CN106961451A - Authentication method, authentication system, edge node and authentication server in a CDN

Info

Publication number: CN106961451A
Application number: CN201710378887.1A
Authority: CN (China)
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Original language: Chinese (zh)
Inventors: 陈春兴, 曾智全, 黄玉羡, 林天建
Original and current assignee: Wangsu Science and Technology Co Ltd (assignee list as given by Google Patents, not legally verified)
Prior art keywords: identity, external device, authentication server, device information, sent
Events: application filed by Wangsu Science and Technology Co Ltd; priority to CN201710378887.1A; publication of CN106961451A; legal status pending

Classifications

    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/08 ... for authentication of entities
    • H04L 63/0876 ... based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/10 ... for controlling access to devices or network resources

Abstract

The invention discloses an authentication method, authentication system, edge node and authentication server in a CDN. The method includes: the authentication server authenticates external devices and stores their device information; an external device sends an access request to an edge node of the content delivery network, the access request carrying encrypted data that includes the device's identity; the edge node obtains the identity of the external device and sends an authentication request carrying the identity to the authentication server; the authentication server queries whether device information corresponding to the identity exists and, if it does, returns that device information to the edge node; after receiving the device information from the authentication server, the edge node authenticates and accepts the access request of the external device. The technical solution provided by the invention ensures that the authentication process proceeds normally.

Description

Authentication method, authentication system, edge node and authentication server in a CDN
Technical field
The present invention relates to the field of Internet technology, and in particular to an authentication method, authentication system, edge node and authentication server in a CDN.
Background
In current content delivery networks (Content Delivery Network, CDN), an external device that wants to access an edge node sometimes has to be authenticated first; only after authentication passes can it access the edge node normally.
At present, an external device is usually authenticated by the following steps:
Step 1: the device sends a registration request to some server in the edge node; after registration succeeds, the servers in the edge node must synchronize the registration information so that it can be used to verify the later authentication;
Step 2: the device sends an authentication request to the access server in the edge node;
Step 3: once authentication passes, the device can access the edge node.
However, this existing authentication method usually brings the following problems:
First, within one edge node, load balancing means that the server that actually accepts the device's registration and the server that performs the authentication may not be the same, so information has to be synchronized between the servers in the edge node, which complicates deployment and operation.
Second, because of how domain names are resolved, an external device may send its registration request to one edge node and its authentication request to another; if data is not shared between edge nodes, or is not synchronized in time, access fails.
Therefore, the existing authentication method raises the load of every server in an edge node, because information must be synchronized within the node; and if information cannot be shared between edge nodes, or is not synchronized in time, the external device cannot access the edge node.
Summary of the invention
To solve the problems in the prior art, embodiments of the invention provide an authentication method, authentication system, edge node and authentication server in a CDN. The technical solution is as follows:
In one aspect, an authentication method in a content delivery network includes:
an external device sends an access request to an edge node in the content delivery network, the access request carrying encrypted data, where the encrypted data includes the identity of the external device;
the edge node decrypts the encrypted data to obtain the identity of the external device, and sends an authentication request carrying the identity to the authentication server;
the authentication server, according to the identity in the authentication request, queries whether device information corresponding to the identity exists; if it does, it returns the device information corresponding to the identity to the edge node;
after receiving the device information corresponding to the identity from the authentication server, the edge node authenticates and accepts the access request of the external device.
Further, the method also includes: the authentication server continuously receives registration information sent by different external devices and stores the device information of the external devices that registered successfully, where the access requests of external devices that registered successfully pass authentication.
Further, the method also includes:
the edge node keeps the device information corresponding to the identity that the authentication server returned for a specified duration;
when the edge node receives another access request from the external device within that duration, it queries locally whether device information for the external device exists.
Further, after the authentication server receives the registration information sent by an external device, the method also includes:
the authentication server judges whether the registration information carries a specified token; if it does not, the registration information is discarded; if it does, the validity of the registration information is authenticated.
Further, the registration information includes the plaintext of the external device's identity and a ciphertext obtained by encrypting the identity with a preset encryption algorithm. Accordingly, when authenticating the registration information, the authentication server decrypts the ciphertext with the preset decryption algorithm and checks whether the decrypted data is consistent with the plaintext; if it is, the registration request passes authentication; if it is not, a registration-failure notice is sent to the external device.
Further, encrypting the identity with the preset encryption algorithm includes:
adding dynamic check data provided by the authentication server to the identity, and encrypting the identity with the dynamic check data added using the preset encryption algorithm;
accordingly, after the authentication server decrypts the ciphertext with the preset decryption algorithm, the method also includes:
the authentication server judges whether the decrypted data contains the dynamic check data; if it does, it authenticates the consistency of the decrypted data with the plaintext; if it does not, a registration-failure notice is sent to the external device.
Further, after the authentication server stores the device information of the external device that registered successfully, the method also includes:
the external device sends heartbeat packets to the authentication server at a predetermined period;
if the authentication server does not receive a heartbeat packet from the external device within a preset duration, it deletes the stored device information of that external device.
Further, before the authentication request carrying the identity is sent to the authentication server, the method also includes:
the edge node queries locally whether device information corresponding to the identity exists; if it does, the access request of the external device passes authentication; if it does not, the edge node sends the authentication request carrying the identity to the authentication server.
In another aspect, an authentication system in a content delivery network includes an authentication server and an edge node, where:
the authentication server is configured to receive registration information sent by external devices and store the device information of the external devices that registered successfully; to receive the authentication request sent by the edge node and, according to the identity in the authentication request, query whether device information corresponding to the identity exists; and, if it does, to return the device information corresponding to the identity to the edge node; and
the edge node is configured to decrypt the encrypted data to obtain the identity of the external device and send an authentication request carrying the identity to the authentication server; and, after receiving the device information corresponding to the identity from the authentication server, to authenticate and accept the access request of the external device.
Further, the external device is configured to send an access request to the edge node in the content delivery network, the access request carrying encrypted data, where the encrypted data includes the identity of the external device.
In another aspect, an authentication method in a content delivery network includes:
receiving an access request sent by an external device, the access request carrying encrypted data, where the encrypted data includes the identity of the external device;
decrypting the encrypted data to obtain the identity of the external device, and sending an authentication request carrying the identity to an authentication server;
after receiving the device information corresponding to the identity from the authentication server, authenticating and accepting the access request of the external device.
Further, the method also includes:
keeping the device information corresponding to the identity that the authentication server returned for a specified duration;
when another access request from the external device is received within that duration, querying locally whether device information for the external device exists.
Further, before the authentication request carrying the identity is sent to the authentication server, the method also includes:
querying locally whether device information corresponding to the identity exists; if it does, authenticating and accepting the access request of the external device; if it does not, sending the authentication request carrying the identity to the authentication server.
In another aspect, an edge node in a content delivery network includes:
an access request receiving unit, configured to receive an access request sent by an external device, the access request carrying encrypted data, where the encrypted data includes the identity of the external device;
an authentication request sending unit, configured to decrypt the encrypted data to obtain the identity of the external device and send an authentication request carrying the identity to an authentication server;
an authentication passing unit, configured to authenticate and accept the access request of the external device after receiving the device information corresponding to the identity from the authentication server.
In another aspect, an authentication method in a content delivery network includes:
receiving an authentication request sent by an edge node, the authentication request carrying the identity of an external device;
according to the identity in the authentication request, querying whether device information corresponding to the identity exists; if it does, returning the device information corresponding to the identity to the edge node.
Further, the method also includes continuously receiving registration information sent by different external devices and storing the device information of the external devices that registered successfully.
Further, after the registration information sent by the different external devices is received, the method also includes:
judging whether the registration information carries a specified token; if it does not, discarding the registration information; if it does, authenticating the validity of the registration information.
Further, the registration information includes the plaintext of the external device's identity and a ciphertext obtained by encrypting the identity with a preset encryption algorithm. Accordingly, when authenticating the registration information, the ciphertext is decrypted with the preset decryption algorithm and the decrypted data is checked for consistency with the plaintext; if consistent, the registration request passes authentication; if not, a registration-failure notice is sent to the external device.
Further, after the device information of the external device that registered successfully is stored, the method also includes:
if no heartbeat packet from the external device is received within a preset duration, deleting the stored device information of that external device.
In another aspect, an authentication server in a content delivery network includes:
a registration information receiving unit, configured to receive registration information sent by different external devices and, after the registration succeeds, store the device information of the external devices that registered successfully;
an authentication request receiving unit, configured to receive an authentication request sent by an edge node, the authentication request carrying the identity of the external device;
a query unit, configured to query, according to the identity in the authentication request, whether device information corresponding to the identity exists and, if it does, return the device information corresponding to the identity to the edge node.
The beneficial effects of the technical solution provided by embodiments of the invention are as follows. A unified authentication server is configured in the content delivery network, and the registration information of external devices is stored by that authentication server. When an external device sends an authentication request to an edge node, the edge node can query the authentication server for the device information of the external device that holds the corresponding registration information, and so complete the authentication process; alternatively, the edge node can keep the device information corresponding to the identity that the authentication server returned for a specified duration and complete the query locally, without querying the authentication server, which improves authentication efficiency. The authentication method, authentication system, edge node and authentication server provided by the invention therefore need no information sharing within an edge node or between edge nodes, while still ensuring that the edge node that receives the authentication request can obtain the external device's registration information in time; this guarantees that the authentication process proceeds normally and improves its efficiency. Moreover, when the authentication server communicates with external devices it uses a specific communication protocol or authentication method, in which identity verification can include carrying a token or an identity protected by an encryption policy, so that non-conforming access requests can be denied. This gives the system some resistance to attack and further improves reliability.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of the authentication method in embodiment one of the present invention;
Fig. 2 is a schematic structural diagram of the authentication system in embodiment two of the present invention;
Fig. 3 is a flow chart of the authentication method in embodiment three of the present invention;
Fig. 4 is a schematic structural diagram of the authentication server in embodiment four of the present invention;
Fig. 5 is a flow chart of the authentication method in embodiment five of the present invention;
Fig. 6 is a schematic structural diagram of the edge node in embodiment six of the present invention.
Embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
Embodiment one
Referring to Fig. 1, this embodiment of the application provides an authentication method in a content delivery network. The method includes:
S1: the authentication server continuously receives registration information sent by different external devices and, according to a corresponding predetermined communication protocol, stores the device information of each external device whose registration succeeds.
In this embodiment, all external devices send their registration requests to the authentication server, which manages the registration information of all external devices centrally.
Specifically, the authentication server and the external devices can communicate using a specific protocol, and any data request that does not conform to that protocol is rejected outright by the authentication server. This protects the data while also filtering out unnecessary junk data.
In this embodiment, the specific protocol can implement the following functions:
After the authentication server receives registration information from an external device, it judges whether the registration information carries the specified token. If it does not, the data is deemed not to meet the protocol requirements and the registration information is discarded. If it does, the validity of the registration information can be authenticated further.
In this embodiment, the registration information can include the plaintext of the external device's identity and a ciphertext obtained by encrypting that identity with a preset encryption algorithm. Accordingly, when authenticating the registration information, the authentication server can decrypt the ciphertext with the preset decryption algorithm and check whether the decrypted data is consistent with the plaintext. If it is, the encryption algorithm used by the external device matches the decryption algorithm used by the authentication server, and the registration request passes authentication. If it is not, a registration-failure notice can be sent to the external device.
In this embodiment, to further ensure the reliability of the data, when the external device encrypts the identity with the preset encryption algorithm it can add dynamic check data provided by the authentication server to the identity and encrypt the identity with the dynamic check data added. After the authentication server decrypts the ciphertext with the preset decryption algorithm, it can then judge whether the decrypted data contains the dynamic check data. If it does, the authentication server goes on to authenticate the consistency of the decrypted data with the plaintext; if it does not, a registration-failure notice can be sent to the external device.
In this embodiment, after the authentication server has stored the device information of an external device, the external device must send heartbeat packets to the authentication server at a predetermined period to show that it is currently online. If the authentication server does not receive a heartbeat packet from the external device within a preset duration, the external device may have gone offline or failed, and the authentication server deletes the stored device information of that external device.
S2: the external device sends an access request to an edge node in the content delivery network, the access request carrying encrypted data, where the encrypted data includes the identity of the external device.
In this embodiment, only after it has passed registration authentication by the authentication server does the external device have the right to send access requests to the edge node. The external device encrypts its own identity and sends it to the edge node. The identity can be, for example, at least one of the external device's MAC address, device serial number and IP address.
S3: the edge node decrypts the encrypted data to obtain the identity of the external device and sends an authentication request carrying the identity to the authentication server.
In this embodiment, the communication protocol between the external device and the edge node can define the encryption and decryption algorithms used for the data, so that after receiving the encrypted data the edge node can decrypt it with the corresponding decryption algorithm and obtain the identity of the external device it carries.
In this embodiment, once it has obtained the identity of the external device, the edge node can send an authentication request carrying the identity to the authentication server, to verify whether the authentication server holds device information for that external device.
It should be noted that in one embodiment of the application, the edge node can first query locally whether it holds device information for the external device. Specifically, the edge node queries locally whether device information corresponding to the identity exists. If it does, the access request of the external device can pass authentication. If it does not, the authentication request carrying the identity can be sent to the authentication server.
S4: the authentication server, according to the identity in the authentication request, queries whether device information corresponding to the identity exists; if it does, it returns the device information corresponding to the identity to the edge node.
In this embodiment, after receiving the authentication request, the authentication server can extract the identity it carries and query locally whether device information corresponding to the identity exists. If it exists, the external device has already registered and may be allowed to access the edge node, so the authentication server returns the device information corresponding to the identity to the edge node. If it does not exist, the external device has not registered, or its registration information has expired, and a notice that registration is required can be returned to the external device.
S5: after receiving the device information corresponding to the identity from the authentication server, the edge node authenticates and accepts the access request of the external device.
In this embodiment, once the edge node receives the device information returned by the authentication server, it knows that the external device has previously registered with the authentication server and can allow it to access the edge node.
In one embodiment of the application, after receiving the device information sent by the authentication server, the edge node can also keep the device information corresponding to the identity for a specified duration; for example, the device information can be kept locally for 1 hour. When the edge node receives another access request from the external device within that duration, it need not send an authentication request to the authentication server; instead it can query locally whether device information for the external device exists and, if so, directly allow the external device to access the edge node, which improves authentication efficiency.
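The registration check of S1 (token, decrypt-and-compare, dynamic check data, heartbeat expiry) and the access flow of S2 to S5 (encrypted identity, local copy kept for a specified duration, query to the authentication server), modelled end to end in one added example. This is illustration code written for this page, not code from the patent or from Wangsu. The patent does not name the preset encryption algorithm, the token, the identity format or the timeouts, so the block assumes all of them: an HMAC-SHA256 keystream with an authentication tag stands in for the cipher, a random single-use nonce is the dynamic check data, a MAC address is the identity, the heartbeat timeout is 30 seconds and the local copy is kept for one hour. The message layouts (`"token"`, `"identity"`, `"device_info"`, `"ciphertext"`, `"encrypted_identity"`) and the two shared keys are likewise assumptions.

```python
import hashlib, hmac, secrets

SEP = b"|"  # joins identity and dynamic check data inside the ciphertext (assumed format)

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for the patent's unnamed preset cipher.
    blocks = [hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def encrypt(key: bytes, data: bytes) -> bytes:
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()[:16]

def decrypt(key: bytes, blob: bytes):
    # Returns None when the tag does not verify (wrong key or tampered ciphertext).
    iv, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()[:16]):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))

class AuthServer:  # keeps device information of registered devices (S1), answers edge nodes (S4)
    def __init__(self, key: bytes, token: str, heartbeat_timeout: float):
        self.key, self.token, self.timeout = key, token, heartbeat_timeout
        self.devices = {}         # identity -> {"info": ..., "last_seen": ...}
        self.pending_checks = {}  # identity -> dynamic check data handed out

    def issue_check_data(self, identity: str) -> bytes:
        self.pending_checks[identity] = secrets.token_hex(8).encode()
        return self.pending_checks[identity]

    def register(self, msg: dict, now: float) -> str:
        if msg.get("token") != self.token:       # no token: not protocol data, drop it
            return "discarded"
        dec = decrypt(self.key, msg["ciphertext"])
        nonce = self.pending_checks.pop(msg["identity"], None)   # single use (assumption)
        if dec is None or nonce is None or not dec.endswith(SEP + nonce):
            return "registration failed"         # dynamic check data missing
        if dec[: -len(SEP + nonce)] != msg["identity"].encode():
            return "registration failed"         # decrypted data differs from plaintext
        self.devices[msg["identity"]] = {"info": msg["device_info"], "last_seen": now}
        return "registered"

    def heartbeat(self, identity: str, now: float) -> None:
        if identity in self.devices:
            self.devices[identity]["last_seen"] = now

    def expire(self, now: float) -> None:
        # Delete devices whose last heartbeat is older than the preset duration.
        for i in [i for i, d in self.devices.items() if now - d["last_seen"] > self.timeout]:
            del self.devices[i]

    def lookup(self, identity: str):
        return self.devices.get(identity, {}).get("info")

class EdgeNode:  # decrypts the access request, checks its local copy, then asks the server (S3-S5)
    def __init__(self, key: bytes, auth: AuthServer, cache_ttl: float):
        self.key, self.auth, self.cache_ttl = key, auth, cache_ttl
        self.cache, self.auth_queries = {}, 0   # identity -> (device info, time stored)

    def handle_access(self, req: dict, now: float) -> bool:
        ident = decrypt(self.key, req["encrypted_identity"])
        if ident is None:
            return False
        identity = ident.decode()
        hit = self.cache.get(identity)
        if hit and now - hit[1] < self.cache_ttl:
            return True                          # served from the local copy
        self.auth_queries += 1
        info = self.auth.lookup(identity)
        if info is None:
            return False                         # never registered, or registration expired
        self.cache[identity] = (info, now)
        return True

def registration(key, token, identity, info, nonce) -> dict:  # device side of S1
    return {"token": token, "identity": identity, "device_info": info,
            "ciphertext": encrypt(key, identity.encode() + SEP + nonce)}

def access_request(key, identity) -> dict:  # device side of S2
    return {"encrypted_identity": encrypt(key, identity.encode())}

def demo() -> dict:
    reg_key, edge_key = b"device-authserver-key", b"device-edge-key"   # assumed shared keys
    auth = AuthServer(reg_key, token="cdn-reg-token", heartbeat_timeout=30)
    edge = EdgeNode(edge_key, auth, cache_ttl=3600)
    mac, r = "00:11:22:33:44:55", {}
    bad = registration(reg_key, "wrong-token", mac, "cam-7", auth.issue_check_data(mac))
    r["no_token"] = auth.register(bad, now=0)
    good = registration(reg_key, "cdn-reg-token", mac, "cam-7", auth.issue_check_data(mac))
    r["registered"] = auth.register(good, now=0)
    r["replay"] = auth.register(good, now=1)        # check data already consumed
    r["first_access"] = edge.handle_access(access_request(edge_key, mac), now=10)
    r["second_access"] = edge.handle_access(access_request(edge_key, mac), now=20)
    r["auth_queries"] = edge.auth_queries           # 1: the second request hit the local copy
    r["unknown"] = edge.handle_access(access_request(edge_key, "de:ad:be:ef:00:01"), now=20)
    auth.expire(now=100)                            # no heartbeat within 30 s
    r["after_expiry"] = auth.lookup(mac)
    return r
```

Running `demo()` walks one device through a discarded registration (no token), a successful one, a replayed one (the single-use check data is gone, so the decrypted data no longer matches), two access requests of which only the first reaches the authentication server, an access request from an unregistered identity, and finally the deletion of the device after its heartbeats stop. The edge node's local copy is deliberately left untouched by that deletion, which is what the one-hour local retention described above implies: a device whose registration expires on the server remains accepted by an edge node that already holds its information until that duration runs out.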
Embodiment two
Referring to Fig. 2, this embodiment of the application also provides an authentication system in a content delivery network. The system includes an external device, an authentication server and an edge node, where:
the authentication server is configured to receive registration information sent by the external device and store the device information of the external devices that registered successfully; to receive the authentication request sent by the edge node and, according to the identity in the authentication request, query whether device information corresponding to the identity exists; and, if it does, to return the device information corresponding to the identity to the edge node;
the external device is configured to send an access request to the edge node in the content delivery network, the access request carrying encrypted data, where the encrypted data includes the identity of the external device;
the edge node is configured to decrypt the encrypted data to obtain the identity of the external device and send an authentication request carrying the identity to the authentication server; and, after receiving the device information corresponding to the identity from the authentication server, to authenticate and accept the access request of the external device.
Embodiment three
Referring to Fig. 3, the application also provides an authentication method in a content delivery network that can be performed by an edge node. The method includes:
S31: receive an access request sent by an external device, the access request carrying encrypted data, where the encrypted data includes the identity of the external device;
S32: decrypt the encrypted data to obtain the identity of the external device, and send an authentication request carrying the identity to the authentication server;
S33: after receiving the device information corresponding to the identity from the authentication server, authenticate and accept the access request of the external device.
In this embodiment, the method also includes:
keeping the device information corresponding to the identity that the authentication server returned for a specified duration;
when another access request from the external device is received within that duration, querying locally whether device information for the external device exists.
In this embodiment, before the authentication request carrying the identity is sent to the authentication server, the method also includes:
querying locally whether device information corresponding to the identity exists; if it does, authenticating and accepting the access request of the external device; if it does not, sending the authentication request carrying the identity to the authentication server.
Embodiment four
Referring to Fig. 4, the application also provides an edge node in a content distribution network. The edge node includes:
An access request receiving unit 100, configured to receive an access request sent by an external device, the access request carrying encrypted data; wherein the encrypted data includes the identity identifier of the external device;
An authentication request sending unit 200, configured to decrypt the encrypted data to obtain the identity identifier of the external device, and to send an authentication request carrying the identity identifier to an authentication server;
An authentication passing unit 300, configured to authenticate the access request of the external device after receiving from the authentication server the device information corresponding to the identity identifier.
Embodiment five
Referring to Fig. 5, the application also provides an authentication method in a content distribution network. This method may be performed by an authentication server and includes:
S51: Continuously receive registration messages sent by different external devices and, according to a predetermined communication protocol, if a registration message registers successfully, store the device information of the external device that registered successfully;
S52: Receive an authentication request sent by an edge node, the authentication request carrying the identity identifier of an external device;
S53: According to the identity identifier in the authentication request, query whether device information corresponding to the identity identifier exists; if it exists, return the device information corresponding to the identity identifier to the edge node.
In this embodiment, after a registration message sent by an external device is received, the method further includes:
Determining whether the registration message carries a specified token; if it does not, discarding the registration message; if it does, verifying the validity of the registration message.
In this embodiment, the registration message includes the plaintext of the identity identifier of the external device and a ciphertext obtained by encrypting the identity identifier with a predetermined encryption algorithm. Correspondingly, when verifying the registration message, the ciphertext is decrypted with a predetermined decryption algorithm and the decrypted data is checked against the plaintext; if they are consistent, the registration request passes verification; if they are inconsistent, a registration failure notification is sent to the external device.
In this embodiment, after the step of storing the device information of the external device, the method further includes:
If no heartbeat packet sent by the external device is received within a preset duration, deleting the stored device information of that external device.
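The two sides of the flow described in Embodiments three and five, together with the token check, the dynamic check data of claim 6 and the heartbeat expiry of claim 7, modelled end to end as an added example (not code from the patent or its applicant). The patent leaves the encryption algorithm, message formats, key distribution and timing values unspecified; the XOR keystream cipher, the shared key, the token string, the dictionary message layout and the durations below are all constructed assumptions.

```python
import hashlib
import hmac
import os

def xor_crypt(key, nonce, data):
    # Toy XOR keystream cipher from HMAC-SHA256 counter blocks: a hypothetical stand-in for
    # the patent's unspecified "predetermined encryption algorithm", not for real use.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def encrypt(key, data):
    nonce = os.urandom(16)  # fresh nonce per message, prepended to the ciphertext
    return nonce + xor_crypt(key, nonce, data)

def decrypt(key, blob):
    return xor_crypt(key, blob[:16], blob[16:])

class AuthServer:
    def __init__(self, key, token, heartbeat_timeout):
        self.key, self.token, self.heartbeat_timeout = key, token, heartbeat_timeout
        self.devices = {}         # identity -> {"info": ..., "last_seen": time}
        self.pending_checks = {}  # identity -> dynamic check data issued for registration

    def issue_check_data(self, identity):
        self.pending_checks[identity] = os.urandom(8)  # claim 6: dynamic check data
        return self.pending_checks[identity]

    def register(self, msg, now):
        if not hmac.compare_digest(str(msg.get("token", "")), self.token):
            return False  # no specified token: the registration message is discarded
        identity = msg["identity"]                   # plaintext identity
        data = decrypt(self.key, msg["ciphertext"])  # encrypted (check data + identity)
        check = self.pending_checks.pop(identity, None)
        # Claim 6: decrypted data must carry the check data issued for this registration,
        # so a captured registration message cannot simply be replayed later.
        if check is None or not data.startswith(check):
            return False
        if not hmac.compare_digest(data[len(check):], identity.encode()):
            return False  # decrypted identity disagrees with the plaintext identity
        self.devices[identity] = {"info": msg["device_info"], "last_seen": now}
        return True

    def heartbeat(self, identity, now):
        if identity in self.devices:
            self.devices[identity]["last_seen"] = now

    def expire(self, now):
        # Claim 7: forget devices whose last heartbeat is older than the preset duration.
        for ident in [i for i, d in self.devices.items()
                      if now - d["last_seen"] > self.heartbeat_timeout]:
            del self.devices[ident]

    def query(self, identity):
        entry = self.devices.get(identity)  # S53: answer the edge node's authentication request
        return None if entry is None else entry["info"]

class EdgeNode:
    def __init__(self, key, server, cache_ttl):
        self.key, self.server, self.cache_ttl = key, server, cache_ttl
        self.cache = {}  # identity -> (device info, expiry time)

    def handle_access(self, request, now):
        identity = decrypt(self.key, request["encrypted"]).decode("utf-8", "replace")  # S32
        cached = self.cache.get(identity)
        if cached is not None and cached[1] > now:
            return True  # claim 8: answered from the locally kept device information
        info = self.server.query(identity)  # authentication request carrying the identity
        if info is None:
            return False  # S33 never reached: no device information, access denied
        self.cache[identity] = (info, now + self.cache_ttl)  # claim 3: keep for the set duration
        return True

def run_scenario():
    # Constructed inputs; returns the observable outcomes of one run of the protocol.
    key, token, ident = b"constructed-shared-key", "constructed-token", "device-001"
    server = AuthServer(key, token, heartbeat_timeout=30.0)
    edge = EdgeNode(key, server, cache_ttl=60.0)
    check = server.issue_check_data(ident)
    reg = {"token": token, "identity": ident, "device_info": {"owner": "demo"},
           "ciphertext": encrypt(key, check + ident.encode())}
    access = {"encrypted": encrypt(key, ident.encode())}
    r = {"missing_token_rejected": not server.register({**reg, "token": ""}, now=0.0),
         "registered": server.register(reg, now=0.0),
         "replay_rejected": not server.register(reg, now=1.0),
         "access_granted": edge.handle_access(access, now=2.0),
         "unknown_denied": not edge.handle_access({"encrypted": encrypt(key, b"device-999")}, now=3.0)}
    server.heartbeat(ident, now=10.0)
    server.expire(now=50.0)  # 40 s since the last heartbeat exceeds the 30 s timeout
    r["server_forgot_device"] = server.query(ident) is None
    # Caveat: the edge cache (valid until t=62) outlives the server-side entry.
    r["stale_cache_still_grants"] = edge.handle_access(access, now=55.0)
    r["denied_after_cache_expiry"] = not edge.handle_access(access, now=70.0)
    return r
```

The last two results show the trade-off a deployment has to budget for: once the authentication server has dropped a device for missing heartbeats, an edge node keeps granting it access until its locally kept copy times out, so the specified duration bounds how long a revocation takes to reach every edge.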
Embodiment six
Referring to Fig. 6, the application also provides an authentication server in a content distribution network. The authentication server includes:
A registration message receiving unit 110, configured to receive registration messages sent by different external devices and, after a registration message registers successfully, store the device information of the external device that registered successfully;
An authentication request receiving unit 210, configured to receive an authentication request sent by an edge node, the authentication request carrying the identity identifier of an external device;
A query unit 310, configured to query, according to the identity identifier in the authentication request, whether device information corresponding to the identity identifier exists, and, if it exists, to return the device information corresponding to the identity identifier to the edge node.
The technical solutions provided by the embodiments of the present invention therefore bring the following beneficial effects. A unified authentication server is added to the content distribution network, and the registration information of external devices is stored by the authentication server. When an external device sends an authentication request to an edge node, the edge node can query the authentication server for the device information of the external device that has corresponding registration information, thereby completing the authentication process; alternatively, the edge node can keep the device information corresponding to the identity identifier returned by the authentication server for a specified duration and complete the query locally without consulting the authentication server, which improves authentication efficiency. With the authentication method, authentication system, edge node and authentication server in a CDN provided by the present invention, no information sharing is needed within an edge node or between different edge nodes, while it is still ensured that the edge node receiving an authentication request can obtain the registration information of the external device in time, which guarantees that the authentication process proceeds normally and improves its efficiency. Moreover, when the authentication server communicates with an external device it uses a specific communication protocol or identity verification scheme; the verification scheme may include carrying a token, or an identity identifier protected by an encryption policy, and so on, so that access requests that do not meet the conditions are denied. This gives the scheme a degree of protection against attacks and further improves reliability.
The embodiments of the present invention are numbered for description only; the numbering does not indicate the merits of any embodiment.
The system embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware. Based on this understanding, the above technical solution, or the part of it that contributes over the prior art, may be embodied in the form of a software product. The computer software product may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method described in each embodiment or in some parts of the embodiments.
The foregoing is only the preferred embodiments of the present invention and is not intended to limit the invention. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (20)

1. An authentication method in a content distribution network, characterised in that the method includes:
an external device sending an access request to an edge node in the content distribution network, the access request carrying encrypted data; wherein the encrypted data includes the identity identifier of the external device;
the edge node decrypting the encrypted data to obtain the identity identifier of the external device, and sending an authentication request carrying the identity identifier to an authentication server;
the authentication server querying, according to the identity identifier in the authentication request, whether device information corresponding to the identity identifier exists; and, if it exists, returning the device information corresponding to the identity identifier to the edge node;
the edge node, after receiving from the authentication server the device information corresponding to the identity identifier, authenticating the access request of the external device.
2. The method according to claim 1, characterised in that the method further includes: the authentication server continuously receiving registration messages sent by different external devices and storing the device information of the external devices that register successfully, wherein the access request of an external device that registered successfully is authenticated.
3. The method according to claim 1, characterised in that the method further includes:
the edge node keeping, for a specified duration, the device information corresponding to the identity identifier returned by the authentication server;
when the edge node receives an access request from the external device again within the specified duration, querying locally whether device information corresponding to the external device exists.
4. The method according to claim 2, characterised in that, after the authentication server receives a registration message sent by an external device, the method further includes:
the authentication server determining whether the registration message carries a specified token; if it does not, discarding the registration message; if it does, verifying the validity of the registration message.
5. The method according to claim 2, characterised in that the registration message includes the plaintext of the identity identifier of the external device and a ciphertext obtained by encrypting the identity identifier with a predetermined encryption algorithm; correspondingly, when verifying the registration message, the authentication server decrypts the ciphertext with a predetermined decryption algorithm and checks whether the decrypted data is consistent with the plaintext; if consistent, the registration request passes verification; if inconsistent, a registration failure notification is sent to the external device.
6. The method according to claim 5, characterised in that the step of encrypting the identity identifier with the predetermined encryption algorithm includes:
adding dynamic check data provided by the authentication server to the identity identifier, and encrypting the identity identifier with the added dynamic check data using the predetermined encryption algorithm;
correspondingly, after the authentication server decrypts the ciphertext with the predetermined decryption algorithm, the method further includes:
the authentication server determining whether the decrypted data contains the dynamic check data; if it does, verifying the consistency of the decrypted data with the plaintext; if it does not, sending a registration failure notification to the external device.
7. The method according to claim 2, characterised in that, after the step of the authentication server storing the device information of the external device that registered successfully, the method further includes:
the external device sending heartbeat packets to the authentication server at a predetermined period;
if the authentication server does not receive a heartbeat packet sent by the external device within a preset duration, deleting the stored device information of that external device.
8. The method according to claim 1, characterised in that, before the authentication request carrying the identity identifier is sent to the authentication server, the method further includes:
the edge node querying locally whether device information corresponding to the identity identifier exists; if it exists, authenticating the access request of the external device; if it does not exist, sending the authentication request carrying the identity identifier to the authentication server.
9. An authentication system in a content distribution network, characterised in that the system includes an authentication server and an edge node, wherein:
the authentication server is configured to receive registration messages sent by external devices and store the device information of the external devices that register successfully; to receive an authentication request sent by the edge node and query, according to the identity identifier in the authentication request, whether device information corresponding to the identity identifier exists; and, if it exists, to return the device information corresponding to the identity identifier to the edge node; and
the edge node is configured to decrypt encrypted data to obtain the identity identifier of the external device, and to send the authentication request carrying the identity identifier to the authentication server; and, after receiving from the authentication server the device information corresponding to the identity identifier, to authenticate the access request of the external device.
10. The authentication system according to claim 9, characterised in that the external device is configured to send an access request to the edge node in the content distribution network, the access request carrying encrypted data; wherein the encrypted data includes the identity identifier of the external device.
11. An authentication method in a content distribution network, characterised in that the method includes:
receiving an access request sent by an external device, the access request carrying encrypted data; wherein the encrypted data includes the identity identifier of the external device;
decrypting the encrypted data to obtain the identity identifier of the external device, and sending an authentication request carrying the identity identifier to an authentication server;
after receiving from the authentication server the device information corresponding to the identity identifier, authenticating the access request of the external device.
12. The method according to claim 11, characterised in that the method further includes:
keeping, for a specified duration, the device information corresponding to the identity identifier returned by the authentication server;
when an access request from the external device is received again within the specified duration, querying locally whether device information corresponding to the external device exists.
13. The method according to claim 11, characterised in that, before the authentication request carrying the identity identifier is sent to the authentication server, the method further includes:
querying locally whether device information corresponding to the identity identifier exists; if it exists, authenticating the access request of the external device; if it does not exist, sending the authentication request carrying the identity identifier to the authentication server.
14. An edge node in a content distribution network, characterised in that the edge node includes:
an access request receiving unit, configured to receive an access request sent by an external device, the access request carrying encrypted data; wherein the encrypted data includes the identity identifier of the external device;
an authentication request sending unit, configured to decrypt the encrypted data to obtain the identity identifier of the external device, and to send an authentication request carrying the identity identifier to an authentication server;
an authentication passing unit, configured to authenticate the access request of the external device after receiving from the authentication server the device information corresponding to the identity identifier.
15. An authentication method in a content distribution network, characterised in that the method includes:
receiving an authentication request sent by an edge node, the authentication request carrying the identity identifier of an external device;
querying, according to the identity identifier in the authentication request, whether device information corresponding to the identity identifier exists; if it exists, returning the device information corresponding to the identity identifier to the edge node.
16. The method according to claim 15, characterised in that it further includes the step of continuously receiving registration messages sent by different external devices and storing the device information of the external devices that register successfully.
17. The method according to claim 16, characterised in that, after receiving the registration messages sent by the different external devices, the method further includes:
determining whether a registration message carries a specified token; if it does not, discarding the registration message; if it does, verifying the validity of the registration message.
18. The method according to claim 16, characterised in that the registration message includes the plaintext of the identity identifier of the external device and a ciphertext obtained by encrypting the identity identifier with a predetermined encryption algorithm; correspondingly, when verifying the registration message, the ciphertext is decrypted with the predetermined decryption algorithm and the decrypted data is checked for consistency with the plaintext; if consistent, the registration request passes verification; if inconsistent, a registration failure notification is sent to the external device.
19. The method according to claim 16, characterised in that, after the step of storing the device information of the external device that registered successfully, the method further includes:
if no heartbeat packet sent by the external device is received within a preset duration, deleting the stored device information of the external device.
20. An authentication server in a content distribution network, characterised in that the authentication server includes:
a registration message receiving unit, configured to receive registration messages sent by different external devices and, after a registration message registers successfully, store the device information of the external device that registered successfully;
an authentication request receiving unit, configured to receive an authentication request sent by an edge node, the authentication request carrying the identity identifier of the external device;
a query unit, configured to query, according to the identity identifier in the authentication request, whether device information corresponding to the identity identifier exists, and, if it exists, to return the device information corresponding to the identity identifier to the edge node.
CN201710378887.1A 2017-05-25 2017-05-25 Method for authenticating, right discriminating system, fringe node and authentication server in CDN Pending CN106961451A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710378887.1A CN106961451A (en) 2017-05-25 2017-05-25 Method for authenticating, right discriminating system, fringe node and authentication server in CDN

Publications (1)

Publication Number Publication Date
CN106961451A true CN106961451A (en) 2017-07-18

Family

ID=59482178

Country Status (1)

Country Link
CN (1) CN106961451A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20170718