CN114257393A - Terminal equipment authentication method and device and computer readable storage medium - Google Patents

Publication number: CN114257393A
Authority: CN (China)
Prior art keywords: authentication, cpe, controller, registration, receiving
Legal status: Pending
Application number: CN202011024819.3A
Other languages: Chinese (zh)
Inventor: 杨锋
Current Assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Original Assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The embodiment of the invention provides a terminal equipment authentication method, an apparatus and a computer-readable storage medium, wherein the method comprises the following steps: the controller receives an authentication identifier sent by a registration node; verifies with a Customer Premise Equipment (CPE) based on the authentication identifier; and, if the verification is successful, executes the registration process of the CPE.

Description

Terminal equipment authentication method and device and computer readable storage medium
Technical Field
The present invention relates to the field of mobile communications technologies, and in particular, to a method and an apparatus for authenticating a terminal device, and a computer-readable storage medium.
Background
In a large-scale software-defined wide area network (SD-WAN), a plurality of controllers are generally deployed, and all online requests of Customer Premise Equipment (CPE) need to be distributed to different controllers by means of registration nodes. Each controller is thus responsible for managing a part of the CPE, and the association between a CPE and its controller relies on a global registrar. The CPE is deployed by the customer, and verification among the registration node, the CPE and the controller can be achieved through certificate authentication.
However, the SD-WAN system must prevent an unauthorized CPE from coming online and also from binding to an arbitrary controller without authorization, and the current implementation has security risks.
Disclosure of Invention
In view of this, embodiments of the present invention are intended to provide a terminal device authentication method, apparatus, and computer-readable storage medium.
In order to achieve the above purpose, the technical solution of the embodiment of the present invention is realized as follows:
The embodiment of the invention provides a terminal equipment authentication method, which is applied to a controller and comprises the following steps:
receiving an authentication identifier sent by a registration node;
verifying with the Customer Premise Equipment (CPE) based on the authentication identifier;
and if the verification is successful, executing the registration process of the CPE.
The receiving of the authentication identifier sent by the registration node includes:
receiving the authentication identifier that the registration node periodically and actively updates; or,
receiving the authentication identifier sent by the registration node after an update request is sent to the registration node.
The receiving of the authentication identifier sent by the registration node includes:
and receiving the authentication identification sent by the registration node through a northbound interface.
Wherein, the verifying with the Customer Premise Equipment (CPE) based on the authentication identifier comprises: judging whether the authentication identification is consistent with the authentication identification received by the CPE;
and if the authentication identifications of the two are determined to be consistent, the verification is successful.
Wherein, the determining whether the authentication identifier is consistent with the authentication identifier received by the CPE includes:
the authentication identification is carried in a network configuration protocol NetConf Hello handshake message interacted with the CPE;
and if the authentication identifications of the two are determined to be consistent, the verification is successful.
The embodiment of the invention also provides a terminal equipment authentication method, which is applied to the Customer Premise Equipment (CPE) and comprises the following steps:
receiving an authentication identifier sent by a registration node;
verifying the controller based on the authentication identifier;
and if the verification is successful, executing the registration process of the CPE.
The receiving of the authentication identifier sent by the registration node includes:
receiving a registration response message sent by a registration node; and the registration response message carries the authentication identification.
Optionally, before receiving the authentication identifier sent by the registration node, the method further includes:
a registration request message is sent to the registration node.
Wherein the verifying with the controller based on the authentication identifier comprises:
judging whether the authentication identification is consistent with the authentication identification received by the controller;
and if the authentication identifications of the two are determined to be consistent, the verification is successful.
Wherein the determining whether the authentication identifier is consistent with the authentication identifier received by the controller includes:
carrying the authentication identification in a network configuration protocol NetConf Hello handshake message interacted with the controller;
and if the authentication identifications of the two are determined to be consistent, the verification is successful.
The embodiment of the invention also provides a terminal equipment authentication method, which is applied to the registration node and comprises the following steps:
sending an authentication identifier to a controller and/or a Customer Premise Equipment (CPE);
wherein the authentication identifier is used for verification between the controller and the CPE, and the registration process of the CPE is performed after the verification succeeds.
Wherein sending the authentication identifier to the controller comprises:
periodically and actively sending an updated authentication identifier to the controller; or,
after receiving an update request initiated by the controller, carrying the authentication identifier in the update response fed back to the controller.
Wherein, sending the authentication identifier to the CPE comprises:
sending a registration response message to the CPE; and the registration response message carries the authentication identification.
The embodiment of the invention also provides a terminal equipment authentication device, which is applied to a controller and comprises the following components:
the first receiving module is used for receiving the authentication identifier sent by the registration node;
the first checking module is used for checking with the Customer Premise Equipment (CPE) based on the authentication identification; and if the verification is successful, executing the registration process of the CPE.
The embodiment of the invention also provides a terminal equipment authentication device, which is applied to the Customer Premise Equipment (CPE) and comprises the following steps:
the second receiving module is used for receiving the authentication identifier sent by the registration node;
the second check module is used for checking with the controller based on the authentication identification; and if the verification is successful, executing the registration process of the CPE.
The embodiment of the invention also provides a terminal equipment authentication device, which is applied to the registration node and comprises the following steps:
the sending module is used for sending the authentication identification to the controller and/or the Customer Premise Equipment (CPE);
wherein the authentication identifier is used for verification between the controller and the CPE, and the registration process of the CPE is performed after the verification succeeds.
The embodiment of the invention also provides a terminal equipment authentication device, which comprises: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is configured to perform the steps of the above method when running the computer program.
Embodiments of the present invention also provide a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the steps of the above-mentioned method.
According to the terminal equipment authentication method, apparatus and computer-readable storage medium provided by the embodiments of the invention, the controller receives the authentication identifier sent by the registration node; verifies with the Customer Premise Equipment (CPE) based on the authentication identifier; and, if the verification is successful, executes the registration process of the CPE. Therefore, in the embodiments of the invention, if the registration node is a counterfeit node, the counterfeit registration node cannot send the authentication identifier to the controller; if a CPE tries to skip the registration node and access the controller directly, the CPE does not hold the correct authentication identifier and its registration cannot be completed, which solves the problem of a CPE bypassing the registration node to connect directly to the controller.
Drawings
Fig. 1 is a first schematic flowchart of a terminal device authentication method according to an embodiment of the present invention;
Fig. 2 is a second schematic flowchart of a terminal device authentication method according to an embodiment of the present invention;
Fig. 3 is a third schematic flowchart of a terminal device authentication method according to an embodiment of the present invention;
Fig. 4 is a first schematic structural diagram of a terminal device authentication apparatus according to an embodiment of the present invention;
Fig. 5 is a second schematic structural diagram of a terminal device authentication apparatus according to an embodiment of the present invention;
Fig. 6 is a third schematic structural diagram of a terminal device authentication apparatus according to an embodiment of the present invention;
Fig. 7 is a fourth schematic structural diagram of a terminal device authentication apparatus according to an embodiment of the present invention;
Fig. 8 is a schematic interaction diagram of the system according to the embodiment of the present disclosure.
Detailed Description
The invention is described below with reference to the figures and examples.
The current implementation of the SD-WAN system has the following security risks: first, when the DNS is attacked, a false registration node may assign a controller to the CPE; second, a CPE that knows the controller address can connect directly to the controller, bypassing the registration node.
Based on this, an embodiment of the present invention provides a terminal device authentication method, as shown in fig. 1, where the method is applied to a controller, and includes:
step 101: receiving an authentication identifier sent by a registration node;
step 102: verifying with the Customer Premise Equipment (CPE) based on the authentication identifier;
step 103: and if the verification is successful, executing the registration process of the CPE.
In this embodiment of the present invention, the receiving an authentication identifier sent by a registration node includes:
receiving the authentication identifier that the registration node periodically and actively updates; or,
receiving the authentication identifier sent by the registration node after an update request is sent to the registration node.
In this embodiment of the present invention, the receiving an authentication identifier sent by a registration node includes:
and receiving the authentication identification sent by the registration node through a northbound interface.
In the embodiment of the present invention, the verifying with the CPE based on the authentication identifier comprises:
judging whether the authentication identification is consistent with the authentication identification received by the CPE;
and if the authentication identifications of the two are determined to be consistent, the verification is successful.
In the embodiment of the present invention, the determining whether the authentication identifier is consistent with an authentication identifier received by a CPE includes:
the authentication identification is carried in a network configuration protocol NetConf Hello handshake message interacted with the CPE;
and if the authentication identifications of the two are determined to be consistent, the verification is successful.
An embodiment of the present invention further provides a terminal device authentication method, as shown in fig. 2, where the method is applied to a Customer Premise Equipment (CPE), and includes:
step 201: receiving an authentication identifier sent by a registration node;
step 202: verifying the controller based on the authentication identifier;
step 203: and if the verification is successful, executing the registration process of the CPE.
In this embodiment of the present invention, the receiving an authentication identifier sent by a registration node includes:
receiving a registration response message sent by a registration node; and the registration response message carries the authentication identification.
In an embodiment of the present invention, before receiving the authentication identifier sent by the registration node, the method further includes:
a registration request message is sent to the registration node.
In the embodiment of the present invention, the verifying with the controller based on the authentication identifier includes:
judging whether the authentication identification is consistent with the authentication identification received by the controller;
and if the authentication identifications of the two are determined to be consistent, the verification is successful.
In this embodiment of the present invention, the determining whether the authentication identifier is consistent with the authentication identifier received by the controller includes:
carrying the authentication identification in a network configuration protocol NetConf Hello handshake message interacted with the controller;
and if the authentication identifications of the two are determined to be consistent, the verification is successful.
An embodiment of the present invention further provides a terminal device authentication method, as shown in fig. 3, where the method is applied to a registration node, and includes:
step 301: sending an authentication identifier to a controller and/or a Customer Premise Equipment (CPE);
step 302: the authentication identifier is used for verification between the controller and the CPE, and the registration process of the CPE is performed after the verification succeeds.
In the embodiment of the present invention, sending an authentication identifier to a controller includes:
periodically and actively sending an updated authentication identifier to the controller; or,
after receiving an update request initiated by the controller, carrying the authentication identifier in the update response fed back to the controller.
In the embodiment of the present invention, sending an authentication identifier to a CPE includes:
sending a registration response message to the CPE; and the registration response message carries the authentication identification.
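The three method flows above (figs. 1 to 3) can be exercised together in a small model. The following is an added example, not code from the patent or its applicants: the capability URI prefix `urn:example:sdwan:auth-id:`, the class and function names, and the random hex identifier are assumptions, since the patent does not specify how the identifier is encoded in the NetConf Hello message or how it is generated.

```python
import hmac
import secrets
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
BASE_CAP = "urn:ietf:params:netconf:base:1.1"
# Assumption: the identifier travels as an extra capability URI in <hello>.
# This prefix is hypothetical; the patent does not define the encoding.
AUTH_CAP_PREFIX = "urn:example:sdwan:auth-id:"


def build_hello(auth_id=None):
    """Serialize a NETCONF <hello>, optionally carrying the identifier."""
    hello = ET.Element(f"{{{NS}}}hello")
    caps = ET.SubElement(hello, f"{{{NS}}}capabilities")
    ET.SubElement(caps, f"{{{NS}}}capability").text = BASE_CAP
    if auth_id is not None:
        ET.SubElement(caps, f"{{{NS}}}capability").text = AUTH_CAP_PREFIX + auth_id
    return ET.tostring(hello, encoding="unicode")


def extract_auth_id(hello_xml):
    """Return the identifier carried in a peer's <hello>, or None."""
    if "<!DOCTYPE" in hello_xml or "<!ENTITY" in hello_xml:
        return None  # refuse DTDs from a peer that is not yet verified
    try:
        root = ET.fromstring(hello_xml)
    except ET.ParseError:
        return None
    for cap in root.iter(f"{{{NS}}}capability"):
        text = (cap.text or "").strip()
        if text.startswith(AUTH_CAP_PREFIX):
            return text[len(AUTH_CAP_PREFIX):]
    return None


def ids_match(own_id, peer_hello):
    """Consistency check run by both sides; fails closed if an id is missing."""
    peer_id = extract_auth_id(peer_hello)
    if not own_id or not peer_id:
        return False
    return hmac.compare_digest(own_id.encode(), peer_id.encode())


class RegistrationNode:
    def __init__(self):
        self.auth_id = secrets.token_hex(16)

    def rotate_and_push(self, controller):
        """Periodic active update: a new identifier is pushed to the controller."""
        self.auth_id = secrets.token_hex(16)
        controller.auth_id = self.auth_id

    def update_response(self):
        """Answer to a controller-initiated update request."""
        return self.auth_id

    def registration_response(self, controller_name):
        """Answer to a CPE registration request."""
        return {"controller": controller_name, "auth_id": self.auth_id}


class Peer:
    """State shared by controller and CPE: the identifier last received."""
    def __init__(self, name):
        self.name, self.auth_id = name, None

    def hello(self):
        return build_hello(self.auth_id)


def handshake(cpe, controller):
    """Exchange hellos; registration proceeds only if both checks pass."""
    cpe_ok = ids_match(cpe.auth_id, controller.hello())
    ctrl_ok = ids_match(controller.auth_id, cpe.hello())
    return cpe_ok and ctrl_ok


def run_scenarios():
    node, controller = RegistrationNode(), Peer("controller-1")
    controller.auth_id = node.update_response()  # controller requested the id
    results = {}

    cpe = Peer("cpe-a")
    cpe.auth_id = node.registration_response(controller.name)["auth_id"]
    results["registered_via_node"] = handshake(cpe, controller)

    # CPE that knows the controller address and skips the registration node.
    results["bypass_no_id"] = handshake(Peer("cpe-b"), controller)

    # CPE steered to a counterfeit registration node (e.g. after a DNS attack).
    fake_cpe = Peer("cpe-c")
    fake_cpe.auth_id = RegistrationNode().registration_response(controller.name)["auth_id"]
    results["counterfeit_node"] = handshake(fake_cpe, controller)

    # After a periodic update the old identifier is stale until re-registration.
    node.rotate_and_push(controller)
    results["stale_after_update"] = handshake(cpe, controller)
    cpe.auth_id = node.registration_response(controller.name)["auth_id"]
    results["reregistered"] = handshake(cpe, controller)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'registration proceeds' if ok else 'rejected'}")
```

In this model the identifier is a shared bearer value, so the registration response, the update channel and the Hello exchange are assumed to run over the certificate-authenticated channels mentioned in the Background.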
In order to implement the foregoing method embodiment, an embodiment of the present invention further provides a terminal device authentication apparatus, as shown in fig. 4, where the apparatus is applied to a controller, and includes:
a first receiving module 401, configured to receive an authentication identifier sent by a registration node;
a first checking module 402, configured to verify with the Customer Premise Equipment (CPE) based on the authentication identifier; and, if the verification is successful, execute the registration process of the CPE.
In this embodiment of the present invention, the receiving, by the first receiving module 401, the authentication identifier sent by the registration node includes:
receiving the authentication identifier that the registration node periodically and actively updates; or,
receiving the authentication identifier sent by the registration node after an update request is sent to the registration node.
In this embodiment of the present invention, the receiving, by the first receiving module 401, the authentication identifier sent by the registration node includes:
and receiving the authentication identification sent by the registration node through a northbound interface.
In this embodiment of the present invention, the verifying with the CPE, by the first checking module 402, based on the authentication identifier includes:
judging whether the authentication identification is consistent with the authentication identification received by the CPE;
and if the authentication identifications of the two are determined to be consistent, the verification is successful.
In this embodiment of the present invention, the determining, by the first checking module 402, whether the authentication identifier is consistent with an authentication identifier received by a CPE includes:
the authentication identification is carried in a network configuration protocol NetConf Hello handshake message interacted with the CPE;
and if the authentication identifications of the two are determined to be consistent, the verification is successful.
An embodiment of the present invention further provides a terminal device authentication apparatus, as shown in fig. 5, where the apparatus is applied to a customer premise equipment CPE, and includes:
a second receiving module 501, configured to receive an authentication identifier sent by a registration node;
a second checking module 502, configured to verify with the controller based on the authentication identifier; and, if the verification is successful, execute the registration process of the CPE.
In this embodiment of the present invention, the receiving, by the second receiving module 501, of the authentication identifier sent by the registration node includes:
receiving a registration response message sent by a registration node; and the registration response message carries the authentication identification.
In one embodiment of the present invention, as shown in fig. 6, the apparatus further includes: a registration module 503;
before the second receiving module 501 receives the authentication identifier sent by the registration node,
the registration module 503 is configured to send a registration request message to the registration node.
In this embodiment of the present invention, the verifying with the controller, by the second checking module 502, based on the authentication identifier includes:
judging whether the authentication identification is consistent with the authentication identification received by the controller;
and if the authentication identifications of the two are determined to be consistent, the verification is successful.
In this embodiment of the present invention, the determining, by the second checking module 502, whether the authentication identifier is consistent with the authentication identifier received by the controller includes:
carrying the authentication identification in a network configuration protocol NetConf Hello handshake message interacted with the controller;
and if the authentication identifications of the two are determined to be consistent, the verification is successful.
An embodiment of the present invention further provides a terminal device authentication apparatus, as shown in fig. 7, where the apparatus is applied to a registration node, and includes:
a sending module 701, configured to send an authentication identifier to a controller and/or a CPE (customer premises equipment);
wherein the authentication identifier is used for verification between the controller and the CPE, and the registration process of the CPE is performed after the verification succeeds.
In this embodiment of the present invention, the sending module 701 sends the authentication identifier to the controller, including:
periodically and actively sending an updated authentication identifier to the controller; or,
as shown in fig. 7, the apparatus further includes a third receiving module 702;
after the third receiving module 702 receives an update request initiated by the controller, the sending module 701 carries the authentication identifier in the update response that it feeds back.
In this embodiment of the present invention, the sending module 701 sends the authentication identifier to the CPE, including:
sending a registration response message to the CPE; and the registration response message carries the authentication identification.
The embodiment of the invention also provides a terminal equipment authentication device, which comprises: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is configured to execute, when running the computer program:
receiving an authentication identifier sent by a registration node;
verifying with the Customer Premise Equipment (CPE) based on the authentication identifier;
and if the verification is successful, executing the registration process of the CPE.
When receiving the authentication identifier sent by the registration node, the processor is further configured to execute, when running the computer program:
receiving the authentication identifier that the registration node periodically and actively updates; or,
receiving the authentication identifier sent by the registration node after an update request is sent to the registration node.
When receiving the authentication identifier sent by the registration node, the processor is further configured to execute, when running the computer program:
and receiving the authentication identification sent by the registration node through a northbound interface.
When verifying with the Customer Premise Equipment (CPE) based on the authentication identifier, the processor is further configured to execute, when the computer program is run:
judging whether the authentication identifier is consistent with the authentication identifier received by the CPE;
and if the authentication identifiers of the two are determined to be consistent, the verification is successful.
When judging whether the authentication identifier is consistent with the authentication identifier received by the CPE, the processor is further configured to execute, when the computer program is run:
the authentication identification is carried in a network configuration protocol NetConf Hello handshake message interacted with the CPE;
and if the authentication identifications of the two are determined to be consistent, the verification is successful.
The embodiment of the invention also provides a terminal equipment authentication device, which comprises: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is configured to execute, when running the computer program:
receiving an authentication identifier sent by a registration node;
verifying the controller based on the authentication identifier;
and if the verification is successful, executing the registration process of the CPE.
When receiving the authentication identifier sent by the registration node, the processor is configured to execute, when running the computer program:
receiving a registration response message sent by a registration node; and the registration response message carries the authentication identification.
Before receiving the authentication identifier sent by the registration node, the processor is configured to execute, when running the computer program:
a registration request message is sent to the registration node.
When verifying with the controller based on the authentication identifier, the processor is configured to execute, when the computer program is run, the following steps:
judging whether the authentication identifier is consistent with the authentication identifier received by the controller;
and if the authentication identifiers of the two are determined to be consistent, the verification is successful.
When judging whether the authentication identifier is consistent with the authentication identifier received by the controller, the processor is configured to execute, when the computer program is run, the following steps:
carrying the authentication identification in a network configuration protocol NetConf Hello handshake message interacted with the controller;
and if the authentication identifications of the two are determined to be consistent, the verification is successful.
The embodiment of the invention also provides a terminal equipment authentication device, which comprises: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is configured to execute, when running the computer program:
sending an authentication identifier to a controller and/or a Customer Premise Equipment (CPE);
wherein the authentication identifier is used for verification between the controller and the CPE, and the registration process of the CPE is performed after the verification succeeds.
When the authentication identifier is sent to the controller, the processor is configured to execute, when the computer program is run, the following steps:
periodically and actively sending an updated authentication identifier to the controller; or,
after receiving an update request initiated by the controller, carrying the authentication identifier in the update response fed back to the controller.
When the authentication identifier is sent to the CPE, the processor is configured to execute, when the computer program is run, the following:
sending a registration response message to the CPE; and the registration response message carries the authentication identification.
It should be noted that: the apparatus provided in the foregoing embodiment is only illustrated by the division of the foregoing program modules when performing terminal device authentication, and in practical applications, the above processing allocation may be completed by different program modules according to needs, that is, the internal structure of the device is divided into different program modules to complete all or part of the above-described processing. In addition, the apparatus provided in the above embodiments and the corresponding method embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments and are not described herein again.
In an exemplary embodiment, the embodiment of the present invention also provides a computer-readable storage medium, which may be a Memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface Memory, optical disc, or CD-ROM; or may be a variety of devices including one or any combination of the above memories, such as a mobile phone, computer, tablet device, personal digital assistant, etc.
An embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, performs:
receiving an authentication identifier sent by a registration node;
verifying with the Customer Premise Equipment (CPE) based on the authentication identifier;
and if the verification is successful, executing the registration process of the CPE.
When the authentication identifier sent by the registration node is received, the computer program further executes, when executed by the processor:
receiving the authentication identifier that the registration node periodically and actively updates; or,
receiving the authentication identifier sent by the registration node after an update request is sent to the registration node.
When the authentication identifier sent by the registration node is received, the computer program further executes, when executed by the processor:
and receiving the authentication identification sent by the registration node through a northbound interface.
When verifying with the Customer Premise Equipment (CPE) based on the authentication identifier, the computer program further executes, when executed by the processor:
judging whether the authentication identifier is consistent with the authentication identifier received by the CPE;
and if the authentication identifiers of the two are determined to be consistent, the verification is successful.
When judging whether the authentication identifier is consistent with the authentication identifier received by the CPE, the computer program further executes, when executed by the processor:
the authentication identification is carried in a network configuration protocol NetConf Hello handshake message interacted with the CPE;
and if the authentication identifications of the two are determined to be consistent, the verification is successful.
An embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, performs:
receiving an authentication identifier sent by a registration node;
performing verification with the controller based on the authentication identifier;
and if the verification is successful, executing the registration process of the CPE.
When receiving the authentication identifier sent by the registration node, the processor is configured to execute, when running the computer program:
receiving a registration response message sent by the registration node, wherein the registration response message carries the authentication identifier.
Before receiving the authentication identifier sent by the registration node, the processor is configured to execute, when running the computer program:
sending a registration request message to the registration node.
When performing verification with the controller based on the authentication identifier, the processor is configured to execute, when running the computer program, the following steps:
judging whether the authentication identifier is consistent with the authentication identifier received by the controller;
and if the two authentication identifiers are determined to be consistent, the verification is successful.
When judging whether the authentication identifier is consistent with the authentication identifier received by the controller, the processor is configured to execute, when running the computer program, the following steps:
carrying the authentication identifier in a network configuration protocol (NetConf) Hello handshake message exchanged with the controller;
and if the two authentication identifiers are determined to be consistent, the verification is successful.
An embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, performs:
sending an authentication identifier to a controller and/or a Customer Premise Equipment (CPE);
wherein the authentication identifier is used for verification between the controller and the client, and the registration process of the CPE is performed after the verification is successful.
When sending the authentication identifier to the controller, the processor is configured to execute, when running the computer program, the following steps:
periodically and actively sending the updated authentication identifier to the controller; or,
after receiving an update request initiated by the controller, carrying the authentication identifier in the update response that is fed back.
When sending the authentication identifier to the CPE, the processor is configured to execute, when running the computer program, the following:
sending a registration response message to the CPE, wherein the registration response message carries the authentication identifier.
The invention is described below in conjunction with the scenario embodiments.
This embodiment eliminates the security risk by introducing a secret number (that is, the authentication identifier) mechanism. As shown in Fig. 8, the CPE and the controller may each be informed of a secret number by the registration node.
In practice, the registration node can periodically and actively update the secret number for the controller; or, after receiving an update request initiated by the controller, the registration node carries the secret number in the update response that it feeds back.
In practice, when the CPE comes online and sends a registration request to the registration node, the registration node sends the latest secret number to the CPE.
Thus, if the registration node is a counterfeit node, the counterfeit registration node cannot send a secret number to the controller; if the CPE tries to skip the registration node and access the controller directly, the CPE will not have the correct secret number, and the registration of the CPE cannot be completed. This solves the problem of a CPE bypassing the registration node and connecting directly to the controller.
The secret number is a random number and may have different granularities: it may be a secret number for each client that is refreshed at regular intervals, or a secret number for each controller that is refreshed at regular intervals.
Concerning the issuance of the secret number: the issuing mechanism can be implemented by adding a northbound interface on the controller and by enhancing the registration response message on the CPE side, as follows:
the controller can obtain the secret number in a plurality of ways, one of which is to add a URI to a REST API call of the northbound interface to pass the parameter to the controller;
for the CPE, this can be realized by adding the secret number to the registration response message sent by the registration node;
the transmission can be encrypted: the northbound interface of the controller and the CPE can both use HTTPS to carry the distributed information.
Once the controller and the CPE have acquired the secret number, the verification between them may be done by enhancing the NetConf protocol.
NetConf is the predominant management protocol for telecommunications network devices. At present, the first step for a terminal device accessing the network is (generally) to connect to a controller; the controller then checks the legitimacy of the device through NetConf. Here, the legitimacy is checked mainly by SSH, the underlying transport protocol of NetConf.
In this embodiment, the verification is done by enhancing the NetConf Hello handshake. The Hello message sent by the controller to the CPE and the Hello message sent by the CPE to the controller each carry the secret number; if the peer's secret number matches the known secret number, the verification passes, otherwise it fails.
In the existing mechanism, when a session is established between the NetConf controller and the CPE, the two parties must exchange their supported capability sets, and each party can perform the next operation only after receiving the capability set of the other. As shown in the following HELLO message sent by the CPE, a secret number field (Code) is added to HELLO to implement secret number matching.
[Figure: HELLO message sent by the CPE, with the added secret number field (Code)]
The content between <capabilities> and </capabilities> in the message above represents the capability sets supported by the controller and the CPE themselves. The Hello message sent by the CPE contains a <session-id> tag, whose XML content is the session ID allocated by the CPE for the session and is used to uniquely identify the session.
In this embodiment, when the CPE sends a registration request to the registration node, the registration node sends the latest secret number to the CPE, and when the secret number received by the CPE is consistent with the secret number received by the controller, the CPE is allowed to register. It can be seen that if the registration node is a counterfeit node, the counterfeit registration node cannot send a secret number to the controller; if the CPE tries to skip the registration node and access the controller directly, the CPE does not have the correct secret number. This solves the problem of a CPE bypassing the registration node and connecting directly to the controller.
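The Hello-based secret number check described above, as an added Python example (not code from the patent). The placement of the Code element as a child of <hello> in the NETCONF base namespace, the 128-bit secret size, the constant-time comparison and the names RegistrationNode, build_hello, peer_code and verify_peer are assumptions made for illustration.

```python
import hmac
import secrets
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"  # NETCONF base namespace (RFC 6241)
CODE_TAG = "Code"  # field name from the description; placement in <hello> is assumed


class RegistrationNode:
    """Hypothetical registration node holding the current secret number."""

    def __init__(self):
        self.current = secrets.token_hex(16)  # 128-bit random value (assumed size)

    def rotate(self):
        """Periodic refresh: previously issued secret numbers stop matching."""
        self.current = secrets.token_hex(16)
        return self.current


def build_hello(code, session_id=None):
    """Serialize a <hello>; only the CPE side passes a session_id."""
    hello = ET.Element(f"{{{NS}}}hello")
    caps = ET.SubElement(hello, f"{{{NS}}}capabilities")
    ET.SubElement(caps, f"{{{NS}}}capability").text = "urn:ietf:params:netconf:base:1.0"
    if session_id is not None:
        ET.SubElement(hello, f"{{{NS}}}session-id").text = str(session_id)
    if code is not None:  # a CPE that skipped the registration node has none
        ET.SubElement(hello, f"{{{NS}}}{CODE_TAG}").text = code
    return ET.tostring(hello)


def peer_code(hello_bytes):
    """Return the peer's secret number, or None if absent, empty or duplicated."""
    root = ET.fromstring(hello_bytes)
    if root.tag != f"{{{NS}}}hello":
        return None
    codes = root.findall(f"{{{NS}}}{CODE_TAG}")
    if len(codes) != 1 or not (codes[0].text or "").strip():
        return None
    return codes[0].text.strip()


def verify_peer(hello_bytes, known_code):
    """True only when the peer's Hello carries the secret number we hold."""
    try:
        received = peer_code(hello_bytes)
    except ET.ParseError:
        return False  # malformed Hello fails closed
    if received is None:
        return False
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(received.encode(), known_code.encode())


if __name__ == "__main__":
    node = RegistrationNode()
    controller_code = node.current  # delivered over the northbound interface
    registered = build_hello(node.current, session_id=4)  # via registration response
    bypassing = build_hello(None, session_id=5)
    print(verify_peer(registered, controller_code))
    print(verify_peer(bypassing, controller_code))
```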
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (18)

1. A terminal equipment authentication method is applied to a controller and comprises the following steps:
receiving an authentication identifier sent by a registration node;
performing verification with the Customer Premise Equipment (CPE) based on the authentication identifier;
and if the verification is successful, executing the registration process of the CPE.
2. The method according to claim 1, wherein said receiving the authentication identifier sent by the registration node comprises:
receiving the authentication identifier that is periodically and actively updated by the registration node; or,
receiving the authentication identifier sent by the registration node after sending an update request to the registration node.
3. The method according to claim 1, wherein said receiving the authentication identifier sent by the registration node comprises:
receiving, through a northbound interface, the authentication identifier sent by the registration node.
4. The method according to claim 1, wherein said performing verification with the CPE based on the authentication identifier comprises:
judging whether the authentication identifier is consistent with the authentication identifier received by the CPE;
and if the two authentication identifiers are determined to be consistent, the verification is successful.
5. The method of claim 4, wherein said judging whether the authentication identifier is consistent with the authentication identifier received by the CPE comprises:
carrying the authentication identifier in a network configuration protocol (NetConf) Hello handshake message exchanged with the CPE;
and if the two authentication identifiers are determined to be consistent, the verification is successful.
6. A terminal equipment authentication method is applied to a Customer Premise Equipment (CPE) and comprises the following steps:
receiving an authentication identifier sent by a registration node;
performing verification with the controller based on the authentication identifier;
and if the verification is successful, executing the registration process of the CPE.
7. The method according to claim 6, wherein said receiving the authentication identifier sent by the registration node comprises:
receiving a registration response message sent by the registration node, wherein the registration response message carries the authentication identifier.
8. The method according to claim 6 or 7, wherein before receiving the authentication identifier sent by the registration node, the method further comprises:
sending a registration request message to the registration node.
9. The method of claim 6, wherein said performing verification with the controller based on the authentication identifier comprises:
judging whether the authentication identifier is consistent with the authentication identifier received by the controller;
and if the two authentication identifiers are determined to be consistent, the verification is successful.
10. The method of claim 9, wherein said judging whether the authentication identifier is consistent with the authentication identifier received by the controller comprises:
carrying the authentication identifier in a network configuration protocol (NetConf) Hello handshake message exchanged with the controller;
and if the two authentication identifiers are determined to be consistent, the verification is successful.
11. A terminal equipment authentication method is applied to a registration node and comprises the following steps:
sending an authentication identifier to a controller and/or a Customer Premise Equipment (CPE);
wherein the authentication identifier is used for verification between the controller and the client, and the registration process of the CPE is performed after the verification is successful.
12. The method of claim 11, wherein sending the authentication identifier to the controller comprises:
periodically and actively sending the updated authentication identifier to the controller; or,
after receiving an update request initiated by the controller, carrying the authentication identifier in the update response that is fed back.
13. The method of claim 11, wherein sending the authentication identifier to the CPE comprises:
sending a registration response message to the CPE, wherein the registration response message carries the authentication identifier.
14. A terminal equipment authentication device is applied to a controller and comprises the following components:
a first receiving module, used for receiving the authentication identifier sent by the registration node;
a first checking module, used for performing verification with the Customer Premise Equipment (CPE) based on the authentication identifier, and, if the verification is successful, executing the registration process of the CPE.
15. An authentication device for terminal equipment, which is applied to a Customer Premise Equipment (CPE), comprising:
a second receiving module, used for receiving the authentication identifier sent by the registration node;
a second checking module, used for performing verification with the controller based on the authentication identifier, and, if the verification is successful, executing the registration process of the CPE.
16. An authentication device for a terminal device, the device being applied to a registration node, comprising:
a sending module, used for sending the authentication identifier to the controller and/or the Customer Premise Equipment (CPE);
wherein the authentication identifier is used for verification between the controller and the client, and the registration process of the CPE is performed after the verification is successful.
17. A terminal device authentication apparatus, characterized in that the apparatus comprises: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is adapted to perform the steps of the method of any one of claims 1 to 5, or to perform the steps of the method of any one of claims 6 to 10, or to perform the steps of the method of any one of claims 11 to 13, when running the computer program.
18. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 5, or carries out the steps of the method of any one of claims 6 to 10, or carries out the steps of the method of any one of claims 11 to 13.
CN202011024819.3A 2020-09-25 2020-09-25 Terminal equipment authentication method and device and computer readable storage medium Pending CN114257393A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011024819.3A CN114257393A (en) 2020-09-25 2020-09-25 Terminal equipment authentication method and device and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011024819.3A CN114257393A (en) 2020-09-25 2020-09-25 Terminal equipment authentication method and device and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN114257393A true CN114257393A (en) 2022-03-29

Family

ID=80789120

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011024819.3A Pending CN114257393A (en) 2020-09-25 2020-09-25 Terminal equipment authentication method and device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN114257393A (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination