WO2011020279A1 - Public key certificate-based identity authentication method and system thereof - Google Patents

Public key certificate-based identity authentication method and system thereof Download PDF

Info

Publication number
WO2011020279A1
WO2011020279A1 PCT/CN2009/076223 CN2009076223W WO2011020279A1 WO 2011020279 A1 WO2011020279 A1 WO 2011020279A1 CN 2009076223 W CN2009076223 W CN 2009076223W WO 2011020279 A1 WO2011020279 A1 WO 2011020279A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
field
access
packet
certificate
Prior art date
Application number
PCT/CN2009/076223
Other languages
French (fr)
Chinese (zh)
Inventor
铁满霞
曹军
葛莉
李琴
Original Assignee
西安西电捷通无线网络通信股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 西安西电捷通无线网络通信股份有限公司 filed Critical 西安西电捷通无线网络通信股份有限公司
Publication of WO2011020279A1 publication Critical patent/WO2011020279A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless

Definitions

  • the invention relates to a method for authenticating an identity based on a public key certificate and a system thereof, in particular to a Tri-element Peer Authentication (TePA) based mechanism for a user in a wired local area network (LAN) to access a network. Identification method and system thereof.
  • TePA Tri-element Peer Authentication
  • the ternary peer-to-peer identification TePA technology is the first technical idea and framework method for peer-to-peer authentication between users and networks. This technology defines a ternary entity authentication architecture. Based on the idea of peer-to-peer identification, users can complete users. Two-way peer-to-peer authentication with the network.
  • IEEE In wired LAN, IEEE currently implements security enhancement of IEEE802.3 to achieve link layer security.
  • the typical secure access architecture protocol IEEE 802.1x is used.
  • the basic method is to increase the number of terminals and access point devices.
  • the authentication server uses the authentication server to authenticate the identity of the terminal, thereby implementing secure access control to the terminal.
  • the access point device directly forwards the authentication information between the terminal and the authentication server, and does not participate in the identity authentication process as an independent entity. This mode can only realize the legality identification of the terminal identity of the network, but it can not meet the legality identification requirements of the terminal for the access network, and cannot realize the two-way authentication between the terminal and the network.
  • the terminal cannot confirm the identity of the access point device.
  • Such security access technology agreements have been extended to date and have caused serious obstacles to industrial development.
  • the present invention provides an identity authentication method based on a ternary peer-to-peer authentication TePA mechanism when a user accesses a network in a wired local area network (LAN), which can implement two-way between the user and the network.
  • LAN local area network
  • the authentication process is based on a public key certificate.
  • the technical solution of the present invention is:
  • the present invention provides a public key certificate-based identity authentication method, and the public key certificate-based identity authentication method includes the following steps: 1) the authentication access controller AAC sends an authentication activation packet to the requester REQ;
  • the authentication activation packet includes: SNonce, ID AS ⁇ AC, CertAAc, and Para ECDH ; wherein, the SNonce field: indicates an authentication identifier, and if it is the first identity authentication, the field is a random number generated by the authentication access controller AAC; For the updated identity authentication process, the value of the field is the authentication identifier value that is negotiated and generated during the last identity authentication process; ID AS ⁇ A C field: indicates the identity ID of the authentication server AS trusted by the authentication access controller AAC.
  • CertAAc indicates the certificate of the authentication access controller AAC
  • Para ECDH field the elliptic curve cryptographic parameter indicating the elliptic curve cryptosystem, is the request Elliptic curve cryptographic parameters used by the REQ and the authentication access controller AAC for elliptic curve Diffie-Hellman (ECDH) key agreement calculation;
  • the requester REQ sends an access authentication request packet to the authentication access controller AAC after receiving the authentication activation packet;
  • the access authentication request packet includes: a SNonce field: indicating an authentication identifier, if the first identity authentication process, the field value directly depends on the SNonce field value in the authentication activation packet; if it is an updated identity authentication process, the field The value is the authentication identifier value calculated in the last identity authentication process; ⁇ field: the key data representing the requester REQ, which is the temporary public key EC ⁇ generated by the requester REQ for ECDH exchange; IDAAC field: indicates The identity ID of the authentication access controller AAC is obtained according to the certificate CertAAc field of the authentication access controller AAC in the authentication activation packet; the CertREQ field: the certificate representing the requester REQ; the Para ECDH field: the elliptic curve representing the elliptic curve cryptosystem
  • the password parameter is an elliptic curve cryptographic parameter used by the requester REQ and the authentication access controller AAC for elliptic curve Diffie-Hellman (ECDH) key negotiation calculation, and the value is the same as the Para EC
  • the authentication access controller AAC generates a temporary public key P for ECDH exchange, and performs an ECDH calculation based on the temporary public key ⁇ of the requester REQ and its own temporary private key y to obtain a base key ⁇ , and then set up The result is successful, constructing an access authentication response packet to be sent to the requester REQ, and allowing the user to access the network;
  • the access authentication response packet includes: ACCRES field, ⁇ field, P field, IDAAC field, IDREQ field, SIGAAC Field or MIC1 field; where ACCRES field: indicates the access result, which is the access success or failure and failure of the authentication access controller AAC according to the authentication result.
  • indicates the key data of the requester REQ, the value of which is the same as the value of the ⁇ field in the access authentication request packet
  • P indicates the key data of the authentication access controller AAC, which is the authentication access controller A temporary public key P for ECDH exchange generated by AAC
  • IDAAC field indicates the identity ID of the authentication access controller AAC, which is obtained according to the certificate CertAAc field of the authentication access controller AAC
  • IDREQ field indicates the identity of the requester REQ ID, obtained according to the certificate CertREQ field of the requester REQ in the received access authentication request packet
  • SIGAAC field indicates the signature of the authentication access controller AAC, and is the authentication access controller AAC uses its own private key to access the authentication response packet.
  • MIC 1 field indicates the message authentication code, which is the authentication access controller AAC uses the base key BK negotiated in the authentication process to access all the authentication except the field in the access authentication response packet.
  • the hash value obtained by the field calculation.
  • the method further includes between step 2) and step 5):
  • the authentication access controller AAC sends a certificate authentication request packet to the authentication server AS;
  • the certificate authentication request packet includes: CertREQ field: a certificate representing the requester REQ, the value of which is the same as the value of the CertREQ field in the access authentication request packet;
  • CertAAc field Representing the certificate of the authentication access controller AAC, the value of which is the same as the value of the CertAAc field in the authentication activation packet;
  • the authentication server AS sends a certificate authentication response packet to the authentication access controller AAC after receiving the certificate authentication request packet;
  • the certificate authentication response packet includes: RES CERT field: indicates the verification result of the certificate, and the field includes the authentication access controller AAC query value.
  • the signature of the RES CERT field indicating the verification result of the certificate in the packet by the authentication server AS trusted by the requester REQ.
  • step 1) the authentication access controller AAC sends an authentication activation packet to the requester REQ to activate the requester REQ for the certificate authentication process.
  • step 2) After the requester REQ receives the authentication activation packet, the following processing is performed:
  • the requester REQ checks whether the authentication identifier field in the authentication activation packet is consistent with the authentication identifier calculated in the last identity authentication process, and if not, discards the Grouping, if they are consistent, perform 2.2); if the authentication process is not the update process of identity authentication, for the first identity authentication process, directly execute 2.2); 2.2) If the received authentication activation packet further includes the SIGAAC field, verify the correctness of the SIGAAC field, discard the packet if it is incorrect, if it is correct, execute 2.3); if the received authentication activation packet does not contain The SIGAAC field is directly executed by 2.3); the SIGAAC field: indicates the signature of the authentication access controller AAC, and is the signature of the authentication access controller AAC to use all of the fields except the field in the packet by using the private key of the access controller;
  • step 3 After the authentication access controller receives the access authentication request packet, the AAC performs the following processing:
  • the authentication access controller AAC If the authentication access controller AAC sends the authentication activation packet, it checks whether the SNonce, Para ECDH field value and the corresponding field value in the authentication activation packet in the received access authentication request packet are consistent, if there is an inconsistency, Discard the packet, if it is consistent, perform 3.2); if the authentication access controller AAC does not send the authentication activation packet, check whether the SNonce field value is consistent with the authentication identifier calculated in the last certificate authentication process, and check the Para ECDH field and Whether the Para ECDH in the last authentication activation packet is consistent, if there is an inconsistency, discard the packet; if they are consistent, perform 3.2);
  • the authentication access controller AAC If the local policy of the authentication access controller AAC requires the authentication server AS to authenticate the certificate CertREQ of the requester REQ, the authentication access controller AAC generates a certificate authentication request packet and sends it to the authentication server AS; otherwise, it executes 3.5);
  • the certificate CertREQ of the access controller AAC local authentication requester REQ that is, the verification result of the certificate CertREQ of the requester REQ according to the verification result of the certificate CertREQ of the locally cached requester REQ and the time validity defined by the local policy, If it is legal, the temporary public key P for ECDH exchange is generated locally, and is based on the temporary public key ⁇ of the requester REQ and its own temporary private key y.
  • the ECDH calculates the base key BK, and then sets the access result to be successful, constructs the access authentication response packet to the requester REQ, and allows the user to access the network; if the CertREQ verification result is invalid, the access controller AAC is authenticated. If the access result is set to be unsuccessful, the constructing access authentication response packet is sent to the requester REQ.
  • step 4 After the authentication server AS receives the certificate authentication request packet, the following processing is performed:
  • a certificate authentication response packet is constructed, and the corresponding signature is attached to the authentication access controller AAC.
  • step 5 The specific implementation manner of the step 5) is as follows: After the authentication access controller receives the certificate authentication response packet, the AAC performs the following processing:
  • the authentication access controller AAC checks the authentication result of the certificate RES CERT field in the authentication access controller AAC. Whether the value of the NAAC field in the certificate authentication request packet is the same, if not, discarding the packet; if the same, performing 5.2); the NAAC field: indicating the authentication access controller AAC query, which is the randomization generated by the authentication access controller AAC NREQ field: indicates a requester REQ inquiry in a certificate authentication request packet, the value of which is the same as the value of the NREQ field in the access authentication request packet, and is a random number generated by the requester REQ in the access authentication request packet;
  • certificate authentication response packet further comprises SIG AS _AAC field, check the AAC trusted authentication server AS signature SIG AS _AAC fields are correct, if correct, the packet is discarded, if the correct execution 5.3); if the packet contains only one signature
  • Section, which indicates the results of the verification certificate to sign the authentication server AS is the AAC trusted authentication server AS, check SIG AS _REQ field is correct, if not correct, the packet is discarded, if the correct execution 5.3); the SIGAS ⁇ AC field: indicates that the authentication server AS trusted by the access controller AAC trusts all the fields in the packet except this field;
  • the method further includes after step 5):
  • the requester REQ sends an access authentication acknowledgement packet to the authentication access controller AAC after receiving the access authentication response packet; the access authentication acknowledgement packet includes: MIC2 field: indicates a message authentication code.
  • step 6 The specific implementation manner of the step 6) is as follows: After the requester REQ receives the access authentication response packet, the following processing is performed:
  • the received access authentication response packet contains the SIGAAC field, verify the correctness of the SIGAAC, if not, discard the packet; if it is correct, execute 6.5); if the received packet contains the MIC 1 field , then verify the correctness of the MIC 1 field, if not, discard the packet; if it is correct, execute 6.5);
  • the NREQ field value included in the MRES CERT field is consistent with the value of the NREQ field in the access authentication request packet sent by itself. If not, the packet is discarded; if yes, the signature SIG AS is verified. Whether _REQ is correct, discard the packet if it is incorrect, and 6.6 if it is correct;
  • the requester REQ performs the ECDH calculation based on the temporary public key P of the authentication access controller AAC and its own temporary private key X to obtain the base key BK;
  • the method further includes: the authentication access controller AAC waiting to receive the access authentication confirmation packet.
  • the method further includes: verifying the correctness of the MIC2 field in the packet, and if correct, means that the requester REQ has the sum The own base key BK; if not correct, discard the packet.
  • the MIC 1 field in the access authentication response packet is preferably all the fields except the current field and the next certificate authentication in the access authentication response packet by the authentication access controller AAC using the base key BK negotiated in the authentication process.
  • the process's authentication identifies the calculated hash value.
  • the present invention also provides an identity authentication system based on a public key certificate, the public key certificate based identity authentication system comprising a requester REQ, an authentication access controller AAC;
  • the authentication access controller AAC is configured to send an authentication activation packet to the requester REQ; generate a temporary public key P for ECDH exchange, and perform according to the temporary public key ⁇ of the requester REQ and its own temporary private key y
  • the ECDH calculates the base key ⁇ , and then sets the access result to be successful, constructs the access authentication response packet to be sent to the requester REQ, and allows the user to access the network;
  • the requester REQ configured to send an access authentication request packet to the authentication access controller AAC after receiving the authentication activation packet;
  • the authentication activation packet includes: SNonce, ID AS-A AC, CertAAc, and Para ECDH ; wherein
  • SNonce field indicates the authentication identifier. If it is the first identity authentication, the field is the random number generated by the authentication access controller AAC. If it is the updated identity authentication process, the value of the field is negotiated during the last identity authentication process.
  • Para ECDH field Elliptic curve cryptographic parameter indicating the elliptic curve cryptosystem, is the requester REQ and the authentication access controller AAC performs elliptic curve Diffie-Hellman (ECDH) key negotiation The elliptic curve cryptographic parameters used in the calculation;
  • the access authentication request packet includes: a SNonce field: indicating an authentication identifier, if it is the first body For the authentication process, the value of the field directly depends on the value of the SNonce field in the authentication activation packet; if it is an updated identity authentication process, the field value is the value of the authentication identifier calculated in the last identity authentication process; ⁇ field: The key data representing the requester REQ is a temporary public key generated by the requester REQ for ECDH exchange; IDAAC field: indicates the identity ID of the authentication access controller AAC, and the authentication access controller is activated according to the authentication activation packet AAC's certificate CertAAc field is obtained; CertREQ field: indicates the requester's REQ certificate; Para ECDH field: indicates the ECDH parameter, which is the elliptic curve cryptographic parameter used by the requester REQ and the authentication access controller AAC for ECDH calculation.
  • Si gRE Q field indicates the signature of the requester REQ, which is the signature of the requester REQ using all of the fields except the field in the access authentication request packet by using the private key of the requester;
  • the access authentication response packet includes: an ACCRES field, a ⁇ field, a P field, an IDAAC field, an IDREQ field, a SIGAAC field, or an MIC1 field; wherein, the ACCRES field: indicates an access result, and is an authentication access controller AAC according to the authentication.
  • x P the key data representing the requester REQ, the value of which is the same as the value of the ⁇ field in the access authentication request packet
  • y P indicates the authentication access controller
  • the key data of the AAC is a temporary public key generated by the access controller AAC for ECDH exchange
  • IDAAC field indicates the identity ID of the authentication access controller AAC, which is obtained according to the certificate CertAAc field of the authentication access controller AAC
  • IDREQ field indicates the identity ID of the requester REQ, which is obtained according to the certificate CertREQ field of the requester REQ in the received access authentication request packet
  • SIGAAC field indicates the signature of the authentication access controller AAC, which is used by the authentication access controller AAC.
  • MIC1 field indicates the message Code, the AAC is negotiated during authentication generated using the base key BK for access authentication hash value calculated for all fields in addition to this packet field response.
  • the public key certificate based identity authentication system further includes: an authentication server AS, an authentication server AS and a requester REQ, an authentication access controller AAC link; a requester REQ and an authentication access controller AAC for authentication by the authentication server AS.
  • the MIC 1 field in the access authentication response packet is preferably all the fields except the current field and the next certificate authentication in the access authentication response packet by the authentication access controller AAC using the base key BK negotiated in the authentication process.
  • the process's authentication identifies the calculated hash value.
  • the invention provides a wired local area network in which a user accesses a network based on ternary peer-to-peer identification of TePA
  • the mechanism identification method can realize two-way (one-way) authentication, fast update authentication, and support for multiple certificates between the user and the network, so as to ensure confidentiality, integrity, source identification and anti-replay of data.
  • the authentication process is based on a public key certificate.
  • Figure 1 is a schematic illustration of the authentication process of the method of the present invention.
  • the requester REQ and the authentication access controller AAC obtain the public key certificate issued by the authentication server AS in advance, representing their own identity, and the public key certificate is in the X.509 certificate format.
  • an identity authentication method provided by the present invention is implemented to implement secure access control. The method includes:
  • the authentication access controller AAC sends an authentication activation packet to the requester REQ to activate the requester REQ for the certificate authentication process.
  • the main contents of the authentication activation packet include: among them:
  • SNonce field indicates the authentication identifier. If it is the first identity authentication, the field is the random number generated by the authentication access controller AAC. If it is the updated identity authentication process, the value of the field is negotiated during the last identity authentication process. The identification value of the identification.
  • ID AS _AAC field represents the AAC trusted authentication server AS identity ID (identity), is the AAC CertAAc certificate issued by the authentication server AS identity ID.
  • CertAAc field Indicates the certificate that authenticates the access controller AAC.
  • Elliptic curve cryptographic parameter representing the elliptic curve cryptosystem, which is the elliptic curve cryptographic parameter used by the requester REQ and the authentication access controller AAC for elliptic curve Diffie-Hellman (ECDH) key negotiation calculation. ;
  • TIEAAC field Indicates the authentication and key management suite and password suite supported by the Authentication Access Controller AAC. This field is optional.
  • SIGAAC field indicates the signature of the authentication access controller AAC, which is the authentication access controller AAC. Field.
  • Access authentication request After the requester REQ receives the authentication activation packet, the following processing is performed: 2.1) If the authentication process is the identity authentication update process, the requester REQ checks the authentication identification field in the authentication activation packet and Whether the authentication identifiers calculated in one identity authentication process are consistent, if not, discard the packets, otherwise perform 2.2); if the authentication process is the first identity authentication process, directly execute 2.2);
  • the main contents of the access authentication request packet include:
  • SNonce field Indicates the authentication identifier whose value is the same as the value of the SNonce field in the authentication activation packet. If it is the first identity authentication process, the value of the field directly depends on the SNonce field value in the authentication activation packet; if it is an updated identity authentication process, the field value is the value of the authentication identifier calculated in the last identity authentication process.
  • NREQ field Indicates the requester REQ query, which is the random number generated by the requester REQ.
  • ⁇ field Indicates the key data of the requester REQ, which is the temporary public key generated by the requester REQ for ECDH exchange.
  • IDAAC field Indicates the identity ID of the authentication access controller AAC, which is obtained according to the certificate CertAAc field of the authentication access controller AAC in the authentication activation packet.
  • CertREQ field A certificate representing the requester REQ.
  • Para ECDH field Elliptic curve cryptographic parameter representing the elliptic curve cryptosystem, which is the elliptic curve cryptographic parameter used by the requester REQ and the authentication access controller AAC for elliptic curve Diffie-Hellman (ECDH) key negotiation calculation. The value is the same as the value of the Para ECDH field in the authentication activation packet.
  • TIEREQ field An authentication and key management suite and cipher suite that represents the requester's REQ selection. This field is optional.
  • List AS _REQ field Indicates the list of authentication server ASs trusted by the requester REQ, but does not include the issuer of the certificate CertREQ of the requester REQ. If the requester REQ trusts other certificate entities in addition to other certificate entities, the authentication server AAC can be notified through this field. This field is optional.
  • SigREQ field Represents the signature of the requester REQ, which is the signature of the requester REQ with its own private key for all fields in this group except this field.
  • the authentication access controller AAC If the authentication access controller AAC sends the authentication activation packet, it checks whether the SNonce, Para ECDH field value and the corresponding field value in the authentication activation packet in the received access authentication request packet are consistent, if there is an inconsistency, Discard the packet, otherwise perform 3.2); if the authentication access controller AAC does not send the authentication activation packet, check whether the SNonce field value is consistent with the authentication identifier calculated in the last certificate authentication process, and check the Para ECDH field and the last authentication. Whether the Para ECDH in the activation group is consistent. If there is an inconsistency, discard the packet, otherwise perform 3.2);
  • the authentication access controller AAC If the local policy of the authentication access controller AAC requires the authentication server AS to authenticate the certificate CertREQ of the requester REQ, the authentication access controller AAC generates a certificate authentication request packet, which is sent to the authentication server AS; otherwise, 3.5);
  • the certificate CertREQ of the access controller AAC local authentication requester REQ is authenticated, that is, the verification result of the certificate CertREQ of the requester REQ is confirmed according to the verification result of the certificate CertREQ of the locally cached requester REQ and the time validity defined by the local policy.
  • the temporary public key P for the ECDH exchange is generated locally, and the AAC queries the NAAC, and the base key is calculated according to the temporary public key ⁇ of the requester REQ and the temporary private key y of the requester, and the next time The authentication identifier of the identity authentication process, and then setting the access result to be successful, constructing the access authentication response packet to be sent to the requester REQ, and Allowing the user to access the network; if the authentication result of CertREQ is invalid, the authentication access controller AAC sets the access result to be unsuccessful, and the authentication access controller AAC query NAAC and temporary public key P can be set to any value, The incoming authentication response packet is sent to the requester REQ.
  • the main contents of the certificate authentication request packet include:
  • NAAC field Indicates the authentication access controller AAC query, which is the random number generated by the authentication access controller AAC.
  • NREQ field Indicates the requester REQ inquiry whose value is the same as the value of the NREQ field in the access authentication request packet.
  • CertREQ field A certificate representing the requester REQ whose value is the same as the value of the CertREQ field in the access authentication request packet.
  • CertAAc field A certificate representing the authentication access controller AAC, the value of which is the same as the value of the CertAAc field in the authentication activation packet.
  • List AS _REQ fields a list of AS indicates the REQ trusted authentication server, which is the same value in the access authentication request packet List AS _REQ field. This field is optional.
  • a certificate authentication response packet is constructed, and the corresponding signature is attached to the authentication access controller AAC.
  • the main contents of the certificate authentication response packet include:
  • RES Cert field indicates the verification result of the certificate. This field includes the authentication access controller AAC query value NAAC, the requester REQ query value NREQ, the verification result of CertAAc, and the verification result of CertREQ. If only one-way verification is performed, the verification result of CertAAc is not included.
  • SIG AS _REQ field A signature indicating the authentication result RES CERT field of the certificate in the packet by the authentication server AS trusted by the requester REQ.
  • SIG AS _AAC field Indicates that the authentication server AS that authenticates the access controller AAC trusts all the fields in this packet except this field. This field is optional. This field is not required if the authentication server AS that signed the certificate verification result is the same as the authentication server AS that the authentication access controller AAC trusts.
  • Access authentication response Authentication access controller After receiving the certificate authentication response packet, AAC performs the following processing:
  • the authentication access controller AAC in the RES CERT field queries whether the NAAC and the NAAC field value in the certificate authentication request packet are the same. If not, the packet is discarded, otherwise 5.2);
  • the packet contains two signature field, check the AAC trusted authentication server AS signature SIG AS _AAC field is correct, if not correct, the packet is discarded, otherwise 5.3); if a packet containing only a signature field, i.e., the certificate verification result indicates that the authentication server aS signed is the AAC trusted authentication server aS, SIG aS _REQ check field is correct, if correct, the packet is discarded Otherwise, 5.3);
  • the authentication access controller AAC sets the access result to be unsuccessful, and the authentication NAAC and the temporary public key P of the authentication access controller AAC can be set to an arbitrary value, and the configuration access authentication response packet is sent to the requester REQ. .
  • the main contents of the access authentication response packet include:
  • NREQ field Indicates the requester REQ inquiry, which is the random number generated by the requester REQ. When only the one-way authentication process is used, the access authentication response packet needs to include this field. If present, its value is the same as the value of the NRE Q field in the Access Authentication Request packet sent by the requester REQ.
  • NAAC field A query indicating the authentication access controller AAC, which is a random number generated by the authentication access controller AAC. When only the one-way authentication process is used, the access authentication response packet needs to include this field. If present, its value is the same as the value of the NAAC field in the certificate authentication request packet sent by the authentication access controller AAC.
  • ACCRES field Indicates the access result, which is the reason why the access controller AAC sets the success or failure of the access according to the authentication result and the failure.
  • x P Key data representing the requester REQ, the value of which is the same as the value of the ⁇ field in the access authentication request packet.
  • y P indicates the key data of the authentication access controller AAC, which is the temporary public key generated by the access controller AAC for ECDH exchange.
  • IDAAC field Indicates the identity ID of the authentication access controller AAC, which is obtained according to the certificate CertAAc field of the authentication access controller AAC.
  • IDREQ field Indicates the identity ID of the requester REQ, which is obtained according to the certificate CertREQ field of the requester REQ in the received access authentication request packet.
  • MRES CERT field Indicates the result of the certificate verification of the composite. This field is required in the access authentication response packet only for the two-way authentication process. If present, this field consists of the fields in the certificate authentication response packet and has the same value.
  • SIGAAC field indicates the signature of the authentication access controller AAC, which is the authentication access controller AAC
  • MIC 1 field indicates the message authentication code, which is the authentication key calculation by the access controller AAC using the base key BK negotiated in the authentication process to identify all the fields except the field and the next certificate authentication process in the access authentication response packet. The hash value obtained.
  • the access authentication response packet only needs to contain either the SIGAAC field and the MIC 1 field. If there is an authentication activation packet in the identity authentication process, and the authentication activation packet includes a SIGAAC field, then only the MIC 1 field is included in the packet; if the authentication authentication packet does not exist in the identity authentication process or the SIGAAC is not included in the authentication activation packet Field, then only the SIGAAC field is included in this group.
  • Access authentication confirmation After receiving the access authentication response packet, the requester REQ performs the following processing: 6.1) determining, according to the IDAAC and IDREQ fields in the packet, whether it is an access authentication response packet corresponding to the current access authentication request packet, If not, discard the packet, otherwise 6.2); 6.2) In the comparison packet, the requester REQ key data ⁇ field value is consistent with the value of the ⁇ field in the access authentication request packet sent by itself, and if not, the packet is discarded, otherwise 6.3);
  • the received access authentication response packet contains the SIGAAC field, verify the correctness of the SIGAAC, if not, discard the packet, otherwise perform 6.6); if the received packet contains the MIC1 field, then verify The correctness of the MIC1 field, if not correct, discard the packet, otherwise perform 6.6);
  • the value of the NREQ field included in the 1 ⁇ 80 ⁇ field is the same as the value of the NREQ field in the access authentication request packet sent by itself. If not, the packet is discarded, otherwise the signature is verified. , if not correct, discard the packet, otherwise perform 6.7);
  • Requester REQ performs ECDH calculation based on the temporary public key P of the authentication access controller AAC and its own temporary private key X to obtain the base key BK and the identification identifier of the next identity authentication process;
  • the received access authentication response packet contains the MIC1 field, whether to send the access authentication acknowledgement packet is optional; if the received packet contains the SIGAAC field, the access authentication acknowledgement packet needs to be constructed and sent to The access controller AAC is authenticated.
  • the main contents of the access authentication confirmation packet include:
  • MIC2 field indicates the message authentication code, which is calculated by the requester REQ using the base key BK negotiated in the authentication process to identify the access controller AAC query value NAAC, the requester REQ query value NREQ, and the next certificate authentication process. The hash value.
  • the authentication access controller AAC verifies the correctness of the MIC2 field in the packet after receiving the access authentication acknowledgement packet sent by the requester REQ. If it is correct, it means that the requester REQ has the base key BK consistent with itself; otherwise , discard the packet.
  • the function of the present invention is highly concentrated, and two-way authentication can be realized, and one-way authentication can be realized, and authentication update and fast authentication update are also supported.
  • the so-called fast authentication update means that the authentication server AS does not need to participate in the identity authentication process, and the authentication between the access controller AAC and the requester REQ is directly verified according to the certificate verification result in the previous identity authentication process;
  • the identity authentication process does not include the certificate authentication request packet and the certificate authentication response packet, and the access authentication response packet does not include a composite certificate verification result field; the fast authentication process can only be used as the authentication update process, and cannot Used as the first authentication when the client is connected to the network.
  • the present invention also provides an identity authentication system based on a public key certificate, including a requester REQ, an authentication access controller AAC, and an authentication server AS, the authentication server AS and the requester REQ, the authentication access controller AAC link, respectively; the requester REQ and The authentication access controller AAC authenticates through the authentication server AS.
  • a public key certificate including a requester REQ, an authentication access controller AAC, and an authentication server AS, the authentication server AS and the requester REQ, the authentication access controller AAC link, respectively; the requester REQ and The authentication access controller AAC authenticates through the authentication server AS.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)
  • Small-Scale Networks (AREA)

