CN100338904C - Full-matching certification method for broad band switch-in server - Google Patents
- Publication number
- CN100338904C
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Landscapes
- Computer And Data Communications (AREA)
Abstract
The present invention discloses a full-matching authentication method for a broadband access server. It comprises the following processing steps: step 1, the user data set is organized into a plurality of matching authentication user sets according to priority; step 2, the matching authentication user set is searched according to the user's tuple, and whether authentication passes is determined from the user's attribute values. The method adapts automatically to various application requirements, its algorithm is efficient, and it is simple to maintain. For a newly added authentication process, the various binding requirements can be met merely by changing the user set data in the BNAS, with no need to add a special handling method; it is convenient to use and simple to configure.
Description
Technical field
The present invention relates to the field of Internet access, and in particular to the organization of users and the method of full-matching authentication on a broadband access server (BNAS) in the access-network part of the Internet field.
Background technology
Matching authentication starts from a group of data, made up of many items, that indicates the identity of the accessing user; the request is to confirm that these data are legitimate. In the broadband access field this is an unavoidable step of the access procedure. The matching authentication process is the process of searching a data set established in advance for the matching user data. For a broadband access server, therefore, the organization of the user data set and the matching authentication process are key technologies.
Matching authentication is closely related to route lookup algorithms, but differs from them.
In route lookup, IP addresses are regular and 4 bytes long, and the routing table can be organized by the number of bits in the address mask. To find the egress for an IP address, the lookup starts from the entries with the longest mask and proceeds in order of decreasing mask length; the best matching entry found is the route egress. Matching authentication data, by contrast, is a tuple with no regular structure and no fixed word length. Nevertheless, as in a routing algorithm, a best-match method can be sought in which the organization of the match entries is separated from authentication, so that whatever authentication mode is used, the authentication process becomes, like route lookup, a search for the best matching entry in a table.
The authentication process of a RADIUS server is based on the user name. The user's authentication data must contain a user name, and user entries are organized under a unique index on the user name. During authentication the user name is hashed to an index; if an entry with the same user name is found in the table, the other authentication data are compared, and if these data are legitimate, authentication passes. If no entry with the same user name can be found in the table, authentication is declared failed. In the broadband access field, however, there is now demand for various binding authentication processes, such as binding an IP address to a MAC address or binding an IP address to a VLAN; there are many such binding relationships. Binding authentication is also a kind of authentication, but it does not use a user name. Many vendors handle these application requirements separately from user-name-based authentication and give them special treatment. The cost is that the authentication process becomes complicated and cannot adapt to varied application requirements: each newly added authentication process requires a new special handling method, maintenance is complicated, and efficiency is low.
Summary of the invention
The technical problem solved by the present invention is to find a full-matching authentication method for a broadband access server that unifies the various authentication processes.
The full-matching authentication method for a broadband access server of the present invention comprises the following processing steps:
Step 1: organize the user data set into a plurality of matching authentication user sets according to priority;
1) According to the keywords and attribute values of each user to be matched and authenticated, organize the user into a tuple (A1, A2, ..., An, B1, B2, ..., Bm), where Ai denotes a keyword and Bi denotes an attribute. Each Ai and Bi is a set, which may contain one element or several elements;
2) Assign each keyword and attribute a weight according to its priority; the higher the priority, the higher the weight. Weights are assigned as follows:
a. if Ai or Bi is a multi-element set, its weight is 0;
b. if Ai or Bi is a single-element set, its weight is 2^(i-1), where i >= 1;
3) Build a plurality of authentication user sets according to the different sums of keyword weights, and wait for users to request matching authentication;
Step 2: search for the matching authentication user set according to the user's tuple, and determine from the user's attribute values whether authentication passes.
4) Determine the authentication user sets that match the user's keywords: if each element A1i of the tuple (A11, A12, ..., A1n, B11, B12, ..., B1m) of the user to be authenticated is a subset of the corresponding element A2i of a tuple (A21, A22, ..., A2n, B21, B22, ..., B2m) of the authentication user set, the match holds;
5) If tuples of several authentication user sets match among the matching authentication user sets found in step 4), select the matching authentication user subset with the largest tuple weight and discard the other tuples;
6) Determine the matching authentication user set with the largest attribute weight: if, within the maximum-weight matching authentication user set found in step 5), several tuples of several authentication user subsets match, select the matching authentication user subset with the largest sum of matched attribute weights and discard the other tuples;
7) Determine the matching authentication result: the matching authentication user subset selected in step 6) may still contain several matching tuples. If any one of these tuples has an unmatched attribute weight sum of 0, matching authentication succeeds and authentication is declared passed; if none is found, matching authentication fails and authentication does not pass.
The matched attribute weight sum is the sum of the weights of the attribute items in the authentication user tuple that match, and the unmatched attribute weight sum is the sum of the weights of the attribute items in the authentication user tuple that do not match.
The full-matching authentication method for a broadband access server of the present invention adapts to various application requirements, its algorithm is efficient, and it is simple to maintain. For a newly added authentication process, the various binding requirements can be met merely by changing the user set data in the BNAS, with no need to add a special handling method; it is convenient to use and simple to configure.
Description of drawings
Fig. 1 is the process flowchart of the full-matching authentication method for a broadband access server of the present invention.
Embodiment
The processing flow of the full-matching authentication method, shown in Fig. 1, comprises the following steps:
1) According to the keywords and attribute values of each user to be matched and authenticated, organize the user into a tuple (A1, A2, ..., An, B1, B2, ..., Bm), where Ai denotes a keyword and Bi denotes an attribute. Each Ai and Bi is a set, which may contain one element or several elements;
2) Assign each keyword and attribute a weight according to its priority; the higher the priority, the higher the weight;
3) Build a plurality of authentication user sets according to the different sums of keyword weights, and wait for users to request matching authentication;
4) Determine the authentication user sets that match the user's keywords: if each element A1i of the tuple (A11, A12, ..., A1n, B11, B12, ..., B1m) of the user to be authenticated is a subset of the corresponding element A2i of a tuple (A21, A22, ..., A2n, B21, B22, ..., B2m) of the authentication user set, the match holds;
5) If tuples of several authentication user sets match among the matching authentication user sets found in step 4), select the matching authentication user subset with the largest tuple weight and discard the other tuples;
6) Determine the matching authentication user set with the largest attribute weight: if, within the maximum-weight matching authentication user set found in step 5), several tuples of several authentication user subsets match, select the matching authentication user subset with the largest sum of matched attribute weights and discard the other tuples;
7) Determine the matching authentication result: the matching authentication user subset selected in step 6) may still contain several matching tuples. If any one of these tuples has an unmatched attribute weight sum of 0, matching authentication succeeds and authentication is declared passed; if none is found, matching authentication fails and authentication does not pass.
The implementation of the invention is described in detail below, taking as an example the matching authentication of users based on user name and binding relationships built into the BNAS.
In this authentication process, the user tuple is:
(PORT,VLAN,MAC,USERNAME,IP,PASSWORD)
The keywords are:
PORT: the access port. When it takes the default value it represents all ports and is a multi-element set with weight 0. When it takes a single port value it is a single-element set with weight 1.
VLAN: the user's VLAN. When it takes the default value it represents all VLANs and is a multi-element set with weight 0. When it takes a non-default value (1-4095) it is a single-element set with weight 2.
MAC: the layer-2 physical address of the user's host. When it takes the default value it represents any MAC address and is a multi-element set with weight 0. When it takes a non-default value it is a single-element set with weight 4.
USERNAME: the user name. When it takes the default value it represents all users and is a multi-element set with weight 0. When it takes a non-default value it is a single-element set with weight 8.
The attributes are:
IP: the user's IP address. When it takes the default value it represents any IP address and is a multi-element set with weight 0. When it takes a non-default value it is a single-element set with weight 1.
PASSWORD: the user's password. When it takes the default value it represents any password and is a multi-element set with weight 0. When it takes a non-default value it is a single-element set with weight 2.
Because the user tuple in this example is a 6-tuple, users are organized into 5 classes of hash chain when the matching user sets are built, and each user can exist on only one class of hash chain. The 5 classes of chain are:
The USERNAME chain: all matching users whose user name is not the default value are on this class of chain; USERNAME is the hash key;
The MAC chain: all users whose USERNAME is the default value and whose MAC is not the default value are on this class of chain; the MAC address is the hash key;
The VLAN chain: all users whose USERNAME and MAC are the default value and whose VLAN is not the default value are on this class of chain; VLAN is the hash key;
The PORT chain: all users whose USERNAME, MAC and VLAN are the default value and whose PORT is not the default value are on this class of chain; PORT is the hash key;
The all-default chain: all users whose USERNAME, MAC, VLAN and PORT are all the default value are on this class of chain; there is no hash key, and all such users are on a single chain.
In descending order of tuple weight sum, the 5 classes of chain are: the USERNAME chain, the MAC chain, the VLAN chain, the PORT chain and the all-default chain. Once the hash chains of the matching user sets have been built, a user's authentication request is therefore handled by searching the 5 classes of chain in descending order of weight for a subset whose keywords match. The first chain on which a matching subset is found is naturally the chain with the highest weight, and the subset is the one with the highest weight, so the remaining chains need not be searched. The matching set with the largest attribute weight is then determined by the method described above (the attributes here are IP and PASSWORD), and whether matching authentication passes is judged from the unmatched attribute weights. If a tuple whose unmatched attribute weight is 0 can be found in the final set, authentication passes; otherwise it fails. Here that means authentication succeeds when IP and PASSWORD match correctly and fails when they do not. If nothing is found on any chain, matching authentication naturally does not pass either.
The authentication process of this BNAS is organized and implemented according to the method of the invention; it is very efficient and allows the BNAS to adapt to various authentication requirements.
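The lookup described in this embodiment, as an added Python example that is not part of the patent text: the class `UserSets`, the helpers `weight` and `same`, and the sample entries in `demo_sets` are assumptions constructed for illustration, and `None` stands for the default value of a field.

```python
import hmac
from collections import defaultdict

KEYS = ("PORT", "VLAN", "MAC", "USERNAME")   # keyword weights 1, 2, 4, 8
ATTRS = ("IP", "PASSWORD")                   # attribute weights 1, 2
ANY = None                                   # default value: multi-element set, weight 0

def weight(names, entry, only=None):
    """Sum 2^(i-1) over the non-default fields of entry (optionally only those named in `only`)."""
    return sum(1 << i for i, n in enumerate(names)
               if entry[n] is not ANY and (only is None or n in only))

def same(stored, given):
    """Constant-time comparison; a field missing from the request never matches."""
    return given is not None and hmac.compare_digest(str(stored).encode(), str(given).encode())

class UserSets:
    def __init__(self):
        # One hash table per chain class, highest weight first; class None is the all-default chain.
        self.chains = {k: defaultdict(list) for k in (*reversed(KEYS), None)}

    def add(self, **fields):
        entry = {n: fields.get(n, ANY) for n in KEYS + ATTRS}
        # A user lives on exactly one chain class: that of its highest-weight non-default keyword.
        cls = next((k for k in reversed(KEYS) if entry[k] is not ANY), None)
        self.chains[cls][entry[cls] if cls else None].append(entry)

    def authenticate(self, **request):
        for cls, table in self.chains.items():        # USERNAME, MAC, VLAN, PORT, all-default
            bucket = table.get(request.get(cls) if cls else None, [])
            hits = [e for e in bucket
                    if all(e[k] is ANY or e[k] == request.get(k) for k in KEYS)]
            if hits:                                  # first chain with a keyword match decides
                return self._decide(hits, request)
        return False                                  # nothing matched on any chain

    def _decide(self, hits, request):
        top = max(weight(KEYS, e) for e in hits)      # step 5: largest tuple weight
        hits = [e for e in hits if weight(KEYS, e) == top]

        def split(e):                                 # (matched, unmatched) attribute weight sums
            ok = {a for a in ATTRS if e[a] is not ANY and same(e[a], request.get(a))}
            matched = weight(ATTRS, e, ok)
            return matched, weight(ATTRS, e) - matched

        best = max(split(e)[0] for e in hits)         # step 6: largest matched attribute weight
        return any(split(e) == (best, 0) for e in hits)   # step 7: unmatched weight must be 0

def demo_sets():
    """Constructed sample user sets: one user-name entry and two binding entries."""
    s = UserSets()
    s.add(USERNAME="alice", IP="10.0.0.5", PASSWORD="s3cret")   # user name with IP and password
    s.add(MAC="00:11:22:33:44:55", IP="10.0.0.9")               # IP/MAC binding, no user name
    s.add(VLAN=100, IP="10.0.0.7")                              # IP/VLAN binding, no user name
    return s
```

Because the first chain with a keyword match decides the result, a request that carries a known user name is judged only against that user's entries and is never evaluated against the MAC or VLAN bindings.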
Claims (5)
1. A full-matching authentication method for a broadband access server, characterized in that the method comprises the following processing steps:
Step 1: organize the user data set into a plurality of matching authentication user sets according to priority;
Step 2: search for the matching authentication user set according to the user's tuple, and determine from the user's attribute values whether authentication passes;
wherein step 2 further comprises:
1.1. Search for the authentication user sets that match the user's keywords; if each element of the tuple of the user to be authenticated is a subset of the corresponding element of a tuple of the authentication user set, the match succeeds and step 1.2 is executed; otherwise matching authentication fails, authentication is declared not passed, and the process ends;
1.2. From said matching authentication user sets, select the matching authentication user subset with the largest tuple weight;
1.3. From said authentication user subset, select the matching authentication user subset with the largest sum of matched attribute weights;
1.4. If a tuple whose unmatched attribute weight sum is 0 is found in said authentication user subset, matching authentication succeeds and authentication is declared passed; if none is found, matching authentication fails and authentication is declared not passed.
2. The full-matching authentication method for a broadband access server according to claim 1, characterized in that said step 1 specifically comprises the following processing steps:
2.1. According to the keywords and attribute values of each user to be matched and authenticated, organize the user into a tuple (A1, A2, ..., An, B1, B2, ..., Bm), where Ai denotes a keyword and Bi denotes an attribute, Ai being any one of A1 through An and Bi being any one of B1 through Bm, and m, n, i being natural numbers;
2.2. Assign each keyword and attribute a weight according to its priority; the higher the priority, the higher the weight;
2.3. Build a plurality of authentication user sets according to the different sums of keyword weights, and wait for users to request matching authentication.
3. The full-matching authentication method for a broadband access server according to claim 2, characterized in that in said step 2.1 each Ai and Bi is a set, which may contain one element or several elements.
4. The full-matching authentication method for a broadband access server according to claim 3, characterized in that in said step 2.2 weights are assigned as follows:
a. if Ai or Bi is a multi-element set, its weight is 0;
b. if Ai or Bi is a single-element set, its weight is 2^(i-1), where i is a positive integer and ^ denotes exponentiation.
5. The full-matching authentication method for a broadband access server according to claim 2, characterized in that said matched attribute weight sum is the sum of the weights of the attribute items in the authentication user tuple that match, and said unmatched attribute weight sum is the sum of the weights of the attribute items in the authentication user tuple that do not match.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2003101035777A CN100338904C (en) | 2003-11-11 | 2003-11-11 | Full-matching certification method for broad band switch-in server |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2003101035777A CN100338904C (en) | 2003-11-11 | 2003-11-11 | Full-matching certification method for broad band switch-in server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1545241A CN1545241A (en) | 2004-11-10 |
CN100338904C true CN100338904C (en) | 2007-09-19 |
Family
ID=34333320
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2003101035777A Expired - Lifetime CN100338904C (en) | 2003-11-11 | 2003-11-11 | Full-matching certification method for broad band switch-in server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100338904C (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111212066B (en) * | 2019-12-31 | 2022-04-01 | 浙江工业大学 | Dynamic allocation request verification method |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1372179A (en) * | 2001-02-23 | 2002-10-02 | 株式会社东芝 | Telecommunication setting method and electronic equipment thereof |
US6615352B2 (en) * | 1997-08-05 | 2003-09-02 | Fuji Xerox Co., Ltd. | Device and method for authenticating user's access rights to resources |
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6615352B2 (en) * | 1997-08-05 | 2003-09-02 | Fuji Xerox Co., Ltd. | Device and method for authenticating user's access rights to resources |
CN1372179A (en) * | 2001-02-23 | 2002-10-02 | 株式会社东芝 | Telecommunication setting method and electronic equipment thereof |
Also Published As
Publication number | Publication date |
---|---|
CN1545241A (en) | 2004-11-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109766389B (en) | Block chain light client verification query method based on bitmap index | |
CN1270487C (en) | Method and apparatus for ternary content addressable meomry (TCAM) table management | |
US20090132509A1 (en) | Communication control device and communication control system | |
US7702630B2 (en) | Longest prefix match lookup using hash function | |
US20090132554A1 (en) | Data processing system | |
US7110540B2 (en) | Multi-pass hierarchical pattern matching | |
US20120066410A1 (en) | Data structure, method and system for address lookup | |
US20070078827A1 (en) | Searching for information utilizing a probabilistic detector | |
WO2004079631A2 (en) | Method and arrangement for searching for strings | |
CN1913527A (en) | Apparatus and methods for processing filter rules | |
US9703869B2 (en) | Stream recognition and filtering | |
CN101401090A (en) | Programmable hardware for deep packet filtering | |
KR20080113227A (en) | Method and communication system for the computer-aided detection and identification of copyrighted contents | |
US8965911B2 (en) | Searching and storing data in a tree data structure using prefix-matching node | |
US20070201458A1 (en) | System and method for implementing ACLs using multiple hash-trie-key tables | |
CN108197499B (en) | Verifiable ciphertext data range query method | |
CN1362820A (en) | Method for selecting route for grouping in route apparatus | |
CN1543150A (en) | Packet classification apparatus and method using field level tries | |
Ma et al. | Computing similarity between RNA structures | |
KR101311031B1 (en) | A multi bloom filter including a detecting bloom filter | |
CN100338904C (en) | Full-matching certification method for broad band switch-in server | |
CN1176540C (en) | Method for realizing switch in with mixed multiple users'types in Ethernet network switch in devices | |
CN108365962B (en) | Certificate revocation list query method and device | |
Gollapudi et al. | A dictionary for approximate string search and longest prefix search | |
US8873555B1 (en) | Privilege-based access admission table |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CX01 | Expiry of patent term | ||
CX01 | Expiry of patent term |
Granted publication date: 20070919 |