WO2014177106A1 - Method and system for network access control - Google Patents

Method and system for network access control

Info

Publication number
WO2014177106A1
Authority
WO
WIPO (PCT)
Prior art keywords
identification information
unique identification
terminal device
network
network management
Application number
PCT/CN2014/079248
Other languages
English (en)
Chinese (zh)
Inventor
卢安文
李锐
高为静
Original Assignee
中兴通讯股份有限公司

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/70 Admission control; Resource allocation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/40 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities

Definitions

  • The present invention relates to network access control technologies, and in particular to a network access control method and system.
  • Background technique
  • In the LTE (Long Term Evolution) era, operators will deploy small base stations (Small Cells) on a large scale to improve coverage. The backhaul network through which a Small Cell reaches the core network is mostly deployed in enterprises and in users' homes: instead of going through the operator's proprietary bearer network, the public transport network is used to connect to the operator's core network. The access security requirements for such Small Cells are therefore very high, and unauthorized base stations must not be allowed to access the operator's core network.
  • The 3rd Generation Partnership Project (3GPP) recommends the use of IPSec (IP Security) technology to secure communication between the base station and the core network, while identity authentication between the base station and the security gateway (SeGW, Security Gateway) is generally based on digital certificate authentication.
  • Although the IPSec protocol meets the need for mutual authentication and encryption between the two parties, it cannot handle the scenario in which a digital certificate is stolen and then used to masquerade as a legitimate user. If someone steals the digital certificate, the security gateway can be bypassed, allowing unauthorized access to the core network or attacks on it.
  • The main purpose of the embodiments of the present invention is to provide a network access control method and system which can improve the security and legality of a terminal accessing a network, and which is compatible with more forms of key association negotiation.
  • The embodiment of the present invention provides a network access control method, where the method includes: the security authentication device receives the unique identification information of the terminal device; the security authentication device performs digital certificate authentication on the terminal device; after the digital certificate authentication is passed, the unique identification information of the terminal device is authenticated, and the access authority of the terminal is determined.
  • the method further includes: the network management device storing the unique identification information of each legal terminal device in batches, and establishing a unique identification information database.
  • The security authentication device receiving the unique identification information of the terminal device includes: obtaining the unique identification information of the terminal device from the IKE message sent by the terminal device.
  • Authenticating the unique identification information of the terminal device and determining the access rights of the terminal includes: the security authentication device parses the received IKE packet, obtains the unique identification information of the terminal device from the IKE packet, and sends the obtained unique identification information to the network management device; the network management device matches the received unique identification information against the pre-stored unique identification information of each legal terminal device, and after the matching succeeds it confirms that the terminal device is allowed to access the network.
  • the unique identification information is a device unique identifier (Device ID) and/or a source IP address.
  • the embodiment of the present invention further provides a network access control system, where the system includes: a terminal device, a security authentication device, and a network management device;
  • the terminal device is configured to send its unique identification information to the security authentication device;
  • the security authentication device is configured to perform digital certificate authentication on the terminal device;
  • the network management device is configured to authenticate the unique identification information of the terminal device and determine the access rights of the terminal device.
  • The security authentication device is further configured to receive and parse the unique identification information of the terminal device and, after the digital certificate is verified, to send the parsed unique identification information to the network management device.
  • the network management device is further configured to store the unique identification information of each legal terminal device in batches, and establish a database of unique identification information.
  • The network management device is further configured to retrieve the unique identification information database according to the received unique identification information, to match the received unique identification information with the unique identification information stored in the database and, if the matching succeeds, to determine that the terminal device is allowed to access the network; otherwise, to determine that the terminal device is denied access to the network.
  • Embodiments of the present invention also provide a computer storage medium in which computer executable instructions are stored, the computer executable instructions being used to perform the above method.
  • The terminal device sends its own unique identification information to the security authentication device, and the security authentication device performs digital certificate authentication on the terminal device; after the digital certificate authentication is passed, the unique identification information of the terminal device is authenticated, and the access authority of the terminal is determined.
  • This ensures that a terminal accessing the network has a valid identity, thereby improving the security and legality of terminal access to the network.
  • The IKE technology involved in the embodiment of the present invention is compatible with Internet Key Exchange Protocol version 2 (IKEv2, Internet key exchange version 2) and with Internet Key Exchange Protocol version 1 (IKEv1, Internet key exchange version 1).
  • FIG. 1 is a schematic flowchart of a basic implementation of a network access control method according to an embodiment of the present invention
  • FIG. 2 is a schematic flowchart of a network access control method according to an embodiment of the present invention
  • FIG. 4 is a schematic structural diagram of a network access control system according to an embodiment of the present invention.
  • Detailed description
  • The terminal device sends its unique identification information to the security authentication device; the security authentication device performs digital certificate authentication on the terminal device; after the digital certificate authentication is passed, the unique identification information of the terminal device is authenticated, and the access rights of the terminal device are determined.
  • The terminal device can place its unique identification information in the Internet Key Exchange (IKE) packet; the IKE packet may be an IKEv2 packet.
  • Authenticating the unique identification information of the terminal device and determining the access authority of the terminal device includes: the security authentication device parses the received IKE packet, obtains the unique identification information of the terminal device from the IKE packet, and sends the obtained unique identification information to the network management device; the network management device matches it against the pre-stored unique identification information of each legal terminal device, and after the matching succeeds, the terminal device is allowed to access the network.
  • The terminal device may be a small cell (Small Cell); the unique identification information may be a device unique identifier (Device ID) and/or the source IP address of the terminal device; the security authentication device may be a security gateway or a high-end router; the network management device may be a server or a computer having a network management function.
  • the network access control method includes:
  • Step 101 The terminal device sends its own unique identification information to the security authentication device.
  • the unique identifier information may include one or more types, and may be a Device ID and/or a source IP address.
  • the terminal device sends its own unique identification information to the security authentication device, specifically: the terminal device places its unique identification information in the IKE packet and sends the information to the security authentication device.
  • In practice the IKE packet may be an IKEv2 packet or an IKEv1 message.
  • The method further includes: the network management device stores the unique identification information of each legal terminal device in batches and establishes a unique identification information database, so that the unique identification information of a terminal device subsequently requesting access can be securely authenticated.
  • the security authentication device may be a security gateway or a high-end router
  • the network management device may be a server or a computer having a network management function
  • the terminal device may be a Small Cell
  • Step 102 The security authentication device performs digital certificate authentication on the terminal device. After the digital certificate authentication is passed, the unique identification information of the terminal device is authenticated, and the access rights of the terminal device are determined.
  • the security authentication device performs the digital certificate authentication on the terminal device as follows: The security authentication device performs IKE negotiation with the terminal device, and first performs digital certificate authentication on the terminal device.
  • The security authentication device authenticates the unique identification information of the terminal device and determines the access authority of the terminal device as follows: the security authentication device parses the received IKE packet, obtains the unique identification information of the terminal device from the IKE packet, and sends the obtained unique identification information to the network management device; the network management device matches it against the pre-stored unique identification information of each legal terminal device, and after the matching succeeds, the terminal device is allowed to access the network.
  • the unique identifier information is a Device ID
  • the terminal device is a Small Cell
  • the security authentication device is a security gateway
  • Step 201 The network management device stores the Device ID of each legal Small Cell in batches, and establishes a unique identification information database.
  • The network management device may be a server or a computer having a network management function; this step is pre-processing and may be performed at any time before the terminal device accesses the network.
  • Step 202: When the Small Cell needs to access the network, it fills its Device ID into the IKE packet and sends the packet to the security gateway.
  • Step 203 The security gateway performs IKE negotiation with the Small Cell, first performs digital certificate authentication on the Small Cell, and determines whether the authentication is passed. If the authentication passes, step 204 is performed; otherwise, step 208 is executed to end the current processing flow.
  • Step 204: The security gateway parses the Device ID from the IKE message and sends the parsed Device ID to the network management device.
  • Steps 205 to 207: The network management device searches the unique identification information database and matches the received Device ID with the unique identification information stored there to determine whether the matching is successful. If the matching is successful, the access authority of the Small Cell is determined to allow the Small Cell to access the core network; otherwise, the access authority of the Small Cell is determined to deny the Small Cell access to the core network, and step 208 is performed to end the current processing flow.
  • FIG. 3 is a schematic flowchart of a network access control method according to another embodiment of the present invention.
  • the unique identifier information is a device ID and a source IP address
  • the terminal device is a Small Cell
  • the security authentication device is a security gateway;
  • the method for the network access control includes:
  • Step 301 The network management device stores the Device ID and the source IP address of each legal Small Cell in batches, and establishes a unique identification information database.
  • The network management device may be a server or a computer having a network management function. This step is pre-processing and may be performed at any time before the terminal device accesses the network.
  • Step 302: When the Small Cell needs to access the network, it fills its Device ID and source IP address into the IKE packet and sends the packet to the security gateway.
  • The Device ID is carried in the IKE message as follows: the Device ID is placed in the ID payload field of the IKE message according to the format recommended by 3GPP. The source IP address is carried in the IKE message as follows: according to the format recommended by 3GPP, the source IP address is placed in the source IP address field of the IKE packet.
  • the IKE packet can be the IKEv2 version.
  • Step 303 The security gateway performs IKE negotiation with the Small Cell, first performs digital certificate authentication on the Small Cell, and determines whether the authentication is passed. If the authentication is passed, step 304 is performed; otherwise, step 308 is performed to end the current processing flow.
  • Step 304 The security gateway parses the device ID and the source IP address from the IKE packet, and sends the resolved device ID and source IP address to the network management device.
  • Steps 305 to 307: The network management device searches the unique identification information database and matches the received Device ID and source IP address with the unique identification information stored there to determine whether the matching is successful. If the matching is successful, the access authority of the Small Cell is determined to allow the Small Cell to access the core network; otherwise, the access authority of the Small Cell is determined to deny the Small Cell access to the core network, and step 308 is performed to end the current processing flow.
  • Embodiments of the present invention can be applied to, but are not limited to, various communication scenarios of the Small Cell, and apply equally to the Asymmetric Digital Subscriber Line (ADSL) broadband access scenario.
  • the network access control system includes: a terminal device 40, a security authentication device 41, and a network management device 42;
  • the terminal device 40 is configured to send its own unique identification information to the security authentication device 41.
  • the sending is: filling its own unique identification information into the IKE packet;
  • the security authentication device 41 is configured to perform digital certificate authentication on the terminal device 40;
  • the network management device 42 is configured to authenticate the unique identification information of the terminal device 40, and determine the access authority of the terminal device 40.
  • the security authentication device 41 is further configured to receive and parse the unique identification information of the terminal device 40, and send the parsed unique identification information to the network management device 42 after confirming that the digital certificate authentication is passed;
  • the security authentication device 41 is further configured to perform IKE negotiation with the terminal device 40.
  • the network management device 42 is further configured to store the unique identification information of each legal terminal device in batches, and establish a database of unique identification information.
  • The network management device 42 is further configured to retrieve the unique identification information database according to the received unique identification information, to match the received unique identification information with the unique identification information stored in the database and, if the matching is successful, to determine that the terminal device is allowed to access the network; otherwise, to determine that the terminal device is denied access to the network.
  • The unique identification information may be a Device ID and/or a source IP address; the security authentication device may be a security gateway or a high-end router; the network management device may be a server or a computer having a network management function; the terminal device may be a Small Cell.
  • the embodiment of the present invention further provides a computer storage medium, wherein computer executable instructions are stored, and the computer executable instructions are used to execute the method described in the foregoing embodiments.
  • Each of the above units may be implemented by a central processing unit (CPU), a digital signal processor (DSP) or a Field-Programmable Gate Array (FPGA) in the electronic device.
  • embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention can take the form of a hardware embodiment, a software embodiment, or a combination of software and hardware aspects. Moreover, the invention can take the form of a computer program product embodied on one or more computer usable storage media (including but not limited to disk storage and optical storage, etc.) in which computer usable program code is embodied.
  • the present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (system), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or FIG.
  • These computer program instructions can be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing device to produce a machine for the execution of instructions for execution by a processor of a computer or other programmable data processing device.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device.
  • the apparatus implements the functions specified in one or more blocks of a flow or a flow and/or block diagram of the flowchart.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on a computer or other programmable device to produce computer-implemented processing for execution on a computer or other programmable device.
  • the instructions provide steps for implementing the functions specified in one or more of the flow or in a block or blocks of a flow diagram.
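The two-stage check of steps 301 to 307 above (with the Device-ID-only variant of steps 201 to 207), as an added example that is not part of the patent text or of any ZTE implementation: a Python model in which the security gateway authenticates the certificate first and only then asks the network management device to match the Device ID and source IP carried in the IKE message, so that a stolen but valid certificate is no longer enough on its own. The certificate model, the IKE message fields, the database entries and all identifiers and addresses are constructed assumptions, and the 3GPP ID payload encoding is not modelled.

```python
"""Model of the two-stage admission control described above: stage 1 is
digital-certificate authentication at the security gateway during IKE
negotiation; stage 2 matches the unique identification information in the IKE
message (Device ID and/or source IP) against the network management device's
database of legal terminals.  All values below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Certificate:
    subject: str        # constructed subject name
    issuer: str         # constructed issuing CA name
    not_after: date     # end of validity
    signature_ok: bool  # stands in for real chain/signature verification


@dataclass(frozen=True)
class IkeMessage:
    """Fields the gateway reads from an IKE packet: the ID payload (carrying the
    Device ID as a plain string here), the source IP and the presented cert."""
    id_payload: str
    source_ip: str
    cert: Certificate


class NetworkManagementDevice:
    """Pre-stores each legal terminal (steps 201/301); answers match queries."""

    def __init__(self, entries: Iterable[Tuple[str, Optional[str]]]) -> None:
        # A None address means the Device-ID-only embodiment (FIG. 2).
        self._db: Dict[str, Optional[str]] = dict(entries)
        self.queries = 0  # how often the gateway consulted the database

    def matches(self, device_id: str, source_ip: str) -> bool:
        self.queries += 1
        if device_id not in self._db:
            return False
        expected_ip = self._db[device_id]
        if expected_ip is None:           # Device ID alone identifies it
            return True
        return source_ip == expected_ip   # FIG. 3: Device ID and source IP


class SecurityGateway:
    def __init__(self, nms: NetworkManagementDevice,
                 trusted_issuers: Iterable[str], today: date) -> None:
        self.nms, self.trusted_issuers, self.today = nms, set(trusted_issuers), today

    def certificate_auth(self, cert: Certificate) -> bool:
        """Step 203/303: simplified digital certificate authentication."""
        return (cert.signature_ok and cert.issuer in self.trusted_issuers
                and cert.not_after >= self.today)

    def admit(self, msg: IkeMessage) -> Tuple[bool, str]:
        """Returns (allowed, reason). The database is consulted only after the
        certificate check passes, so a bad certificate never reaches step 204."""
        if not self.certificate_auth(msg.cert):
            return False, "certificate authentication failed"
        device_id = msg.id_payload        # step 204/304: parse the ID payload
        if not self.nms.matches(device_id, msg.source_ip):
            return False, "unique identification information not matched"
        return True, "access to core network allowed"


CA = "constructed-operator-ca"
TODAY = date(2014, 6, 5)  # constructed clock for the validity check


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenarios, including the stolen-certificate case from the
    background section: a valid certificate alone no longer grants access."""
    valid = Certificate("smallcell-A", CA, date(2016, 1, 1), True)
    nms = NetworkManagementDevice([("SC-A-0001", "192.0.2.10"),  # FIG. 3 entry
                                   ("SC-B-0002", None)])         # FIG. 2 entry
    gw = SecurityGateway(nms, {CA}, TODAY)
    return {
        "legal": gw.admit(IkeMessage("SC-A-0001", "192.0.2.10", valid)),
        # same valid certificate, but presented from another source address
        "stolen_cert_wrong_ip": gw.admit(IkeMessage("SC-A-0001", "198.51.100.7", valid)),
        # same valid certificate with a Device ID that was never registered
        "stolen_cert_unknown_id": gw.admit(IkeMessage("SC-X-9999", "192.0.2.10", valid)),
        "id_only_entry": gw.admit(IkeMessage("SC-B-0002", "203.0.113.5", valid)),
    }


def expired_certificate_skips_database() -> bool:
    """Ordering check: a failed certificate check must never query the NMS."""
    nms = NetworkManagementDevice([("SC-A-0001", "192.0.2.10")])
    gw = SecurityGateway(nms, {CA}, TODAY)
    expired = Certificate("smallcell-A", CA, date(2014, 1, 1), True)
    allowed, _ = gw.admit(IkeMessage("SC-A-0001", "192.0.2.10", expired))
    return (not allowed) and nms.queries == 0
```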

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present embodiment of the invention relates to a network access control method comprising the following steps: a security authentication device receives unique identification information of the terminal, and the security authentication device performs digital certificate authentication for the terminal; after the digital certificate authentication, the unique identification information of the terminal and the access permissions of the terminal are determined. The invention further relates to a network access control system comprising: a terminal configured to transmit its own unique identification information to a security authentication device; a security authentication device configured to perform digital certificate authentication for the terminal; and a network management device configured to authenticate the unique identification information of the terminal and to determine the access permissions of the terminal.
PCT/CN2014/079248 2013-09-26 2014-06-05 Method and system for network access control WO2014177106A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310461292.4A CN104518874A (zh) 2013-09-26 2013-09-26 A network access control method and system
CN201310461292.4 2013-09-26

Publications (1)

Publication Number Publication Date
WO2014177106A1 true WO2014177106A1 (fr) 2014-11-06

Family

ID=51843180

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/079248 WO2014177106A1 (fr) 2013-09-26 2014-06-05 Method and system for network access control

Country Status (2)

Country Link
CN (1) CN104518874A (fr)
WO (1) WO2014177106A1 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106454836B (zh) * 2015-08-06 2021-12-31 中兴通讯股份有限公司 A method and device for enhancing the security of device certificate use
CN106603461A (zh) * 2015-10-14 2017-04-26 阿里巴巴集团控股有限公司 A service authentication method, device and system
CN109379354A (zh) * 2018-10-10 2019-02-22 小雅智能平台(深圳)有限公司 A method, device and system for binding a smart device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1863048A (zh) * 2005-05-11 2006-11-15 中兴通讯股份有限公司 Internet key exchange negotiation method between a user and an access device
CN101064611A (zh) * 2006-04-24 2007-10-31 维豪信息技术有限公司 Application integration method based on registration and call control
WO2013109417A2 (fr) * 2012-01-18 2013-07-25 Zte Corporation Notarized IKE client identity and information via IKE configuration payload support

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN200941622Y (zh) * 2006-06-19 2007-08-29 福建星网锐捷网络有限公司 A network authentication and authorization system and the switch used
CN101656738B (zh) * 2009-09-22 2012-10-03 中兴通讯股份有限公司 A method and device for verifying a terminal accessing a network
CN102984173B (zh) * 2012-12-13 2017-02-22 迈普通信技术股份有限公司 Network access control method and system

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105847234A (zh) * 2016-03-11 2016-08-10 中国联合网络通信集团有限公司 Suspicious terminal access early-warning method, gateway management platform and gateway device
CN105847234B (zh) * 2016-03-11 2018-11-20 中国联合网络通信集团有限公司 Suspicious terminal access early-warning method, gateway management platform and gateway device
CN115086085A (zh) * 2022-08-19 2022-09-20 南京华盾电力信息安全测评有限公司 A secure access authentication method and system for new-energy platform terminals

Also Published As

Publication number Publication date
CN104518874A (zh) 2015-04-15

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14791892

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14791892

Country of ref document: EP

Kind code of ref document: A1