Abstract

Disclosed are a public key certificate-based identity authentication method and a system thereof. The authentication method includes the following steps: 1) an authentication access controller (AAC) sends an authentication activation packet to a requester (REQ); 2) after receiving the authentication activation packet, the REQ sends an access authentication request packet to the AAC; 5) the AAC generates the temporary public key y∙P used for the Elliptic Curve Diffie-Hellman (ECDH) exchange, and performs the ECDH calculation according to the temporary public key x∙P of the REQ and its own temporary private key y to obtain a base key (BK); then the AAC sets the access result to be a success, constructs an access authentication response packet and sends it to the REQ, and allows the user to access the network.

Description

一种基于^ I证书的身份鉴别方法及其系统  Method for identifying identity based on ^I certificate and system thereof
本申请要求于 2009 年 8 月 19 日提交中国专利局、 申请号为 200910023629.7、 发明名称为"一种基于公钥证书的身份鉴别方法及其系统"的 中国专利申请的优先权, 其全部内容通过引用结合在本申请中。  This application claims priority to Chinese Patent Application No. 200910023629.7, entitled "A Public Key Certificate Based Identification Method and System", filed on August 19, 2009, the entire contents of which are hereby incorporated by reference. The citations are incorporated herein by reference.
技术领域 Technical field
本发明涉及一种基于公钥证书的身份鉴别方法及其系统,特别涉及有线局 域网 LAN( Local Area Network )中用户接入网络时一种基于三元对等鉴别 TePA ( Tri-element Peer Authentication )机制的身份鉴别方法及其系统。  The invention relates to a method for authenticating an identity based on a public key certificate and a system thereof, in particular to a Tri-element Peer Authentication (TePA) based mechanism for a user in a wired local area network (LAN) to access a network. Identification method and system thereof.
背景技术 Background technique
三元对等鉴别 TePA技术是我国首次提出的一种用户与网络间对等鉴别的 技术思想和框架方法, 该技术定义了一种三元实体鉴别架构,基于对等鉴别的 思想, 可完成用户与网络之间的双向对等鉴别。  The ternary peer-to-peer identification TePA technology is the first technical idea and framework method for peer-to-peer authentication between users and networks. This technology defines a ternary entity authentication architecture. Based on the idea of peer-to-peer identification, users can complete users. Two-way peer-to-peer authentication with the network.
在有线局域网中, 目前 IEEE通过对 IEEE802.3进行安全增强来实现链路层 的安全, 釆用典型的安全接入架构协议 IEEE 802.1x, 其基本方法是在终端和 接入点设备之外增加鉴别服务器,接入点设备利用鉴别服务器对终端的身份进 行鉴别,从而实现对终端的安全接入控制。接入点设备直接转发终端和鉴别服 务器间的鉴别信息, 并不作为独立实体参与身份鉴别过程。这种模式仅能实现 网络对终端身份的合法性鉴别, 却不能满足终端对接入网络的合法性鉴别需 求, 无法实现终端与网络间的双向鉴别。终端无法对接入点设备的身份予以确 认, 即使后期在此类安全架构上通过增加安全补丁等措施来弥补安全漏洞,但 也不能彻底解决诸如中间人攻击、终端接入非法的网络等安全问题。这类安全 接入技术协议延用至今, 已经对产业发展造成严重的障碍。  In wired LAN, IEEE currently implements security enhancement of IEEE802.3 to achieve link layer security. The typical secure access architecture protocol IEEE 802.1x is used. The basic method is to increase the number of terminals and access point devices. The authentication server uses the authentication server to authenticate the identity of the terminal, thereby implementing secure access control to the terminal. The access point device directly forwards the authentication information between the terminal and the authentication server, and does not participate in the identity authentication process as an independent entity. This mode can only realize the legality identification of the terminal identity of the network, but it can not meet the legality identification requirements of the terminal for the access network, and cannot realize the two-way authentication between the terminal and the network. The terminal cannot confirm the identity of the access point device. Even if security patches are added to the security architecture by adding security patches in the future, security problems such as man-in-the-middle attacks and terminal access to illegal networks cannot be completely solved. Such security access technology agreements have been extended to date and have caused serious obstacles to industrial development.
发明内容 Summary of the invention
为了解决背景技术中存在的上述技术问题,本发明提供了一种有线局域网 LAN中用户接入网络时基于三元对等鉴别 TePA机制的身份鉴别方法, 可实现 用户与网络之间的双向(单向)鉴别、 快速更新认证、 支持多证书等功能, 其 中鉴别过程基于公钥证书进行。  In order to solve the above technical problem in the prior art, the present invention provides an identity authentication method based on a ternary peer-to-peer authentication TePA mechanism when a user accesses a network in a wired local area network (LAN), which can implement two-way between the user and the network. To the functions of authentication, fast update authentication, support for multiple certificates, etc., wherein the authentication process is based on a public key certificate.
本发明的技术解决方案是:本发明提供了一种基于公钥证书的身份鉴别方 法, 所述基于公钥证书的身份鉴别方法包括以下步骤: 1 )鉴别访问控制器 AAC向请求者 REQ发送鉴别激活分组; The technical solution of the present invention is: The present invention provides a public key certificate-based identity authentication method, and the public key certificate-based identity authentication method includes the following steps: 1) the authentication access controller AAC sends an authentication activation packet to the requester REQ;
所述鉴别激活分组包括: SNonce、 IDAS^AC、 CertAAc和 ParaECDH; 其中, SNonce字段: 表示鉴别标识, 若为首次身份鉴别, 则该字段为由鉴别访问控 制器 AAC产生的随机数; 若为更新的身份鉴别过程,则该字段的值是上一次身 份鉴别过程中协商生成的鉴别标识值; IDAS^AC字段:表示鉴别访问控制器 AAC 所信任的鉴别服务器 AS的身份标识 ID, 是鉴别访问控制器 AAC证书 CertAAc的 颁发者鉴别服务器 AS的身份标识 ID; CertAAc字段: 表示鉴别访问控制器 AAC 的证书; ParaECDH字段: 表示椭圓曲线密码体制的椭圓曲线密码参数, 是请求 者 REQ和鉴别访问控制器 AAC进行椭圓曲线 Diffie-Hellman (ECDH) 密钥协 商计算时釆用的椭圓曲线密码参数; The authentication activation packet includes: SNonce, ID AS ^AC, CertAAc, and Para ECDH ; wherein, the SNonce field: indicates an authentication identifier, and if it is the first identity authentication, the field is a random number generated by the authentication access controller AAC; For the updated identity authentication process, the value of the field is the authentication identifier value that is negotiated and generated during the last identity authentication process; ID AS ^A C field: indicates the identity ID of the authentication server AS trusted by the authentication access controller AAC. Is the identity authentication ID of the issuer authentication server AS that authenticates the access controller AAC certificate CertAAc; CertAAc field: indicates the certificate of the authentication access controller AAC; Para ECDH field: the elliptic curve cryptographic parameter indicating the elliptic curve cryptosystem, is the request Elliptic curve cryptographic parameters used by the REQ and the authentication access controller AAC for elliptic curve Diffie-Hellman (ECDH) key agreement calculation;
2 )请求者 REQ收到鉴别激活分组后向鉴别访问控制器 AAC发送接入鉴别 请求分组;  2) the requester REQ sends an access authentication request packet to the authentication access controller AAC after receiving the authentication activation packet;
所述接入鉴别请求分组包括: SNonce字段: 表示鉴别标识, 若为首次身 份鉴别过程, 则该字段值直接取决于鉴别激活分组中的 SNonce字段值; 若为 更新的身份鉴别过程, 则该字段值为上一次身份鉴别过程中计算的鉴别标识 值; χ·Ρ字段: 表示请求者 REQ的密钥数据, 是请求者 REQ生成的用于 ECDH 交换的临时公钥 χ·Ρ; IDAAC字段: 表示鉴别访问控制器 AAC的身份标识 ID , 根 据鉴别激活分组中鉴别访问控制器 AAC的证书 CertAAc字段得到; CertREQ字段: 表示请求者 REQ的证书; ParaECDH字段: 表示椭圓曲线密码体制的椭圓曲线密 码参数, 是请求者 REQ和鉴别访问控制器 AAC进行椭圓曲线 Diffie-Hellman (ECDH) 密钥协商计算时釆用的椭圓曲线密码参数,其值同鉴别激活分组中的 ParaECDH字段值; SigREQ字段: 表示请求者 REQ的签名, 是请求者 REQ利用自 己的私钥对接入鉴别请求分组中除本字段之外所有字段进行的签名; The access authentication request packet includes: a SNonce field: indicating an authentication identifier, if the first identity authentication process, the field value directly depends on the SNonce field value in the authentication activation packet; if it is an updated identity authentication process, the field The value is the authentication identifier value calculated in the last identity authentication process; χ·Ρ field: the key data representing the requester REQ, which is the temporary public key EC·Ρ generated by the requester REQ for ECDH exchange; IDAAC field: indicates The identity ID of the authentication access controller AAC is obtained according to the certificate CertAAc field of the authentication access controller AAC in the authentication activation packet; the CertREQ field: the certificate representing the requester REQ; the Para ECDH field: the elliptic curve representing the elliptic curve cryptosystem The password parameter is an elliptic curve cryptographic parameter used by the requester REQ and the authentication access controller AAC for elliptic curve Diffie-Hellman (ECDH) key negotiation calculation, and the value is the same as the Para ECDH field value in the authentication activation packet; Si gRE Q field: indicates the signature of the requester REQ, which is the requester REQ uses its own private key to group access authentication requests. Signatures of all fields except this field;
5 )鉴别访问控制器 AAC生成用于 ECDH交换的临时公钥 P, 并根据请求 者 REQ的临时公钥 χ·Ρ以及自己的临时私钥 y进行 ECDH计算得到基密钥 ΒΚ,然 后设定接入结果为成功, 构造接入鉴别响应分组发送给请求者 REQ, 并允许用 户访问网络; 所述接入鉴别响应分组包括: ACCRES字段、 χ·Ρ字段、 P字段、 IDAAC字段、 IDREQ字段、 SIGAAC字段或 MIC1字段; 其中, ACCRES字段: 表示接 入结果,是鉴别访问控制器 AAC根据鉴别结果设定的接入成功或失败以及失败 的原因; χ·Ρ : 表示请求者 REQ的密钥数据, 其值同接入鉴别请求分组中 χ·Ρ字 段的值; P: 表示鉴别访问控制器 AAC的密钥数据, 是鉴别访问控制器 AAC 生成的用于 ECDH交换的临时公钥 P; IDAAC字段: 表示鉴别访问控制器 AAC 的身份标识 ID , 是根据鉴别访问控制器 AAC的证书 CertAAc字段得到; IDREQ字 段: 表示请求者 REQ的身份标识 ID , 根据收到的接入鉴别请求分组中请求者 REQ的证书 CertREQ字段得到; SIGAAC字段: 表示鉴别访问控制器 AAC的签名, 是鉴别访问控制器 AAC利用自己的私钥对接入鉴别响应分组中除本字段之外 所有字段的签名; MIC 1字段: 表示消息鉴别码, 是鉴别访问控制器 AAC利用 鉴别过程中协商生成的基密钥 BK对接入鉴别响应分组中除了本字段外的所有 字段计算得到的杂凑值。 5) The authentication access controller AAC generates a temporary public key P for ECDH exchange, and performs an ECDH calculation based on the temporary public key 请求·Ρ of the requester REQ and its own temporary private key y to obtain a base key ΒΚ, and then set up The result is successful, constructing an access authentication response packet to be sent to the requester REQ, and allowing the user to access the network; the access authentication response packet includes: ACCRES field, χ·Ρ field, P field, IDAAC field, IDREQ field, SIGAAC Field or MIC1 field; where ACCRES field: indicates the access result, which is the access success or failure and failure of the authentication access controller AAC according to the authentication result. Reason; χ·Ρ : indicates the key data of the requester REQ, the value of which is the same as the value of the 鉴别·Ρ field in the access authentication request packet; P: indicates the key data of the authentication access controller AAC, which is the authentication access controller A temporary public key P for ECDH exchange generated by AAC; IDAAC field: indicates the identity ID of the authentication access controller AAC, which is obtained according to the certificate CertAAc field of the authentication access controller AAC; IDREQ field: indicates the identity of the requester REQ ID, obtained according to the certificate CertREQ field of the requester REQ in the received access authentication request packet; SIGAAC field: indicates the signature of the authentication access controller AAC, and is the authentication access controller AAC uses its own private key to access the authentication response packet. The signature of all fields except this field; MIC 1 field: indicates the message authentication code, which is the authentication access controller AAC uses the base key BK negotiated in the authentication process to access all the authentication except the field in the access authentication response packet. The hash value obtained by the field calculation.
如果鉴别访问控制器 AAC的本地策略要求使用鉴别服务器 AS来鉴别请求 者 REQ的证书 CertREQ , 则所述方法在步骤 2 )和步骤 5 )之间还包括:  If the local policy of the authentication access controller AAC requires the authentication server AS to authenticate the certificate CertREQ of the requester REQ, the method further includes between step 2) and step 5):
3 )鉴别访问控制器 AAC向鉴别服务器 AS发送证书鉴别请求分组; 证书鉴 别请求分组包括: CertREQ字段: 表示请求者 REQ的证书, 其值同接入鉴别请求 分组中 CertREQ字段的值; CertAAc字段: 表示鉴别访问控制器 AAC的证书, 其 值同鉴别激活分组中 CertAAc字段的值;  3) The authentication access controller AAC sends a certificate authentication request packet to the authentication server AS; the certificate authentication request packet includes: CertREQ field: a certificate representing the requester REQ, the value of which is the same as the value of the CertREQ field in the access authentication request packet; CertAAc field: Representing the certificate of the authentication access controller AAC, the value of which is the same as the value of the CertAAc field in the authentication activation packet;
4 )鉴别服务器 AS收到证书鉴别请求分组后向鉴别访问控制器 AAC发送证 书鉴别响应分组;证书鉴别响应分组包括: RESCERT字段:表示证书的验证结果, 本字段包括鉴别访问控制器 AAC询问值 NAAC、请求者 REQ询问值 NREQ、 CertAAc 的验证结果以及 CertREQ的验证结果;
Figure imgf000005_0001
表示请求者 REQ信任的鉴 别服务器 AS对本分组中证书的验证结果 RESCERT字段的签名。 4) The authentication server AS sends a certificate authentication response packet to the authentication access controller AAC after receiving the certificate authentication request packet; the certificate authentication response packet includes: RES CERT field: indicates the verification result of the certificate, and the field includes the authentication access controller AAC query value. NAAC, requester REQ query value NRE Q , CertAAc verification result and CertREQ verification result;
Figure imgf000005_0001
The signature of the RES CERT field indicating the verification result of the certificate in the packet by the authentication server AS trusted by the requester REQ.
所述步骤 1 ) 的具体实现方式是: 鉴别访问控制器 AAC向请求者 REQ发送 鉴别激活分组以激活请求者 REQ进行证书鉴别过程。  The specific implementation of the step 1) is: the authentication access controller AAC sends an authentication activation packet to the requester REQ to activate the requester REQ for the certificate authentication process.
所述步骤 2 ) 的具体实现方式是: 请求者 REQ收到鉴别激活分组后, 进行 如下处理:  The specific implementation manner of the step 2) is as follows: After the requester REQ receives the authentication activation packet, the following processing is performed:
2. 1 )如果此次鉴别过程为身份鉴别的更新过程, 则请求者 REQ检查鉴别 激活分组中的鉴别标识字段与上一次身份鉴别过程中计算的鉴别标识是否一 致, 如果不一致, 则丟弃该分组, 如果一致, 则执行 2.2 ); 如果此次鉴别过程 不是身份鉴别的更新过程, 为首次身份鉴别过程, 则直接执行 2.2 ); 2.2 )如果收到的鉴别激活分组中还包括 SIGAAC字段, 则验证 SIGAAC字段 的正确性, 如果不正确则丟弃该分组, 如果正确, 则执行 2.3 ); 如果收到的鉴 别激活分组中未包含 SIGAAC字段, 则直接执行 2.3 ); 所述 SIGAAC字段: 表示鉴 别访问控制器 AAC的签名, 是鉴别访问控制器 AAC利用自己的私钥对本分组 中除本字段之外所有字段进行的签名; 2. 1) If the authentication process is an update process of the identity authentication, the requester REQ checks whether the authentication identifier field in the authentication activation packet is consistent with the authentication identifier calculated in the last identity authentication process, and if not, discards the Grouping, if they are consistent, perform 2.2); if the authentication process is not the update process of identity authentication, for the first identity authentication process, directly execute 2.2); 2.2) If the received authentication activation packet further includes the SIGAAC field, verify the correctness of the SIGAAC field, discard the packet if it is incorrect, if it is correct, execute 2.3); if the received authentication activation packet does not contain The SIGAAC field is directly executed by 2.3); the SIGAAC field: indicates the signature of the authentication access controller AAC, and is the signature of the authentication access controller AAC to use all of the fields except the field in the packet by using the private key of the access controller;
2.3 )根据鉴别激活分组中的 IDAS^AC 字段选择由该鉴别服务器 AS颁发的 请求者 REQ证书 CertREQ或者根据本地策略选择请求者 REQ证书 CertREQ ,并产生 用于 ECDH交换的请求者 REQ临时公钥 χ·Ρ和请求者 REQ询问 NREQ,生成接入鉴 别请求分组, 发送给鉴别访问控制器 AAC。 2.3) selecting the requester REQ certificate CertREQ issued by the authentication server AS according to the IDAS^AC field in the authentication activation packet or selecting the requester REQ certificate CertRE Q according to the local policy, and generating the requester REQ temporary public key for ECDH exchange The 请求·Ρ and the requester REQ interrogate the NREQ, generate an access authentication request packet, and send it to the authentication access controller AAC.
所述步骤 3 ) 的具体实现方式是: 鉴别访问控制器 AAC收到接入鉴别请求 分组后, 进行如下处理:  The specific implementation manner of the step 3) is as follows: After the authentication access controller receives the access authentication request packet, the AAC performs the following processing:
3.1 )如果鉴别访问控制器 AAC发送了鉴别激活分组, 则检查收到的接入 鉴别请求分组中的 SNonce、 ParaECDH字段值和鉴别激活分组中对应的字段值是 否一致, 如果有一个不一致, 则丟弃该分组, 如果一致, 则执行 3.2 ); 如果鉴 别访问控制器 AAC没有发送鉴别激活分组, 则检查 SNonce字段值和上一次证 书鉴别过程中计算的鉴别标识是否一致, 并检查 ParaECDH字段和上一次鉴别激 活分组中的 ParaECDH是否一致, 如果有一个不一致, 则丟弃该分组; 如果一致, 则执行 3.2 ); 3.1) If the authentication access controller AAC sends the authentication activation packet, it checks whether the SNonce, Para ECDH field value and the corresponding field value in the authentication activation packet in the received access authentication request packet are consistent, if there is an inconsistency, Discard the packet, if it is consistent, perform 3.2); if the authentication access controller AAC does not send the authentication activation packet, check whether the SNonce field value is consistent with the authentication identifier calculated in the last certificate authentication process, and check the Para ECDH field and Whether the Para ECDH in the last authentication activation packet is consistent, if there is an inconsistency, discard the packet; if they are consistent, perform 3.2);
3.2 )检查 IDAAC与自己的身份是否一致, 如果不一致, 则丟弃该分组; 如 果一致则执行 3.3 );  3.2) Check if the IDAAC is consistent with its own identity. If it is inconsistent, discard the packet; if it is consistent, execute 3.3);
3.3 )验证请求者 REQ的签名 SigREQ字段的正确性, 如果不正确, 则执行丟 弃该分组; 如果正确, 则执行 3.4);  3.3) Verify the requester REQ's signature SigREQ field is correct, if it is not correct, then execute the discarding of the packet; if it is correct, execute 3.4);
3.4 )如果鉴别访问控制器 AAC的本地策略要求使用鉴别服务器 AS来鉴别 请求者 REQ的证书 CertREQ , 则鉴别访问控制器 AAC生成证书鉴别请求分组, 发送给鉴别服务器 AS; 否则执行 3.5 );  3.4) If the local policy of the authentication access controller AAC requires the authentication server AS to authenticate the certificate CertREQ of the requester REQ, the authentication access controller AAC generates a certificate authentication request packet and sends it to the authentication server AS; otherwise, it executes 3.5);
3.5 )鉴别访问控制器 AAC本地鉴别请求者 REQ的证书 CertREQ , 即根据本 地緩存的请求者 REQ的证书 CertREQ的验证结果及本地策略所定义的时效性确 认请求者 REQ的证书 CertREQ的验证结果, 若合法, 则本地生成用于 ECDH交换 的临时公钥 P , 并根据请求者 REQ的临时公钥 χ·Ρ以及自己的临时私钥 y进行 ECDH计算得到基密钥 BK,然后设定接入结果为成功,构造接入鉴别响应分组 发送给请求者 REQ , 并允许用户访问网络; 若 CertREQ的验证结果为不合法, 则 鉴别访问控制器 AAC设定接入结果为不成功,构造接入鉴别响应分组发送给请 求者 REQ。 3.5) Authenticate the certificate CertREQ of the access controller AAC local authentication requester REQ, that is, the verification result of the certificate CertREQ of the requester REQ according to the verification result of the certificate CertREQ of the locally cached requester REQ and the time validity defined by the local policy, If it is legal, the temporary public key P for ECDH exchange is generated locally, and is based on the temporary public key χ·Ρ of the requester REQ and its own temporary private key y. The ECDH calculates the base key BK, and then sets the access result to be successful, constructs the access authentication response packet to the requester REQ, and allows the user to access the network; if the CertREQ verification result is invalid, the access controller AAC is authenticated. If the access result is set to be unsuccessful, the constructing access authentication response packet is sent to the requester REQ.
所述步骤 4 )的具体实现方式是:鉴别服务器 AS收到证书鉴别请求分组后, 进行如下处理:  The specific implementation manner of the step 4) is: after the authentication server AS receives the certificate authentication request packet, the following processing is performed:
4.1 ) 同时验证鉴别访问控制器 AAC的证书 CertAAc和请求者 REQ的证书 CertREQ , 然后执行 4.2 );  4.1) Simultaneously verify the certificate of the access controller AAC CertAAc and the requester REQ certificate CertREQ, and then execute 4.2);
4.2 )根据证书的验证结果, 构造证书鉴别响应分组, 并且附加相应的签 名, 发往鉴别访问控制器 AAC。  4.2) According to the verification result of the certificate, a certificate authentication response packet is constructed, and the corresponding signature is attached to the authentication access controller AAC.
所述步骤 5 ) 的具体实现方式是: 鉴别访问控制器 AAC收到证书鉴别响应 分组后, 进行如下处理:  The specific implementation manner of the step 5) is as follows: After the authentication access controller receives the certificate authentication response packet, the AAC performs the following processing:
5.1 )如果接入鉴别请求分组还包括 NREQ字段, 且证书鉴别请求分组还包 括 NAAC字段和 NREQ字段, 则鉴别访问控制器 AAC检查证书的验证结果 RESCERT 字段中的鉴别访问控制器 AAC的询问 NAAC与证书鉴别请求分组中的 NAAC字段 值是否相同, 若不同, 丟弃该分组; 若相同则执行 5.2 ); 所述 NAAC字段: 表示 鉴别访问控制器 AAC询问, 是鉴别访问控制器 AAC产生的随机数; NREQ字段: 在证书鉴别请求分组中表示请求者 REQ询问,其值同接入鉴别请求分组中 NREQ 字段的值, 在接入鉴别请求分组中是请求者 REQ产生的随机数; 5.1) If the access authentication request packet further includes an NREQ field, and the certificate authentication request packet further includes a NAAC field and an NREQ field, the authentication access controller AAC checks the authentication result of the certificate RES CERT field in the authentication access controller AAC. Whether the value of the NAAC field in the certificate authentication request packet is the same, if not, discarding the packet; if the same, performing 5.2); the NAAC field: indicating the authentication access controller AAC query, which is the randomization generated by the authentication access controller AAC NREQ field: indicates a requester REQ inquiry in a certificate authentication request packet, the value of which is the same as the value of the NREQ field in the access authentication request packet, and is a random number generated by the requester REQ in the access authentication request packet;
5.2 )如果证书鉴别响应分组还包括 SIGAS_AAC字段, 则检查鉴别访问控制 器 AAC所信任的鉴别服务器 AS的签名 SIGAS_AAC字段是否正确, 若不正确, 则 丟弃该分组, 若正确则执行 5.3 ); 如果分组中只含有一个签名
Figure imgf000007_0001
5.2) If the certificate authentication response packet further comprises SIG AS _AAC field, check the AAC trusted authentication server AS signature SIG AS _AAC fields are correct, if correct, the packet is discarded, if the correct execution 5.3); if the packet contains only one signature
Figure imgf000007_0001
段, 即表明对证书验证结果进行签名的鉴别服务器 AS也是鉴别访问控制器 AAC所信任的鉴别服务器 AS , 则检查 SIGAS_REQ字段是否正确, 若不正确, 则 丟弃该分组,若正确则执行 5.3 );所述 SIGAS^AC字段:表示鉴别访问控制器 AAC 信任的鉴别服务器 AS对本分组中除本字段之外所有字段的签名; Section, which indicates the results of the verification certificate to sign the authentication server AS is the AAC trusted authentication server AS, check SIG AS _REQ field is correct, if not correct, the packet is discarded, if the correct execution 5.3); the SIGAS^AC field: indicates that the authentication server AS trusted by the access controller AAC trusts all the fields in the packet except this field;
5.3 )检查证书的验证结果 RESCERT字段中 CertREQ的验证结果是否合法, 若 合法, 则本地生成用于 ECDH交换的临时公钥 P, 并根据请求者 REQ的临时公 钥 χ·Ρ以及自己的临时私钥 y进行 ECDH计算得到基密钥 ΒΚ,然后设定接入结果 为成功, 构造接入鉴别响应分组发送给请求者 REQ , 并允许用户访问网络; 若 CertREQ的验证结果为不合法, 则鉴别访问控制器 AAC设定接入结果为不成功, 构造接入鉴别响应分组发送给请求者 REQ。 5.3) Checking the verification result of the certificate The result of the verification of CertREQ in the RES CERT field is legal. If it is legal, the temporary public key P for ECDH exchange is generated locally, and according to the temporary public key of the requester REQ and its own temporary The private key y performs ECDH calculation to obtain the base key ΒΚ, and then sets the access result. To successfully, the access authentication response packet is sent to the requester REQ, and the user is allowed to access the network. If the authentication result of the CertREQ is invalid, the authentication access controller AAC sets the access result to be unsuccessful, and constructs the access authentication response. The packet is sent to the requester REQ.
若所述接入鉴别响应分组中包括 SIGAAC字段, 则所述方法在步骤 5 )之后 还包括:  If the access authentication response packet includes a SIGAAC field, the method further includes after step 5):
6 )请求者 REQ收到接入鉴别响应分组后向鉴别访问控制器 AAC发送接入 鉴别确认分组; 接入鉴别确认分组包括: MIC2字段: 表示消息鉴别码。  6) The requester REQ sends an access authentication acknowledgement packet to the authentication access controller AAC after receiving the access authentication response packet; the access authentication acknowledgement packet includes: MIC2 field: indicates a message authentication code.
所述步骤 6 ) 的具体实现方式是: 请求者 REQ收到接入鉴别响应分组后, 进行如下处理:  The specific implementation manner of the step 6) is as follows: After the requester REQ receives the access authentication response packet, the following processing is performed:
6.1 )根据分组中的 IDAAC和 IDREQ字段判断是否为对应当前接入鉴别请求分 组的接入鉴别响应分组, 如果不是, 则丟弃该分组; 如果是则执行 6.2 );  6.1) determining, according to the IDAAC and IDREQ fields in the packet, whether the packet is an access authentication response packet corresponding to the current access authentication request packet, and if not, discarding the packet; if yes, executing 6.2);
6.2 ) 比较分组中请求者 REQ临时公钥 χ·Ρ字段值与自己发送的接入鉴别请 求分组中的 χ·Ρ字段值是否一致, 若不一致, 则丟弃该分组; 否则执行 6.3 );  6.2) Comparing the requester in the packet The REQ temporary public key χ·Ρ field value is consistent with the value of the χ·Ρ field in the access authentication request packet sent by itself. If not, the packet is discarded; otherwise, 6.3);
6.3 ) )查看分组中的 ACCRES字段, 如果接入结果为不成功, 则得知不能访 问该网络; 如果接入结果为成功, 则执行 6.4 );  6.3)) Check the ACCRES field in the packet. If the access result is unsuccessful, it is known that the network cannot be accessed. If the access result is successful, execute 6.4);
6.4 )如果收到的接入鉴别响应分组中含有 SIGAAC字段, 则验证 SIGAAC的 正确性, 如果不正确, 则丟弃该分组; 如果正确则执行 6.5 ); 如果收到的分组 中含有 MIC 1字段, 则验证 MIC 1字段的正确性, 如果不正确, 则丟弃分组; 如 果正确则执行 6.5 );  6.4) If the received access authentication response packet contains the SIGAAC field, verify the correctness of the SIGAAC, if not, discard the packet; if it is correct, execute 6.5); if the received packet contains the MIC 1 field , then verify the correctness of the MIC 1 field, if not, discard the packet; if it is correct, execute 6.5);
6.5 )验证复合的证书验证结果 MRESCERT字段中所包含的 NREQ字段值与自己 发送的接入鉴别请求分组中 NREQ字段值是否一致, 若不一致, 则丟弃该分组; 如果一致则验证签名 SIGAS_REQ是否正确, 如果不正确则丟弃该分组, 如果正确 则执行 6.6 ); 6.5) Verifying the composite certificate verification result The NREQ field value included in the MRES CERT field is consistent with the value of the NREQ field in the access authentication request packet sent by itself. If not, the packet is discarded; if yes, the signature SIG AS is verified. Whether _REQ is correct, discard the packet if it is incorrect, and 6.6 if it is correct;
6.6 )验证复合的证书验证结果 MRESCERT字段中鉴别访问控制器 AAC证书 验证结果是否为合法,如果不合法,则得知该网络不合法,不可以访问该网络; 如果合法则得到该网络是合法的, 可以进行访问, 并执行 6.7 ); 6.6) Verifying the composite certificate verification result The authentication result of the access controller AAC certificate in the MRES CERT field is legal. If it is not legal, it is known that the network is illegal and cannot access the network; if it is legal, the network is legal. , can be accessed, and executed 6.7);
6.7 )请求者 REQ根据鉴别访问控制器 AAC的临时公钥 P和自己的临时私 钥 X进行 ECDH计算得到基密钥 BK;  6.7) The requester REQ performs the ECDH calculation based on the temporary public key P of the authentication access controller AAC and its own temporary private key X to obtain the base key BK;
6.8 )如果收到的分组中含有 SIGAAC字段, 则需要构造接入鉴别确认分组, 发送给鉴别访问控制器 AAC。 6.8) If the received packet contains the SIGAAC field, then an access authentication acknowledgement packet needs to be constructed. Send to the authentication access controller AAC.
所述步骤 6 ) 中鉴别访问控制器 AAC在发送接入鉴别响应分组给请求者 REQ之后,如果发送的接入鉴别响应分组中包含的是鉴别访问控制器 AAC的签 名 SIGAAC字段,则所述方法还包括: 鉴别访问控制器 AAC等待接收接入鉴别确 认分组。  In the step 6), after the authentication access controller AAC sends the access authentication response packet to the requester REQ, if the sent access authentication response packet includes the signature SIGAAC field of the authentication access controller AAC, the method The method further includes: the authentication access controller AAC waiting to receive the access authentication confirmation packet.
所述步骤 6 ) 中当鉴别访问控制器 AAC在收到请求者 REQ发送的接入鉴别 确认分组之后, 还包括: 验证分组中 MIC2字段的正确性, 如果正确, 则意味 着请求者 REQ具有和自己一致的基密钥 BK; 如果不正确, 则丟弃该分组。  After the access authentication controller AAC receives the access authentication acknowledgement packet sent by the requester REQ, the method further includes: verifying the correctness of the MIC2 field in the packet, and if correct, means that the requester REQ has the sum The own base key BK; if not correct, discard the packet.
所述接入鉴别响应分组中的 MIC 1字段优选是由鉴别访问控制器 AAC利用 鉴别过程中协商生成的基密钥 BK对接入鉴别响应分组中除了本字段外的所有 字段及下一次证书鉴别过程的鉴别标识计算得到的杂凑值。  The MIC 1 field in the access authentication response packet is preferably all the fields except the current field and the next certificate authentication in the access authentication response packet by the authentication access controller AAC using the base key BK negotiated in the authentication process. The process's authentication identifies the calculated hash value.
本发明还提供了一种基于公钥证书的身份鉴别系统,所述基于公钥证书的 身份鉴别系统包括请求者 REQ、 鉴别访问控制器 AAC;  The present invention also provides an identity authentication system based on a public key certificate, the public key certificate based identity authentication system comprising a requester REQ, an authentication access controller AAC;
所述鉴别访问控制器 AAC , 用于向请求者 REQ发送鉴别激活分组; 生成 用于 ECDH交换的临时公钥 P, 并根据请求者 REQ的临时公钥 χ·Ρ以及自己的 临时私钥 y进行 ECDH计算得到基密钥 ΒΚ, 然后设定接入结果为成功, 构造接 入鉴别响应分组发送给请求者 REQ, 并允许用户访问网络;  The authentication access controller AAC is configured to send an authentication activation packet to the requester REQ; generate a temporary public key P for ECDH exchange, and perform according to the temporary public key χ·Ρ of the requester REQ and its own temporary private key y The ECDH calculates the base key ΒΚ, and then sets the access result to be successful, constructs the access authentication response packet to be sent to the requester REQ, and allows the user to access the network;
所述请求者 REQ, 用于在收到鉴别激活分组后向鉴别访问控制器 AAC发 送接入鉴别请求分组;  The requester REQ, configured to send an access authentication request packet to the authentication access controller AAC after receiving the authentication activation packet;
所述鉴别激活分组包括: SNonce、 IDAS-AAC、 CertAAc和 ParaECDH; 其中,The authentication activation packet includes: SNonce, ID AS-A AC, CertAAc, and Para ECDH ; wherein
SNonce字段: 表示鉴别标识, 若为首次身份鉴别, 则该字段为由鉴别访问控 制器 AAC产生的随机数; 若为更新的身份鉴别过程,则该字段的值是上一次身 份鉴别过程中协商生成的鉴别标识值; IDAS^AC字段:表示鉴别访问控制器 AAC 所信任的鉴别服务器 AS的身份标识 ID, 是鉴别访问控制器 AAC证书 CertAAc的 颁发者鉴别服务器 AS的身份标识 ID; CertAAc字段: 表示鉴别访问控制器 AAC 的证书; ParaECDH字段: 表示椭圓曲线密码体制的椭圓曲线密码参数, 是请求 者 REQ和鉴别访问控制器 AAC进行椭圓曲线 Diffie-Hellman (ECDH) 密钥协 商计算时釆用的椭圓曲线密码参数; SNonce field: indicates the authentication identifier. If it is the first identity authentication, the field is the random number generated by the authentication access controller AAC. If it is the updated identity authentication process, the value of the field is negotiated during the last identity authentication process. Identification ID value; ID AS ^ A C field: indicates the identity ID of the authentication server AS trusted by the authentication access controller AAC, which is the identity ID of the issuer authentication server AS that authenticates the access controller AAC certificate CertAAc; CertAAc field : Indicates the certificate that authenticates the access controller AAC; Para ECDH field: Elliptic curve cryptographic parameter indicating the elliptic curve cryptosystem, is the requester REQ and the authentication access controller AAC performs elliptic curve Diffie-Hellman (ECDH) key negotiation The elliptic curve cryptographic parameters used in the calculation;
所述接入鉴别请求分组包括: SNonce字段: 表示鉴别标识, 若为首次身 份鉴别过程, 则该字段值直接取决于鉴别激活分组中的 SNonce字段值; 若为 更新的身份鉴别过程, 则该字段值为上一次身份鉴别过程中计算的鉴别标识 值; χ·Ρ字段: 表示请求者 REQ的密钥数据, 是请求者 REQ生成的用于 ECDH 交换的临时公钥 χ·Ρ; IDAAC字段: 表示鉴别访问控制器 AAC的身份标识 ID , 根 据鉴别激活分组中鉴别访问控制器 AAC的证书 CertAAc字段得到; CertREQ字段: 表示请求者 REQ的证书; ParaECDH字段: 表示 ECDH参数, 是请求者 REQ和鉴 别访问控制器 AAC进行 ECDH计算时釆用的椭圓曲线密码参数,其值同鉴别激 活分组中的 ParaECDH字段值; SigREQ字段: 表示请求者 REQ的签名, 是请求者 REQ利用自己的私钥对接入鉴别请求分组中除本字段之外所有字段进行的签 名; The access authentication request packet includes: a SNonce field: indicating an authentication identifier, if it is the first body For the authentication process, the value of the field directly depends on the value of the SNonce field in the authentication activation packet; if it is an updated identity authentication process, the field value is the value of the authentication identifier calculated in the last identity authentication process; χ·Ρ field: The key data representing the requester REQ is a temporary public key generated by the requester REQ for ECDH exchange; IDAAC field: indicates the identity ID of the authentication access controller AAC, and the authentication access controller is activated according to the authentication activation packet AAC's certificate CertAAc field is obtained; CertREQ field: indicates the requester's REQ certificate; Para ECDH field: indicates the ECDH parameter, which is the elliptic curve cryptographic parameter used by the requester REQ and the authentication access controller AAC for ECDH calculation. Same as the Para ECDH field value in the authentication activation packet; Si gRE Q field: indicates the signature of the requester REQ, which is the signature of the requester REQ using all of the fields except the field in the access authentication request packet by using the private key of the requester;
所述接入鉴别响应分组包括: ACCRES字段、 χ·Ρ字段、 P字段、 IDAAC字段、 IDREQ字段、 SIGAAC字段或 MIC1字段; 其中, ACCRES字段: 表示接入结果, 是 鉴别访问控制器 AAC根据鉴别结果设定的接入成功或失败以及失败的原因; x P: 表示请求者 REQ的密钥数据, 其值同接入鉴别请求分组中 χ·Ρ字段的值; y P: 表示鉴别访问控制器 AAC的密钥数据, 是鉴别访问控制器 AAC生成的用 于 ECDH交换的临时公钥; IDAAC字段: 表示鉴别访问控制器 AAC的身份标识 ID , 是根据鉴别访问控制器 AAC的证书 CertAAc字段得到; IDREQ字段: 表示请 求者 REQ的身份标识 ID , 根据收到的接入鉴别请求分组中请求者 REQ的证书 CertREQ字段得到; SIGAAC字段: 表示鉴别访问控制器 AAC的签名, 是鉴别访问 控制器 AAC利用自己的私钥对本分组中除本字段之外所有字段的签名; MIC1 字段:表示消息鉴别码,是鉴别访问控制器 AAC利用鉴别过程中协商生成的基 密钥 BK对接入鉴别响应分组中除了本字段外的所有字段计算得到的杂凑值。  The access authentication response packet includes: an ACCRES field, a χ·Ρ field, a P field, an IDAAC field, an IDREQ field, a SIGAAC field, or an MIC1 field; wherein, the ACCRES field: indicates an access result, and is an authentication access controller AAC according to the authentication. The result indicates the success or failure of the access and the reason for the failure; x P: the key data representing the requester REQ, the value of which is the same as the value of the χ·Ρ field in the access authentication request packet; y P: indicates the authentication access controller The key data of the AAC is a temporary public key generated by the access controller AAC for ECDH exchange; IDAAC field: indicates the identity ID of the authentication access controller AAC, which is obtained according to the certificate CertAAc field of the authentication access controller AAC; IDREQ field: indicates the identity ID of the requester REQ, which is obtained according to the certificate CertREQ field of the requester REQ in the received access authentication request packet; SIGAAC field: indicates the signature of the authentication access controller AAC, which is used by the authentication access controller AAC. The signature of all the fields except this field in the own private key; MIC1 field: indicates the message Code, the AAC is negotiated during authentication generated using the base key BK for access authentication hash value calculated for all fields in addition to this packet field response.
所述基于公钥证书的身份鉴别系统还包括: 鉴别服务器 AS , 鉴别服务器 AS分别和请求者 REQ、 鉴别访问控制器 AAC链接; 请求者 REQ和鉴别访问控 制器 AAC通过鉴别服务器 AS进行鉴别。  The public key certificate based identity authentication system further includes: an authentication server AS, an authentication server AS and a requester REQ, an authentication access controller AAC link; a requester REQ and an authentication access controller AAC for authentication by the authentication server AS.
所述接入鉴别响应分组中的 MIC 1字段优选是由鉴别访问控制器 AAC利用 鉴别过程中协商生成的基密钥 BK对接入鉴别响应分组中除了本字段外的所有 字段及下一次证书鉴别过程的鉴别标识计算得到的杂凑值。  The MIC 1 field in the access authentication response packet is preferably all the fields except the current field and the next certificate authentication in the access authentication response packet by the authentication access controller AAC using the base key BK negotiated in the authentication process. The process's authentication identifies the calculated hash value.
本发明提供的一种有线局域网中用户接入网络时基于三元对等鉴别 TePA 机制的身份鉴别方法, 可实现用户与网络之间的双向(单向)鉴别、 快速更新 认证、支持多证书等功能,用以保障数据的机密性、完整性、 源鉴别及防重放, 其中鉴别过程基于公钥证书进行。 The invention provides a wired local area network in which a user accesses a network based on ternary peer-to-peer identification of TePA The mechanism identification method can realize two-way (one-way) authentication, fast update authentication, and support for multiple certificates between the user and the network, so as to ensure confidentiality, integrity, source identification and anti-replay of data. The authentication process is based on a public key certificate.
附图说明 DRAWINGS
图 1为本发明所述方法的鉴别过程示意图。  Figure 1 is a schematic illustration of the authentication process of the method of the present invention.
具体实施方式 detailed description
参见图 1 ,请求者 REQ和鉴别访问控制器 AAC事先获得认证服务器 AS颁发 的公钥证书, 代表自己的身份, 其中公钥证书釆用 X.509证书格式。 当请求者 REQ需要访问网络时,执行本发明提供的一种身份鉴别方法, 以实现安全的访 问控制。 该方法包括:  Referring to Figure 1, the requester REQ and the authentication access controller AAC obtain the public key certificate issued by the authentication server AS in advance, representing their own identity, and the public key certificate is in the X.509 certificate format. When the requester REQ needs to access the network, an identity authentication method provided by the present invention is implemented to implement secure access control. The method includes:
1 )鉴别激活: 鉴别访问控制器 AAC向请求者 REQ发送鉴别激活分组以激 活请求者 REQ进行证书鉴别过程。 鉴别激活分组的主要内容包括:
Figure imgf000011_0001
其中: 1) Authentication Activation: The authentication access controller AAC sends an authentication activation packet to the requester REQ to activate the requester REQ for the certificate authentication process. The main contents of the authentication activation packet include:
Figure imgf000011_0001
among them:
SNonce字段: 表示鉴别标识, 若为首次身份鉴别, 则该字段为由鉴别访 问控制器 AAC产生的随机数; 若为更新的身份鉴别过程,则该字段的值是上一 次身份鉴别过程中协商生成的鉴别标识值。  SNonce field: indicates the authentication identifier. If it is the first identity authentication, the field is the random number generated by the authentication access controller AAC. If it is the updated identity authentication process, the value of the field is negotiated during the last identity authentication process. The identification value of the identification.
IDAS_AAC字段:表示鉴别访问控制器 AAC所信任的鉴别服务器 AS的身份标 识 ID ( identity ), 是鉴别访问控制器 AAC证书 CertAAc的颁发者鉴别服务器 AS 的身份标识 ID。 ID AS _AAC field: represents the AAC trusted authentication server AS identity ID (identity), is the AAC CertAAc certificate issued by the authentication server AS identity ID.
CertAAc字段: 表示鉴别访问控制器 AAC的证书。  CertAAc field: Indicates the certificate that authenticates the access controller AAC.
ParaECDH字段:表示椭圓曲线密码体制的椭圓曲线密码参数,是请求者 REQ 和鉴别访问控制器 AAC进行椭圓曲线 Diffie-Hellman (ECDH) 密钥协商计算 时釆用的椭圓曲线密码参数; Para ECDH field: Elliptic curve cryptographic parameter representing the elliptic curve cryptosystem, which is the elliptic curve cryptographic parameter used by the requester REQ and the authentication access controller AAC for elliptic curve Diffie-Hellman (ECDH) key negotiation calculation. ;
TIEAAC字段:表示鉴别访问控制器 AAC所支持的鉴别和密钥管理套件及密 码套件。 本字段为可选字段。  TIEAAC field: Indicates the authentication and key management suite and password suite supported by the Authentication Access Controller AAC. This field is optional.
SIGAAC字段: 表示鉴别访问控制器 AAC的签名, 是鉴别访问控制器 AAC 字段。 SIGAAC field: indicates the signature of the authentication access controller AAC, which is the authentication access controller AAC. Field.
2 )接入鉴别请求: 请求者 REQ收到鉴别激活分组后, 进行如下处理: 2.1 )如果此次鉴别过程为身份鉴别的更新过程, 则请求者 REQ检查鉴别 激活分组中的鉴别标识字段与上一次身份鉴别过程中计算的鉴别标识是否一 致, 如果不一致, 则丟弃该分组, 否则执行 2.2 ); 如果此次鉴别过程为首次身 份鉴别过程, 则直接执行 2.2 );  2) Access authentication request: After the requester REQ receives the authentication activation packet, the following processing is performed: 2.1) If the authentication process is the identity authentication update process, the requester REQ checks the authentication identification field in the authentication activation packet and Whether the authentication identifiers calculated in one identity authentication process are consistent, if not, discard the packets, otherwise perform 2.2); if the authentication process is the first identity authentication process, directly execute 2.2);
2.2 )如果收到的鉴别激活分组中包含 SIGAAC字段, 则验证 SIGAAC字段的 正确性, 如果不正确则丟弃该分组, 否则执行 2.3 ); 如果收到的鉴别激活分组 中未包含 SIGAAC字段, 则直接执行 2.3 );  2.2) If the received authentication activation packet contains a SIGAAC field, verify the correctness of the SIGAAC field, discard the packet if it is incorrect, otherwise perform 2.3); if the received authentication activation packet does not contain the SIGAAC field, then Direct execution 2.3);
2.3 )根据鉴别激活分组中的 IDAS^AC 字段选择由该鉴别服务器 AS颁发的 请求者 REQ证书 CertREQ或者根据本地策略选择请求者 REQ证书 CertREQ ,并产生 用于 ECDH交换的请求者 REQ密钥数据 χ·Ρ和请求者 REQ询问 NREQ,生成接入鉴 别请求分组, 发送给鉴别访问控制器 AAC。 2.3) selecting the requester REQ certificate CertREQ issued by the authentication server AS according to the IDAS^AC field in the authentication activation packet or selecting the requester REQ certificate CertRE Q according to the local policy, and generating requester REQ key data for ECDH exchange The 请求·Ρ and the requester REQ interrogate the NREQ, generate an access authentication request packet, and send it to the authentication access controller AAC.
接入鉴别请求分组主要内容包括:
Figure imgf000012_0002
The main contents of the access authentication request packet include:
Figure imgf000012_0002
Figure imgf000012_0001
Figure imgf000012_0001
SNonce字段: 表示鉴别标识, 其值同鉴别激活分组中的 SNonce字段值。 若为首次身份鉴别过程, 则该字段值直接取决于鉴别激活分组中的 SNonce字 段值; 若为更新的身份鉴别过程, 则该字段值为上一次身份鉴别过程中计算的 鉴别标识值。  SNonce field: Indicates the authentication identifier whose value is the same as the value of the SNonce field in the authentication activation packet. If it is the first identity authentication process, the value of the field directly depends on the SNonce field value in the authentication activation packet; if it is an updated identity authentication process, the field value is the value of the authentication identifier calculated in the last identity authentication process.
NREQ字段: 表示请求者 REQ询问, 是请求者 REQ产生的随机数。 χ·Ρ字段: 表示请求者 REQ的密钥数据, 是请求者 REQ生成的用于 ECDH 交换的临时公钥。  NREQ field: Indicates the requester REQ query, which is the random number generated by the requester REQ. χ·Ρ field: Indicates the key data of the requester REQ, which is the temporary public key generated by the requester REQ for ECDH exchange.
IDAAC字段: 表示鉴别访问控制器 AAC的身份标识 ID , 根据鉴别激活分组 中鉴别访问控制器 AAC的证书 CertAAc字段得到。  IDAAC field: Indicates the identity ID of the authentication access controller AAC, which is obtained according to the certificate CertAAc field of the authentication access controller AAC in the authentication activation packet.
CertREQ字段: 表示请求者 REQ的证书。  CertREQ field: A certificate representing the requester REQ.
ParaECDH字段:表示椭圓曲线密码体制的椭圓曲线密码参数,是请求者 REQ 和鉴别访问控制器 AAC进行椭圓曲线 Diffie-Hellman (ECDH) 密钥协商计算 时釆用的椭圓曲线密码参数; 其值同鉴别激活分组中的 ParaECDH字段值。 TIEREQ字段: 表示请求者 REQ选择的鉴别和密钥管理套件及密码套件。 本 字段为可选字段。 Para ECDH field: Elliptic curve cryptographic parameter representing the elliptic curve cryptosystem, which is the elliptic curve cryptographic parameter used by the requester REQ and the authentication access controller AAC for elliptic curve Diffie-Hellman (ECDH) key negotiation calculation. The value is the same as the value of the Para ECDH field in the authentication activation packet. TIEREQ field: An authentication and key management suite and cipher suite that represents the requester's REQ selection. This field is optional.
ListAS_REQ字段: 表示请求者 REQ所信任的鉴别服务器 AS列表, 但不包含 请求者 REQ的证书 CertREQ的颁发者。 若请求者 REQ除了信任其证书颁发者以 外,还信任其他的某些实体, 可以通过本字段通知鉴别服务器 AAC。 本字段为 可选字段。 List AS _REQ field: Indicates the list of authentication server ASs trusted by the requester REQ, but does not include the issuer of the certificate CertREQ of the requester REQ. If the requester REQ trusts other certificate entities in addition to other certificate entities, the authentication server AAC can be notified through this field. This field is optional.
SigREQ字段: 表示请求者 REQ的签名, 是请求者 REQ利用自己的私钥对本 分组中除本字段之外所有字段进行的签名。  SigREQ field: Represents the signature of the requester REQ, which is the signature of the requester REQ with its own private key for all fields in this group except this field.
3 )证书鉴别请求: 鉴别访问控制器 AAC收到接入鉴别请求分组后, 进行 如下处理:  3) Certificate authentication request: Authentication access controller After receiving the access authentication request packet, AAC performs the following processing:
3.1 )如果鉴别访问控制器 AAC发送了鉴别激活分组, 则检查收到的接入 鉴别请求分组中的 SNonce、 ParaECDH字段值和鉴别激活分组中对应的字段值是 否一致, 如果有一个不一致, 则丟弃该分组, 否则执行 3.2 ); 如果鉴别访问控 制器 AAC没有发送鉴别激活分组, 则检查 SNonce字段值和上一次证书鉴别过 程中计算的鉴别标识是否一致, 并检查 ParaECDH字段和上一次鉴别激活分组中 的 ParaECDH是否一致, 如果有一个不一致, 则丟弃该分组, 否则执行 3.2 ); 3.1) If the authentication access controller AAC sends the authentication activation packet, it checks whether the SNonce, Para ECDH field value and the corresponding field value in the authentication activation packet in the received access authentication request packet are consistent, if there is an inconsistency, Discard the packet, otherwise perform 3.2); if the authentication access controller AAC does not send the authentication activation packet, check whether the SNonce field value is consistent with the authentication identifier calculated in the last certificate authentication process, and check the Para ECDH field and the last authentication. Whether the Para ECDH in the activation group is consistent. If there is an inconsistency, discard the packet, otherwise perform 3.2);
3.2 )检查 IDAAC与自己的身份是否一致, 如果不一致, 则丟弃该分组, 否 则执行 3.3 );  3.2) Check if the IDAAC is consistent with its own identity. If it is inconsistent, discard the packet, otherwise execute 3.3);
3.3 )验证请求者 REQ的签名 SigREQ字段的正确性, 如果不正确, 则执行丟 弃该分组; 如果正确, 则执行 3.4);  3.3) Verify the requester REQ's signature SigREQ field is correct, if it is not correct, then execute the discarding of the packet; if it is correct, execute 3.4);
3. 4 )如果鉴别访问控制器 AAC的本地策略要求使用鉴别服务器 AS来鉴别 请求者 REQ的证书 CertREQ , 则鉴别访问控制器 AAC生成证书鉴别请求分组, 发送给鉴别服务器 AS; 否则执行 3.5 );  3. 4) If the local policy of the authentication access controller AAC requires the authentication server AS to authenticate the certificate CertREQ of the requester REQ, the authentication access controller AAC generates a certificate authentication request packet, which is sent to the authentication server AS; otherwise, 3.5);
3.5 )鉴别访问控制器 AAC本地鉴别请求者 REQ的证书 CertREQ , 即根据本 地緩存的请求者 REQ的证书 CertREQ的验证结果及本地策略所定义的时效性确 认请求者 REQ的证书 CertREQ的验证结果。 若合法, 则本地生成用于 ECDH交换 的临时公钥 P以及 AAC询问 NAAC , 并根据请求者 REQ的临时公钥 χ·Ρ以及自己 的临时私钥 y进行 ECDH计算得到基密钥 ΒΚ以及下一次身份鉴别过程的鉴别标 识, 然后设定接入结果为成功, 构造接入鉴别响应分组发送给请求者 REQ, 并 允许用户访问网络; 若 CertREQ的验证结果为不合法, 则鉴别访问控制器 AAC 设定接入结果为不成功, 鉴别访问控制器 AAC的询问 NAAC和临时公钥 P可设 置为任意值, 构造接入鉴别响应分组发送给请求者 REQ。 3.5) The certificate CertREQ of the access controller AAC local authentication requester REQ is authenticated, that is, the verification result of the certificate CertREQ of the requester REQ is confirmed according to the verification result of the certificate CertREQ of the locally cached requester REQ and the time validity defined by the local policy. If it is legal, the temporary public key P for the ECDH exchange is generated locally, and the AAC queries the NAAC, and the base key is calculated according to the temporary public key χ·Ρ of the requester REQ and the temporary private key y of the requester, and the next time The authentication identifier of the identity authentication process, and then setting the access result to be successful, constructing the access authentication response packet to be sent to the requester REQ, and Allowing the user to access the network; if the authentication result of CertREQ is invalid, the authentication access controller AAC sets the access result to be unsuccessful, and the authentication access controller AAC query NAAC and temporary public key P can be set to any value, The incoming authentication response packet is sent to the requester REQ.
证书鉴别请求分组主要内容包括:
Figure imgf000014_0001
The main contents of the certificate authentication request packet include:
Figure imgf000014_0001
其中:  among them:
NAAC字段: 表示鉴别访问控制器 AAC询问, 是鉴别访问控制器 AAC产生 的随机数。  NAAC field: Indicates the authentication access controller AAC query, which is the random number generated by the authentication access controller AAC.
NREQ字段: 表示请求者 REQ询问,其值同接入鉴别请求分组中 NREQ字段的 值。  NREQ field: Indicates the requester REQ inquiry whose value is the same as the value of the NREQ field in the access authentication request packet.
CertREQ字段: 表示请求者 REQ的证书, 其值同接入鉴别请求分组中 CertREQ 字段的值。  CertREQ field: A certificate representing the requester REQ whose value is the same as the value of the CertREQ field in the access authentication request packet.
CertAAc字段: 表示鉴别访问控制器 AAC的证书, 其值同鉴别激活分组中 CertAAc字段的值。  CertAAc field: A certificate representing the authentication access controller AAC, the value of which is the same as the value of the CertAAc field in the authentication activation packet.
ListAS_REQ字段: 表示请求者 REQ信任的鉴别服务器 AS列表, 其值同接入 鉴别请求分组中 ListAS_REQ字段的值。 本字段为可选字段。 List AS _REQ fields: a list of AS indicates the REQ trusted authentication server, which is the same value in the access authentication request packet List AS _REQ field. This field is optional.
4 )证书鉴别响应: 鉴别服务器 AS收到证书鉴别请求分组后, 进行如下处 理:  4) Certificate authentication response: After the authentication server receives the certificate authentication request packet, the AS performs the following processing:
4.1 ) 如果此次鉴别过程为单向鉴别, 则只需验证请求者 REQ的证书 CertREQ , 如果是双向鉴别则需要同时验证鉴别访问控制器 AAC的证书 CertAAc 和请求者 REQ的证书 CertREQ , 然后执行 4.2 );  4.1) If the authentication process is one-way authentication, only the certificate CertREQ of the requester REQ is verified. If it is a two-way authentication, it is necessary to simultaneously verify the certificate CertAAc of the access controller AAC and the certificate CertREQ of the requester REQ, and then execute 4.2. );
4.2 )根据证书的验证结果, 构造证书鉴别响应分组, 并且附加相应的签 名, 发往鉴别访问控制器 AAC。  4.2) According to the verification result of the certificate, a certificate authentication response packet is constructed, and the corresponding signature is attached to the authentication access controller AAC.
证书鉴别响应分组主要内容包括:  The main contents of the certificate authentication response packet include:
RES Cert SIG AS-REQ SIG AS-AAC  RES Cert SIG AS-REQ SIG AS-AAC
其中:  among them:
RESCert字段:表示证书的验证结果,本字段包括鉴别访问控制器 AAC询问 值 NAAC、 请求者 REQ询问值 NREQ、 CertAAc的验证结果以及 CertREQ的验证结果。 如果只是单向验证则不包括 CertAAc的验证结果。 SIGAS_REQ字段: 表示请求者 REQ信任的鉴别服务器 AS对本分组中证书的 验证结果 RESCERT字段的签名。 RES Cert field: indicates the verification result of the certificate. This field includes the authentication access controller AAC query value NAAC, the requester REQ query value NREQ, the verification result of CertAAc, and the verification result of CertREQ. If only one-way verification is performed, the verification result of CertAAc is not included. SIG AS _REQ field: A signature indicating the authentication result RES CERT field of the certificate in the packet by the authentication server AS trusted by the requester REQ.
SIGAS_AAC字段: 表示鉴别访问控制器 AAC信任的鉴别服务器 AS对本分组 中除本字段之外所有字段的签名。本字段为可选字段。如果对证书验证结果进 行签名的鉴别服务器 AS和鉴别访问控制器 AAC信任的鉴别服务器 AS相同, 则 不需要本字段。 SIG AS _AAC field: Indicates that the authentication server AS that authenticates the access controller AAC trusts all the fields in this packet except this field. This field is optional. This field is not required if the authentication server AS that signed the certificate verification result is the same as the authentication server AS that the authentication access controller AAC trusts.
5 )接入鉴别响应: 鉴别访问控制器 AAC收到证书鉴别响应分组后, 进行 如下处理:  5) Access authentication response: Authentication access controller After receiving the certificate authentication response packet, AAC performs the following processing:
5. 1 )检查证书的验证结果 RESCERT字段中的鉴别访问控制器 AAC的询问 NAAC与证书鉴别请求分组中的 NAAC字段值是否相同, 若不同, 则丟弃该分组, 否则执行 5.2 ); 5. 1) Checking the verification result of the certificate The authentication access controller AAC in the RES CERT field queries whether the NAAC and the NAAC field value in the certificate authentication request packet are the same. If not, the packet is discarded, otherwise 5.2);
5.2 )如果分组中含有两个签名字段, 则检查鉴别访问控制器 AAC所信任 的鉴别服务器 AS的签名 SIGAS_AAC字段是否正确, 若不正确, 则丟弃该分组, 否则执行 5.3 ); 如果分组中只含有一个签名字段, 即表明对证书验证结果进行 签名的鉴别服务器 AS也是鉴别访问控制器 AAC所信任的鉴别服务器 AS , 则检 查 SIGAS_REQ字段是否正确, 若不正确, 则丟弃该分组, 否则执行 5.3 ); 5.2) If the packet contains two signature field, check the AAC trusted authentication server AS signature SIG AS _AAC field is correct, if not correct, the packet is discarded, otherwise 5.3); if a packet containing only a signature field, i.e., the certificate verification result indicates that the authentication server aS signed is the AAC trusted authentication server aS, SIG aS _REQ check field is correct, if correct, the packet is discarded Otherwise, 5.3);
5.3 )检查证书的验证结果 RESCERT字段中 CertREQ的验证结果是否合法, 若 合法, 则本地生成用于 ECDH交换的临时公钥 P, 并根据请求者 REQ的临时公 钥 x.P以及自己的临时私钥 y进行 ECDH计算得到基密钥 BK以及下一次身份鉴 别过程的鉴别标识, 然后设定接入结果为成功,构造接入鉴别响应分组发送给 请求者 REQ , 并允许用户访问网络; 若 CertREQ的验证结果为不合法, 则鉴别访 问控制器 AAC设定接入结果为不成功, 鉴别访问控制器 AAC的询问 NAAC和临 时公钥 P可设置为任意值, 构造接入鉴别响应分组发送给请求者 REQ。 5.3) Checking the verification result of the certificate The validity of the CertREQ verification result in the RES CERT field is legal. If it is legal, the temporary public key P for ECDH exchange is generated locally, and the temporary public key xP of the requester REQ and its own temporary private key are generated. y performing ECDH calculation to obtain the base key BK and the identification identifier of the next identity authentication process, and then setting the access result to be successful, constructing the access authentication response packet to be sent to the requester REQ, and allowing the user to access the network; if the CertREQ is verified If the result is illegal, the authentication access controller AAC sets the access result to be unsuccessful, and the authentication NAAC and the temporary public key P of the authentication access controller AAC can be set to an arbitrary value, and the configuration access authentication response packet is sent to the requester REQ. .
接入鉴别响应分组主要内容包括:
Figure imgf000015_0001
The main contents of the access authentication response packet include:
Figure imgf000015_0001
其中:  among them:
NREQ字段: 表示请求者 REQ询问, 是请求者 REQ产生的随机数。 仅为单向 鉴别过程时, 接入鉴别响应分组需包含此字段。 若存在, 其值同请求者 REQ 发送的接入鉴别请求分组中 NREQ字段的值。 NAAC字段: 表示鉴别访问控制器 AAC的询问, 是鉴别访问控制器 AAC产 生的随机数。仅为单向鉴别过程时,接入鉴别响应分组需包含此字段。若存在, 其值同鉴别访问控制器 AAC发送的证书鉴别请求分组中 NAAC字段的值。 NREQ field: Indicates the requester REQ inquiry, which is the random number generated by the requester REQ. When only the one-way authentication process is used, the access authentication response packet needs to include this field. If present, its value is the same as the value of the NRE Q field in the Access Authentication Request packet sent by the requester REQ. NAAC field: A query indicating the authentication access controller AAC, which is a random number generated by the authentication access controller AAC. When only the one-way authentication process is used, the access authentication response packet needs to include this field. If present, its value is the same as the value of the NAAC field in the certificate authentication request packet sent by the authentication access controller AAC.
ACCRES字段: 表示接入结果, 是鉴别访问控制器 AAC根据鉴别结果设定的 接入成功或失败以及失败的原因。  ACCRES field: Indicates the access result, which is the reason why the access controller AAC sets the success or failure of the access according to the authentication result and the failure.
x P: 表示请求者 REQ的密钥数据, 其值同接入鉴别请求分组中 χ·Ρ字段的 值。  x P: Key data representing the requester REQ, the value of which is the same as the value of the χ·Ρ field in the access authentication request packet.
y P: 表示鉴别访问控制器 AAC的密钥数据, 是鉴别访问控制器 AAC生成 的用于 ECDH交换的临时公钥。  y P: indicates the key data of the authentication access controller AAC, which is the temporary public key generated by the access controller AAC for ECDH exchange.
IDAAC字段: 表示鉴别访问控制器 AAC的身份标识 ID , 是根据鉴别访问控 制器 AAC的证书 CertAAc字段得到。  IDAAC field: Indicates the identity ID of the authentication access controller AAC, which is obtained according to the certificate CertAAc field of the authentication access controller AAC.
IDREQ字段: 表示请求者 REQ的身份标识 ID , 根据收到的接入鉴别请求分 组中请求者 REQ的证书 CertREQ字段得到。  IDREQ field: Indicates the identity ID of the requester REQ, which is obtained according to the certificate CertREQ field of the requester REQ in the received access authentication request packet.
MRESCERT字段: 表示复合的证书验证结果。 仅为双向鉴别过程时, 在接入 鉴别响应分组中需包含此字段。 若存在, 则该字段由证书鉴别响应分组中的各 个字段组成, 并且值相同。 MRES CERT field: Indicates the result of the certificate verification of the composite. This field is required in the access authentication response packet only for the two-way authentication process. If present, this field consists of the fields in the certificate authentication response packet and has the same value.
SIGAAC字段: 表示鉴别访问控制器 AAC的签名, 是鉴别访问控制器 AAC  SIGAAC field: indicates the signature of the authentication access controller AAC, which is the authentication access controller AAC
MIC 1字段: 表示消息鉴别码, 是鉴别访问控制器 AAC利用鉴别过程中协 商生成的基密钥 BK对接入鉴别响应分组中除了本字段外的所有字段及下一次 证书鉴别过程的鉴别标识计算得到的杂凑值。 MIC 1 field: indicates the message authentication code, which is the authentication key calculation by the access controller AAC using the base key BK negotiated in the authentication process to identify all the fields except the field and the next certificate authentication process in the access authentication response packet. The hash value obtained.
注:接入鉴别响应分组只需要包含 SIGAAC字段和 MIC 1字段二者之一即可。 如果在此次身份鉴别过程中存在鉴别激活分组, 且鉴别激活分组包含 SIGAAC 字段, 则此分组中只包含 MIC 1字段; 如果此次身份鉴别过程不存在鉴别激活 分组或者鉴别激活分组中没有包含 SIGAAC字段, 则此分组中只包含 SIGAAC字 段。  Note: The access authentication response packet only needs to contain either the SIGAAC field and the MIC 1 field. If there is an authentication activation packet in the identity authentication process, and the authentication activation packet includes a SIGAAC field, then only the MIC 1 field is included in the packet; if the authentication authentication packet does not exist in the identity authentication process or the SIGAAC is not included in the authentication activation packet Field, then only the SIGAAC field is included in this group.
6 )接入鉴别确认: 请求者 REQ收到接入鉴别响应分组后, 进行如下处理: 6.1 )根据分组中的 IDAAC和 IDREQ字段判断是否为对应当前接入鉴别请求分 组的接入鉴别响应分组, 如果不是, 则丟弃该分组, 否则执行 6.2 ); 6.2) 比较分组中请求者 REQ密钥数据 χ·Ρ字段值与自己发送的接入鉴别请 求分组中的 χ·Ρ字段值是否一致, 若不一致, 则丟弃该分组, 否则执行 6.3 ); 6) Access authentication confirmation: After receiving the access authentication response packet, the requester REQ performs the following processing: 6.1) determining, according to the IDAAC and IDREQ fields in the packet, whether it is an access authentication response packet corresponding to the current access authentication request packet, If not, discard the packet, otherwise 6.2); 6.2) In the comparison packet, the requester REQ key data χ·Ρ field value is consistent with the value of the χ·Ρ field in the access authentication request packet sent by itself, and if not, the packet is discarded, otherwise 6.3);
6.3 )如果是单向鉴别过程, 则比较 NREQ字段值与之前发送的接入鉴别请 求分组中的 NREQ字段值是否一致, 若不一致, 则丟弃该分组, 否则执行 6.4); 如果是双向鉴别过程, 则直接执行 6.4);  6.3) If it is a one-way authentication process, compare whether the value of the NREQ field is consistent with the value of the NREQ field in the previously sent access authentication request packet, and if not, discard the packet, otherwise perform 6.4); if it is a two-way authentication process , directly execute 6.4);
6.4) 查看分组中的 ACCRES字段, 如果接入结果为不成功, 则得知不能访 问该网络; 否则执行 6.5 );  6.4) View the ACCRES field in the packet. If the access result is unsuccessful, it is known that the network cannot be accessed; otherwise, 6.5);
6.5 )如果收到的接入鉴别响应分组中含有 SIGAAC字段, 则验证 SIGAAC的 正确性, 如果不正确, 则丟弃该分组, 否则执行 6.6); 如果收到的分组中含有 MIC1字段, 则验证 MIC1字段的正确性, 如果不正确, 则丟弃分组, 否则执行 6.6);  6.5) If the received access authentication response packet contains the SIGAAC field, verify the correctness of the SIGAAC, if not, discard the packet, otherwise perform 6.6); if the received packet contains the MIC1 field, then verify The correctness of the MIC1 field, if not correct, discard the packet, otherwise perform 6.6);
6.6)如果是单向鉴别过程, 则执行 6.8 ); 否则验证复合的证书验证结果 6.6) If it is a one-way authentication process, execute 6.8); otherwise verify the composite certificate verification result
? 1^80^字段中所包含的 NREQ字段值与自己发送的接入鉴别请求分组中 NREQ 字段值是否一致,若不一致,则丟弃该分组,否则验证签名
Figure imgf000017_0001
, 如果不正确则丟弃该分组, 否则执行 6.7 ); The value of the NREQ field included in the 1^80^ field is the same as the value of the NREQ field in the access authentication request packet sent by itself. If not, the packet is discarded, otherwise the signature is verified.
Figure imgf000017_0001
, if not correct, discard the packet, otherwise perform 6.7);
6.7 )验证复合的证书验证结果 MRESCERT字段中鉴别访问控制器 AAC证书 验证结果是否为合法,如果不合法,则得知该网络不合法,不可以访问该网络; 否则得到该网络是合法的, 可以进行访问, 并执行 6.8); 6.7) Verifying the composite certificate verification result In the MRES CERT field, the authentication access controller AAC certificate verification result is legal. If it is not legal, it is known that the network is illegal and cannot access the network; otherwise, the network is legal. Can be accessed and executed 6.8);
6.8)请求者 REQ根据鉴别访问控制器 AAC的临时公钥 P和自己的临时私 钥 X进行 ECDH计算得到基密钥 BK以及下一次身份鉴别过程的鉴别标识;  6.8) Requester REQ performs ECDH calculation based on the temporary public key P of the authentication access controller AAC and its own temporary private key X to obtain the base key BK and the identification identifier of the next identity authentication process;
6.9)如果收到的接入鉴别响应分组中含有 MIC1字段, 则是否发送接入鉴 别确认分组是可选的; 如果收到的分组中含有 SIGAAC字段, 则需要构造接入鉴 别确认分组, 发送给鉴别访问控制器 AAC。  6.9) If the received access authentication response packet contains the MIC1 field, whether to send the access authentication acknowledgement packet is optional; if the received packet contains the SIGAAC field, the access authentication acknowledgement packet needs to be constructed and sent to The access controller AAC is authenticated.
接入鉴别确认分组主要内容包括:  The main contents of the access authentication confirmation packet include:
MIC2  MIC2
其中:  among them:
MIC2字段: 表示消息鉴别码, 是请求者 REQ利用鉴别过程中协商生成的 基密钥 BK对鉴别访问控制器 AAC询问值 NAAC、 请求者 REQ询问值 NREQ及下一 次证书鉴别过程的鉴别标识计算得到的杂凑值。 鉴别访问控制器 AAC在发送接入鉴别响应分组给请求者 REQ之后,如果发 送的接入鉴别响应分组中包含的是鉴别访问控制器 AAC的签名 SIGAAC字段,则 鉴别访问控制器 AAC需要等待接收接入鉴别确认分组。 MIC2 field: indicates the message authentication code, which is calculated by the requester REQ using the base key BK negotiated in the authentication process to identify the access controller AAC query value NAAC, the requester REQ query value NREQ, and the next certificate authentication process. The hash value. After the authentication access controller AAC sends the access authentication response packet to the requester REQ, if the sent access authentication response packet contains the signature SIGAAC field of the authentication access controller AAC, the authentication access controller AAC needs to wait for receiving. Enter the authentication confirmation packet.
鉴别访问控制器 AAC在收到请求者 REQ发送的接入鉴别确认分组之后 ,要 验证分组中 MIC2字段的正确性, 如果正确, 则意味着请求者 REQ具有和自己 一致的基密钥 BK; 否则, 丟弃该分组。  The authentication access controller AAC verifies the correctness of the MIC2 field in the packet after receiving the access authentication acknowledgement packet sent by the requester REQ. If it is correct, it means that the requester REQ has the base key BK consistent with itself; otherwise , discard the packet.
注: 本发明功能高度集中, 即可实现双向鉴别, 又可实现单向鉴别, 还支 持鉴别更新以及快速的鉴别更新。所谓快速的鉴别更新就是指在身份鉴别过程 中不需要鉴别服务器 AS的参与, 鉴别访问控制器 AAC与请求者 REQ之间直接 根据以前的身份鉴别过程中的证书验证结果进行签名验证;反映在分组中的内 容上, 就是身份鉴别过程不包含证书鉴别请求分组和证书鉴别响应分组,且接 入鉴别响应分组中不包含复合的证书验证结果字段;快速的鉴别过程只能用作 鉴别更新过程, 不能用作客户端与网络连接时的首次鉴别。  Note: The function of the present invention is highly concentrated, and two-way authentication can be realized, and one-way authentication can be realized, and authentication update and fast authentication update are also supported. The so-called fast authentication update means that the authentication server AS does not need to participate in the identity authentication process, and the authentication between the access controller AAC and the requester REQ is directly verified according to the certificate verification result in the previous identity authentication process; In the content, the identity authentication process does not include the certificate authentication request packet and the certificate authentication response packet, and the access authentication response packet does not include a composite certificate verification result field; the fast authentication process can only be used as the authentication update process, and cannot Used as the first authentication when the client is connected to the network.
本发明还提供一种基于公钥证书的身份鉴别系统, 包括请求者 REQ、鉴别 访问控制器 AAC以及鉴别服务器 AS , 鉴别服务器 AS分别和请求者 REQ、 鉴别 访问控制器 AAC链接; 请求者 REQ和鉴别访问控制器 AAC通过鉴别服务器 AS 进行鉴别。  The present invention also provides an identity authentication system based on a public key certificate, including a requester REQ, an authentication access controller AAC, and an authentication server AS, the authentication server AS and the requester REQ, the authentication access controller AAC link, respectively; the requester REQ and The authentication access controller AAC authenticates through the authentication server AS.

