CN102624744B - Authentication method, device and system of network device and network device - Google Patents


Info

Publication number
CN102624744B
Authority
CN
China
Prior art keywords
certificate
network equipment
equipment
message
request packet
Prior art date
Legal status
Active
Application number
CN201210100152.XA
Other languages
Chinese (zh)
Other versions
CN102624744A (en)
Inventor
陈泽龙
Current Assignee
Beijing Star Net Ruijie Networks Co Ltd
Original Assignee
Beijing Star Net Ruijie Networks Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Star Net Ruijie Networks Co Ltd
Priority to CN201210100152.XA
Publication of CN102624744A
Application granted
Publication of CN102624744B
Legal status: Active

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an authentication method, device and system of a network device, and a network device. The authentication method comprises the following steps: after the network device is physically connected to its upstream device, receiving the challenge message that the upstream device transmits once the upstream device's own authentication has succeeded; transmitting an authentication request message to the upstream device, wherein the authentication request message transmitted by the network device carries a certificate obtained by the network device; and receiving an authentication response message transmitted by the upstream device, the network device forwarding the data packets it receives when the authentication response message carries an indication of authentication success. With the authentication method, device and system of the network device and the network device disclosed by the invention, the legitimacy of the network device can be authenticated and network security is improved; in addition, the certificate obtained by the network device is conveniently transmitted over the network to a certificate verification device for verification, so usability is higher.

Description

Authentication method, device and system of a network device, and network device
Technical field
The present invention relates to information security technology, and in particular to an authentication method, device and system of a network device and to a network device, in the field of communication technology.
Background
Public Key Infrastructure (PKI) is a key management platform that follows established standards and can provide cryptographic services such as encryption and digital signatures, together with the necessary key and certificate management systems, for all network applications; in simple terms, PKI is the infrastructure, built on public-key theory and technology, that provides security services. The core technology of PKI revolves around the application of digital certificates and unfolds across their whole life cycle of issuance, use and revocation.
A digital certificate is issued to each user by a Certificate Authority (CA) center using public-key techniques; its function is to certify that the user listed in the certificate legitimately holds the public key listed in the certificate. The format of the digital certificate follows the X.509 standard.
In network security protection, because the physical interfaces of the internal network are dispersed across different locations of a building, anyone who can enter those areas can easily use the exposed physical interfaces to access the internal network and attack it.
At present, network security protection in many networks relies mostly on devices such as firewalls, which guard against external attacks; to protect the internal network, an important means is network identity authentication, and device identity authentication is one such method provided by the prior art.
Existing device identity authentication relies on a CA center issuing digital certificates to trusted users and is mainly used in e-commerce and e-mail for encrypting and decrypting the behaviour of local applications. However, existing device identity authentication does not support authenticating the legitimacy of a network device, so network security is low; moreover, the digital certificate can only be delivered to the CA center manually, where the CA center verifies it, which is very inconvenient to implement and has low usability.
Summary of the invention
The invention provides an authentication method, device and system of a network device, and a network device, so that the legitimacy of the network device can be authenticated and network security improved.
One aspect of the present invention provides an authentication method of a network device, comprising:
after the network device is physically connected to its upstream device, receiving the challenge message that the upstream device sends after the upstream device's own authentication has succeeded;
the network device sending an authentication request message to the upstream device, the authentication request message sent by the network device carrying the certificate obtained by the network device;
the network device receiving the authentication response message sent by the upstream device and, when the authentication response message carries an indication of authentication success, forwarding the data packets it receives. The authentication response message sent by the upstream device is the one the upstream device sends to the network device after forwarding the certificate obtained by the network device to a certificate verification device, which verifies that certificate, and after receiving the authentication response message that the certificate verification device sends.
Another aspect of the present invention provides an authentication apparatus of a network device, arranged in the network device and comprising:
a receiving module for receiving, after the network device is physically connected to its upstream device, the challenge message that the upstream device sends after the upstream device's own authentication has succeeded, and for receiving the authentication response message sent by the upstream device, which is the one the upstream device sends after forwarding the certificate obtained by the network device to a certificate verification device for verification and after receiving the authentication response message sent by the certificate verification device;
a sending module for sending an authentication request message to the upstream device, the authentication request message carrying the certificate obtained by the network device, and for forwarding the data packets received by the network device when the authentication response message received by the receiving module carries an indication of authentication success.
A further aspect of the present invention provides a network device comprising the authentication apparatus described above.
Another aspect of the invention provides an authentication system of network devices, comprising at least two interconnected network devices as described above and a certificate verification device.
The technical effect of one aspect of the present invention is as follows: after the network device is physically connected to its upstream device, it receives the challenge message that the upstream device sends after the upstream device's own authentication has succeeded; the network device then sends the upstream device an authentication request message carrying the certificate it has obtained, receives the authentication response message sent by the upstream device and, when that message carries an indication of authentication success, forwards the data packets it receives. The legitimacy of the network device can thus be authenticated and network security improved; moreover, because the certificate obtained by the network device is sent over the network to the certificate verification device for verification, implementation is convenient and usability is higher.
Brief description of the drawings
Fig. 1 is a flow chart of an embodiment of the authentication method of a network device of the present invention;
Fig. 2 is a flow chart of another embodiment of the authentication method of a network device of the present invention;
Fig. 3 is a schematic diagram of an embodiment of an application scenario of the present invention;
Fig. 4 is a structural diagram of an embodiment of the authentication apparatus of a network device of the present invention;
Fig. 5 is a structural diagram of another embodiment of the authentication apparatus of a network device of the present invention;
Fig. 6 is a structural diagram of an embodiment of the authentication system of network devices of the present invention.
Detailed description
Fig. 1 is a flow chart of an embodiment of the authentication method of a network device of the present invention; as shown in Fig. 1, the authentication method of the network device may comprise:
Step 101: after the network device is physically connected to its upstream device, the network device receives the challenge message that the upstream device sends after the upstream device's own authentication has succeeded.
Step 102: the network device sends an authentication request message to the upstream device; the authentication request message sent by the network device carries the certificate that the network device has obtained.
Step 103: the network device receives the authentication response message sent by the upstream device and, when the authentication response message carries an indication of authentication success, forwards the data packets it receives.
In this embodiment, the authentication response message sent by the upstream device is the one the upstream device sends to the network device after forwarding the certificate obtained by the network device to a certificate verification device, which verifies that certificate, and after receiving the authentication response message sent by the certificate verification device.
In one implementation of this embodiment, the initial value of the global state of the network device may be set to the un-authenticated state. While the global state is un-authenticated, the network device can forward only CA-type messages (for example, authentication messages) or Address Resolution Protocol (ARP) messages; messages of all other types cannot be forwarded. When the received authentication response message carries an indication of authentication success, the network device changes its global state to the authentication-success state, at which point it can forward the data packets it receives; that is, after authentication succeeds the network device can forward messages of all types that it receives.
In another implementation of this embodiment, the network device may instead be configured so that, before authentication succeeds, it can forward only CA-type messages (for example, authentication messages) or ARP messages, and messages of all other types cannot be forwarded. When the received authentication response message carries an indication of authentication success, the network device knows that its own authentication has succeeded, at which point it can forward the data packets it receives; that is, after authentication succeeds the network device can forward messages of all types that it receives.
In this embodiment, the certificate verification device is used to perform certificate verification and may be an upstream device inside the network, such as a gateway.
In this embodiment, the challenge message may comprise a CA message identification field and a CA message type field. The value of the CA message identification field in the challenge message is the protocol number of the tunneling protocol adopted by the challenge message; the value of the CA message type field in the challenge message is a first preset value, for example "00", which indicates that the message type is a challenge message.
The authentication request message may comprise a CA message identification field, a CA message type field, a layer-2/layer-3 device identification field, a Media Access Control (MAC)/Internet Protocol (IP) address field and a CA certificate information field. The value of the CA message identification field in the authentication request message is the protocol number of the tunneling protocol adopted by the authentication request message; the value of the CA message type field may be a second preset value, for example "01", which indicates that the message type is an authentication request message; the value of the layer-2/layer-3 device identification field indicates whether the network device is a layer-2 device or a layer-3 device. When the value of the layer-2/layer-3 device identification field indicates that the network device is a layer-2 device, the value of the MAC/IP address field is the MAC address of the network device; when it indicates that the network device is a layer-3 device, the value of the MAC/IP address field is the IP address of the network device. The CA certificate information field in the authentication request message carries the certificate obtained by the network device.
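The challenge and authentication request formats just described, as an added illustration that is not code from the patent: a small encoder/decoder for the CA-type message fields, the outer header values the description gives, and the pre-authentication forwarding gate. The byte layout, the protocol number 253 and the response type value are assumptions, since the page names the fields but not their widths.

```python
import struct
from dataclasses import dataclass

# Field values the description gives: message type "00" = challenge, "01" =
# authentication request; L2/L3 flag "0" = layer-3 device, "1" = layer-2 device.
TYPE_CHALLENGE = 0x00
TYPE_AUTH_REQUEST = 0x01
TYPE_AUTH_RESPONSE = 0x02      # not given on the page; assumed value
L3_DEVICE, L2_DEVICE = 0, 1
CA_PROTOCOL_NUMBER = 253       # assumed stand-in for the tunneling protocol number
                               # (253 is an IANA "experimental" IP protocol number)
# Assumed fixed layout: proto, type, L2/L3 flag, success indication,
# address length, certificate length; then the address and certificate bytes.
HEADER = struct.Struct("!BBBBBH")
# Outer Ethernet/IP header values the description gives for the challenge.
CHALLENGE_OUTER = {"dst_mac": "ff:ff:ff:ff:ff:ff", "dst_ip": "255.255.255.255", "ttl": 1}
AUTH_REQUEST_TTL = 255
UNAUTHENTICATED, AUTHENTICATED = "unauthenticated", "authentication-success"


@dataclass
class CAMessage:
    msg_type: int
    device_is_l2: bool
    address: bytes = b""       # MAC/IP address field: 6-byte MAC or 4-byte IPv4
    certificate: bytes = b""   # CA certificate information field
    success: int = 0           # success (1) / failure (0) indication, responses only


def address_length(device_is_l2: bool) -> int:
    """The MAC/IP field holds a MAC for a layer-2 device, an IP for a layer-3 one."""
    return 6 if device_is_l2 else 4


def encode(msg: CAMessage) -> bytes:
    """Serialise a CA message, refusing inconsistent field combinations."""
    if msg.msg_type != TYPE_CHALLENGE and len(msg.address) != address_length(msg.device_is_l2):
        raise ValueError("MAC/IP address field does not match the L2/L3 flag")
    if msg.msg_type == TYPE_AUTH_REQUEST and not msg.certificate:
        raise ValueError("authentication request must carry the device certificate")
    flag = L2_DEVICE if msg.device_is_l2 else L3_DEVICE
    header = HEADER.pack(CA_PROTOCOL_NUMBER, msg.msg_type, flag, msg.success,
                         len(msg.address), len(msg.certificate))
    return header + msg.address + msg.certificate


def decode(buf: bytes) -> CAMessage:
    """Parse a CA message; the identification field must match the protocol number."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated CA message")
    proto, msg_type, flag, success, alen, clen = HEADER.unpack_from(buf)
    if proto != CA_PROTOCOL_NUMBER:
        raise ValueError("CA message identification field mismatch")
    if msg_type not in (TYPE_CHALLENGE, TYPE_AUTH_REQUEST, TYPE_AUTH_RESPONSE):
        raise ValueError("unknown CA message type")
    if flag not in (L2_DEVICE, L3_DEVICE):
        raise ValueError("unknown L2/L3 device identification value")
    body = buf[HEADER.size:]
    if len(body) != alen + clen:
        raise ValueError("length fields do not match the payload")
    msg = CAMessage(msg_type, flag == L2_DEVICE, body[:alen], body[alen:], success)
    if msg_type != TYPE_CHALLENGE and alen != address_length(msg.device_is_l2):
        raise ValueError("MAC/IP address field does not match the L2/L3 flag")
    if msg_type == TYPE_AUTH_REQUEST and not msg.certificate:
        raise ValueError("authentication request without a certificate")
    return msg


def auth_request_outer(dev_mac: str, dev_ip: str, up_mac: str, up_ip: str) -> dict:
    """Outer headers of an authentication request: normal L2/L3 encapsulation, TTL 255."""
    return {"src_mac": dev_mac, "dst_mac": up_mac, "src_ip": dev_ip, "dst_ip": up_ip,
            "ttl": AUTH_REQUEST_TTL}


def may_forward(global_state: str, frame_kind: str) -> bool:
    """Forwarding gate: before authentication only CA-type and ARP traffic passes."""
    if global_state == AUTHENTICATED:
        return True
    return frame_kind in ("ca", "arp")


if __name__ == "__main__":
    # Constructed sample: a layer-2 switch presenting a placeholder certificate blob.
    request = CAMessage(TYPE_AUTH_REQUEST, True, bytes.fromhex("001122334455"), b"CERT-BLOB")
    wire = encode(request)
    print(wire.hex(), decode(wire) == request, may_forward(UNAUTHENTICATED, "ipv4"))
```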
In the above embodiment, after the network device is physically connected to its upstream device, it receives the challenge message that the upstream device sends after the upstream device's own authentication has succeeded; the network device then sends the upstream device an authentication request message carrying the certificate it has obtained, receives the authentication response message sent by the upstream device and, when that message carries an indication of authentication success, forwards the data packets it receives. The legitimacy of the network device can thus be authenticated and network security improved; moreover, because this embodiment sends the certificate obtained by the network device over the network to the certificate verification device for verification, implementation is convenient and usability is higher.
Fig. 2 is a flow chart of another embodiment of the authentication method of a network device of the present invention; as shown in Fig. 2, the authentication method of the network device may comprise:
Step 201: after the network device is physically connected to its upstream device, the network device receives the challenge message that the upstream device sends after the upstream device's own authentication has succeeded.
In this embodiment, after the network device is physically connected to the upstream device: if the upstream device has already been authenticated successfully, it sends the challenge message to the network device when it perceives that the state of its port connected to the network device has changed, for example from down to up; if the upstream device has not yet been authenticated successfully, it perceives the same port state change, for example from down to up, waits until its own authentication succeeds, and then sends the challenge message to the network device.
The format of the challenge message may be as shown in Table 1.
Table 1
In the challenge message, the destination MAC address in the Ethernet header field is all F (the broadcast address); the destination IP address in the IP header field is 255.255.255.255; the value of the CA message identification field is a protocol number, namely the protocol number of the tunneling protocol adopted by the challenge message; the value of the CA message type field may be a first preset value, for example "00", which indicates that the message type is a challenge message; when the value of the layer-2/layer-3 device identification field is "0", the device sending the challenge message is a layer-3 device, and when it is "1", the device sending the challenge message is a layer-2 device; the value of the TTL field is "1".
Step 202: the network device determines whether it has obtained a certificate. If so, step 204 is performed; if the network device determines that it has not yet obtained a certificate, step 203 is performed.
Specifically, the network device may search a storage medium of the network device such as its flash memory or hard disk: if a certificate is found, it determines that it has obtained a certificate, and if not, it may determine that it has not yet obtained one. Alternatively,
after a USB flash drive or portable hard drive is plugged into the Universal Serial Bus (USB) interface of the network device, the network device may search that USB flash drive or portable hard drive: if a certificate is found, it determines that it has obtained a certificate, and if not, it may determine that it has not yet obtained one.
These are only a few examples of how the network device determines whether it has obtained a certificate; the present invention is of course not limited to them and places no restriction on the manner in which the network device makes this determination.
Step 203: the network device determines that its authentication has failed.
Step 204: the network device determines whether its authentication has succeeded. If so, step 205 is performed; if the network device determines that it has not yet been authenticated successfully, step 206 is performed.
In one implementation of this embodiment, the initial value of the global state of the network device may be set to the un-authenticated state. While the global state is un-authenticated, the network device can forward only CA-type messages (for example, authentication messages) or ARP messages, and messages of all other types cannot be forwarded; after authentication succeeds, the network device changes its global state to the authentication-success state, in which it can forward the data packets it receives. Specifically, in this step, after determining that it has obtained a certificate, the network device may determine whether its global state is the un-authenticated state or the authentication-success state: if the global state is un-authenticated, the network device may determine that it has not yet been authenticated successfully; if the global state is authentication-success, the network device may determine that its authentication has succeeded.
In another implementation of this embodiment, the network device may instead be configured so that, before authentication succeeds, it can forward only CA-type messages (for example, authentication messages) or ARP messages, and messages of all other types cannot be forwarded; after authentication succeeds, the network device can forward the data packets it receives, that is, messages of all types that it receives. Specifically, in this step, after determining that it has obtained a certificate, the network device may determine whether it is able to forward data packets: if it can forward data packets, it may determine that its authentication has succeeded; if it cannot, it may determine that it has not yet been authenticated successfully.
In a specific implementation of this approach, the network device may query the number of packets received and sent on the interfaces of the network device that are connected to other network devices. If the number of packets received on such an interface is not 0 but the number sent is 0, the network device cannot forward data packets, and it can thus determine that it has not yet been authenticated successfully; if the number received is not 0 and the number sent is also not 0, the network device can forward data packets, and it can thus determine that its authentication has succeeded.
The above are only two examples of how the network device determines whether its authentication has succeeded; the present invention is not limited to them and places no restriction on the manner in which the network device makes this determination.
Step 205: the network device forwards the data packets it receives.
In this embodiment, after the network device determines that its authentication has succeeded, it may forward the data packets it receives.
For example, if a loose cable causes the network device to be disconnected from the upstream device, then once the cable is reseated the network device is again physically connected to the upstream device. The upstream device again perceives that the state of its port connected to the network device has changed, for example from down to up, and therefore again sends a challenge message to the network device. After receiving this challenge message, however, the network device determines that it has already obtained a certificate and has already been authenticated successfully, so it can directly forward the data packets it receives without repeating authentication.
Step 206: the network device sends an authentication request message to the upstream device.
In this embodiment, the authentication request message sent by the network device carries the certificate obtained by the network device; specifically, the format of the authentication request message may be as shown in Table 2.
Table 2
In the authentication request message, the source MAC address and destination MAC address in the Ethernet header field are encapsulated as for normal layer-2 forwarding; in this embodiment the source MAC address in the Ethernet header field is the MAC address of the network device and the destination MAC address is the MAC address of the upstream device. In the IP header field, the source IP address is the IP address of the network device and the destination IP address is the IP address of the upstream device. The value of the CA message identification field is a protocol number, namely the protocol number of the tunneling protocol adopted by the authentication request message. The value of the CA message type field may be a second preset value, for example "01", which indicates that the message type is an authentication request message. When the value of the layer-2/layer-3 device identification field is "0", the device sending the authentication request message, namely the network device in this embodiment, is a layer-3 device; when the value is "1", the network device is a layer-2 device. When the value of the layer-2/layer-3 device identification field is "0", the value of the MAC/IP address field is the IP address of the network device, and when it is "1", the value of the MAC/IP address field is the MAC address of the network device. The CA certificate information field carries the certificate obtained by the network device, and the value of the TTL field is "255".
Step 207: after receiving the authentication request message sent by the network device, the upstream device decapsulates it.
In this embodiment, the outer source address of the authentication request message sent by the network device is the address of the network device, and its outer destination address is the address of the upstream device. With reference to Table 2, the outer source address of the authentication request message sent by the network device is the source IP address in the IP header field, namely the IP address of the network device; the outer destination address is the destination IP address in the IP header field, namely the IP address of the upstream device.
Step 208: the upstream device changes the outer source address of the authentication request message sent by the network device to the address of the upstream device, and changes the outer destination address to the address of the certificate verification device.
With reference to Table 2, in this step the upstream device changes the source IP address in the IP header field to the IP address of the upstream device and changes the destination IP address in the IP header field to the IP address of the certificate verification device.
In this embodiment, the certificate verification device is used to perform certificate verification and may be an upstream device inside the network, such as a gateway.
Step 209: the upstream device sends the authentication request message with the changed outer source address and outer destination address to the certificate verification device.
In this embodiment, the authentication request message sent by the upstream device carries the certificate obtained by the network device.
Step 210: the certificate verification device verifies the certificate obtained by the network device.
Specifically, the certificate verification device searches its certificate repository for a certificate having the same certificate identifier as the certificate obtained by the network device. If one is found, the certificate verification device verifies the certificate obtained by the network device against the certificate found; if no certificate with the same certificate identifier is found in the repository, the certificate verification device sends the CA center a certificate download request carrying that certificate identifier and, after receiving the certificate that the CA center sends according to the identifier, verifies the certificate obtained by the network device against the received certificate.
In this embodiment, a certificate may comprise information such as the certificate version, the certificate index, the MAC address of the device holding the certificate and the person responsible for that device; the certificate identifier may be any piece of information in the certificate that uniquely identifies it, for example the certificate index.
Step 211: the certificate verification device sends an authentication response message to the upstream device.
In this embodiment, if the certificate verification device determines that the cryptographic algorithm of the certificate obtained by the network device is correct, that the certificate content is not forged and that the certificate has not expired, the authentication response message it sends carries an indication of authentication success; if it determines that the cryptographic algorithm of the certificate is incorrect, that the certificate content is forged, that the certificate has expired or that the certificate has been revoked, the authentication response message it sends carries an indication of authentication failure.
Step 212: the upstream device sends the authentication response message to the network device.
In this embodiment, the value of the MAC/IP address field in the authentication response message sent by the certificate verification device is the address of the network device: when the network device is a layer-2 device, it is the MAC address of the network device, and when the network device is a layer-3 device, it is the IP address of the network device.
Specifically, the upstream device may send the authentication response message to the network device according to the value of the MAC/IP address field in the authentication response message sent by the certificate verification device.
Step 213: when the authentication response message carries an indication of authentication success, the network device forwards the data packets it receives.
Above-described embodiment can be realized the authority of the network equipment is authenticated, and improves internet security, and the certificate that the present embodiment obtains the network equipment by network sends to certificate calibration equipment to carry out verification, and it is convenient to realize, and ease for use is higher.
In addition, the authentication method that the present embodiment provides and user be without contacting directly, and need to, by user's mounting software voluntarily, also not need to consider the compatibility of software environment; And only after authentication success, the network equipment just can forward the data message that this network equipment receives, can prevent access network device privately, and prevent dilatation number of network node voluntarily, thereby can control the nodes of whole net equipment, prevent the potential safety hazard of bringing thus, further improve internet security.In addition, certificate is not easy to be forged, thereby also can improve internet security.And, in the present embodiment, authentication request packet adopts the mode of double address (being the address of all carrying the network equipment in IP header fields and MAC/IP address field), the message identifying forward-path of having avoided unverified front route to fail to set up and having caused is unreachable, has solved the forwarding problems of the front message identifying of network equipment authentication success.
During the present invention is embodiment illustrated in fig. 2, certificate calibration equipment can also receive the certificate revocation message that CA center sends, and this certificate revocation message carries the index that is revoked certificate; Then certificate calibration equipment is deleted the certificate in the certificate repository of this certificate calibration equipment with above-mentioned index, and indication has this equipment that is revoked certificate the state of self is changed to un-authenticated state.
In addition, certificate calibration equipment can also receive the certificate repository renewal message that CA center sends, and then according to this certificate repository, upgrades the more certificate repository of new authentication calibration equipment of message.
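The verification performed by the certificate calibration device in steps 210 and 211, together with the revocation and repository-update handling just described, as an added Python example (not code from the patent or its assignee). The checks it performs are the ones the description names: lookup by certificate index in the local repository, a download from the CA center on a miss, and the algorithm, forgery, expiry and revocation checks. Everything else is an assumption for the example: the class and function names (`CalibrationDevice`, `ca_issue`), the certificate field layout, and an HMAC-SHA256 tag under a constructed CA key standing in for the CA's real signature scheme.

```python
"""Certificate calibration device: lookup, download-on-miss, verification,
revocation and repository update. Added example, not the patent's code."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

CA_KEY = b"constructed-ca-key-not-a-real-secret"   # constructed stand-in for the CA key
ALGORITHM = "hmac-sha256"                           # assumed algorithm label


@dataclass(frozen=True)
class Certificate:
    """Fields named in the description: version, index (the certificate
    identifier), MAC address of the holder, person liable, validity."""
    version: int
    index: str
    mac: str
    owner: str
    not_after: str        # ISO date, e.g. "2030-01-01"
    algorithm: str
    signature: str = ""

    def body(self) -> bytes:
        # Everything the CA signs; the signature itself is excluded.
        return json.dumps([self.version, self.index, self.mac, self.owner,
                           self.not_after, self.algorithm]).encode()


def ca_sign(body: bytes) -> str:
    return hmac.new(CA_KEY, body, hashlib.sha256).hexdigest()


def ca_issue(version: int, index: str, mac: str, owner: str, not_after: str) -> Certificate:
    """Simulated CA center issuing a certificate (constructed)."""
    unsigned = Certificate(version, index, mac, owner, not_after, ALGORITHM)
    return Certificate(version, index, mac, owner, not_after, ALGORITHM,
                       ca_sign(unsigned.body()))


class CalibrationDevice:
    """The certificate calibration device (for example, the gateway)."""

    def __init__(self, ca_center: dict):
        self.repository: dict = {}      # local certificate repository, keyed by index
        self.ca_center = ca_center      # simulated CA center reached by a download request
        self.revoked: set = set()       # indices received in certificate revocation messages

    def download_from_ca(self, index: str) -> Optional[Certificate]:
        # Stands in for the certificate download request carrying the identifier.
        return self.ca_center.get(index)

    def verify(self, presented: Certificate, today: str) -> dict:
        """Steps 210/211: returns the indication carried in the response message."""
        if presented.index in self.revoked:
            return {"result": "failure", "reason": "revoked"}
        reference = self.repository.get(presented.index)
        if reference is None:                        # not in the repository: ask the CA center
            reference = self.download_from_ca(presented.index)
            if reference is None:
                return {"result": "failure", "reason": "unknown certificate"}
            self.repository[presented.index] = reference
        if presented.algorithm != ALGORITHM:
            return {"result": "failure", "reason": "algorithm"}
        # Forgery check: the tag must verify and the content must match the
        # copy with the same index that came from the CA center.
        if (not hmac.compare_digest(presented.signature, ca_sign(presented.body()))
                or presented.body() != reference.body()):
            return {"result": "failure", "reason": "forged"}
        if date.fromisoformat(today) > date.fromisoformat(presented.not_after):
            return {"result": "failure", "reason": "expired"}
        return {"result": "success", "mac": presented.mac}

    def on_revocation(self, index: str) -> Optional[str]:
        """Certificate revocation message: delete the certificate with this index
        and return the MAC of the holder that must go back to the unauthenticated state."""
        self.revoked.add(index)
        holder = self.repository.pop(index, None)
        return holder.mac if holder else None

    def on_repository_update(self, certs) -> int:
        """Certificate repository update message: replace the listed entries."""
        for cert in certs:
            self.repository[cert.index] = cert
            self.revoked.discard(cert.index)
        return len(self.repository)
```

The repository acts as a cache in front of the CA center: a certificate is fetched once and then verified locally, while a revocation removes it and blocks re-verification even if the CA center still holds a copy.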
The formats of the above certificate revocation message and certificate repository update message can be as shown in Table 3.
Table 3
In Table 3, the source and destination MAC addresses in the Ethernet header field are set according to normal layer-2 forwarding; in this embodiment the source MAC address in the Ethernet header field can be the MAC address of the CA center and the destination MAC address the MAC address of the certificate calibration device. The source IP address in the IP header field can be the IP address of the CA center and the destination IP address the IP address of the certificate calibration device. The value of the CA message identification bit is a protocol number, namely the protocol number of the tunneling protocol adopted by the message. The value of the CA message type field is the third preset value, for example "02", to indicate that the message type is a certificate revocation message, or the fourth preset value, for example "03", to indicate that the message type is a certificate repository update message. When the CA message type field holds the third preset value, the CA certificate information field carries the index, certificate content and validity period of the revoked certificate; when it holds the fourth preset value, the CA certificate information field carries the index, certificate content and validity period of the updated certificate. The value of the TTL field is "255".
The methods provided by the embodiments of the invention shown in Fig. 1 and Fig. 2 can be applied in the application scenario shown in Fig. 3, which is a schematic diagram of an embodiment of an application scenario of the invention. In Fig. 3, the CA center, the gateway, switch 1 (hereinafter SW1) and SW2 form a network. SW1 is connected to physical interface 1 of the gateway and SW2 to physical interface 2 of the gateway; SW1 and SW2 are connected to the network through the gateway. A USB flash disk is inserted into the USB interface of SW1, so SW1 can obtain the certificate authorized by the CA center that is stored on the USB flash disk and authenticate according to the methods of the embodiments shown in Fig. 1 and Fig. 2; after authentication succeeds, the network hosts under SW1 can access network resources. SW2 is connected without authorization through the exposed physical interface 2; because it has no certificate or its certificate is illegal, it cannot access the network, which greatly improves the internal security of the network.
Specifically, in Fig. 3 the gateway is the exit of the network and is generally the upstream device inside the network; here the gateway is the certificate calibration device of the embodiments shown in Fig. 1 and Fig. 2. The gateway can first send its own certificate to the CA center over a network (for example, the Internet) for verification; after verification passes, the state of the gateway becomes the forwarding state. When SW1 is connected to physical interface 1 of the gateway, the gateway detects that the state of physical interface 1 has changed, for example from down to up, and sends a challenge message to SW1. After receiving the challenge message, SW1 carries the certificate it has obtained in an authentication request packet and sends it to the gateway. In the IP header field of this authentication request packet the source IP address is the IP address of SW1 and the destination IP address is the IP address of the gateway; when the value of the layer-2/layer-3 device identification field of this packet is "0", the value of the MAC/IP address field is the IP address of SW1, and when it is "1", the value of the MAC/IP address field is the MAC address of SW1, so the authentication request packet effectively carries a dual address. Here SW1 is the network device of the embodiments shown in Fig. 1 and Fig. 2.
After the gateway receives the authentication request packet, it verifies the certificate obtained by SW1 and, once verification passes, sends SW1 an authentication response message carrying indication information of authentication success. After SW1 receives this authentication response message, its global state changes to the authentication success state and SW1 can forward the data messages it receives.
In Fig. 3, physical interface 2 of the gateway is exposed to the outside, and SW2 is connected to physical interface 2 without authorization by non-administrative personnel or an attacker. Because SW2 has no certificate or its certificate is illegal, SW2 still cannot communicate on the network even after physical connectivity is established.
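An encoder and parser for the authentication request packet with its dual address, as an added Python example (not code from the patent or its assignee). The description fixes which fields exist (the CA message identification bit carrying the tunneling protocol number, the CA message type field, the layer-2/layer-3 device identification field with "0" for an IP address and "1" for a MAC address, the MAC/IP address field, the CA certificate information field, and TTL 255) and the type values "02" and "03" for revocation and repository update. The byte layout, the field widths, the protocol number used, and the type values 0x00/0x01 for the challenge and the authentication request are assumptions made for this example. The parser goes one step beyond the text: for a layer-3 device it checks that the MAC/IP address field agrees with the source IP in the IP header, since both are meant to carry the network device's address.

```python
"""Authentication request packet codec with dual-address validation.
Added example; layout and constants are assumptions, not the patent's."""
import ipaddress
import struct

TTL = 255
PROTO_TUNNEL = 0x2F            # assumed tunneling protocol number (placeholder value)
MSG_CHALLENGE = 0x00           # first preset value (assumed)
MSG_AUTH_REQUEST = 0x01        # second preset value (assumed)
MSG_CERT_REVOCATION = 0x02     # third preset value ("02" in the description)
MSG_REPOSITORY_UPDATE = 0x03   # fourth preset value ("03" in the description)

LAYER3 = 0   # identification field "0": MAC/IP address field holds an IP address
LAYER2 = 1   # identification field "1": MAC/IP address field holds a MAC address

HEADER = struct.Struct("!4s4sBB")   # src IP, dst IP, TTL, protocol (CA message identification)
CA_HEAD = struct.Struct("!BBB")     # message type, layer flag, address length


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{x:02x}" for x in raw)


def encode_auth_request(src_ip: str, dst_ip: str, layer: int,
                        device_addr: str, cert_info: bytes) -> bytes:
    """Outer IP header plus the CA message for an authentication request."""
    if layer == LAYER2:
        addr = _mac_bytes(device_addr)
    elif layer == LAYER3:
        addr = ipaddress.IPv4Address(device_addr).packed
    else:
        raise ValueError("layer flag must be 0 or 1")
    header = HEADER.pack(ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed, TTL, PROTO_TUNNEL)
    body = CA_HEAD.pack(MSG_AUTH_REQUEST, layer, len(addr)) + addr
    return header + body + struct.pack("!H", len(cert_info)) + cert_info


def decode_auth_request(packet: bytes) -> dict:
    """Parses and validates an authentication request packet; raises ValueError on
    any structural problem or on a dual-address mismatch."""
    if len(packet) < HEADER.size + CA_HEAD.size:
        raise ValueError("packet too short")
    src, dst, ttl, proto = HEADER.unpack_from(packet, 0)
    if ttl != TTL:
        raise ValueError("TTL must be 255")
    if proto != PROTO_TUNNEL:
        raise ValueError("not a CA message (protocol number mismatch)")
    mtype, layer, alen = CA_HEAD.unpack_from(packet, HEADER.size)
    if mtype != MSG_AUTH_REQUEST:
        raise ValueError("not an authentication request packet")
    expected = {LAYER2: 6, LAYER3: 4}.get(layer)
    if expected is None or alen != expected:
        raise ValueError("address length does not match the layer flag")
    pos = HEADER.size + CA_HEAD.size
    addr = packet[pos:pos + alen]
    pos += alen
    if pos + 2 > len(packet):
        raise ValueError("truncated certificate length field")
    (clen,) = struct.unpack_from("!H", packet, pos)
    cert = packet[pos + 2:pos + 2 + clen]
    if len(cert) != clen or len(packet) != pos + 2 + clen:
        raise ValueError("certificate field length mismatch")
    src_ip = str(ipaddress.IPv4Address(src))
    if layer == LAYER3:
        device_addr = str(ipaddress.IPv4Address(addr))
        if device_addr != src_ip:      # dual address: both must name the same device
            raise ValueError("dual address mismatch: MAC/IP field != source IP")
    else:
        device_addr = _mac_str(addr)
    return {"src_ip": src_ip, "dst_ip": str(ipaddress.IPv4Address(dst)),
            "layer": layer, "device_addr": device_addr, "certificate": cert}


def is_valid_auth_request(packet: bytes) -> bool:
    try:
        decode_auth_request(packet)
        return True
    except ValueError:
        return False
```

Rejecting a packet whose address length disagrees with the layer flag, or whose MAC/IP field contradicts the IP header, keeps the calibration device from verifying a certificate on behalf of an address other than the one that actually sent the request.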
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by hardware instructed by a program. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as a ROM, a RAM, a magnetic disk or an optical disk.
Fig. 4 is a schematic structural diagram of an embodiment of the authentication apparatus of the network device of the invention. The authentication apparatus of this embodiment is arranged in the network device and can implement the flow of the embodiment of the invention shown in Fig. 1. As shown in Fig. 4, the authentication apparatus of the network device can include a receiving module 41 and a sending module 42.
Specifically, the receiving module 41 is configured to receive, after the network device has been physically connected to its upstream device, the challenge message that the upstream device sends after the upstream device's own authentication has succeeded, and to receive the authentication response message sent by the upstream device. The authentication response message sent by the upstream device is the message that the upstream device sends after it has forwarded the certificate obtained by the network device to the certificate calibration device, the certificate calibration device has verified that certificate, and the upstream device has received the authentication response message sent by the certificate calibration device.
The sending module 42 is configured to send an authentication request packet to the upstream device, the authentication request packet sent by the sending module 42 carrying the certificate obtained by the network device, and to forward the data messages received by the network device when the authentication response message received by the receiving module 41 carries indication information of authentication success.
In this embodiment, the certificate calibration device is used for certificate verification and can be an upstream device inside the network, such as a gateway.
In the above embodiment, after the network device is physically connected to its upstream device, the receiving module 41 receives the challenge message that the upstream device sends after its own authentication succeeded; the sending module 42 then sends the upstream device an authentication request packet carrying the certificate obtained by the network device, the receiving module 41 receives the authentication response message sent by the upstream device, and when that message carries indication information of authentication success the sending module 42 forwards the data messages received by the network device. The legitimacy of the network device can thus be authenticated and network security improved; moreover, the apparatus sends the certificate obtained by the network device over the network to the certificate calibration device for verification, which is convenient to implement and easy to use.
Fig. 5 is a schematic structural diagram of another embodiment of the authentication apparatus of the network device of the invention. Compared with the apparatus shown in Fig. 4, the authentication apparatus shown in Fig. 5 can further include a determination module 43.
The determination module 43 is configured to determine whether the network device has obtained a certificate.
The sending module 42 is then specifically configured to send the authentication request packet to the upstream device when the determination module 43 determines that the network device has obtained a certificate and the network device has not yet been authenticated successfully.
The sending module 42 is further configured to forward the data messages received by the network device when the determination module 43 determines that the network device has obtained a certificate and the network device has already been authenticated successfully.
In addition, the determination module 43 is further configured to determine that authentication of the network device has failed when it determines that the network device has not yet obtained a certificate.
Further, the authentication apparatus of the above network device can also include an address conversion module 44.
The sending module 42 is further configured, when the authentication response message received by the receiving module 41 carries indication information of authentication success and a downstream device of the network device has been physically connected to the network device, to send a challenge message to that downstream device, and to send to the certificate calibration device the authentication request packet whose outer source address and outer destination address have been changed by the address conversion module 44, this authentication request packet carrying the certificate obtained by the downstream device.
The receiving module 41 is further configured to receive the authentication request packet sent by the downstream device of the network device and to decapsulate it; the outer source address of that authentication request packet is the address of the downstream device, its outer destination address is the address of the network device, and it carries the certificate obtained by the downstream device.
The address conversion module 44 is configured to change the outer source address of the authentication request packet sent by the downstream device to the address of the network device, and to change its outer destination address to the address of the certificate calibration device.
The authentication apparatus of the above network device can authenticate the legitimacy of the network device and improve network security; moreover, the apparatus sends the certificate obtained by the network device over the network to the certificate calibration device for verification, which is convenient to implement and easy to use.
In addition, the authentication apparatus of the above network device requires no direct contact with the user: the user does not need to install any software, and the compatibility of the software environment need not be considered. Because the network device can forward the data messages it receives only after authentication succeeds, unauthorized connection of network devices and unauthorized expansion of the number of network nodes are prevented, so the number of nodes in the whole network can be controlled and the resulting potential safety hazards avoided, further improving network security. Certificates are also difficult to forge, which likewise improves network security.
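The device-side behaviour of the apparatus in Fig. 4 and Fig. 5, as an added Python example (not code from the patent or its assignee): the determination module's decision (certificate present or not, already authenticated or not), the rule that data messages are forwarded only in the authenticated state, and the address conversion an authenticated device applies when it relays a downstream device's authentication request toward the certificate calibration device. Messages are plain dicts, the names `NetworkDevice` and `run_scenario` are this example's own, and `calibration_check` is a constructed allow-list standing in for the certificate calibration device's verification; the scenario reproduces the Fig. 3 layout, with a further device behind SW1 to exercise the relay path.

```python
"""Network device state machine with the address conversion module.
Added example; message layout and names are assumptions, not the patent's."""
from dataclasses import dataclass, field
from typing import Optional

UNAUTHENTICATED = "unauthenticated"
AUTHENTICATED = "authenticated"


@dataclass
class NetworkDevice:
    address: str                    # MAC or IP address, per the layer-2/3 flag
    certificate: Optional[bytes]    # None: no certificate obtained (e.g. no USB flash disk)
    state: str = UNAUTHENTICATED
    log: list = field(default_factory=list)

    def on_challenge(self, upstream_addr: str) -> Optional[dict]:
        """Determination module + sending module: answer a challenge only when a
        certificate is present and the device is not yet authenticated."""
        if self.certificate is None:
            self.log.append("authentication failure: no certificate")
            return None
        if self.state == AUTHENTICATED:
            return None
        return {"type": "auth_request", "outer_src": self.address,
                "outer_dst": upstream_addr, "certificate": self.certificate}

    def on_auth_response(self, response: dict) -> str:
        if response.get("outer_dst") != self.address:
            return self.state                       # addressed to another device
        self.state = AUTHENTICATED if response["success"] else UNAUTHENTICATED
        return self.state

    def forward_data(self, payload: bytes) -> Optional[bytes]:
        """Data messages are forwarded only in the authenticated state."""
        return payload if self.state == AUTHENTICATED else None

    def relay_downstream_request(self, request: dict, calibration_addr: str) -> Optional[dict]:
        """Address conversion module: decapsulate the downstream device's request,
        then rewrite the outer source to our own address and the outer destination
        to the certificate calibration device. Only an authenticated device relays."""
        if self.state != AUTHENTICATED:
            return None
        if request.get("type") != "auth_request" or request.get("outer_dst") != self.address:
            return None
        relayed = dict(request)
        relayed["for_device"] = request["outer_src"]    # where the response must return to
        relayed["outer_src"] = self.address
        relayed["outer_dst"] = calibration_addr
        return relayed

    def on_revocation(self) -> str:
        """Instruction from the calibration device after a certificate revocation."""
        self.state = UNAUTHENTICATED
        return self.state


def calibration_check(request: dict, accepted: set) -> dict:
    """Constructed stand-in for the certificate calibration device: the response
    carries the success indication and is addressed to the requesting device."""
    ok = request["certificate"] in accepted
    return {"type": "auth_response", "success": ok,
            "outer_dst": request.get("for_device", request["outer_src"])}


def run_scenario() -> dict:
    """Fig. 3: the gateway is the calibration device, SW1 holds a valid
    certificate, SW2 has none; a host behind SW1 is authenticated via SW1."""
    accepted = {b"cert-sw1", b"cert-host"}          # constructed allow-list
    gateway_addr = "gw"
    sw1 = NetworkDevice("sw1", b"cert-sw1")
    sw2 = NetworkDevice("sw2", None)
    host = NetworkDevice("host", b"cert-host")

    sw1.on_auth_response(calibration_check(sw1.on_challenge(gateway_addr), accepted))
    sw2.on_challenge(gateway_addr)                   # no certificate: no request, stays unauthenticated
    relayed = sw1.relay_downstream_request(host.on_challenge(sw1.address), gateway_addr)
    host.on_auth_response(calibration_check(relayed, accepted))

    return {"sw1": sw1.state, "sw2": sw2.state, "host": host.state,
            "relayed_outer_src": relayed["outer_src"], "relayed_outer_dst": relayed["outer_dst"],
            "sw1_forwards": sw1.forward_data(b"data") is not None,
            "sw2_forwards": sw2.forward_data(b"data") is not None}
```

The relay refuses to act while its own state is unauthenticated, which is what keeps an unauthorized device from vouching for others; the rewritten outer addresses are what make the request routable before the downstream device has any forwarding state.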
The invention also provides a network device, which can be implemented by the authentication apparatus of the embodiment of the invention shown in Fig. 4 or Fig. 5.
Fig. 6 is a schematic structural diagram of an embodiment of the authentication system of the network device of the invention. As shown in Fig. 6, the authentication system of the network device can include at least two interconnected network devices 61 and a certificate calibration device 62.
Specifically, the network device 61 can be implemented by the authentication apparatus of the embodiment of the invention shown in Fig. 4 or Fig. 5; the certificate calibration device 62 is used for certificate verification and can be an upstream device inside the network, such as a gateway.
Fig. 6 takes an authentication system with two network devices 61, denoted 61A and 61B, as an example. In the authentication system shown in Fig. 6, network device 61B is the upstream device of network device 61A; network device 61A, network device 61B and the certificate calibration device 62 can interact according to the flow of the embodiment of the invention shown in Fig. 1 or Fig. 2, which is not repeated here.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some or all of their technical features replaced by equivalents, without the essence of the corresponding technical solutions departing from the scope of the technical solutions of the embodiments of the invention.

Claims (16)

1. An authentication method for a network device, characterized in that it comprises:
after the network device has been physically connected to an upstream device of the network device, receiving a challenge message that the upstream device sends after authentication of the upstream device has succeeded;
the network device sending an authentication request packet to the upstream device, the authentication request packet sent by the network device carrying a certificate obtained by the network device;
the network device receiving an authentication response message sent by the upstream device and, when the authentication response message carries indication information of authentication success, forwarding the data messages received by the network device; the authentication response message sent by the upstream device being sent to the network device after the upstream device has sent the certificate obtained by the network device to a certificate calibration device, the certificate calibration device has verified the certificate obtained by the network device, and the upstream device has received the authentication response message sent by the certificate calibration device;
wherein the authentication request packet comprises a CA message identification bit, a CA message type field, a layer-2/layer-3 device identification field, a media access control/Internet Protocol address field and a CA certificate information field; the value of the CA message identification bit in the authentication request packet is the protocol number of the tunneling protocol adopted by the authentication request packet; the value of the CA message type field in the authentication request packet is a second preset value, the second preset value indicating that the message type is an authentication request packet; the value of the layer-2/layer-3 device identification field in the authentication request packet indicates whether the network device is a layer-2 device or a layer-3 device; when the value of the layer-2/layer-3 device identification field indicates that the network device is a layer-2 device, the value of the media access control/Internet Protocol address field is the media access control address of the network device; when the value of the layer-2/layer-3 device identification field indicates that the network device is a layer-3 device, the value of the media access control/Internet Protocol address field is the Internet Protocol address of the network device; and the CA certificate information field in the authentication request packet carries the certificate obtained by the network device.
2. The method according to claim 1, characterized in that, before the network device sends the authentication request packet to the upstream device, the method further comprises:
the network device determining whether the network device has obtained a certificate;
and in that the network device sending the authentication request packet to the upstream device comprises:
when the network device determines that the network device has obtained a certificate and the network device has not yet been authenticated successfully, the network device sending the authentication request packet to the upstream device.
3. The method according to claim 2, characterized in that, before the network device sends the authentication request packet to the upstream device, the method further comprises:
when the network device determines that the network device has obtained a certificate and the network device has already been authenticated successfully, the network device forwarding the data messages received by the network device.
4. The method according to claim 1, characterized in that, after the network device receives the authentication response message sent by the upstream device, the method further comprises:
when the authentication response message carries indication information of authentication success and a downstream device of the network device has been physically connected to the network device, the network device sending a challenge message to the downstream device of the network device;
the network device receiving an authentication request packet sent by the downstream device of the network device and decapsulating it, the outer source address of the authentication request packet sent by the downstream device being the address of the downstream device, the outer destination address of the authentication request packet sent by the downstream device being the address of the network device, and the authentication request packet sent by the downstream device carrying a certificate obtained by the downstream device;
the network device changing the outer source address of the authentication request packet sent by the downstream device to the address of the network device, and changing the outer destination address of the authentication request packet sent by the downstream device to the address of the certificate calibration device;
the network device sending the authentication request packet with the changed outer source address and outer destination address to the certificate calibration device, the authentication request packet sent by the network device carrying the certificate obtained by the downstream device.
5. The method according to any one of claims 1 to 4, characterized in that the challenge message comprises a certificate authority (CA) message identification bit and a CA message type field; the value of the CA message identification bit in the challenge message is the protocol number of the tunneling protocol adopted by the challenge message, and the value of the CA message type field in the challenge message is a first preset value, the first preset value indicating that the message type is a challenge message.
6. The method according to any one of claims 1 to 4, characterized in that the certificate calibration device verifying the certificate obtained by the network device comprises:
the certificate calibration device searching the certificate repository of the certificate calibration device for a certificate having the same certificate identifier as the certificate obtained by the network device;
if found, the certificate calibration device verifying the certificate obtained by the network device against the found certificate and, after verification succeeds, sending the upstream device the authentication response message carrying the indication information of authentication success;
if no certificate having the same certificate identifier as the certificate obtained by the network device is found in the certificate repository of the certificate calibration device, the certificate calibration device sending a certificate download request carrying the certificate identifier to a certificate authority center and, after receiving the certificate that the certificate authority center sends according to the certificate identifier, verifying the certificate obtained by the network device against the received certificate and, after verification succeeds, sending the upstream device the authentication response message carrying the indication information of authentication success.
7. The method according to claim 6, characterized in that it further comprises:
the certificate calibration device receiving a certificate revocation message sent by the certificate authority center, the certificate revocation message carrying the index of a revoked certificate;
the certificate calibration device deleting the certificate having that index from the certificate repository of the certificate calibration device, and instructing the device holding the revoked certificate to change its own state to the unauthenticated state.
8. The method according to claim 7, characterized in that the certificate revocation message comprises a CA message identification bit, a CA message type field and a CA certificate information field; the value of the CA message identification bit in the certificate revocation message is the protocol number of the tunneling protocol adopted by the certificate revocation message; the value of the CA message type field in the certificate revocation message is a third preset value, the third preset value indicating that the message type is a certificate revocation message; and the CA certificate information field in the certificate revocation message carries the index of the revoked certificate.
9. The method according to claim 6, characterized in that it further comprises:
the certificate calibration device receiving a certificate repository update message sent by the certificate authority center, and updating the certificate repository of the certificate calibration device according to the certificate repository update message.
10. The method according to claim 9, characterized in that the certificate repository update message comprises a CA message identification bit, a CA message type field and a CA certificate information field; the value of the CA message identification bit in the certificate repository update message is the protocol number of the tunneling protocol adopted by the certificate repository update message; the value of the CA message type field in the certificate repository update message is a fourth preset value, the fourth preset value indicating that the message type is a certificate repository update message; and the CA certificate information field in the certificate repository update message carries the index, certificate content and validity period of the updated certificate.
11. An authentication apparatus of a network device, characterized in that the authentication apparatus of the network device is arranged in the network device and comprises:
a receiving module configured to receive, after the network device has been physically connected to an upstream device of the network device, a challenge message that the upstream device sends after authentication of the upstream device has succeeded, and to receive an authentication response message sent by the upstream device, the authentication response message sent by the upstream device being sent after the upstream device has sent the certificate obtained by the network device to a certificate calibration device, the certificate calibration device has verified the certificate obtained by the network device, and the upstream device has received the authentication response message sent by the certificate calibration device;
a sending module configured to send an authentication request packet to the upstream device, the authentication request packet sent by the sending module carrying the certificate obtained by the network device, and to forward the data messages received by the network device when the authentication response message received by the receiving module carries indication information of authentication success; wherein the authentication request packet comprises a CA message identification bit, a CA message type field, a layer-2/layer-3 device identification field, a media access control/Internet Protocol address field and a CA certificate information field; the value of the CA message identification bit in the authentication request packet is the protocol number of the tunneling protocol adopted by the authentication request packet; the value of the CA message type field in the authentication request packet can be a second preset value, the second preset value indicating that the message type is an authentication request packet; the value of the layer-2/layer-3 device identification field in the authentication request packet indicates whether the network device is a layer-2 device or a layer-3 device; when the value of the layer-2/layer-3 device identification field indicates that the network device is a layer-2 device, the value of the media access control/Internet Protocol address field is the media access control address of the network device; when the value of the layer-2/layer-3 device identification field indicates that the network device is a layer-3 device, the value of the media access control/Internet Protocol address field is the Internet Protocol address of the network device; and the CA certificate information field in the authentication request packet carries the certificate obtained by the network device.
12. The device according to claim 11, characterized in that it further comprises: a determination module;
the determination module is configured to determine whether the network device has obtained a certificate;
the sending module is specifically configured to send the authentication request packet to the upstream device when the determination module determines that the network device has obtained a certificate and the network device has not yet been authenticated successfully.
13. The device according to claim 12, characterized in that
the sending module is further configured to forward the data message received by the network device when the determination module determines that the network device has obtained a certificate and the network device has been authenticated successfully.
14. The device according to claim 11, characterized in that it further comprises: an address conversion module;
the sending module is further configured to, when the authentication response message received by the receiver module carries indication information of authentication success, send a challenge message to the downstream device of the network device after the downstream device and the network device are physically connected; and to send to the certificate verification device the authentication request packet whose outer source address and outer destination address have been changed by the address conversion module, that authentication request packet carrying the certificate obtained by the downstream device;
the receiver module is further configured to receive the authentication request packet sent by the downstream device of the network device and to decapsulate it, wherein the outer source address of the authentication request packet sent by the downstream device is the address of the downstream device, the outer destination address of that packet is the address of the network device, and that packet carries the certificate obtained by the downstream device;
the address conversion module is configured to change the outer source address of the authentication request packet sent by the downstream device to the address of the network device, and to change the outer destination address of that packet to the address of the certificate verification device.
15. A network device, characterized in that it comprises the authentication device of a network device according to any one of claims 11 to 14.
16. An authentication system of network devices, characterized in that it comprises: at least two interconnected network devices according to claim 15, and a certificate verification device.
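The authentication request packet layout of claim 11 and the outer-address rewriting relay of claim 14, as an added Python illustration that is not part of the patent: the field widths, the tunnel protocol number 47, the preset value 2 and the length prefix on the certificate field are constructed assumptions, since the claims fix only the order and meaning of the fields.

```python
from dataclasses import dataclass
import struct

# Constructed assumptions: the patent fixes field order and meaning, not widths or values.
TUNNEL_PROTOCOL_NUMBER = 47   # CA message identification bit: protocol number of the tunneling protocol
MSG_TYPE_AUTH_REQUEST = 2     # the "second preset value" marking an authentication request packet
DEVICE_LAYER2, DEVICE_LAYER3 = 2, 3
ADDR_LEN = {DEVICE_LAYER2: 6, DEVICE_LAYER3: 4}   # MAC address for layer 2, IPv4 address for layer 3


@dataclass
class AuthRequest:
    device_layer: int   # layer-2/layer-3 device identification field
    address: bytes      # MAC/IP address field, width chosen by device_layer
    certificate: bytes  # CA certificate information field (certificate the device obtained)

    def encode(self) -> bytes:
        if self.device_layer not in ADDR_LEN or len(self.address) != ADDR_LEN[self.device_layer]:
            raise ValueError("address width must match the layer-2/layer-3 identification field")
        head = struct.pack("!BBB", TUNNEL_PROTOCOL_NUMBER, MSG_TYPE_AUTH_REQUEST, self.device_layer)
        return head + self.address + struct.pack("!H", len(self.certificate)) + self.certificate


def decode(raw: bytes) -> AuthRequest:
    """Parse a packet, rejecting anything that is not a well-formed authentication request."""
    if len(raw) < 3:
        raise ValueError("truncated header")
    proto, mtype, layer = struct.unpack("!BBB", raw[:3])
    if proto != TUNNEL_PROTOCOL_NUMBER or mtype != MSG_TYPE_AUTH_REQUEST or layer not in ADDR_LEN:
        raise ValueError("not an authentication request packet")
    end = 3 + ADDR_LEN[layer]
    if len(raw) < end + 2:
        raise ValueError("truncated address or length field")
    (cert_len,) = struct.unpack("!H", raw[end:end + 2])
    cert = raw[end + 2:end + 2 + cert_len]
    if len(cert) != cert_len:
        raise ValueError("truncated certificate field")
    return AuthRequest(layer, raw[3:end], cert)


@dataclass
class Tunnel:          # outer encapsulation carrying an AuthRequest as its payload
    outer_src: bytes
    outer_dst: bytes
    payload: bytes


def relay_upstream(pkt: Tunnel, my_addr: bytes, ca_addr: bytes) -> Tunnel:
    """Claim 14: an authenticated device re-addresses a downstream device's request to the verifier."""
    if pkt.outer_dst != my_addr:
        raise ValueError("outer destination is not this device; drop")
    decode(pkt.payload)   # decapsulate and validate the inner packet before re-addressing it
    return Tunnel(outer_src=my_addr, outer_dst=ca_addr, payload=pkt.payload)
```

The inner packet is forwarded unchanged, so the certificate verification device still sees the downstream device's own address and certificate; only the outer tunnel addresses are rewritten.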
CN201210100152.XA 2012-04-06 2012-04-06 Authentication method, device and system of network device and network device Active CN102624744B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210100152.XA CN102624744B (en) 2012-04-06 2012-04-06 Authentication method, device and system of network device and network device

Publications (2)

Publication Number Publication Date
CN102624744A CN102624744A (en) 2012-08-01
CN102624744B true CN102624744B (en) 2014-09-10

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant