminal previously intercepted.

The certificate authentication request packet contains the mobile terminal certificate, the AP certificate and the AP's signature; in addition, it may also contain the AP's current system time.

The AP certificate is issued by the AS and may be an X.509 v3 certificate or a GBW certificate; it contains the AP's public key and identity information. The AP's public key is the public key of the AP certificate.

The purpose of including the system time in the certificate authentication request packet is to prevent an illegal AP from replaying to the AS a certificate authentication request packet previously sent by a legal AP. Here the illegal AP is: ... or an illegal terminal.

Step 103: After receiving the certificate authentication request packet, the AS determines from the current system time contained in the packet whether it is a repeatedly sent packet. If it is not, the AS verifies the mobile terminal certificate, the AP certificate and the AP's signature contained in the packet; if it is, the AS discards the certificate authentication request packet and the process ends. A repeatedly sent packet here means a certificate authentication request packet that an illegal AP or illegal terminal previously intercepted.

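One way an AP (step 102) or the AS (step 103) can implement the "repeatedly sent packet" decision, written here as an added example rather than code from the patent. The timestamp carried in the packet is compared against the receiver's clock, which bounds how long an intercepted packet remains usable; because a timestamp alone cannot distinguish a replay from the original inside that window, the filter also remembers the (sender, timestamp) pairs it has accepted until they age out. The 30-second window, the `Packet` shape and the sender names are constructed for the example; in the patent's flow the sender identity would come from the certificate carried in the packet.

```go
package main

import (
	"sync"
	"time"
)

// ReplayFilter decides whether a packet carrying its sender's system time is
// a repeatedly sent packet (steps 102 and 103 of the method).
type ReplayFilter struct {
	mu     sync.Mutex
	window time.Duration
	seen   map[string]time.Time // accepted "sender|timestamp" -> timestamp
}

// NewReplayFilter accepts packets whose timestamp lies within +/-window of
// the receiver's clock; anything older or further in the future is dropped.
func NewReplayFilter(window time.Duration) *ReplayFilter {
	return &ReplayFilter{window: window, seen: make(map[string]time.Time)}
}

// Accept reports whether a packet from sender (the identity in its certificate)
// carrying timestamp ts should be processed, judged against the receiver's
// clock now. Taking now as a parameter keeps the decision deterministic.
func (f *ReplayFilter) Accept(sender string, ts, now time.Time) bool {
	f.mu.Lock()
	defer f.mu.Unlock()
	// Freshness: stale packets and packets from the far future are dropped.
	if ts.Before(now.Add(-f.window)) || ts.After(now.Add(f.window)) {
		return false
	}
	// Entries that could no longer pass the freshness check are forgotten,
	// so the seen-set stays bounded by the traffic inside one window.
	for k, t := range f.seen {
		if t.Before(now.Add(-f.window)) {
			delete(f.seen, k)
		}
	}
	key := sender + "|" + ts.UTC().Format(time.RFC3339Nano)
	if _, dup := f.seen[key]; dup {
		return false // same sender, same timestamp: an intercepted packet sent again
	}
	f.seen[key] = ts
	return true
}

// Packet is a constructed stand-in for the request packets: only the fields
// the filter looks at, plus the receiver's clock reading when it arrived.
type Packet struct {
	Sender   string
	Time     time.Time // system time written into the packet by the sender
	Received time.Time // receiver's clock on arrival
}

// FilterPackets runs a sequence of packets through one filter and returns,
// per packet, whether it was accepted.
func FilterPackets(window time.Duration, pkts []Packet) []bool {
	f := NewReplayFilter(window)
	out := make([]bool, len(pkts))
	for i, p := range pkts {
		out[i] = f.Accept(p.Sender, p.Time, p.Received)
	}
	return out
}
```

The freshness window must be wide enough to absorb the clock skew between terminals, APs and the AS, since the patent compares the sender's system time with the receiver's; the seen-set is what turns the window from "replays are only useful for 30 seconds" into "replays inside the window are dropped too".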
In this step the AS can verify the AP's signature with the public key of the AP certificate. The AS's verification of the mobile terminal certificate and the AP certificate includes checking whether the certificate has been revoked and whether it has expired; for the specific verification method refer to RFC 3280.

Step 104: If the AS's verification of the mobile terminal certificate, the AP certificate and the AP's signature finds that both certificates are legal and the AP's signature is correct, the AS sends the AP a certificate authentication response packet containing the certificate verification result and the AS's signature; the certificate verification result states that the mobile terminal certificate is a legal certificate and that the AP certificate is a legal certificate. Otherwise the AS discards the certificate authentication request packet and the process ends.

Step 105: After receiving the certificate authentication response packet, the AP verifies the AS's signature. If the AS's signature is wrong, the AP discards the response packet and the process ends. If the AS's signature is correct, the AP checks from the certificate verification result whether the mobile terminal certificate is legal; if it is, the AP sends the mobile terminal an access authentication response packet containing the AP certificate, the certificate verification result and the AS's signature; if the mobile terminal certificate is not legal, the AP discards the certificate authentication response packet and the process ends.

Step 106: After receiving the access authentication response packet, the mobile terminal determines from the AS's signature and the certificate verification result contained in the packet whether the AP certificate is a legal certificate. If it is, the subsequent steps are performed; if not, the process ends.

At this point the mobile terminal and the AP have completed the verification of each other's certificates by interacting with the AS. In the following steps the mobile terminal and the AP can further verify that the other party is the legal owner of its certificate.

Step 107: The mobile terminal sends the AP a private key verification request packet containing a random number N1 generated by the mobile terminal, requesting the AP to sign N1 so as to verify that the AP holds the private key of the AP certificate, that is, that the AP is the legal owner of the AP certificate. Signing here means encrypting the random number N1 with the private key of the AP certificate to produce a ciphertext.

Step 108: After receiving the private key verification request packet, the AP encrypts the random number N1 contained in the packet with the private key of the AP certificate to produce a ciphertext, and sends the mobile terminal a private key verification response packet containing the signature value corresponding to N1 and a random number N2 generated by the AP. The ciphertext produced by this encryption is the signature value corresponding to N1.

Step 109: After receiving the private key verification response packet from the AP, the mobile terminal decrypts the signature value contained in the packet with the public key of the AP certificate and checks whether the result equals N1. If it does, the mobile terminal concludes that the AP holds the private key of the AP certificate, that is, that the AP is the legal owner of the AP certificate; if it does not, the mobile terminal concludes that the AP does not hold the private key of the AP certificate and is therefore not its legal owner.

Step 110: The mobile terminal encrypts the random number N2 with the private key of the mobile terminal certificate to produce a ciphertext and sends the AP a private key verification confirmation packet containing the signature value corresponding to N2. The ciphertext produced by this encryption is the signature value corresponding to N2.

Step 111: After receiving the private key verification confirmation packet, the AP decrypts the signature value contained in the packet with the public key of the mobile terminal certificate and checks whether the result equals N2. If it does, the AP concludes that the mobile terminal holds the private key of the mobile terminal certificate, that is, that it is the legal owner of that certificate; if it does not, the AP concludes that the mobile terminal does not hold the private key of the mobile terminal certificate and is therefore not its legal owner.

Step 112: If the mobile terminal has determined that the AP is the legal owner of the AP certificate and the AP has determined that the mobile terminal is the legal owner of the mobile terminal certificate, the mobile terminal accesses the streaming media service platform through the AP and transmits the signalling and data of the streaming media service; otherwise access fails.

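The AS-side certificate check of step 103 and the private-key possession exchange of steps 107 to 111, as an added example that is not the patent's own code. The AS is modelled as a small certificate authority that issues the terminal and AP certificates, checks a presented certificate for chaining, validity period and revocation (an in-memory set of serial numbers stands in for the CRL lookup of RFC 3280), and the two nonce challenges are run with ECDSA signatures over SHA-256 of the nonce instead of the patent's "encrypt the random number with the private key and decrypt with the public key"; the property verified, that the peer holds the private key matching the certificate it presented, is the same. Party names, serial numbers and validity periods are constructed, and the AS's own signature on the response packets of steps 104 and 105 is not modelled.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Party is one participant (AS, AP or mobile terminal) with its certificate and key.
type Party struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewParty generates a P-256 key and a certificate for it: a self-signed CA
// (the AS root) when parent is nil, otherwise a leaf issued by parent.
func NewParty(cn string, serial int64, notBefore, notAfter time.Time, parent *Party) (*Party, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der) // parsed form carries the public key CheckNonce uses
	return &Party{Cert: cert, Key: key}, err
}

// ASVerify is the AS-side check of step 103: chain to the AS root, validity
// period at time now, and revocation (a constructed serial set stands in for the CRL).
func ASVerify(as *Party, cert *x509.Certificate, revoked map[string]bool, now time.Time) error {
	if revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	roots := x509.NewCertPool()
	roots.AddCert(as.Cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// newNonce draws a fresh 32-byte challenge (N1 or N2); without a working CSPRNG the handshake must not continue.
func newNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// ProveNonce is the certificate holder's side (steps 108 and 110): sign the peer's challenge.
func ProveNonce(p *Party, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, p.Key, h[:])
}

// CheckNonce is the verifier's side (steps 109 and 111): the proof must verify under the peer certificate's public key.
func CheckNonce(cert *x509.Certificate, nonce, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}

// MutualAuth runs steps 103 and 107-111: both certificates pass the AS check,
// then each side proves possession of its key against the other's fresh nonce.
func MutualAuth(as, mt, ap *Party, revoked map[string]bool, now time.Time) bool {
	if ASVerify(as, mt.Cert, revoked, now) != nil || ASVerify(as, ap.Cert, revoked, now) != nil {
		return false
	}
	n1 := newNonce() // step 107: the terminal challenges the AP
	sigAP, err := ProveNonce(ap, n1)
	if err != nil || !CheckNonce(ap.Cert, n1, sigAP) { // step 109
		return false
	}
	n2 := newNonce() // step 108: the AP challenges the terminal
	sigMT, err := ProveNonce(mt, n2)
	return err == nil && CheckNonce(mt.Cert, n2, sigMT) // step 111
}
```

Each nonce is drawn fresh per handshake, which is what makes a captured signature value from an earlier session useless to a party that does not hold the key; the AS check and the possession proof are deliberately separate steps, since a certificate can be perfectly valid while the party presenting it is not its owner.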
In the above embodiment the mobile terminal and the AP of the streaming media service platform perform two-way access authentication: the mobile terminal verifies the legality of the AP certificate through the AS and uses the public key of the AP certificate to verify that the AP is the legal owner of that certificate; at the same time, the AP verifies the legality of the mobile terminal certificate through the AS and uses the public key of the mobile terminal certificate to verify that the mobile terminal is the legal owner of that certificate.

In practice, one-way access authentication may also be used, in which only the AP verifies the legality of the mobile terminal certificate and whether the mobile terminal is its legal owner. In that case the certificate verification result and the AS's signature may be omitted from step 105, step 106 may be omitted, and the mobile terminal need not send the random number N1 to the AP.

Figure 2 is a schematic structural diagram of the access authentication system for a streaming media service according to an embodiment of the present invention; the system is described briefly below with reference to Figure 2.

As shown in Figure 2, the access authentication system for a streaming media service of the present invention comprises a mobile terminal and a streaming media service platform; the streaming media service platform comprises an AP and an AS, wherein:

the AS is used to verify, after receiving a certificate authentication request packet sent by the AP, the certificate contained in that packet, and to send the certificate verification result to the AP;

the AP is used to include, after receiving an access authentication request packet sent by the mobile terminal, the mobile terminal certificate contained in that packet in a certificate authentication request packet and send it to the AS for certificate verification, and, when the verification result is that the mobile terminal certificate is a legal certificate, to generate a random number N2 and send it to the mobile terminal;

the mobile terminal is used to encrypt the random number N2 with the private key of the mobile terminal certificate to generate the mobile terminal's signature value, and to send that signature value to the AP;

the AP is further used to decrypt the mobile terminal's signature value with the public key of the mobile terminal certificate and, if the decrypted result equals the random number N2, to allow the mobile terminal to access the streaming media service platform through the AP.

In addition, the certificate authentication request packet may also contain the AP certificate; correspondingly, the AS is further used to verify the AP certificate and to send the certificate verification result and the AS's signature to the mobile terminal through the AP; and correspondingly, the mobile terminal is further used to determine, from the received certificate verification result and the AS's signature, whether the AP certificate is a legal certificate, and accesses the streaming media service platform through the AP only when it is.

In addition, the mobile terminal is further used to generate a random number N1 and send it to the AP; correspondingly, the AP is further used to encrypt N1 with the private key of the AP certificate to generate the AP's signature value and send it to the mobile terminal; and correspondingly, the mobile terminal is further used to decrypt the AP's signature value with the public key of the AP certificate, accessing the streaming media service platform through the AP only when the decrypted result equals N1.

The detailed functions of the network elements in the access authentication system for a streaming media service of the present invention, and the connections between them, that is, the message interactions, are described in the description of the method above.

Claims

1. An access authentication method for a streaming media service, characterized in that the method comprises:
after receiving an access authentication request packet sent by a mobile terminal, an access point (AP) of the streaming media service platform including the mobile terminal certificate contained in that packet in a certificate authentication request packet and sending it to an authentication server of the streaming media service platform for certificate verification;
when the verification result is that the mobile terminal certificate is a legal certificate, the AP generating a random number N2 and sending the generated random number N2 to the mobile terminal;
the mobile terminal encrypting the random number N2 with the private key of the mobile terminal certificate to generate the mobile terminal's signature value, and sending the mobile terminal's signature value to the AP; and
the AP decrypting the mobile terminal's signature value with the public key of the mobile terminal certificate and, when the decrypted result equals the random number N2, allowing the mobile terminal to access the streaming media service platform through the AP.

2. The method according to claim 1, characterized in that the certificate authentication request packet further contains an AP certificate, and the method further comprises:
the authentication server verifying the AP certificate and sending the certificate verification result and the authentication server's signature to the mobile terminal through the AP; and
the mobile terminal determining, from the received certificate verification result and the authentication server's signature, whether the AP certificate is a legal certificate, and accessing the streaming media service platform through the AP when the AP certificate is a legal certificate.

3. The method according to claim 2, characterized in that accessing the streaming media service platform through the AP further comprises:
after determining that the AP certificate is a legal certificate, the mobile terminal generating a random number N1 and sending the generated random number N1 to the AP;
the AP encrypting the random number N1 with the private key of the AP certificate to generate the AP's signature value, and sending that signature value to the mobile terminal; and
the mobile terminal decrypting the AP's signature value with the public key of the AP certificate and, when the decrypted result equals the random number N1, accessing the streaming media service platform through the AP.

4. The method according to any one of claims 1 to 3, characterized in that the access authentication request packet further contains the current system time, and after the AP receives the access authentication request packet the method further comprises:
the AP determining, according to the current system time contained in the access authentication request packet, whether the access authentication request packet is a repeatedly sent packet, and sending the certificate authentication request packet to the authentication server when the access authentication request packet is not a repeatedly sent packet.

5. The method according to any one of claims 1 to 3, characterized in that the certificate authentication request packet further contains the current system time, and the certificate verification performed by the authentication server after receiving the certificate authentication request packet further comprises: determining, according to the current system time contained in the certificate authentication request packet, whether the certificate authentication request packet is a repeatedly sent packet, and performing the certificate verification when the certificate authentication request packet is not a repeatedly sent packet.

6. An access authentication system for a streaming media service, the system comprising a mobile terminal and a streaming media service platform, the streaming media service platform comprising an AP and an authentication server, wherein:
the authentication server is configured to verify, after receiving a certificate authentication request packet sent by the AP, the certificate contained in that packet, and to send the certificate verification result to the AP;
the AP is configured to, after receiving an access authentication request packet sent by the mobile terminal, include the mobile terminal certificate contained in that packet in a certificate authentication request packet and send it to the authentication server for certificate verification; when the verification result is that the mobile terminal certificate is a legal certificate, to generate a random number N2 and send the generated random number N2 to the mobile terminal; and to decrypt the mobile terminal's signature value with the public key of the mobile terminal certificate, allowing the mobile terminal to access the streaming media service platform through the AP when the decrypted result equals the random number N2; and
the mobile terminal is configured to encrypt the random number N2 with the private key of the mobile terminal certificate to generate the mobile terminal's signature value, and to send the mobile terminal's signature value to the AP.

7. The system according to claim 6, characterized in that the certificate authentication request packet further contains an AP certificate;
the authentication server is further configured to verify the AP certificate and to send the certificate verification result and the authentication server's signature to the mobile terminal through the AP; and
the mobile terminal is further configured to determine, from the received certificate verification result and the authentication server's signature, whether the AP certificate is a legal certificate, and to access the streaming media service platform through the AP when the AP certificate is a legal certificate.

8. The system according to claim 7, characterized in that the mobile terminal is further configured to generate a random number N1 and send the generated random number N1 to the AP;
the AP is further configured to encrypt the random number N1 with the private key of the AP certificate to generate the AP's signature value, and to send that signature value to the mobile terminal; and
the mobile terminal is further configured to decrypt the AP's signature value with the public key of the AP certificate, and to access the streaming media service platform through the AP when the decrypted result equals the random number N1.

9. The system according to any one of claims 6 to 8, characterized in that the access authentication request packet further contains the current system time; and
the AP is further configured to determine, according to the current system time contained in the access authentication request packet, whether the access authentication request packet is a repeatedly sent packet, and to send the certificate authentication request packet to the authentication server when the access authentication request packet is not a repeatedly sent packet.

10. The system according to any one of claims 6 to 8, characterized in that the certificate authentication request packet further contains the current system time; and
the authentication server is further configured to determine, according to the current system time contained in the certificate authentication request packet, whether the certificate authentication request packet is a repeatedly sent packet, and to perform the certificate verification when the certificate authentication request packet is not a repeatedly sent packet.
PCT/CN2009/075256 2009-05-06 2009-12-02 Method and system for authenticating accessing to stream media service Ceased WO2010127539A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910136535.0 2009-05-06
CN2009101365350A CN101552986B (en) 2009-05-06 2009-05-06 Access authentication method and system of streaming media service

Publications (1)

Publication Number Publication Date
WO2010127539A1 true WO2010127539A1 (en) 2010-11-11

Family

ID=41156905

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/075256 Ceased WO2010127539A1 (en) 2009-05-06 2009-12-02 Method and system for authenticating accessing to stream media service

Country Status (2)

Country Link
CN (1) CN101552986B (en)
WO (1) WO2010127539A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656504A (en) * 2016-10-27 2017-05-10 飞天诚信科技股份有限公司 Signature device and system and working method thereof
CN113691516A (en) * 2021-08-16 2021-11-23 深圳市商汤科技有限公司 Streaming media data transmission method and device, electronic equipment and storage medium
CN114928486A (en) * 2022-05-18 2022-08-19 浙江木链物联网科技有限公司 Industrial control protocol safety ferrying method, device and system based on digital certificate and storage medium

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101552986B (en) * 2009-05-06 2011-04-20 中兴通讯股份有限公司 Access authentication method and system of streaming media service
CN102143134B (en) * 2010-08-05 2014-04-30 华为技术有限公司 Method, device and system for distributed identity authentication
CN103179086B (en) * 2011-12-21 2016-05-18 中国电信股份有限公司 Remote storage processing method and the system of data
CN105635062B (en) * 2014-10-31 2019-11-29 腾讯科技(上海)有限公司 The verification method and device of network access equipment
CN107426724B (en) * 2017-08-09 2020-12-22 台州智奥通信设备有限公司 Method and system, terminal and authentication server for smart home appliance to access wireless network
CN107454595A (en) * 2017-09-28 2017-12-08 上海盈联电信科技有限公司 Authentication method for Commercial Complex wireless connection
CN107948140B (en) * 2017-11-10 2020-09-15 广州杰赛科技股份有限公司 Portable equipment verification method and system
CN108280917A (en) * 2018-03-21 2018-07-13 首创置业股份有限公司 A kind of access control system and equipment based on Internet of Things public service platform
CN109333538B (en) * 2018-11-01 2021-01-26 北京万通易居环保设备科技有限公司 A control system for photovoltaic intelligent robot
CN112073421B (en) * 2020-09-14 2022-07-08 深圳市腾讯计算机系统有限公司 Communication processing method, communication processing device, terminal and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1708018A (en) * 2004-06-04 2005-12-14 华为技术有限公司 Method for switching in radio local-area network mobile terminal
CN1992594A (en) * 2005-12-31 2007-07-04 中兴通讯股份有限公司 URL extension method for streaming media system
CN101552986A (en) * 2009-05-06 2009-10-07 中兴通讯股份有限公司 Access authentication method and system of streaming media service

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656504A (en) * 2016-10-27 2017-05-10 飞天诚信科技股份有限公司 Signature device and system and working method thereof
CN106656504B (en) * 2016-10-27 2019-06-18 飞天诚信科技股份有限公司 A signature device, system and working method thereof
CN113691516A (en) * 2021-08-16 2021-11-23 深圳市商汤科技有限公司 Streaming media data transmission method and device, electronic equipment and storage medium
CN114928486A (en) * 2022-05-18 2022-08-19 浙江木链物联网科技有限公司 Industrial control protocol safety ferrying method, device and system based on digital certificate and storage medium
CN114928486B (en) * 2022-05-18 2023-10-17 浙江木链物联网科技有限公司 Industrial control protocol security ferrying method, device and system based on digital certificate and storage medium

Also Published As

Publication number Publication date
CN101552986A (en) 2009-10-07
CN101552986B (en) 2011-04-20

Similar Documents

Publication Publication Date Title
WO2010127539A1 (en) Method and system for authenticating accessing to stream media service
US8533461B2 (en) Wireless local area network terminal pre-authentication method and wireless local area network system
CN105554747B (en) Wireless network connecting method, apparatus and system
US8745396B2 (en) Method for implementing the real time data service and real time data service system
US20110320802A1 (en) Authentication method, key distribution method and authentication and key distribution method
US8881305B2 (en) Methods and apparatus for maintaining secure connections in a wireless communication network
CN111885602A (en) A batch handover authentication and key agreement method for heterogeneous networks
CN101442402B (en) Method, system and apparatus for authenticating access point equipment
JP2017535998A5 (en)
WO2010012203A1 (en) Authentication method, re-certification method and communication device
KR20070122460A (en) Appropriate Access Authentication Method for Wired and Wireless Networks
KR20050072789A (en) A method for the access of the mobile terminal to the wlan and for the data communication via the wireless link securely
WO2008034360A1 (en) A network access authentication and authorization method and an authorization key updating method
WO2011020274A1 (en) Security access control method and system for wired local area network
WO2012068922A1 (en) Ims multimedia communication method and system, terminal and ims core network
WO2015100974A1 (en) Terminal authentication method, device and system
WO2009152749A1 (en) A binding authentication method, system and apparatus
CN102036238A (en) Method for realizing user and network authentication and key distribution based on public key
CN102547701A (en) Authentication method and wireless access point as well as authentication server
WO2012174959A1 (en) Group authentication method, system and gateway in machine-to-machine communication
WO2011041962A1 (en) Method and system for end-to-end session key negotiation which support lawful interception
CN103795728A (en) EAP authentication method capable of hiding identities and suitable for resource-constrained terminal
CN100370772C (en) A method for wireless local area network mobile terminal access
CN112399407B (en) 5G network authentication method and system based on DH ratchet algorithm
WO2011015060A1 (en) Extensible authentication protocol authentication method, base station and authentication server thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 09844291; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 09844291; Country of ref document: EP; Kind code of ref document: A1)