Claims

权 利 要 求 Rights request
1、 一种基于公钥证书的身份鉴别方法, 其特征在于: 该方法包括以下步 骤:  A public key certificate based authentication method, characterized in that: the method comprises the following steps:
1 )鉴别访问控制器 AAC向请求者 REQ发送鉴别激活分组; 所述鉴别激活 分组包括: SNonce、 IDAS-AAC、 CertAAc和 ParaECDH; 其中, SNonce字段: 表示 鉴别标识,若为首次身份鉴别,则该字段为由鉴别访问控制器 AAC产生的随机 数; 若为更新的身份鉴别过程, 则该字段的值是上一次身份鉴别过程中协商生 成的鉴别标识值; IDAS_AAC字段: 表示鉴别访问控制器 AAC所信任的鉴别服务 器 AS的身份标识 ID , 是鉴别访问控制器 AAC证书 CertAAc的颁发者鉴别服务器 AS的身份标识 ID; CertAAc字段: 表示鉴别访问控制器 AAC的证书; ParaECDH 字段: 表示椭圓曲线密码体制的椭圓曲线密码参数,是请求者 REQ和鉴别访问 控制器 AAC进行椭圓曲线 Diffie-Hellman密钥协商计算时釆用的椭圓曲线密 码参数; 1) The authentication access controller AAC sends an authentication activation packet to the requester REQ; the authentication activation packet includes: SNonce, ID AS-A AC, CertAAc, and Para ECDH ; wherein, SNonce field: indicates an authentication identifier, if it is the first identity authentication , the field discrimination by the random number generated by the AAC; if the authentication process is updated, the value of this field is the identification value of the primary differential process identity authentication negotiation generated; ID aS _AAC field: represents identification The identity ID of the authentication server AS trusted by the access controller AAC is the identity identifier ID of the issuer authentication server AS of the authentication access controller AAC certificate CertAAc; CertAAc field: the certificate representing the authentication access controller AAC; Para ECDH field: The elliptic curve cryptographic parameter representing the elliptic curve cryptosystem is an elliptic curve cryptographic parameter used by the requester REQ and the authentication access controller AAC for elliptic curve Diffie-Hellman key negotiation calculation;
2 )请求者 REQ收到鉴别激活分组后向鉴别访问控制器 AAC发送接入鉴别 请求分组; 所述接入鉴别请求分组包括: SNonce字段: 表示鉴别标识, 若为 首次身份鉴别过程, 则该字段值直接取决于鉴别激活分组中的 SNonce字段值; 若为更新的身份鉴别过程,则该字段值为上一次身份鉴别过程中计算的鉴别标 识值; χ·Ρ字段: 表示请求者 REQ的密钥数据, 是请求者 REQ生成的用于椭圓 曲线 Diffie-Hellman交换的临时公钥; IDAAC字段: 表示鉴别访问控制器 AAC 的身份标识 ID , 根据鉴别激活分组中鉴别访问控制器 AAC的证书 CertAAc字段 得到; CertREQ字段: 表示请求者 REQ的证书; ParaECDH字段: 表示椭圓曲线密 码体制的椭圓曲线密码参数,是请求者 REQ和鉴别访问控制器 AAC进行椭圓曲 线 Diffie-Hellman密钥协商计算时釆用的椭圓曲线密码参数, 其值同鉴别激活 分组中的 ParaECDH字段值; SigREQ字段: 表示请求者 REQ的签名, 是请求者 REQ 利用自己的私钥对接入鉴别请求分组中除本字段之外所有字段进行的签名;2) The requester REQ sends an access authentication request packet to the authentication access controller AAC after receiving the authentication activation packet; the access authentication request packet includes: SNonce field: indicates an authentication identifier, and if it is the first identity authentication process, the field The value directly depends on the SNonce field value in the authentication activation packet; if it is an updated identity authentication process, the field value is the authentication identity value calculated in the last identity authentication process; χ·Ρ field: the key representing the requester REQ Data, is a temporary public key generated by the requester REQ for elliptic curve Diffie-Hellman exchange; IDAAC field: indicates the identity ID of the authentication access controller AAC, and the certificate CertAAc field of the authentication access controller AAC according to the authentication activation packet Get; CertREQ field: certificate representing requester REQ; Para ECDH field: Elliptic curve cryptographic parameter indicating elliptic curve cryptosystem, requester REQ and authentication access controller AAC for elliptic curve Diffie-Hellman key negotiation calculation The elliptic curve cryptographic parameter used at the same time, the value of which is the same as the value of the Para ECDH field in the authentication activation group; gRE Q field: indicates the signature of the requester REQ, which is the signature of the requester REQ using all of the fields except the field in the access authentication request packet by using the private key of the requester;
5 )鉴别访问控制器 AAC生成用于椭圓曲线 Diffie-Hellman交换的临时公 钥 P , 并根据请求者 REQ的临时公钥 χ·Ρ以及自己的临时私钥 y进行椭圓曲线 Diffie-Hellman计算得到基密钥 BK, 然后设定接入结果为成功, 构造接入鉴别 响应分组发送给请求者 REQ , 并允许用户访问网络; 所述接入鉴别响应分组包 括: ACCRES字段、 χ·Ρ字段、 P字段、 IDAAC字段、 IDREQ字段、 SIGAAC字段或 MIC1字段; 其中, ACCRES字段: 表示接入结果, 是鉴别访问控制器 AAC根据 鉴别结果设定的接入成功或失败以及失败的原因; x.P: 表示请求者 REQ的密 钥数据, 其值同接入鉴别请求分组中 χ·Ρ字段的值; P: 表示鉴别访问控制器 AAC的密钥数据,是鉴别访问控制器 AAC生成的用于椭圓曲线 Diffie-Hellman 交换的临时公钥; IDAAC字段: 表示鉴别访问控制器 AAC的身份标识 ID, 是根 据鉴别访问控制器 AAC的证书 CertAAc字段得到; IDREQ字段: 表示请求者 REQ 的身份标识 ID ,根据收到的接入鉴别请求分组中请求者 REQ的证书 CertREQ字段 得到; SIGAAC字段: 表示鉴别访问控制器 AAC的签名,是鉴别访问控制器 AAC 消息鉴别码, 是鉴别访问控制器 AAC利用鉴别过程中协商生成的基密钥 BK对 接入鉴别响应分组中除了本字段外的所有字段计算得到的杂凑值。 5) The authentication access controller AAC generates a temporary public key P for elliptic curve Diffie-Hellman exchange, and performs elliptic curve Diffie-Hellman calculation according to the temporary public key χ·Ρ of the requester REQ and its own temporary private key y. Obtaining the base key BK, and then setting the access result to be successful, constructing the access authentication response packet to be sent to the requester REQ, and allowing the user to access the network; the access authentication response packet The ACCRES field, the χ·Ρ field, the P field, the IDAAC field, the IDREQ field, the SIGAAC field or the MIC1 field; wherein, the ACCRES field: indicates the access result, and the authentication access controller AAC sets the access success according to the authentication result. Or failure and the reason for the failure; xP: indicates the key data of the requester REQ, and its value is the same as the value of the χ·Ρ field in the access authentication request packet; P: indicates the key data of the authentication access controller AAC, which is the authentication access. The temporary public key generated by the controller AAC for elliptic curve Diffie-Hellman exchange; IDAAC field: indicates the identity ID of the authentication access controller AAC, which is obtained according to the certificate CertAAc field of the authentication access controller AAC; IDREQ field: indicates The identity ID of the requester REQ is obtained according to the certificate CertREQ field of the requester REQ in the received access authentication request packet; SIGAAC field: indicates the signature of the authentication access controller AAC, which is the authentication access controller AAC message authentication code, The authentication access controller AAC uses the base key BK negotiated in the authentication process to access the authentication response packet except the field. The hash value calculated for all fields.
2、 根据权利要求 1所述的基于公钥证书的身份鉴别方法, 其特征在于: 如 果鉴别访问控制器 AAC的本地策略要求使用鉴别服务器 AS来鉴别请求者 REQ 的证书 CertREQ , 则所述方法在步骤 2 )和步骤 5 )之间还包括:  2. The public key certificate based identity authentication method according to claim 1, wherein: if the local policy of the authentication access controller AAC requires the authentication server AS to authenticate the certificate CertREQ of the requester REQ, the method is Between step 2) and step 5) further includes:
3 )鉴别访问控制器 AAC向鉴别服务器 AS发送证书鉴别请求分组; 证书鉴 别请求分组包括: CertREQ字段: 表示请求者 REQ的证书, 其值同接入鉴别请求 分组中 CertREQ字段的值; CertAAc字段: 表示鉴别访问控制器 AAC的证书, 其 值同鉴别激活分组中 CertAAc字段的值;  3) The authentication access controller AAC sends a certificate authentication request packet to the authentication server AS; the certificate authentication request packet includes: CertREQ field: a certificate representing the requester REQ, the value of which is the same as the value of the CertREQ field in the access authentication request packet; CertAAc field: Representing the certificate of the authentication access controller AAC, the value of which is the same as the value of the CertAAc field in the authentication activation packet;
4 )鉴别服务器 AS收到证书鉴别请求分组后向鉴别访问控制器 AAC发送证 书鉴别响应分组;证书鉴别响应分组包括: RESCERT字段:表示证书的验证结果, 本字段包括鉴别访问控制器 AAC询问值 NAAC、请求者 REQ询问值 NREQ、 CertAAc 的验证结果以及 CertREQ的验证结果;
Figure imgf000020_0001
表示请求者 REQ信任的鉴 别服务器 AS对本分组中证书的验证结果 RESCERT字段的签名。 4) The authentication server AS sends a certificate authentication response packet to the authentication access controller AAC after receiving the certificate authentication request packet; the certificate authentication response packet includes: RES CERT field: indicates the verification result of the certificate, and the field includes the authentication access controller AAC query value. NAAC, requester REQ query value NRE Q , CertAAc verification result and CertREQ verification result;
Figure imgf000020_0001
The signature of the RES CERT field indicating the verification result of the certificate in the packet by the authentication server AS trusted by the requester REQ.
3、根据权利要求 1或 2所述的基于公钥证书的身份鉴别方法, 其特征在于: 所述步骤 1 ) 的具体实现方式是: 鉴别访问控制器 AAC向请求者 REQ发送鉴别 激活分组以激活请求者 REQ进行证书鉴别过程。  The public key certificate-based identity authentication method according to claim 1 or 2, wherein: the specific implementation manner of the step 1) is: the authentication access controller AAC sends an authentication activation packet to the requester REQ to activate The requester REQ performs a certificate authentication process.
4、 根据权利要求 3所述的基于公钥证书的身份鉴别方法, 其特征在于: 所 述步骤 2 ) 的具体实现方式是: 请求者 REQ收到鉴别激活分组后, 进行如下处 理: The public key certificate-based identity authentication method according to claim 3, wherein: the specific implementation manner of the step 2) is: after the requester REQ receives the authentication activation packet, the following is performed: Reason:
2.1 )如果此次鉴别过程为身份鉴别的更新过程, 则请求者 REQ检查鉴别 激活分组中的鉴别标识字段与上一次身份鉴别过程中计算的鉴别标识是否一 致, 如果不一致, 则丟弃该分组, 如果一致, 则执行 2.2 ); 如果此次鉴别过程 为首次身份鉴别过程, 则直接执行 2.2 );  2.1) If the authentication process is an update process of identity authentication, the requester REQ checks whether the authentication identifier field in the authentication activation packet is consistent with the authentication identifier calculated in the last identity authentication process, and if not, discards the packet. If they are consistent, execute 2.2); if the authentication process is the first identity authentication process, directly execute 2.2);
2.2 )如果收到的鉴别激活分组中还包括 SIGAAC字段, 则验证 SIGAAC字段 的正确性, 如果不正确则丟弃该分组, 如果正确, 则执行 2.3 ); 如果收到的鉴 别激活分组中未包含 SIGAAC字段, 则直接执行 2.3 ); 所述 SIGAAC字段: 表示鉴 别访问控制器 AAC的签名, 是鉴别访问控制器 AAC利用自己的私钥对本分组 中除本字段之外所有字段进行的签名;  2.2) If the received authentication activation packet further includes the SIGAAC field, verify the correctness of the SIGAAC field, discard the packet if it is incorrect, if it is correct, execute 2.3); if the received authentication activation packet does not contain The SIGAAC field is directly executed by 2.3); the SIGAAC field: indicates the signature of the authentication access controller AAC, and is the signature of the authentication access controller AAC to use all of the fields except the field in the packet by using the private key of the access controller;
2.3 )根据鉴别激活分组中的 IDAS^AC 字段选择由该鉴别服务器 AS颁发的 请求者 REQ证书 CertREQ或者根据本地策略选择请求者 REQ证书 CertREQ ,并产生 用于椭圓曲线 Diffie-Hellman密钥协商交换的请求者 REQ密钥数据 χ·Ρ和请求 者 REQ询问 NREQ, 生成接入鉴别请求分组, 发送给鉴别访问控制器 AAC。 2.3) Selecting the requester REQ certificate CertREQ issued by the authentication server AS according to the IDAS^AC field in the authentication activation packet or selecting the requester REQ certificate CertRE Q according to the local policy, and generating Diffie-Hellman key agreement for elliptic curve The exchanged requester REQ key data Ρ·Ρ and the requester REQ interrogate the NREQ, generate an access authentication request packet, and send it to the authentication access controller AAC.
5、 根据权利要求 4所述的基于公钥证书的身份鉴别方法, 其特征在于: 所 述步骤 3 )的具体实现方式是:鉴别访问控制器 AAC收到接入鉴别请求分组后, 进行如下处理:  The public key certificate-based identity authentication method according to claim 4, wherein: the specific implementation manner of the step 3) is: after the authentication access controller AAC receives the access authentication request packet, performing the following processing: :
3.1 )如果鉴别访问控制器 AAC发送了鉴别激活分组, 则检查收到的接入 鉴别请求分组中的 SNonce、 ParaECDH字段值和鉴别激活分组中对应的字段值是 否一致, 如果有一个不一致, 则丟弃该分组, 如果一致, 则执行 3.2 ); 如果鉴 别访问控制器 AAC没有发送鉴别激活分组, 则检查 SNonce字段值和上一次证 书鉴别过程中计算的鉴别标识是否一致, 并检查 ParaECDH字段和上一次鉴别激 活分组中的 ParaECDH是否一致, 如果有一个不一致, 则丟弃该分组, 如果一致, 则执行 3.2 ); 3.1) If the authentication access controller AAC sends the authentication activation packet, it checks whether the SNonce, Para ECDH field value and the corresponding field value in the authentication activation packet in the received access authentication request packet are consistent, if there is an inconsistency, Discard the packet, if it is consistent, perform 3.2); if the authentication access controller AAC does not send the authentication activation packet, check whether the SNonce field value is consistent with the authentication identifier calculated in the last certificate authentication process, and check the Para ECDH field and Whether the Para ECDH in the last authentication activation packet is consistent. If there is an inconsistency, discard the packet. If they are consistent, perform 3.2);
3.2 )检查 IDAAC与自己的身份是否一致, 如果不一致, 则丟弃该分组; 如 果一致则执行 3.3 );  3.2) Check if the IDAAC is consistent with its own identity. If it is inconsistent, discard the packet; if it is consistent, execute 3.3);
3.3 )验证请求者 REQ的签名 SigREQ字段的正确性, 如果正确, 则执行 3.4); 如果不正确, 则执行丟弃该分组;  3.3) Verify the requester REQ's signature The correctness of the SigREQ field, if correct, execute 3.4); if not, perform discarding the packet;
3.4 )如果鉴别访问控制器 AAC的本地策略要求使用鉴别服务器 AS来鉴别 请求者 REQ的证书 CertREQ , 则鉴别访问控制器 AAC生成证书鉴别请求分组, 发送给鉴别服务器 AS ; 否则执行 3.5 ); 3.4) If the local policy of the authentication access controller AAC requires the authentication server AS to be used for authentication Requester REQ's certificate CertREQ, then the authentication access controller AAC generates a certificate authentication request packet, and sends it to the authentication server AS; otherwise, it executes 3.5);
3.5 )鉴别访问控制器 AAC本地鉴别请求者 REQ的证书 CertREQ , 即根据本 地緩存的请求者 REQ的证书 CertREQ的验证结果及本地策略所定义的时效性确 认请求者 REQ的证书 CertREQ的验证结果, 若合法, 则本地生成用于椭圓曲线 Diffie-Hellman密钥协商交换的临时公钥 P, 并根据请求者 REQ的临时公钥 χ·Ρ 以及自己的临时私钥 y进行椭圓曲线 Diffie-Hellman密钥协商计算得到基密钥 BK, 然后设定接入结果为成功, 构造接入鉴别响应分组发送给请求者 REQ , 并允许用户访问网络;若 CertREQ的验证结果为不合法,则鉴别访问控制器 AAC 设定接入结果为不成功, 构造接入鉴别响应分组发送给请求者 REQ。  3.5) Authenticate the certificate CertREQ of the access controller AAC local authentication requester REQ, that is, the verification result of the certificate CertREQ of the requester REQ according to the verification result of the certificate CertREQ of the locally cached requester REQ and the time validity defined by the local policy, If it is legal, the temporary public key P for elliptic curve Diffie-Hellman key agreement exchange is generated locally, and the elliptic curve Diffie-Hellman is performed according to the temporary public key χ·Ρ of the requester REQ and its own temporary private key y. Key negotiation calculates the base key BK, then sets the access result to be successful, constructs the access authentication response packet to be sent to the requester REQ, and allows the user to access the network; if the CertREQ verification result is invalid, the authentication access controller The AAC sets the access result to be unsuccessful, and constructs an access authentication response packet to be sent to the requester REQ.
6、 根据权利要求 5所述的基于公钥证书的身份鉴别方法, 其特征在于: 所 述步骤 4 )的具体实现方式是: 鉴别服务器 AS收到证书鉴别请求分组后, 进行 如下处理:  The public key certificate-based identity authentication method according to claim 5, wherein: the specific implementation manner of the step 4) is: after the authentication server AS receives the certificate authentication request packet, the following processing is performed:
4. 1 )验证鉴别访问控制器 AAC的证书 CertAAc和请求者 REQ的证书 CertREQ , 然后执行 4.2 );  4. 1) Verify the authentication access controller AAC's certificate CertAAc and the requester REQ certificate CertREQ, and then execute 4.2);
4.2 )根据证书的验证结果, 构造证书鉴别响应分组, 并且附加相应的签 名, 发往鉴别访问控制器 AAC。  4.2) According to the verification result of the certificate, a certificate authentication response packet is constructed, and the corresponding signature is attached to the authentication access controller AAC.
7、 根据权利要求 6所述的基于公钥证书的身份鉴别方法, 其特征在于: 所 述步骤 5 )的具体实现方式是:鉴别访问控制器 AAC收到证书鉴别响应分组后, 进行如下处理:  The public key certificate-based identity authentication method according to claim 6, wherein: the specific implementation manner of the step 5) is: after the authentication access controller AAC receives the certificate authentication response packet, the following processing is performed:
5. 1 )如果接入鉴别请求分组包括 NREQ字段, 且证书鉴别请求分组还包括 NAAC字段和 NREQ字段, 则鉴别访问控制器 AAC检查证书的验证结果 RESCER 段中的鉴别访问控制器 AAC的询问 NAAC与证书鉴别请求分组中的 NAAC字段值 是否相同, 若不同, 丟弃该分组; 若相同则执行 5.2 ); 所述 NAAC字段: 表示鉴 别访问控制器 AAC询问, 是鉴别访问控制器 AAC产生的随机数; NREQ字段: 在证书鉴别请求分组中表示请求者 REQ询问,其值同接入鉴别请求分组中 NREQ 字段的值, 在接入鉴别请求分组中是请求者 REQ产生的随机数; 5. 1) If the access authentication request packet includes an NREQ field, and the certificate authentication request packet further includes a NAAC field and an NREQ field, the inquiry of the authentication access controller AAC in the verification result RES CER segment of the access controller AAC check certificate is authenticated. Whether the value of the NAAC field in the NAAC is the same as the value of the NAAC field in the certificate authentication request packet. If it is different, the packet is discarded. If the same, the 5.2) is performed; the NAAC field: indicates that the authentication access controller AAC query is generated by the authentication access controller AAC. a random number; NREQ field: indicates a requester REQ inquiry in a certificate authentication request packet, the value of which is the same as the value of the NREQ field in the access authentication request packet, and is a random number generated by the requester REQ in the access authentication request packet;
