CN100338904C - Full-matching certification method for broad band switch-in server - Google Patents

Publication number
CN100338904C
Authority
CN
China
Legal status
Expired - Lifetime
Application number
CNB2003101035777A
Other languages
Chinese (zh)
Other versions
CN1545241A (en)
Inventor
田平
纪小利
何茂平
刘兴铨
胡鹏
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp

Abstract

The invention discloses a full-matching authentication method for a broadband access server. The method comprises two steps: step 1, the user data set is organized into a plurality of matching authentication user sets according to priority; step 2, the matching authentication user set is looked up according to the user's tuple, and the user's attribute values determine whether authentication passes. The method adapts automatically to various application requirements, is efficient, and is simple to maintain. The binding requirements raised by a newly added authentication process can be met just by changing the user set data in the BNAS, with no need to add a special handling method; the method is convenient to use and simple to configure.

Description

A full-matching authentication method for a broadband access server
Technical field
The invention relates to the field of Internet access, specifically the access-network part of the Internet field, and in particular to the organization of users and the method of full-matching authentication on a broadband access server (BNAS).
Background art
In matching authentication, a group of data consisting of many items indicates the identity of an accessing user, and a request is made to confirm that the data is legitimate. In the broadband access field this is an unavoidable step of the access procedure. The matching authentication process is the process of looking up matching user data in a data set established in advance. For a broadband access server, therefore, the organization of the user data set and the matching authentication process are key technologies.
Matching authentication resembles the route lookup algorithm in some respects, but differs from it.
In route lookup the IP address is regular, 4 bytes long, and the routing table can be organized by the number of bits in the address mask. To find the egress for an IP address, the lookup starts from the entries with the longest mask and proceeds in order of decreasing mask length; the best-matching entry found is the route egress. Matching authentication data, by contrast, is a tuple with no regular structure and no fixed length. Even so, as with the routing algorithm, a best-match method can be found that separates the organization of the match entries from authentication, so that whatever authentication mode is used, the authentication process becomes, like route lookup, a process of finding the best-matching entry in a table.
The authentication process of a RADIUS server is based on the user name: the user's authentication data must contain a user name, and user entries are organized under a unique index on the user name. During authentication the user name is looked up through a hash index; if an entry with the same user name is found in the table, the other authentication data are compared, and if they are legitimate, authentication passes. If no entry with the same user name is found in the table, authentication fails. However, the broadband access field now requires various binding authentication processes, such as binding an IP address to a MAC address or binding an IP address to a VLAN; there are many such binding relationships. Binding authentication is also a kind of authentication, but it does not use a user name. Many vendors handle these requirements separately from user-name-based authentication, with special-case processing. The cost is that the authentication process becomes complicated and cannot adapt to varied application requirements: each newly added authentication process requires a new special handling method, maintenance is complicated, and efficiency is low.
Summary of the invention
The technical problem solved by the invention is to provide a full-matching authentication method for a broadband access server that unifies the various authentication processes.
The full-matching authentication method of the invention comprises the following processing:
Step 1: organize the user data set into a plurality of matching authentication user sets according to priority;
1) According to the keys and attribute values of each matching-authentication user, organize the user into a tuple (A1, A2, ..., An, B1, B2, ..., Bm), where Ai denotes a key and Bi denotes an attribute. Each Ai and Bi is a set, which may contain one element or several elements;
2) Assign each key and attribute a weight according to its priority; the higher the priority, the higher the weight. Weights are assigned as follows:
a. if Ai or Bi is a multi-element set, its weight is 0;
b. if Ai or Bi is a singleton set, its weight is 2^(i-1), where i >= 1;
3) Build a plurality of authentication user sets according to the differing sums of key weights, and wait for users to request matching authentication;
Step 2: look up the matching authentication user set according to the user's tuple, and determine from the user's attribute values whether authentication passes.
4) Determine the authentication user sets that match the user's keys: if each element A1i of the tuple (A11, A12, ..., A1n, B11, B12, ..., B1m) of the user to be authenticated is a subset of the corresponding element A2i of a tuple (A21, A22, ..., A2n, B21, B22, ..., B2m) of an authentication user set, the match holds;
5) Among the matching authentication user sets found in step 4), tuples of several authentication user sets may match; select the matching authentication user subset whose tuple weight is largest and discard the other tuples;
6) Determine the matching authentication user set with the maximum attribute weight: within the maximum-weight matching authentication user set found in step 5), several tuples of several authentication user subsets may match; select the matching authentication user subset whose sum of matched attribute weights is largest and discard the other tuples;
7) Determine the matching authentication result: the matching authentication user subset selected in step 6) may still contain several matching tuples. If among these tuples one is found whose sum of unmatched attribute weights is 0, matching authentication succeeds and is declared passed; if none is found, matching authentication fails and authentication does not pass.
The sum of matched attribute weights is the sum of the weights of the attribute items that match in the authentication user tuple; the sum of unmatched attribute weights is the sum of the weights of the attribute items that do not match in the authentication user tuple.
The full-matching authentication method of the invention adapts to various application requirements, is efficient, and is simple to maintain. For a newly added authentication process, the binding requirements it raises can be met just by changing the user set data in the BNAS, with no need to add a special handling method; the method is convenient to use and simple to configure.
Description of drawings
Fig. 1 is the process flow chart of the full-matching authentication method for a broadband access server of the invention.
Embodiment
The processing flow of the full-matching authentication method, shown in Fig. 1, comprises the following processing:
1) According to the keys and attribute values of each matching-authentication user, organize the user into a tuple (A1, A2, ..., An, B1, B2, ..., Bm), where Ai denotes a key and Bi denotes an attribute. Each Ai and Bi is a set, which may contain one element or several elements;
2) Assign each key and attribute a weight according to its priority; the higher the priority, the higher the weight;
3) Build a plurality of authentication user sets according to the differing sums of key weights, and wait for users to request matching authentication;
4) Determine the authentication user sets that match the user's keys: if each element A1i of the tuple (A11, A12, ..., A1n, B11, B12, ..., B1m) of the user to be authenticated is a subset of the corresponding element A2i of a tuple (A21, A22, ..., A2n, B21, B22, ..., B2m) of an authentication user set, the match holds;
5) Among the matching authentication user sets found in step 4), tuples of several authentication user sets may match; select the matching authentication user subset whose tuple weight is largest and discard the other tuples;
6) Determine the matching authentication user set with the maximum attribute weight: within the maximum-weight matching authentication user set found in step 5), several tuples of several authentication user subsets may match; select the matching authentication user subset whose sum of matched attribute weights is largest and discard the other tuples;
7) Determine the matching authentication result: the matching authentication user subset selected in step 6) may still contain several matching tuples. If among these tuples one is found whose sum of unmatched attribute weights is 0, matching authentication succeeds and is declared passed; if none is found, matching authentication fails and authentication does not pass.
The implementation of the invention is described in detail below, taking as an example the matching authentication, built into the BNAS, of users based on user name and binding relationships.
In this authentication process the user tuple is:
(PORT,VLAN,MAC,USERNAME,IP,PASSWORD)
The keys are:
PORT: the access port. When it takes the default value it denotes all ports and is a multi-element set with weight 0. When it takes a single port value it is a singleton set with weight 1.
VLAN: the user's VLAN. When it takes the default value it denotes all VLANs and is a multi-element set with weight 0. When it takes a non-default value (1-4095) it is a singleton set with weight 2.
MAC: the layer-2 physical address of the user's host. When it takes the default value it denotes any MAC address and is a multi-element set with weight 0. When it takes a non-default value it is a singleton set with weight 4.
USERNAME: the user name. When it takes the default value it denotes all users and is a multi-element set with weight 0. When it takes a non-default value it is a singleton set with weight 8.
The attributes are:
IP: the user's IP address. When it takes the default value it denotes any IP address and is a multi-element set with weight 0. When it takes a non-default value it is a singleton set with weight 1.
PASSWORD: the user's password. When it takes the default value it denotes any password and is a multi-element set with weight 0. When it takes a non-default value it is a singleton set with weight 2.
Because the user tuple in this example is a 6-tuple, the users are organized into 5 classes of hash chains when the matching user set is built, and each user can exist on only one class of hash chain. The 5 classes of chain are:
USERNAME chain: all matching users whose user name is not the default value are on this class of chain, with USERNAME as the hash key;
MAC chain: all users whose USERNAME is the default value and whose MAC is not the default value are on this class of chain, with the MAC address as the hash key;
VLAN chain: all users whose USERNAME and MAC are default values and whose VLAN is not the default value are on this class of chain, with VLAN as the hash key;
PORT chain: all users whose USERNAME, MAC and VLAN are default values and whose PORT is not the default value are on this class of chain, with PORT as the hash key;
All-default chain: all users whose USERNAME, MAC, VLAN and PORT are all default values are on this class of chain; there is no hash key, and all such users are on a single chain.
The tuple weight sums on these 5 classes of chain rank, from high to low: USERNAME chain, MAC chain, VLAN chain, PORT chain, all-default chain. Therefore, once the hash chains of the matching user set have been built, when a user requests authentication the 5 classes of chain are searched in descending order of weight for a subset whose keys match. The first chain on which a matching subset is found is naturally the chain with the highest weight, and the subset is the one with the highest weight, so the later chains need not be searched. The maximum-attribute-weight matching set is then determined by the method described above (the attributes here are IP and PASSWORD), and whether matching authentication passes is judged from the unmatched attribute weights. If a tuple whose unmatched attribute weight is 0 can be found in the final set, authentication passes; otherwise authentication fails. Here this means that authentication succeeds if IP and PASSWORD match correctly and fails if they do not. If nothing is found on any of the chains, matching authentication naturally does not pass either.
The authentication process of this BNAS is organized and implemented according to the method of the invention; it is highly efficient and allows the BNAS to adapt to various authentication requirements.
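The embodiment above (the five hash chains and steps 4 to 7), written out as an added Python example; it is not code from the patent or from any BNAS product. The class and function names, the use of None for a default value, and the sample entries are assumptions made for illustration.

```python
from collections import defaultdict

KEYS = ("PORT", "VLAN", "MAC", "USERNAME")   # key weights 1, 2, 4, 8
ATTRS = ("IP", "PASSWORD")                   # attribute weights 1, 2
CHAIN_ORDER = ("USERNAME", "MAC", "VLAN", "PORT", "DEFAULT")  # descending weight


def weight(fields, entry, only=lambda name: True):
    """Sum 2^(i-1) over the entry's non-default fields accepted by `only`."""
    return sum(1 << i for i, f in enumerate(fields)
               if entry.get(f) is not None and only(f))


class UserSet:
    """Hypothetical container; None stands for a field's default value."""

    def __init__(self):
        self.chains = {c: defaultdict(list) for c in CHAIN_ORDER}

    def add(self, **entry):
        # Each entry sits on one chain: that of its highest-weight non-default key.
        cls = next((k for k in reversed(KEYS) if entry.get(k) is not None), "DEFAULT")
        self.chains[cls][entry.get(cls)].append(entry)

    def authenticate(self, **req):
        """Return (passed, chain class that decided, or None if nothing matched)."""
        for cls in CHAIN_ORDER:
            bucket = self.chains[cls].get(req.get(cls), [])
            # Step 4: each key of the entry is default or equals the request's key.
            hits = [e for e in bucket
                    if all(e.get(k) is None or e[k] == req.get(k) for k in KEYS)]
            if not hits:
                continue
            # Step 5: keep only the tuples with the largest key weight sum.
            top = max(weight(KEYS, e) for e in hits)
            hits = [e for e in hits if weight(KEYS, e) == top]

            # Step 6: keep only the tuples with the largest matched-attribute sum.
            def matched(e):
                return weight(ATTRS, e, lambda a: e[a] == req.get(a))
            best = max(matched(e) for e in hits)
            hits = [e for e in hits if matched(e) == best]
            # Step 7: pass if some tuple has no unmatched non-default attribute.
            ok = any(weight(ATTRS, e, lambda a: e[a] != req.get(a)) == 0 for e in hits)
            return ok, cls   # lower-weight chains are not searched
        return False, None


def demo_user_set():
    """Constructed sample entries, not taken from the patent."""
    s = UserSet()
    s.add(USERNAME="alice", PASSWORD="pw-general")
    s.add(USERNAME="alice", MAC="00:11:22:33:44:55", PASSWORD="pw-bound")
    s.add(MAC="66:77:88:99:aa:bb", IP="10.0.0.5")   # MAC/IP binding, no user name
    s.add(PORT=3, VLAN=100)                          # port/VLAN binding, no attributes
    return s
```

Because a default attribute has weight 0, an entry with neither IP nor PASSWORD set passes every request that matches its keys, so such entries (and anything on the all-default chain) are the ones to audit in real user-set data.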

Claims (5)

1. A full-matching authentication method for a broadband access server, characterized in that the method comprises the following processing:
Step 1: organize the user data set into a plurality of matching authentication user sets according to priority;
Step 2: look up the matching authentication user set according to the user's tuple, and determine from the user's attribute values whether authentication passes;
wherein step 2 further comprises:
1.1. Search for the authentication user sets that match the user's keys; if each element of the tuple of the user to be authenticated is a subset of the corresponding element of a tuple of an authentication user set, the match succeeds and step 1.2 is executed; otherwise matching authentication fails, authentication is declared not passed, and the process ends;
1.2. From the matching authentication user sets, select the matching authentication user subset whose tuple weight is largest;
1.3. From said authentication user subset, select the matching authentication user subset whose sum of matched attribute weights is largest;
1.4. If a tuple whose sum of unmatched attribute weights is 0 is found in said authentication user subset, matching authentication succeeds and is declared passed; if none is found, matching authentication fails and authentication is declared not passed.
2. The full-matching authentication method for a broadband access server according to claim 1, characterized in that said step 1 specifically comprises the following processing steps:
2.1. According to the keys and attribute values of each matching-authentication user, organize the user into a tuple (A1, A2, ..., An, B1, B2, ..., Bm), where Ai denotes a key and Bi denotes an attribute, Ai is any of A1 to An, Bi is any of B1 to Bm, and m, n, i are natural numbers;
2.2. Assign each key and attribute a weight according to its priority; the higher the priority, the higher the weight;
2.3. Build a plurality of authentication user sets according to the differing sums of key weights, and wait for users to request matching authentication.
3. The full-matching authentication method for a broadband access server according to claim 2, characterized in that in said step 2.1 each Ai and Bi is a set, which may contain one element or several elements.
4. The full-matching authentication method for a broadband access server according to claim 3, characterized in that in said step 2.2 weights are assigned as follows:
a. if Ai or Bi is a multi-element set, its weight is 0;
b. if Ai or Bi is a singleton set, its weight is 2^(i-1), where i is a positive integer and ^ denotes exponentiation.
5. The full-matching authentication method for a broadband access server according to claim 2, characterized in that said sum of matched attribute weights is the sum of the weights of the attribute items that match in the authentication user tuple, and said sum of unmatched attribute weights is the sum of the weights of the attribute items that do not match in the authentication user tuple.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2003101035777A CN100338904C (en) 2003-11-11 2003-11-11 Full-matching certification method for broad band switch-in server
Publications (2)

Publication Number Publication Date
CN1545241A CN1545241A (en) 2004-11-10
CN100338904C true CN100338904C (en) 2007-09-19
