视频监控设备身份认证机制的设计与实现

针对视频监控系统接入层中前端设备的身份安全问题,通过对会话初始协议(Session Initia-tion Protocol,SIP)进行研究和扩展,设计并改进了一种基于超文本传输协议(Hyper Text Transfer Pro-tocol,HTTP)摘要访问认证的SIP安全机制.前端设备在接入视频监控系统前,需要通过该安全机制与系统安全管理平台上的SIP服务器进行身份认证.认证双方基于公钥基础设施数字证书认证体系(Public Key Infrastructure/Certificate Authority,PKI/CA)获取对方的数字证书后解析公钥,在摘要认证的基础上使用公钥加密和私钥签名来保护认证序列的安全性,解密认证序列后通过异或校验和摘要校验实现双向身份认证.测试与分析结果表明,改进的安全机制能够抵御常见的SIP安全风险,实现设备与安管平台间的双向身份认证,在适当损失效率的情况下确保接入系统的设备身份合法可信.

Design and implementation of equipment identity authentication mechanism in video surveillance

For the identity security of the front end equipment in the access layer of video surveillance system,a session initiation protocol(SIP) security mechanism based on Hyper Text Transfer Protocol(HTTP) access digest authentication is designed and improved by studying and extending the SIP.The front end equipment needs to be authenticated with the SIP server on the system security management platform through a security mechanism before accessing the video surveillance system.Based on the public key infrastructure digital certificate authentication system(PKI/CA),both parties obtain the digital certificate of the other party and parse the public key.According to the digest authentication,public key encryption and private key signature are combined to protect the security of the authentication sequence,and then the authentication sequence is decrypted and the bidirectional identity authentication is implemented through exclusive OR check and digest check.The test and analysis results show that the improved mechanism can resist common SIP security risks and implement the bidirectional identity authentication between the equipment and the management platform,ensuring that the identity of the equipment accessing the system is legal and credible under the condition of proper loss of efficiency.