CN101977383A - Authentication processing method, system, client side and server for network access - Google Patents

Info

Publication number: CN101977383A
Authority: CN (China)
Prior art keywords: client, authentication, identification information, additional identification, network
Legal status: Pending
Application number: CN2010102444776A
Other languages: Chinese (zh)
Inventor: 林雁敏
Current Assignee: Beijing Star Net Ruijie Networks Co Ltd
Original Assignee: Beijing Star Net Ruijie Networks Co Ltd

Abstract

The invention provides an authentication processing method, system, client and server for network access. The method comprises: receiving an authentication request message sent by the client, the request message carrying authentication additional identification information; performing verification processing on the authentication additional identification information against preset additional identification information computed locally; and, when the authentication additional identification information is inconsistent with the preset additional identification information, identifying the client as an illegally accessing client. The network access server comprises a receiver module, a verification module and an identification module. The client comprises a transmitter module, a verification trigger module and an identification trigger module. The invention also provides an authentication processing system for network access. The invention solves the wireless network access security problem that arises when a username and password are used for wireless network identity authentication, and greatly improves the security of users' network access in a wireless network.

Description

Authentication processing method, system, client and server for network access
Technical field
The present invention relates to network security technology, and in particular to an authentication processing method, system, client and server for network access.
Background technology
With the continuous development of wireless network technology, wireless networks are ever more widespread, and more enterprises and organizations are beginning to use wireless networks for network access. The industry generally uses the 802.1X protocol for wireless access control, that is, a username and password are used for identity authentication before a user accesses the network, and only users with a legitimate identity can connect to the network. However, wireless communication messages are by nature propagated over radio signals, so compared with a wired network a wireless network has inherent security problems: the wireless network is vulnerable to attack; a user's network access account may be stolen by an attacker and used to intrude into the network; and after the account is lost, the user cannot discover this in time and the problem cannot be localized.
In the prior art, to solve the above problems of 802.1X authentication, network security is usually improved by the following methods: forcing users to adopt more complex passwords to raise password strength; actively binding IP addresses and Media Access Control (hereinafter MAC) addresses on the wireless switch to perform IP address or MAC address filtering; disabling the Dynamic Host Configuration Protocol (hereinafter DHCP) service or Service Set Identifier (hereinafter SSID) broadcasting; and so on.
However, these prior-art methods still suffer from high implementation cost and a heavy network-management workload, and cannot thoroughly solve wireless network security, so the access security of wireless networks remains under threat.
Summary of the invention
The present invention provides an authentication processing method, system, client and server for network access, in order to solve the wireless network access security problem that exists when the prior art uses a username and password for wireless network authentication, and to improve the security of users' network access in a wireless network.
The present invention provides an authentication processing method for network access, comprising:
receiving an authentication request message sent by a client, the authentication request message carrying authentication additional identification information;
performing verification processing on the authentication additional identification information and locally computed preset additional identification information;
when the authentication additional identification information is inconsistent with the preset additional identification information, performing identification processing on the illegally accessing client.
The present invention provides a network access server, comprising:
a receiver module, configured to receive an authentication request message sent by a client, the authentication request message carrying authentication additional identification information;
a verification module, configured to perform verification processing on the authentication additional identification information and locally computed preset additional identification information;
an identification module, configured to perform identification processing on the illegally accessing client when the authentication additional identification information is inconsistent with the preset additional identification information.
The present invention provides a client, comprising:
a sending module, configured to send an authentication request message to a network access server, the authentication request message carrying authentication additional identification information;
a verification trigger module, configured to trigger the network access server to perform verification processing on the authentication additional identification information and locally computed preset additional identification information;
an identification trigger module, configured to trigger the network access server to perform identification processing on the illegally accessing client when the authentication additional identification information is inconsistent with the preset additional identification information.
The present invention also provides an authentication processing system for network access, comprising a network device, the above network access server and the above client.
In the authentication processing method, system, client and server for network access of the present invention, the network access server extracts the authentication additional identification information from the authentication request message sent by the client, performs verification processing on it against the locally computed preset additional identification information, and performs identification processing on the illegally accessing client when the check fails. This solves the wireless network access security problem that exists when the prior art uses a username and password for wireless network authentication, and greatly improves the security of users' network access in a wireless network.
Description of drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of embodiment one of the authentication processing method for network access of the present invention;
Fig. 2 is a signaling diagram of embodiment two of the authentication processing method for network access of the present invention;
Fig. 3 is a schematic diagram of the message format of the authentication request message in embodiment two of the authentication processing method for network access of the present invention;
Fig. 4 is a schematic diagram of the message format of the authentication response message in embodiment two of the authentication processing method for network access of the present invention;
Fig. 5 is a schematic structural diagram of embodiment one of the network access server of the present invention;
Fig. 6 is a schematic structural diagram of embodiment two of the network access server of the present invention;
Fig. 7 is a schematic structural diagram of embodiment one of the client of the present invention;
Fig. 8 is a schematic structural diagram of embodiment two of the client of the present invention.
Embodiment
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In a wireless network, wireless communication messages are propagated through the air by radio signals. Therefore, regardless of the identity of a wireless user's client, network access can be attempted anywhere the wireless signal reaches, which means that the client of any network user can be attacked through the wireless network and have confidential information stolen, so the security of user clients in a wireless network is seriously threatened. Although the industry currently uses the 802.1X protocol for wireless access control, that is, username/password authentication based on PEAP-MSCHAP V2 over 802.1X, so that only users with a legitimate identity can access the wireless network, network users generally lack security awareness: passwords are usually set very simply, and the network access account is not protected. It is therefore easy for some illegal users to obtain network access account information by various means, for example brute-force cracking, and then covertly intrude into the wireless network to steal confidential information. Moreover, even when a user's account and password have been lost, the user can hardly discover it in time, and the network administrator cannot obtain any information for tracking, so it is difficult to locate and handle the illegal user's attack, and there is nothing to serve as a reference for subsequently improving wireless network security.
In subsequent research on wireless network security, the industry has also proposed multiple solutions to the above problems. For example, network security may be improved by raising password strength, forcing network users to adopt usernames and passwords of more than 8 characters so that brute-force cracking by a malicious attacker becomes harder; however, it is difficult for an administrator to force network users to set such long passwords, and because they are hard to remember, a user who writes the account and password down elsewhere actually increases the insecurity. At the same time, this method cannot prevent an illegal user from obtaining the account and password by other means, such as Trojan horses. Alternatively, IP address and MAC address filtering may be performed on the wireless switch; but because an illegal user can obtain IP and MAC addresses by intercepting and cracking the wireless signals propagating in the air, and can then access the network simply by modifying the IP and MAC addresses used by the operating system, this method cannot fully solve the above problem; moreover, it requires actively binding IP and MAC addresses one by one, which is laborious and not very practical. Alternatively, the DHCP service or SSID broadcasting may be disabled, so that an illegal user has to try various means to access the network; but an illegal user can easily obtain the IP addresses used by network users or the available SSIDs by means such as wireless packet capture, and disabling the DHCP service requires the wireless network to use static IP addresses, which greatly increases the network-management workload. Alternatively, certificate authentication may be adopted, such as EAP-TLS authentication, instead of a username and password as the authentication credential; but a certificate can equally be stolen, and if a U-KEY certificate is adopted to solve certificate theft, the cost is high and the method cannot be popularized. Adopting certificate authentication also requires building a corresponding system for certificate management, such as certificate application, validity verification, certificate expiry handling and certificate revocation handling, which is costly and places high demands on the administrator. It can thus be seen that the methods currently adopted by the industry all have various problems, mainly high implementation cost, a heavy network-management workload and the inability to thoroughly solve network security. The embodiments of the invention introduced below solve the above problems of the prior art one by one and improve the security of network access.
Fig. 1 is a flowchart of embodiment one of the authentication processing method for network access of the present invention. As shown in Fig. 1, this embodiment provides an authentication processing method for network access, which may specifically comprise the following steps:
Step 101: the network access server receives an authentication request message sent by the client, the authentication request message carrying authentication additional identification information.
This embodiment is mainly directed at the network access scenario in a wireless network; the client here is mainly a wireless client, and the network access server may specifically be a Remote Authentication Dial-In User Service (hereinafter RADIUS) server. When the client performs network access authentication, it first sends an authentication request message to the network access server; specifically, the client may send the authentication request message to the network access server through a network device, where the network device may be a switch, an access point (hereinafter AP) or the like. The authentication request message sent by the client carries authentication additional identification information, which in this embodiment can be used to uniquely identify the client to be authenticated.
Step 102: the network access server performs verification processing on the authentication additional identification information and the preset additional identification information computed locally by the network access server.
After receiving the authentication request message sent by the client, the network access server extracts the authentication additional identification information carried in it and performs verification processing on it against the preset additional identification information computed locally by the network access server. Here, the preset additional identification information is computed locally by the network access server, when the client is being authenticated, from the client identification it has obtained; it is the additional identification information corresponding to the client currently to be authenticated.
Specifically, the network access server may obtain the client identification by active configuration or by automatic learning. After obtaining the client identification, the network access server saves it locally, and when the client is authenticated, computes the preset additional identification information from this client identification and a randomly generated challenge value. When the client identification is obtained by active configuration, the client identification of the client to be authenticated may be obtained beforehand by the user registering or actively reporting it, for example by running related software on the client. When the client identification is obtained by automatic learning, it may be extracted from the first authentication request message sent by the client. In this step the network access server performs verification processing on the currently received authentication additional identification information and the locally computed corresponding preset additional identification information, that is, it compares whether the two are consistent.
Step 103: when the authentication additional identification information is inconsistent with the preset additional identification information, the network access server performs identification processing on the illegally accessing client.
After comparing the authentication additional identification information with the preset additional identification information, if the network access server judges that the two are consistent, it proceeds to the subsequent username/password check; if that check succeeds, the client is connected to the wireless network and the user can access the wireless network normally through the client without any restriction. When the authentication additional identification information is inconsistent with the preset additional identification information, that is, the additional identification check of the client fails, this shows that the network access account corresponding to the client is being used abnormally. The network access server then no longer performs the subsequent username/password check, but still allows the network user to access the wireless network through the client; however, it must perform identification processing on the illegally accessing client, for example obtaining the location information of the illegally accessing client and information such as the corresponding switch or router from the preceding authentication interaction, monitoring the subsequent network access of the illegally accessing client, and locating it.
Specifically, step 103 may be: when the additional identification information check fails, the network access server issues an isolation policy to the network device, and the network device monitors and isolates the network access process of the client. That is, according to the received isolation policy, the network device monitors and isolates the client's subsequent access to the wireless network; specifically it may control the client so that it can only access a specific wireless network that does not contain any confidential resource, in such a way that the illegal user accessing the wireless network through the client cannot perceive that it has been monitored and isolated. It can be seen that, through the check of this additional identification information, this embodiment prevents the illegal user from accessing the wireless network containing confidential resources when the check fails, effectively solving the wireless access security problem caused by the loss of a legitimate user's network access account, and, instead of directly refusing the illegal user's network access, monitors the subsequent network access, laying the foundation for subsequently locating the illegal user.
This embodiment provides an authentication processing method for network access: the network access server extracts the authentication additional identification information from the authentication request message sent by the client, performs verification processing on it against the locally computed preset additional identification information, and performs identification processing on the illegally accessing client when the check fails. This solves the wireless network access security problem that exists when the prior art uses a username and password for wireless network authentication, and greatly improves the security of users' network access in a wireless network. Compared with the prior-art method of raising password strength, this embodiment authenticates directly through the additional identification information of the client that uniquely identifies the legitimate user, without forcing users to adopt complex usernames and passwords, and at the same time solves the security problems caused by weak passwords and lost user accounts. Compared with IP address and MAC address filtering on the switch, the obtaining and checking of all additional identification information is completed automatically in the background by the network access server, without active administrator operation and without adding any network-management workload. In addition, compared with disabling the DHCP service or SSID broadcasting, this embodiment can thoroughly solve the problem of intrusion by illegal users, without building any costly authentication system.
Fig. 2 is the signaling diagram of the authentication method embodiment two of network insertion of the present invention, as shown in Figure 2, present embodiment provides a kind of authentication method of network insertion, present embodiment specifically obtains the application scenarios that presets additional identification information at network access server by automatic mode of learning, can specifically comprise the steps:
Step 201, client sends authentication request message first to the network equipment, is carrying client identification in the authentication request message first.
Carry out in client before the network access authentication of wireless network, network access server obtains client identification by automatic mode of learning, and concrete elder generation obtains to the process that network access server authenticates for the first time by client.In the present embodiment, the verification process first time of client does not comprise the verification to additional identification information.Client is uploaded client identification by the network equipment to network access server.The specific client end sends authentication request message first to the network equipment earlier, is carrying client identification in the authentication request message first.
Step 202, network equipment authentication request message first is forwarded to network access server.
The network equipment after receiving the authentication request message first that client sends, with this first authentication request message be forwarded on the network access server, carry the unique clients corresponding sign of this client to be certified in the authentication request message first at this.
Step 203, network access server is kept at this locality with client identification.
Network access server is after the authentication request message first that receives network equipment forwarding, extract the client identification that wherein carries the authentication request message first from this, and this client identification is kept at network access server this locality, calculate additional identification information in the subsequent process and use to give over to.In the present embodiment, client identification is the unique sign that has of client to be certified, and it can be selected to be provided with according to the situation of reality by the implementer, is configured as the correlated characteristic according to our unit or individual.For example, client identification can be check code, the management (Administrator of certain service customer end of the antivirus software sequence number of the registration code of the operating system of our unit's centralized purchasing, appointment, our unit's independent development; Hereinafter to be referred as: AD) the one or more combination in the information such as the domain name in territory, Hostname sign suffix, can use the hard disk sequence number as client identification usually.
Step 204, when client was carried out access authentication, network access server generated a challenging value, and challenging value is kept at this locality.
Network access server can be when client authenticates, generate a challenging value (Challenge value) in this locality, promptly generate a random number at random, and this challenging value is kept at network access server this locality, use to give over to calculating additional identification information in the subsequent process.
Step 205, network access server issues application data message to the network equipment, carries challenging value in application data message.
When network access server is kept at this locality with the challenging value that generates, also this challenging value is issued to client to be certified by the network equipment, specifically can send application data message to the network equipment earlier, this challenging value is carried in this application data message.
Step 206, the network equipment is transmitted application data message to client.
The network equipment is forwarded to client to be certified with this application data message after receiving the application data message of carrying challenging value that network access server issues, the challenging value that generates before carrying in this application data message.
Step 207, client generates the authentication additional identification information according to self client identification and challenging value calculating.
Client extracts the challenging value that network access server generates from this application data message after the application data message that receives network equipment forwarding.Client is obtained the client identification of self from this locality, client adopts cryptographic algorithm, as md5-challenge (message-digest algorithm 5 according to this client identification and challenging value; Hereinafter to be referred as: MD5) calculating generates one 16 authentication additional identification information.Authentication additional identification information herein is an additional identification information in the present embodiment, and it is just distinguished for the additional identification information that presets that calculates with the subsequent network access server, does not represent other implications.
Step 208, client sends authentication request message to the network equipment, carries the authentication additional identification information in authentication request message.
In client when network access server carries out network access authentication, send authentication request message by the network equipment to network access server, client sends to the network equipment with authentication request message earlier, carries in this authentication request message and calculates the authentication additional identification information that generates in the above-mentioned steps 207.Fig. 3 is the message format schematic diagram of authentication request message among the authentication method embodiment two of network insertion of the present invention, as shown in Figure 3, in the present embodiment, the authentication additional identification information uploaded to network access server of client can be carried in the authentication request message.Particularly, field Type takies 1 byte among the figure, and its value is necessary for 26, expression MSCHAPV2 type; Field opCode takies 1 byte, and its value is necessary for 2; Field MS-CHAPV2-ID takies 1 byte; Field MS-Length takies 2 bytes; Field value-size takies 1 byte, and its value is necessary for 0x31; Field response takies 49 bytes, and the content of response can be with reference to agreement<draft-kamath-pppext-eap-mschapv2-02.txt〉chapters and sections 2.2 are about the description part of response; Field name be used for representing the surfing the Net user name of account number, it can be the character of indefinite length, in the present embodiment, can add uploading to network access server and carry out the needed additional identification information of verification in this field.
Step 209, the network equipment is forwarded to network access server with this authentication request message.
The network equipment is forwarded to network access server with this authentication request message after the authentication request message that receives the client transmission, carry the authentication additional identification information in this authentication request message.
Step 210, network access server presets additional identification information according to the client identification of this locality preservation and the challenging value calculating generation of generation.
Network access server extracts the unique clients corresponding sign of the client of wherein carrying the authentication request message first from this after receiving the authentication request message first of client upload.Network access server generates and is kept at local challenging value calculating generation according to calculating in this client identification and the step 204 and presets additional identification information, and identical method was calculated generation and preset additional identification information when client was calculated the authentication additional identification information in the network access server employing step 207.The additional identification information that presets herein is a additional identification information in the present embodiment, and it is just distinguished for the authentication additional identification information that calculates with client before, does not represent other implications.Network access server presets additional identification information with this and is kept at this locality after additional identification information is preset in the calculating generation, uses when handling in order to subsequent check.
Step 211: the network access server checks the authentication additional identification information against the preset additional identification information.
After receiving the authentication request message that the client uploaded through the network device, the network access server extracts the authentication additional identification information from it and compares it with the preset additional identification information computed locally for this client, judging whether the two are consistent.
Step 212: when the authentication additional identification information is inconsistent with the preset additional identification information, the network access server issues an isolation policy to the network device.
If the check finds the authentication additional identification information consistent with the preset additional identification information, i.e. the check passes, the network access server proceeds with the real account verification, namely checking the user's user name and password; if that succeeds, the user is legitimate and may access the wireless network normally through this client. If the two are inconsistent, i.e. the check fails, the account is being used abnormally: most likely the client identifier that the client obtained from itself differs from that of the legitimate client, so the computed authentication additional identification information has changed and no longer matches the preset additional identification information derived from the client identifier uploaded to the network access server earlier. The network access server then performs no further account verification, but still lets this user onto the wireless network, and issues an isolation policy to the network device.
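The exchange of steps 207 to 212, as an added example that is not the patent's own code: the client builds the EAP-MSCHAPv2 Response of Fig. 3 with a challenge-bound client identifier appended to the Name field, and the server parses it, recomputes the value from the identifier it stored at first authentication and decides between the real password check and isolation. The patent does not fix how the additional identification information is computed or how it is delimited inside Name, so the HMAC-SHA256 construction, the 16-byte truncation and the `|` separator are assumptions of this example, as is the stand-in for the 49-byte Response block, whose real computation is out of scope here.

```python
"""Added example (not the patent's code): the EAP-MSCHAPv2 Response carrying a
challenge-bound client identifier in its Name field (Fig. 3), and the server-side
check of steps 210-212 that decides between the real password check and isolation.
Assumptions, since the patent does not fix them: the binding is HMAC-SHA256 keyed
with the client identifier over the server challenge, truncated to 16 bytes and
hex-encoded; it is appended to the user name after a '|' separator. The EAP
Code/Identifier/Length header in front of Type is omitted, as in the description.
"""
import hashlib
import hmac
import os
import struct

EAP_TYPE_MSCHAPV2 = 26      # Type field
OPCODE_RESPONSE = 2         # OpCode field of a Response
VALUE_SIZE = 49             # 16 peer challenge + 8 reserved + 24 NT-Response + 1 flags
SEP = b"|"                  # assumed separator between user name and binding


def compute_binding(client_id: bytes, challenge: bytes) -> bytes:
    """Challenge-bound client identifier (assumed construction, see module docstring)."""
    return hmac.new(client_id, challenge, hashlib.sha256).digest()[:16].hex().encode()


def build_response(ms_id: int, response49: bytes, username: bytes, binding: bytes) -> bytes:
    """Type | OpCode | MS-CHAPv2-ID | MS-Length | Value-Size | Response(49) | Name."""
    if len(response49) != VALUE_SIZE:
        raise ValueError("Response field must be 49 bytes")
    name = username + SEP + binding
    ms_length = 1 + 1 + 2 + 1 + VALUE_SIZE + len(name)   # everything after Type
    header = struct.pack("!BBBHB", EAP_TYPE_MSCHAPV2, OPCODE_RESPONSE, ms_id, ms_length, VALUE_SIZE)
    return header + response49 + name


def parse_response(pkt: bytes):
    """Return (ms_id, response, username, binding); rejects malformed packets."""
    if len(pkt) < 1 + 5 + VALUE_SIZE + 1 or pkt[0] != EAP_TYPE_MSCHAPV2:
        raise ValueError("not an EAP-MSCHAPv2 packet")
    opcode, ms_id, ms_length, value_size = struct.unpack("!BBHB", pkt[1:6])
    if opcode != OPCODE_RESPONSE or value_size != VALUE_SIZE:
        raise ValueError("not a Response packet or bad Value-Size")
    if ms_length != len(pkt) - 1:
        raise ValueError("MS-Length does not match packet length")
    response = pkt[6:6 + VALUE_SIZE]
    username, sep, binding = pkt[6 + VALUE_SIZE:].rpartition(SEP)
    if not sep:
        raise ValueError("Name field carries no binding")
    return ms_id, response, username, binding


def client_respond(username: bytes, client_id: bytes, challenge: bytes, ms_id: int = 1) -> bytes:
    """Client side (steps 207-208). The 49-byte MS-CHAPv2 Response block is filled with
    a stand-in here; its real computation is out of scope for this example."""
    stand_in_response = os.urandom(VALUE_SIZE)
    return build_response(ms_id, stand_in_response, username, compute_binding(client_id, challenge))


class AccessServer:
    """Server side: remembers the client identifier seen at first authentication (step 204)
    and the challenge it issued, and applies the check of steps 210-212."""

    def __init__(self):
        self.client_ids = {}    # user name -> client identifier learned at first auth
        self.challenges = {}    # user name -> outstanding challenge
        self.auth_log = []

    def register_client(self, user: str, client_id: bytes) -> None:
        self.client_ids[user] = client_id

    def issue_challenge(self, user: str) -> bytes:
        challenge = os.urandom(16)
        self.challenges[user] = challenge
        return challenge

    def handle_response(self, pkt: bytes) -> str:
        _, _response, username, binding = parse_response(pkt)
        user = username.decode()
        challenge = self.challenges.pop(user, None)     # single use: defeats replay
        client_id = self.client_ids.get(user)
        if challenge is None or client_id is None:
            return "reject"
        expected = compute_binding(client_id, challenge)
        if not hmac.compare_digest(expected, binding):
            self.auth_log.append({"user": user, "event": "binding-mismatch"})
            return "isolate"            # skip the password check, push isolation policy
        return "verify-password"        # binding matched: now check the MS-CHAPv2 Response


def demo() -> dict:
    srv = AccessServer()
    srv.register_client("alice", b"LEGIT-CLIENT-ID")
    # 1. the legitimate client on the registered machine
    legit_pkt = client_respond(b"alice", b"LEGIT-CLIENT-ID", srv.issue_challenge("alice"))
    legit = srv.handle_response(legit_pkt)
    # 2. the stolen account used from a different machine (different client identifier)
    stolen = srv.handle_response(client_respond(b"alice", b"OTHER-MACHINE", srv.issue_challenge("alice")))
    # 3. a captured legitimate packet replayed under a fresh challenge
    srv.issue_challenge("alice")
    replay = srv.handle_response(legit_pkt)
    return {"legit": legit, "stolen": stolen, "replay": replay, "log": len(srv.auth_log)}
```

`demo()` returns `verify-password` for the registered machine and `isolate` both for the stolen account on another machine and for the replayed packet, which is the behaviour the description claims: the password is never checked while the binding fails, and the challenge makes a captured binding useless. The comparison uses `hmac.compare_digest` so that timing does not leak how much of the binding matched; the challenge is consumed on first use.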
Step 213: the network device monitors and isolates the client's network access according to the isolation policy.
After receiving the isolation policy issued by the network access server, the network device monitors and isolates this client's subsequent network access accordingly. It controls the client's online behaviour under the isolation policy so that, through this client, the user can reach only a designated wireless network containing no confidential resources, and so that the intruder cannot tell that it is being monitored and isolated. By checking the additional identification information, this embodiment addresses the wireless access security problem of a lost (stolen) network account and lays the groundwork for subsequently locating the illegitimate user. Because the additional identification information is checked before the password, and no real user name and password check is performed while that check fails, this embodiment also prevents an illegitimate user from brute-forcing weak passwords. Note that the check binds the account to the client identifier, not to the password: an attacker who has obtained both the account and the legitimate client's identifier is not distinguished by it.
Step 214: the network access server records the client's failed access authentication check in the authentication log and sends an alarm notification to the administrator.
After the additional identification information check fails, the network access server also records this client's failed access authentication check in the authentication log. That is, when the network access server finds that a user authenticating with a certain account has been isolated because the additional identification information check failed, it records the event in the authentication log for later query or audit. At the same time, the network access server sends an alarm notification to the network administrator, for example by SMS or e-mail.
Step 215: the network access server audits the online behaviour of the illegitimately accessing client according to the authentication log and locates that client.
After the additional identification information check fails, the network access server also audits the online behaviour of the illegitimately accessing client according to the recorded authentication log, and locates the illegitimate user using the additional identification information uploaded by the client together with the related information uploaded to the network access server by the network device, such as the SSID and the MAC address of the AP, or using other common wireless location techniques, so that the attacking user can be apprehended.
Step 216: the network access server sends an authentication response message to the legitimate client through the network device, carrying a prompt message.
After the additional identification information check fails, the next time the legitimate user accesses the wireless network the network access server sends an authentication response message to that user's client through the network device. The message carries a prompt informing the legitimate user that the account has been stolen, so that the user learns this promptly and changes the user name and password. Fig. 4 is a schematic diagram of the format of the authentication response message in embodiment two of the network access authentication method of the present invention. As shown in Fig. 4, in this embodiment the prompt that the network access server sends to the client can be carried in the authentication response message. Specifically, the Type, OpCode, MS-CHAPv2-ID and MS-Length fields correspond to those of Fig. 3 and are not described again. In the present invention, the Message field carries the prompt that warns the legitimate user that the account has been stolen and asks the user to change the user name and password.
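Steps 214 to 216 worked through on constructed data, as an added example rather than the patent's own code: the authentication log is audited per account, the failures are grouped by access point and SSID to narrow down where the rogue client is, an administrator alert is produced, and the warning for the account owner's next successful login is placed in the Message field of an EAP-MSCHAPv2 Success Request. The key=value log format and the sample lines are constructed for this example; the `AP-MAC:SSID` form of Called-Station-Id follows RFC 3580, and the 40-hex-digit authenticator string in the Message is supplied by the caller, since computing it is outside the example.

```python
"""Added example (not the patent's code) for steps 214-216: audit the authentication
log after binding-check failures, locate the offending client by access point and
SSID, and prepare the warning for the account owner's next successful login.
Assumptions: a constructed key=value log format; Called-Station-Id in the RFC 3580
form 'AP-MAC:SSID'; Calling-Station-Id is the client MAC; the warning is carried in
the Message field of an EAP-MSCHAPv2 Success Request (Type 26, OpCode 3).
"""
import struct
from collections import Counter, defaultdict

EAP_TYPE_MSCHAPV2 = 26
OPCODE_SUCCESS_REQUEST = 3

# Constructed sample log, not real data: one record per line.
SAMPLE_LOG = """\
ts=2010-08-03T09:00:01 user=alice event=auth-ok called=00-1A-2B-3C-4D-5E:Corp calling=AA-BB-CC-00-00-01
ts=2010-08-03T12:14:07 user=alice event=binding-mismatch called=00-1A-2B-3C-4D-60:Corp calling=DE-AD-BE-EF-00-01
ts=2010-08-03T12:14:40 user=alice event=binding-mismatch called=00-1A-2B-3C-4D-60:Corp calling=DE-AD-BE-EF-00-01
ts=2010-08-03T12:20:02 user=alice event=binding-mismatch called=00-1A-2B-3C-4D-61:Guest calling=DE-AD-BE-EF-00-01
ts=2010-08-03T12:31:55 user=bob event=auth-ok called=00-1A-2B-3C-4D-5E:Corp calling=AA-BB-CC-00-00-02
ts=2010-08-03T13:02:19 user=carol event=binding-mismatch called=00-1A-2B-3C-4D-5E:Corp calling=DE-AD-BE-EF-00-07
"""


def parse_log(text: str) -> list:
    """Split key=value records and break Called-Station-Id into AP MAC and SSID."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(field.split("=", 1) for field in line.split())
        rec["ap_mac"], _, rec["ssid"] = rec["called"].partition(":")
        records.append(rec)
    return records


def audit(records: list) -> dict:
    """Per account with at least one binding mismatch: count, time window, client MACs,
    every (AP, SSID) seen and the one seen most often, which is where to start looking."""
    by_user = defaultdict(list)
    for rec in records:
        if rec["event"] == "binding-mismatch":
            by_user[rec["user"]].append(rec)
    report = {}
    for user, recs in by_user.items():
        aps = Counter((r["ap_mac"], r["ssid"]) for r in recs)
        report[user] = {
            "mismatches": len(recs),
            "first": min(r["ts"] for r in recs),
            "last": max(r["ts"] for r in recs),
            "client_macs": sorted({r["calling"] for r in recs}),
            "aps": sorted(aps),
            "likely_ap": aps.most_common(1)[0][0],
        }
    return report


def alert_lines(report: dict) -> list:
    """Administrator alert text (step 214), one line per affected account."""
    return [
        f"ALERT account={user} mismatches={d['mismatches']} window={d['first']}..{d['last']} "
        f"ap={d['likely_ap'][0]} ssid={d['likely_ap'][1]} client={','.join(d['client_macs'])}"
        for user, d in sorted(report.items())
    ]


def build_success_request(ms_id: int, auth_string: str, message: str) -> bytes:
    """Type | OpCode=3 | MS-CHAPv2-ID | MS-Length | Message, Message = 'S=<auth> M=<text>'.
    auth_string is the 40-hex-digit authenticator response computed by the real
    MS-CHAPv2 flow; the caller supplies it."""
    msg = f"S={auth_string} M={message}".encode()
    ms_length = 1 + 1 + 2 + len(msg)          # everything after Type
    return struct.pack("!BBBH", EAP_TYPE_MSCHAPV2, OPCODE_SUCCESS_REQUEST, ms_id, ms_length) + msg


def warning_for_next_login(report: dict, user: str, ms_id: int, auth_string: str):
    """Step 216: on the account owner's next successful login, carry the warning in the
    Success Request; returns None for accounts with no recorded mismatch."""
    if user not in report:
        return None
    text = (f"Your account was used from an unrecognised device between {report[user]['first']} "
            f"and {report[user]['last']} and was isolated. Change your password.")
    return build_success_request(ms_id, auth_string, text)
```

On the sample log, `audit` flags alice and carol but not bob, and ranks the AP `00-1A-2B-3C-4D-60` on SSID `Corp` first for alice because two of her three failures came through it; the same rogue client MAC appears on every failure, which is the second locating handle the description mentions. Whether the supplicant actually displays the `M=` text to the user depends on the client software, so the alert to the administrator remains the primary channel.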
It should be noted that there is no necessary ordering among the steps of this embodiment. For example, steps 201-203 and steps 204-210 may be performed independently, i.e. the second authentication need not immediately follow the first; likewise step 216 need not immediately follow step 215, since it is performed only when the legitimate user authenticates. The figure shows the steps in this order only so that the solution of the present invention can be described completely; in the technical solution of the present invention the order in which the steps are performed is not limited to the above.
In this embodiment, because the messages of the PEAP-MSCHAPv2 authentication are carried inside a Transport Layer Security (TLS) tunnel, an attacker cannot learn the details of what is transmitted and therefore cannot crack it by intercepting messages (this holds as long as the client validates the server's certificate, so that the tunnel really terminates at the legitimate network access server). Because the challenge is also an input to the additional identification information, the attacker cannot forge this unique identifier by replay or similar means either. In addition, PEAP-MSCHAPv2 is based on the Extensible Authentication Protocol (EAP) and can be carried over RADIUS. Therefore, the network access server in this embodiment is a RADIUS server that supports PEAP-MSCHAPv2, and the SSID and the MAC address of the AP are uploaded in RADIUS messages.
This embodiment provides a network access authentication method in which the network access server extracts the authentication additional identification information from the authentication request message sent by the client, checks it against the locally computed preset additional identification information and, when the check fails, issues an isolation policy so that the network device monitors and isolates the client's network access under that policy. This embodiment solves the wireless network access security problem that exists when the prior art authenticates wireless users with only a user name and password, greatly improves the security of users' network access in the wireless network, and lets the network administrator audit and locate attacks on and intrusions into the wireless network.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be performed by hardware under the direction of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments; the storage medium may be a ROM, a RAM, a magnetic disk, an optical disc or any other medium that can store program code.
Fig. 5 is a schematic structural diagram of network access server embodiment one of the present invention. As shown in Fig. 5, this embodiment provides a network access server that can perform the steps of method embodiment one above, which are not repeated here. The network access server of this embodiment may include a receiving module 501, a verification module 502 and an identification module 503. The receiving module 501 receives the authentication request message sent by the client, which carries the authentication additional identification information. The verification module 502 checks the authentication additional identification information against the locally computed preset additional identification information. The identification module 503 performs identification processing on the illegitimately accessing client when the authentication additional identification information is inconsistent with the preset additional identification information.
Fig. 6 is a schematic structural diagram of network access server embodiment two of the present invention. As shown in Fig. 6, this embodiment provides a network access server that can perform the steps of method embodiment two above, which are not repeated here. On the basis of the embodiment of Fig. 5, the network access server of this embodiment may further include a generation module 601 and a first computing module 602. The generation module 601 generates a challenge value before the client authenticates, issues the challenge value to the client and stores it locally. The first computing module 602 computes the preset additional identification information from the locally stored client identifier and the challenge value. The authentication additional identification information carried in the authentication request message received by the receiving module 501 is generated by the client from the client identifier it obtains from itself and the challenge value it receives.
Further, the network access server of this embodiment may also include an acquisition module 603, which, before the client authenticates, extracts the client identifier from the first authentication request message received from the client, or obtains the client identifier from the client in advance by active configuration, and stores the client identifier locally.
Further, the identification module 503 of the network access server of this embodiment may include an isolation unit 513, which issues an isolation policy to the network device and thereby triggers the network device to monitor and isolate the client's network access according to that policy.
Further, the identification module 503 of the network access server of this embodiment may also include a log recording unit 523 and a locating unit 533. The log recording unit 523 records the client's failed access authentication check in the authentication log and sends an alarm notification to the administrator. The locating unit 533 audits the online behaviour of the illegitimately accessing client according to the authentication log and locates that client.
This embodiment provides a network access server that extracts the authentication additional identification information from the authentication request message sent by the client, checks it against the locally computed preset additional identification information and, when the check fails, performs identification processing on the illegitimately accessing client. This embodiment solves the wireless network access security problem that exists when the prior art authenticates wireless users with only a user name and password, greatly improves the security of users' network access in the wireless network, and lets the network administrator audit and locate attacks on and intrusions into the wireless network.
Fig. 7 is a schematic structural diagram of client embodiment one of the present invention. As shown in Fig. 7, this embodiment provides a client that may include a sending module 701, a verification triggering module 702 and an identification triggering module 703. The sending module 701 sends the authentication request message, which carries the authentication additional identification information, to the network access server. The verification triggering module 702 triggers the network access server to check the authentication additional identification information against the locally computed preset additional identification information. The identification triggering module 703 triggers the network access server to perform identification processing on the illegitimately accessing client when the authentication additional identification information is inconsistent with the preset additional identification information.
Fig. 8 is a schematic structural diagram of client embodiment two of the present invention. As shown in Fig. 8, on the basis of the client of Fig. 7, the client of this embodiment may further include a second computing module 801, which computes the authentication additional identification information from the client identifier obtained from the client itself and the challenge value received from the network access server.
This embodiment also provides a network access authentication processing system, which may include a network device, the network access server of Fig. 5 or Fig. 6, and the client of Fig. 7 or Fig. 8.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solution outside the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (14)

1. A network access authentication method, characterised by comprising:
receiving an authentication request message sent by a client, the authentication request message carrying authentication additional identification information;
checking the authentication additional identification information against locally computed preset additional identification information;
when the authentication additional identification information is inconsistent with the preset additional identification information, performing identification processing on the illegitimately accessing client.
2. The method according to claim 1, characterised by further comprising:
generating a challenge value, issuing the challenge value to the client and storing it locally;
computing the preset additional identification information from a locally stored client identifier and the challenge value.
3. The method according to claim 1 or 2, characterised in that, before the client authenticates, it further comprises:
extracting the client identifier from a first authentication request message received from the client, or obtaining the client identifier from the client in advance by active configuration, and storing the client identifier locally.
4. The method according to claim 2, characterised in that the authentication additional identification information is generated by the client from the client identifier it obtains from itself and the challenge value it receives.
5. The method according to claim 1, characterised in that performing identification processing on the illegitimately accessing client comprises:
issuing an isolation policy to a network device, the network device monitoring and isolating the client's network access according to the isolation policy.
6. The method according to claim 1, characterised in that performing identification processing on the illegitimately accessing client comprises:
recording the client's failed access authentication check in an authentication log and sending an alarm notification to an administrator;
auditing the online behaviour of the illegitimately accessing client according to the authentication log and locating the illegitimately accessing client.
7. A network access server, characterised by comprising:
a receiving module, for receiving an authentication request message sent by a client, the authentication request message carrying authentication additional identification information;
a verification module, for checking the authentication additional identification information against locally computed preset additional identification information;
an identification module, for performing identification processing on the illegitimately accessing client when the authentication additional identification information is inconsistent with the preset additional identification information.
8. The server according to claim 7, characterised by further comprising:
a generation module, for generating a challenge value, issuing the challenge value to the client and storing it locally;
a first computing module, for computing the preset additional identification information from a locally stored client identifier and the challenge value.
9. The server according to claim 7 or 8, characterised by further comprising:
an acquisition module, for extracting, before the client authenticates, the client identifier from a first authentication request message received from the client, or obtaining the client identifier from the client in advance by active configuration, and storing the client identifier locally.
10. The server according to claim 7, characterised in that the identification module comprises:
an isolation unit, for issuing an isolation policy to a network device and triggering the network device to monitor and isolate the client's network access according to the isolation policy.
11. The server according to claim 7, characterised in that the identification module comprises:
a log recording unit, for recording the client's failed access authentication check in an authentication log and sending an alarm notification to an administrator;
a locating unit, for auditing the online behaviour of the illegitimately accessing client according to the authentication log and locating the illegitimately accessing client.
12. A client, characterised by comprising:
a sending module, for sending an authentication request message to a network access server, the authentication request message carrying authentication additional identification information;
a verification triggering module, for triggering the network access server to check the authentication additional identification information against locally computed preset additional identification information;
an identification triggering module, for triggering the network access server to perform identification processing on the illegitimately accessing client when the authentication additional identification information is inconsistent with the preset additional identification information.
13. The client according to claim 12, characterised by further comprising:
a second computing module, for computing the authentication additional identification information from the client identifier obtained from the client itself and the challenge value received from the network access server.
14. A network access authentication processing system, characterised by comprising a network device, the network access server according to any one of claims 7 to 11, and the client according to claim 12 or 13.
CN2010102444776A 2010-08-03 2010-08-03 Authentication processing method, system, client side and server for network access Pending CN101977383A (en)

Publications (1)

Publication Number Publication Date
CN101977383A true CN101977383A (en) 2011-02-16

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102158483A (en) * 2011-03-11 2011-08-17 青岛海信传媒网络技术有限公司 Method and system for authenticating access of intelligent television, intelligent television and authentication server
CN102546636A (en) * 2012-01-10 2012-07-04 北京邮电大学 Protected resource monitoring method and device
CN102752305A (en) * 2011-03-29 2012-10-24 英特尔公司 Techniques enabling efficient synchronized authenticated network access
CN103095702A (en) * 2013-01-11 2013-05-08 大唐移动通信设备有限公司 Request message reporting and processing method and device thereof
CN103166702A (en) * 2013-02-05 2013-06-19 何建亿 Method and device for configuring wireless network in voice frequency mode
CN103179127A (en) * 2013-03-28 2013-06-26 华为技术有限公司 Method, apparatus and system for handling message
CN103384249A (en) * 2013-07-08 2013-11-06 北京星网锐捷网络技术有限公司 Network access authentication method, device and system and authentication server
WO2014139097A1 (en) * 2013-03-13 2014-09-18 Intel Corporation Systems and methods for account recovery using a platform attestation credential
CN104660405A (en) * 2013-11-21 2015-05-27 中国移动通信集团公司 Business equipment authentication method and equipment
CN105188055A (en) * 2015-08-14 2015-12-23 中国联合网络通信集团有限公司 Wireless network access method, wireless access point and server
CN105847234A (en) * 2016-03-11 2016-08-10 中国联合网络通信集团有限公司 Suspicious terminal access pre-warning method, gateway management platform and gateway device
CN106375301A (en) * 2016-08-30 2017-02-01 成都源知信息技术有限公司 Network device authentication method and device
CN106954216A (en) * 2017-04-28 2017-07-14 北京北信源软件股份有限公司 Authentication method and system based on 802.1X agreements
CN106992958A (en) * 2016-01-21 2017-07-28 阿里巴巴集团控股有限公司 Method and system for locating a malicious account through a lost account
CN107360095A (en) * 2017-07-13 2017-11-17 惠州高盛达科技有限公司 The implementation method of port forwarding in the router based on client host title
CN108882240A (en) * 2018-07-11 2018-11-23 北京奇安信科技有限公司 The implementation method and device of mobile device access network
CN111031540A (en) * 2019-11-22 2020-04-17 儒庭信息技术(上海)有限公司 Wireless network connection method and computer storage medium
CN111130797A (en) * 2019-12-23 2020-05-08 深圳市永达电子信息股份有限公司 Security protection system, method and storage medium based on challenge response
WO2021087973A1 (en) * 2019-11-08 2021-05-14 Zte Corporation Wireless communication method for registration procedure
US11816195B2 (en) * 2019-08-14 2023-11-14 Nec Corporation Information processing apparatus, information processing method, and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1549526A (en) * 2003-05-16 2004-11-24 华为技术有限公司 Method for realizing radio local area network authentication
CN101588360A (en) * 2009-07-03 2009-11-25 深圳市安络大成科技有限公司 Associated equipment and method for internal network security management
CN101621801A (en) * 2009-08-11 2010-01-06 深圳华为通信技术有限公司 Method, system, server and terminal for authenticating wireless local area network
CN101867929A (en) * 2010-05-25 2010-10-20 北京星网锐捷网络技术有限公司 Authentication method, system, authentication server and terminal equipment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1549526A (en) * 2003-05-16 2004-11-24 华为技术有限公司 Method for realizing radio local area network authentication
CN101588360A (en) * 2009-07-03 2009-11-25 深圳市安络大成科技有限公司 Associated equipment and method for internal network security management
CN101621801A (en) * 2009-08-11 2010-01-06 深圳华为通信技术有限公司 Method, system, server and terminal for authenticating wireless local area network
CN101867929A (en) * 2010-05-25 2010-10-20 北京星网锐捷网络技术有限公司 Authentication method, system, authentication server and terminal equipment

Cited By (34)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102158483A (en) * 2011-03-11 2011-08-17 青岛海信传媒网络技术有限公司 Method and system for authenticating access of intelligent television, intelligent television and authentication server
CN102752305A (en) * 2011-03-29 2012-10-24 英特尔公司 Techniques enabling efficient synchronized authenticated network access
CN102752305B (en) * 2011-03-29 2016-08-03 英特尔公司 It is capable of the technology of the certification network insertion of high efficiency synchronous
US9521108B2 (en) 2011-03-29 2016-12-13 Intel Corporation Techniques enabling efficient synchronized authenticated network access
CN102546636A (en) * 2012-01-10 2012-07-04 北京邮电大学 Protected resource monitoring method and device
CN103095702A (en) * 2013-01-11 2013-05-08 大唐移动通信设备有限公司 Request message reporting and processing method and device thereof
CN103166702A (en) * 2013-02-05 2013-06-19 何建亿 Method and device for configuring wireless network in voice frequency mode
US9600671B2 (en) 2013-03-13 2017-03-21 Intel Corporation Systems and methods for account recovery using a platform attestation credential
WO2014139097A1 (en) * 2013-03-13 2014-09-18 Intel Corporation Systems and methods for account recovery using a platform attestation credential
US9378371B2 (en) 2013-03-13 2016-06-28 Intel Corporation Systems and methods for account recovery using a platform attestation credential
CN103179127B (en) * 2013-03-28 2016-03-02 华为技术有限公司 A kind of method of processing messages, Apparatus and system
CN103179127A (en) * 2013-03-28 2013-06-26 华为技术有限公司 Method, apparatus and system for handling message
CN103384249A (en) * 2013-07-08 2013-11-06 北京星网锐捷网络技术有限公司 Network access authentication method, device and system and authentication server
CN104660405A (en) * 2013-11-21 2015-05-27 中国移动通信集团公司 Business equipment authentication method and equipment
CN104660405B (en) * 2013-11-21 2018-06-12 中国移动通信集团公司 A kind of business device authentication method and equipment
CN105188055A (en) * 2015-08-14 2015-12-23 中国联合网络通信集团有限公司 Wireless network access method, wireless access point and server
CN105188055B (en) * 2015-08-14 2018-06-12 中国联合网络通信集团有限公司 wireless network access method, wireless access point and server
CN106992958B (en) * 2016-01-21 2020-11-06 阿里巴巴集团控股有限公司 Method and system for positioning malicious account through lost account
CN106992958A (en) * 2016-01-21 2017-07-28 阿里巴巴集团控股有限公司 A kind of method and system that malice account is positioned by losing account
CN105847234A (en) * 2016-03-11 2016-08-10 中国联合网络通信集团有限公司 Suspicious terminal access pre-warning method, gateway management platform and gateway device
CN105847234B (en) * 2016-03-11 2018-11-20 中国联合网络通信集团有限公司 Suspicious terminal access method for early warning, gateway management platform and gateway
CN106375301B (en) * 2016-08-30 2020-01-03 成都源知信息技术有限公司 Network equipment authentication method and authentication equipment
CN106375301A (en) * 2016-08-30 2017-02-01 成都源知信息技术有限公司 Network device authentication method and device
CN106954216A (en) * 2017-04-28 2017-07-14 北京北信源软件股份有限公司 Authentication method and system based on 802.1X agreements
CN106954216B (en) * 2017-04-28 2020-07-14 北京北信源软件股份有限公司 Authentication method and system based on 802.1X protocol
CN107360095A (en) * 2017-07-13 2017-11-17 惠州高盛达科技有限公司 Method for implementing port forwarding in a router based on client host name
CN107360095B (en) * 2017-07-13 2020-06-23 惠州高盛达科技有限公司 Method for realizing port forwarding in router based on client host name
CN108882240A (en) * 2018-07-11 2018-11-23 北京奇安信科技有限公司 Method and device for implementing network access of mobile devices
CN108882240B (en) * 2018-07-11 2021-08-17 奇安信科技集团股份有限公司 Method and device for realizing network access of mobile equipment
US11816195B2 (en) * 2019-08-14 2023-11-14 Nec Corporation Information processing apparatus, information processing method, and storage medium
WO2021087973A1 (en) * 2019-11-08 2021-05-14 Zte Corporation Wireless communication method for registration procedure
CN111031540A (en) * 2019-11-22 2020-04-17 儒庭信息技术(上海)有限公司 Wireless network connection method and computer storage medium
CN111130797A (en) * 2019-12-23 2020-05-08 深圳市永达电子信息股份有限公司 Security protection system, method and storage medium based on challenge response
CN111130797B (en) * 2019-12-23 2022-09-09 深圳市永达电子信息股份有限公司 Security protection system, method and storage medium based on challenge response

Similar Documents

Publication Publication Date Title
CN101977383A (en) Authentication processing method, system, client side and server for network access
EP3453136B1 (en) Methods and apparatus for device authentication and secure data exchange between a server application and a device
EP1834451B1 (en) Network infrastructure validation of network management frames
WO2016141856A1 (en) Verification method, apparatus and system for network application access
CN103763356B (en) SSL connection establishment method, apparatus and system
CN104283848B (en) Terminal access method and device
CN104869102B (en) Authorization method, device and system based on the xAuth protocol
CN106453361B (en) Security protection method and system for network information
CN104125565A (en) Method for realizing terminal authentication based on OMA DM, terminal and server
CN112989426B (en) Authorization authentication method and device, and resource access token acquisition method
CN106559785B (en) Authentication method, device and system, access device and terminal
CN109347875A (en) Internet of Things device, Internet of Things platform, and method and system for accessing the Internet of Things platform
CN104754571A (en) User authentication realizing method, device and system thereof for multimedia data transmission
WO2011063744A1 (en) Method, system and device for identity authentication in extensible authentication protocol (eap) authentication
CN105099686B (en) Data synchronous method, server, terminal and system
EP4274192A1 (en) Access control method and apparatus, and network-side device, terminal and blockchain node
CA3058180A1 (en) Secure media casting bypassing mobile devices
CN103036906B (en) Network device authentication method, apparatus, access device and controllable device
CN111314269B (en) Address automatic allocation protocol security authentication method and equipment
KR100957044B1 (en) Method and system for providing mutual authentication using kerberos
CN104580154A (en) Web service security access method, system and corresponding server
KR20130057678A (en) Apparatus for verifying certificate and method thereof, and recording medium storing program for executing method of the same in computer
KR101692161B1 (en) System and method for authorization using beacon transmitter and one-time password
Mallik et al. Understanding Man-in-the-middle-attack through Survey of Literature
CN105790932A (en) Encryption method through using machine codes as bases

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110216