5.2 )如果证书鉴别响应分组还包括 SIGAS_AAC字段, 则检查鉴别访问控制 器 AAC所信任的鉴别服务器 AS的签名 SIGAS_AAC字段是否正确, 若不正确, 则 丟弃该分组, 若正确则执行 5.3 ); 如果分组中只含有一个签名
Figure imgf000023_0001
5.2) If the certificate authentication response packet also includes SIG AS _AAC field, check the AAC trusted authentication server AS signature SIG AS _AAC field is correct, if not correct, Discard the packet, if it is correct, execute 5.3); if the packet contains only one signature
Figure imgf000023_0001
段, 即表明对证书验证结果进行签名的鉴别服务器 AS也是鉴别访问控制器 AAC所信任的鉴别服务器 AS , 则检查 SIGAS_REQ字段是否正确, 若不正确, 则 丟弃该分组,若正确则执行 5.3 );所述 SIGAS^AC字段:表示鉴别访问控制器 AAC 信任的鉴别服务器 AS对本分组中除本字段之外所有字段的签名; Section, which indicates the results of the verification certificate to sign the authentication server AS is the AAC trusted authentication server AS, check SIG AS _REQ field is correct, if not correct, the packet is discarded, if the correct execution 5.3); the SIGAS^AC field: indicates that the authentication server AS trusted by the access controller AAC trusts all the fields in the packet except this field;
5.3 )检查证书的验证结果 RESCERT字段中 CertREQ的验证结果是否合法, 若 合法, 则本地生成用于椭圓曲线 Diffie-Hellman密钥协商交换的临时公钥 y-P, 并根据请求者 REQ的临时公钥 χ·Ρ以及自 己的临时私钥 y进行椭圓曲线 Diffie-Hellman密钥协商计算得到基密钥 BK, 然后设定接入结果为成功, 构造 接入鉴别响应分组发送给请求者 REQ , 并允许用户访问网络; 若 CertREQ的验证 结果为不合法,则鉴别访问控制器 AAC设定接入结果为不成功,构造接入鉴别 响应分组发送给请求者 REQ。 5.3) Checking the verification result of the certificate The validity of the CertREQ verification result in the RES CERT field is legal. If it is legal, the temporary public key yP for the elliptic curve Diffie-Hellman key agreement exchange is generated locally, and according to the temporary public of the requester REQ The key χ·Ρ and its own temporary private key y are subjected to elliptic curve Diffie-Hellman key negotiation to obtain the base key BK, and then the access result is set to be successful, and the constructing access authentication response packet is sent to the requester REQ, and The user is allowed to access the network; if the verification result of the CertREQ is invalid, the authentication access controller AAC sets the access result to be unsuccessful, and constructs the access authentication response packet to be sent to the requester REQ.
8、根据权利要求 1或 2所述的基于公钥证书的身份鉴别方法, 其特征在于: 若所述接入鉴别响应分组中包括 SIGAAC字段, 则所述方法在步骤 5 )之后 还包括:  The public key certificate-based identity authentication method according to claim 1 or 2, wherein: if the access authentication response packet includes a SIGAAC field, the method further includes: after step 5):
6 )请求者 REQ收到接入鉴别响应分组后向鉴别访问控制器 AAC发送接入 鉴别确认分组; 接入鉴别确认分组包括: MIC2字段: 表示消息鉴别码。  6) The requester REQ sends an access authentication acknowledgement packet to the authentication access controller AAC after receiving the access authentication response packet; the access authentication acknowledgement packet includes: MIC2 field: indicates a message authentication code.
9、 根据权利要求 8所述的基于公钥证书的身份鉴别方法, 其特征在于: 所 述步骤 6 ) 的具体实现方式是: 请求者 REQ收到接入鉴别响应分组后, 进行如 下处理:  The public key certificate-based identity authentication method according to claim 8, wherein the specific implementation manner of the step 6) is: after the requester REQ receives the access authentication response packet, the following processing is performed:
6.1 )根据分组中的 IDAAC和 IDREQ字段判断是否为对应当前接入鉴别请求分 组的接入鉴别响应分组, 如果不是, 则丟弃该分组; 如果是则执行 6.2 );  6.1) determining, according to the IDAAC and IDREQ fields in the packet, whether the packet is an access authentication response packet corresponding to the current access authentication request packet, and if not, discarding the packet; if yes, executing 6.2);
6.2 ) 比较分组中请求者 REQ临时公钥 χ·Ρ字段值与自己发送的接入鉴别请 求分组中的 χ·Ρ字段值是否一致, 若不一致, 则丟弃该分组; 否则执行 6.3 );  6.2) Comparing the requester in the packet The REQ temporary public key χ·Ρ field value is consistent with the value of the χ·Ρ field in the access authentication request packet sent by itself. If not, the packet is discarded; otherwise, 6.3);
6.3 ) 查看分组中的 ACCRES字段, 如果接入结果为不成功, 则得知不能访 问该网络; 如果接入结果为成功, 则执行 6.4 );  6.3) View the ACCRES field in the packet. If the access result is unsuccessful, it is known that the network cannot be accessed. If the access result is successful, execute 6.4);
6.4 )如果收到的接入鉴别响应分组中含有 SIGAAC字段, 则验证 SIGAAC的 正确性, 如果不正确, 则丟弃该分组; 如果正确则执行 6.5 ); 如果收到的分组 中含有 MIC 1字段, 则验证 MIC 1字段的正确性, 如果不正确, 则丟弃分组, 如 果正确则执行 6.5 ); 6.4) If the received access authentication response packet contains the SIGAAC field, verify the correctness of the SIGAAC, if not, discard the packet; if it is correct, execute 6.5); if the received packet contains the MIC 1 field , then verify the correctness of the MIC 1 field, if not correct, discard the packet, such as If it is correct, execute 6.5);
6.5 )验证复合的证书验证结果 MRESCER^段中所包含的 NREQ字段值与自己 发送的接入鉴别请求分组中 NREQ字段值是否一致, 若不一致, 则丟弃该分组; 如果一致则验证签名 SIGAS_REQ是否正确, 如果不正确则丟弃该分组, 如果正确 则执行 6.6 ); 6.5) Verifying the composite certificate verification result The NREQ field value included in the MRES CER ^ segment is consistent with the value of the NREQ field in the access authentication request packet sent by itself. If not, the packet is discarded; if it is consistent, the signature SIG is verified. Whether AS _REQ is correct, if not correct, discard the packet, if it is correct, execute 6.6);
6.6 )验证复合的证书验证结果 MRESCert字段中鉴别访问控制器 AAC证书 验证结果是否为合法,如果不合法,则得知该网络不合法,不可以访问该网络; 如果合法则得到该网络是合法的, 可以进行访问, 并执行 6.7 ); 6.6) Verifying the composite certificate verification result In the MRES Cert field, the authentication access controller AAC certificate verification result is legal. If it is not legal, the network is invalid and cannot access the network; if it is legal, the network is legal. , can be accessed, and executed 6.7);
6.7 )请求者 REQ根据鉴别访问控制器 AAC的临时公钥 P和自己的临时私 钥 X进行椭圓曲线 Diffie-Hellman计算得到基密钥 BK;  6.7) The requester REQ performs an elliptic curve based on the temporary public key P of the authentication access controller AAC and its own temporary private key X. The base key BK is obtained by Diffie-Hellman calculation;
6.8 )如果收到的分组中含有 SIGAAC字段, 则需要构造接入鉴别确认分组, 发送给鉴别访问控制器 AAC。  6.8) If the received packet contains the SIGAAC field, then an access authentication acknowledgement packet needs to be constructed and sent to the authentication access controller AAC.
10、 根据权利要求 8所述的基于公钥证书的身份鉴别方法, 其特征在于: 所述步骤 6 ) 中鉴别访问控制器 AAC在发送接入鉴别响应分组给请求者 REQ之 后, 如果发送的接入鉴别响应分组中包含的是鉴别访问控制器 AAC的签名 SIGAAC字段,则所述方法还包括:鉴别访问控制器 AAC等待接收接入鉴别确认 分组。  The public key certificate-based identity authentication method according to claim 8, wherein: in the step 6), after the authentication access controller AAC sends the access authentication response packet to the requester REQ, if the transmission is received Included in the incoming authentication response packet is the signature SIGAAC field of the authentication access controller AAC, the method further comprising: the authentication access controller AAC waiting to receive the access authentication acknowledgement packet.
11、 根据权利要求 8所述的基于公钥证书的身份鉴别方法, 其特征在于: 所述步骤 6 ) 中当鉴别访问控制器 AAC在收到请求者 REQ发送的接入鉴别确认 分组之后, 还包括: 验证分组中 MIC2字段的正确性, 如果正确, 则意味着请 求者 REQ具有和自己一致的基密钥 BK; 如果不正确, 则丟弃该分组。  The public key certificate-based identity authentication method according to claim 8, wherein: in the step 6), after the authentication access controller AAC receives the access authentication acknowledgement packet sent by the requester REQ, Including: Verifying the correctness of the MIC2 field in the packet, if correct, means that the requester REQ has a base key BK that is consistent with itself; if not, discarding the packet.
12、根据权利要求 1或 2所述的基于公钥证书的身份鉴别方法,其特征在于: 所述接入鉴别响应分组中的 MIC 1字段是由鉴别访问控制器 AAC利用鉴别 过程中协商生成的基密钥 BK对接入鉴别响应分组中除了本字段外的所有字段 及下一次证书鉴别过程的鉴别标识计算得到的杂凑值。  The public key certificate-based identity authentication method according to claim 1 or 2, wherein: the MIC 1 field in the access authentication response packet is generated by negotiation by the authentication access controller AAC during the authentication process. The base key BK calculates the hash value of all the fields except the present field in the access authentication response packet and the identification identifier of the next certificate authentication process.
13、 一种基于公钥证书的身份鉴别系统, 其特征在于: 所述基于公钥证书 的身份鉴别系统包括请求者 REQ、 鉴别访问控制器 AAC;  13. A public key certificate based identity authentication system, characterized in that: the public key certificate based identity authentication system comprises a requester REQ, an authentication access controller AAC;
所述鉴别访问控制器 AAC , 用于向请求者 REQ发送鉴别激活分组; 生成 用于椭圓曲线 Diffie-Hellman交换的临时公钥 y P ,并根据请求者 REQ的临时公 钥 χ·Ρ以及自己的临时私钥 y进行椭圓曲线 Diffie-Hellman计算得到基密钥 BK, 然后设定接入结果为成功,构造接入鉴别响应分组发送给请求者 REQ, 并允许 用户访问网络; The authentication access controller AAC is configured to send an authentication activation packet to the requester REQ; generate a temporary public key y P for elliptic curve Diffie-Hellman exchange, and according to the temporary public of the requester REQ Key χ·Ρ and its own temporary private key y perform elliptic curve Diffie-Hellman calculation to obtain the base key BK, and then set the access result to be successful, construct the access authentication response packet to be sent to the requester REQ, and allow the user to access The internet;
所述请求者 REQ, 用于在收到鉴别激活分组后向鉴别访问控制器 AAC发 送接入鉴别请求分组;  The requester REQ, configured to send an access authentication request packet to the authentication access controller AAC after receiving the authentication activation packet;
所述鉴别激活分组包括: SNonce、 IDAS^AC、 CertAAc和 ParaECDH; 其中, SNonce字段: 表示鉴别标识, 若为首次身份鉴别, 则该字段为由鉴别访问控 制器 AAC产生的随机数; 若为更新的身份鉴别过程,则该字段的值是上一次身 份鉴别过程中协商生成的鉴别标识值; IDAS^AC字段:表示鉴别访问控制器 AAC 所信任的鉴别服务器 AS的身份标识 ID, 是鉴别访问控制器 AAC证书 CertAAc的 颁发者鉴别服务器 AS的身份标识 ID; CertAAc字段: 表示鉴别访问控制器 AAC 的证书; ParaECDH字段: 表示椭圓曲线密码体制的椭圓曲线密码参数, 是请求 者 REQ和鉴别访问控制器 AAC进行椭圓曲线 Diffie-Hellman密钥协商计算时 釆用的椭圓曲线密码参数; The authentication activation packet includes: SNonce, ID AS ^AC, CertAAc, and Para ECDH ; wherein, the SNonce field: indicates an authentication identifier, and if it is the first identity authentication, the field is a random number generated by the authentication access controller AAC; For the updated identity authentication process, the value of the field is the authentication identifier value that is negotiated and generated during the last identity authentication process; ID AS ^A C field: indicates the identity ID of the authentication server AS trusted by the authentication access controller AAC. Is the identity authentication ID of the issuer authentication server AS that authenticates the access controller AAC certificate CertAAc; CertAAc field: indicates the certificate of the authentication access controller AAC; Para ECDH field: the elliptic curve cryptographic parameter indicating the elliptic curve cryptosystem, is the request Elliptic curve cryptographic parameters used by the REQ and the authentication access controller AAC for elliptic curve Diffie-Hellman key agreement calculation;
所述接入鉴别请求分组包括: SNonce字段: 表示鉴别标识, 若为首次身 份鉴别过程, 则该字段值直接取决于鉴别激活分组中的 SNonce字段值; 若为 更新的身份鉴别过程, 则该字段值为上一次身份鉴别过程中计算的鉴别标识 值; χ·Ρ字段: 表示请求者 REQ的密钥数据, 是请求者 REQ生成的用于椭圓曲 线 Diffie-Hellman交换的临时公钥; IDAAC字段: 表示鉴别访问控制器 AAC的 身份标识 ID , 根据鉴别激活分组中鉴别访问控制器 AAC的证书 CertAAc字段得 到; CertREQ字段: 表示请求者 REQ的证书; ParaECDH字段: 表示椭圓曲线密码 体制的椭圓曲线密码参数 ,是请求者 REQ和鉴别访问控制器 AAC进行椭圓曲线 Diffie-Hellman密钥协商计算时釆用的椭圓曲线密码参数, 其值同鉴别激活分 组中的 ParaECDH字段值; SigREQ字段: 表示请求者 REQ的签名, 是请求者 REQ 利用自己的私钥对接入鉴别请求分组中除本字段之外所有字段进行的签名; 所述接入鉴别响应分组包括: ACCRES字段、 χ·Ρ字段、 P字段、 IDAAC字段、 IDREQ字段、 SIGAAC字段或 MIC1字段; 其中, ACCRES字段: 表示接入结果, 是 鉴别访问控制器 AAC根据鉴别结果设定的接入成功或失败以及失败的原因; x P: 表示请求者 REQ的密钥数据, 其值同接入鉴别请求分组中 χ·Ρ字段的值; y P: 表示鉴别访问控制器 AAC的密钥数据, 是鉴别访问控制器 AAC生成的用 于椭圓曲线 Diffie-Hellman交换的临时公钥; IDAAC字段:表示鉴别访问控制器 AAC的身份标识 ID , 是根据鉴别访问控制器 AAC的证书 CertAAc字段得到; IDREQ字段: 表示请求者 REQ的身份标识 ID , 根据收到的接入鉴别请求分组中 请求者 REQ的证书 CertREQ字段得到; SIGAAC字段: 表示鉴别访问控制器 AAC 的签名,是鉴别访问控制器 AAC利用自己的私钥对本分组中除本字段之外所有 字段的签名; MIC1字段: 表示消息鉴别码, 是鉴别访问控制器 AAC利用鉴别 过程中协商生成的基密钥 BK对接入鉴别响应分组中除了本字段外的所有字段 计算得到的杂凑值。 The access authentication request packet includes: a SNonce field: indicating an authentication identifier, if the first identity authentication process, the field value directly depends on the SNonce field value in the authentication activation packet; if it is an updated identity authentication process, the field The value is the authentication identifier value calculated in the last identity authentication process; χ·Ρ field: the key data representing the requester REQ, which is the temporary public key generated by the requester REQ for the elliptic curve Diffie-Hellman exchange; ID AAC Field: indicates the identity ID of the authentication access controller AAC, obtained according to the certificate CertAAc field of the authentication access controller AAC in the authentication activation packet; CertREQ field: certificate representing the requester REQ; Para ECDH field: representing the elliptic curve cryptosystem The elliptic curve cryptographic parameter is an elliptic curve cryptographic parameter used by the requester REQ and the authentication access controller AAC for elliptic curve Diffie-Hellman key negotiation calculation, and the value is the same as the Para ECDH field value in the authentication activation packet; Si gRE Q field: indicates the signature of the requester REQ, which is the requester REQ uses its own private key pair access authentication request a signature of all the fields in the packet except the field; the access authentication response packet includes: an ACCRES field, a χ·Ρ field, a P field, an IDAAC field, an IDREQ field, a SIGAAC field, or an MIC1 field; wherein, the ACCRES field: Indicates the access result, which is the reason why the access controller AAC sets the access success or failure according to the authentication result and the failure; x P: represents the key data of the requester REQ, and its value is the same as the access authentication request packet. The value of the field; y P: indicates the key data of the authentication access controller AAC, is a temporary public key generated by the access controller AAC for elliptic curve Diffie-Hellman exchange; IDAAC field: indicates the identity ID of the authentication access controller AAC, It is obtained according to the certificate CertAAc field of the authentication access controller AAC; IDREQ field: indicates the identity ID of the requester REQ, which is obtained according to the certificate CertREQ field of the requester REQ in the received access authentication request packet; SIGAAC field: indicates the authentication access The signature of the controller AAC is that the authentication access controller AAC uses its own private key to sign all the fields except this field in the packet; MIC1 field: indicates the message authentication code, which is generated by the authentication access controller AAC during the authentication process. The base key BK calculates the hash value of all the fields except the present field in the access authentication response packet.
14、根据权利要求 13所述的基于公钥证书的身份鉴别系统, 其特征在于: 所述基于公钥证书的身份鉴别系统还包括: 鉴别服务器 AS , 所述鉴别服务器 AS分别和请求者 REQ、 鉴别访问控制器 AAC链接; 所述请求者 REQ和鉴别 访问控制器 AAC通过鉴别服务器 AS进行鉴别。  The public key certificate-based identity authentication system according to claim 13, wherein: the public key certificate-based identity authentication system further comprises: an authentication server AS, the authentication server AS and the requester REQ, respectively The access controller AAC link is authenticated; the requester REQ and the authentication access controller AAC authenticate by the authentication server AS.
15、根据权利要求 13或 14所述的基于公钥证书的身份鉴别系统, 其特征 在于, 所述接入鉴别响应分组中的 MIC 1字段是由鉴别访问控制器 AAC利用 鉴别过程中协商生成的基密钥 BK对接入鉴别响应分组中除了本字段外的所 有字段及下一次证书鉴别过程的鉴别标识计算得到的杂凑值。  The public key certificate-based identity authentication system according to claim 13 or 14, wherein the MIC 1 field in the access authentication response packet is generated by the authentication access controller AAC during negotiation using the authentication process. The base key BK calculates the hash value of all the fields except the present field in the access authentication response packet and the identification identifier of the next certificate authentication process.
PCT/CN2009/076223 2009-08-19 2009-12-30 Public key certificate-based identity authentication method and system thereof WO2011020279A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2009100236297A CN101631114B (en) 2009-08-19 2009-08-19 Identity authentication method based on public key certificate and system thereof
CN200910023629.7 2009-08-19

