CN101741554A - Method for network access control, server, user network equipment and communication system - Google Patents


Info

Publication number
CN101741554A
Authority
CN
China
Prior art keywords
network equipment
digest value
user network
configuration information
checking
Prior art date
Legal status
Pending
Application number
CN200810177093A
Other languages
Chinese (zh)
Inventor
赵世武
Current Assignee
Huawei Device Co Ltd
Original Assignee
Huawei Device Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Device Co Ltd
Priority to CN200810177093A
Priority to PCT/CN2009/075003 (WO2010057428A1)
Publication of CN101741554A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords

Abstract

The invention discloses a method for the network access control, a server, user network equipment and a communication system. The method of the invention comprises the following steps of: receiving a service verification request of the user network equipment, wherein the service verification request comprises a digest value which is calculated by the user network equipment according to the configuration information thereof; verifying the digest value, which is calculated by the user network equipment according to the configuration information thereof, according to the stored digest value; and controlling the access of the user network equipment according to a result of the verification. Even if the administrator user/secret of the user equipment is revealed or broken through, the access of the user network equipment of which the configuration information is altered without approval can be prevented by verifying the digest value calculated by the network user equipment according to the configuration information.

Description

Network access control method, server, user network device and communication system
Technical field
The present invention relates to the field of communication technology, and in particular to a network access control method, server, user network device and communication system.
Background technology
As home gateways become increasingly widespread and the services they provide more diverse, operators have raised higher requirements for controlling home gateways effectively in the course of their business: users may only use the functions and services the operator has authorized and opened, and must not be able to use functions and services the operator has not authorized, or even escape the operator's control of the device by privately modifying the gateway's key configuration parameters.
Home gateways generally provide several configuration and management channels, such as remote management, web page management and the command line. At present, operators perform configuration management and service provisioning of home gateways through remote management. For an operator to control a home gateway effectively, protection of its configuration parameters or configuration file is crucial. Existing measures such as administrator/password access control or encrypted configuration files cannot guarantee that the configuration file or key configuration parameters are not illegally modified by the user. If the user privately modifies the management-related parameters of the home gateway, the device completely escapes the operator's management and control, which severely affects the operator's subsequent service delivery.
In researching and practising the prior art, the inventor found that, under normal conditions, user/password access control is applied to logging in to the home gateway, so that only the administrator can update the configuration file or modify key configuration parameters. However, once the administrator username and password are leaked or cracked, the user can modify the configuration at will, so as to use unauthorized functions and services of the home gateway without the operator's permission, or cause the user device to malfunction through the modification.
Summary of the invention
Embodiments of the invention provide a network access control method, server, user network device and communication system that can prevent access by a user network device whose configuration information has been modified without authorization.
A network access control method provided by an embodiment of the invention comprises:
receiving a service verification request from a user network device, the service verification request containing a digest value computed by the user network device from its own configuration information;
verifying, against a stored digest value, the digest value computed by the user network device from its own configuration information;
controlling access of the user network device according to the result of the verification.
Another network access control method provided by an embodiment of the invention comprises:
a user network device sending a verification request to a network server, the service verification request containing a digest value computed from local configuration information, so that the network server performs access verification of the user network device according to the digest value.
A network server provided by an embodiment of the invention comprises:
a verification request receiving unit, for receiving a service verification request from a user network device, the service verification request containing a digest value computed by the user network device from its own configuration information;
a verification unit, for verifying, against a stored digest value, the digest value computed by the user network device from its own configuration information;
an access control unit, for controlling access of the user network device according to the verification result of the verification unit.
A communication system provided by an embodiment of the invention is characterized in that it comprises:
a user network device, for requesting network access and sending a verification request to a network server, the service verification request containing a digest value computed from local configuration information;
a network server, for verifying, against a stored digest value, the digest value computed by the user network device from its own configuration information, and for controlling access of the user network device according to the result of the verification.
A user network device provided by an embodiment of the invention comprises: a digest computation unit, for computing a digest value from the device's own configuration information;
a verification request sending unit, for sending a service verification request to the network server, the service verification request containing the digest value computed by the digest computation unit, so that the network server performs access verification of the user network device according to the digest value.
Embodiments of the invention receive a service verification request from a user network device, the request containing a digest value computed by the device from its own configuration information; verify that digest value against the stored digest value; and control access of the user network device according to the result of the verification. By verifying the digest value the user network device computes from its configuration information, access by a user network device whose configuration information has been modified without authorization can be effectively prevented even if the administrator/password of the user device has been leaked or cracked.
Description of drawings
Fig. 1 is a flowchart of the network access control method of embodiment two of the invention;
Fig. 2 is a flowchart of the network access control method of embodiment three of the invention;
Fig. 3 is a structural diagram of the network server of embodiment five of the invention;
Fig. 4 is a structural diagram of the communication system of embodiment six of the invention;
Fig. 5 is a structural diagram of the user network device of embodiment seven of the invention.
Embodiment
The network access control method, server, user network device and communication system provided by embodiments of the invention are each described in detail below.
Embodiment one: a network access control method comprises:
receiving a service verification request from a user network device, the service verification request containing a digest value computed by the user network device from its own configuration information;
verifying, against a stored digest value, the digest value computed by the user network device from its own configuration information;
The digest value may be computed with any of several existing conventional algorithms, for example Message-Digest Algorithm 5 (MD5), the first-generation Secure Hash Algorithm (SHA-0), the second-generation SHA (SHA-1), the third-generation SHA (SHA-2), and cyclic redundancy check (CRC) algorithms.
controlling access of the user network device according to the result of the verification.
In embodiment one of the invention, a service verification request from a user network device is received, the request containing a digest value computed by the device from its own configuration information; that digest value is verified against the stored digest value; and access of the user network device is controlled according to the result of the verification. By verifying the digest value the user network device computes from its configuration information, access by a user network device whose configuration information has been modified without authorization can be effectively prevented even if the administrator/password of the user device has been leaked or cracked.
It should be understood that, in embodiments of the invention, when the operator initially provisions the home gateway service, or when the home gateway's configuration file, key configuration parameters or device key identification information have been modified by the terminal management system or another party authorized by the operator, the operator needs to compute the gateway digest value of the home gateway and record it in the service access verification system.
Embodiment two: a network access control method. In this embodiment, the network side needs to store the digest value of the network device in advance; the digest value can be computed before the network device is provided to the user and saved on the network side. The specific flow, shown in Figure 2, comprises:
B1: receiving a service verification request from a user network device, the service verification request containing a digest value computed by the user network device from its own configuration information;
The network device in embodiments of the invention may be a user-side network access device such as a home gateway or router.
B2: verifying, against the stored digest value, the digest value the user network device computed from its own configuration information;
The stored digest value is the digest value computed from the configuration information of the user network device at the time of service provisioning.
The specific verification may be:
judging whether the stored digest value of the user network device is consistent with the digest value sent by the network device;
if consistent, verification passes; if inconsistent, verification fails.
It should be understood that the digest value can also be computed from device key identification information (for example the device MAC address or device serial number) and/or the user identifier; that is, device key identification information and/or the user identifier can also serve as parameters for computing the digest value.
B3: controlling access of the user network device according to the result of the verification.
It should be understood that if verification fails, the network device is not allowed access. If verification passes, it may still be necessary to wait for the results of other verifications before deciding whether the user's network device is allowed access.
The flow of this embodiment can be triggered when the network device performs network access, for example Point-to-Point Protocol over Ethernet (PPPoE) dial-up or PPPoE proxy dial-up access, or Dynamic Host Configuration Protocol (DHCP) address assignment access.
In embodiments of the invention, if a network management device modifies the configuration information of the user network device over the network, a new digest value of the user network device is recomputed, and the stored digest value is updated with the new digest value.
The network management device here may be the terminal management system or another network device able to modify the configuration information of the user network device. It should be understood that when the operator needs to modify any information in the configuration file of the user network device, then after the modification the gateway digest value of the home gateway must be recomputed and updated in the current service access verification system, overwriting the old digest value, so that the access verification system continues to operate normally.
Embodiment three: a network access control method, whose flowchart, shown in Figure 2, comprises:
C1: when the user network device performs network access, it sends a verification request to the network server, the service verification request containing a digest value computed from local configuration information;
C2: the network server verifies, against the stored digest value, the digest value the user network device computed from its own configuration information, and controls access of the user network device according to the result of the verification.
Verifying, against the stored digest value, the digest value the user network device computed from its own configuration information comprises:
judging whether the stored digest value of the user network device is consistent with the digest value sent by the network device;
if consistent, verification passes; if inconsistent, verification fails.
In embodiments of the invention, the stored digest value is the digest value computed from the configuration information of the user network device at the time of service provisioning.
It should be understood that the verification request sent by the user device of the invention can also contain conventional verification information;
the method of this embodiment can further comprise: the network server verifying the conventional verification information;
and the process of controlling access of the user network device according to the result of the verification can comprise:
allowing the user network device to access the network if all verification information passes verification.
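The provisioning, verification (steps B1 to B3 / C1 to C2) and authorized-update flow of embodiments two and three, written out as an added Python example; this is not the patent's own code. It assumes SHA-256 (a member of the SHA-2 family the text lists) as the digest algorithm, a canonical JSON encoding of the configuration so both sides hash identical bytes, and constructed sample configuration, MAC, serial and user values; the digest optionally covers device key identification information and the user identifier, as the text allows.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed sample values (assumptions, not from the patent).
SAMPLE_CONFIG = {
    "acs_url": "https://acs.operator.example/cwmp",  # remote-management endpoint
    "wan_mode": "pppoe",
    "allowed_services": ["iptv", "voip"],
}
SAMPLE_DEVICE_KEY_INFO = {"mac": "00:11:22:33:44:55", "serial": "HGW-0001"}
SAMPLE_USER_ID = "subscriber-1001"


def compute_digest(config: dict, device_key_info: Optional[dict] = None,
                   user_id: Optional[str] = None) -> str:
    """Digest over the device's configuration information.

    Device key identification info (MAC, serial) and the user identifier are
    optional extra digest parameters, as embodiment two describes.  The input
    is canonicalised (sorted keys, fixed separators) so that the gateway and
    the operator side derive the same bytes regardless of dict ordering.
    """
    material: dict = {"config": config}
    if device_key_info is not None:
        material["device"] = device_key_info
    if user_id is not None:
        material["user"] = user_id
    canonical = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AccessVerificationServer:
    """Network side: stores the expected digest per device serial (hypothetical key)."""

    def __init__(self) -> None:
        self._expected: Dict[str, str] = {}

    def provision(self, serial: str, config: dict, device_key_info: dict, user_id: str) -> None:
        # Recorded at service provisioning, before the device reaches the user.
        self._expected[serial] = compute_digest(config, device_key_info, user_id)

    def authorized_update(self, serial: str, new_config: dict, device_key_info: dict, user_id: str) -> None:
        # A network management device changed the config: recompute and overwrite the stored digest.
        self._expected[serial] = compute_digest(new_config, device_key_info, user_id)

    def verify_request(self, request: dict) -> str:
        """Steps B1-B3: compare the sent digest with the stored one; returns allow/deny/unknown-device."""
        expected = self._expected.get(request.get("serial"))
        if expected is None:
            return "unknown-device"
        sent = request.get("digest")
        # compare_digest needs ASCII str on both sides; anything else cannot match a hex digest.
        if not isinstance(sent, str) or not sent.isascii():
            return "deny"
        return "allow" if hmac.compare_digest(expected, sent) else "deny"


class HomeGateway:
    """User side: computes the digest from local configuration and sends it on access."""

    def __init__(self, config: dict, device_key_info: dict, user_id: str) -> None:
        self.config = dict(config)
        self.device_key_info = dict(device_key_info)
        self.user_id = user_id

    def build_verification_request(self) -> dict:
        digest = compute_digest(self.config, self.device_key_info, self.user_id)
        return {"serial": self.device_key_info["serial"], "digest": digest}


def demo() -> Dict[str, str]:
    """Runs the scenarios from the text and returns the server's decision for each."""
    server = AccessVerificationServer()
    serial = SAMPLE_DEVICE_KEY_INFO["serial"]
    server.provision(serial, SAMPLE_CONFIG, SAMPLE_DEVICE_KEY_INFO, SAMPLE_USER_ID)
    results: Dict[str, str] = {}

    gateway = HomeGateway(SAMPLE_CONFIG, SAMPLE_DEVICE_KEY_INFO, SAMPLE_USER_ID)
    results["initial"] = server.verify_request(gateway.build_verification_request())

    # Configuration modified on the device without operator approval: digest no longer matches.
    gateway.config["acs_url"] = "https://unapproved.example/"
    results["tampered"] = server.verify_request(gateway.build_verification_request())

    # Operator's management system changes the config and refreshes the stored digest.
    new_config = dict(SAMPLE_CONFIG, allowed_services=["iptv", "voip", "vod"])
    server.authorized_update(serial, new_config, SAMPLE_DEVICE_KEY_INFO, SAMPLE_USER_ID)
    gateway.config = dict(new_config)
    results["after_authorized_update"] = server.verify_request(gateway.build_verification_request())

    # User identifier is part of the digest, so another user on the same device is refused.
    other_user = HomeGateway(new_config, SAMPLE_DEVICE_KEY_INFO, "subscriber-2002")
    results["other_user"] = server.verify_request(other_user.build_verification_request())

    unknown = HomeGateway(new_config, {"mac": "66:77:88:99:aa:bb", "serial": "HGW-9999"}, SAMPLE_USER_ID)
    results["unknown"] = server.verify_request(unknown.build_verification_request())
    return results


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {decision}")
```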
One of ordinary skill in the art will appreciate that all or some of the steps of the methods of the above embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, which can include ROM, RAM, a magnetic disk or an optical disc.
Embodiment four: a network access control method comprises:
a user network device sending a verification request to a network server, the service verification request containing a digest value computed from local configuration information, so that the network server performs access verification of the user network device according to the digest value.
This embodiment can further comprise:
receiving the verification result of the network server verifying, against the stored digest value, the digest value sent by the user network device.
In this embodiment, the user network device computes the digest value from local configuration information and sends it to the network server for verification. Once the configuration information of the user network device has been modified without authorization, the computed digest value cannot pass verification, which prevents a user network device with modified configuration information from accessing the network, avoids unnecessary loss of network resources, and makes the network side's access control of user network devices safer and more effective.
Embodiment five: a network server 300, whose structure, shown in Figure 3, comprises:
a verification request receiving unit 310, for receiving a service verification request from a user network device, the service verification request containing a digest value computed by the user network device from its own configuration information;
a verification unit 320, for verifying, against a stored digest value, the digest value computed by the user network device from its own configuration information;
an access control unit 330, for controlling access of the user network device according to the verification result of the verification unit.
Embodiment four of the invention can execute the methods described in embodiments one to two, but is not limited to executing the methods of embodiments one to two.
The network server provided by embodiment five can verify a user network device according to the digest value computed from the network device's configuration information, which prevents a user network device with modified configuration information from accessing the network, avoids unnecessary loss of network resources, and makes the network side's access control of user network devices safer and more effective.
Embodiment six: a communication system, whose structure, shown in Figure 4, comprises:
a user network device 410, for requesting network access and sending a verification request to a network server, the service verification request containing a digest value computed from local configuration information;
a network server 420, for verifying, against a stored digest value, the digest value computed by the user network device from its own configuration information, and for controlling access of the user network device according to the result of the verification.
It should be understood that in this embodiment the communication system can further comprise: a configuration management server, for computing and generating the digest value from the configuration information of the user network device, or from that information together with device key information, and providing it to the network server for use in access verification of the user network device.
Embodiment five of the invention can execute the methods described in embodiments one to three, but is not limited to executing the methods of embodiments one to three.
The communication system provided by this embodiment can verify a user network device according to the digest value computed from the network device's configuration information, which prevents a user network device with modified configuration information from accessing the network, avoids unnecessary loss of network resources, and makes the network side's access control of user network devices safer and more effective.
Embodiment seven: a user network device 500 comprises a digest computation unit 510 and a verification request sending unit 520;
the digest computation unit 510 is for computing a digest value from the device's own configuration information;
the verification request sending unit 520 is for sending a service verification request to the network server, the service verification request containing the digest value computed by the digest computation unit 510, so that the network server performs access verification of the user network device according to the digest value.
The user network device provided by this embodiment can compute a digest value from its own configuration information and send the digest value to the network-side equipment, supporting the network-side equipment in performing access verification of the user network device by means of the digest value; this prevents a user network device with modified configuration information from accessing the network, avoids unnecessary loss of network resources, and makes the network side's access control of user network devices safer and more effective.
The network access control method, server, user network device and communication system provided by embodiments of the invention have been described in detail above, wherein:
In one embodiment of the invention, a service verification request from a user network device is received, the request containing a digest value computed by the device from its own configuration information; that digest value is verified against the stored digest value; and access of the user network device is controlled according to the result of the verification. By verifying the digest value the user network device computes from its configuration information, access by a user network device whose configuration information has been modified without authorization can be effectively prevented even if the administrator/password of the user device has been leaked or cracked.
Generally, the initial administrator name and password of a home gateway are the same and do not vary from device to device, and these factors all increase the likelihood that the administrator/password is leaked.
Modification of the home gateway's configuration file, key configuration parameters or device key identification information can be fully controlled by the operator, guaranteeing the operator's maintenance management and service provisioning of the device. Binding of the home gateway device to the operator: if the device key identification information of the home gateway is included when generating the gateway digest value, the home gateway device can be bound to the operator, so that only home gateway devices approved by the operator can be used on that operator's network. Binding of the user to the home gateway device: if the user information used in home gateway service access verification is included, together with the device key identification information, when generating the gateway digest value, the user can be bound to the home gateway device, preventing other users from using that home gateway device.
Specific examples have been used herein to explain the principles and implementations of the invention; the description of the above embodiments is only intended to help in understanding the method of the invention and its core idea. At the same time, one of ordinary skill in the art may, in accordance with the idea of the invention, make changes in the specific implementations and scope of application. In summary, this description should not be construed as limiting the invention.

Claims (11)

1. A network access control method, characterized in that it comprises:
receiving a service verification request from a user network device, the service verification request containing a digest value computed by the user network device from its own configuration information;
verifying, against a stored digest value, the digest value computed by the user network device from its own configuration information;
controlling access of the user network device according to the result of the verification.
2. The method of claim 1, characterized in that the stored digest value is the digest value computed from the configuration information of the user network device at the time of service provisioning.
3. The method of claim 1, characterized in that verifying, against the stored digest value, the digest value computed by the user network device from its own configuration information comprises:
judging whether the stored digest value of the user network device is consistent with the digest value sent by the network device;
if consistent, verification passes; if inconsistent, verification fails.
4. The method of claim 1, characterized in that if a network management device modifies the configuration information of the user network device over the network, a new digest value of the user network device is recomputed, and the stored digest value is updated with the new digest value.
5. The method of any one of claims 1 to 4, characterized in that the digest value is further computed from device key identification information and/or a user identifier.
6. A network access control method, characterized in that it comprises:
a user network device sending a verification request to a network server, the service verification request containing a digest value computed from local configuration information, so that the network server performs access verification of the user network device according to the digest value.
7. The method of claim 6, characterized in that it further comprises:
receiving the verification result of the network server verifying, against the stored digest value, the digest value sent by the user network device.
8. A network server, characterized in that it comprises:
a verification request receiving unit, for receiving a service verification request from a user network device, the service verification request containing a digest value computed by the user network device from its own configuration information;
a verification unit, for verifying, against a stored digest value, the digest value computed by the user network device from its own configuration information;
an access control unit, for controlling access of the user network device according to the verification result of the verification unit.
9. A communication system, characterized in that it comprises:
a user network device, for sending a verification request to a network server, the service verification request containing a digest value computed from local configuration information;
a network server, for verifying, against a stored digest value, the digest value computed by the user network device from its own configuration information, and for controlling access of the user network device according to the result of the verification.
10. The communication system of claim 9, characterized in that it further comprises: a configuration management server, for computing and generating the digest value from the configuration information of the user network device, or from that information together with device key information, and providing it to the network server.
11. A user network device, characterized in that it comprises:
a digest computation unit, for computing a digest value from the device's own configuration information;
a verification request sending unit, for sending a service verification request to the network server, the service verification request containing the digest value computed by the digest computation unit, so that the network server performs access verification of the user network device according to the digest value.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200810177093A CN101741554A (en) 2008-11-21 2008-11-21 Method for network access control, server, user network equipment and communication system
PCT/CN2009/075003 WO2010057428A1 (en) 2008-11-21 2009-11-18 Network access control method, server, user network device and communication system thereof

Publications (1)

Publication Number Publication Date
CN101741554A true CN101741554A (en) 2010-06-16

Family

ID=42197842

Country Status (2)

Country Link
CN (1) CN101741554A (en)
WO (1) WO2010057428A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103138979A (en) * 2011-11-30 2013-06-05 华为终端有限公司 Network access management method and network access facility
CN110191008A (en) * 2019-07-03 2019-08-30 中国联合网络通信集团有限公司 The method of self-service Configuration network equipment, user terminal, server

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004304304A (en) * 2003-03-28 2004-10-28 Fujitsu Ltd Electronic signature generating method, electronic signature authenticating method, electronic signature generating request program and electronic signature authenticate request program
CN100539501C (en) * 2006-10-13 2009-09-09 清华大学 Unified Identity sign and authentication method based on domain name
CN101013941A (en) * 2007-02-09 2007-08-08 上海林果科技有限公司 Digital certificate authentication/management system and authentication/management method

Also Published As

Publication number Publication date
WO2010057428A1 (en) 2010-05-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20100616