CN106961451A - Method for authenticating, right discriminating system, fringe node and authentication server in CDN - Google Patents
- Publication number: CN106961451A (application number CN201710378887.1A)
- Authority: CN (China)
- Prior art keywords: identity, external equipment, authentication server, facility information, sent
- Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC)
- H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
- H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
Abstract
The invention discloses an authentication method, authentication system, edge node and authentication server in a CDN. The method includes: an authentication server authenticates an external device and stores its device information; the external device sends an access request to an edge node in the content delivery network, the access request carrying encrypted data that contains the identity identifier of the device; the edge node obtains the identity identifier of the external device and sends an authentication request carrying that identifier to the authentication server; the authentication server queries whether device information corresponding to the identity identifier exists and, if so, returns it to the edge node; after receiving the device information returned by the authentication server, the edge node approves the access request of the external device. The technical scheme provided by the invention ensures that the authentication process proceeds normally.
Description
Technical field
The present invention relates to the field of Internet technology, and in particular to an authentication method, authentication system, edge node and authentication server in a CDN.
Background technology
In current content delivery networks (Content Delivery Network, CDN), an external device sometimes needs to be authenticated when it accesses an edge node; only after authentication passes can it access the edge node normally.
At present, an external device is usually authenticated by the following steps:
Step 1: it sends a registration request to some server in the edge node; after registration succeeds, the servers in the edge node need to synchronize the registration information so that it can be verified during authentication;
Step 2: it sends an authentication request to an access server in the edge node;
Step 3: after authentication passes, it can access the edge node.
However, this existing authentication method usually brings the following problems:
First, within one edge node, because of the load-balancing mechanism, the server that actually accepts the device registration and the server that performs the authentication may not be the same, so information must be synchronized among the servers in the edge node, which complicates deployment and operation.
Second, DNS resolution may cause the external device to send its registration request to one edge node and its authentication request to another; if data is not shared between different edge nodes, or is not synchronized in time, access may fail.
Therefore the existing authentication method, which requires information synchronization within an edge node, increases the load on every server in the node; and if information cannot be shared between different edge nodes, or is not synchronized in time, the external device may be unable to access the edge node.
Summary of the invention
To solve the problems of the prior art, embodiments of the invention provide an authentication method, authentication system, edge node and authentication server in a CDN. The technical scheme is as follows:
In one aspect, an authentication method in a content delivery network, the method including:
an external device sends an access request to an edge node in the content delivery network, the access request carrying encrypted data, where the encrypted data includes the identity identifier of the external device;
the edge node decrypts the encrypted data to obtain the identity identifier of the external device, and sends an authentication request carrying the identity identifier to an authentication server;
the authentication server, according to the identity identifier in the authentication request, queries whether device information corresponding to the identity identifier exists, and if so returns the device information corresponding to the identity identifier to the edge node;
after receiving the device information corresponding to the identity identifier returned by the authentication server, the edge node approves the access request of the external device.
Further, the method also includes: the authentication server continuously receives registration information sent by different external devices and stores the device information of external devices whose registration succeeds, where the access requests of successfully registered external devices are approved.
Further, the method also includes:
the edge node keeps the device information corresponding to the identity identifier returned by the authentication server for a specified duration;
when the edge node receives an access request from the external device again within the specified duration, it queries locally whether device information corresponding to the external device exists.
Further, after the authentication server receives the registration information sent by the external device, the method also includes:
the authentication server judges whether the registration information carries a specified token; if not, it discards the registration information; if it does, it authenticates the validity of the registration information.
Further, the registration information includes the plaintext of the identity identifier of the external device and a ciphertext obtained by encrypting the identity identifier according to a preset encryption algorithm; correspondingly, when authenticating the registration information, the authentication server decrypts the ciphertext according to a preset decryption algorithm and checks whether the decrypted data is consistent with the plaintext; if consistent, it approves the registration request; if inconsistent, it sends a registration-failure prompt to the external device.
Further, the step of encrypting the identity identifier according to the preset encryption algorithm includes:
adding dynamic check data provided by the authentication server to the identity identifier, and encrypting the identity identifier with the dynamic check data added according to the preset encryption algorithm;
correspondingly, after the authentication server decrypts the ciphertext according to the preset decryption algorithm, the method also includes:
the authentication server judges whether the decrypted data contains the dynamic check data; if so, it authenticates the consistency of the decrypted data with the plaintext; if not, it sends a registration-failure prompt to the external device.
Further, after the step in which the authentication server stores the device information of the successfully registered external device, the method also includes:
the external device sends heartbeat packets to the authentication server at a predetermined period;
if the authentication server does not receive a heartbeat packet from the external device within a preset duration, it deletes the stored device information of that external device.
Further, before the authentication request carrying the identity identifier is sent to the authentication server, the method also includes:
the edge node queries locally whether device information corresponding to the identity identifier exists; if so, it approves the access request of the external device; if not, it sends the authentication request carrying the identity identifier to the authentication server.
In another aspect, an authentication system in a content delivery network, the system including an authentication server and an edge node, where:
the authentication server is configured to receive registration information sent by an external device and store the device information of the successfully registered external device; to receive an authentication request sent by the edge node and, according to the identity identifier in the authentication request, query whether device information corresponding to the identity identifier exists; and, if so, to return the device information corresponding to the identity identifier to the edge node; and
the edge node is configured to decrypt the encrypted data to obtain the identity identifier of the external device and send an authentication request carrying the identity identifier to the authentication server; and, after receiving the device information corresponding to the identity identifier returned by the authentication server, to approve the access request of the external device.
Further, the external device is configured to send an access request to the edge node in the content delivery network, the access request carrying encrypted data, where the encrypted data includes the identity identifier of the external device.
In another aspect, an authentication method in a content delivery network, the method including:
receiving an access request sent by an external device, the access request carrying encrypted data, where the encrypted data includes the identity identifier of the external device;
decrypting the encrypted data to obtain the identity identifier of the external device, and sending an authentication request carrying the identity identifier to an authentication server;
after receiving the device information corresponding to the identity identifier returned by the authentication server, approving the access request of the external device.
Further, the method also includes:
keeping the device information corresponding to the identity identifier returned by the authentication server for a specified duration;
when an access request from the external device is received again within the specified duration, querying locally whether device information corresponding to the external device exists.
Further, before the authentication request carrying the identity identifier is sent to the authentication server, the method also includes:
querying locally whether device information corresponding to the identity identifier exists; if so, approving the access request of the external device; if not, sending the authentication request carrying the identity identifier to the authentication server.
In another aspect, an edge node in a content delivery network, the edge node including:
an access request receiving unit, configured to receive an access request sent by an external device, the access request carrying encrypted data, where the encrypted data includes the identity identifier of the external device;
an authentication request sending unit, configured to decrypt the encrypted data to obtain the identity identifier of the external device and send an authentication request carrying the identity identifier to an authentication server;
an authentication approval unit, configured to approve the access request of the external device after receiving the device information corresponding to the identity identifier returned by the authentication server.
In another aspect, an authentication method in a content delivery network, the method including:
receiving an authentication request sent by an edge node, the authentication request carrying the identity identifier of an external device;
according to the identity identifier in the authentication request, querying whether device information corresponding to the identity identifier exists; if so, returning the device information corresponding to the identity identifier to the edge node.
Further, the method also includes the step of continuously receiving registration information sent by different external devices and storing the device information of successfully registered external devices.
Further, after the registration information sent by the different external devices is received, the method also includes:
judging whether the registration information carries a specified token; if not, discarding the registration information; if it does, authenticating the validity of the registration information.
Further, the registration information includes the plaintext of the identity identifier of the external device and a ciphertext obtained by encrypting the identity identifier according to a preset encryption algorithm; correspondingly, when authenticating the registration information, decrypting the ciphertext according to the preset decryption algorithm and checking whether the decrypted data is consistent with the plaintext; if consistent, approving the registration request; if inconsistent, sending a registration-failure prompt to the external device.
Further, after the step of storing the device information of the successfully registered external device, the method also includes:
if no heartbeat packet from the external device is received within a preset duration, deleting the stored device information of that external device.
In another aspect, an authentication server in a content delivery network, the authentication server including:
a registration information receiving unit, configured to receive registration information sent by different external devices and, after the registration information registers successfully, store the device information of the successfully registered external device;
an authentication request receiving unit, configured to receive an authentication request sent by an edge node, the authentication request carrying the identity identifier of the external device;
a query unit, configured to query, according to the identity identifier in the authentication request, whether device information corresponding to the identity identifier exists and, if so, return the device information corresponding to the identity identifier to the edge node.
The beneficial effects of the technical scheme provided by the embodiments of the invention are as follows. By configuring a unified authentication server in the content delivery network, the registration information of external devices is kept by the authentication server. Thus, when an external device sends an authentication request to an edge node, the edge node can query the authentication server for the device information of the external device that has the corresponding registration information, and so complete the authentication process; alternatively, the edge node can keep the device information corresponding to the identity identifier returned by the authentication server for a specified duration and complete the query locally, without querying the authentication server, which improves authentication efficiency. The authentication method, authentication system, edge node and authentication server in a CDN provided by the invention do not require information sharing within an edge node or between different edge nodes, while also ensuring that the edge node receiving the authentication request can obtain the registration information of the external device in time, which ensures that the authentication process proceeds normally and improves its efficiency. Moreover, when the authentication server communicates with external devices, a specific communication protocol or authentication mode is used; the identity verification mode can include carrying a token, or encrypting the identity identifier according to an encryption policy, etc., so that access requests that do not meet the requirements can be denied, which provides a measure of protection against attacks and further improves reliability.
Brief description of the drawings
To explain the technical scheme of the embodiments of the invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative work.
Fig. 1 is a flow chart of the authentication method in embodiment one of the invention;
Fig. 2 is a schematic structural diagram of the authentication system in embodiment two of the invention;
Fig. 3 is a flow chart of the authentication method in embodiment three of the invention;
Fig. 4 is a schematic structural diagram of the authentication server in embodiment four of the invention;
Fig. 5 is a flow chart of the authentication method in embodiment five of the invention;
Fig. 6 is a schematic structural diagram of the edge node in embodiment six of the invention.
Embodiment
To make the objects, technical solutions and advantages of the invention clearer, the embodiments of the invention are described in further detail below with reference to the drawings.
Embodiment one
Referring to Fig. 1, this embodiment of the application provides an authentication method in a content delivery network, the method including:
S1: The authentication server continuously receives registration information sent by different external devices according to a corresponding predetermined communication protocol; if the registration information of an external device registers successfully, the device information of that external device is stored.
In this embodiment, external devices can uniformly send their registration requests to the authentication server, and the authentication server manages the registration information of all external devices.
Specifically, the authentication server and the external devices can communicate using a specific protocol, and any data request that does not conform to the protocol is refused by the authentication server without exception, so that unnecessary junk data is filtered out while data security is ensured.
In this embodiment, the above specific protocol can implement the following functions:
After the authentication server receives the registration information sent by an external device, it can judge whether the registration information carries a specified token. If not, the data is deemed not to meet the protocol requirements and the registration information is discarded. If it does, the validity of the registration information can be further authenticated.
In this embodiment, the registration information can include the plaintext of the identity identifier of the external device and a ciphertext obtained by encrypting the identity identifier according to a preset encryption algorithm. Correspondingly, when authenticating the registration information, the authentication server can decrypt the ciphertext according to a preset decryption algorithm and check whether the decrypted data is consistent with the plaintext. If they are consistent, the encryption algorithm used by the external device matches the decryption algorithm used by the authentication server, and the registration request is approved. If they are inconsistent, a registration-failure prompt can be sent to the external device.
In this embodiment, to further ensure the reliability of the data, when the external device encrypts the identity identifier according to the preset encryption algorithm, it can add dynamic check data provided by the authentication server to the identity identifier and encrypt the identity identifier with the dynamic check data added. Then, after decrypting the ciphertext according to the preset decryption algorithm, the authentication server can judge whether the decrypted data contains the dynamic check data; if it does, the consistency of the decrypted data with the plaintext can be further authenticated; if it does not, a registration-failure prompt can be sent to the external device.
In this embodiment, after the authentication server has stored the device information of the external device, the external device needs to send heartbeat packets to the authentication server at a predetermined period to show that it is currently online. If the authentication server does not receive a heartbeat packet from the external device within a preset duration, the external device may be offline or faulty, and the stored device information of that external device is deleted.
S2: The external device sends an access request to an edge node in the content delivery network, the access request carrying encrypted data; the encrypted data includes the identity identifier of the external device.
In this embodiment, only after passing registration authentication at the authentication server does the external device have the right to send an access request to the edge node. The external device can encrypt its own identity identifier and send it to the edge node. The identity identifier can be, for example, at least one of the MAC address, device serial number and/or IP address of the external device.
S3: The edge node decrypts the encrypted data to obtain the identity identifier of the external device, and sends an authentication request carrying the identity identifier to the authentication server.
In this embodiment, the communication protocol between the external device and the edge node can define the encryption and decryption algorithms used for data encryption and decryption, so after receiving the encrypted data the edge node can decrypt it with the corresponding decryption algorithm and obtain the identity identifier of the external device carried in it.
In this embodiment, after obtaining the identity identifier of the external device, the edge node can send an authentication request carrying the identity identifier to the authentication server, to verify whether the external device has device information at the authentication server.
It should be noted that in one embodiment of the application, the edge node can first query locally whether it holds the device information of the external device. Specifically, the edge node can query locally whether device information corresponding to the identity identifier exists. If it exists, the access request of the external device can be approved. If it does not exist, the authentication request carrying the identity identifier can be sent to the authentication server.
S4: The authentication server, according to the identity identifier in the authentication request, queries whether device information corresponding to the identity identifier exists; if so, it returns the device information corresponding to the identity identifier to the edge node.
In this embodiment, after receiving the authentication request, the authentication server can extract the identity identifier carried in it and query locally whether device information corresponding to the identity identifier exists. If it exists, the external device has already registered and can be allowed to access the edge node; the authentication server can therefore return the device information corresponding to the identity identifier to the edge node. If it does not exist, the external device has not registered, or its registration information has expired, and a prompt that registration is required can be returned to the external device.
S5: After receiving the device information corresponding to the identity identifier returned by the authentication server, the edge node approves the access request of the external device.
In this embodiment, when the edge node receives the device information returned by the authentication server, this shows that the external device has previously registered at the authentication server, so it can be allowed to access the edge node.
In one embodiment of the application, after receiving the device information sent by the authentication server, the edge node can also keep the device information corresponding to the identity identifier returned by the authentication server for a specified duration. For example, the device information can be kept locally for 1 hour. When the edge node receives an access request from the external device again within the specified duration, it need not send an authentication request to the authentication server; it can query locally whether device information corresponding to the external device exists and, if so, directly allow the external device to access the edge node, improving authentication efficiency.
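The registration, heartbeat and access flow of steps S1 to S5 above (the same flow that the summary of the invention restates as claims), modelled end to end as an added example in Python. This is not code from the patent or from any implementation of it. The patent does not name its preset encryption algorithm, token format, check data or timeouts, so the example stands in for them with an HMAC-SHA256 counter-mode keystream, a constructed token value, 8 random bytes of check data, and constructed timestamps; the shared key and the device identity are likewise constructed.

```python
import hashlib
import hmac
import os

# Stand-in for the patent's unspecified "preset encryption algorithm": an
# HMAC-SHA256 keystream in counter mode XORed with the data (constructed for
# this example). It is symmetric, so one function both encrypts and decrypts;
# a (key, nonce) pair must never be reused for two messages.
def keystream_xor(key, nonce, data):
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

REG_TOKEN = b"example-token"        # constructed "specified token"
SHARED_KEY = b"example-shared-key"  # constructed key pre-agreed by devices and servers

class AuthServer:
    # Keeps the registration records and answers the edge node's queries (S1, S4).
    def __init__(self, heartbeat_timeout):
        self.heartbeat_timeout = heartbeat_timeout
        self.devices = {}     # identity -> (device info, time of last heartbeat)
        self.challenges = {}  # identity -> dynamic check data issued to it

    def issue_check_data(self, identity):
        self.challenges[identity] = os.urandom(8)
        return self.challenges[identity]

    def register(self, msg, now):
        # Registration information without the specified token is discarded.
        if not hmac.compare_digest(msg.get("token", b""), REG_TOKEN):
            return "dropped"
        identity = msg["identity"]
        decrypted = keystream_xor(SHARED_KEY, msg["nonce"], msg["ciphertext"])
        # Decrypted data must carry the check data issued for this identity (consumed here) ...
        check = self.challenges.pop(identity, None)
        if check is None or not decrypted.endswith(check):
            return "registration failed"
        # ... and the remainder must be consistent with the plaintext identity.
        if not hmac.compare_digest(decrypted[:-len(check)], identity):
            return "registration failed"
        self.devices[identity] = ({"identity": identity.decode()}, now)
        return "registered"

    def heartbeat(self, identity, now):
        if identity in self.devices:
            self.devices[identity] = (self.devices[identity][0], now)

    def lookup(self, identity, now):
        # Records whose heartbeat is overdue are deleted before answering.
        for dev, (_, last) in list(self.devices.items()):
            if now - last > self.heartbeat_timeout:
                del self.devices[dev]
        entry = self.devices.get(identity)
        return entry[0] if entry else None

def access_request(identity):
    # What the external device sends to the edge node (S2): its encrypted identity.
    nonce = os.urandom(8)
    return {"nonce": nonce, "ciphertext": keystream_xor(SHARED_KEY, nonce, identity)}

class EdgeNode:
    # Decrypts the request, checks its local cache, then asks the server (S3, S5).
    def __init__(self, server, cache_ttl):
        self.server, self.cache_ttl = server, cache_ttl
        self.cache = {}  # identity -> (device info, time cached)

    def handle_access(self, req, now):
        identity = keystream_xor(SHARED_KEY, req["nonce"], req["ciphertext"])
        cached = self.cache.get(identity)
        if cached and now - cached[1] <= self.cache_ttl:
            return "allowed-local"  # no round trip to the authentication server
        info = self.server.lookup(identity, now)
        if info is None:
            return "denied"
        self.cache[identity] = (info, now)
        return "allowed"

def run_scenario():
    # Walks one constructed device through the flow; times are seconds.
    server = AuthServer(heartbeat_timeout=30)
    edge = EdgeNode(server, cache_ttl=3600)
    dev = b"AA:BB:CC:DD:EE:FF"  # constructed identity (a MAC address)
    out = {"before_registration": edge.handle_access(access_request(dev), 0)}
    out["no_token"] = server.register({"identity": dev}, 1)
    check = server.issue_check_data(dev)
    nonce = os.urandom(8)
    msg = {"token": REG_TOKEN, "identity": dev, "nonce": nonce,
           "ciphertext": keystream_xor(SHARED_KEY, nonce, dev + check)}
    out["register"] = server.register(msg, 2)
    out["replayed_register"] = server.register(msg, 3)
    out["first_access"] = edge.handle_access(access_request(dev), 10)
    out["cached_access"] = edge.handle_access(access_request(dev), 20)
    server.heartbeat(dev, 25)
    out["after_heartbeat"] = EdgeNode(server, 3600).handle_access(access_request(dev), 50)
    out["after_timeout"] = EdgeNode(server, 3600).handle_access(access_request(dev), 100)
    return out
```

Calling `run_scenario()` walks through the outcomes the text describes: an unregistered device is denied, a registration without the token is dropped, a correct registration succeeds, a second access within the cache duration is answered locally, and a device whose heartbeat lapses is deleted and denied again. Two design points of this model go slightly beyond the patent's wording: the server consumes the check data on first use, so a captured registration message cannot be registered a second time, and the comparison of the decrypted data with the plaintext identifier is what proves that the sender holds the shared key.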
Embodiment two
Referring to Fig. 2, this embodiment of the application also provides an authentication system in a content delivery network, the system including an external device, an authentication server and an edge node, where:
the authentication server is configured to receive registration information sent by the external device and store the device information of the successfully registered external device; to receive an authentication request sent by the edge node and, according to the identity identifier in the authentication request, query whether device information corresponding to the identity identifier exists; and, if so, to return the device information corresponding to the identity identifier to the edge node;
the external device is configured to send an access request to the edge node in the content delivery network, the access request carrying encrypted data, where the encrypted data includes the identity identifier of the external device;
the edge node is configured to decrypt the encrypted data to obtain the identity identifier of the external device and send an authentication request carrying the identity identifier to the authentication server; and, after receiving the device information corresponding to the identity identifier returned by the authentication server, to approve the access request of the external device.
Embodiment three
Referring to Fig. 3, the application also provides an authentication method in a content delivery network, which can be performed by an edge node and includes:
S31: Receiving an access request sent by an external device, the access request carrying encrypted data, where the encrypted data includes the identity identifier of the external device;
S32: Decrypting the encrypted data to obtain the identity identifier of the external device, and sending an authentication request carrying the identity identifier to an authentication server;
S33: After receiving the device information corresponding to the identity identifier returned by the authentication server, approving the access request of the external device.
In this embodiment, the method also includes:
keeping the device information corresponding to the identity identifier returned by the authentication server for a specified duration;
when an access request from the external device is received again within the specified duration, querying locally whether device information corresponding to the external device exists.
In this embodiment, before the authentication request carrying the identity identifier is sent to the authentication server, the method also includes:
querying locally whether device information corresponding to the identity identifier exists; if so, approving the access request of the external device; if not, sending the authentication request carrying the identity identifier to the authentication server.
Embodiment four
Referring to Fig. 4, the application also provides an edge node in a content delivery network, the edge node including:
an access request receiving unit 100, configured to receive an access request sent by an external device, the access request carrying encrypted data, where the encrypted data includes the identity identifier of the external device;
an authentication request sending unit 200, configured to decrypt the encrypted data to obtain the identity identifier of the external device and send an authentication request carrying the identity identifier to an authentication server;
an authentication approval unit 300, configured to approve the access request of the external device after receiving the device information corresponding to the identity identifier returned by the authentication server.
Embodiment five
Referring to Fig. 5, the application also provides an authentication method in a content distribution network. The method may be performed by an authentication server and includes:
S51: Continuously receive registration information sent by different external devices; according to a predetermined communication protocol, if the registration information registers successfully, store the device information of the successfully registered external device.
S52: Receive an authentication request sent by an edge node; the authentication request carries the identity identifier of the external device.
S53: According to the identity identifier in the authentication request, query whether device information corresponding to the identity identifier exists; if it exists, feed back the device information corresponding to the identity identifier to the edge node.
In this embodiment, after the registration information sent by an external device is received, the method further includes:
Judging whether the registration information carries a specified token; if not, discarding the registration information; if so, verifying the validity of the registration information.
In this embodiment, the registration information includes the plaintext of the identity identifier of the external device and a ciphertext obtained by encrypting the identity identifier with a predetermined encryption algorithm. Correspondingly, when the registration information is verified, the ciphertext is decrypted with a preset decryption algorithm and the decrypted data is checked for consistency with the plaintext; if consistent, the registration request passes verification; if inconsistent, a registration-failure prompt message is sent to the external device.
In this embodiment, after the step of storing the device information of the external device, the method further includes:
If no heartbeat packet sent by the external device is received within a preset duration, deleting the stored device information of the external device.
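A runnable model of both sides described above, the edge node method of Fig. 3 (steps S31 to S33 plus the local cache) and the authentication server method of Fig. 5 (steps S51 to S53 plus the token check, the plaintext/ciphertext consistency check and heartbeat expiry), added here as example code that is not part of the patent. The cipher (an HMAC-SHA256 keystream XOR standing in for the unspecified "predetermined encryption algorithm"), the single key shared by device, edge node and server, the static token, the nonce used as dynamic check data, the message layout and all sample values are assumptions.

```python
# Added example, not code from the patent: a runnable model of the flow above.
# Cipher, token, check data, message layout and sample values are constructed.
import hashlib
import hmac
import json
import os


def keystream_xor(key, nonce, data):
    """Toy stand-in cipher (HMAC-SHA256 keystream XOR): one call encrypts and decrypts."""
    out = bytearray()
    for ctr in range(len(data) // 32 + 1):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))


class AuthServer:
    """Unified authentication server holding the info of registered devices."""
    def __init__(self, key, token, heartbeat_timeout):
        self.key, self.token, self.timeout = key, token, heartbeat_timeout
        self.devices = {}         # identity -> {"info": ..., "last_seen": ...}
        self.pending_checks = {}  # identity -> dynamic check data (claim 6)

    def register(self, reg, now):
        """S51: message carries token, plaintext identity, ciphertext and device info."""
        if reg.get("token") != self.token:        # missing/wrong token: discard
            return False
        identity, nonce = reg["identity"], self.pending_checks.pop(reg["identity"], None)
        # ciphertext = E(identity || check data): decrypt and compare with the plaintext
        if nonce is None or keystream_xor(self.key, nonce, reg["ciphertext"]) != identity.encode() + nonce:
            return False                          # inconsistent: registration fails
        self.devices[identity] = {"info": reg["info"], "last_seen": now}
        return True

    def heartbeat(self, identity, now):
        if identity in self.devices:
            self.devices[identity]["last_seen"] = now

    def authenticate(self, identity, now):
        """S53: drop devices silent beyond the preset duration, then look the identity up."""
        for dev in [d for d, e in self.devices.items() if now - e["last_seen"] > self.timeout]:
            del self.devices[dev]
        entry = self.devices.get(identity)
        return None if entry is None else entry["info"]


class EdgeNode:
    """Edge node: decrypts access requests and caches server answers for a TTL."""
    def __init__(self, server, key, cache_ttl):
        self.server, self.key, self.ttl = server, key, cache_ttl
        self.cache, self.server_queries = {}, 0   # identity -> (info, stored_at)

    def handle_access(self, request, now):
        """S31-S33 plus the local lookup of claim 8; True means the request passes."""
        try:  # S31/S32: decrypt the carried data to recover the identity
            plain = keystream_xor(self.key, request["nonce"], request["encrypted"])
            identity = json.loads(plain)["identity"]
        except (KeyError, TypeError, ValueError):
            return False                          # undecryptable or malformed
        if (hit := self.cache.get(identity)) and now - hit[1] <= self.ttl:
            return True                           # answered from the local cache
        self.server_queries += 1                  # S33: ask the authentication server
        info = self.server.authenticate(identity, now)
        if info is None:
            return False
        self.cache[identity] = (info, now)
        return True


def build_registration(server, key, identity, info, token):
    """Device side of S51; the server hands out the dynamic check data first."""
    nonce = server.pending_checks[identity] = os.urandom(8)
    ct = keystream_xor(key, nonce, identity.encode() + nonce)
    return {"token": token, "identity": identity, "ciphertext": ct, "info": info}


def build_access_request(key, identity, nonce):
    """Device side of S31: the identity travels only inside the encrypted data."""
    body = json.dumps({"identity": identity}).encode()
    return {"nonce": nonce, "encrypted": keystream_xor(key, nonce, body)}


def run_scenario():
    """One device: registration, server-backed then cached access, unknown device, expiry."""
    key, token = b"constructed-shared-key", "constructed-token"
    server = AuthServer(key, token, heartbeat_timeout=30.0)
    edge, t = EdgeNode(server, key, cache_ttl=10.0), 1000.0
    ok_reg = server.register(build_registration(server, key, "cam-01", {"site": "A"}, token), t)
    req = build_access_request(key, "cam-01", b"\x01" * 8)
    first = edge.handle_access(req, t + 1)        # cache empty: the server is asked
    cached = edge.handle_access(req, t + 5)       # inside the TTL: no server query
    unknown = edge.handle_access(build_access_request(key, "cam-99", b"\x02" * 8), t + 5)
    expired = edge.handle_access(req, t + 60)     # no heartbeat for 60 s: deleted
    return {"ok_reg": ok_reg, "first": first, "cached": cached, "unknown": unknown, "expired": expired, "queries": edge.server_queries}
```

The scenario never sends a heartbeat, so the server deletes the device after the 30 s timeout and the edge node's stale cache entry (TTL 10 s) cannot keep the request alive.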
Embodiment six
Referring to Fig. 6, the application also provides an authentication server in a content distribution network. The authentication server includes:
A registration information receiving unit 110, configured to receive registration information sent by different external devices and, after the registration information registers successfully, store the device information of the successfully registered external device;
An authentication request receiving unit 210, configured to receive an authentication request sent by an edge node, the authentication request carrying the identity identifier of the external device;
A query unit 310, configured to query, according to the identity identifier in the authentication request, whether device information corresponding to the identity identifier exists, and if it exists, to feed back the device information corresponding to the identity identifier to the edge node.
Therefore, the beneficial effects of the technical solution provided by the embodiments of the present invention are as follows. A unified authentication server is added to the content distribution network, and the registration information of external devices is stored by the authentication server. Thus, when an external device sends an authentication request to an edge node, the edge node can query the authentication server for the device information of an external device that has corresponding registration information, completing the authentication process; alternatively, the edge node can store, for a specified duration, the device information corresponding to the identity identifier fed back by the authentication server, so that the query can be completed locally without querying the authentication server, which improves authentication efficiency. With the authentication method, authentication system, edge node and authentication server in a CDN provided by the present invention, information does not need to be shared within an edge node or between different edge nodes, while the edge node receiving an authentication request is still guaranteed to obtain the registration information of the external device in time, ensuring that the authentication process proceeds normally and improving its efficiency. Moreover, when the authentication server communicates with external devices, a specific communication protocol or identity verification scheme is used; the verification scheme may include carrying a token or an identity identifier protected by an encryption policy, and access requests that do not meet the conditions are denied, which provides protection against attacks and further improves reliability.
The embodiments of the present invention are numbered for description only and the numbering does not represent the merits of the embodiments.
The system embodiments described above are merely illustrative. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus the necessary general hardware platform, or of course by hardware. On this understanding, the above technical solution, or the part of it that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform the method described in each embodiment or in some parts of the embodiments.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution and improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (20)
1. An authentication method in a content distribution network, characterized in that the method includes:
an external device sends an access request to an edge node in the content distribution network, the access request carrying encrypted data, where the encrypted data includes the identity identifier of the external device;
the edge node decrypts the encrypted data to obtain the identity identifier of the external device, and sends an authentication request carrying the identity identifier to the authentication server;
the authentication server queries, according to the identity identifier in the authentication request, whether device information corresponding to the identity identifier exists, and if it exists, feeds back the device information corresponding to the identity identifier to the edge node;
after receiving the device information corresponding to the identity identifier fed back by the authentication server, the edge node passes the access request of the external device.
2. The method according to claim 1, characterized in that the method further includes: the authentication server continuously receives registration information sent by different external devices and stores the device information of the successfully registered external devices, where the external device whose access request is authenticated is one that has registered successfully.
3. The method according to claim 1, characterized in that the method further includes:
the edge node stores, for a specified duration, the device information corresponding to the identity identifier fed back by the authentication server;
when the edge node receives an access request from the external device again within the specified duration, it queries locally whether device information corresponding to the external device exists.
4. The method according to claim 2, characterized in that after the authentication server receives the registration information sent by the external device, the method further includes:
the authentication server judges whether the registration information carries a specified token; if not, it discards the registration information; if so, it verifies the validity of the registration information.
5. The method according to claim 2, characterized in that the registration information includes the plaintext of the identity identifier of the external device and a ciphertext obtained by encrypting the identity identifier with a predetermined encryption algorithm; correspondingly, when verifying the registration information, the authentication server decrypts the ciphertext with a preset decryption algorithm and checks whether the decrypted data is consistent with the plaintext; if consistent, the registration request passes verification; if inconsistent, a registration-failure prompt message is sent to the external device.
6. The method according to claim 5, characterized in that the step of encrypting the identity identifier with the predetermined encryption algorithm includes:
adding dynamic check data provided by the authentication server to the identity identifier, and encrypting the identity identifier with the added dynamic check data using the predetermined encryption algorithm;
correspondingly, after the authentication server decrypts the ciphertext with the preset decryption algorithm, the method further includes:
the authentication server judges whether the decrypted data includes the dynamic check data; if so, it verifies the consistency of the decrypted data with the plaintext; if not, it sends a registration-failure prompt message to the external device.
7. The method according to claim 2, characterized in that after the step in which the authentication server stores the device information of the successfully registered external device, the method further includes:
the external device sends heartbeat packets to the authentication server at a predetermined period;
if the authentication server does not receive a heartbeat packet sent by the external device within a preset duration, it deletes the stored device information of the external device.
8. The method according to claim 1, characterized in that before the authentication request carrying the identity identifier is sent to the authentication server, the method further includes:
the edge node queries locally whether device information corresponding to the identity identifier exists; if it exists, the access request of the external device passes authentication; if it does not exist, the authentication request carrying the identity identifier is sent to the authentication server.
9. An authentication system in a content distribution network, characterized in that the system includes an authentication server and an edge node, where:
the authentication server is configured to receive registration information sent by external devices and store the device information of the successfully registered external devices; to receive an authentication request sent by the edge node and query, according to the identity identifier in the authentication request, whether device information corresponding to the identity identifier exists; and, if it exists, to feed back the device information corresponding to the identity identifier to the edge node; and
the edge node is configured to decrypt encrypted data to obtain the identity identifier of the external device and send an authentication request carrying the identity identifier to the authentication server; and, after receiving the device information corresponding to the identity identifier fed back by the authentication server, to pass the access request of the external device.
10. The authentication system according to claim 9, characterized in that the external device is configured to send an access request to an edge node in the content distribution network, the access request carrying encrypted data, where the encrypted data includes the identity identifier of the external device.
11. An authentication method in a content distribution network, characterized in that the method includes:
receiving an access request sent by an external device, the access request carrying encrypted data, where the encrypted data includes the identity identifier of the external device;
decrypting the encrypted data to obtain the identity identifier of the external device, and sending an authentication request carrying the identity identifier to an authentication server;
after receiving the device information corresponding to the identity identifier fed back by the authentication server, passing the access request of the external device.
12. The method according to claim 11, characterized in that the method further includes:
storing, for a specified duration, the device information corresponding to the identity identifier fed back by the authentication server;
when an access request from the external device is received again within the specified duration, querying locally whether device information corresponding to the external device exists.
13. The method according to claim 11, characterized in that before the authentication request carrying the identity identifier is sent to the authentication server, the method further includes:
querying locally whether device information corresponding to the identity identifier exists; if it exists, the access request of the external device passes authentication; if it does not exist, the authentication request carrying the identity identifier is sent to the authentication server.
14. An edge node in a content distribution network, characterized in that the edge node includes:
an access request receiving unit, configured to receive an access request sent by an external device, the access request carrying encrypted data, where the encrypted data includes the identity identifier of the external device;
an authentication request sending unit, configured to decrypt the encrypted data to obtain the identity identifier of the external device, and to send an authentication request carrying the identity identifier to an authentication server;
an authentication passing unit, configured to pass the access request of the external device after the device information corresponding to the identity identifier fed back by the authentication server is received.
15. An authentication method in a content distribution network, characterized in that the method includes:
receiving an authentication request sent by an edge node, the authentication request carrying the identity identifier of an external device;
querying, according to the identity identifier in the authentication request, whether device information corresponding to the identity identifier exists; if it exists, feeding back the device information corresponding to the identity identifier to the edge node.
16. The method according to claim 15, characterized in that it further includes the steps of continuously receiving registration information sent by different external devices and storing the device information of the successfully registered external devices.
17. The method according to claim 16, characterized in that after the registration information sent by the different external devices is received, the method further includes:
judging whether the registration information carries a specified token; if not, discarding the registration information; if so, verifying the validity of the registration information.
18. The method according to claim 16, characterized in that the registration information includes the plaintext of the identity identifier of the external device and a ciphertext obtained by encrypting the identity identifier with a predetermined encryption algorithm; correspondingly, when verifying the registration information, the ciphertext is decrypted with the preset decryption algorithm and the decrypted data is checked for consistency with the plaintext; if consistent, the registration request passes verification; if inconsistent, a registration-failure prompt message is sent to the external device.
19. The method according to claim 16, characterized in that after the step of storing the device information of the successfully registered external device, the method further includes:
if no heartbeat packet sent by the external device is received within a preset duration, deleting the stored device information of the external device.
20. An authentication server in a content distribution network, characterized in that the authentication server includes:
a registration information receiving unit, configured to receive registration information sent by different external devices and, after the registration information registers successfully, store the device information of the successfully registered external device;
an authentication request receiving unit, configured to receive an authentication request sent by an edge node, the authentication request carrying the identity identifier of the external device;
a query unit, configured to query, according to the identity identifier in the authentication request, whether device information corresponding to the identity identifier exists, and if it exists, to feed back the device information corresponding to the identity identifier to the edge node.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710378887.1A CN106961451A (en) | 2017-05-25 | 2017-05-25 | Method for authenticating, right discriminating system, fringe node and authentication server in CDN |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710378887.1A CN106961451A (en) | 2017-05-25 | 2017-05-25 | Method for authenticating, right discriminating system, fringe node and authentication server in CDN |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106961451A true CN106961451A (en) | 2017-07-18 |
Family
ID=59482178
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710378887.1A Pending CN106961451A (en) | 2017-05-25 | 2017-05-25 | Method for authenticating, right discriminating system, fringe node and authentication server in CDN |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106961451A (en) |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107580004A (en) * | 2017-10-31 | 2018-01-12 | 深圳竹云科技有限公司 | A kind of new authentication method and authentication center's framework |
CN108377245A (en) * | 2018-02-26 | 2018-08-07 | 湖南科技学院 | A kind of optimizing demonstration method and system of network insertion request |
CN108768979A (en) * | 2018-05-17 | 2018-11-06 | 网宿科技股份有限公司 | Corporate intranet access method, for corporate intranet access device and its system |
CN108881280A (en) * | 2018-07-11 | 2018-11-23 | 中国联合网络通信集团有限公司 | Cut-in method, content distribution network system and access system |
CN109150606A (en) * | 2018-08-20 | 2019-01-04 | 华为技术有限公司 | Data processing method, device and equipment |
CN109831511A (en) * | 2019-02-18 | 2019-05-31 | 华为技术有限公司 | Method and equipment for scheduling content delivery network CDN edge nodes |
CN110191139A (en) * | 2019-07-17 | 2019-08-30 | 中国联合网络通信集团有限公司 | A kind of method for authenticating and system, the method for accessing terminal to network |
CN111193692A (en) * | 2018-11-15 | 2020-05-22 | 北京金山云网络技术有限公司 | Request response method, device, edge node and authentication system |
CN111371730A (en) * | 2018-12-26 | 2020-07-03 | 中国科学院沈阳自动化研究所 | Lightweight authentication method supporting anonymous access of heterogeneous terminal in edge computing scene |
CN111555873A (en) * | 2020-05-07 | 2020-08-18 | 四川普思科创信息技术有限公司 | Remote authentication method, device and system |
CN111639073A (en) * | 2020-04-30 | 2020-09-08 | 深圳精匠云创科技有限公司 | Edge computing access method and edge computing node device |
CN111741467A (en) * | 2020-06-19 | 2020-10-02 | 中国联合网络通信集团有限公司 | Authentication method and device |
CN112261003A (en) * | 2020-09-27 | 2021-01-22 | 紫光云引擎科技(苏州)有限公司 | Safety authentication method and system for industrial internet edge computing node |
CN112953986A (en) * | 2019-12-10 | 2021-06-11 | 华为技术有限公司 | Management method and device for edge application |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101674178A (en) * | 2008-09-12 | 2010-03-17 | 中国移动通信集团公司 | User information storage method as well as user information authentication method and device |
CN102638417A (en) * | 2012-03-27 | 2012-08-15 | 广州市动景计算机科技有限公司 | Information communication method, device and system |
CN105871888A (en) * | 2016-05-16 | 2016-08-17 | 乐视控股(北京)有限公司 | Identity authentication method, device and system |
WO2016141856A1 (en) * | 2015-03-07 | 2016-09-15 | 华为技术有限公司 | Verification method, apparatus and system for network application access |
Cited By (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107580004A (en) * | 2017-10-31 | 2018-01-12 | 深圳竹云科技有限公司 | A kind of new authentication method and authentication center's framework |
CN108377245A (en) * | 2018-02-26 | 2018-08-07 | 湖南科技学院 | A kind of optimizing demonstration method and system of network insertion request |
CN108768979A (en) * | 2018-05-17 | 2018-11-06 | 网宿科技股份有限公司 | Corporate intranet access method, for corporate intranet access device and its system |
CN108768979B (en) * | 2018-05-17 | 2021-04-16 | 网宿科技股份有限公司 | Method for accessing intranet, device and system for accessing intranet |
CN108881280B (en) * | 2018-07-11 | 2021-02-02 | 中国联合网络通信集团有限公司 | Access method, content distribution network system and access system |
CN108881280A (en) * | 2018-07-11 | 2018-11-23 | 中国联合网络通信集团有限公司 | Cut-in method, content distribution network system and access system |
CN109150606A (en) * | 2018-08-20 | 2019-01-04 | 华为技术有限公司 | Data processing method, device and equipment |
CN109150606B (en) * | 2018-08-20 | 2022-03-01 | 超聚变数字技术有限公司 | Data processing method and device |
CN111193692A (en) * | 2018-11-15 | 2020-05-22 | 北京金山云网络技术有限公司 | Request response method, device, edge node and authentication system |
WO2020098773A1 (en) * | 2018-11-15 | 2020-05-22 | 北京金山云网络技术有限公司 | Request response method and device, edge node and authentication system |
CN111371730A (en) * | 2018-12-26 | 2020-07-03 | 中国科学院沈阳自动化研究所 | Lightweight authentication method supporting anonymous access of heterogeneous terminal in edge computing scene |
CN111371730B (en) * | 2018-12-26 | 2021-11-30 | 中国科学院沈阳自动化研究所 | Lightweight authentication method supporting anonymous access of heterogeneous terminal in edge computing scene |
CN109831511A (en) * | 2019-02-18 | 2019-05-31 | 华为技术有限公司 | Method and equipment for scheduling content delivery network CDN edge nodes |
CN109831511B (en) * | 2019-02-18 | 2020-10-23 | 华为技术有限公司 | Method and equipment for scheduling content delivery network CDN edge nodes |
US11888958B2 (en) | 2019-02-18 | 2024-01-30 | Petal Cloud Technology Co., Ltd. | Content delivery network CDN edge node scheduling method and device |
CN110191139A (en) * | 2019-07-17 | 2019-08-30 | 中国联合网络通信集团有限公司 | A kind of method for authenticating and system, the method for accessing terminal to network |
CN112953986A (en) * | 2019-12-10 | 2021-06-11 | 华为技术有限公司 | Management method and device for edge application |
CN112953986B (en) * | 2019-12-10 | 2024-03-12 | 华为云计算技术有限公司 | Edge application management method and device |
CN111639073A (en) * | 2020-04-30 | 2020-09-08 | 深圳精匠云创科技有限公司 | Edge computing access method and edge computing node device |
CN111555873A (en) * | 2020-05-07 | 2020-08-18 | 四川普思科创信息技术有限公司 | Remote authentication method, device and system |
CN111741467A (en) * | 2020-06-19 | 2020-10-02 | 中国联合网络通信集团有限公司 | Authentication method and device |
CN111741467B (en) * | 2020-06-19 | 2023-04-18 | 中国联合网络通信集团有限公司 | Authentication method and device |
CN112261003A (en) * | 2020-09-27 | 2021-01-22 | 紫光云引擎科技(苏州)有限公司 | Safety authentication method and system for industrial internet edge computing node |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106961451A (en) | Method for authenticating, right discriminating system, fringe node and authentication server in CDN | |
US11588649B2 (en) | Methods and systems for PKI-based authentication | |
EP2705642B1 (en) | System and method for providing access credentials | |
CN104506534B (en) | Secure communication key agreement interaction schemes | |
EP1635502B1 (en) | Session control server and communication system | |
US20080222714A1 (en) | System and method for authentication upon network attachment | |
US6892308B1 (en) | Internet protocol telephony security architecture | |
CN1842993B (en) | Providing credentials | |
CN103906052B (en) | A kind of mobile terminal authentication method, Operational Visit method and apparatus | |
CN104753674B (en) | A kind of verification method and equipment of application identity | |
CN104618120A (en) | Digital signature method for escrowing private key of mobile terminal | |
CN103812651B (en) | Method of password authentication, apparatus and system | |
CN105207778B (en) | A method of realizing packet identity and digital signature on accessing gateway equipment | |
CN105681470A (en) | Communication method, server and terminal based on hypertext transfer protocol | |
CN102209046A (en) | Network resource integration system and method | |
EP2414983B1 (en) | Secure Data System | |
CN101986598A (en) | Authentication method, server and system | |
CN115567210A (en) | Method and system for realizing zero trust access by quantum key distribution | |
CN1925401B (en) | Internet access system and method | |
CN111756530A (en) | Quantum service mobile engine system, network architecture and related equipment | |
CN107888615A (en) | A kind of safety certifying method of Node registry | |
CN112565294A (en) | Identity authentication method based on block chain electronic signature | |
EP1320975B1 (en) | Internet protocol telephony security architecture | |
CN106549918B (en) | A kind of method and device of the transmission service abnormal cause page | |
CN111404680B (en) | Password management method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20170718 |