Publications (1)

Publication Number Publication Date
WO2011020279A1 true WO2011020279A1 (en) 2011-02-24

Family

ID=41576060

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/076223 WO2011020279A1 (en) 2009-08-19 2009-12-30 Public key certificate-based identity authentication method and system thereof

Country Status (2)

Country Link
CN (1) CN101631114B (en)
WO (1) WO2011020279A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2807058C1 (en) * 2020-12-26 2023-11-09 Чайна Ивнкомм Ко., Лтд. Method and apparatus for authentication of identification information, device, microcircuit, information storage media and program

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101958908B (en) * 2010-10-13 2012-08-08 西安西电捷通无线网络通信股份有限公司 Network access control method and system
US9038143B2 (en) 2010-10-13 2015-05-19 China Iwncomm Co., Ltd. Method and system for network access control
US9763081B2 (en) * 2013-11-21 2017-09-12 Apple Inc. System and method for policy control functions management mechanism
CN104954130B (en) * 2014-03-31 2019-08-20 西安西电捷通无线网络通信股份有限公司 A kind of method for authenticating entities and device
CN114760046A (en) * 2020-12-26 2022-07-15 西安西电捷通无线网络通信股份有限公司 Identity authentication method and device
CN114760034A (en) * 2020-12-26 2022-07-15 西安西电捷通无线网络通信股份有限公司 Identity authentication method and device
CN114760038A (en) * 2020-12-26 2022-07-15 西安西电捷通无线网络通信股份有限公司 Identity authentication method and device
CN114760039A (en) * 2020-12-26 2022-07-15 西安西电捷通无线网络通信股份有限公司 Identity authentication method and device
CN114760032A (en) * 2020-12-26 2022-07-15 西安西电捷通无线网络通信股份有限公司 Identity authentication method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101056177A (en) * 2007-06-01 2007-10-17 清华大学 Radio mesh re-authentication method based on the WLAN secure standard WAPI
CN101442749A (en) * 2008-12-15 2009-05-27 广州杰赛科技股份有限公司 Authentication method for wireless netted network based on WAPI
CN101448262A (en) * 2008-12-15 2009-06-03 广州杰赛科技股份有限公司 WAPI-based authentication method of wireless mesh network

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7293284B1 (en) * 2002-12-31 2007-11-06 Colligo Networks, Inc. Codeword-enhanced peer-to-peer authentication
CN1225941C (en) * 2004-11-04 2005-11-02 西安西电捷通无线网络通信有限公司 Roaming access method of mobile node in radio IP system
CN100488305C (en) * 2006-09-23 2009-05-13 西安西电捷通无线网络通信有限公司 Method of network access indentifying and authorizing and method of updating authorizing key
CN101431517B (en) * 2008-12-08 2011-04-27 西安西电捷通无线网络通信股份有限公司 Trusted network connection handshaking method based on ternary equity identification

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101056177A (en) * 2007-06-01 2007-10-17 清华大学 Radio mesh re-authentication method based on the WLAN secure standard WAPI
CN101442749A (en) * 2008-12-15 2009-05-27 广州杰赛科技股份有限公司 Authentication method for wireless netted network based on WAPI
CN101448262A (en) * 2008-12-15 2009-06-03 广州杰赛科技股份有限公司 WAPI-based authentication method of wireless mesh network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Information technology-Telecommunications and information exchange between systems-Local and metropolitan area networks-Specific requirements-Part 11 : Wireless LAN Medium Access Control (MAC) and Physical Layer(PHY) specifications Amendment 1", GB 15629.11-2003/XG1-2006, GENERAL ADMINISTRATION OF QUALITY SUPERVISION, INSPECTION AND QUARANTINE OF THE PEOPLE'S REPUBLIC OF CHINA, STANDARDIZATION ADMINISTRATION OF THE PEOPLE'S REPUBLIC OF CHINA, 27 January 2006 (2006-01-27), pages 25 - 34 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2807058C1 (en) * 2020-12-26 2023-11-09 Чайна Ивнкомм Ко., Лтд. Method and apparatus for authentication of identification information, device, microcircuit, information storage media and program

Also Published As

Publication number Publication date
CN101631114A (en) 2010-01-20
CN101631114B (en) 2011-09-21

Similar Documents

Publication Publication Date Title
JP5414898B2 (en) Security access control method and system for wired LAN
WO2011020279A1 (en) Public key certificate-based identity authentication method and system thereof
US8312278B2 (en) Access authentication method applying to IBSS network
WO2009094941A1 (en) A method, device and system of id based wireless multi-hop network autentication access
US8751792B2 (en) Method and system for entity public key acquiring, certificate validation and authentication by introducing an online credible third party
WO2015010537A1 (en) Encrypted communications method and encrypted communications system
WO2013087039A1 (en) Secure data transmission method, device and system
WO2011022915A1 (en) Method and system for pre-shared-key-based network security access control
CN107396350B (en) SDN-5G network architecture-based security protection method between SDN components
WO2009067902A1 (en) A two-way access authentication method
WO2006131061A1 (en) Authentication method and corresponding information transmission method
WO2008083628A1 (en) A authentication server and a method,a system,a device for bi-authenticating in a mesh network
WO2009109136A1 (en) A bidirectional entity authentication method based on the credible third party
WO2010003335A1 (en) Method, system and device for negotiating security association (sa) in ipv6 network
WO2011022918A1 (en) Entity bidirectional authentication method by introducing an online third party
WO2009089764A1 (en) A system and method of secure network authentication
WO2011026296A1 (en) Method for authenticating entities by introducing an on-line trusted third party
JP2011504318A (en) One-way access authentication method
RU2448427C2 (en) Wapi unicast secret key negotiation method
WO2011009268A1 (en) Wapi (wlan authentication and privacy infrastructure) -based authentication system and method
WO2011022919A1 (en) Entity authentication method by introducing online third party
WO2012075825A1 (en) Security configuration method for station in wireless local area network, ap, sta, as and system
RU2010123869A (en) KEY MANAGEMENT METHOD
WO2012000313A1 (en) Method and system for home gateway certification
WO2022135380A1 (en) Identity authentication method and apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09848420

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09848420

Country of ref document: EP

Kind code of ref document: A1