CN101330494A - Method for implementing computer terminal safety admittance based on credible authentication gateway - Google Patents
Publication number
- CN101330494A (application CNA2007100524986A)
Authority
- CN (China)
Prior art keywords
- terminal
- information
- identity
- authentication gateway
- authentic authentication
Legal status
- Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a method for secure admission of a computer terminal based on a trusted authentication gateway, in the field of computer security technology. The method comprises the following steps: (1) the computer terminal sends an access request to the gateway; (2) the terminal registers its basic identity information with the gateway; (3) the gateway forms an active label for the terminal; (4) the trusted authentication gateway verifies the identity and authority of the active label; (5) the trusted authentication gateway judges whether the identity and authority of the active label are legitimate; (5.1) if they are illegitimate, the terminal's access is blocked; (5.2) if they are legitimate, the terminal's access is permitted. The advantages claimed are: first, the terminal's identity on the network becomes unique and identifiable; second, illegal tampering with the terminal identifier is prevented, so that the identifier cannot be forged.
Description
Technical field
The present invention relates to a method for realizing secure terminal access based on a trusted authentication gateway, and belongs to the field of computer security technology.
Background technology
With the development of computer networks, the TCP/IP protocol suite is in wide use on the Internet. Between two communicating platforms that use TCP/IP, identifying a terminal by its MAC and IP address is not trustworthy, because both MAC and IP addresses can be changed at will; that is, a terminal's identity on the network can be forged. Consequently, when communicating, the entities cannot verify each other's true identity, and therefore cannot establish whether the other party is trustworthy.
Summary of the invention
The objective of the invention is to overcome the shortcomings of the prior art by providing a method for realizing secure terminal access based on a trusted authentication gateway, so that a terminal's identity on the network is unique, unforgeable and identifiable.
The technical scheme of the invention is as follows. The method for realizing secure terminal access based on a trusted authentication gateway comprises the following steps:
1) The terminal sends an access request to the trusted authentication gateway.
2) The terminal registers its basic identity information with the trusted authentication gateway; this basic identity information consists of the terminal's hardware feature information and software feature information.
3) The trusted authentication gateway forms the terminal's active label: according to the basic identity information submitted by the terminal, the gateway uses its private key to sign the terminal's basic identity information, the gateway timestamp and the terminal's public key; the result is the terminal's active label.
4) The trusted authentication gateway verifies the identity and authority of the active label.
5) The trusted authentication gateway judges legitimacy, that is, whether the identity and authority of the active label are legitimate.
5.1) If the identity and authority of the active label are illegitimate, the trusted authentication gateway blocks the terminal's access.
5.2) If the identity and authority of the active label are legitimate, the trusted authentication gateway permits the terminal's access.
Building on the above scheme, the further technical features are:
The terminal's hardware feature information includes at least two of the following: machine identifier, network interface card hardware number, hard disk serial number and hard disk data characteristics, optical drive type and serial number, USB information, sound card information, video card information. The terminal's software feature information includes operating system information and installed software information.
The terminal's basic identity information further comprises a set of asymmetric key information issued, according to the computer's hardware feature information and software feature information, by the trusted authentication gateway or by a third-party CA center, together with a standard X.509 digital certificate.
The set of asymmetric key information comprises the computer's private key information and public key information; the private key is used for digital signing and is not disclosed externally, while the public key is used as identity verification information and is disclosed externally.
The standard X.509 digital certificate comprises the computer's identity information and the computer's public key information, and the certificate is disclosed externally.
Signing with respect to the terminal's public key means: when the terminal communicates with other computers in the network or with the trusted authentication gateway, the packets the terminal sends are signed with the machine's own private key. Signing the gateway timestamp means: the trusted authentication gateway signs the gateway's time information together with the terminal's basic identity information, guaranteeing that the terminal's identity on the network cannot be forged.
The terminal sending an access request to the trusted authentication gateway means: when the terminal applies for access and accesses the network, it submits to the trusted authentication gateway at the network boundary the terminal's active label indicating its own identity.
The effects of the invention are: 1. the uniqueness and identifiability of the terminal's identity on the network are realized; 2. the technical scheme of a security protocol solves the problem of mutual authentication between communicating parties, replacing the traditional method of identifying a terminal by its IP and MAC address (both of which can be changed at will), so that illegal tampering with the terminal identifier is prevented and the identifier is unforgeable.
Description of drawings
Fig. 1 is a flow diagram of the method of the invention.
Embodiment
The invention is further described below with reference to the accompanying drawing and embodiments.
As shown in Fig. 1, the method for realizing secure terminal access based on a trusted authentication gateway proceeds as follows:
1) The terminal sends an access request to the trusted authentication gateway.
2) The terminal registers its basic identity information with the trusted authentication gateway; this basic identity information consists of the terminal's hardware feature information and software feature information. The hardware feature information is the machine identifier, network interface card hardware number, hard disk serial number and hard disk data characteristics, optical drive type and serial number, USB information, sound card information and video card information; when the hardware feature information is a combination of two or three of these, or any other combination of them, that constitutes a different embodiment. The software feature information is the operating system information and the installed software information. The basic identity information further comprises a set of asymmetric key information issued, according to the computer's hardware feature information and software feature information, by the trusted authentication gateway or by a third-party CA center, together with a standard X.509 digital certificate. The set of asymmetric key information is the computer's private key information and public key information; the private key is used for digital signing and is not disclosed externally, while the public key is used as identity verification information and is disclosed externally. The standard X.509 digital certificate carries the computer's identity information and the computer's public key information, and is disclosed externally.
3) The trusted authentication gateway forms the terminal's active label: according to the basic identity information submitted by the terminal, the gateway uses its private key to sign the terminal's basic identity information, the gateway timestamp and the terminal's public key, forming the terminal's active label.
4) The trusted authentication gateway verifies the identity and authority of the active label.
5) The trusted authentication gateway judges legitimacy, that is, whether the identity and authority of the active label are legitimate.
5.1) If the identity and authority of the active label are illegitimate, the trusted authentication gateway blocks the terminal's access.
5.2) If the identity and authority of the active label are legitimate, the trusted authentication gateway permits the terminal's access.
Signing with respect to the terminal's public key means that when the terminal communicates with other computers in the network or with the trusted authentication gateway, the packets it sends are signed with the machine's own private key. Signing the gateway timestamp means that the trusted authentication gateway signs the gateway's time information together with the terminal's basic identity information, guaranteeing that the terminal's identity on the network cannot be forged.
On the basis of the above embodiment, a different embodiment of how the terminal sends its access request to the trusted authentication gateway is: when the terminal applies for access and accesses the network, it submits to the trusted authentication gateway at the network boundary the terminal's active label indicating its own identity.
The following example further illustrates the invention in terms of its technical principle and technical scheme (the example illustrates the communication process that uses the terminal's active label; signature verification of the active label and the encryption and signing of IP packets are omitted):
Three terminals: HostA, HostB, HostC
Address of A: IP 192.168.10.1; legitimate label: AA-AA-AA-AA-AA-AA
Address of B: IP 192.168.10.2; legitimate label: BB-BB-BB-BB-BB-BB
Address of C: IP 192.168.10.3; no label (C has not passed the gateway's audit and authorization)
A now sends the data XXX 1234 XXX to B. When this packet passes through the network layer, the newly added security protocol inserts into the packet the terminal active label that this machine obtained from the server, forming XXX AA-AA-AA-AA-AA-AA 1234 XXX (note: the signing of the terminal active label and the encryption and signing of the IP packet are omitted). When B receives XXX AA-AA-AA-AA-AA-AA 1234 XXX from A, it first verifies whether the packet carries A's legitimate label AA-AA-AA-AA-AA-AA; if A's label is judged legitimate, the packet is restored to XXX 1234 XXX and passed to the driver at the next layer up; otherwise the packet is dropped.
A sends the data XXX 1234 XXX to C. When this packet passes through the network layer, the newly added security protocol inserts into the packet the terminal active label that this machine obtained from the server, forming XXX AA-AA-AA-AA-AA-AA 1234 XXX (note: the signing of the terminal active label and the encryption and signing of the IP packet are omitted). When C receives XXX AA-AA-AA-AA-AA-AA 1234 XXX from A, the program at C's system layer treats it as an erroneous packet and drops it.
C sends the data XXX 1234 XXX to A. When A receives XXX 1234 XXX from C, it finds no terminal active label in the packet and drops it.
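The Go program below is an added illustration, not code from the patent or its applicant. It models steps 1) to 5.2) and the HostA/HostB/HostC exchange above: the gateway signs the identity digest, its timestamp and the terminal's public key to form the active label; a receiver checks the label with only the gateway's public key, then checks the per-packet signature made with the terminal's own private key, exactly the two signatures the patent describes. Everything not stated in the patent is an assumption here: Ed25519 stands in for the unspecified asymmetric algorithm and X.509 certificate; the label encoding, the 24-hour freshness window and all names (Identity, Label, Gateway, Register, Admit, CheckLabel, Send, Receive) are the author's own; the hardware and software feature strings are constructed samples. The example also adds a case the patent's three do not cover, C replaying a copy of A's label, to show why the label must be bound to the terminal key and each packet signed: a label on its own is just bytes anyone on the wire can copy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Identity is the terminal's "basic identity information": hardware and software feature strings.
type Identity struct{ Hardware, Software []string }

// Label is the "active label": identity digest, gateway timestamp and terminal public key, all under GwSig.
type Label struct {
	IDDigest [32]byte
	IssuedAt int64
	TermPub  ed25519.PublicKey
	GwSig    []byte
}

// tbs is the to-be-signed encoding the gateway signs and every verifier rebuilds.
func (l Label) tbs() []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(l.IssuedAt))
	return append(append(append([]byte{}, l.IDDigest[:]...), ts[:]...), l.TermPub...)
}

// Gateway holds the signing key and the identities it has admitted (its authority list).
type Gateway struct {
	priv       ed25519.PrivateKey
	Pub        ed25519.PublicKey
	authorised map[[32]byte]bool
}

func NewGateway() (*Gateway, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Gateway{priv: priv, Pub: pub, authorised: map[[32]byte]bool{}}, err
}

// Register covers steps 2 and 3: record the identity and issue a gateway-signed label.
func (g *Gateway) Register(id Identity, termPub ed25519.PublicKey, now time.Time) Label {
	// canonical feature encoding; the separators keep ["ab"] and ["a","b"] distinct
	canon := strings.Join(id.Hardware, "\x00") + "\x01" + strings.Join(id.Software, "\x00")
	l := Label{IDDigest: sha256.Sum256([]byte(canon)), IssuedAt: now.Unix(), TermPub: termPub}
	l.GwSig = ed25519.Sign(g.priv, l.tbs())
	g.authorised[l.IDDigest] = true
	return l
}

// CheckLabel is the identity check any host can do with only the gateway's public key;
// maxAge bounds how long a timestamped label stays acceptable (assumed policy, not in the patent).
func CheckLabel(gwPub ed25519.PublicKey, l Label, now time.Time, maxAge time.Duration) error {
	if !ed25519.Verify(gwPub, l.tbs(), l.GwSig) {
		return errors.New("label not signed by the gateway")
	}
	if age := now.Sub(time.Unix(l.IssuedAt, 0)); age < 0 || age > maxAge {
		return errors.New("label timestamp outside the accepted window")
	}
	return nil
}

// Admit covers steps 4 and 5: identity (signature, freshness) plus authority (admitted by this gateway).
func (g *Gateway) Admit(l Label, now time.Time, maxAge time.Duration) error {
	if err := CheckLabel(g.Pub, l, now, maxAge); err != nil {
		return err
	}
	if !g.authorised[l.IDDigest] {
		return errors.New("label identity not authorised by this gateway")
	}
	return nil
}

// Packet carries the sender's label plus its signature over label||payload with the terminal key the label binds.
type Packet struct{ Label Label; Payload, TermSig []byte }
func Send(l Label, termPriv ed25519.PrivateKey, payload []byte) Packet {
	return Packet{Label: l, Payload: payload, TermSig: ed25519.Sign(termPriv, append(l.tbs(), payload...))}
}

// Receive returns the bare payload or an error meaning "drop the packet";
// a copied label fails here because the copier cannot produce TermSig.
func Receive(gwPub ed25519.PublicKey, p Packet, now time.Time) ([]byte, error) {
	if err := CheckLabel(gwPub, p.Label, now, 24*time.Hour); err != nil {
		return nil, err
	}
	if !ed25519.Verify(p.Label.TermPub, append(p.Label.tbs(), p.Payload...), p.TermSig) {
		return nil, errors.New("packet not signed by the labelled terminal")
	}
	return p.Payload, nil
}

func main() {
	gw, _ := NewGateway()
	now, data := time.Now(), []byte("XXX 1234 XXX")
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader) // HostA, admitted below with a constructed sample identity
	_, cPriv, _ := ed25519.GenerateKey(rand.Reader)    // HostC, never admitted
	labelA := gw.Register(Identity{[]string{"nic:00-11-22-33-44-55", "disk:SN0001"}, []string{"os:sample"}}, aPub, now)
	_, okErr := Receive(gw.Pub, Send(labelA, aPriv, data), now)                    // accepted: B strips the label, passes data up
	_, replayErr := Receive(gw.Pub, Send(labelA, cPriv, data), now)                // dropped: C cannot sign as A
	_, noLabelErr := Receive(gw.Pub, Send(Label{TermPub: aPub}, cPriv, data), now) // dropped: no gateway signature
	fmt.Println(okErr, "|", replayErr, "|", noLabelErr)
}
```

Two design points worth noting. First, a receiver never needs the gateway online: the label is self-verifying under the gateway's public key, which is what lets HostB and HostC decide locally in the patent's example. Second, the identity digest is computed over a canonical encoding of the feature lists; without fixed separators two different feature lists could collide, and the gateway would hand out one label for two machines.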
The scope of protection of the invention is not limited to the above embodiments.
Claims (7)
1. A method for realizing secure terminal access based on a trusted authentication gateway, characterized in that it comprises the following steps:
1) the terminal sends an access request to the trusted authentication gateway;
2) the terminal registers its basic identity information with the trusted authentication gateway, the basic identity information consisting of the terminal's hardware feature information and software feature information;
3) the trusted authentication gateway forms the terminal's active label: according to the basic identity information submitted by the terminal, the gateway uses its private key to sign the terminal's basic identity information, the gateway timestamp and the terminal's public key, forming the terminal's active label;
4) the trusted authentication gateway verifies the identity and authority of the active label;
5) the trusted authentication gateway judges legitimacy, that is, whether the identity and authority of the active label are legitimate;
5.1) if the identity and authority of the active label are illegitimate, the trusted authentication gateway blocks the terminal's access;
5.2) if the identity and authority of the active label are legitimate, the trusted authentication gateway permits the terminal's access.
2. The method according to claim 1, characterized in that the terminal's hardware feature information includes at least two of the following: machine identifier, network interface card hardware number, hard disk serial number and hard disk data characteristics, optical drive type and serial number, USB information, sound card information, video card information; and the terminal's software feature information includes at least operating system information and installed software information.
3. The method according to claim 1, characterized in that the terminal's basic identity information further comprises a set of asymmetric key information issued, according to the computer's hardware feature information and software feature information, by the trusted authentication gateway or by a third-party CA center, together with a standard X.509 digital certificate.
4. The method according to claim 3, characterized in that the set of asymmetric key information comprises the computer's private key information and public key information, wherein the private key is used for digital signing and is not disclosed externally, and the public key is used as identity verification information and is disclosed externally.
5. The method according to claim 3, characterized in that the standard X.509 digital certificate comprises the computer's identity information and the computer's public key information, and the certificate is disclosed externally.
6. The method according to claim 1, characterized in that signing with respect to the terminal's public key means: when the terminal communicates with other computers in the network or with the trusted authentication gateway, the packets the terminal sends are signed with the machine's own private key; and signing the gateway timestamp means: the trusted authentication gateway signs the gateway's time information together with the terminal's basic identity information, guaranteeing that the terminal's identity on the network cannot be forged.
7. The method according to claim 1, characterized in that the terminal sending an access request to the trusted authentication gateway means: when the terminal applies for access and accesses the network, it submits to the trusted authentication gateway at the network boundary the terminal's active label indicating its own identity.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Status | Title |
---|---|---|---|---|
CNA2007100524986A | 2007-06-19 | 2007-06-19 | Pending | Method for implementing computer terminal safety admittance based on credible authentication gateway |
Publications (1)
Publication Number | Publication Date | Country |
---|---|---|
CN101330494A (en) | 2008-12-24 | CN |
Family
ID=40206085
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101562551B (en) * | 2009-05-05 | 2012-02-22 | 候万春 | System and method for providing picture identification service or video identification service |
CN102045309A (en) * | 2009-10-14 | 2011-05-04 | 上海可鲁系统软件有限公司 | Method and device for preventing computer from being attacked by virus |
CN103368916A (en) * | 2012-04-01 | 2013-10-23 | 百度在线网络技术(北京)有限公司 | Technology for generating trusted identity certification of computer terminal based on hardware information |
WO2015135305A1 (en) * | 2014-03-12 | 2015-09-17 | 北京安兔兔科技有限公司 | Method and device for verifying authenticity of a terminal |
CN103973456A (en) * | 2014-05-29 | 2014-08-06 | 深圳市密思科技有限公司 | Small district management system and method based on digital certificates |
CN105207778B (en) * | 2014-07-03 | 2019-04-16 | 清华大学深圳研究生院 | A method of realizing packet identity and digital signature on accessing gateway equipment |
CN105207778A (en) * | 2014-07-03 | 2015-12-30 | 清华大学深圳研究生院 | Method of realizing package identity identification and digital signature on access gateway equipment |
CN105282157A (en) * | 2015-10-22 | 2016-01-27 | 中国人民解放军装备学院 | Secure communication control method |
CN105282157B (en) * | 2015-10-22 | 2018-07-06 | 中国人民解放军装备学院 | A kind of secure communication control method |
CN112330423A (en) * | 2020-11-30 | 2021-02-05 | 上海寻梦信息技术有限公司 | Order data management system, method, equipment and storage medium |
CN112866210A (en) * | 2020-12-31 | 2021-05-28 | 北京珞安科技有限责任公司 | Industrial control equipment access control method and device and electronic equipment |
CN112953932A (en) * | 2021-02-07 | 2021-06-11 | 北京中船信息科技有限公司 | Identity authentication gateway integration design method and system based on CA certificate |
CN112953932B (en) * | 2021-02-07 | 2022-12-20 | 北京中船信息科技有限公司 | Identity authentication gateway integration design method and system based on CA certificate |
CN113114858A (en) * | 2021-04-13 | 2021-07-13 | 艾迪通证技术(北京)有限公司 | Method and device for adding credible identification for call based on gateway |
CN113114858B (en) * | 2021-04-13 | 2023-03-14 | 艾迪通证技术(北京)有限公司 | Method and device for adding credible identification for call based on gateway |
CN114157503A (en) * | 2021-12-08 | 2022-03-08 | 北京天融信网络安全技术有限公司 | Access request authentication method and device, API gateway equipment and storage medium |
CN114257458A (en) * | 2022-01-08 | 2022-03-29 | 广州市成格信息技术有限公司 | Multifunctional gateway of all-optical network |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C12 | Rejection of a patent application after its publication | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20081224 |