WO2012048551A1 - Method and system for network access control - Google Patents


Info

Publication number
WO2012048551A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
req
visitor
identity
access
Application number
PCT/CN2011/071770
Other languages
French (fr)
Chinese (zh)
Inventor
李剑雄
杜志强
铁满霞
曹军
周吉阳
王俊峰
张莎
Original Assignee
天维讯达无线电设备检测(北京)有限责任公司
西安西电捷通无线网络通信股份有限公司
Application filed by 天维讯达无线电设备检测(北京)有限责任公司, 西安西电捷通无线网络通信股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority

Definitions

  • the present invention belongs to the field of network security applications in information security technologies, and in particular to a network access control method and system.

Background

  • the access controller in the destination network completes the authentication and authorization of the visitor, thereby implementing access control of the visitor.
  • because of constraints of the access controller itself or of the destination network, the access controller may not be directly connected to the authentication server, which prevents the access controller from directly using the authentication service provided by the authentication server.
  • the prior art access control method, in which the access controller directly connects to the authentication server and uses the authentication service it provides, therefore cannot meet the practical application requirements for access control of the visitor.

Summary of the invention
  • the present invention provides a network access control method and system capable of satisfying the application requirements for access control of a visitor.
  • the present invention provides a network access control method, including:
  • Step 1) a visitor sends an access request message to an access controller in a destination network, where the access request message includes a random number N_REQ;
  • Step 2) after receiving the access request message, the access controller constructs an access authentication request message containing first identity authentication information and sends it to the visitor; the first identity authentication information is the result of a symmetric cryptographic operation performed on N_REQ by using the shared key K_{AS,AC} between the access controller and an authentication server;
  • Step 3) after receiving the access authentication request message, the visitor constructs an identity authentication request message and sends it to the authentication server; the identity authentication request message includes the first identity authentication information and second identity authentication information; the second identity authentication information is the result of a symmetric cryptographic operation performed on N_REQ by the visitor using the shared key K_{AS,REQ} between the visitor and the authentication server;
  • Step 4) after receiving the identity authentication request message, the authentication server authenticates the first identity authentication information by using K_{AS,AC} to obtain a first authentication result, and encrypts the first authentication result with K_{AS,REQ} to form a first publicly identifiable authentication result concerning the access controller; it also authenticates the second identity authentication information by using K_{AS,REQ} to obtain a second authentication result, and encrypts the second authentication result with K_{AS,AC} to form a second publicly identifiable authentication result concerning the visitor; the authentication server then constructs an identity authentication response message and sends it to the visitor; the identity authentication response message includes the first publicly identifiable authentication result and the second publicly identifiable authentication result;
  • Step 5) after receiving the identity authentication response message, the visitor decrypts the first publicly identifiable authentication result to obtain the first authentication result, and according to the first authentication result constructs an access authentication response message and sends it to the access controller; the access authentication response message includes the second publicly identifiable authentication result;
  • Step 6) after receiving the access authentication response message, the access controller decrypts the second publicly identifiable authentication result to obtain the second authentication result, and constructs an access response message according to an authorization policy.
  • the authorization policy refers to the policy by which the access controller authorizes the access request.
  • the present invention provides an access device, including:
  • An access request interaction module configured to send an access request message to an access controller of a destination network, where the access request message includes a random number N_REQ, and to receive an access authentication request message sent by the access controller that includes first identity authentication information; the first identity authentication information is the result of a symmetric cryptographic operation performed on N_REQ by using the shared key K_{AS,AC} between the access controller and an authentication server;
  • An authentication request interaction module configured to send an identity authentication request message to the authentication server, where the identity authentication request message includes the first identity authentication information and second identity authentication information, the second identity authentication information being the result of a symmetric cryptographic operation performed on N_REQ by the visitor using the shared key K_{AS,REQ} between the visitor and the authentication server; and to receive an identity authentication response message sent by the authentication server; the identity authentication response message includes a first publicly identifiable authentication result and a second publicly identifiable authentication result, where the first publicly identifiable authentication result is formed by encrypting with K_{AS,REQ} the first authentication result obtained after identity authentication of the access controller according to the first identity authentication information, and the second publicly identifiable authentication result is formed by encrypting with K_{AS,AC} the second authentication result obtained after identity authentication of the visitor according to the second identity authentication information;
  • An authentication result interaction module configured to send, according to the first authentication result, an access authentication response message that includes the second publicly identifiable authentication result to the access controller, and to receive the access response message sent by the access controller.
  • the invention also provides an authentication server, comprising:
  • An authentication request receiving module configured to receive an identity authentication request message sent by a visitor, where the identity authentication request message includes first identity authentication information of an access controller of the destination network and second identity authentication information of the visitor; the first identity authentication information is the result of a symmetric cryptographic operation performed by the access controller, using the shared key K_{AS,AC} between itself and the authentication server, on the random number N_REQ included in the access request message sent by the visitor; the second identity authentication information is the result of a symmetric cryptographic operation performed on N_REQ by the visitor using the shared key K_{AS,REQ} between the visitor and the authentication server;
  • An authentication execution module configured to generate, according to the first identity authentication information, a first authentication result after performing identity authentication on the access controller, and to encrypt the first authentication result with K_{AS,REQ} to form a first publicly identifiable result concerning the access controller; and to generate, according to the second identity authentication information, a second authentication result after performing identity authentication on the visitor, and to encrypt the second authentication result with K_{AS,AC} to form a second publicly identifiable result concerning the visitor;
  • An authentication response sending module configured to send an identity authentication response message to the visitor, where the identity authentication response message includes the first publicly identifiable authentication result and the second publicly identifiable authentication result.
  • the invention also provides an access controller, comprising:
  • An access request receiving module configured to receive an access request message sent by a visitor, where the access request message carries a random number N_REQ;
  • An access authentication request constructing module configured to send an access authentication request message including first identity authentication information to the visitor, where the first identity authentication information is the result of a symmetric cryptographic operation performed on N_REQ by using the shared key K_{AS,AC} between the access controller and the authentication server;
  • An access authentication response receiving module configured to receive an access authentication response message sent by the visitor and to decrypt the second authentication result; the access authentication response message is constructed by the visitor according to the first authentication result included in the identity authentication response message sent by the authentication server, and includes the second authentication result; the first authentication result is determined by the authentication server using K_{AS,AC} on the first identity authentication information included in the identity authentication request message sent by the visitor, and the second authentication result is determined by the authentication server using the shared key K_{AS,REQ} with the visitor on the second identity authentication information sent by the visitor; the second identity authentication information is the result of the symmetric cryptographic operation performed by the visitor on N_REQ with K_{AS,REQ};
  • An access request response module configured to send an access response message to the visitor according to the obtained second authentication result and the authorization policy.
  • the present invention also provides a network access control system, including a visitor, an access controller of a destination network, and an authentication server, where:
  • the visitor is configured to send an access request message to the access controller, where the access request message carries a random number N_REQ, and to receive an access authentication request message returned by the access controller, where the access authentication request message includes first identity authentication information; the access authentication response message sent to the access controller is constructed according to the first authentication result and includes the second publicly identifiable authentication result;
  • the access controller is configured to receive the access request message sent by the visitor and to send an access authentication request message including the first identity authentication information to the visitor; the first identity authentication information is the result of a symmetric cryptographic operation performed on N_REQ by using the shared key K_{AS,AC} between the access controller and the authentication server;
  • the authentication server is configured to receive the identity authentication request message sent by the visitor; to generate a first authentication result after performing identity authentication on the access controller according to the first identity authentication information, and to encrypt the first authentication result with K_{AS,REQ} to form a first publicly identifiable authentication result concerning the access controller; to generate a second authentication result after performing identity authentication on the visitor according to the second identity authentication information, and to encrypt the second authentication result with K_{AS,AC} to form a second publicly identifiable result concerning the visitor; and to return an identity authentication response message to the visitor, including the first publicly identifiable authentication result and the second publicly identifiable authentication result.
  • the network access control method and system provided by the present invention complete identity authentication of a visitor in the case where an authentication server participates but the access controller of the destination network cannot directly use the authentication service provided by the authentication server.
  • the invention is based on a symmetric cryptographic mechanism. After the visitor makes an access request, the access controller in the destination network processes the access request; the visitor then initiates an identity authentication request to the authentication server, and the access controller in the destination network completes the authentication of the visitor's identity according to the publicly identifiable authentication result of the authentication server forwarded by the visitor, and authorizes the successfully authenticated visitor according to the authorization policy.
  • the present invention solves the problem that access control cannot be implemented when the access controller cannot directly use the authentication service provided by the authentication server, and satisfies the practical application requirements.
  • FIG. 1 is a flow chart of the network access control method provided by the present invention.
  • FIG. 2 is a schematic diagram of the operation of the network access control system provided by the present invention.
  • FIG. 3 is a detailed block diagram of step S1 in FIG. 2.
  • FIG. 4 is a detailed block diagram of step S2 in FIG. 2.
  • FIG. 5 is a detailed block diagram of step S3 in FIG. 2.
  • FIG. 6 is a detailed block diagram of step S4 in FIG. 2.
  • FIG. 7 is a detailed block diagram of step S5 in FIG. 2.
  • FIG. 8 is a detailed block diagram of step S6 in FIG. 2.

Detailed description
  • the present invention provides a network access control system 100.
  • the access control system 100 includes a visitor REQ, an authentication server AS, and an access controller AC.
  • the shared key K_{AS,REQ} is shared between the visitor REQ and the authentication server AS.
  • the shared key K_{AS,AC} is shared between the access controller AC and the authentication server AS.
  • the network access control system 100 completes the authentication and authorization of the visitor REQ through six steps S1 to S6.
  • Step S1: referring to FIG. 3, the visitor REQ sends an access request message M1 to the access controller AC in the destination network.
  • the access request message M1 contains N_REQ || Q_REQ.
  • N_REQ represents the random number generated by the visitor REQ, and Q_REQ represents the access request of the visitor REQ, the same below.
  • Step S2: referring to FIG. 4, after receiving the access request message M1, the access controller AC constructs an access authentication request message M2 and sends it to the visitor REQ.
  • the access authentication request message M2 contains the identity authentication information I1 of the access controller AC.
  • the identity authentication information I1 is used to prove the validity of the identity of the access controller AC to the authentication server AS, and is the result of performing a symmetric cryptographic operation on N_REQ by using the shared key K_{AS,AC}.
  • Step S3: referring to FIG. 5, after the visitor REQ receives the access authentication request message M2, it constructs an identity authentication request message M3 and sends it to the authentication server AS.
  • the identity authentication request message M3 includes the identity authentication information I1 and the identity authentication information I2 of the visitor REQ.
  • the identity authentication information I2 is used to prove the validity of the identity of the visitor REQ to the authentication server AS, and is the result of performing a symmetric cryptographic operation on N_REQ by using the shared key K_{AS,REQ}.
  • Step S4: referring to FIG. 6, the authentication server AS provides an authentication service according to the identity authentication request message M3 and generates authentication results.
  • the authentication server AS authenticates the identity authentication information I1 in the identity authentication request message M3 by using the shared key K_{AS,AC} and obtains the first authentication result concerning the access controller AC, and authenticates the identity authentication information I2 in the identity authentication request message M3 by using the shared key K_{AS,REQ} and obtains the second authentication result concerning the visitor REQ; the authentication server AS then encrypts the first authentication result by using the shared key K_{AS,REQ} to form the publicly identifiable authentication result C1 concerning the access controller AC, encrypts the second authentication result by using the shared key K_{AS,AC} to form the publicly identifiable authentication result C2 concerning the visitor REQ, and constructs the identity authentication response message M4 to be sent to the visitor REQ.
  • the identity authentication response message M4 includes the publicly identifiable authentication results C1 and C2.
  • Step S5: referring to FIG. 7, after receiving the identity authentication response message M4, the visitor REQ decrypts the publicly identifiable authentication result C1 to obtain the first authentication result, and constructs an access authentication response message M5 according to the first authentication result.
  • the access authentication response message M5 includes the publicly identifiable authentication result C2.
  • Step S6: referring to FIG. 8, after receiving the access authentication response message M5, the access controller AC decrypts the publicly identifiable authentication result C2 in the access authentication response message M5, obtains the second authentication result, constructs an access response message M6 according to the authorization policy, and sends it to the visitor REQ; the access response message M6 contains information as to whether the visitor REQ is authorized to access the destination network.
  • the authorization policy refers to the policy by which the access controller AC authorizes the access request Q_REQ of the visitor REQ.
  • the authorization policy may come from a certain server, such as the authentication server AS, or may be local to the access controller AC.
  • the authorization policy has been previously built into the authentication server AS or the access controller AC, and the present invention only invokes the authorization policy.
  • the authentication and authorization of the visitor REQ can thus be realized, meeting the practical application requirements for access control of the visitor REQ.
  • the present invention provides an access device, including: an access request interaction module configured to send an access request message to an access controller of a destination network, where the access request message includes a random number N_REQ, and to receive an access authentication request message sent by the access controller that includes first identity authentication information; the first identity authentication information is the result of a symmetric cryptographic operation performed on N_REQ by using the shared key K_{AS,AC} between the access controller and an authentication server;
  • An authentication request interaction module configured to send an identity authentication request message to the authentication server, where the identity authentication request message includes the first identity authentication information and second identity authentication information, the second identity authentication information being the result of a symmetric cryptographic operation performed on N_REQ by the visitor using the shared key K_{AS,REQ} between the visitor and the authentication server; and to receive an identity authentication response message sent by the authentication server; the identity authentication response message includes a first publicly identifiable authentication result and a second publicly identifiable authentication result, where the first publicly identifiable authentication result is formed by encrypting with K_{AS,REQ} the first authentication result obtained after identity authentication of the access controller according to the first identity authentication information, and the second publicly identifiable authentication result is formed by encrypting with K_{AS,AC} the second authentication result obtained after identity authentication of the visitor according to the second identity authentication information;
  • An authentication result interaction module configured to construct, according to the first authentication result, an access authentication response message that includes the second publicly identifiable authentication result, to send it to the access controller, and to receive the access response message sent by the access controller.
  • the invention also provides a corresponding authentication server, comprising:
  • An authentication request receiving module configured to receive an identity authentication request message sent by a visitor, where the identity authentication request message includes first identity authentication information of an access controller of the destination network and second identity authentication information of the visitor; the first identity authentication information is the result of a symmetric cryptographic operation performed by the access controller, using the shared key K_{AS,AC} between itself and the authentication server, on the random number N_REQ included in the access request message sent by the visitor; the second identity authentication information is the result of a symmetric cryptographic operation performed on N_REQ by the visitor using the shared key K_{AS,REQ} between the visitor and the authentication server;
  • An authentication execution module configured to generate, according to the first identity authentication information, a first authentication result after performing identity authentication on the access controller, and to encrypt the first authentication result with K_{AS,REQ} to form a first publicly identifiable authentication result concerning the access controller; and to generate, according to the second identity authentication information, a second authentication result after performing identity authentication on the visitor, and to encrypt the second authentication result with K_{AS,AC} to form a second publicly identifiable result concerning the visitor;
  • An authentication response sending module configured to send an identity authentication response message to the visitor, where the identity authentication response message includes the first publicly identifiable authentication result and the second publicly identifiable authentication result.
  • the invention also provides a corresponding access controller, including:
  • An access request receiving module configured to receive an access request message sent by a visitor, where the access request message carries a random number N_REQ;
  • An access authentication request constructing module configured to send an access authentication request message including first identity authentication information to the visitor, where the first identity authentication information is the result of a symmetric cryptographic operation performed on N_REQ by using the shared key K_{AS,AC} between the access controller and the authentication server;
  • An access authentication response receiving module configured to receive an access authentication response message sent by the visitor and to decrypt the second authentication result; the access authentication response message is constructed by the visitor according to the first authentication result included in the identity authentication response message sent by the authentication server, and includes the second authentication result; the first authentication result is determined by the authentication server using K_{AS,AC} on the first identity authentication information included in the identity authentication request message sent by the visitor, and the second authentication result is determined by the authentication server using the shared key K_{AS,REQ} with the visitor on the second identity authentication information sent by the visitor; the second identity authentication information is the result of the symmetric cryptographic operation performed by the visitor on N_REQ with K_{AS,REQ};
  • An access request response module configured to send an access response message to the visitor according to the obtained second authentication result and the authorization policy.
  • a network access control system having the corresponding functions includes a visitor, an access controller of a destination network, and an authentication server, wherein:
  • the visitor is configured to send an access request message to the access controller, where the access request message carries a random number N_REQ; the access authentication response message sent to the access controller is constructed according to the first authentication result and includes the second publicly identifiable authentication result;
  • the access controller is configured to receive the access request message sent by the visitor and to send an access authentication request message including the first identity authentication information to the visitor; the first identity authentication information is the result of a symmetric cryptographic operation performed on N_REQ by using the shared key K_{AS,AC} between the access controller and the authentication server; and
  • the authentication server is configured to receive the identity authentication request message sent by the visitor; to generate a first authentication result after performing identity authentication on the access controller according to the first identity authentication information, and to encrypt the first authentication result with K_{AS,REQ} to form a first publicly identifiable authentication result concerning the access controller; to generate a second authentication result after performing identity authentication on the visitor according to the second identity authentication information, and to encrypt the second authentication result with K_{AS,AC} to form a second publicly identifiable result concerning the visitor; and to return an identity authentication response message to the visitor, including the first publicly identifiable authentication result and the second publicly identifiable authentication result.
  • the visitor REQ constructs the N REQ
  • Q REQ is the access request message M1.
  • the request message M1 may also be other messages.
  • the other message includes at least N REQ
  • means that the two messages before and after are connected in series, the same below.
  • the access controller AC After receiving the access request message M1, that is, N REQ
  • the access authentication request message M2 is a message including at least N REQ
  • N AC represents a random number generated by the access controller AC
  • 6 (1 ⁇ , ⁇ represents the result of encrypting N REQ by using the shared key K AS , Ae , that is, the identity authentication information II of the access controller AC
  • E is A symmetric encryption algorithm; the same below.
  • Step S3 After receiving the access authentication request message M2, that is, N REQ
  • the ID AC is the identity of the access controller AC, the same below.
  • the identity authentication request message M3 is a message containing at least ID AC
  • the authentication server AS determines, according to the ID Ae, whether the access controller AC has shared the key K AS , AC with the authentication server AS , and if the key K AS , AC is not shared, executes 4. 2. 1 ); If the key K AS , AC is shared, go to step 4. 2. 2 ).
  • the authentication server AS decrypts E (K AS; AC , N REQ ), that is, the identity authentication information 11 by using the shared key K AS , Ae , and determines whether the N REQ obtained after decryption is in the step with the visitor REQ S 3 is transmitted to the authentication server AS identity authentication request message is equal to N REQ message M3 is, if the decrypted N visitors REQ REQ and authentication transmitted to the authentication server AS in step S3 in the request information message M3 If N REQ is not equal, then 4. 2. 2. 1 ) is executed; if the N REQ obtained after decryption is equal to the information N REQ in the identity authentication request message M3 sent by the visitor REQ to the authentication server AS in step S3, then Execute 4. 2. 2. 2).
  • the authentication server AS constructs an identity authentication response message M4 ie ID AC
  • MIC 2 is sent to the visitor REQ.
  • Res (AC) is the publicly discriminable result CI
  • Res (REQ) is the publicly discriminable result C 2
  • Res (AC) E (K AS; REQ , R (AC) )
  • Res (REQ E (K AS; AC , R (REQ) )
  • R (AC) is the first discrimination result
  • R (REQ) is the
  • MIC 2 H (K AS;REQ , ID AC
  • the authentication server AS decrypts E (K AS; REQ , N REQ ) by using the shared key K AS , REQ , and determines whether the N REQ obtained after decryption and the identity of the visitor REQ are sent to the authentication server AS in step S3.
  • the information N REQ in the authentication request message M3 is equal. If the N REQ obtained after decryption is not equal to the information N REQ in the identity authentication request message M3 sent by the visitor REQ to the authentication server AS in step S3, then 4.3.1 is performed.
  • the authentication server AS decrypts E (K AS , REQ , the obtained N REQ and the visitor REQ in the identity authentication request message M 3 sent to the authentication server AS in step S 3 by using the shared key K AS , REQ If the information N REQ is equal, then 4.3.2).
  • the authentication server AS determines, according to the ID_AC, whether the access controller AC shares the key K_AS,AC with the authentication server AS; if the key K_AS,AC is not shared, 4.3.1.1) is executed; if the key K_AS,AC is shared, 4.3.1.2) is executed.
  • the authentication server AS terminates the authentication.
  • the authentication server AS decrypts E(K_AS,AC, N_REQ) by using the shared key K_AS,AC, and determines whether the N_REQ obtained after decryption is equal to the N_REQ in the identity authentication request message M3 sent by the visitor REQ to the authentication server AS in step S3; if it is not equal, 4.3.1.2.1) is performed; if it is equal, 4.3.1.2.2) is performed.
  • the authentication server terminates the authentication.
  • the authentication server AS constructs the identity authentication response message M4
  • MIC 2 is sent to the visitor REQ.
  • R(AC) = True, indicating that the authentication server AS successfully authenticates the access controller AC;
  • R(REQ) = Failure, indicating that the authentication server AS fails to authenticate the visitor REQ;
  • MIC2 = H(K_AS,REQ, ID_AC
  • H is a one-way hash algorithm, the same below.
  • the authentication server AS determines, according to the ID_AC, whether the access controller AC shares the key K_AS,AC with the authentication server AS; if the key K_AS,AC is not shared, 4.3.2.1) is executed; if the key K_AS,AC is shared, 4.3.2.2) is executed;
  • the authentication server AS constructs the identity authentication response message M4
  • the authentication server AS uses the shared key K_AS,AC to decrypt E(K_AS,AC, N_REQ) and checks the N_REQ obtained
  • the authentication server AS generates a session key K_AC,REQ between the visitor REQ and the access controller AC, and then, using the shared keys K_AS,AC and K_AS,REQ and the session key K_AC,REQ, calculates E(K_AS,AC, ID_REQ
  • the authentication server AS further constructs an identity authentication response message M4 at this time, that is, ID_AC
  • MIC2 is sent to the visitor REQ.
  • the message integrity authentication code MIC2 = H(K_AS,REQ, ID_AC
  • the identity authentication response message M4 is ID_AC
  • the identity authentication response message M4 is a message containing at least ID_AC
  • the identity authentication response message M4 is ID_AC
  • the identity authentication response message M4 is a message including at least ID_AC
  • the visitor REQ receives the identity authentication response message M4
  • Step 5.2: the visitor REQ discards the identity authentication response message M4.
  • Step 5.3: the visitor REQ checks the integrity of the message according to MIC2; if it is not intact, 5.3.1) is executed; if it is intact, 5.3.2) is executed.
  • the visitor REQ uses K_AS,REQ to decrypt the publishable authentication result C1, i.e. Res(AC), to determine the legitimacy of the access controller AC; decrypting Res(AC) yields R(AC).
  • the visitor REQ decrypts the E(K_AS,REQ, K_AC,REQ) in the identity authentication response message M4 to obtain the session key K_AC,REQ, generates the random number N'_REQ, and calculates the message integrity authentication code MIC3 = H(K_AC,REQ, N_AC
  • the message integrity authentication code MIC3 is used to verify the integrity of the message N_AC
  • the access authentication response message M5 is at least one of
  • the access controller AC receives the access authentication response message M5, i.e. N_AC
  • the access controller AC denies access to the visitor REQ.
  • the access controller AC denies access to the visitor REQ.
  • the access controller AC decrypts E(K_AS,AC, ID_REQ
  • the access controller AC denies access to the visitor REQ.
  • the access controller AC confirms that the ID_REQ obtained by decrypting E(K_AS,AC, ID_REQ
  • the access controller AC denies access to the visitor REQ.
  • the access controller AC determines, according to the authorization policy, whether the access request Q_REQ sent by the visitor REQ in step S1 is legal; if not, 6.3.2.2.2.1) is performed; if legal, 6.3.2.2.2.2) is performed.
  • the access controller AC denies access to the visitor REQ.
  • MIC4 is sent to the visitor REQ.
  • R_AC is used by the access controller AC to notify the visitor REQ whether it has access to the destination network.
  • the message integrity authentication code MIC4 is used to verify the integrity of the message N'_REQ
  • the AC local may also be provided by another server such as the authentication server AS.
  • the identity authentication response message M4 in step S4 is required to be ID AC
  • E in the MIC 2 K AS , AC , ID REQ
  • K AC , REQ ) is modified to E (K AS , AC , ID REQ
  • the access controller AC authenticates and authorizes the visitor REQ, and access control of the visitor REQ by the access controller AC is thereby realized.
  • the visitor REQ checks the N'_REQ in the message
  • the visitor REQ discards the access response message M6.
  • the visitor REQ decrypts E(K_AC,REQ, R_AC) to obtain the response data R_AC, determines from R_AC whether the access controller AC authorizes access to the destination network, and then accesses the destination network accordingly.
  • the access response message M6 is a message containing at least N' REQ
  • the access controller AC, after receiving the access request message M1, that is, N_REQ
  • in other embodiments, the access authentication request message M2 is a message containing at least N_REQ
  • N_REQ) represents the result of hashing K_AS,AC
  • the visitor REQ, after receiving the access authentication request message M2, that is, N_REQ
  • N_REQ), the visitor REQ first determines whether the N_REQ is the random number generated by the visitor REQ; if not, the access authentication request message M2 is discarded; if yes, the visitor REQ calculates the message integrity authentication code MIC5 = H(K_AS,REQ, ID_AC
  • the message integrity authentication code MIC5 is used to verify the integrity of the ID_AC
  • the authentication request message M3 is at least one of
  • the authentication server AS, after receiving the identity authentication request message M3, i.e. ID_AC
  • the authentication server AS determines, according to the ID_AC, whether the access controller AC shares the key K_AS,AC with the authentication server AS; if the key K_AS,AC is not shared, 4.2.1) is performed; if the key K_AS,AC is shared, 4.2.2) is performed.
  • the authentication server AS terminates the authentication.
  • the authentication server AS constructs an identity authentication response message M4 ie ID AC
  • MIC 2 is sent to the visitor REQ.
  • Res(AC) is the publishable authentication result C1
  • Res(REQ) is the publishable authentication result C2
  • Res(AC) = E(K_AS,REQ, R(AC))
  • Res(REQ) = E(K_AS,AC, R(REQ))
  • R(AC) is the first authentication result
  • R(REQ) is the second authentication result
  • MIC2 is the message integrity authentication code.
  • the authentication of the access controller AC was successful.
  • MIC2 = H(K_AS,REQ, ID_AC
  • the authentication server AS judges according to the MIC 5 in the identity authentication request message M3
  • the authentication server AS discards the identity authentication request message M3.
  • the authentication server AS uses the ID_AC to determine whether the access controller AC has been authenticated with the server.
  • the authentication server AS verifies the integrity of H(K_AS,AC
  • the authentication server AS constructs an identity authentication response message M4, i.e. ID_AC
  • R(AC) = Failure, indicating that the authentication server AS fails to authenticate the access controller AC;
  • R(REQ) = True, indicating that the authentication server AS successfully authenticates the visitor REQ.
  • MIC2 = H(K_AS,REQ, ID_AC
  • the authentication server AS generates a session key K_AC,REQ between the visitor REQ and the access controller AC, and then, using the shared keys K_AS,AC and K_AS,REQ and the session key K_AC,REQ, calculates E(K_AS,AC, ID_REQ
  • K_AC,REQ) and E(K_AS,REQ, K_AC,REQ), and then calculates the message integrity authentication code MIC2 = H(K_AS,REQ, ID_AC at this time.
  • the message integrity authentication code MIC2 = H(K_AS,REQ, ID_AC
  • the identity authentication response message M4 is ID_AC
  • the identity authentication response message M4 is a message including at least ID_AC
  • the identity authentication response message M4 is a message including at least ID_AC
  • the invention is based on a symmetric cryptographic mechanism and provides two specific implementations of authentication between the access controller AC and the visitor REQ with the authentication server AS providing the authentication service: one based on a symmetric encryption operation and one based on a hash operation.
  • the hash-based method, that is, the latter embodiment, can implement the authentication between the visitor REQ and the authentication server AS when the access controller AC cannot directly use the authentication service provided by the authentication server AS.
  • the access control process of authorizing the visitor REQ is completed by the access controller AC.
  • embodiments of the present invention can be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the invention can take the form of one or more computer program products embodied on a computer-usable storage medium (including but not limited to disk storage, CD-ROM, optical storage, etc.) in which computer-usable program code is embodied.
  • the present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention.
  • it should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions.
  • these computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing device to produce a machine, such that the instructions are executed by the processor of the computer or other programmable data processing device.
  • the computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising an instruction device;
  • the instruction device implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
  • these computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing;
  • the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Disclosed are a method and system for network access control. After a visitor makes an access request, an access controller in a target network processes the access request and, via the visitor, initiates an authentication request for the visitor's identity to an authentication server; the access controller in the target network completes the authentication of the visitor's identity according to the publishable authentication results of the authentication server forwarded by the visitor, and performs authorization management for successfully authenticated visitors according to authorization strategies. This solves the prior-art problem that access control cannot be implemented when an access controller cannot directly use the authentication services provided by an authentication server, and satisfies the requirements of practical application.

Description

A Network Access Control Method and System. This application claims priority to Chinese patent application No. 201010504262.3, entitled "A Network Access Control Method and System", filed with the Chinese Patent Office on October 13, 2010, the entire content of which is incorporated herein by reference.
Technical Field
The present invention belongs to the field of network security applications within information security technology, and in particular relates to a network access control method and system.
Background Art
In existing network access control methods, after a visitor initiates an access request to a destination network, an access controller in the destination network usually completes the authentication and authorization of the visitor, thereby implementing access control over the visitor. In access control scenarios where a third party, such as an authentication server, takes part in identity authentication, the access controller may be unable to connect directly to the authentication server, for reasons of its own or of the destination network, so that the access controller cannot directly use the authentication service provided by the authentication server. In this situation, the prior-art access control methods, in which the access controller connects directly to the authentication server and uses the authentication service it provides, cannot meet the practical application requirements for access control of visitors.
Summary of the Invention
To solve the above technical problem in the background art, the present invention provides a network access control method and system that can meet the application requirements for access control of visitors.
The present invention provides a network access control method, comprising:
Step 1): a visitor sends an access request message to an access controller in a destination network, the access request message including a random number N_REQ;
Step 2): after receiving the access request message, the access controller constructs an access authentication request message containing first identity authentication information and sends it to the visitor; the first identity authentication information is the result of a symmetric cryptographic operation on N_REQ using the shared key K_AS,AC between the access controller and an authentication server;
Step 3): after receiving the access authentication request message, the visitor constructs an identity authentication request message and sends it to the authentication server; the identity authentication request message includes the first identity authentication information and second identity authentication information, the second identity authentication information being the result of a symmetric cryptographic operation on N_REQ performed by the visitor using the shared key K_AS,REQ between itself and the authentication server;
Step 4): after receiving the identity authentication request message, the authentication server authenticates the first identity authentication information using K_AS,AC to obtain a first authentication result, and encrypts the first authentication result with K_AS,REQ to form a first publishable authentication result for the access controller; it also authenticates the second identity authentication information using K_AS,REQ to obtain a second authentication result, and encrypts the second authentication result with K_AS,AC to form a second publishable authentication result for the visitor; the authentication server then constructs an identity authentication response message, including the first publishable authentication result and the second publishable authentication result, and sends it to the visitor;
Step 5): after receiving the identity authentication response message, the visitor decrypts the first publishable authentication result to obtain the first authentication result, constructs an access authentication response message according to the first authentication result, and sends it to the access controller; the access authentication response message contains the second publishable authentication result;
Step 6): after receiving the access authentication response message, the access controller decrypts the second publishable authentication result to obtain the second authentication result, constructs an access response message according to an authorization policy, and sends it to the visitor; the authorization policy is the policy by which the access controller authorizes the access request.
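The six steps above, run end to end in Python as an added example (not code from the patent or its applicants); it also walks the failure branches that the detailed-embodiment fragments earlier on the page list (the AS terminating when no key is on file, the REQ discarding M4 on a bad MIC2 or refusing when R(AC) is Failure, the AC denying on policy). H is HMAC-SHA256, E(K, X) is a toy XOR keystream standing in for the symmetric cipher, and the identifiers, keys, nonce sizes and authorization policy are constructed.

```python
"""Constructed simulation of the REQ / AC / AS exchange in steps 1) to 6); not the patent's code."""
import hashlib
import hmac
import os

ID_AC, ID_REQ = b"AC000001", b"REQ00001"        # constructed 8-byte identifiers
TRUE, FAIL = b"\x01", b"\x00"                   # one-byte encodings of an authentication result R(.)
# Constructed long-term keys, pre-shared before the system runs (the patent's K_AS,AC and K_AS,REQ).
K_AS_AC = hashlib.sha256(b"constructed K_AS,AC").digest()
K_AS_REQ = hashlib.sha256(b"constructed K_AS,REQ").digest()


def H(key, data):
    """Keyed one-way hash for the MICs; HMAC-SHA256 stands in for the patent's H(K, ...)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def E(key, data):
    """Toy symmetric operation E(K, X): XOR with an HMAC-derived keystream.
    Illustration only (deterministic, unauthenticated); a real deployment would use an AEAD."""
    stream = b"".join(H(key, bytes([i])) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


D = E  # XOR with the same keystream decrypts


def fields(msg, mic_name):
    """Concatenate a message's fields (all but the MIC itself) as the MIC input."""
    return b"".join(msg[k] for k in sorted(msg) if k != mic_name)


def run(q_req, ac_key=K_AS_AC, req_key=K_AS_REQ, policy=lambda q: q.startswith(b"GET /intranet")):
    """Run the six steps and return the outcome. ac_key/req_key are the keys the AC and REQ
    actually hold; passing a wrong one exercises the failure branches of the embodiment."""
    as_keys = {ID_AC: K_AS_AC, ID_REQ: K_AS_REQ}   # what the AS has on file for each identity

    # Step 1: REQ -> AC, M1 = N_REQ || Q_REQ
    n_req = os.urandom(16)
    # Step 2: AC -> REQ, M2 carries N_AC and the first identity information E(K_AS,AC, N_REQ)
    n_ac = os.urandom(16)
    m2 = {"N_REQ": n_req, "N_AC": n_ac, "ID_AC": ID_AC, "I1": E(ac_key, n_req)}
    # Step 3: REQ checks that N_REQ is its own nonce, adds E(K_AS,REQ, N_REQ), sends M3 to AS
    if m2["N_REQ"] != n_req:
        return "discarded_M2"
    m3 = {"ID_AC": m2["ID_AC"], "ID_REQ": ID_REQ, "N_REQ": n_req,
          "I1": m2["I1"], "I2": E(req_key, n_req)}
    # Step 4: AS verifies both pieces and encrypts each result for the *other* party
    k_ac, k_req = as_keys.get(m3["ID_AC"]), as_keys.get(m3["ID_REQ"])
    if k_ac is None or k_req is None:
        return "as_terminated"                       # no shared key on file: AS terminates
    r_ac = TRUE if D(k_ac, m3["I1"]) == m3["N_REQ"] else FAIL
    r_req = TRUE if D(k_req, m3["I2"]) == m3["N_REQ"] else FAIL
    m4 = {"ID_AC": ID_AC, "ID_REQ": ID_REQ,
          "Res_AC": E(k_req, r_ac), "Res_REQ": E(k_ac, r_req)}
    if r_ac == TRUE and r_req == TRUE:             # both genuine: distribute session key K_AC,REQ
        k_sess = os.urandom(16)
        m4["E_AC"] = E(k_ac, m3["ID_REQ"] + k_sess)  # for the AC: ID_REQ || K_AC,REQ
        m4["E_REQ"] = E(k_req, k_sess)               # for the REQ: K_AC,REQ
    m4["MIC2"] = H(k_req, fields(m4, "MIC2"))
    # Step 5: REQ checks MIC2, reads R(AC), recovers K_AC,REQ and forwards Res(REQ) to the AC
    if H(req_key, fields(m4, "MIC2")) != m4["MIC2"]:
        return "discarded_M4"
    if D(req_key, m4["Res_AC"]) != TRUE:
        return "ac_not_authenticated"                # REQ will not talk to an unverified AC
    k_sess_req = D(req_key, m4["E_REQ"])
    n2_req = os.urandom(16)                          # the patent's N'_REQ
    m5 = {"N_AC": n_ac, "N2_REQ": n2_req, "Res_REQ": m4["Res_REQ"], "E_AC": m4["E_AC"]}
    m5["MIC3"] = H(k_sess_req, fields(m5, "MIC3"))
    # Step 6: AC checks its nonce, decrypts Res(REQ) and the session key, applies the policy
    if m5["N_AC"] != n_ac:
        return "discarded_M5"
    if D(ac_key, m5["Res_REQ"]) != TRUE:
        return "req_not_authenticated"
    plain = D(ac_key, m5["E_AC"])
    id_req, k_sess_ac = plain[:len(ID_REQ)], plain[len(ID_REQ):]
    if id_req != ID_REQ or H(k_sess_ac, fields(m5, "MIC3")) != m5["MIC3"]:
        return "denied_identity_or_mic"
    r_access = TRUE if policy(q_req) else FAIL       # authorization decision R_AC
    m6 = {"N2_REQ": m5["N2_REQ"], "E_R": E(k_sess_ac, r_access)}
    m6["MIC4"] = H(k_sess_ac, fields(m6, "MIC4"))
    # REQ reads the access decision from M6
    if m6["N2_REQ"] != n2_req or H(k_sess_req, fields(m6, "MIC4")) != m6["MIC4"]:
        return "discarded_M6"
    return "granted" if D(k_sess_req, m6["E_R"]) == TRUE else "denied_by_policy"
```

Because the AC never needs its own link to the AS, a wrong key on either side is only visible to the AS, which is why the results travel back encrypted for the party that did not produce them.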
The present invention provides an access device, comprising:
an access request interaction module, configured to send an access request message to an access controller of a destination network, the access request message including a random number N_REQ, and to receive an access authentication request message containing first identity authentication information sent by the access controller; the first identity authentication information is the result of a symmetric cryptographic operation on N_REQ using the shared key K_AS,AC between the access controller and an authentication server;
an authentication request interaction module, configured to send an identity authentication request message to an authentication server, the identity authentication request message containing the first identity authentication information and second identity authentication information, the second identity authentication information being the result of a symmetric cryptographic operation on N_REQ performed by the visitor using the shared key K_AS,REQ between itself and the authentication server; and to receive an identity authentication response message sent by the authentication server, the identity authentication response message containing a first publishable authentication result and a second publishable authentication result, where the first publishable authentication result is formed by encrypting with K_AS,REQ the first authentication result obtained by authenticating the access controller according to the first identity authentication information, and the second publishable authentication result is formed by encrypting with K_AS,AC the second authentication result obtained by authenticating the visitor according to the second identity authentication information;
an authentication result interaction module, configured to construct, according to the first authentication result, an access authentication response message containing the second publishable authentication result, send it to the access controller, and receive the access response message sent by the access controller.
The present invention further provides an authentication server, comprising:
an authentication request receiving module, configured to receive an identity authentication request message sent by a visitor, the identity authentication request message containing first identity authentication information of an access controller of the destination network and second identity authentication information of the visitor; the first identity authentication information is the result of a symmetric cryptographic operation, performed by the access controller using the shared key K_AS,AC between itself and the authentication server, on a random number N_REQ contained in the access request message sent by the visitor, and the second identity authentication information is the result of a symmetric cryptographic operation on N_REQ performed by the visitor using the shared key K_AS,REQ between itself and the authentication server;
an authentication execution module, configured to generate, according to the first identity authentication information, a first authentication result from authenticating the access controller, and to encrypt the first authentication result with K_AS,REQ to form a first publishable authentication result for the access controller; and to generate, according to the second identity authentication information, a second authentication result from authenticating the visitor, and to encrypt the second authentication result with K_AS,AC to form a second publishable authentication result for the visitor;
an authentication response sending module, configured to construct an identity authentication response message and send it to the visitor, the identity authentication response message containing the first publishable authentication result and the second publishable authentication result.
The present invention further provides an access controller, comprising:
an access request receiving module, configured to receive an access request message sent by a visitor, the access request message carrying a random number N_REQ;
an access authentication request constructing module, configured to construct an access authentication request message containing first identity authentication information and send it to the visitor, the first identity authentication information being the result of a symmetric cryptographic operation on N_REQ using the shared key K_AS,AC between the access controller and an authentication server;
an access authentication response receiving module, configured to receive and decrypt an access authentication response message sent by the visitor to obtain a second authentication result; the access authentication response message is constructed by the visitor according to a first authentication result contained in an identity authentication response message sent by an authentication server of the destination network, and contains the second authentication result; the first authentication result is determined by the authentication server by authenticating, using K_AS,AC, the first identity authentication information contained in the identity authentication request message sent by the visitor, and the second authentication result is determined by the authentication server by authenticating, using the shared key K_AS,REQ between itself and the visitor, the second identity authentication information sent by the visitor, the second identity authentication information being the result of a symmetric cryptographic operation on N_REQ performed by the visitor using K_AS,REQ;
an access request response module, configured to construct an access response message according to the obtained second authentication result and an authorization policy, and send it to the visitor.
The present invention further provides a network access control system, comprising a visitor, an access controller of a destination network, and an authentication server, wherein:
the visitor is configured to send an access request message to the access controller, the access request message carrying a random number N_REQ; to receive an access authentication request message returned by the access controller, the access authentication request message containing first identity authentication information;
to send an identity authentication request message, containing the first identity authentication information and second identity authentication information, to the authentication server, the second identity authentication information being the result of a symmetric cryptographic operation on N_REQ performed by the visitor using the shared key K_AS,REQ between itself and the authentication server; to receive an identity authentication response message, containing a first publishable authentication result and a second publishable authentication result, sent by the authentication server, and to decrypt the first publishable authentication result to obtain the first authentication result;
to send an access authentication response message to the access controller, the access authentication response message being constructed according to the first authentication result and containing the second publishable authentication result; and
to receive an access response message, sent by the access controller according to the second authentication result, indicating whether access to the target network is authorized;
the access controller is configured to receive the access request message sent by the visitor, and to construct an access authentication request message containing first identity authentication information and send it to the visitor, the first identity authentication information being the result of a symmetric cryptographic operation on N_REQ using the shared key K_AS,AC between the access controller and the authentication server;
to receive and decrypt the access authentication response message sent by the visitor to obtain the second authentication result; and
to construct an access response message according to the obtained second authentication result and an authorization policy, and send it to the visitor;
the authentication server is configured to receive the identity authentication request message sent by the visitor; to generate, according to the first identity authentication information, a first authentication result from authenticating the access controller, and to encrypt the first authentication result with K_AS,REQ to form a first publishable authentication result for the access controller; to generate, according to the second identity authentication information, a second authentication result from authenticating the visitor, and to encrypt the second authentication result with K_AS,AC to form a second publishable authentication result for the visitor; and to return to the visitor an identity authentication response message containing the first publishable authentication result and the second publishable authentication result.
The advantages of the invention are as follows:
The network access control method and system proposed by the present invention complete the authentication of a visitor's identity in the situation where an authentication server takes part but the access controller of the destination network cannot directly use the authentication service the authentication server provides. The invention is based on a symmetric cryptographic mechanism: after the visitor makes an access request, the access controller in the destination network processes the access request and, via the visitor, initiates an authentication request for the visitor's identity to the authentication server; the access controller in the destination network completes the authentication of the visitor's identity according to the publishable authentication results of the authentication server forwarded by the visitor, and performs authorization management of successfully authenticated visitors according to an authorization policy. The invention solves the problem that access control cannot be implemented when the access controller cannot directly use the authentication service provided by the authentication server, and meets the requirements of practical application.
Brief Description of the Drawings
FIG. 1 is a flow chart of the network access control method provided by the present invention.
FIG. 2 is a schematic diagram of the operation of the network access control system provided by the present invention.
FIG. 3 is a detailed block diagram of step S1 in FIG. 2.
FIG. 4 is a detailed block diagram of step S2 in FIG. 2.
FIG. 5 is a detailed block diagram of step S3 in FIG. 2.
FIG. 6 is a detailed block diagram of step S4 in FIG. 2.
FIG. 7 is a detailed block diagram of step S5 in FIG. 2.
FIG. 8 is a detailed block diagram of step S6 in FIG. 2.
DETAILED DESCRIPTION OF EMBODIMENTS
Referring to FIG. 2, the present invention provides a network access control system 100. The access control system 100 includes a visitor REQ, an authentication server AS and an access controller AC. Before the system 100 operates, the visitor REQ and the authentication server AS already share a key K_AS,REQ, and the access controller AC and the authentication server AS already share a key K_AS,AC. Referring to FIG. 1 to FIG. 8, the network access control system 100 completes the authentication and authorization of the visitor REQ in six steps, S1 to S6.
Step S1: Referring to FIG. 3, the visitor REQ sends an access request message M1 to the access controller AC in the destination network. The access request message M1 contains N_REQ||Q_REQ, where N_REQ is a random number generated by the visitor REQ and Q_REQ is the access request of the visitor REQ; the same below.
Step S2: Referring to FIG. 4, after receiving the access request message M1, the access controller AC constructs an access authentication request message M2 and sends it to the visitor REQ. The access authentication request message M2 contains the identity authentication information I1 of the access controller AC. The identity authentication information I1 is used to prove the legitimacy of the identity of the access controller AC to the authentication server AS, and is the result of a symmetric cryptographic operation on N_REQ with the shared key K_AS,AC.
Step S3: Referring to FIG. 5, after receiving the access authentication request message M2, the visitor REQ constructs an identity authentication request message M3 and sends it to the authentication server AS. The identity authentication request message M3 contains the identity authentication information I1 and the identity authentication information I2 of the visitor REQ. The identity authentication information I2 is used to prove the legitimacy of the identity of the visitor REQ to the authentication server AS, and is the result of a symmetric cryptographic operation on N_REQ with the shared key K_AS,REQ.
Step S4: Referring to FIG. 6, the authentication server AS provides the authentication service according to the identity authentication request message M3 and produces the authentication results. The authentication server AS verifies the identity authentication information I1 in the identity authentication request message M3 with the shared key K_AS,AC and obtains a first authentication result for the access controller AC, and verifies the identity authentication information I2 in the identity authentication request message M3 with the shared key K_AS,REQ and obtains a second authentication result for the visitor REQ. The authentication server AS encrypts the first authentication result with the shared key K_AS,REQ to form a publicly available authentication result C1 for the access controller AC, and encrypts the second authentication result with the shared key K_AS,AC to form a publicly available authentication result C2 for the visitor REQ. The authentication server AS then constructs an identity authentication response message M4 and sends it to the visitor REQ. The identity authentication response message M4 contains the publicly available authentication results C1 and C2.
Step S5: Referring to FIG. 7, after receiving the identity authentication response message M4, the visitor REQ decrypts the publicly available authentication result C1 to obtain the first authentication result, constructs an access authentication response message M5 according to the first authentication result, and sends it to the access controller AC. The access authentication response message M5 contains the publicly available authentication result C2.
Step S6: Referring to FIG. 8, after receiving the access authentication response message M5, the access controller AC decrypts the publicly available authentication result C2 in the access authentication response message M5 to obtain the second authentication result, constructs an access response message M6 according to the authorization policy, and sends it to the visitor REQ. The access response message M6 contains information on whether the visitor REQ is authorized to access the destination network. This completes the process of authenticating and authorizing the visitor REQ. The authorization policy is the policy by which the access controller AC authorizes the access request Q_REQ of the visitor REQ. The authorization policy may come from a server, for example the authentication server AS, or may be local to the access controller AC. The authorization policy is built into the authentication server AS or the access controller AC in advance; the present invention only invokes it.
By following steps S1 to S6, the authentication and authorization of the visitor REQ are achieved, meeting the practical application requirement of access control over the visitor REQ.
According to the method of steps S1 to S6 above, the present invention provides an access device, comprising:
an access request interaction module, configured to send an access request message to an access controller of a destination network, the access request message including a random number N_REQ, and to receive from the access controller an access authentication request message containing first identity authentication information, the first identity authentication information being the result of a symmetric cryptographic operation on N_REQ with the shared key K_AS,AC between the access controller and an authentication server;
an authentication request interaction module, configured to send an identity authentication request message to the authentication server, the identity authentication request message containing the first identity authentication information and second identity authentication information, the second identity authentication information being the result of a symmetric cryptographic operation performed by the visitor on N_REQ with the shared key K_AS,REQ between itself and the authentication server, and to receive an identity authentication response message sent by the authentication server, the identity authentication response message containing a first publicly available authentication result and a second publicly available authentication result, where the first publicly available authentication result is formed by encrypting with K_AS,REQ the first authentication result obtained by authenticating the access controller according to the first identity authentication information, and the second publicly available authentication result is formed by encrypting with K_AS,AC the second authentication result obtained by authenticating the visitor according to the second identity authentication information;
an authentication result interaction module, configured to construct, according to the first authentication result, an access authentication response message containing the second publicly available authentication result and send it to the access controller, and to receive the access response message sent by the access controller.
The present invention also provides a corresponding authentication server, comprising:
an authentication request receiving module, configured to receive an identity authentication request message sent by a visitor, the identity authentication request message containing first identity authentication information of an access controller of a destination network and second identity authentication information of the visitor; the first identity authentication information being the result of a symmetric cryptographic operation performed by the access controller, with the shared key K_AS,AC between itself and the authentication server, on a random number N_REQ contained in the access request message sent by the visitor, and the second identity authentication information being the result of a symmetric cryptographic operation performed by the visitor on N_REQ with the shared key K_AS,REQ between itself and the authentication server;
an authentication execution module, configured to generate, according to the first identity authentication information, a first authentication result for the identity authentication of the access controller and to encrypt the first authentication result with K_AS,REQ to form a first publicly available authentication result for the access controller, and to generate, according to the second identity authentication information, a second authentication result for the identity authentication of the visitor and to encrypt the second authentication result with K_AS,AC to form a second publicly available authentication result for the visitor;
an authentication response sending module, configured to construct an identity authentication response message and send it to the visitor, the identity authentication response message containing the first publicly available authentication result and the second publicly available authentication result.
Correspondingly, the present invention also provides an access controller, comprising:
an access request receiving module, configured to receive an access request message sent by a visitor, the access request message carrying a random number N_REQ;
an access authentication request construction module, configured to construct an access authentication request message containing first identity authentication information and send it to the visitor, the first identity authentication information being the result of a symmetric cryptographic operation on N_REQ with the shared key K_AS,AC between the access controller and the authentication server;
an access authentication response receiving module, configured to receive the access authentication response message sent by the visitor and decrypt it to obtain a second authentication result; the access authentication response message being constructed by the visitor according to a first authentication result contained in the identity authentication response message sent by an authentication server of the destination network, and containing the second authentication result; the first authentication result being determined by the authentication server by verifying, with K_AS,AC, the first identity authentication information contained in the identity authentication request message sent by the visitor, and the second authentication result being determined by the authentication server by verifying, with the shared key K_AS,REQ between itself and the visitor, the second identity authentication information sent by the visitor, the second identity authentication information being the result of a symmetric cryptographic operation performed by the visitor on N_REQ with K_AS,REQ;
an access request response module, configured to construct an access response message according to the obtained second authentication result and an authorization policy, and send it to the visitor.
According to the above method of the present invention, a network access control system having the corresponding functions includes a visitor, an access controller of a destination network and an authentication server, wherein:
the visitor is configured to send an access request message to the access controller, the access request message carrying a random number N_REQ; and
to receive the access authentication request message returned by the access controller, the access authentication request message containing first identity authentication information; and
to send an identity authentication request message to the authentication server, containing the first identity authentication information and second identity authentication information, the second identity authentication information being the result of a symmetric cryptographic operation performed by the visitor on N_REQ with the shared key K_AS,REQ between itself and the authentication server; and
to receive the identity authentication response message sent by the authentication server, containing a first publicly available authentication result and a second publicly available authentication result, and to decrypt the first publicly available authentication result to obtain the first authentication result; and
to send an access authentication response message to the access controller, the access authentication response message being constructed according to the first authentication result and containing the second publicly available authentication result; and
to receive the access response message sent by the access controller according to the second authentication result, indicating whether access to the target network is authorized;
the access controller is configured to receive the access request message sent by the visitor, and to construct an access authentication request message containing the first identity authentication information and send it to the visitor, the first identity authentication information being the result of a symmetric cryptographic operation on N_REQ with the shared key K_AS,AC between the access controller and the authentication server; and
to receive the access authentication response message sent by the visitor and decrypt it to obtain the second authentication result; and
to construct an access response message according to the obtained second authentication result and the authorization policy, and send it to the visitor;
the authentication server is configured to receive the identity authentication request message sent by the visitor; to generate, according to the first identity authentication information, a first authentication result for the identity authentication of the access controller, and to encrypt the first authentication result with K_AS,REQ to form a first publicly available authentication result for the access controller; to generate, according to the second identity authentication information, a second authentication result for the identity authentication of the visitor, and to encrypt the second authentication result with K_AS,AC to form a second publicly available authentication result for the visitor; and to return to the visitor an identity authentication response message containing the first publicly available authentication result and the second publicly available authentication result.
A specific embodiment of the above steps S1 to S6 is as follows:
Step S1:
The visitor REQ constructs N_REQ||Q_REQ and sends it to the access controller AC. In this embodiment N_REQ||Q_REQ is the access request message M1; in other embodiments the request message M1 may be another message that contains at least N_REQ||Q_REQ. Here "||" denotes the concatenation of the two pieces of information on either side of it; the same below.
Step S2:
After receiving the access request message M1, i.e. N_REQ||Q_REQ, the access controller AC constructs the access authentication request message M2, i.e. N_REQ||N_AC||E(K_AS,AC, N_REQ), and sends it to the visitor REQ. In other embodiments the access authentication request message M2 is a message that contains at least N_REQ||N_AC||E(K_AS,AC, N_REQ).
Here N_AC is a random number generated by the access controller AC; E(K_AS,AC, N_REQ) is the result of encrypting N_REQ with the shared key K_AS,AC, i.e. the identity authentication information I1 of the access controller AC; and E is a symmetric encryption algorithm. The same below.
Step S3:
After receiving the access authentication request message M2, i.e. N_REQ||N_AC||E(K_AS,AC, N_REQ), the visitor REQ first determines whether N_REQ is the random number that it generated. If not, it discards the access authentication request message M2; if so, the visitor REQ computes E(K_AS,REQ, N_REQ) with the shared key K_AS,REQ, i.e. the identity authentication information I2 of the visitor REQ, constructs the identity authentication request message M3, i.e. ID_AC||N_REQ||E(K_AS,REQ, N_REQ)||E(K_AS,AC, N_REQ), and sends it to the authentication server AS. Here ID_AC is the identity of the access controller AC; the same below.
In other embodiments, the identity authentication request message M3 is a message that contains at least ID_AC||N_REQ||E(K_AS,REQ, N_REQ)||E(K_AS,AC, N_REQ).
Step S4:
4.1) After receiving the identity authentication request message M3, i.e. ID_AC||N_REQ||E(K_AS,REQ, N_REQ)||E(K_AS,AC, N_REQ), the authentication server AS first determines whether the visitor REQ has shared the key K_AS,REQ with the authentication server AS. If the key K_AS,REQ is not shared, 4.2) is executed; if the key K_AS,REQ is shared, 4.3) is executed.
4.2) The authentication server AS determines from ID_AC whether the access controller AC has shared the key K_AS,AC with the authentication server AS. If the key K_AS,AC is not shared, 4.2.1) is executed; if the key K_AS,AC is shared, 4.2.2) is executed.
4.2.1) The authentication server AS terminates the authentication.
4.2.2) The authentication server AS decrypts E(K_AS,AC, N_REQ), i.e. the identity authentication information I1, with the shared key K_AS,AC, and determines whether the decrypted N_REQ equals the N_REQ in the identity authentication request message M3 that the visitor REQ sent to the authentication server AS in step S3. If they are not equal, 4.2.2.1) is executed; if they are equal, 4.2.2.2) is executed.
4.2.2.1) The authentication server AS terminates the authentication.
4.2.2.2) The authentication server AS constructs the identity authentication response message M4, i.e. ID_AC||N_REQ||Res(AC)||Res(REQ)||MIC2, and sends it to the visitor REQ. Here Res(AC) is the publicly available authentication result C1 and Res(REQ) is the publicly available authentication result C2, with Res(AC) = E(K_AS,REQ, R(AC)) and Res(REQ) = E(K_AS,AC, R(REQ)), where R(AC) is the first authentication result and R(REQ) is the second authentication result; MIC2 is a message integrity code; the same below. In this case R(AC) = True, meaning that the identity of the access controller AC is legitimate, and R(REQ) = Failure, meaning that the identity of the visitor REQ is illegitimate; and MIC2 = H(K_AS,REQ, ID_AC||N_REQ||Res(AC)||Res(REQ)), which is used to verify the integrity of the message ID_AC||N_REQ||Res(AC)||Res(REQ).
4.3) The authentication server AS decrypts E(K_AS,REQ, N_REQ) with the shared key K_AS,REQ and determines whether the decrypted N_REQ equals the N_REQ in the identity authentication request message M3 that the visitor REQ sent to the authentication server AS in step S3. If they are not equal, 4.3.1) is executed; if they are equal, 4.3.2) is executed.
4.3.1) The authentication server AS determines from ID_AC whether the access controller AC has shared the key K_AS,AC with the authentication server AS. If the key K_AS,AC is not shared, 4.3.1.1) is executed; if the key K_AS,AC is shared, 4.3.1.2) is executed.
4.3.1.1) The authentication server AS terminates the authentication.
4.3.1.2) The authentication server AS decrypts E(K_AS,AC, N_REQ) with the shared key K_AS,AC and determines whether the decrypted N_REQ equals the N_REQ in the identity authentication request message M3 that the visitor REQ sent to the authentication server AS in step S3. If they are not equal, 4.3.1.2.1) is executed; if they are equal, 4.3.1.2.2) is executed.
4.3.1.2.1) The authentication server AS terminates the authentication.
4.3.1.2.2) The authentication server AS constructs the identity authentication response message M4, i.e. ID_AC||N_REQ||Res(AC)||Res(REQ)||MIC2, and sends it to the visitor REQ. In this case R(AC) = True, meaning that the authentication server AS has authenticated the access controller AC successfully, and R(REQ) = Failure, meaning that the authentication server AS has failed to authenticate the visitor REQ; and MIC2 = H(K_AS,REQ, ID_AC||N_REQ||Res(AC)||Res(REQ)), which is used to verify the integrity of the message ID_AC||N_REQ||Res(AC)||Res(REQ). Here H is a one-way hash algorithm; the same below.
4.3.2) The authentication server AS determines from ID_AC whether the access controller AC has shared the key K_AS,AC with the authentication server AS. If the key K_AS,AC is not shared, 4.3.2.1) is executed; if the key K_AS,AC is shared, 4.3.2.2) is executed.
4.3.2.1) The authentication server AS constructs the identity authentication response message M4, i.e. ID_AC||N_REQ||Res(AC)||Res(REQ)||MIC2, and sends it to the visitor REQ. In this case R(AC) = Failure, meaning that the authentication server AS has failed to authenticate the access controller AC, and R(REQ) = True, meaning that the authentication server AS has authenticated the visitor REQ successfully; and MIC2 = H(K_AS,REQ, ID_AC||N_REQ||Res(AC)||Res(REQ)), which is used to verify the integrity of the message ID_AC||N_REQ||Res(AC)||Res(REQ).
4.3.2.2) The authentication server AS determines whether the N_REQ obtained by decrypting E(K_AS,AC, N_REQ) with the shared key K_AS,AC equals the N_REQ in the identity authentication request message M3 that the visitor REQ sent to the authentication server AS in step S3. If not, step 4.3.2.1) is executed; if so, 4.3.2.3) is executed.
4.3.2.3) The authentication server AS generates a session key K_AC,REQ between the visitor REQ and the access controller AC, then uses the shared keys K_AS,AC and K_AS,REQ and the session key K_AC,REQ to compute E(K_AS,AC, ID_REQ||K_AC,REQ) and E(K_AS,REQ, K_AC,REQ), and then computes the message integrity code for this case, MIC2 = H(K_AS,REQ, ID_AC||N_REQ||Res(AC)||Res(REQ)||E(K_AS,AC, ID_REQ||K_AC,REQ)||E(K_AS,REQ, K_AC,REQ)). Here ID_REQ is the identity of the visitor REQ; the same below. The message integrity code MIC2 in this case is used to verify the integrity of the message ID_AC||N_REQ||Res(AC)||Res(REQ)||E(K_AS,AC, ID_REQ||K_AC,REQ)||E(K_AS,REQ, K_AC,REQ). In this case R(AC) = True, meaning that the authentication server AS has authenticated the access controller AC successfully, and R(REQ) = True, meaning that the authentication server AS has authenticated the visitor REQ successfully. The authentication server AS then constructs the identity authentication response message M4 for this case, i.e. ID_AC||N_REQ||Res(AC)||Res(REQ)||E(K_AS,AC, ID_REQ||K_AC,REQ)||E(K_AS,REQ, K_AC,REQ)||MIC2, and sends it to the visitor REQ.
综上可以注意到, 当 R(AC)=Failure或 R(REQ)=Failure时, 消息完整性鉴 别码 MIC2=H(KAS,REQ, IDAC||NREQ||Res (AC)||Res (REQ)), 相应的, 身份鉴别响应消息 M4 为 IDAC||NREQ||Res (AC)||Res (REQ)||MIC2, 另外, 在其他实施例中, 身份鉴别响应消 息 M4为一至少包含 IDAC||NREQ||Res (AC) ||Res (REQ) ||MIC2的消息; 当 R (AC) =True且 R (REQ) =True 时 , 消 息 完 整 性 鉴 别 码 MIC2=In summary, when R(AC)=Failure or R(REQ)=Failure, the message integrity authentication code MIC 2 =H(K AS , REQ , ID AC ||N REQ ||Res (AC)| |Res (REQ)), correspondingly, the identity authentication response message M4 is ID AC ||N REQ ||Res (AC)||Res (REQ)||MIC 2 , in addition, in other embodiments, the identity authentication response Message M4 is a message containing at least ID AC ||N REQ ||Res (AC) ||Res (REQ) ||MIC 2 ; when R (AC) = True and When R (REQ) = True, the message integrity authentication code MIC 2 =
H (KAS;REQ, IDAC||NREQ||Res (AC) ||Res (REQ) ||E (KAS;AC, IDREQ||K ||E (K , , ) ) ·> 相应 的 , 身 份 鉴 别 响 应 消 息 M4 为 IDAC||NREQ||Res (AC) ||Res (REQ) ||E (KAS;AC, IDREQ||KAC ) ||E (KAS;REQ, KAC,REQ) ||MIC2, 另外, 在 其 他 实 施 例 中 , 身 份 鉴 别 响 应 消 息 M4 为 一 至 少 包 含 IDAC||NREQ||Res (AC) ||Res (REQ) ||E (KAS;AC, IDREQ||KAC ) ||E (KAS;REQ, KAC,REQ) ||MIC2的消息。 H (K AS; REQ , ID AC ||N REQ ||Res (AC) ||Res (REQ) ||E (K AS;AC , ID REQ ||K ||E (K , , ) ) ·> Correspondingly, the identity authentication response message M4 is ID AC ||N REQ ||Res (AC) ||Res (REQ) ||E (K AS; AC , ID REQ ||K AC ) ||E (K AS; REQ , K AC , REQ ) ||MIC 2 , In addition, in other embodiments, the identity authentication response message M4 is at least including ID AC ||N REQ ||Res (AC) ||Res (REQ) ||E (K AS; AC , ID REQ ||K AC ) ||E (K AS; REQ , K AC , REQ ) || MIC 2 message.
Step S5:
5.1) After the visitor REQ receives the identity authentication response message M4, i.e. ID_AC||N_REQ||Res(AC)||Res(REQ)||MIC2 or ID_AC||N_REQ||Res(AC)||Res(REQ)||E(K_AS,AC, ID_REQ||K_AC,REQ)||E(K_AS,REQ, K_AC,REQ)||MIC2, it first checks whether the random number N_REQ is the one it generated itself; if not, execute 5.2); if so, execute 5.3).
5.2) The visitor REQ discards the identity authentication response message M4.
5.3) The visitor REQ checks the integrity of the message using MIC2; if the check fails, execute 5.3.1); if it passes, execute 5.3.2).
5.3.1) The visitor REQ discards the identity authentication response message M4.
5.3.2) The visitor REQ decrypts the disclosable authentication result C1, i.e. Res(AC), with K_AS,REQ to determine whether the access controller AC is legitimate. If decrypting Res(AC) yields R(AC)=Failure, the access controller AC is illegitimate and 5.3.2.1) is executed; if it yields R(AC)=True, the access controller AC is legitimate and 5.3.2.2) is executed.
5.3.2.1) The visitor REQ terminates the access.
5.3.2.2) The visitor REQ decrypts E(K_AS,REQ, K_AC,REQ) in the identity authentication response message M4 to obtain the session key K_AC,REQ, generates a random number N'_REQ, computes the message integrity authentication code MIC3 = H(K_AC,REQ, N_AC||N'_REQ||Res(REQ)||E(K_AS,AC, ID_REQ||K_AC,REQ)), and constructs the access authentication response message M5 = N_AC||N'_REQ||Res(REQ)||E(K_AS,AC, ID_REQ||K_AC,REQ)||MIC3, which it sends to the access controller AC. MIC3 protects the integrity of the message N_AC||N'_REQ||Res(REQ)||E(K_AS,AC, ID_REQ||K_AC,REQ). In other embodiments the access authentication response message M5 is a message that contains at least N_AC||N'_REQ||Res(REQ)||E(K_AS,AC, ID_REQ||K_AC,REQ)||MIC3.
Step S6:
6.1) After the access controller AC receives the access authentication response message M5, i.e. N_AC||N'_REQ||Res(REQ)||E(K_AS,AC, ID_REQ||K_AC,REQ)||MIC3, it first checks whether the random number N_AC is the one it generated itself; if not, execute 6.2); if so, execute 6.3).
6.2) The access controller AC denies the visitor REQ access.
6.3) The access controller AC decrypts Res(REQ) with K_AS,AC. If decrypting Res(REQ) yields R(REQ)=Failure, the visitor REQ is illegitimate and 6.3.1) is executed; if it yields R(REQ)=True, the visitor REQ is legitimate and 6.3.2) is executed.
6.3.1) The access controller AC denies the visitor REQ access.
6.3.2) The access controller AC decrypts E(K_AS,AC, ID_REQ||K_AC,REQ), obtains the session key K_AC,REQ, and checks the integrity of the message N_AC||N'_REQ||Res(REQ)||E(K_AS,AC, ID_REQ||K_AC,REQ) using MIC3; if the check fails, execute 6.3.2.1); if it passes, execute 6.3.2.2).
6.3.2.1) The access controller AC denies the visitor REQ access.
6.3.2.2) The access controller AC checks whether the ID_REQ obtained by decrypting E(K_AS,AC, ID_REQ||K_AC,REQ) matches the identity ID_REQ of the visitor REQ; if they differ, execute 6.3.2.2.1); if they match, execute 6.3.2.2.2).
6.3.2.2.1) The access controller AC denies the visitor REQ access.
6.3.2.2.2) The access controller AC determines, according to the authorization policy, whether the access request Q_REQ sent by the visitor REQ in step S1 is permitted; if not, execute 6.3.2.2.2.1); if so, execute 6.3.2.2.2.2).
6.3.2.2.2.1) The access controller AC denies the visitor REQ access.
6.3.2.2.2.2) The access controller AC constructs the response data R_AC according to Q_REQ, computes the message integrity authentication code MIC4 = H(K_AC,REQ, N'_REQ||E(K_AC,REQ, R_AC)), and constructs the access response message M6 = N'_REQ||E(K_AC,REQ, R_AC)||MIC4, which it sends to the visitor REQ. R_AC is how the access controller AC tells the visitor REQ whether it is authorized to access the destination network. MIC4 protects the integrity of the message N'_REQ||E(K_AC,REQ, R_AC). The authorization policy that the access controller AC applies to the visitor REQ may be held locally by the access controller AC or supplied by another server such as the authentication server AS. When the authorization policy is supplied by the authentication server AS, the field E(K_AS,AC, ID_REQ||K_AC,REQ) in the identity authentication response message M4 of step S4, i.e. ID_AC||N_REQ||Res(AC)||Res(REQ)||E(K_AS,AC, ID_REQ||K_AC,REQ)||E(K_AS,REQ, K_AC,REQ)||MIC2, is changed to E(K_AS,AC, ID_REQ||K_AC,REQ||AP_AS), and likewise the field E(K_AS,AC, ID_REQ||K_AC,REQ) in the access authentication response message M5 of step S5, i.e. N_AC||N'_REQ||E(K_AS,AC, ID_REQ||K_AC,REQ)||MIC3, is changed to E(K_AS,AC, ID_REQ||K_AC,REQ||AP_AS), where AP_AS denotes the authorization policy for the visitor REQ.
At this point the access controller AC has authenticated and authorized the visitor REQ, and access control at the access controller AC is achieved.
6.4) After the visitor REQ receives the access response message M6, i.e. N'_REQ||E(K_AC,REQ, R_AC)||MIC4, it first checks whether the random number N'_REQ is the one it generated itself; if not, execute 6.4.1); if so, execute 6.4.2).
6.4.1) The visitor REQ discards the access response message M6.
6.4.2) The visitor REQ checks the integrity of the message N'_REQ||E(K_AC,REQ, R_AC) using MIC4; if the check fails, execute 6.4.2.1); if it passes, execute 6.4.2.2).
6.4.2.1) The visitor REQ discards the access response message M6.
6.4.2.2) The visitor REQ decrypts E(K_AC,REQ, R_AC) to obtain the response data R_AC, determines from R_AC whether the access controller AC has authorized it to access the destination network, and accesses the destination network accordingly.
In other embodiments the access response message M6 is a message that contains at least N'_REQ||E(K_AC,REQ, R_AC)||MIC4.
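The M4, M5 and M6 leg just described (steps S4 to S6 of the first embodiment) as an added worked example; this is not code from the patent. Every check is applied in the order the steps give it (nonce, MIC, Res(AC) or Res(REQ), the ID_REQ binding, the authorization policy), and one run shows a ciphertext bit flipped in transit being rejected by MIC2 rather than by E. HMAC-SHA256 for H, the stand-in stream cipher for E, the one-byte True/Failure encoding, the 16-byte session key, the dict message layout, and all keys, identities and nonces are assumptions.

```python
import hashlib
import hmac
import os

TRUE, FAILURE = b"\x01", b"\x00"   # assumed one-byte encodings of R(x)=True / R(x)=Failure
KEY_LEN = 16                        # assumed length of the session key K_AC,REQ

def H(key: bytes, msg: bytes) -> bytes:
    """Keyed hash H(K, msg) behind every MIC; HMAC-SHA256 is an assumption."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def E(key: bytes, msg: bytes, iv: bytes = b"") -> bytes:
    """Stand-in for E(K, msg): random IV + HMAC-SHA256 keystream XOR (stdlib only, malleable)."""
    iv = iv or os.urandom(16)
    ks = b"".join(H(key, iv + i.to_bytes(4, "big")) for i in range(len(msg) // 32 + 1))
    return iv + bytes(a ^ b for a, b in zip(msg, ks))

def D(key: bytes, ct: bytes) -> bytes:
    """Inverse of E: reuse the IV in front of the ciphertext and XOR the keystream back."""
    return E(key, ct[16:], iv=ct[:16])[16:]

def fields(msg: dict) -> bytes:
    """a||b||c of every field except the MIC itself, i.e. the input the MIC is computed over."""
    return b"".join(v for k, v in msg.items() if not k.startswith("MIC"))

def as_build_m4(k_as_ac, k_as_req, id_ac, id_req, n_req, r_ac, r_req):
    """Step S4: Res(AC)=E(K_AS,REQ, R(AC)), Res(REQ)=E(K_AS,AC, R(REQ)); the session key and
    its two encrypted copies are added only in the all-True case of 4.3.2.3)."""
    m4 = {"ID_AC": id_ac, "N_REQ": n_req,
          "Res_AC": E(k_as_req, r_ac), "Res_REQ": E(k_as_ac, r_req)}
    if r_ac == TRUE and r_req == TRUE:
        k_ac_req = os.urandom(KEY_LEN)
        m4["E_AC"] = E(k_as_ac, id_req + k_ac_req)    # E(K_AS,AC, ID_REQ||K_AC,REQ)
        m4["E_REQ"] = E(k_as_req, k_ac_req)           # E(K_AS,REQ, K_AC,REQ)
    m4["MIC2"] = H(k_as_req, fields(m4))
    return m4

def req_handle_m4(k_as_req, n_req, n_ac, m4):
    """Step S5 at the visitor: nonce, MIC2, Res(AC); on success build M5."""
    if m4["N_REQ"] != n_req:                                            # 5.1) -> 5.2)
        return "discard", None
    if not hmac.compare_digest(m4["MIC2"], H(k_as_req, fields(m4))):   # 5.3) -> 5.3.1)
        return "discard", None
    if D(k_as_req, m4["Res_AC"]) != TRUE or "E_REQ" not in m4:          # 5.3.2) -> 5.3.2.1)
        return "terminate", None   # AC illegitimate, or the short M4 carried no session key
    k_ac_req = D(k_as_req, m4["E_REQ"])                                 # 5.3.2.2)
    n2_req = os.urandom(16)                                             # N'_REQ
    m5 = {"N_AC": n_ac, "N2_REQ": n2_req, "Res_REQ": m4["Res_REQ"], "E_AC": m4["E_AC"]}
    m5["MIC3"] = H(k_ac_req, fields(m5))
    return "ok", (k_ac_req, n2_req, m5)

def ac_handle_m5(k_as_ac, n_ac, id_req, q_req, policy, m5):
    """Step S6 at the access controller: each failed check is a deny, 6.2) to 6.3.2.2.2.1)."""
    if m5["N_AC"] != n_ac:                                              # 6.1)
        return "deny", None
    if D(k_as_ac, m5["Res_REQ"]) != TRUE:                               # 6.3)
        return "deny", None
    plain = D(k_as_ac, m5["E_AC"])                                      # 6.3.2)
    id_from_as, k_ac_req = plain[:-KEY_LEN], plain[-KEY_LEN:]
    if not hmac.compare_digest(m5["MIC3"], H(k_ac_req, fields(m5))):   # 6.3.2.1)
        return "deny", None
    if id_from_as != id_req:                                            # 6.3.2.2)
        return "deny", None
    if not policy(id_req, q_req):                                       # 6.3.2.2.2)
        return "deny", None
    r_ac = b"granted:" + q_req                                          # 6.3.2.2.2.2) R_AC
    m6 = {"N2_REQ": m5["N2_REQ"], "E_R": E(k_ac_req, r_ac)}
    m6["MIC4"] = H(k_ac_req, fields(m6))
    return "ok", (k_ac_req, m6)

def req_handle_m6(k_ac_req, n2_req, m6):
    """Step 6.4) at the visitor: nonce, MIC4, then decrypt R_AC."""
    if m6["N2_REQ"] != n2_req:                                          # 6.4.1)
        return "discard", None
    if not hmac.compare_digest(m6["MIC4"], H(k_ac_req, fields(m6))):   # 6.4.2.1)
        return "discard", None
    return "ok", D(k_ac_req, m6["E_R"])                                 # 6.4.2.2)

def run(r_ac=TRUE, r_req=TRUE, q_req=b"intranet", flip_res_ac=False):
    """Drive M4 -> M5 -> M6 with constructed keys and identities; returns the visitor's outcome."""
    k_as_ac, k_as_req = os.urandom(16), os.urandom(16)     # constructed shared keys
    id_ac, id_req = b"ac-01", b"req-42"                     # constructed identities
    n_req, n_ac = os.urandom(16), os.urandom(16)            # nonces carried over from M1 and M2
    policy = lambda ident, q: q == b"intranet"              # AC-local authorization policy
    m4 = as_build_m4(k_as_ac, k_as_req, id_ac, id_req, n_req, r_ac, r_req)
    if flip_res_ac:   # one ciphertext bit flipped in transit: E alone would accept it, MIC2 rejects it
        m4["Res_AC"] = m4["Res_AC"][:-1] + bytes([m4["Res_AC"][-1] ^ 0x01])
    st, out = req_handle_m4(k_as_req, n_req, n_ac, m4)
    if st != "ok":
        return "REQ:" + st
    k_req_side, n2_req, m5 = out
    st, out = ac_handle_m5(k_as_ac, n_ac, id_req, q_req, policy, m5)
    if st != "ok":
        return "AC:" + st
    k_ac_side, m6 = out
    st, r_ac_data = req_handle_m6(k_req_side, n2_req, m6)
    if st != "ok" or k_req_side != k_ac_side:
        return "REQ:" + st
    return r_ac_data.decode()
```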
Another specific embodiment of steps S2 to S4 above is as follows:
Step S2:
After the access controller AC receives the access request message M1, i.e. N_REQ||Q_REQ, it constructs the access authentication request message M2 = N_REQ||N_AC||H(K_AS,AC||N_REQ) and sends it to the visitor REQ; in other embodiments the access authentication request message M2 is a message that contains at least N_REQ||N_AC||H(K_AS,AC||N_REQ). Here H(K_AS,AC||N_REQ) is the result of hashing K_AS,AC||N_REQ, and is the identity authentication information I1 of the access controller AC.
Step S3:
After the visitor REQ receives the access authentication request message M2, i.e. N_REQ||N_AC||H(K_AS,AC||N_REQ), it first checks whether N_REQ is the random number it generated itself; if not, it discards the access authentication request message M2; if so, the visitor REQ uses the shared key K_AS,REQ to compute the message integrity authentication code MIC5 = H(K_AS,REQ, ID_AC||N_REQ||H(K_AS,AC||N_REQ)) and constructs the identity authentication request message M3 = ID_AC||N_REQ||H(K_AS,AC||N_REQ)||MIC5, which it sends to the authentication server AS. MIC5 protects the integrity of ID_AC||N_REQ||H(K_AS,AC||N_REQ), and MIC5 is the identity authentication information I2 of the visitor REQ.
In other embodiments the identity authentication request message M3 is a message that contains at least ID_AC||N_REQ||H(K_AS,AC||N_REQ)||MIC5.
Step S4:
4.1') After the authentication server AS receives the identity authentication request message M3, i.e. ID_AC||N_REQ||H(K_AS,AC||N_REQ)||MIC5, it first determines whether the visitor REQ shares the key K_AS,REQ with it; if not, execute 4.2'); if so, execute 4.3').
4.2') The authentication server AS determines from ID_AC whether the access controller AC shares the key K_AS,AC with it; if not, execute 4.2.1'); if so, execute 4.2.2').
4.2.1') The authentication server AS terminates the authentication.
4.2.2') The authentication server AS constructs the identity authentication response message M4 = ID_AC||N_REQ||Res(AC)||Res(REQ)||MIC2 and sends it to the visitor REQ. Here Res(AC) is the disclosable authentication result C1 and Res(REQ) is the disclosable authentication result C2, with Res(AC) = E(K_AS,REQ, R(AC)) and Res(REQ) = E(K_AS,AC, R(REQ)); R(AC) is the first verification result, R(REQ) is the second verification result, and MIC2 is the message integrity authentication code. In this case R(REQ)=Failure, meaning that the authentication server AS has failed to authenticate the visitor REQ, and R(AC)=True, meaning that the authentication server AS has authenticated the access controller AC successfully. Here MIC2 = H(K_AS,REQ, ID_AC||N_REQ||Res(AC)||Res(REQ)) and protects the integrity of the message ID_AC||N_REQ||Res(AC)||Res(REQ).
4.3') The authentication server AS checks the integrity of ID_AC||N_REQ||H(K_AS,AC||N_REQ) using the MIC5 in the identity authentication request message M3; if the check fails, execute 4.3.1'); if it passes, the visitor REQ is legitimate and 4.3.2') is executed.
4.3.1') The authentication server AS discards the identity authentication request message M3.
4.3.2') The authentication server AS determines from ID_AC whether the access controller AC shares the key K_AS,AC with it; if not, execute 4.3.2.1'); if so, execute 4.3.2.2').
4.3.2.1') The authentication server AS constructs the identity authentication response message M4 = ID_AC||N_REQ||Res(AC)||Res(REQ)||MIC2 and sends it to the visitor REQ. In this case R(AC)=Failure, meaning that the authentication server AS has failed to authenticate the access controller AC, and R(REQ)=True, meaning that the authentication server AS has authenticated the visitor REQ successfully. Here MIC2 = H(K_AS,REQ, ID_AC||N_REQ||Res(AC)||Res(REQ)) and protects the integrity of the message ID_AC||N_REQ||Res(AC)||Res(REQ).
4.3.2.2') The authentication server AS verifies H(K_AS,AC||N_REQ) against N_REQ; if the verification fails, execute 4.3.2.2.1'); if it succeeds, execute 4.3.2.2.2').
4.3.2.2.1') The authentication server AS constructs the identity authentication response message M4 = ID_AC||N_REQ||Res(AC)||Res(REQ)||MIC2 and sends it to the visitor REQ. In this case R(AC)=Failure, meaning that the authentication server AS has failed to authenticate the access controller AC, and R(REQ)=True, meaning that the authentication server AS has authenticated the visitor REQ successfully. Here MIC2 = H(K_AS,REQ, ID_AC||N_REQ||Res(AC)||Res(REQ)) and protects the integrity of the message ID_AC||N_REQ||Res(AC)||Res(REQ).
4.3.2.2.2') The authentication server AS generates a session key K_AC,REQ between the visitor REQ and the access controller AC, then uses the shared keys K_AS,AC and K_AS,REQ together with the session key K_AC,REQ to compute E(K_AS,AC, ID_REQ||K_AC,REQ) and E(K_AS,REQ, K_AC,REQ), and then computes the message integrity authentication code for this case, MIC2 = H(K_AS,REQ, ID_AC||N_REQ||Res(AC)||Res(REQ)||E(K_AS,AC, ID_REQ||K_AC,REQ)||E(K_AS,REQ, K_AC,REQ)), which protects the integrity of the message ID_AC||N_REQ||Res(AC)||Res(REQ)||E(K_AS,AC, ID_REQ||K_AC,REQ)||E(K_AS,REQ, K_AC,REQ). In this case R(AC)=True, meaning that the authentication server AS has authenticated the access controller AC successfully, and R(REQ)=True, meaning that the authentication server AS has authenticated the visitor REQ successfully. The authentication server AS then constructs the identity authentication response message M4 = ID_AC||N_REQ||Res(AC)||Res(REQ)||E(K_AS,AC, ID_REQ||K_AC,REQ)||E(K_AS,REQ, K_AC,REQ)||MIC2 and sends it to the visitor REQ.
In summary, when R(AC)=Failure or R(REQ)=Failure, the message integrity authentication code is MIC2 = H(K_AS,REQ, ID_AC||N_REQ||Res(AC)||Res(REQ)) and the identity authentication response message M4 is correspondingly ID_AC||N_REQ||Res(AC)||Res(REQ)||MIC2 (in other embodiments M4 is a message that contains at least ID_AC||N_REQ||Res(AC)||Res(REQ)||MIC2). When R(AC)=True and R(REQ)=True, the message integrity authentication code is MIC2 = H(K_AS,REQ, ID_AC||N_REQ||Res(AC)||Res(REQ)||E(K_AS,AC, ID_REQ||K_AC,REQ)||E(K_AS,REQ, K_AC,REQ)) and M4 is correspondingly ID_AC||N_REQ||Res(AC)||Res(REQ)||E(K_AS,AC, ID_REQ||K_AC,REQ)||E(K_AS,REQ, K_AC,REQ)||MIC2 (in other embodiments M4 is a message that contains at least ID_AC||N_REQ||Res(AC)||Res(REQ)||E(K_AS,AC, ID_REQ||K_AC,REQ)||E(K_AS,REQ, K_AC,REQ)||MIC2).
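The hash-based S2 to S4 exchange above as an added example (not the patent's own code): the access controller's I1 = H(K_AS,AC||N_REQ), the visitor's MIC5 over ID_AC||N_REQ||I1, and the authentication server's branch logic from 4.1') through 4.3.2.2.2'), returning the (R(AC), R(REQ)) pair each branch settles on. SHA-256 for the unkeyed hash, HMAC-SHA256 for the keyed H, the AS-side key tables, and the AS knowing the requesting visitor's identity ID_REQ are assumptions.

```python
import hashlib
import hmac


def H(key: bytes, msg: bytes) -> bytes:
    """Keyed hash H(K, msg) behind MIC5; HMAC-SHA256 is an assumption."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def h_cat(key: bytes, n_req: bytes) -> bytes:
    """H(K_AS,AC||N_REQ): an unkeyed hash of the concatenation (SHA-256 assumed); this is I1."""
    return hashlib.sha256(key + n_req).digest()


def ac_build_m2(k_as_ac: bytes, n_req: bytes, n_ac: bytes) -> dict:
    """Step S2: M2 = N_REQ||N_AC||H(K_AS,AC||N_REQ); N_AC is the controller's fresh random number."""
    return {"N_REQ": n_req, "N_AC": n_ac, "I1": h_cat(k_as_ac, n_req)}


def req_build_m3(k_as_req: bytes, id_ac: bytes, n_req: bytes, m2: dict):
    """Step S3: check N_REQ, then M3 = ID_AC||N_REQ||I1||MIC5 with MIC5 = H(K_AS,REQ, ID_AC||N_REQ||I1)."""
    if m2["N_REQ"] != n_req:
        return None                                   # not the visitor's own random number: discard M2
    m3 = {"ID_AC": id_ac, "N_REQ": m2["N_REQ"], "I1": m2["I1"]}
    m3["MIC5"] = H(k_as_req, m3["ID_AC"] + m3["N_REQ"] + m3["I1"])
    return m3


def as_check_m3(keys_req: dict, keys_ac: dict, id_req: bytes, m3: dict):
    """Step S4 of the hash embodiment. keys_req maps a visitor identity to K_AS,REQ and keys_ac
    maps ID_AC to K_AS,AC (AS-side key tables, assumed); id_req is the identity of the requesting
    visitor, which the AS is assumed to know. Returns (R(AC), R(REQ)) or the terminal step taken."""
    k_as_req, k_as_ac = keys_req.get(id_req), keys_ac.get(m3["ID_AC"])
    if k_as_req is None:                                            # 4.1') -> 4.2')
        if k_as_ac is None:
            return "terminate"                                      # 4.2.1')
        return ("True", "Failure")                                  # 4.2.2'): I1 is not checked here
    mic_input = m3["ID_AC"] + m3["N_REQ"] + m3["I1"]
    if not hmac.compare_digest(m3["MIC5"], H(k_as_req, mic_input)):
        return "discard"                                            # 4.3') -> 4.3.1')
    if k_as_ac is None:
        return ("Failure", "True")                                  # 4.3.2') -> 4.3.2.1')
    if not hmac.compare_digest(m3["I1"], h_cat(k_as_ac, m3["N_REQ"])):
        return ("Failure", "True")                                  # 4.3.2.2') -> 4.3.2.2.1')
    return ("True", "True")                                         # 4.3.2.2.2'): session key setup follows
```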
The invention rests on the symmetric cryptographic mechanisms of cryptography and provides two concrete ways of carrying out authentication between the access controller AC and the visitor REQ when the authentication server AS provides the authentication service: one based on a symmetric encryption operation (the former embodiment) and one based on a hash operation (the latter embodiment). Both realize an access control process in which, when the access controller AC cannot use the authentication service of the authentication server AS directly, authentication is completed between the visitor REQ and the authentication server AS and the access controller AC then authorizes the visitor REQ.
Those skilled in the art will appreciate that embodiments of the invention may be provided as a method, a system, or a computer program product. Accordingly, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the invention have been described, those skilled in the art, once they know the basic inventive concept, may make further changes and modifications to these embodiments. Therefore the appended claims are intended to be construed as covering the preferred embodiments and all changes and modifications that fall within the scope of the invention. the spirit and scope of the invention. Thus, provided that such modifications and variations of the invention fall within the scope of the claims of the invention and their equivalents, the invention is intended to cover these modifications and variations as well.

Claims

1. A network access control method, characterized in that it comprises:
step 1) a visitor sends an access request message to an access controller in a destination network, the access request message including a random number N_REQ;
step 2) after receiving the access request message, the access controller constructs an access authentication request message containing first identity authentication information and sends it to the visitor, the first identity authentication information being the result of a symmetric cryptographic operation on N_REQ using the shared key K_AS,AC between the access controller and an authentication server;
step 3) after receiving the access authentication request message, the visitor constructs an identity authentication request message and sends it to the authentication server, the identity authentication request message including the first identity authentication information and second identity authentication information, the second identity authentication information being the result of a symmetric cryptographic operation performed by the visitor on N_REQ using the shared key K_AS,REQ between itself and the authentication server;
step 4) after receiving the identity authentication request message, the authentication server authenticates the first identity authentication information using K_AS,AC to obtain a first authentication result and encrypts the first authentication result with K_AS,REQ to form a first disclosable authentication result for the access controller; authenticates the second identity authentication information using K_AS,REQ to obtain a second authentication result and encrypts the second authentication result with K_AS,AC to form a second disclosable authentication result for the visitor; and constructs an identity authentication response message, including the first disclosable authentication result and the second disclosable authentication result, and sends it to the visitor;
step 5) after receiving the identity authentication response message, the visitor decrypts the first disclosable authentication result to obtain the first authentication result, constructs an access authentication response message according to the first authentication result and sends it to the access controller, the access authentication response message including the second disclosable authentication result;
step 6) after receiving the access authentication response message, the access controller decrypts the second disclosable authentication result to obtain the second authentication result, and constructs an access response message according to an authorization policy and sends it to the visitor, the authorization policy being the policy by which the access controller authorizes the access request.
2、如权利要求 1所述的方法, 其特征在于, 所述进行对称密码运算包括: 釆用基于对称加密算法或哈希算法的运算。  The method according to claim 1, wherein the performing the symmetric cryptographic operation comprises: using an operation based on a symmetric encryption algorithm or a hash algorithm.
3、 如权利要求 2所述的方法, 其特征在于, 所述身份鉴别请求消息中还 包含所述访问控制器的标识信息 IDAC; 所述步骤 4 ) 中, 所述鉴别服务器接收 到所述身份鉴别请求消息后, 若判断自身没有与所述访问者之间共享所述 KAS;REQ, 且根据所述 IDAC判断自身没有与所述访问控制器之间共享所述 KAS,AC, 则终止鉴别。 The method according to claim 2, wherein the identity authentication request message further includes the identification information ID AC of the access controller; in the step 4), the authentication server receives the After the identity authentication request message, if it is determined that the K AS; REQ is not shared with the visitor, and according to the ID AC, it is determined that the K AS , AC is not shared with the access controller. Then the authentication is terminated.
4、 如权利要求 2所述的方法, 其特征在于, 所述身份鉴别请求消息中还 包含所述访问控制器的标识信息 IDAC和所述 NREQ; 所述步骤 4 ) 中, 所述鉴别 服务器接收到所述身份鉴别请求消息后, 若判断出与所述访问者之间没有共 享所述 KAS,REQ,且根据所述 IDAC判断出与所述访问控制器之间已共享所述 KAS,AC, 则 The method according to claim 2, wherein the identity authentication request message further includes the identification information ID AC and the N REQ of the access controller; in the step 4), the authentication After receiving the identity authentication request message, the server determines that the K AS , REQ is not shared with the visitor, and determines that the shared controller is shared with the access controller according to the ID AC. K AS , AC , then
当釆用对称加密算法时, 利用所述 KA ^解密所述第一身份鉴别信息, 并 判断解密结果与所述 NREQ是否相等, 若不相等, 则终止鉴别; 若相等, 则确定 所述第一可公开的鉴别结果为所述访问控制器身份合法以及所述第二可公开 的鉴别结果为所述访问者身份非法。 When the symmetric encryption algorithm is used, the first identity authentication information is decrypted by using the K A ^ , and it is determined whether the decryption result is equal to the N REQ , and if not, the authentication is terminated; if they are equal, the The first publicly identifiable authentication result is that the access controller is legally authenticated and the second publicly identifiable authentication result is that the visitor identity is illegal.
5. The method according to claim 2, wherein the identity authentication request message further includes the identification information ID_AC of the access controller and N_REQ; and in step 4), after receiving the identity authentication request message, if the authentication server determines that it shares K_AS,REQ with the visitor, then
when the symmetric encryption algorithm is used, it decrypts the second identity authentication information with K_AS,REQ; if the decryption result does not equal N_REQ and, according to ID_AC, it determines that it does not share K_AS,AC with the access controller, it terminates the authentication.
6. The method according to claim 2, wherein the identity authentication request message further includes the identification information ID_AC of the access controller and N_REQ; and in step 4), after receiving the identity authentication request message, if the authentication server determines that it shares K_AS,REQ with the visitor, then
when the symmetric encryption algorithm is used, it decrypts the second identity authentication information with K_AS,REQ; if the decryption result does not equal N_REQ and, according to ID_AC, it determines that it does share K_AS,AC with the access controller, then
it decrypts the first identity authentication information with K_AS,AC and checks whether the decryption result equals N_REQ; if they are not equal, it terminates the authentication; if they are equal, it determines that the first publicly disclosable authentication result is that the identity of the access controller is legal and that the second publicly disclosable authentication result is that the identity of the visitor is illegal.
7. The method according to claim 2, wherein the identity authentication request message further includes the identification information ID_AC of the access controller and N_REQ; and when the symmetric encryption algorithm is used, in step 4), after the authentication server receives the identity authentication request message, determines that it shares K_AS,REQ with the visitor, decrypts the second identity authentication information with K_AS,REQ and finds that the decryption result equals N_REQ, then
if, according to ID_AC, it determines that it does not share K_AS,AC with the access controller, it determines that the first publicly disclosable authentication result is that the identity of the access controller is illegal and that the second publicly disclosable authentication result is that the identity of the visitor is legal.
8. The method according to claim 2, wherein the identity authentication request message further includes the identification information ID_AC of the access controller and N_REQ; and when the symmetric encryption algorithm is used, in step 4), after the authentication server receives the identity authentication request message, determines that it shares K_AS,REQ with the visitor, decrypts the second identity authentication information with K_AS,REQ and finds that the decryption result equals N_REQ, then
if, according to ID_AC, it determines that it does share K_AS,AC with the access controller, it decrypts the first identity authentication information with K_AS,AC and checks whether the decryption result equals N_REQ; if they are not equal, it determines that the first publicly disclosable authentication result is that the identity of the access controller is illegal and that the second publicly disclosable authentication result is that the identity of the visitor is legal; if they are equal, it determines that the first publicly disclosable authentication result is that the identity of the access controller is legal and that the second publicly disclosable authentication result is that the identity of the visitor is legal.
9. The method according to claim 2, wherein the identity authentication request message further includes the identification information ID_AC of the access controller; and in step 4), after receiving the identity authentication request message, if the authentication server determines that it does not share K_AS,REQ with the visitor, then
when the hash algorithm is used, if it further determines according to ID_AC that it does share K_AS,AC with the access controller, it determines that the first publicly disclosable authentication result is that the identity of the access controller is legal and that the second publicly disclosable authentication result is that the identity of the visitor is illegal.
10. The method according to claim 2, wherein in step 4), after receiving the identity authentication request message, if the authentication server determines that it shares K_AS,REQ with the visitor, then
when the hash algorithm is used, it uses the second identity authentication information to check the integrity of the identity authentication request message and, if the message is found not to be intact, discards the identity authentication request message.
11. The method according to claim 2, wherein the identity authentication request message further includes the identification information ID_AC of the access controller; and in step 4), after receiving the identity authentication request message, if the authentication server determines that it shares K_AS,REQ with the visitor and, using the second identity authentication information, that the identity authentication request message is intact, then
when the hash algorithm is used, it further determines according to ID_AC whether it shares K_AS,AC with the access controller; if not, it determines that the first publicly disclosable authentication result is that the identity of the access controller is illegal and that the second publicly disclosable authentication result is that the identity of the visitor is legal.
12. The method according to claim 2, wherein the identity authentication request message further includes the identification information ID_AC of the access controller and N_REQ; and in step 4), after receiving the identity authentication request message, if the authentication server determines that it shares K_AS,REQ with the visitor, that the identity authentication request message is intact according to the second identity authentication information, and, according to ID_AC, that it shares K_AS,AC with the access controller, then
when the hash algorithm is used, it verifies the integrity of the first identity authentication information using N_REQ; if the verification fails, it determines that the first publicly disclosable authentication result is that the identity of the access controller is illegal and that the second publicly disclosable authentication result is that the identity of the visitor is legal; if the verification succeeds, it determines that the first publicly disclosable authentication result is that the identity of the access controller is legal and that the second publicly disclosable authentication result is that the identity of the visitor is legal.
13. The method according to any one of claims 3 to 12, wherein when the visitor obtains a first publicly disclosable authentication result stating that the identity of the access controller is illegal, the visitor terminates the access;
when the visitor obtains a first publicly disclosable authentication result stating that the identity of the access controller is legal, the visitor sends the second publicly disclosable authentication result to the access controller in the access authentication response message; and
the access controller denies the visitor access when the second publicly disclosable authentication result states that the identity of the visitor is illegal, or allows the visitor access when the second publicly disclosable authentication result states that the identity of the visitor is legal.
14. An access device, comprising:
an access request interaction module, configured to send an access request message to an access controller of a destination network, the access request message including a random number N_REQ, and to receive an access authentication request message sent by the access controller that contains first identity authentication information, the first identity authentication information being the result of a symmetric cryptographic operation on N_REQ with the shared key K_AS,AC between the access controller and an authentication server;
an authentication request interaction module, configured to send an identity authentication request message to the authentication server that contains the first identity authentication information and second identity authentication information, the second identity authentication information being the result of the visitor performing a symmetric cryptographic operation on N_REQ with the shared key K_AS,REQ between the visitor and the authentication server, and to receive an identity authentication response message sent by the authentication server that contains a first publicly disclosable authentication result and a second publicly disclosable authentication result, where the first publicly disclosable authentication result is the first authentication result obtained by authenticating the access controller according to the first identity authentication information, encrypted with K_AS,REQ, and the second publicly disclosable authentication result is the second authentication result obtained by authenticating the visitor according to the second identity authentication information, encrypted with K_AS,AC; and
an authentication result interaction module, configured to construct, according to the first authentication result, an access authentication response message containing the second publicly disclosable authentication result, send it to the access controller, and receive the access response message sent by the access controller.
15. An authentication server, comprising:
an authentication request receiving module, configured to receive an identity authentication request message sent by a visitor, the identity authentication request message containing first identity authentication information of an access controller of a destination network and second identity authentication information of the visitor, where the first identity authentication information is the result of the access controller performing a symmetric cryptographic operation, with the shared key K_AS,AC between the access controller and the authentication server, on a random number N_REQ contained in the access request message sent by the visitor, and the second identity authentication information is the result of the visitor performing a symmetric cryptographic operation on N_REQ with the shared key K_AS,REQ between the visitor and the authentication server;
an authentication execution module, configured to produce, according to the first identity authentication information, a first authentication result for the access controller and to encrypt the first authentication result with K_AS,REQ to form a first publicly disclosable authentication result for the access controller, and to produce, according to the second identity authentication information, a second authentication result for the visitor and to encrypt the second authentication result with K_AS,AC to form a second publicly disclosable authentication result for the visitor; and
an authentication response sending module, configured to construct an identity authentication response message containing the first publicly disclosable authentication result and the second publicly disclosable authentication result and send it to the visitor.
16. An access controller, comprising:
an access request receiving module, configured to receive an access request message sent by a visitor, the access request message carrying a random number N_REQ;
an access authentication request construction module, configured to construct an access authentication request message containing first identity authentication information and send it to the visitor, the first identity authentication information being the result of a symmetric cryptographic operation on N_REQ with the shared key K_AS,AC between the access controller and an authentication server;
an access authentication response receiving module, configured to receive the access authentication response message sent by the visitor and decrypt it to obtain a second authentication result, where the access authentication response message is constructed by the visitor according to a first authentication result contained in the identity authentication response message sent by the authentication server of the destination network and contains the second authentication result; the first authentication result is determined by the authentication server by authenticating, with K_AS,AC, the first identity authentication information contained in the identity authentication request message sent by the visitor; the second authentication result is determined by the authentication server by authenticating, with the shared key K_AS,REQ between the authentication server and the visitor, the second identity authentication information sent by the visitor; and the second identity authentication information is the result of the visitor performing a symmetric cryptographic operation on N_REQ with K_AS,REQ; and
an access request response module, configured to construct an access response message according to the obtained second authentication result and an authorization policy and send it to the visitor.
17. A network access control system, comprising a visitor, an access controller of a destination network and an authentication server, wherein:
the visitor is configured to send an access request message to the access controller, the access request message carrying a random number N_REQ;
to receive an access authentication request message returned by the access controller, the access authentication request message containing first identity authentication information;
to send an identity authentication request message to the authentication server containing the first identity authentication information and second identity authentication information, the second identity authentication information being the result of the visitor performing a symmetric cryptographic operation on N_REQ with the shared key K_AS,REQ between the visitor and the authentication server; to receive an identity authentication response message sent by the authentication server containing a first publicly disclosable authentication result and a second publicly disclosable authentication result; and to decrypt the first publicly disclosable authentication result to obtain a first authentication result;
to send an access authentication response message to the access controller, the access authentication response message being constructed according to the first authentication result and containing the second publicly disclosable authentication result; and
to receive the access response message, sent by the access controller according to a second authentication result, that states whether access to the target network is authorized;
the access controller is configured to receive the access request message sent by the visitor and to construct an access authentication request message containing the first identity authentication information and send it to the visitor, the first identity authentication information being the result of a symmetric cryptographic operation on N_REQ with the shared key K_AS,AC between the access controller and the authentication server;
to receive the access authentication response message sent by the visitor and decrypt it to obtain the second authentication result; and
to construct an access response message according to the obtained second authentication result and an authorization policy and send it to the visitor;
the authentication server is configured to receive the identity authentication request message sent by the visitor; to produce, according to the first identity authentication information, the first authentication result for the access controller and encrypt it with K_AS,REQ to form the first publicly disclosable authentication result for the access controller; to produce, according to the second identity authentication information, the second authentication result for the visitor and encrypt it with K_AS,AC to form the second publicly disclosable authentication result for the visitor; and to return to the visitor an identity authentication response message containing the first publicly disclosable authentication result and the second publicly disclosable authentication result.
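The three-party exchange of the claims, with the authentication server's decision tree from claims 3 and 9 to 13, carried through in Python as an added example that is not part of the patent. It uses the hash-algorithm variant: HMAC-SHA256 is the symmetric cryptographic operation, `seal`/`unseal` are an HMAC-based stand-in for the "encrypt with K" step, and the identities `req-1`, `ac-1` and the key tables are constructed.

```python
# Added example (not the patent's code): the REQ / AC / AS exchange of the claims in the
# hash-algorithm variant. HMAC-SHA256 is the symmetric cryptographic operation; seal/unseal
# stand in for "encrypt with K" (HMAC keystream + tag, stdlib only). Names and keys are constructed.
import hashlib
import hmac
import os

AC_LEGAL, AC_ILLEGAL, REQ_LEGAL, REQ_ILLEGAL = b"AC_OK", b"AC_BAD", b"REQ_OK", b"REQ_BAD"

def prf(key, *parts):
    """HMAC-SHA256 over length-prefixed parts: the 'hash algorithm' operation."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

def seal(key, plaintext):
    """Protect a result (<= 32 bytes) for the holder of key: nonce + ct + tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext.ljust(32, b"\0"), prf(key, b"enc", nonce)))
    return nonce + ct + prf(key, b"tag", nonce, ct)

def unseal(key, blob):
    """Inverse of seal; a missing blob or bad tag gives None, never a forged result."""
    if blob is None or len(blob) != 80:
        return None
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, prf(key, b"tag", nonce, ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, prf(key, b"enc", nonce))).rstrip(b"\0")

def covered(m):  # request fields the second identity authentication information covers
    return (m["ID_REQ"], m["ID_AC"], m["N_REQ"], m["AUTH1"])

class Visitor:                                   # REQ
    def __init__(self, ident, k_as_req):
        self.id, self.key, self.n_req = ident, k_as_req, None
    def access_request(self):                    # message 1: REQ -> AC
        self.n_req = os.urandom(16)
        return {"ID_REQ": self.id, "N_REQ": self.n_req}
    def identity_auth_request(self, aar):        # message 3: REQ -> AS
        m = {"ID_REQ": self.id, "ID_AC": aar["ID_AC"], "N_REQ": self.n_req, "AUTH1": aar["AUTH1"]}
        m["AUTH2"] = prf(self.key, *covered(m))  # second identity authentication information
        return m
    def access_auth_response(self, iar):         # message 5: REQ -> AC, or stop
        if iar is None or unseal(self.key, iar["RES1"]) != AC_LEGAL:
            return None                          # claim 13: AC illegal, REQ terminates
        return {"ID_REQ": self.id, "RES2": iar["RES2"]}

class AccessController:                          # AC
    def __init__(self, ident, k_as_ac, policy):
        self.id, self.key, self.policy = ident, k_as_ac, policy
    def access_auth_request(self, ar):           # message 2: AC -> REQ
        return {"ID_AC": self.id, "AUTH1": prf(self.key, ar["N_REQ"])}  # first identity info
    def access_response(self, aar):              # message 6: AC -> REQ
        ok = unseal(self.key, aar["RES2"]) == REQ_LEGAL and self.policy(aar["ID_REQ"])
        return "granted" if ok else "denied"

class AuthServer:                                # AS: decision tree of claims 3 and 9-12
    def __init__(self, req_keys, ac_keys):
        self.req_keys, self.ac_keys = req_keys, ac_keys
    def identity_auth_response(self, m):         # message 4: AS -> REQ, or None
        k_req, k_ac = self.req_keys.get(m["ID_REQ"]), self.ac_keys.get(m["ID_AC"])
        if k_req is None:
            if k_ac is None:
                return None                      # claim 3: neither key shared, terminate
            res1, res2 = AC_LEGAL, REQ_ILLEGAL   # claim 9
        else:
            if not hmac.compare_digest(prf(k_req, *covered(m)), m["AUTH2"]):
                return None                      # claim 10: request not intact, discard
            if k_ac is None:
                res1, res2 = AC_ILLEGAL, REQ_LEGAL   # claim 11
            elif hmac.compare_digest(prf(k_ac, m["N_REQ"]), m["AUTH1"]):
                res1, res2 = AC_LEGAL, REQ_LEGAL     # claim 12: first identity info verified
            else:
                res1, res2 = AC_ILLEGAL, REQ_LEGAL   # claim 12: first identity info wrong
        # RES1 under K_AS,REQ for the visitor, RES2 under K_AS,AC for the AC; without K_AS,REQ
        # (claim 9) RES1 cannot be sealed and is sent empty, which the visitor rejects (assumption)
        return {"RES1": seal(k_req, res1) if k_req else None, "RES2": seal(k_ac, res2) if k_ac else None}

def run(visitor, ac, as_):
    """Drive the six-message exchange; returns 'granted', 'denied' or 'terminated'."""
    aar = ac.access_auth_request(visitor.access_request())
    iar = as_.identity_auth_response(visitor.identity_auth_request(aar))
    resp = visitor.access_auth_response(iar)
    return "terminated" if resp is None else ac.access_response(resp)

K_AS_REQ, K_AS_AC = os.urandom(32), os.urandom(32)         # constructed keys
AS = AuthServer({b"req-1": K_AS_REQ}, {b"ac-1": K_AS_AC})  # constructed key tables
ALLOW_ALL = lambda ident: True                             # authorization policy stand-in
```

A visitor with the wrong K_AS,REQ, an unknown visitor, an access controller with the wrong K_AS,AC or an unknown ID_AC all end in "terminated"; only a fully verified pair reaches the access controller's policy decision.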
PCT/CN2011/071770 2010-10-13 2011-03-14 Method and system for network access control WO2012048551A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010504262 2010-10-13
CN201010504262.3 2010-10-13

Publications (1)

Publication Number Publication Date
WO2012048551A1 true WO2012048551A1 (en) 2012-04-19

Family

ID=44844269

Country Status (2)

Country Link
CN (1) CN102231736B (en)
WO (1) WO2012048551A1 (en)

Also Published As

Publication number Publication date
CN102231736A (en) 2011-11-02
CN102231736B (en) 2014-07-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number 11831948, country of ref document EP, kind code A1)
NENP Non-entry into the national phase (ref country code DE)
122 Ep: pct application non-entry in european phase (ref document number 11831948, country of ref document EP, kind code A1)