CN101141253A - Implementing authentication method and system - Google Patents

Implementing authentication method and system

Info

Publication number: CN101141253A
Authority: CN (China)
Prior art keywords: dhcp, user, authentication, network equipment, certificate server
Legal status: Granted
Application number: CNA2006101276669A
Other languages: Chinese (zh)
Other versions: CN100591013C (en)
Inventors: 黄勇, 查敏
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Events: Application filed by Huawei Technologies Co Ltd; Priority to CN200610127666A (CN100591013C); Publication of CN101141253A; Application granted; Publication of CN100591013C; Expired - Fee Related (current status)

Abstract

The invention discloses an authentication method and an authentication system. Its core is that when a DHCP network device receives a DHCP message sent by a user, it obtains the authentication information for that user through interaction with an authentication server, and then performs DHCP authentication on the user based on the part of that information needed to authenticate the client. The invention also provides a second authentication method as well as an authentication server, a DHCP network device and a user device. The invention guarantees not only the security of the user but also the security of the network equipment. At the same time, the user can authenticate the network on the basis of the DHCP authentication mechanism. With the addition of a relay authentication server, the user can be effectively authenticated, and the authentication server can launch a re-authentication process so that the network can re-authenticate the user.

Description

Method and authentication system for implementing authentication
Technical field
The present invention relates to the communications field, and in particular to authentication techniques.
Background art
In order to guarantee that only valid users are granted access, the network side needs to perform access authentication on the user and, at the same time, allocate an IP address and related parameters to the user equipment so that the user equipment can communicate.
Before the authentication process, the user and the server hold a shared key. The process for authenticating a user terminal based on the RADIUS protocol (RFC 2865, Remote Authentication Dial In User Service) is shown in Figure 1. Its main idea is: the user initiates authentication; the server sends a challenge to the user; the user computes a value over the challenge using the shared key and returns the resulting authentication value; the server computes the same value over the challenge using the shared key and compares its result with the received authentication value, thereby authenticating the user.
Figures 2 and 3 show, respectively, network model A and network model B for address assignment to a user based on DHCP (RFC 2131, Dynamic Host Configuration Protocol, and RFC 3315, Dynamic Host Configuration Protocol for IPv6). Network model A corresponds to the case where the DHCP client and the server are on the same network segment; network model B corresponds to the case where a router lies between the DHCP client and the server. In practice network model B is mainly used. In these models the host applying for an address, that is, the client machine running DHCP CLIENT (the DHCP client), also called the user equipment, interacts with the server to obtain the address and parameters the server allocates to it.
When a user actually accesses the network, the network-access authentication of the user can be completed on the basis of the DHCP protocol at the time the address and related parameters are assigned. This is because the DHCP protocol has an option 90 extension, following the RFC 3118 standard, which requires a shared key between the DHCP network device and the DHCP CLIENT; the key is used to compute a MAC (message authentication code) value over the DHCP messages exchanged, so as to prevent an illegitimate DHCP client from obtaining an address or attacking the DHCP network device.
To guarantee the security of the DHCP network device and of the address resources, network-access authentication needs to take place before address assignment. If the user has both a DHCP client and an authentication-protocol client, the DHCP process and the authentication process can be carried out separately, and another mechanism is needed to ensure that authentication happens before address assignment. But when the user has only DHCP client capability and no authentication client capability, how to make network-access authentication precede address assignment is a research topic.
The prior art related to the present invention provides a flow in which network-access authentication precedes address assignment when the user has only DHCP client capability and no authentication client capability, shown in Figure 4. Its main idea is: the user sends a DHCP DISCOVER (DHCP discovery) message to look for a DHCP SERVER (Dynamic Host Configuration Protocol server) that will assign it an address; when the message reaches an access device such as a DHCP RELAY/RADIUS CLIENT, the access device inserts OPTION 82 into the message to record the user's access location information, triggers the network authentication process, and sends the user's access location information and account information to the authentication server. After learning that the authentication server has completed the authentication process on the basis of the user's access location information, it continues the DHCP process to complete the IP address configuration.
As can be seen from the prior art, this scheme in fact has the access device perform access authentication on behalf of the user, and it can only use the user's access location for authentication, so it has the following technical deficiencies:
1. Insufficient security: the prior art identifies the user through the binding between the user and the access location. When this binding is unreliable, the network cannot verify the legitimacy of the user and is itself vulnerable to attack, so security is insufficient.
2. Mutual authentication between network and user cannot be achieved: the prior art only lets the network authenticate the user; the user has no capability to authenticate the network.
3. The prior art cannot support roaming: the prior art binds the user to the port of the access location, so when the user roams the user cannot be effectively identified. Even if a DHCP authentication mechanism is added, when the user needs a local DHCP SERVER to provide service at the roaming location, the roaming-location network lacks a key shared with the user, so it cannot effectively authenticate the user or assign an address.
4. The prior art makes it difficult for the network to re-authenticate the user: the RADIUS protocol does not support re-authentication, and even if it is replaced by a protocol that does, such as the DIAMETER protocol, the user cannot be made to re-enter the process shown in Figure 4, because the DHCP RELAY has no mechanism to trigger address assignment again. And if authentication is still performed by a network proxy, re-authentication loses its meaning.
Summary of the invention
The first object of the present invention is to provide a method and system for implementing authentication by which security authentication can be performed for each user, guaranteeing not only the security of the user but also the security of the network device.
The second object of the present invention is to provide a second method for implementing authentication by which the user can authenticate the network.
The present invention is implemented through the following technical solutions.
The invention provides a method for implementing authentication, comprising:
A. after a DHCP network device receives a DHCP message sent by a user, obtaining the authentication information corresponding to the user through interaction with an authentication server;
B. the DHCP network device performing DHCP authentication on the user based on the information needed to authenticate the client that is contained in the authentication information.
The method further comprises: after the DHCP network device completes DHCP authentication of the user, it reports the user's user identifier to the authentication server and notifies the authentication server of the authentication result.
Step A specifically comprises: the user sends a DHCP message carrying its user identifier to the DHCP network device; after receiving the DHCP message sent by the user, the DHCP network device reports the user identifier to the authentication server; the authentication server extracts or generates, according to the user identifier, the authentication information corresponding to that identifier and sends it to the DHCP network device; the DHCP network device obtains the authentication information from what the authentication server sends.
The authentication information comprises: a session key Ka' for the user, generated from the key Ka shared between the authentication server and the user, together with the parameter used to generate Ka'; or the key Ka shared between the authentication server and the user; or, when several keys are shared between the authentication server and the user, the shared key Ka the authentication server designates for the user together with the selection parameter corresponding to that designated key Ka; or, when several keys are shared between the authentication server and the user, the selection parameter of the shared key Ka designated for the user, together with the session key Ka' generated from that designated key Ka and the parameter used to generate Ka'.
The information needed to authenticate the client, within the authentication information, comprises: the key Ka shared between the user and the authentication server; or the session key Ka' generated from that shared key Ka.
The method further comprises: the user authenticates the network device based on the shared key Ka; or the user obtains the information needed to authenticate the network from the authentication information obtained by the DHCP network device, generates network-authentication information from it, and authenticates the network device based on the generated information.
The information needed to authenticate the network, within the authentication information, comprises: the parameter used to generate the session key Ka'; or the selection parameter of the designated shared key Ka; or both the selection parameter of the designated shared key Ka and the parameter used to generate the session key Ka' from that designated key.
The network-authentication information comprises: the session key Ka' generated from the shared key Ka and the parameter for generating Ka'; or the shared key Ka selected according to the selection parameter; or the session key Ka' generated from the shared key Ka selected according to the selection parameter and the parameter for generating Ka'.
The method further comprises: the authentication server authenticates the DHCP network device; and/or the DHCP network device authenticates the authentication server.
When the authentication server re-authenticates the user, the method further comprises: the authentication server initiates the re-authentication flow and notifies the DHCP network device; after receiving the re-authentication notice, the DHCP network device uses a DHCP Force Renew message carrying DHCP authentication information to re-authenticate the user.
When the network supports user roaming, a relay authentication server is placed between the DHCP network device and the authentication server, and the relay authentication server relays the information exchanged between the DHCP network device and the authentication server.
The DHCP network device comprises a DHCP server or a DHCP relay server.
The invention provides another method for implementing authentication, comprising: the user authenticates the network device.
The process by which the user authenticates the network device specifically comprises: after the DHCP network device receives the DHCP message sent by the user, it obtains the authentication information corresponding to the user through interaction with the authentication server; the user obtains, via the DHCP network device, the information needed to authenticate the network from that authentication information, generates network-authentication information from it, and authenticates the network device based on the generated information; or the user authenticates the network device based on the shared key Ka.
The authentication information comprises: a session key Ka' for the user, generated from the key Ka shared between the authentication server and the user, together with the parameter used to generate Ka'; or the key Ka shared between the authentication server and the user; or, when several keys are shared between the authentication server and the user, the shared key Ka the authentication server designates for the user together with the selection parameter corresponding to that designated key Ka; or, when several keys are shared between the authentication server and the user, the selection parameter of the shared key Ka designated for the user, together with the session key Ka' generated from that designated key Ka and the parameter used to generate Ka'.
The information needed to authenticate the network, within the authentication information, comprises: the parameter used to generate the session key Ka'; or the selection parameter of the designated shared key Ka; or both the selection parameter of the designated shared key Ka and the parameter used to generate the session key Ka' from that designated key.
The network-authentication information comprises: the session key Ka' generated from the shared key Ka and the parameter for generating Ka'; or the shared key Ka selected according to the selection parameter; or the session key Ka' generated from the shared key Ka selected according to the selection parameter and the parameter for generating Ka'.
The invention provides an authentication system comprising an authentication server, a DHCP network device and a user equipment. The authentication server is used, after receiving a message carrying user information sent by the DHCP network device, to provide the authentication information corresponding to the user to the DHCP network device. The DHCP network device is used, after receiving the DHCP message sent by the user equipment, to send the user information carried in the DHCP message to the authentication server, to obtain the authentication information corresponding to the user through interaction with the authentication server, and to perform DHCP authentication on the user based on the information needed to authenticate the client within the authentication information.
The authentication server comprises a user information acquiring unit, an authentication information generation unit and an authentication information transmission unit. The user information acquiring unit obtains the user's user identifier from the message received from the DHCP network device; the authentication information generation unit extracts or generates the authentication information corresponding to the user according to the user identifier; the authentication information transmission unit transmits the authentication information obtained by the generation unit to the DHCP network device.
The authentication server further comprises a first authentication unit, used to authenticate the DHCP network device.
The DHCP network device further comprises an authentication information acquiring unit, used to obtain the authentication information through interaction with the authentication server, and a DHCP authentication unit, used to perform DHCP authentication on the user according to the information needed to authenticate the client within the authentication information obtained by the acquiring unit.
The DHCP network device further comprises a notification unit, used to notify the authentication server of the user's user identifier and of the authentication result for the user.
The DHCP network device further comprises a second authentication unit, used to authenticate the authentication server.
The DHCP network device further comprises a transmission unit for the information needed to authenticate the network, used to send, in the DHCP messages it transmits, the network-authentication information needed from the authentication information obtained by the acquiring unit.
The user equipment comprises a DHCP message transmission unit and a network authentication unit. The DHCP message transmission unit sends the user's DHCP messages and receives the DHCP messages sent by the DHCP network device. The network authentication unit, when the user and the network share one key and the parameter for generating the session key Ka' is empty, authenticates the network device based on the shared key Ka; otherwise, it obtains the information needed to authenticate the network from the DHCP message received by the DHCP message transmission unit, generates network-authentication information from it, and authenticates the network device according to that information.
The authentication system further comprises a relay authentication server, used to relay the information exchanged between the authentication server and the DHCP network device when the user is roaming.
The DHCP network device comprises a DHCP server or a DHCP relay server.
The invention provides an authentication server comprising a user information acquiring unit, an authentication information generation unit and an authentication information transmission unit. The user information acquiring unit obtains the user's user identifier from the message received from the DHCP network device; the authentication information generation unit extracts or generates, according to the user identifier, the authentication information corresponding to that identifier; the authentication information transmission unit transmits the authentication information obtained by the generation unit to the DHCP network device.
The authentication server further comprises a first authentication unit, used to authenticate the DHCP network device.
The invention provides a DHCP network device comprising an authentication information acquiring unit, used to obtain the authentication information corresponding to the user through interaction with the authentication server, and a DHCP authentication unit, used to perform DHCP authentication on the user according to the information needed to authenticate the client within the authentication information obtained by the acquiring unit.
The DHCP network device further comprises a notification unit, used to notify the authentication server of the user's user identifier and of the authentication result for the user.
The DHCP network device further comprises a second authentication unit, used to authenticate the authentication server.
The DHCP network device further comprises a transmission unit for the information needed to authenticate the network, used to send, in the DHCP messages it transmits, the network-authentication information needed from the authentication information obtained by the acquiring unit.
The DHCP network device comprises a DHCP server or a DHCP relay server.
The invention provides a user equipment comprising an authentication information generation unit and a network authentication unit. The authentication information generation unit obtains the information needed to authenticate the network from the received DHCP message and generates network-authentication information from it; the network authentication unit authenticates the network device according to that information.
As can be seen from the technical solution above, in the present invention the DHCP network device obtains the authentication information corresponding to the user through interaction with the authentication server, and then performs DHCP authentication on the user based on the information needed to authenticate the client within that authentication information. Security authentication can thus be carried out for each user, guaranteeing not only the security of the user but also the security of the network device.
In addition, the present invention can realize authentication of the network by the user through the DHCP authentication mechanism.
In addition, by adding a relay authentication server the present invention can achieve effective authentication of the user at the roaming location; and since the authentication server can initiate the re-authentication process, the present invention allows the network to re-authenticate the user.
Description of drawings
Fig. 1 is the RADIUS-based authentication process provided by the background art;
Fig. 2 is network model A corresponding to the DHCP protocol, provided by the background art;
Fig. 3 is network model B corresponding to the DHCP protocol, provided by the background art;
Fig. 4 is the flow chart of the authentication and address allocation process provided by the prior art;
Fig. 5 is the flow chart of the first embodiment provided by the invention;
Fig. 6 is the processing flow in the first embodiment provided by the invention when the authentication protocol is RADIUS and the DHCP network device is a DHCP SERVER;
Fig. 7 is the processing flow in the first embodiment provided by the invention when the authentication protocol is RADIUS and the DHCP network device is a DHCP RELAY;
Fig. 8 is the system structure diagram of the third embodiment provided by the invention;
Fig. 9 is the structure diagram of the authentication server in the fourth embodiment provided by the invention;
Fig. 10 is the structure diagram of the DHCP network device in the fifth embodiment provided by the invention;
Fig. 11 is the structure diagram of the user equipment in the sixth embodiment provided by the invention.
Embodiments
The present invention uses the DHCP authentication mechanism to solve the security problem and to realize authentication of the network by the user. To solve the roaming problem, the shared key needed for DHCP authentication is at the same time used for authenticating the user's network access; in addition, re-authentication is initiated through the DHCP network device, so that the DHCP mechanism can be used effectively to support re-authentication. At the same time, a cascaded authentication relationship is formed between the authentication server, the DHCP network device and the DHCP CLIENT, and this relationship is used to complete the authentication server's access authentication of the user. Because authentication is based on each individual user, the present invention fully guarantees security.
The first embodiment provided by the invention is the first method for implementing authentication. Its core is: after the DHCP network device receives the DHCP message sent by the user, it obtains, through interaction with the authentication server, the authentication information to be used when performing DHCP authentication with the user; the DHCP network device then performs DHCP authentication on the user based on the part of that authentication information that is used for authenticating the user. When implementing the invention, the user and the authentication server share one key Ka or several shared keys, and the authentication server and the DHCP network device share a key Kd. The specific implementation of the first embodiment, shown in Figure 5, comprises the following steps:
Step S101: the user sends a DHCP message carrying its user identifier to the DHCP network device.
Step S102: after receiving the DHCP message sent by the user, the DHCP network device sends the user identifier carried in the DHCP message to the authentication server and requests authentication of the user.
Step S103: after receiving the user identifier, the authentication server extracts the authentication information corresponding to that identifier and sends it to the DHCP network device.
The specific implementation of step S103 covers the following four cases:
First case: when one shared key Ka is shared between the user and the authentication server and the parameter for generating the session key Ka' is empty, the authentication server directly extracts the key Ka as the authentication information and sends it to the DHCP network device.
Second case: when one shared key Ka is shared between the user and the authentication server and the parameter for generating the session key Ka' is not empty, the authentication server uses the key Ka shared with the user and the parameter for generating Ka' to generate the corresponding session key Ka', and sends the session key Ka' and the parameter used to generate it, as authentication information, to the DHCP network device.
Third case: when several shared keys exist between the user and the authentication server, the authentication server designates one shared key Ka for the user; when the parameter for generating the session key Ka' is empty, the authentication server sends the shared key Ka designated for the user and the selection parameter corresponding to that key, as authentication information, to the DHCP network device.
Fourth case: when several shared keys exist between the user and the authentication server, the authentication server designates one shared key Ka for the user; when the parameter for generating the session key Ka' is not empty, it generates the corresponding session key Ka' from the designated shared key Ka and the parameter for generating Ka', and then sends the session key Ka', the parameter used to generate it and the selection parameter of the designated shared key Ka, as authentication information, to the DHCP network device.
Step S104: the DHCP network device obtains, from the authentication information sent by the authentication server, the information needed to authenticate the user, and performs DHCP authentication on the user based on that information.
Corresponding to the four cases of step S103, the specific implementation of step S104 also divides into four cases:
First case: when one shared key Ka is shared between the user and the authentication server and the parameter for generating the session key Ka' is empty, the information for authenticating the user that the DHCP network device obtains from the authentication information sent by the authentication server comprises the shared key Ka corresponding to the user. The DHCP network device uses the key Ka to authenticate the received DHCP message and so verify the legitimacy of the user who sent it; that is, the DHCP network device performs the computation over the received DHCP message with the key Ka and compares the result with the message authentication code carried in the DHCP message; if they are consistent, the user is a valid user.
Second case: when one shared key Ka is shared between the user and the authentication server and the parameter for generating the session key Ka' is not empty, the information for authenticating the user that the DHCP network device obtains from the authentication information sent by the authentication server comprises the session key Ka' corresponding to the user. The DHCP network device uses the session key Ka' to authenticate the received DHCP message and so verify the legitimacy of the user who sent it; that is, the DHCP network device performs the computation over the received DHCP message with the session key Ka' and compares the result with the message authentication code carried in the DHCP message; if they are consistent, the user is a valid user.
Third case: when several shared keys exist between the user and the authentication server, the authentication server designates one shared key Ka for the user, and when the parameter for generating the session key Ka' is empty, the information for authenticating the user that the DHCP network device obtains from the authentication information sent by the authentication server comprises the designated shared key Ka. The DHCP network device uses the key Ka to authenticate the received DHCP message and so verify the legitimacy of the user who sent it; that is, the DHCP network device performs the computation over the received DHCP message with the key Ka and compares the result with the message authentication code carried in the DHCP message; if they are consistent, the user is a valid user.
The 4th kind of situation: when sharing a plurality of shared key between user and the described certificate server, described certificate server is that described user specifies a shared key K a, and when the parameter that generates session key Ka ' is not sky, the described authentication information that the described DHCP network equipment sends to according to described certificate server obtains authenticating the required information of described user, comprising: the session key Ka ' that generates according to the shared key K a of described appointment; The described DHCP network equipment utilizes described session key Ka ' that the DHCP message that receives is authenticated, send the user's of DHCP message legitimacy with checking, that is to say, the described DHCP network equipment utilizes described session key Ka ' that the DHCP message that receives is calculated, and whether the message authentication code that relatively carries in result of calculation and the described DHCP message is consistent, if consistent, illustrate that then described user is a validated user.
Step S105 after the described DHCP network equipment passes through user DHCP authentication, reports described certificate server with the user ID of described user's correspondence, and authentication result is notified to described certificate server.
Based on the first embodiment above, authentication of the network side by the user can also be realized. The specific implementation is as follows:
In the first case, that is, when one shared key Ka is shared between the user and the authentication server and the parameter for generating the session key Ka' is empty, the user directly authenticates the received DHCP message with the key Ka: the user performs a computation over the received DHCP message with the key Ka and compares the result with the message authentication code carried in the DHCP message; if they are consistent, the DHCP network device is legitimate.
In the other three cases, the DHCP network device must send the user the information required to authenticate the network; after receiving it, the user uses that information to obtain the authentication information required to authenticate the network, and performs DHCP authentication of the network device based on that authentication information. The specific implementation is as follows:
In the second case, that is, when one shared key Ka is shared between the user and the authentication server and the parameter for generating the session key Ka' is not empty, the DHCP network device sends the corresponding user the information required to authenticate the network, such as the parameter for generating the session key Ka'; after receiving the parameter for generating the session key Ka', the user generates the corresponding session key Ka' from the shared key Ka and that parameter, and authenticates the network device based on the session key Ka'.
In the third case, that is, when several shared keys are shared between the user and the authentication server, the authentication server designates one shared key Ka for the user, and the parameter for generating the session key Ka' is empty, the DHCP network device sends the user the selection parameter of the corresponding designated shared key Ka; the user selects the corresponding key Ka from the several shared keys according to the selection parameter, and authenticates the network device based on the key Ka.
In the fourth case, that is, when several shared keys are shared between the user and the authentication server, the authentication server designates one shared key Ka for the user, and the parameter for generating the session key Ka' is not empty, the DHCP network device sends the user the selection parameter of the corresponding designated shared key Ka together with the parameter for generating the session key Ka' of the corresponding designated shared key Ka; the user selects the corresponding key Ka from the several shared keys according to the selection parameter, computes the corresponding session key Ka' from the key Ka and the parameter for generating the session key Ka', and authenticates the network device based on the session key Ka'.
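The four cases of steps S103 and S104 and the user's mirror-image check of the network side, as an added example that is not part of the patent: the authentication server's key selection and Ka' derivation, the user's reconstruction of the same key from the forwarded selection parameter and nonce, and the option 90 message authentication code check in both directions. The derivation function for Ka', the HMAC-MD5 code computed with hops, giaddr and the code field zeroed (the rule of RFC 3118), the simplified message layout and all key and nonce values are assumptions or constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

MAC_LEN = 16  # RFC 3118 option 90 carries a 16-byte HMAC-MD5 value


def derive_session_key(ka: bytes, nonce: bytes) -> bytes:
    """Ka' from Ka and the parameter for generating the session key (a nonce).
    The patent does not fix the derivation function; HMAC-SHA256 is an assumption."""
    return hmac.new(ka, nonce, hashlib.sha256).digest()


@dataclass
class AuthInfo:
    """What the authentication server sends to the DHCP network device (step S103)."""
    dhcp_key: bytes                  # Ka (cases 1 and 3) or Ka' (cases 2 and 4)
    nonce: Optional[bytes] = None    # parameter for generating Ka'; None means 'empty'
    selection: Optional[int] = None  # selection parameter of Ka when several keys are shared

    def network_auth_info(self) -> dict:
        """The subset the DHCP device forwards so the user can authenticate the network.
        In case 1 nothing is forwarded: the user already holds Ka."""
        info = {}
        if self.selection is not None:
            info["selection"] = self.selection
        if self.nonce is not None:
            info["nonce"] = self.nonce
        return info


def auth_server_issue(shared_keys: List[bytes], selection: Optional[int],
                      nonce: Optional[bytes]) -> AuthInfo:
    """Authentication server side of step S103: take the single shared key, or the one
    named by 'selection' when several are shared, and derive Ka' if a nonce is present."""
    if len(shared_keys) == 1:
        ka, selection = shared_keys[0], None
    else:
        if selection is None:
            raise ValueError("several shared keys: the server must designate one")
        ka = shared_keys[selection]
    key = ka if nonce is None else derive_session_key(ka, nonce)
    return AuthInfo(key, nonce, selection)


def user_resolve_key(shared_keys: List[bytes], info: dict) -> bytes:
    """User side: rebuild the same key from the forwarded information."""
    ka = shared_keys[info.get("selection", 0)]
    return ka if "nonce" not in info else derive_session_key(ka, info["nonce"])


@dataclass
class DhcpMessage:
    """Constructed stand-in for a DHCPv4 message protected by option 90 (not the real wire format)."""
    hops: int
    giaddr: bytes   # 4 bytes; a relay rewrites hops and giaddr in flight
    body: bytes     # rest of the header and options, excluding the code itself
    mac: bytes = b""

    def mac_input(self) -> bytes:
        # RFC 3118: hops, giaddr and the HMAC-MD5 field are zero while the code is computed,
        # so a relay on the path does not invalidate the authentication code
        return bytes(1) + bytes(4) + self.body + bytes(MAC_LEN)


def sign(key: bytes, msg: DhcpMessage) -> DhcpMessage:
    """Sender side: fill in the option 90 authentication code."""
    msg.mac = hmac.new(key, msg.mac_input(), hashlib.md5).digest()
    return msg


def verify(key: bytes, msg: DhcpMessage) -> bool:
    """Receiver side (step S104 on the device, or the user checking the device): recompute
    the code with the key and compare it with the one carried in the message."""
    expected = hmac.new(key, msg.mac_input(), hashlib.md5).digest()
    return len(msg.mac) == MAC_LEN and hmac.compare_digest(expected, msg.mac)


def run_case(shared_keys: List[bytes], selection: Optional[int],
             nonce: Optional[bytes]) -> bool:
    """One of the four cases end to end: the server issues the key material, the device
    signs an OFFER that crosses a relay, the user verifies it, then the user signs a
    REQUEST and the device verifies that (message bodies are constructed)."""
    issued = auth_server_issue(shared_keys, selection, nonce)
    user_key = user_resolve_key(shared_keys, issued.network_auth_info())
    offer = sign(issued.dhcp_key, DhcpMessage(0, bytes(4), b"OFFER yiaddr=10.0.0.5"))
    offer.hops, offer.giaddr = 1, bytes([10, 0, 0, 1])  # a relay on the path rewrites these
    if not verify(user_key, offer):
        return False
    request = sign(user_key, DhcpMessage(0, bytes(4), b"REQUEST user-id=alice"))
    return verify(issued.dhcp_key, request)
```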
Based on the first embodiment above, authentication of the DHCP network device by the authentication server can also be realized; one method is to authenticate based on a key Kd shared between the authentication server and the DHCP network device. The specific implementation is as follows:
While executing step S103 of the first embodiment above, the authentication server also sends an authentication challenge to the DHCP network device;
after receiving the authentication challenge, the DHCP network device performs a computation over it with the shared key Kd and sends the resulting authentication return value to the authentication server in a message;
after receiving the message sent by the DHCP network device, the authentication server performs a computation over the earlier authentication challenge with the shared key Kd, compares its own result with the received authentication return value and, if they are consistent, considers the DHCP network device legitimate; otherwise it considers it illegitimate.
Likewise, authentication of the authentication server by the DHCP network device can also be realized based on the first embodiment; one method is to authenticate based on the key Kd shared between the authentication server and the DHCP network device. The specific implementation is as follows:
The DHCP network device sends an authentication challenge to the authentication server;
after receiving the authentication challenge, the authentication server performs a computation over it with the shared key Kd and sends the result to the DHCP network device in a message;
after receiving the message sent by the authentication server, the DHCP network device performs a computation over the original authentication challenge with the shared key Kd, compares its own result with the received result and, if they are consistent, considers the authentication server legitimate; otherwise it considers it illegitimate.
Two-way trust between the DHCP network device and the authentication server can be guaranteed by a shared password, by digital certificates that each side holds for the other, or by a secure transport channel built on techniques such as IPsec (IP security) or TLS (Transport Layer Security, RFC2246); this is not discussed within the scope of this patent.
In addition, re-authentication of the user can also be realized based on the first embodiment above. In this case the authentication server triggers the re-authentication flow and notifies the DHCP network device; after receiving the re-authentication notification, the DHCP network device re-authenticates the user with a DHCP Force Renew (DHCP forced renewal) message carrying the authentication information.
In addition, the first embodiment above can also support user roaming. In this case a relay authentication server is placed between the DHCP network device and the authentication server, and the interaction between the DHCP network device and the authentication server is relayed through the relay authentication server.
The interaction between the DHCP network device and the authentication server described in the first embodiment above uses an authentication protocol, which includes the RADIUS protocol, the DIAMETER protocol, or EAP (Extensible Authentication Protocol, RFC3748).
The interaction between the DHCP network device and the DHCP CLIENT described in the first embodiment above uses the DHCP protocol, including the DHCPv4 protocol for IPv4 following RFC2131 and/or the DHCPv6 protocol for IPv6 following RFC3315. The DHCP message includes the DISCOVER message of DHCPv4 or the SOLICIT message of DHCPv6.
The DHCP network device above includes the DHCP SERVER and the DHCP relay server.
The first embodiment is now described in detail taking RADIUS as the authentication protocol and a DHCP SERVER as the DHCP network device; the processing flow, shown in Figure 6, comprises the following steps:
Step 1: the user sends a DHCP DISCOVER message carrying OPTION 90 (this OPTION 90 does not carry an authentication code) together with the user ID.
Step 2: after the DHCP SERVER receives the DHCP DISCOVER message, it constructs, as the authentication client, a RADIUS access request authentication message carrying the user ID.
Step 3: after the AA-SERVER (authentication server) receives the RADIUS access request authentication message, it produces, from the key Ka shared with the user and the parameter for generating the session key Ka' (the random nonce in Figure 6), an authentication key used for DHCP authentication, namely the session key Ka', and then sends the session key Ka' and the parameter to the DHCP SERVER.
If the AA-SERVER also needs to authenticate the DHCP SERVER, it must at the same time send an authentication challenge to the DHCP SERVER, the "challenge" in Figure 6.
Step 4: the DHCP SERVER uses Ka' to generate the option90 field and sends it, together with the nonce value, to the DHCP CLIENT.
Step 5: after the DHCP CLIENT receives the nonce value, it combines it with the key Ka shared with the network to generate the session key Ka', and verifies the message sent by the DHCP SERVER with Ka', thereby authenticating the network.
Step 6: the DHCP CLIENT sends a DHCP REQ (DHCP request) message carrying option90 and the user ID.
Step 7: the DHCP SERVER authenticates the DHCP REQ message according to the option90 standard; if it passes, the user is considered to have passed network authentication.
The DHCP SERVER sends an ACCESS REQ (authentication request) message to the authentication server; this request carries the user ID and, if the DHCP SERVER needs to be authenticated, the authentication return value as well, the "challenge resp using Kd" (challenge response computed with Kd) in Figure 6.
Step 8: after the AA-SERVER receives the authentication request message sent by the DHCP SERVER, it performs a computation over the authentication challenge sent in step 3 with the shared key Kd; if the result is consistent with the authentication return value carried in the authentication request message, the DHCP SERVER is considered legitimate.
Once the AA-SERVER has passed the DHCP SERVER through authentication, the user authentication that the DHCP SERVER carried at the same time is also passed.
The authentication server returns an ACCESS ACCEPT (authentication passed) message.
Step 9: the DHCP SERVER returns to the user a DHCP ACK (DHCP response) message carrying DHCP option90, completing the authentication and address assignment procedure.
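The RADIUS-side exchange of Figure 6 (steps 2, 3, 7 and 8) together with the Kd challenge-response described above, as an added example that is not part of the patent: the AA-SERVER issues the nonce, Ka' and a challenge on the first ACCESS REQ, and accepts the user only after the DHCP SERVER's Kd response to that challenge checks out. The message encoding (plain dicts), the HMAC-SHA256 computations for Ka' and for the challenge response, and the user 'alice' with her keys are assumptions or constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


def derive_session_key(ka: bytes, nonce: bytes) -> bytes:
    """Ka' from Ka and the nonce (HMAC-SHA256 is an assumption; the patent fixes no function)."""
    return hmac.new(ka, nonce, hashlib.sha256).digest()


def challenge_response(kd: bytes, challenge: bytes) -> bytes:
    """The 'challenge resp using Kd' of Figure 6 (HMAC-SHA256 assumed; the patent says 'calculate')."""
    return hmac.new(kd, challenge, hashlib.sha256).digest()


class AAServer:
    """AA-SERVER: Ka per user ID plus the key Kd shared with the DHCP SERVER."""

    def __init__(self, user_keys: Dict[str, bytes], kd: bytes, authenticate_dhcp_server: bool = True):
        self.user_keys = user_keys
        self.kd = kd
        self.authenticate_dhcp_server = authenticate_dhcp_server
        self.pending: Dict[str, bytes] = {}  # user ID -> challenge issued in step 3

    def access_request(self, msg: dict) -> dict:
        """The first ACCESS REQ per user carries only the user ID (step 2); the second one
        reports that the user passed the option 90 check (step 7)."""
        user = msg["user_id"]
        ka = self.user_keys.get(user)
        if ka is None:
            return {"code": "ACCESS-REJECT", "reason": "unknown user"}
        if not msg.get("user_authenticated"):
            return self._issue_key_material(user, ka)
        return self._finish(user, msg.get("challenge_resp"))

    def _issue_key_material(self, user: str, ka: bytes) -> dict:
        # step 3: nonce and Ka' for the DHCP SERVER, plus a challenge when the DHCP SERVER
        # itself must be authenticated
        nonce = os.urandom(16)
        reply = {"code": "ACCESS-CHALLENGE", "nonce": nonce, "session_key": derive_session_key(ka, nonce)}
        if self.authenticate_dhcp_server:
            reply["challenge"] = self.pending[user] = os.urandom(16)
        return reply

    def _finish(self, user: str, resp: Optional[bytes]) -> dict:
        # step 8: recompute the response to the step 3 challenge with Kd and compare
        if self.authenticate_dhcp_server:
            challenge = self.pending.pop(user, None)  # one-shot: a replayed report fails
            if challenge is None:
                return {"code": "ACCESS-REJECT", "reason": "no outstanding challenge"}
            if resp is None or not hmac.compare_digest(challenge_response(self.kd, challenge), resp):
                return {"code": "ACCESS-REJECT", "reason": "DHCP SERVER failed the Kd check"}
        return {"code": "ACCESS-ACCEPT"}

    def answer_challenge(self, challenge: bytes) -> bytes:
        """Reverse direction: the DHCP SERVER challenges the AA-SERVER with Kd."""
        return challenge_response(self.kd, challenge)


class DhcpServer:
    """DHCP SERVER acting as the authentication client of Figure 6."""

    def __init__(self, kd: bytes, aa: AAServer):
        self.kd, self.aa = kd, aa
        self.sessions: Dict[str, dict] = {}  # user ID -> step 3 reply (Ka', nonce, challenge)

    def on_discover(self, user_id: str) -> Optional[bytes]:
        """Step 2: fetch Ka' and the nonce; returns the nonce sent to the DHCP CLIENT next to
        option 90 in step 4, or None if the AA-SERVER rejected the user."""
        reply = self.aa.access_request({"user_id": user_id})
        if reply["code"] != "ACCESS-CHALLENGE":
            return None
        self.sessions[user_id] = reply
        return reply["nonce"]

    def on_request_authenticated(self, user_id: str) -> bool:
        """Step 7: the REQ passed the option 90 check; report it, answering the step 3
        challenge with Kd if one was issued. True on ACCESS ACCEPT (step 8)."""
        session = self.sessions[user_id]
        msg = {"user_id": user_id, "user_authenticated": True}
        if "challenge" in session:
            msg["challenge_resp"] = challenge_response(self.kd, session["challenge"])
        return self.aa.access_request(msg)["code"] == "ACCESS-ACCEPT"

    def authenticate_aa(self) -> bool:
        """The DHCP SERVER authenticating the AA-SERVER with a challenge of its own."""
        challenge = os.urandom(16)
        return hmac.compare_digest(challenge_response(self.kd, challenge), self.aa.answer_challenge(challenge))


def run_figure6(user_ka: bytes, server_ka: bytes, kd_dhcp: bytes, kd_aa: bytes,
                authenticate_dhcp_server: bool = True) -> bool:
    """Whole flow for the constructed user 'alice': True only if the DHCP CLIENT derives the
    same Ka' as the DHCP SERVER and the AA-SERVER finally returns ACCESS ACCEPT."""
    aa = AAServer({"alice": server_ka}, kd_aa, authenticate_dhcp_server)
    dhcp = DhcpServer(kd_dhcp, aa)
    nonce = dhcp.on_discover("alice")
    if nonce is None or derive_session_key(user_ka, nonce) != dhcp.sessions["alice"]["session_key"]:
        return False  # step 5: the client's Ka' would not verify the OFFER
    accepted = dhcp.on_request_authenticated("alice")
    if accepted and authenticate_dhcp_server and dhcp.on_request_authenticated("alice"):
        return False  # a replayed step 7 report must not be accepted again
    return accepted
```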
When user roaming is supported and the AA-SERVER finds that the user is not a local user, it can locate the AA-SERVER of the user's home network through the authentication roaming interface; in this case the nonce value and the session key Ka' are provided by the home network's AA-SERVER, and the authentication is relayed between the home network's AA-SERVER and the AA-SERVER above.
For re-authentication, the authentication protocol must first support re-authentication; the DHCP SERVER can then combine the Force Renew procedure defined in the DHCP protocol with the option90 standard to complete re-authentication. The Force Renew procedure follows the RFC3203 standard.
The above description uses only RADIUS as the authentication protocol; the invention is not limited to the RADIUS protocol.
The first embodiment is now described in detail taking RADIUS as the authentication protocol and a DHCP RELAY as the DHCP network device. In this example the DHCP RELAY entity implements the authentication client function, and the authentication server and the DHCP RELAY share a key Kd. For the DHCP messages carrying OPTION 90 sent from the user side, the DHCP RELAY performs message-based authentication and then removes option90, carrying out the DHCP process with the DHCP SERVER without option90; it adds option90 to the DHCP messages sent by the DHCP SERVER and carries out the DHCP option90-protected message authentication process with the user. The specific implementation, shown in Figure 7, comprises the following steps:
Step 1: the user sends a DHCP DISCOVER message carrying OPTION 90 (this OPTION 90 does not carry an authentication code) together with the user ID.
Step 2: after the DHCP RELAY receives the DHCP DISCOVER message, it constructs, as the authentication client, a RADIUS ACCESS REQ (access request authentication) message carrying the user ID.
Step 3: after the AA-SERVER receives the RADIUS access request authentication message, it produces, from the key Ka shared with the user and the parameter for generating the session key Ka' (the random nonce in Figure 7), an authentication key used for DHCP authentication, namely the session key Ka', and then sends the session key Ka' and the parameter to the DHCP RELAY.
If the AA-SERVER also needs to authenticate the DHCP SERVER, it must at the same time send an authentication challenge to the DHCP RELAY, the "challenge" in Figure 7.
Step 4: the DHCP RELAY sends a DHCP DISCOVER, without option90, to the DHCP SERVER.
Step 5: the DHCP SERVER sends a DHCP OFFER to the DHCP RELAY.
Step 6: the DHCP RELAY uses Ka' to generate the option90 field and sends the option90 field and the nonce value to the DHCP CLIENT in the DHCP OFFER message.
Step 7: after the DHCP CLIENT receives the nonce value, it combines it with the key Ka shared with the network to generate the session key Ka', and verifies the message sent by the DHCP RELAY with Ka', thereby authenticating the network.
Step 8: the DHCP CLIENT sends a DHCP REQ message carrying the option90 field generated with Ka' and the user ID.
Step 9: the DHCP RELAY authenticates the DHCP REQ message according to the option90 standard; if it passes, the user is considered to have passed network authentication.
Step 10: the DHCP RELAY sends an authentication request message to the authentication server; this request carries the user ID and, if the DHCP network device needs to be authenticated, the authentication return value as well, the "challenge resp using Kd" (authentication return value computed with Kd) in Figure 7.
Step 11: after the AA-SERVER receives the ACCESS REQ authentication request message sent by the DHCP RELAY, it performs a computation over the challenge sent in step 3 with the shared key Kd; if the result is consistent with the authentication return value carried in the authentication request message, the DHCP RELAY is considered legitimate and an ACCESS ACCEPT is sent to the DHCP RELAY.
Step 12: the DHCP RELAY sends a DHCP REQ to the DHCP SERVER.
Step 13: the DHCP SERVER returns a DHCP ACK to the DHCP RELAY.
Step 14: the DHCP RELAY returns to the user a DHCP ACK message carrying DHCP option90, completing the authentication and address assignment procedure.
When user roaming is supported and the AA-SERVER finds that the user is not a local user, it can locate the AA-SERVER of the user's home network through the authentication roaming interface; in this case the nonce value and Ka' are provided by the home network's AA-SERVER, and the authentication is relayed between the home network's AA-SERVER and the AA-SERVER above.
For re-authentication, the authentication protocol must first support re-authentication; the DHCP RELAY can then combine the Force Renew procedure defined in the DHCP protocol with the option90 standard to complete re-authentication. The Force Renew procedure follows the RFC3203 standard.
The second embodiment provided by the invention is a second method of realizing authentication, whose main idea is that the user authenticates the network device. Its main implementation is as follows:
First, the user sends a DHCP message to the DHCP network device.
After the DHCP network device receives the DHCP message sent by the user, it obtains the authentication information corresponding to the user through interaction with the authentication server. This process is identical to the corresponding description in the first embodiment and is not described in detail here. The obtained authentication information corresponding to the user comprises the following: the session key Ka' corresponding to the user, generated from the key Ka shared between the authentication server and the user, together with the parameter for generating the session key Ka'; or the key Ka shared between the authentication server and the user; or, when several keys are shared between the authentication server and the user, the shared key Ka designated by the authentication server for the user and the selection parameter of that designated shared key Ka; or, when several keys are shared between the authentication server and the user, the selection parameter of the shared key Ka designated by the authentication server for the user, together with the session key Ka' corresponding to that designated shared key Ka and the parameter for generating the session key Ka'.
When the parameter for generating the session key Ka' is empty and one key Ka is shared between the user and the authentication server, the user can authenticate the network device directly with the key Ka.
When the parameter for generating the session key Ka' is empty and several keys are shared between the user and the authentication server, or when the parameter for generating the session key Ka' is not empty, the DHCP network device must send the user device the information required to authenticate the network that is contained in the authentication information it obtained; the user then generates the authentication information for authenticating the network from that information, and authenticates the network device based on the generated authentication information. The information required to authenticate the network contained in the authentication information comprises: the parameter for generating the session key Ka'; or the selection parameter of the corresponding designated shared key Ka; or the selection parameter of the corresponding designated shared key Ka together with the parameter for generating the session key Ka' of the corresponding designated shared key Ka. The authentication information for authenticating the network comprises: the session key Ka' generated from the shared key Ka and the parameter for generating the session key Ka'; or the corresponding shared key Ka selected according to the selection parameter; or the session key Ka' generated from the corresponding shared key Ka selected according to the selection parameter and the parameter for generating the session key Ka'. The specific implementation of this part is as follows:
When one shared key Ka is shared between the user and the authentication server and the parameter for generating the session key Ka' is not empty, after the user receives the parameter for generating the session key Ka', the user generates the corresponding session key Ka' from the shared key Ka and that parameter, and authenticates the network device based on the session key Ka'.
When several shared keys are shared between the user and the authentication server, the authentication server designates one shared key Ka for the user, and the parameter for generating the session key Ka' is empty, the user selects the corresponding key Ka from the several shared keys according to the selection parameter, and authenticates the network device based on the key Ka.
When several shared keys are shared between the user and the authentication server, the authentication server designates one shared key Ka for the user, and the parameter for generating the session key Ka' is not empty, the user selects the corresponding key Ka from the several shared keys according to the selection parameter, computes the corresponding session key Ka' from the key Ka and the parameter for generating the session key Ka', and authenticates the network device based on the session key Ka'.
The third embodiment provided by the invention is an authentication system whose structure, shown in Figure 8, comprises an authentication server, a DHCP network device and a user device.
The authentication server comprises a user information acquiring unit, an authentication information generating unit and an authentication information sending unit; when the DHCP network device needs to be authenticated, the authentication server also comprises a first authentication unit.
The DHCP network device comprises an authentication information acquiring unit and a DHCP authentication unit; the DHCP network device may also comprise a notification unit; when the authentication server needs to be authenticated, the DHCP network device may also comprise a second authentication unit; and when user authentication of the network is to be realized, the DHCP network device must also comprise a sending unit for the information required to authenticate the network.
The user device comprises a DHCP message transmission unit and a network authentication unit.
The signal transmission and processing relationships between the authentication server, the DHCP network device and the user device are described below:
The user device sends the user's DHCP message, which carries the user's user ID, to the DHCP network device through the DHCP message transmission unit.
The DHCP network device sends the user ID to the authentication server.
The authentication server obtains the user's user ID from the received message sent by the DHCP network device through the user information acquiring unit;
then the authentication information generating unit extracts or generates the authentication information corresponding to the user according to the user ID. The authentication information comprises: the session key Ka' corresponding to the user, generated from the key Ka shared between the authentication server and the user, together with the parameter for generating the session key Ka'; or the key Ka shared between the authentication server and the user; or, when several keys are shared between the authentication server and the user, the shared key Ka designated by the authentication server for the user and the selection parameter of that designated shared key Ka; or, when several keys are shared between the authentication server and the user, the selection parameter of the shared key Ka designated by the authentication server for the user, together with the session key Ka' corresponding to that designated shared key Ka and the parameter for generating the session key Ka'.
Finally, the authentication information sending unit transmits the authentication information obtained by the authentication information generating unit to the DHCP network device.
If the authentication server needs to authenticate the DHCP network device, it must also authenticate the received message through the first authentication unit, using the key Kd shared with the DHCP network device. The specific authentication process repeats the corresponding description in the method embodiment and is not described in detail here.
After the authentication information sent by the authentication server reaches the DHCP network device, the DHCP network device performs the following processing:
The DHCP network device receives the authentication information sent by the authentication server through the authentication information acquiring unit; the information required to authenticate the client contained in the authentication information comprises: the key Ka shared between the user and the authentication server; or the session key Ka' generated from the key Ka shared between the user and the authentication server.
Then the DHCP authentication unit performs DHCP authentication of the user according to the information required to authenticate the client contained in the authentication information obtained by the authentication information acquiring unit.
After authentication finishes, the notification unit notifies the authentication server of the user's user ID and of the authentication result for the user. When the authentication server needs to be authenticated, the DHCP network device authenticates the received message through the second authentication unit, using the key Kd shared with the authentication server. The specific authentication process repeats the corresponding description in the method embodiment and is not described in detail here.
When user authentication of the network device is to be realized, the user device must perform the following processing:
When one key Ka is shared between the user and the authentication server and the parameter for generating the session key Ka' is empty, the user device can authenticate the DHCP message sent by the DHCP network device through the network authentication unit based on the shared key Ka alone, thereby authenticating the network device.
When several keys are shared between the user and the authentication server and the parameter for generating the session key Ka' is empty, or when, regardless of whether one or several keys are shared between the user and the authentication server, the parameter for generating the session key Ka' is not empty, the following processing is required:
The DHCP network device sends the user device, through the sending unit for the information required to authenticate the network and by means of a DHCP message, the information required to authenticate the network contained in the authentication information obtained by the authentication information acquiring unit. The information required to authenticate the network comprises: the parameter for generating the session key Ka'; or the selection parameter of the corresponding designated shared key Ka; or the selection parameter of the corresponding designated shared key Ka together with the parameter for generating the session key Ka' of the corresponding designated shared key Ka.
After the DHCP message sent by the DHCP network device reaches the user device, the user device processes it as follows:
The user device receives the DHCP message sent by the DHCP network device through the DHCP message transmission unit.
Then the network authentication unit obtains the information required to authenticate the network from the DHCP message received by the DHCP message transmission unit, and generates, according to that information, the authentication information for performing DHCP authentication of the network device. The information required to authenticate the network comprises: the parameter for generating the session key Ka'; or the selection parameter of the corresponding designated shared key Ka; or the selection parameter of the corresponding designated shared key Ka together with the parameter for generating the session key Ka' of the corresponding designated shared key Ka.
The authentication information for performing DHCP authentication of the network device comprises: the session key Ka' generated from the shared key Ka and the parameter for generating the session key Ka'; or the corresponding shared key Ka selected according to the selection parameter; or the session key Ka' generated from the corresponding shared key Ka selected according to the selection parameter and the parameter for generating the session key Ka'.
The specific process of generating, according to the information required to authenticate the network, the authentication information for performing DHCP authentication of the network device is as follows:
When one shared key Ka is shared between the user and the authentication server and the parameter for generating the session key Ka' is not empty, after receiving the parameter for generating the session key Ka', the user device generates the corresponding session key Ka' from the shared key Ka and that parameter.
When several shared keys are shared between the user and the authentication server, the authentication server designates one shared key Ka for the user, and the parameter for generating the session key Ka' is empty, the user selects the corresponding key Ka from the several shared keys according to the received selection parameter of the corresponding designated shared key Ka.
When several shared keys are shared between the user and the authentication server, the authentication server designates one shared key Ka for the user, and the parameter for generating the session key Ka' is not empty, the user device selects the corresponding key Ka from the several shared keys according to the received selection parameter of the corresponding designated shared key Ka, and computes the corresponding session key Ka' from the key Ka and the parameter for generating the session key Ka'.
Finally, the network authentication unit authenticates the network device according to the obtained authentication information for performing DHCP authentication of the network device. The specific authentication process repeats the corresponding description in the method embodiment and is not described in detail here.
In order to support the user to roam, above-mentioned the 3rd embodiment that provides is provided, increased the relays authentication server.When the user is in roaming state, by mutual information between the described described certificate server of relays authentication server relaying and the described DHCP network equipment.
The above-mentioned described DHCP network equipment comprises: Dynamic Host Configuration Protocol server or DHCP relay server.
The fourth embodiment provided by the invention is an authentication server whose structure, as shown in Figure 9, comprises: a user information acquiring unit, an authentication information generation unit and an authentication information transmission unit.
After a message sent by the DHCP network device reaches the authentication server, the user information acquiring unit obtains the user's user ID from the received message;
The authentication information generation unit then extracts or generates, according to the user ID, the authentication information corresponding to that user ID. The authentication information comprises: the user's session key Ka', generated from the key Ka shared between the authentication server and the user, together with the parameter for generating Ka'; or the key Ka shared between the authentication server and the user; or, when several keys are shared between the authentication server and the user, the shared key Ka designated by the authentication server for the user together with the selection parameter of that designated key Ka; or, when several keys are shared between the authentication server and the user, the selection parameter of the shared key Ka designated by the authentication server for the user, together with the session key Ka' corresponding to the designated shared key Ka and the parameter for generating Ka'.
Finally, the authentication information transmission unit transmits the authentication information obtained by the authentication information generation unit to the DHCP network device.
If the DHCP network device needs to be authenticated, a first authentication unit also authenticates the received message using the key Kd shared with the DHCP network device. The detailed authentication process is the same as described in the method embodiments and is not repeated here.
The fifth embodiment provided by the invention is a DHCP network device whose structure, as shown in Figure 10, comprises: an authentication information acquiring unit and a DHCP authentication unit. The DHCP network device may further comprise a notification unit; when the authentication server needs to be authenticated, it may further comprise a second authentication unit; and when the user must be able to authenticate the network, it also comprises a network-authentication information transmission unit.
The DHCP network device receives, through the authentication information acquiring unit, the authentication information sent by the authentication server. The authentication information comprises: the user's session key Ka', generated from the key Ka shared between the authentication server and the user, together with the parameter for generating Ka'; or the key Ka shared between the authentication server and the user; or, when several keys are shared between the authentication server and the user, the shared key Ka designated by the authentication server for the user together with the selection parameter of that designated key Ka; or, when several keys are shared between the authentication server and the user, the selection parameter of the shared key Ka designated by the authentication server for the user, together with the session key Ka' corresponding to the designated shared key Ka and the parameter for generating Ka'.
The DHCP authentication unit then performs DHCP authentication of the user according to the client-authentication information contained in the authentication information obtained by the authentication information acquiring unit. The client-authentication information in the authentication information comprises: the key Ka shared between the user and the authentication server; or the session key Ka' generated from the key Ka shared between the user and the authentication server.
After authentication finishes, the notification unit reports the user's user ID to the authentication server and notifies it of the authentication result. When the authentication server needs to be authenticated, the second authentication unit of the DHCP network device authenticates the received message using the key Kd shared with the authentication server. The detailed authentication process is the same as described in the method embodiments and is not repeated here.
When the user must be able to authenticate the network, the DHCP network device, through the network-authentication information transmission unit, sends the user equipment a DHCP message carrying the information needed to authenticate the network, taken from the authentication information obtained by the authentication information acquiring unit. This information comprises: the parameter for generating the session key Ka'; or the selection parameter of the designated shared key Ka; or the selection parameter of the designated shared key Ka together with the parameter for generating the session key Ka' from the designated shared key Ka.
The DHCP network device of the fifth embodiment comprises a DHCP server or a DHCP relay server.
The sixth embodiment provided by the invention is user equipment whose structure, as shown in Figure 11, comprises: a DHCP message transmission unit, an authentication information generation unit and a network authentication unit.
The user equipment receives DHCP messages through the DHCP message transmission unit; the authentication information generation unit extracts the information needed to authenticate the network from the received DHCP message and generates from it the authentication information for authenticating the network.
The information needed to authenticate the network comprises: the parameter for generating the session key Ka'; or the selection parameter of the designated shared key Ka; or the selection parameter of the designated shared key Ka together with the parameter for generating the session key Ka' from the designated shared key Ka.
The authentication information for authenticating the network comprises: the session key Ka' generated from the shared key Ka and the parameter for generating Ka'; or the shared key Ka selected according to the selection parameter; or the session key Ka' generated from the shared key Ka selected according to the selection parameter and the parameter for generating Ka'.
The authentication information for authenticating the network is generated from the information needed to authenticate the network as follows:
When the user and the authentication server share a single key Ka and the parameter for generating the session key Ka' is not empty, the user equipment, after receiving that parameter, generates the corresponding session key Ka' from the shared key Ka and the parameter.
When the user and the authentication server share several keys, the authentication server designates one shared key Ka for the user; when the parameter for generating the session key Ka' is empty, the user selects the corresponding key Ka from the several shared keys according to the received selection parameter of the designated shared key Ka.
When the user and the authentication server share several keys, the authentication server designates one shared key Ka for the user; when the parameter for generating the session key Ka' is not empty, the user equipment selects the corresponding key Ka from the several shared keys according to the received selection parameter of the designated shared key Ka, and then computes the corresponding session key Ka' from that key Ka and the parameter for generating Ka'.
The network authentication unit of the user equipment then authenticates the network device using the authentication information for authenticating the network obtained by the authentication information generation unit. The detailed authentication process is the same as described in the method embodiments and is not repeated here.
As can be seen from the above, in the present invention the DHCP network device interacts with the authentication server to obtain the authentication information corresponding to the user, and then performs DHCP authentication of the user based on the client-authentication information in that authentication information. This provides secure authentication of the user, protecting both the user and the network device. In addition, the invention lets the user authenticate the network through the DHCP authentication mechanism; by adding a relay authentication server it can effectively authenticate a roaming user; and the authentication server can initiate a re-authentication procedure, so the invention supports re-authentication of the user by the network.
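The key handling shared by the third to sixth embodiments (the server's choice between Ka, Ka' with its generating parameter and the key selection parameter; the user equipment deriving the same key from the received parameters; the device authenticating the user and the user authenticating the network), as an added Python model that is not the patent's own code. Since the patent fixes none of these, it assumes that Ka' = HMAC-SHA256(Ka, nonce), that the selection parameter is an index into the user's key list, that a message is authenticated by an HMAC-SHA256 tag over its body, and that the offer carries the network-authentication parameters while the following request carries the user's tag; the Kd check between server and device and the relay server are not modelled.

```python
# Added model of the patent's DHCP authentication flow; see lead-in for assumptions.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def derive_session_key(ka: bytes, param: bytes) -> bytes:
    """Assumed KDF (the patent does not fix one): Ka' = HMAC-SHA256(Ka, param)."""
    return hmac.new(ka, param, hashlib.sha256).digest()


def mac(key: bytes, body: bytes) -> bytes:
    """Assumed authentication tag carried in a DHCP message body."""
    return hmac.new(key, body, hashlib.sha256).digest()


@dataclass
class AuthInfo:
    """Authentication information the authentication server returns to the DHCP device."""
    client_key: bytes               # client-authentication information: Ka or Ka'
    session_param: Optional[bytes]  # parameter that generates Ka' (None: Ka is used directly)
    select_param: Optional[int]     # selection parameter of the designated Ka (None: one key)


class AuthServer:
    """Holds each user's one or more shared keys Ka and issues AuthInfo per user ID."""

    def __init__(self, user_keys: dict):
        self.user_keys = user_keys

    def auth_info(self, user_id: str, want_session_key: bool = True,
                  select_param: Optional[int] = None,
                  session_param: Optional[bytes] = None) -> AuthInfo:
        keys = self.user_keys[user_id]
        # Several keys shared: the server designates one and tells the user which.
        select_param = (0 if select_param is None else select_param) if len(keys) > 1 else None
        ka = keys[select_param or 0]
        if not want_session_key:
            return AuthInfo(ka, None, select_param)  # Ka itself is the client key
        session_param = os.urandom(16) if session_param is None else session_param
        return AuthInfo(derive_session_key(ka, session_param), session_param, select_param)


class DhcpDevice:
    """DHCP server or relay: fetches AuthInfo for a user and DHCP-authenticates the user."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.pending = {}  # user ID -> AuthInfo obtained from the server

    def handle_discover(self, msg: dict, **server_opts) -> dict:
        """Step A: obtain the user's AuthInfo from the server, then send the user the
        network-authentication parameters in a tagged DHCP message."""
        info = self.server.auth_info(msg["user_id"], **server_opts)
        self.pending[msg["user_id"]] = info
        body = b"DHCPOFFER " + msg["user_id"].encode()
        return {"body": body, "tag": mac(info.client_key, body),
                "session_param": info.session_param, "select_param": info.select_param}

    def handle_request(self, msg: dict) -> bool:
        """Step B: DHCP-authenticate the user with the client key from the AuthInfo."""
        info = self.pending.get(msg["user_id"])
        return info is not None and hmac.compare_digest(
            mac(info.client_key, msg["body"]), msg["tag"])


class UserDevice:
    """User equipment holding the same Ka(s) the authentication server holds for it."""

    def __init__(self, user_id: str, keys: list):
        self.user_id, self.keys = user_id, keys
        self.net_key = None  # Ka or Ka' once derived from the received parameters

    def discover(self) -> dict:
        return {"user_id": self.user_id}  # the first DHCP message carries the user ID

    def handle_offer(self, offer: dict) -> bool:
        """Select Ka by the selection parameter, derive Ka' if a parameter is present,
        and authenticate the network device's message with the result."""
        sel, param = offer["select_param"], offer["session_param"]
        ka = self.keys[0 if sel is None else sel]
        self.net_key = ka if param is None else derive_session_key(ka, param)
        return hmac.compare_digest(mac(self.net_key, offer["body"]), offer["tag"])

    def request(self) -> dict:
        body = b"DHCPREQUEST " + self.user_id.encode()
        return {"user_id": self.user_id, "body": body, "tag": mac(self.net_key, body)}


def run_exchange(device: DhcpDevice, user: UserDevice, **server_opts) -> tuple:
    """Full exchange; returns (user authenticated the network, device authenticated the user)."""
    offer = device.handle_discover(user.discover(), **server_opts)
    network_ok = user.handle_offer(offer)
    return network_ok, device.handle_request(user.request())
```

A user holding a key the server does not know fails both directions, and a request with no preceding discover is rejected outright.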
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (35)

1. A method for implementing authentication, characterized in that it comprises:
A. after a Dynamic Host Configuration Protocol (DHCP) network device receives a DHCP message sent by a user, obtaining the authentication information corresponding to the user through interaction with an authentication server;
B. the DHCP network device performing DHCP authentication of the user based on the client-authentication information in the authentication information.
2. The method of claim 1, characterized in that it further comprises:
after the DHCP network device finishes DHCP authentication of the user, reporting the user's user ID to the authentication server and notifying the authentication server of the authentication result.
3. The method of claim 1, characterized in that step A specifically comprises:
the user sending a DHCP message to the DHCP network device, the message carrying the user's user ID;
after receiving the DHCP message, the DHCP network device providing the user ID to the authentication server;
the authentication server extracting or generating, according to the user ID, the authentication information corresponding to the user ID, and sending it to the DHCP network device;
the DHCP network device obtaining the authentication information from the information sent by the authentication server.
4. The method of claim 1, 2 or 3, characterized in that the authentication information comprises:
the user's session key Ka', generated from the key Ka shared between the authentication server and the user, together with the parameter for generating the session key Ka'; or
the key Ka shared between the authentication server and the user; or
when several keys are shared between the authentication server and the user, the shared key Ka designated by the authentication server for the user together with the selection parameter of that designated shared key Ka; or
when several keys are shared between the authentication server and the user, the selection parameter of the shared key Ka designated by the authentication server for the user, together with the session key Ka' generated from the designated shared key Ka and the parameter for generating the session key Ka'.
5. The method of claim 4, characterized in that the client-authentication information in the authentication information comprises:
the key Ka shared between the user and the authentication server; or the session key Ka' generated from the key Ka shared between the user and the authentication server.
6. The method of claim 5, characterized in that it further comprises:
the user authenticating the network device based on the shared key Ka; or
the user obtaining the information needed to authenticate the network from the authentication information obtained by the DHCP network device, generating the authentication information for authenticating the network from that information, and authenticating the network device based on the generated authentication information.
7. The method of claim 6, characterized in that the information needed to authenticate the network in the authentication information comprises:
the parameter for generating the session key Ka'; or
the selection parameter of the designated shared key Ka; or
the selection parameter of the designated shared key Ka together with the parameter for generating the session key Ka' from the designated shared key Ka.
8. The method of claim 6, characterized in that the authentication information for authenticating the network comprises:
the session key Ka' generated from the shared key Ka and the parameter for generating the session key Ka'; or
the shared key Ka selected according to the selection parameter; or
the session key Ka' generated from the shared key Ka selected according to the selection parameter and the parameter for generating the session key Ka'.
9. The method of claim 1, characterized in that it further comprises:
the authentication server authenticating the DHCP network device; and/or the DHCP network device authenticating the authentication server.
10. The method of claim 1, characterized in that, when the authentication server re-authenticates the user, it further comprises:
the authentication server initiating the re-authentication procedure and notifying the DHCP network device;
after receiving the re-authentication notice, the DHCP network device re-authenticating the user by carrying the DHCP authentication information in a DHCP Force Renew message.
11. The method of claim 1, 9 or 10, characterized in that, when the network supports user roaming, a relay authentication server is provided between the DHCP network device and the authentication server, and the relay authentication server relays the information exchanged between the DHCP network device and the authentication server.
12. The method of claim 1, characterized in that the DHCP network device comprises: a DHCP server or a DHCP relay server.
13. A method for implementing authentication, characterized in that it comprises: a user authenticating a network device.
14. The method of claim 13, characterized in that the process by which the user authenticates the network device specifically comprises:
after a DHCP network device receives a DHCP message sent by the user, obtaining the authentication information corresponding to the user through interaction with an authentication server;
the user obtaining the information needed to authenticate the network from the authentication information obtained by the DHCP network device, generating the authentication information for authenticating the network from that information, and authenticating the network device based on the generated authentication information; or the user authenticating the network device based on the shared key Ka.
15. The method of claim 14, characterized in that the authentication information comprises:
the user's session key Ka', generated from the key Ka shared between the authentication server and the user, together with the parameter for generating the session key Ka'; or
the key Ka shared between the authentication server and the user; or
when several keys are shared between the authentication server and the user, the shared key Ka designated by the authentication server for the user together with the selection parameter of that designated shared key Ka; or
when several keys are shared between the authentication server and the user, the selection parameter of the shared key Ka designated by the authentication server for the user, together with the session key Ka' generated from the designated shared key Ka and the parameter for generating the session key Ka'.
16. The method of claim 14, characterized in that the information needed to authenticate the network in the authentication information comprises:
the parameter for generating the session key Ka'; or
the selection parameter of the designated shared key Ka; or
the selection parameter of the designated shared key Ka together with the parameter for generating the session key Ka' from the designated shared key Ka.
17. The method of claim 14, characterized in that the authentication information for authenticating the network comprises:
the session key Ka' generated from the shared key Ka and the parameter for generating the session key Ka'; or
the shared key Ka selected according to the selection parameter; or
the session key Ka' generated from the shared key Ka selected according to the selection parameter and the parameter for generating the session key Ka'.
18. An authentication system, characterized in that it comprises:
an authentication server, a DHCP network device and user equipment;
the authentication server is configured, after receiving a message carrying user information sent by the DHCP network device, to provide the authentication information corresponding to the user to the DHCP network device;
the DHCP network device is configured, after receiving the DHCP message sent by the user equipment, to send the user information carried in the DHCP message to the authentication server, to obtain the authentication information corresponding to the user through interaction with the authentication server, and to perform DHCP authentication of the user based on the client-authentication information in the authentication information.
19. The authentication system of claim 18, characterized in that the authentication server comprises:
a user information acquiring unit, an authentication information generation unit and an authentication information transmission unit;
the user information acquiring unit is configured to obtain the user's user ID from the received message sent by the DHCP network device;
the authentication information generation unit is configured to extract or generate, according to the user ID, the authentication information corresponding to the user;
the authentication information transmission unit is configured to transmit the authentication information obtained by the authentication information generation unit to the DHCP network device.
20. The authentication system of claim 19, characterized in that the authentication server further comprises: a first authentication unit configured to authenticate the DHCP network device.
21. The authentication system of claim 18, characterized in that the DHCP network device comprises:
an authentication information acquiring unit configured to obtain the authentication information through interaction with the authentication server;
a DHCP authentication unit configured to perform DHCP authentication of the user according to the client-authentication information in the authentication information obtained by the authentication information acquiring unit.
22. The authentication system of claim 21, characterized in that the DHCP network device further comprises: a notification unit configured to report the user's user ID to the authentication server and to notify it of the user's authentication result.
23. The authentication system of claim 21 or 22, characterized in that the DHCP network device further comprises: a second authentication unit configured to authenticate the authentication server.
24. The authentication system of claim 23, characterized in that the DHCP network device further comprises: a network-authentication information transmission unit configured to send, in a transmitted DHCP message, the information needed to authenticate the network from the authentication information obtained by the authentication information acquiring unit.
25. The authentication system of claim 18, characterized in that the user equipment comprises:
a DHCP message transmission unit and a network authentication unit;
the DHCP message transmission unit is configured to send the user's DHCP messages and to receive the DHCP messages sent by the DHCP network device;
the network authentication unit is configured, when the user and the network device share one key and the parameter for generating the session key Ka' is empty, to authenticate the network device based on the shared key Ka; otherwise, to extract the information needed to authenticate the network from the DHCP message received by the DHCP message transmission unit, to generate the authentication information for authenticating the network from that information, and then to authenticate the network device according to that authentication information.
26. The authentication system of claim 18, characterized in that it further comprises: a relay authentication server configured to relay the information exchanged between the authentication server and the DHCP network device when the user is roaming.
27. The authentication system of claim 18, characterized in that the DHCP network device comprises: a DHCP server or a DHCP relay server.
28. An authentication server, characterized in that it comprises:
a user information acquiring unit, an authentication information generation unit and an authentication information transmission unit;
the user information acquiring unit is configured to obtain the user's user ID from the received message sent by the DHCP network device;
the authentication information generation unit is configured to extract or generate, according to the user ID, the authentication information corresponding to the user ID;
the authentication information transmission unit is configured to transmit the authentication information obtained by the authentication information generation unit to the DHCP network device.
29. The authentication server of claim 28, characterized in that it further comprises: a first authentication unit configured to authenticate the DHCP network device.
30. A DHCP network device, characterized in that it comprises:
an authentication information acquiring unit configured to obtain the authentication information corresponding to the user through interaction with the authentication server;
a DHCP authentication unit configured to perform DHCP authentication of the user according to the client-authentication information in the authentication information obtained by the authentication information acquiring unit.
31. The DHCP network device of claim 30, characterized in that it further comprises: a notification unit configured to report the user's user ID to the authentication server and to notify it of the user's authentication result.
32. The DHCP network device of claim 30 or 31, characterized in that it further comprises: a second authentication unit configured to authenticate the authentication server.
33. The DHCP network device of claim 32, characterized in that it further comprises: a network-authentication information transmission unit configured to send, in a transmitted DHCP message, the information needed to authenticate the network from the authentication information obtained by the authentication information acquiring unit.
34. The DHCP network device of claim 30, characterized in that the DHCP network device comprises: a DHCP server or a DHCP relay server.
35. User equipment, characterized in that it comprises:
an authentication information generation unit and a network authentication unit;
the authentication information generation unit is configured to extract the information needed to authenticate the network from the received DHCP message, and to generate the authentication information for authenticating the network from that information;
the network authentication unit is configured to authenticate the network device according to the authentication information for authenticating the network.
Application CN200610127666A, priority date 2006-09-05, filing date 2006-09-05, "Implementing authentication method and system", granted as CN100591013C (en); legal status: Expired - Fee Related.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN200610127666A (granted as CN100591013C) | 2006-09-05 | 2006-09-05 | Implementing authentication method and system

Publications (2)

Publication Number | Publication Date
CN101141253A (en), application publication | 2008-03-12
CN100591013C (en), granted patent | 2010-02-17

Family

ID=39193022

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200610127666A Expired - Fee Related CN100591013C (en) 2006-09-05 2006-09-05 Implementing authentication method and system

Country Status (1)

Country Link
CN (1) CN100591013C (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102123157A (en) * 2011-03-03 2011-07-13 上海华为技术有限公司 Authentication method and system
CN102377773A (en) * 2010-08-24 2012-03-14 巴比禄股份有限公司 Network relay device and relay control method of received frames
CN102487505A (en) * 2010-12-06 2012-06-06 中国移动通信集团河南有限公司 Access authentication method of sensor node, apparatus thereof and system thereof
CN102651736A (en) * 2011-02-28 2012-08-29 华为技术有限公司 DHCP-based authentication method, DHCP server and DHCP client side
CN102710811A (en) * 2012-06-14 2012-10-03 杭州华三通信技术有限公司 Method for realizing security assignment of DHCP (Dynamic Host Configuration Protocol) address and switch board
CN102790675A (en) * 2011-05-20 2012-11-21 纬创资通股份有限公司 Authentication method of network connection, network device and network authentication system thereof
CN102810064A (en) * 2011-05-30 2012-12-05 海尔集团公司 User side information loading method for electrical equipment and electrical equipment
WO2013086870A1 (en) * 2011-12-15 2013-06-20 Hangzhou H3C Technologies Co., Ltd. Method and device for dynamically selecting a dhcp server for a client terminal device
CN103975568A (en) * 2011-12-06 2014-08-06 李青锺 Security management system having multiple relay servers, and security management method
CN106330442A (en) * 2015-06-17 2017-01-11 中兴通讯股份有限公司 Identity authentication method, device and system
CN106357486A (en) * 2016-08-18 2017-01-25 杭州迪普科技有限公司 Access method and device for network users
CN106576096A (en) * 2014-06-17 2017-04-19 思科技术公司 Authentication of devices having unequal capabilities
CN107409133A (en) * 2015-03-30 2017-11-28 高通股份有限公司 Authentication and key agreement protocol with complete forward secrecy
WO2019041086A1 (en) * 2017-08-28 2019-03-07 华为技术有限公司 Information verification method and related equipment

Cited By (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102377773A (en) * 2010-08-24 2012-03-14 巴比禄股份有限公司 Network relay device and relay control method of received frames
CN102487505A (en) * 2010-12-06 2012-06-06 中国移动通信集团河南有限公司 Access authentication method of sensor node, apparatus thereof and system thereof
CN102487505B (en) * 2010-12-06 2015-05-27 中国移动通信集团河南有限公司 Access authentication method of sensor node, apparatus thereof and system thereof
CN102651736B (en) * 2011-02-28 2014-12-03 华为技术有限公司 DHCP-based authentication method, DHCP server and DHCP client side
CN102651736A (en) * 2011-02-28 2012-08-29 华为技术有限公司 DHCP-based authentication method, DHCP server and DHCP client side
WO2012116633A1 (en) * 2011-02-28 2012-09-07 华为技术有限公司 Authentication method based on dhcp, dhcp server and client
CN103685272B (en) * 2011-03-03 2017-02-22 上海华为技术有限公司 Authentication method and system
CN102123157A (en) * 2011-03-03 2011-07-13 上海华为技术有限公司 Authentication method and system
CN102123157B (en) * 2011-03-03 2013-12-04 上海华为技术有限公司 Authentication method and system
CN102790675A (en) * 2011-05-20 2012-11-21 纬创资通股份有限公司 Authentication method of network connection, network device and network authentication system thereof
CN102790675B (en) * 2011-05-20 2016-06-01 纬创资通股份有限公司 Authentication method of network connection, network device and network authentication system thereof
CN102810064A (en) * 2011-05-30 2012-12-05 海尔集团公司 User side information loading method for electrical equipment and electrical equipment
US9608973B2 (en) 2011-12-06 2017-03-28 Chung Jong Lee Security management system including multiple relay servers and security management method
CN103975568A (en) * 2011-12-06 2014-08-06 李青锺 Security management system having multiple relay servers, and security management method
CN103975568B (en) * 2011-12-06 2017-03-01 李青锺 There is safety management system and the method for managing security of multiple Relay Servers
WO2013086870A1 (en) * 2011-12-15 2013-06-20 Hangzhou H3C Technologies Co., Ltd. Method and device for dynamically selecting a dhcp server for a client terminal device
GB2511225A (en) * 2011-12-15 2014-08-27 Hangzhou H3C Tech Co Ltd Method and device for dynamically selecting a DHCP server for a client terminal device
US9967254B2 (en) 2011-12-15 2018-05-08 Hewlett Packard Enterprise Development Lp Dynamically selecting a DHCP server for a client terminal
CN102710811A (en) * 2012-06-14 2012-10-03 杭州华三通信技术有限公司 Method for realizing security assignment of DHCP (Dynamic Host Configuration Protocol) address and switch board
CN106576096B (en) * 2014-06-17 2019-12-13 思科技术公司 Apparatus, method, and medium for authentication of devices with unequal capability
CN106576096A (en) * 2014-06-17 2017-04-19 思科技术公司 Authentication of devices having unequal capabilities
CN107409133A (en) * 2015-03-30 2017-11-28 高通股份有限公司 Authentication and key agreement protocol with complete forward secrecy
CN107409133B (en) * 2015-03-30 2020-06-19 高通股份有限公司 Method and equipment for authentication and key agreement with complete forward secrecy
CN106330442A (en) * 2015-06-17 2017-01-11 中兴通讯股份有限公司 Identity authentication method, device and system
CN106330442B (en) * 2015-06-17 2020-04-28 中兴通讯股份有限公司 Identity authentication method, device and system
CN106357486A (en) * 2016-08-18 2017-01-25 杭州迪普科技有限公司 Access method and device for network users
WO2019041086A1 (en) * 2017-08-28 2019-03-07 华为技术有限公司 Information verification method and related equipment
US11234131B2 (en) 2017-08-28 2022-01-25 Huawei Technologies Co., Ltd. Information verification method and related device

Also Published As

Publication number Publication date
CN100591013C (en) 2010-02-17

Similar Documents

Publication Publication Date Title
CN100591013C (en) Implementing authentication method and system
CN101127600B (en) A method for user access authentication
JP4666169B2 (en) Method of communication via untrusted access station
US9344417B2 (en) Authentication method and system
US20100107223A1 (en) Network Access Method, System, and Apparatus
JP2007180998A (en) Wireless network controller, and wireless network control system
CN101478576A (en) Method, apparatus and system for selecting service network
KR20150017891A (en) Method and apparatus for registering and authenticating a device in a wireless communication system
CN102572005A (en) IP address allocation method and equipment
CN101986598B (en) Authentication method, server and system
CN111194035B (en) Network connection method, device and storage medium
CN101668017A (en) Authentication method and equipment
WO2015089996A1 (en) Security authentication method and authorization authentication server
CN102231725A (en) Method, equipment and system for authenticating dynamic host configuration protocol message
CN102263793A (en) Method, system and device for verifying and controlling permission of MTC (machine type communication) server
CN101800686A (en) Method, device and system for realizing service
CN101697550A (en) Method and system for controlling access authority of double-protocol-stack network
CN101282215A (en) Method and apparatus for distinguishing certificate
EP3758401A1 (en) Method and device for obtaining local domain name
JP2008263445A (en) Connection setting system, authentication apparatus, wireless terminal and connection setting method
CN105873059A (en) United identity authentication method and system for power distribution communication wireless private network
CN101232369B (en) Method and system for distributing cryptographic key in dynamic state host computer collocation protocol
KR100819942B1 (en) Method for access control in wire and wireless network
CN102075567B (en) Authentication method, client, server, feedthrough server and authentication system
CN205693897U (en) The secondary identity authorization system of LTE electric power wireless private network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100217

Termination date: 20170905