CN101895535A - Network authentication method, device and system for identifying separate mapping network - Google Patents

Network authentication method, device and system for identifying separate mapping network

Info

Publication number
CN101895535A
Authority
CN
China
Prior art keywords
user terminal
network
authentication
authenticate device
access network
Legal status
Granted
Application number
CN2010102211263A
Other languages
Chinese (zh)
Other versions
CN101895535B (en)
Inventor
刘颖
万明
张宏科
唐建强
Current Assignee
Beijing Jiaotong University
Original Assignee
Beijing Jiaotong University

Abstract

The invention discloses a network authentication method for an identifier separating mapping network, comprising the following steps: when a user terminal that is not connected to the network requests to connect to the network, performing bidirectional authentication between the user terminal and the authentication device corresponding to the access network to be accessed; issuing an identity tag of the user terminal to the user terminal; storing, by the authentication device, the identity tag of the user terminal in one of the authentication devices in a Chord ring, determined according to the Chord algorithm; and when the user terminal requests to switch from accessing the network through one access network to accessing the network through another access network, sending an authentication request from the user terminal to the authentication device corresponding to the other access network, which determines according to the Chord algorithm the authentication device that stores the authentication registration information of the user terminal and acquires that authentication registration information. The method can meet the mobility and security requirements and the real-time requirements of services with strong real-time demands, such as audio and video.

Description

Network authentication method, device and system for an identifier separating mapping network
Technical field
The present invention relates to network service processing methods, and in particular to a network authentication method, network authentication device and network authentication system, more particularly to a network authentication method, network authentication device and network authentication system for an identifier separating mapping network.
Background technology
In the TCP/IP protocol architecture an IP address represents both the network topology location of a host and the host's identity, and this dual semantics of the IP address severely limits host mobility. When a user terminal moves, its IP address must change to express the new terminal location, so the network-layer communication link originally established between the communicating parties is interrupted, the transport-layer connection is interrupted as well, and the connection has to be re-established. Satisfactory support for delay-sensitive voice and video services is therefore impossible.
Identifier separating mapping networks have appeared in order to solve the ambiguity of the IP address in existing networks. An identifier separating mapping network adopts a network architecture in which identifiers (for example, the access identifier and the switch routing identifier) are separated and mapped. Specifically, by introducing the access identifier AID (Access Identifier) and the switch routing identifier RID (Switch Routing Identifier), the identifier separating mapping network creates a separated, aggregated mapping between access identifiers and switch routing identifiers, separates the location information of the user terminal from its identity information, and thereby solves the IP address ambiguity problem.
At present, access authentication techniques on the Internet mainly include AAA authentication and 802.1x authentication. These authentication techniques can be used to secure the communication between a user terminal and the access network. However, when a user terminal switches from one access network to another, it must authenticate again with the other access network.
Specifically, in AAA authentication (where Authentication means verifying the user's identity and the network services it may use; Authorization means opening network services to the user according to the authentication result; and Accounting means recording the user's consumption of the various network services and providing the record to the billing system), the full authentication normally has the user enter a user name and password for verification. The principle of authentication is that each user has a unique credential. In AAA authentication, when a user terminal switches between two access networks it must authenticate again. When the user terminal roams to a new access network, it first sends an authentication request to the local AAA server; the local AAA server then sends a query to the user terminal's home AAA server; if the query result allows the user terminal to access the network, the subsequent authentication procedure is the same as when a user terminal not yet attached to any access network requests access. Thus, in AAA authentication, when a user terminal switches between two access networks the whole authentication process is even more complex than authentication from the unattached state, because a query must also be sent to the user terminal's home AAA server.
The 802.1x protocol is a client/server-based access control and authentication protocol. It can prevent unauthorized users or devices from accessing a LAN/WLAN through an access port. Before a user terminal obtains the various services provided by the switch or LAN, 802.1x authenticates the user or device connected to the switch port. When a user terminal switches from one access network (for example, access network A) to another access network (for example, access network B), it must send an authentication request to the switch in access network B. Because the switch in access network B does not know that the user terminal has switched over from access network A, nor that the switch in access network A has already authenticated the user terminal and stored the corresponding authentication information, when it receives the authentication request it requires the user terminal to complete the same full authentication process as every other user terminal initially attaching to access network B before the terminal can access the network. In short, when a user terminal switches from access network A to access network B, the authentication previously performed with access network A is ignored and the whole authentication process is repeated, which obviously causes a long communication delay.
Thus, both traditional AAA authentication and 802.1x authentication increase the time a user terminal needs to switch from one access network to another, so that communication suffers a significant delay, and neither can satisfy the demands of real-time services.
In addition, an identifier separating mapping network uses an identifier separation and mapping mechanism to separate the identity information of a user terminal from its location information. Traditional authentication techniques cannot adapt to this new architecture adopted by the identifier separating mapping network and therefore cannot satisfy its mobility and security requirements.
Current authentication techniques apply only to the traditional Internet architecture and cannot be applied to the rapidly developing identifier separating mapping network. Using traditional authentication techniques in an identifier separating mapping network causes obvious communication delay and cannot meet the real-time requirements of services such as audio and video that have strong real-time demands.
Summary of the invention
The object of the present invention is to provide a network authentication method, network authentication device and network authentication system for an identifier separating mapping network that can satisfy the mobility requirement, the security requirement and the real-time requirement of services such as audio and video that have strong real-time demands.
According to one aspect of the present invention, a network authentication method for an identifier separating mapping network is provided. In this network authentication method, the authentication devices in the core network of the identifier separating mapping network are arranged in a virtual Chord ring. When a user terminal that is not connected to the network requests to connect to the network, the following steps are performed to complete authentication: bidirectional authentication is performed between the user terminal and the authentication device corresponding to the access network to be accessed; the authentication device issues the identity label of the user terminal to the user terminal; and the authentication device stores the identity label of the user terminal in one of the authentication devices in the Chord ring, determined according to the Chord algorithm. When the user terminal requests to switch from accessing the network through one access network to accessing the network through another access network, the following steps are performed to complete authentication: the user terminal sends an authentication request, which includes the identity label of the user terminal, to the authentication device corresponding to the other access network; the authentication device corresponding to the other access network determines according to the Chord algorithm which authentication device in the Chord ring stores the authentication registration information of the user terminal, and obtains the authentication registration information of the user terminal from that authentication device.
According to another aspect of the present invention, an authentication device for an identifier separating mapping network is provided, the authentication device being arranged in a virtual Chord ring. When a user terminal that is not connected to the network requests to connect to the access network whose authentication this authentication device is responsible for, the authentication device performs the following steps to complete authentication: it performs bidirectional authentication with the user terminal; it issues the identity label of the user terminal to the user terminal; and it stores the identity label of the user terminal in one of the authentication devices in the Chord ring, determined according to the Chord algorithm. When the user terminal switches from accessing the network through the access network for which this authentication device is responsible to accessing the network through an access network for which another authentication device is responsible, the other authentication device performs the following steps to complete authentication: it receives the authentication request sent by the user terminal, which includes the identity label of the user terminal; it determines according to the Chord algorithm which authentication device in the Chord ring stores the authentication registration information of the user terminal, and obtains the authentication registration information of the user terminal from that authentication device.
According to another aspect of the present invention, a network authentication system for an identifier separating mapping network is provided. The network authentication system uses the authentication device described above to authenticate user terminals requesting access to the network.
The present invention combines the design philosophy of the Chord protocol with the identifier separating mapping network: by forming the authentication centers (corresponding to the authentication devices) into a ring based on the Chord protocol, it achieves not only bidirectional authentication with the access network during the initial access of the user terminal, but also rapid authentication when the user terminal switches between different access networks.
During the initial access process, bidirectional authentication between the user terminal and the access network is achieved by exchanging digital certificates, and the use of pseudo-random numbers guarantees the freshness and uniqueness of the exchanged messages. When the user terminal moves and switches to another access network, authentication between the user terminal and the different access networks is performed rapidly by means of the identity label (hereinafter, the authentication performed when a user terminal moves and switches to another access network is called "handover authentication"). The whole handover authentication process thus guarantees the authenticity of the user terminal's identity, prevents illegal users from accessing the network and rules out identity impersonation, while keeping the time taken to attach to the other access network short and real-time, so that authentication service can be better provided for real-time services such as audio and video.
In addition, the handover authentication process of the present invention uses an encrypted transmission mechanism, which effectively protects the privacy of the user's identity.
In addition, the handover authentication process of the present invention guarantees the authenticity of the user terminal's identity at all times, prevents illegal users from accessing the network, and improves the security and reliability of the identifier separating mapping network.
In addition, the Chord-based authentication method for an identifier separating mapping network according to the present invention achieves secure and fast handover authentication, improves the security and reliability of the identifier separating mapping network, and increases its controllability and manageability.
Description of drawings
Further features of the present invention will become clear from the following description of exemplary embodiments with reference to the accompanying drawings.
Fig. 1 is a schematic diagram illustrating an example of a basic communication process between user terminal 100A and user terminal 100B in an identifier separating mapping network.
Fig. 2 is a schematic diagram illustrating the network architecture and the deployment of authentication centers for an identifier separating mapping network according to the present invention.
Fig. 3 is a flow chart illustrating an example of the access authentication process according to the present invention, performed when a user terminal attaches to the identifier separating mapping network.
Fig. 4 is a flow chart illustrating an example of the handover authentication process performed when a user terminal switches from one access network to another.
Fig. 5 is a table showing the meaning of the reference symbols used in Figs. 3 and 4.
Fig. 6 is a schematic diagram illustrating the storage and lookup of identity labels in the network authentication method according to the present invention.
Embodiment
Various exemplary embodiments, features and aspects of the present invention are described in detail below with reference to the accompanying drawings.
According to network topology, an identifier separating mapping network consists mainly of two parts: the access network and the core network. The access network provides access for various types of terminals (fixed, mobile, sensor networks and so on), and expresses the identity information of a user terminal by its access identifier. The core network mainly handles routing management, packet forwarding and routing, and expresses the location information of a user terminal by its switch routing identifier; the core network uses a uniform routing identifier format to complete route aggregation and path finding in the core network.
In an identifier separating mapping network, the access switch router (ASR, Access Switch Router) is mainly responsible for the access of various terminals; it provides the user terminal with the replacement service between access identifiers and switch routing identifiers, and forwards the user terminal's packets in the core network after identifier replacement. The general switch router (GSR, General Switch Router) routes and forwards packets in the core network according to the switch routing identifier in the packet. The mapping server (IDserver, Identifier server) stores and maintains the mapping relationships between access identifiers and switch routing identifiers, and provides registration and query services for mapping relationships to the access routers. The authentication center (AC, Authentication Center) records the class of each user terminal and the service level it enjoys, and performs access control and authorization when a user terminal attaches. The authentication information of all legitimate users is stored in the database of the authentication center. During authentication, the network verifies whether the terminal is legitimate, and the terminal also verifies whether the network is legitimate.
With reference to Fig. 1, in an identifier separating mapping network the process by which user terminal 100A initiates communication with user terminal 100B and completes one full communication is as follows:
Step 1: User terminal 100A enters the coverage of access switch router 200A and, when communicating for the first time, first sends an authentication request to access switch router 200A.
Step 2: Access switch router 200A sends an authentication query to authentication center 400.
Step 3: Access switch router 200A returns the authentication result from authentication center 400 to user terminal 100A.
Step 4: If authentication passes, access switch router 200A allocates a switch routing identifier to user terminal 100A, establishes the mapping between the access identifier and the switch routing identifier, and saves it in its local user mapping table.
Step 5: Access switch router 200A reports this mapping to mapping server 300, and mapping server 300 stores the mapping.
Step 6: User terminal 100A sends a packet to user terminal 100B. The source address field of the packet is the access identifier of user terminal 100A, and the destination address field of the packet is the access identifier of user terminal 100B.
Step 7: Access switch router 200A receives the first packet sent by user terminal 100A to user terminal 100B; because it does not know the mapping between the access identifier and the switch routing identifier of user terminal 100B, it queries mapping server 300.
Step 8: After access switch router 200A obtains the mapping of user terminal 100B returned by mapping server 300, it stores the mapping in its peer user mapping table.
Step 9: Access switch router 200A replaces the source and destination access identifiers in the packet with the corresponding source and destination switch routing identifiers, and forwards the replaced packet to core network 500. General switch router 600 in core network 500 forwards the packet to access switch router 200B according to the switch routing identifier in the packet.
Step 10: After access switch router 200B receives the packet sent by access switch router 200A, because this is the first communication, its peer user mapping table contains no mapping information for user terminal 100A, so it queries mapping server 300 for the mapping information of user terminal 100A.
Step 11: After access switch router 200B receives the mapping returned by mapping server 300, it stores the mapping between the access identifier and the switch routing identifier of user terminal 100A in its peer user mapping table.
Step 12: After access switch router 200B obtains the mapping, it replaces the switch routing identifiers in the source and destination addresses of the packet back with access identifiers and forwards the packet to user terminal 100B, which finally receives the packet sent by user terminal 100A.
At this point, user terminal 100A and user terminal 100B have completed one full communication process.
From the communication process between user terminal 100A and user terminal 100B described above with reference to Fig. 1 (in particular, steps 1 to 4), it can be seen that both user terminals must pass authentication by authentication center 400 before they begin data communication.
As noted earlier, the Chord-based authentication method for an identifier separating mapping network according to the present invention combines the identifier separation and mapping characteristic of the identifier separating mapping network architecture with the fast resource lookup and location characteristic of the Chord protocol, forming the authentication centers into a ring based on the Chord protocol (hereinafter, "Chord ring"), and thereby achieves fast handover authentication of user terminals between different access networks. The Chord-based handover authentication method for an identifier separating mapping network according to the present invention mainly improves the authentication centers in core network 500 (hereinafter abbreviated "AC"). The handover authentication method and system according to the present invention, and the authentication center used for them, are described in detail below.
Fig. 2 is a schematic diagram illustrating the network architecture and the deployment of authentication centers for an identifier separating mapping network according to the present invention. As shown in Fig. 2, authentication centers 400A to 400F adopt a distributed P2P structure based on the Chord protocol.
Specifically, each of authentication centers 400A to 400F has a 128-bit node identifier obtained by hashing the switch routing identifier of the authentication center itself; all of authentication centers 400A to 400F form Chord ring 800 in the order of their node identifiers, and this hashing ensures load balancing of Chord ring 800. Each authentication center corresponds to one access network and manages access control and authorization of the user terminals in its own access network. In other words, an authentication center is responsible only for the access authentication and handover authentication of user terminals in a particular access network, and different access networks are served by different authentication centers. All authentication centers have the same digital certificate and public/private key pair.
Each authentication center issues an "identity label" to the user terminals in the access network it manages. The authentication center (300A to 300F) maps the user's authentication information (mainly the identity certificate, access identifier, current timestamp and pseudo-random number of the user terminal) through a distributed hash table (DHT, Distributed Hash Table) to obtain the "identity label" of the user terminal. The authentication center uses the identity label to store, query and maintain the data related to the corresponding user terminal. Each authentication center on Chord ring 800 manages the resources whose identity labels are less than its own node identifier but greater than that of its predecessor, where a resource means the access identifier of the user terminal, the identity label of the user terminal, the digital certificate of the user terminal, and authentication registration information such as the access registration time of the user terminal. The authentication center uses the identity label of the user terminal as an index to complete the lookup of the user terminal's authentication registration information in the Chord ring (described in detail below). Besides a predecessor and a successor, each authentication center also maintains a routing table (hereinafter, the Finger table) with m entries (that is, m rows), where m = log2 N and N is the total number of nodes in the ring; the Finger table is the routing table of Chord ring 800, and the Chord algorithm routes and looks up each node in the ring according to the Finger table. In the Finger table, entry i holds information about the nearest node that is at least 2^(i-1) positions after this node; this information is elaborated below.
Each of authentication centers 400A to 400F has an authentication registration table. The authentication registration table stores the access identifier of the user terminal, the identity label of the user terminal, the digital certificate of the user terminal, and authentication registration information such as the access registration time of the user terminal. According to the Chord algorithm, the authentication registration table of an authentication center stores the authentication registration information of those user terminals whose identity labels are less than the node identifier of that authentication center itself and greater than the node identifier of its predecessor; that is, the Chord algorithm determines in which authentication center in the Chord ring the authentication information of a particular user terminal is stored.
When a user terminal that is not connected to the network requests to connect to the network, the authentication center corresponding to the access network the terminal wants to access provides the identity label of that user terminal to it. Specifically, that authentication center computes a 128-bit hash value from the identity certificate, access identifier, current timestamp and pseudo-random number of the user terminal and uses it as the identity label of the user terminal. The identity label of the user terminal and the node identifier of the authentication center are in the same hash space, and the authentication center looks up the authentication registration information of the user terminal by its identity label according to the Chord algorithm. The identity label of the user terminal thus represents the temporary identity information of the user terminal. The lifetime of the identity label lasts from when the user accesses the network until the user leaves the network; the timestamp and the pseudo-random number guarantee that the identity label is not repeated.
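As an added example (not code from the patent), the following Python models the Chord ring of authentication centers described above: node identifiers hashed from each AC's switch routing identifier, a Finger table with one entry per identifier bit (standard Chord, used here instead of the page's m = log2 N entries), a 128-bit identity label, storage of the registration record on the AC that the Chord algorithm selects, and the lookup that the AC of a new access network performs at handover. SHA-256 truncated to 128 bits, the RID strings and the sample terminal values are assumptions.

```python
import hashlib
from bisect import bisect_left

M = 128                 # identifier length in bits, as in the patent
RING = 1 << M

def h128(data: bytes) -> int:
    """Hash into the 128-bit Chord identifier space (assumption: SHA-256 truncated;
    the patent does not name the hash function)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def identity_label(cert: bytes, aid: str, timestamp: int, nonce: int) -> int:
    """Identity label = 128-bit hash of (certificate, AID, timestamp, pseudo-random number)."""
    return h128(cert + aid.encode() + timestamp.to_bytes(8, "big") + nonce.to_bytes(8, "big"))

def between(x: int, a: int, b: int, closed_right: bool = False) -> bool:
    """True if x lies in the ring interval (a, b), or (a, b] when closed_right."""
    if a == b:                       # the interval spans the whole ring
        return closed_right or x != a
    if a < b:
        return a < x < b or (closed_right and x == b)
    return x > a or x < b or (closed_right and x == b)   # interval wraps past zero

class AuthCenter:
    """One authentication center: node id = hash(own RID), a Finger table, a registry."""
    def __init__(self, rid: str):
        self.rid = rid
        self.node_id = h128(rid.encode())
        self.registry = {}           # identity label -> authentication registration record
        self.successor = self.predecessor = self
        self.finger = []             # finger[k] = successor(node_id + 2^k)

def build_ring(rids):
    """Order the ACs by node id and fill successor, predecessor and Finger tables."""
    nodes = sorted((AuthCenter(r) for r in rids), key=lambda n: n.node_id)
    ids = [n.node_id for n in nodes]
    for i, node in enumerate(nodes):
        node.successor = nodes[(i + 1) % len(nodes)]
        node.predecessor = nodes[i - 1]
        for k in range(M):
            start = (node.node_id + (1 << k)) % RING
            node.finger.append(nodes[bisect_left(ids, start) % len(nodes)])
    return nodes

def closest_preceding_finger(node, key):
    for f in reversed(node.finger):  # largest jump that stays strictly before the key
        if between(f.node_id, node.node_id, key):
            return f
    return node

def find_successor(node, key):
    """Chord lookup: return (AC responsible for key, number of hops taken)."""
    hops = 0
    while not between(key, node.node_id, node.successor.node_id, closed_right=True):
        nxt = closest_preceding_finger(node, key)
        node = nxt if nxt is not node else node.successor
        hops += 1
    return node.successor, hops

def successor_brute(nodes, key):
    """Reference answer: the first node id >= key, wrapping round to the smallest id."""
    ids = [n.node_id for n in nodes]
    return nodes[bisect_left(ids, key) % len(nodes)]

def register(access_ac, cert, aid, timestamp, nonce):
    """Access authentication: the AC of the access network issues the label and stores the
    registration record on the ring node that the Chord algorithm selects."""
    label = identity_label(cert, aid, timestamp, nonce)
    holder, _ = find_successor(access_ac, label)
    holder.registry[label] = {"aid": aid, "cert": cert, "registered_at": timestamp}
    return label

def handover_lookup(new_ac, label):
    """Handover authentication: the AC of the new access network locates the holder of the
    label through the Chord ring and fetches the record (None if the label is unknown)."""
    holder, hops = find_successor(new_ac, label)
    return holder.registry.get(label), hops

if __name__ == "__main__":
    ring = build_ring([f"RID-400{c}" for c in "ABCDEF"])     # six ACs, as in Fig. 2
    label = register(ring[0], b"cert-100A", "AID-100A", 1_700_000_000, 12345)
    for ac in ring:
        rec, hops = handover_lookup(ac, label)
        print(f"{ac.rid}: found {rec['aid']} in {hops} hop(s)")
```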
Fig. 3 is a flow chart illustrating an example of the access authentication process according to the present invention, performed when user terminal 100A attaches to the identifier separating mapping network.
Note that in the present invention the authentication process performed when a user terminal not connected to the network requests to connect to the network is called the "access authentication process", and the authentication process performed when a user terminal switches from accessing the network through one access network to accessing the network through another access network is called the "handover authentication process".
In the access authentication stage shown in Fig. 3, bidirectional authentication between user terminal 100A and authentication center 400A is completed, authentication center 400A provides an identity label to user terminal 100A, and at the same time authentication registration information such as the identity label is stored in the authentication center in Chord ring 800 that is determined according to the Chord algorithm. This access authentication stage mainly comprises the following steps:
Step (1): After user terminal 100A enters access network 700A, it sends an authentication request, packet A, to authentication center 400A, which is responsible for (corresponds to) access network 700A. Packet A mainly comprises a pseudo-random number N_x generated by user terminal 100A (for example, a 64-bit pseudo-random number), the digital certificate Cert_a of user terminal 100A, the request payload CertReq for the digital certificate of authentication center 400A, and the digital signature Sig_a(N_x | Cert_a) over packet A.
Step (2): After authentication center 400A receives packet A, it uses the public key in the digital certificate Cert_a to check whether the digital signature in packet A is correct. If it is, it constructs packet B and sends it to the user terminal. Packet B mainly comprises the pseudo-random number N_x + 1, the digital certificate Cert_c of authentication center 400A, the information E(Pu_a, N_y) obtained by encrypting the pseudo-random number N_y generated by authentication center 400A with the public key of user terminal 100A, and the digital signature Sig_c(N_x + 1 | Cert_c | E(Pu_a, N_y)) of authentication center 400A over packet B. E(Pu_a, N_y) is used to confirm that the digital certificate Cert_a was really sent by user terminal 100A, because only the private key of user terminal 100A can decrypt N_y; the pseudo-random number N_y also gives a certain protection against replay attacks.
Step (3): after user terminal 100A receives packet B, it first checks whether the digital signature in packet B is correct, for example by checking the signature with the public key of digital certificate Cert_c. If it is correct, it stores the digital certificate Cert_c of authentication center 400A and decrypts N_y with its own private key. It then constructs packet C to request an identity label. Packet C mainly comprises the pseudo-random number N_y + 1, a request payload IdReq for the identity label, the pseudo-random number N_z generated by user terminal 100A encrypted with the public key Pu_c of authentication center 400A, E(Pu_c, N_z), and the digital signature over packet C, Sig_a(N_y + 1 | IdReq | E(Pu_c, N_z)). E(Pu_c, N_z) is used to confirm that digital certificate Cert_c was really sent by the authentication center.
Step (4): after authentication center 400A receives packet C, it first checks whether the digital signature is correct and then checks the pseudo-random number N_y: by confirming the value of N_y it confirms the authenticity of the user terminal's digital certificate. It then constructs packet D to issue an identity label to the user terminal. Packet D mainly comprises the random number N_z + 1, the identity label of the user terminal encrypted with the public key of user terminal 100A, E(Pu_a, Id-Sig), and the digital signature of authentication center 400A over packet D, Sig_c(N_z + 1 | E(Pu_a, Id-Sig)). Encrypting the identity label with the public key of user terminal 100A protects the privacy of the identity label.
More specifically, authentication center 400A can compute the identity label of the user terminal as a 128-bit hash value from the identity certificate Cert_a and access identifier AID_a of user terminal 100A, the current timestamp T_s and a pseudo-random number N_t. For example, the identity label of the user terminal can be the 128-bit hash of the identity certificate Cert_a and access identifier AID_a of user terminal 100A, the current timestamp T_s and the pseudo-random number N_t, formulated as follows:
Id-Sig = hash(Cert_a | AID_a | T_s | N_t)
The identity label of a user terminal represents the temporary identity information of that user terminal; its lifetime runs from the moment the user terminal accesses the network until it leaves the network. The timestamp T_s and the pseudo-random number N_t are sufficient to guarantee that identity labels are not repeated.
In addition, encrypting the identity label with the public key Pu_a of user terminal 100A, written E(Pu_a, Id-Sig), protects the privacy of the identity label of user terminal 100A. Sig_c(N_z + 1 | E(Pu_a, Id-Sig)) denotes the digital signature of the authentication center over the relevant fields.
Step (5): user terminal 100A receives packet D, first checks the correctness of its digital signature and then checks the pseudo-random number N_z: by confirming the value of N_z it verifies the authenticity of the digital certificate of authentication center 400A, that is, it confirms that digital certificate Cert_c really belongs to the authentication center. At this point the two-way authentication of the user terminal and authentication center 400A is complete. User terminal 100A uses its own private key to decrypt the identity label E(Pu_a, Id-Sig) contained in packet D, which authentication center 400A encrypted with the public key of user terminal 100A, and so obtains the decrypted identity label. User terminal 100A then constructs packet E to inform authentication center 400A that it has obtained the identity label. Packet E comprises the identity label Id-Sig encrypted with the public key Pu_c of authentication center 400A, E(Pu_c, Id-Sig), the digital signature Sig_a(E(Pu_c, Id-Sig)) of user terminal 100A, and so on.
After authentication center 400A receives packet E, it verifies the authenticity of the digital signature and learns that user terminal 100A has received the identity label Id-Sig. It then informs access switch router 200A that user terminal 100A may access the network, and sends the authentication registration information of user terminal 100A to the authentication registration table of the corresponding authentication center in the Chord ring determined by the Chord algorithm. Note that, according to the Chord algorithm, the node identifier of this corresponding authentication center should be larger than the identity label of user terminal 100A, and the node identifier of its predecessor should be smaller than the identity label of user terminal 100A.
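The five-packet exchange of steps (1) to (5), as an added example that is not part of the patent's own text: each side checks the signature and the incremented nonce (N_x + 1, N_y + 1, N_z + 1) before acting on a packet, and the label is derived with the Id-Sig formula above. All credentials are constructed stand-ins (HMAC in place of Sig_x, a hash keystream in place of E(Pu_x, .), SHA-256 truncated to 128 bits as the hash); the names Party, access_authentication, echo_ok and identity_label are this example's own.

```python
import hashlib
import hmac
import os
import time


def h(*parts: bytes) -> bytes:
    """SHA-256 over '|'-joined fields, the patent's hash(a|b|c) notation."""
    return hashlib.sha256(b"|".join(parts)).digest()


def inc(n: bytes) -> bytes:
    """N + 1 on an 8-byte nonce: the N_x+1 / N_y+1 / N_z+1 echoes of packets B, C and D."""
    return ((int.from_bytes(n, "big") + 1) % 2**64).to_bytes(8, "big")


def echo_ok(sent: bytes, echoed: bytes) -> bool:
    """A reply is fresh only if it echoes the challenge nonce incremented by one."""
    return hmac.compare_digest(inc(sent), echoed)


def identity_label(cert_a: bytes, aid_a: bytes, ts: int, nt: bytes) -> bytes:
    """Id-Sig = hash(Cert_a | AID_a | T_s | N_t), truncated to the 128 bits the patent specifies."""
    return h(cert_a, aid_a, str(ts).encode(), nt)[:16]


class Party:
    """User terminal 100A or authentication centre 400A with constructed toy credentials:
    `secret` stands in for the private key, `cert` for the digital certificate, HMAC for
    the signature Sig_x(...) and a hash keystream for public-key encryption E(Pu_x, ...).
    They model who can sign and who can decrypt; a deployment uses real certificates."""

    def __init__(self, name: str):
        self.secret = os.urandom(32)
        self.cert = h(name.encode(), self.secret)[:16]

    def sign(self, *fields: bytes) -> bytes:
        return hmac.new(self.secret, b"|".join(fields), hashlib.sha256).digest()

    def decrypt(self, blob: bytes) -> bytes:            # only the holder of `secret` can open it
        iv, body = blob[:16], blob[16:]
        return bytes(a ^ b for a, b in zip(body, h(self.secret, iv)))


def encrypt_for(p: Party, data: bytes) -> bytes:       # E(Pu_p, data), data up to 32 bytes
    assert len(data) <= 32, "toy keystream is a single SHA-256 block"
    iv = os.urandom(16)
    return iv + bytes(a ^ b for a, b in zip(data, h(p.secret, iv)))


def verify(p: Party, sig: bytes, *fields: bytes) -> bool:
    """Check Sig_p over the fields (with the public key of Cert_p in the real protocol)."""
    return hmac.compare_digest(p.sign(*fields), sig)


def access_authentication(term: Party, ac: Party, aid_a: bytes):
    """Packets A..E of Fig. 3. Returns (label seen by terminal, label issued by AC);
    raises ValueError at the first failed signature or nonce check."""
    # A -> AC: N_x, Cert_a, CertReq, Sig_a(N_x | Cert_a)
    Nx = os.urandom(8)
    A = dict(Nx=Nx, Cert_a=term.cert, CertReq=b"CertReq", sig=term.sign(Nx, term.cert))
    # AC: verify Sig_a with Cert_a, answer with B: N_x+1, Cert_c, E(Pu_a, N_y), Sig_c(...)
    if not verify(term, A["sig"], A["Nx"], A["Cert_a"]):
        raise ValueError("packet A: bad signature")
    Ny = os.urandom(8)
    B = dict(Nx1=inc(A["Nx"]), Cert_c=ac.cert, ENy=encrypt_for(term, Ny))
    B["sig"] = ac.sign(B["Nx1"], B["Cert_c"], B["ENy"])
    # Terminal: verify Sig_c and the N_x+1 echo, recover N_y, send C: N_y+1, IdReq, E(Pu_c, N_z)
    if not (verify(ac, B["sig"], B["Nx1"], B["Cert_c"], B["ENy"]) and echo_ok(Nx, B["Nx1"])):
        raise ValueError("packet B: bad signature or stale nonce")
    Nz = os.urandom(8)
    C = dict(Ny1=inc(term.decrypt(B["ENy"])), IdReq=b"IdReq", ENz=encrypt_for(ac, Nz))
    C["sig"] = term.sign(C["Ny1"], C["IdReq"], C["ENz"])
    # AC: N_y+1 proves the terminal holds the private key behind Cert_a; issue the label in D
    if not (verify(term, C["sig"], C["Ny1"], C["IdReq"], C["ENz"]) and echo_ok(Ny, C["Ny1"])):
        raise ValueError("packet C: bad signature or stale nonce")
    label = identity_label(term.cert, aid_a, int(time.time()), os.urandom(8))
    D = dict(Nz1=inc(ac.decrypt(C["ENz"])), ELabel=encrypt_for(term, label))
    D["sig"] = ac.sign(D["Nz1"], D["ELabel"])
    # Terminal: N_z+1 proves the AC holds the private key behind Cert_c; decrypt label, ack in E
    if not (verify(ac, D["sig"], D["Nz1"], D["ELabel"]) and echo_ok(Nz, D["Nz1"])):
        raise ValueError("packet D: bad signature or stale nonce")
    label_t = term.decrypt(D["ELabel"])
    E = dict(ELabel=encrypt_for(ac, label_t))
    E["sig"] = term.sign(E["ELabel"])
    # AC: the acknowledged label must be the one it issued before it admits the terminal
    if not (verify(term, E["sig"], E["ELabel"]) and ac.decrypt(E["ELabel"]) == label):
        raise ValueError("packet E: label acknowledgement mismatch")
    return label_t, label
```

The checks are deliberately ordered as in the text: a signature is verified before any field of the packet is used, and a nonce echo that is not exactly the challenge plus one is rejected, which is what gives the exchange its replay protection.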
Fig. 4 is a flowchart of an example of the switching authentication procedure in which user terminal 100A switches from access network 700A to access network 700B. The switching authentication procedure according to the present invention is explained below with reference to Fig. 4. The switching authentication procedure mainly realizes the switching authentication of user terminal 100A when it moves from access network 700A to access network 700B, and also realizes the lookup of the identity label in the Chord ring. Here, user terminal 100A performs switching authentication with the authentication center responsible for access network 700B. The main steps are as follows:
Step 1: when user terminal 100A moves to access network 700B, it first sends packet X to authentication center 400E, which is responsible for (corresponds to) access network 700B, to request access authentication by authentication center 400E. Packet X mainly comprises the randomly generated pseudo-random number N_k encrypted by user terminal 100A with its own public key, E(Pu_a, N_k), the identity label encrypted by user terminal 100A with the public key shared by authentication centers 400A to 400F, E(Pu_c, Id-Sig), and the digital signature over packet X, Sig_a(E(Pu_a, N_k), E(Pu_c, Id-Sig)). Here E(Pu_a, N_k) ensures the freshness and uniqueness of packet X, E(Pu_c, Id-Sig) ensures the confidentiality of the identity label, and Sig_a(E(Pu_a, N_k), E(Pu_c, Id-Sig)) guarantees the authenticity of packet X.
Step 2: after authentication center 400E receives packet X, it first decrypts the identity label of user terminal 100A with its private key, then determines, according to the Chord algorithm, the authentication center in the Chord ring that stores the identity label value of user terminal 100A, and obtains the authentication registration information of user terminal 100A from it, thereby learning the access identifier and the digital certificate of the user terminal. Authentication center 400E then judges whether the access identifier AID_a matches user terminal 100A and verifies the digital signature of packet X with the public key of digital certificate Cert_a. If the verification fails, user terminal 100A is forbidden to access the network; if it succeeds, access switch router 200B is informed that user terminal 100A may access the network. Authentication center 400E then sends packet Y to user terminal 100A. Packet Y mainly comprises the pseudo-random number N_k + 1, the identity label encrypted with the public key of user terminal 100A, E(Pu_a, Id-Sig), and the digital signature over packet Y, Sig_c(N_k + 1, E(Pu_a, Id-Sig)).
After user terminal 100A receives packet Y, it first verifies the correctness of the digital signature and then decrypts the identity label Id-Sig with its own private key. From the identity label it learns that it has been allowed to access the network, and user terminal 100A can continue communicating.
In addition, Fig. 5 is a table showing the meaning of the reference numerals used in Fig. 3 and Fig. 4.
As can be seen from the above explanation with reference to Figs. 3 to 5, the authentication centers 200 in the identifier separating mapping network are deployed in a distributed peer-to-peer structure based on the Chord protocol, forming a virtual Chord ring in the core network 500, so that fast switching authentication of user terminals can be completed. In addition, the explanation of the access authentication procedure according to the present invention given with reference to Fig. 3, in which user terminal 100A is connected to the identifier separating mapping network, omitted the intermediate forwarding by the access switch router in the identifier separating mapping network; in it, user terminal 100A and authentication center 400A, which is responsible for access network 700A, carry out access authentication.
Likewise, the explanation with reference to Fig. 4 of the switching authentication procedure in which user terminal 100A switches from access network 700A to access network 700B also omitted the intermediate forwarding by the access switch router in the identifier separating mapping network.
Fig. 6 describes the storage and lookup procedures for identity labels in the network authentication method according to the present invention. The procedures for storing and looking up the identity label of a user terminal are described below with reference to Fig. 6.
Referring to Fig. 6, for convenience of explanation m = 3 is taken as an example; when m = 3 the total number of positions in the Chord ring is N = 2^m = 2^3 = 8.
As shown in Fig. 6, each node on the Chord ring corresponds to one authentication center, and the ring is formed according to the ordering of the 128-bit node identifiers. Every authentication center on the Chord ring has a unique predecessor and a unique successor, and the identity labels of user terminals and the node identifiers lie in the same hash space. Each authentication center on the Chord ring is responsible for the resources whose identity labels are smaller than its own identifier but larger than the identifier of its predecessor.
In addition, besides a predecessor and a successor, each authentication center on the Chord ring also has a Finger table (also called a routing table) with m entries, where m = log₂ N and N is the total number of nodes in the ring. The i-th entry of the Finger table (i an integer, 1 ≤ i ≤ m) stores, for the user terminal closest to this node at a distance of at least 2^(i-1) nodes after it, the information on which authentication center in the Chord ring stores, or should store, data such as the authentication registration information of that user terminal. For example, in Fig. 6 the user terminals closest to node 1 at distances of 2^(1-1), 2^(2-1) and 2^(3-1) nodes are user terminals 2, 3 and 5; therefore, as shown in Fig. 6, node 3 holds the information on which authentication center in the Chord ring stores, or should store, data such as the authentication registration information of user terminals 2, 3 and 5. For convenience, the information on which authentication center in the Chord ring stores, or should store, the authentication registration information and other data of a user terminal is hereinafter called the successor of that user terminal. Note that this information (i.e. the "successor") may directly indicate the node identifier of the authentication center that has stored the data such as the authentication registration information of the user terminal, or may indirectly indicate the node identifier of the authentication center from which the authentication center storing that data can be found. In short, the successor may be the target authentication center that stores the authentication registration information of the user terminal, or it may be the next-hop node in the overall lookup procedure, in which case the lookup continues from that next hop. In addition, every authentication center has an authentication registration table, which holds the authentication information of the user terminals it is responsible for. The authentication information of a user terminal is used for fast authentication lookups in the switching authentication procedure and mainly comprises the access identifier, identity label, digital certificate and registration time of the user terminal; the identity labels held by an authentication center are smaller than its own node identifier and larger than the node identifier of its predecessor.
The first column of the routing table shown in Fig. 6 is the start point (start), the second column is the interval (interval) and the third column is the successor (successor). For example, the second entry of the routing table of node 0 (that is, the second row, counting the header as row 0) indicates that the successor of a user terminal whose user identifier falls in the interval [2, 4) starting at 2 (including 2 and excluding 4) is 3; in other words, from the second row of this routing table it can be determined that node 3 stores, or will store, the registration information of the user terminals whose user identifiers are 2 and 3.
Storage procedure for the identity label of a user terminal:
In other words, every authentication center in the Chord ring maintains a Finger table whose i-th entry holds the successor information for the user terminal at distance 2^(i-1) from this node (1 ≤ i ≤ m, m = log₂ N). Thus the authentication centers in the Chord ring together store the successors of all user terminals. In the present embodiment, the identifiers of the authentication centers at nodes 0, 1, 3 and 6 of the Chord ring are assumed to be 0, 1, 3 and 6 respectively. According to the Chord algorithm, node (authentication center) 0 stores the authentication registration information of the user terminals with identity labels 7 and 0, node 1 stores that of the user terminal with identity label 1, and likewise node 3 stores that of the user terminals with identity labels 2 and 3 and node 6 stores that of the user terminals with identity labels 4, 5 and 6. When a user terminal requests access to access network 900A, which is managed by node (authentication center) 0, suppose that node 0 issues the identity label value 2 to user terminal 100A. After node 0 receives the confirmation of the identity label from user terminal 100A, it queries its own Finger table. Referring to Fig. 6, the second entry (second row) of node 0's Finger table shows that the authentication registration information of the user terminal with identity label 2 is stored in authentication center 3. Node 0 then sends the authentication registration information of user terminal 100A to node 3; this information mainly comprises the access identifier, identity label, digital certificate and access registration time of user terminal 100A. Node 3 stores the authentication registration information of user terminal 100A, which completes the storage procedure for the identity label.
Lookup procedure for the identity label of a user terminal:
After node 1 (authentication center 1) receives packet X, it decrypts the identity label Id-Sig and, according to the Chord algorithm, looks up the authentication registration information of user terminal 100A in the Chord ring using Id-Sig. As shown in Fig. 6, in the Chord ring structure node 0 is responsible for access control of access network 900A and authentication center 1 is responsible for access control of access network 900B. When user terminal 100A moves from access network 900A to access network 900B, it first sends packet X to node 1 (authentication center 1). Suppose authentication center 1 decrypts the identity label of the user terminal as 2; it then searches its own Finger table and finds that the authentication registration information of the user terminal with identity label 2 is stored in authentication center 3, so authentication center 1 sends a request for the authentication registration information to authentication center 3. After authentication center 3 receives the request, it sends the authentication registration information of user terminal 100A to authentication center 1, which completes the lookup procedure.
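The storage and lookup procedures just described, as an added example that is not part of the patent's own text: a Chord ring with m = 3 and nodes 0, 1, 3 and 6 as in Fig. 6, Finger tables built by the start/interval/successor rule, label 2 filed via node 0 and resolved from node 1 (the same resolution that authentication center 400E performs in step 2 of the switching authentication procedure). The functions successor, finger_table, lookup, store_registration and fetch_registration and the record contents are this example's own assumptions.

```python
M = 3                  # identifier bits; Fig. 6 uses m = 3
RING = 2 ** M          # N = 2^m = 8 positions on the ring
NODES = [0, 1, 3, 6]   # node identifiers of the four authentication centres in Fig. 6


def in_interval(x: int, lo: int, hi: int) -> bool:
    """True if x lies in (lo, hi] going clockwise around the ring (wraps past 2^m - 1)."""
    if lo < hi:
        return lo < x <= hi
    return x > lo or x <= hi


def successor(key: int, nodes=NODES) -> int:
    """Owner of `key`: the first node clockwise at or after it (labels in (pred, node] belong to node)."""
    return next((n for n in sorted(nodes) if n >= key), min(nodes))


def predecessor(node: int, nodes=NODES) -> int:
    ordered = sorted(nodes)
    return ordered[ordered.index(node) - 1]      # index -1 wraps to the largest identifier


def finger_table(node: int, nodes=NODES):
    """Rows (start, (start, end), successor) for i = 1..m, the routing table of Fig. 6."""
    rows = []
    for i in range(1, M + 1):
        start = (node + 2 ** (i - 1)) % RING
        end = (node + 2 ** i) % RING
        rows.append((start, (start, end), successor(start, nodes)))
    return rows


def lookup(start_node: int, key: int, nodes=NODES):
    """Resolve which authentication centre holds identity label `key`, starting at `start_node`.
    The row whose interval contains the key names either the owner or the next hop, as the
    text explains; returns (owner, list of nodes visited)."""
    n, path = start_node, [start_node]
    while not in_interval(key, predecessor(n, nodes), n):      # n owns keys in (pred(n), n]
        for start, (lo, hi), succ in finger_table(n, nodes):
            if in_interval(key, (lo - 1) % RING, (hi - 1) % RING):  # key in [lo, hi)
                n = succ
                break
        path.append(n)
    return n, path


def store_registration(issuer: int, label: int, record: dict, tables: dict) -> int:
    """Storage procedure: the issuing centre routes the terminal's registration record to the
    centre responsible for the label, which files it in its authentication registration table."""
    owner, _ = lookup(issuer, label)
    tables.setdefault(owner, {})[label] = record
    return owner


def fetch_registration(requester: int, label: int, tables: dict):
    """Lookup procedure run by the new access network's centre during switching authentication."""
    owner, path = lookup(requester, label)
    return tables.get(owner, {}).get(label), path


def example() -> dict:
    """Constructed walk-through of the Fig. 6 numbers: node 0 issues label 2, node 1 looks it up."""
    tables: dict = {}
    record = {"AID": "AID_a (constructed)", "Cert": "Cert_a (constructed)", "registered": "T_s"}
    owner = store_registration(0, 2, record, tables)
    found, path = fetch_registration(1, 2, tables)
    return {"owner": owner, "found": found, "path": path, "table0": finger_table(0)}
```

lookup follows the page's interval rule rather than the textbook closest-preceding-finger step, so a Finger row may name the owner or only a next hop; each hop moves strictly closer to the key, and the returned path shows how many authentication centers were consulted, which is the quantity that bounds the handover latency.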
Although the invention has been described with reference to exemplary embodiments, it should be understood that the invention is not limited to the disclosed exemplary embodiments. The scope of the claims is to be given the broadest interpretation so as to encompass all modifications and equivalent structures and functions.
For example, the number of nodes in the present invention is not restricted to 4, 6 or 8 and may be any positive integer.
As can be seen from the above embodiments, in practice the present invention can be implemented as a network authentication method, a network authentication system, or an authentication device in a network system.
As another example, the Chord ring need not consist only of authentication centers; any other related network devices may form the Chord ring together with the authentication centers.
As a further example, the authentication centers in the virtual Chord ring may also have different digital certificates and public/private key pairs, as long as each authentication center is able to know the public/private key pairs of all the authentication centers.

Claims (10)

1. A network authentication method for an identifier separating mapping network, characterized in that the authentication devices in the core network of the identifier separating mapping network are arranged in a virtual Chord ring, wherein,
when a user terminal in a state of not being connected to the network requests connection to the network, the following steps are performed to complete authentication: two-way authentication is carried out between the user terminal and the authentication device corresponding to the access network to be accessed; the authentication device issues the identity label of the user terminal to the user terminal; the authentication device stores the identity label of the user terminal in one of the authentication devices in the Chord ring determined according to the Chord algorithm; and
when the user terminal requests to switch from a state of accessing the network through one access network to a state of accessing the network through another access network, the following steps are performed to complete authentication: the user terminal sends an authentication request to the authentication device corresponding to the other access network, the authentication request comprising the identity label of the user terminal; the authentication device corresponding to the other access network determines, according to the Chord algorithm, the authentication device in the Chord ring that has stored the authentication registration information of the user terminal, and obtains the authentication registration information of the user terminal from that authentication device.
2. The network authentication method for an identifier separating mapping network according to claim 1, characterized in that each authentication device in the virtual Chord ring has a node identifier, and the virtual Chord ring is formed by the plurality of authentication devices ordered by their respective node identifiers.
3. The network authentication method for an identifier separating mapping network according to claim 2, characterized in that the node identifier is obtained by hashing the switching-routing identifier of the authentication center itself.
4. The network authentication method for an identifier separating mapping network according to claim 1, characterized in that each authentication device in the virtual Chord ring corresponds one-to-one with an access network in the identifier separating mapping network, and each authentication device is responsible for authenticating the user terminals that request access in its corresponding access network.
5. The network authentication method for an identifier separating mapping network according to claim 1, characterized in that, when the two-way authentication is carried out, the authentication device corresponding to the access network to be accessed issues the identity label to the user terminal.
6. The network authentication method for an identifier separating mapping network according to claim 1, characterized in that all authentication centers in the virtual Chord ring have the same digital certificate and public/private key pair.
7. The network authentication method for an identifier separating mapping network according to claim 4, characterized in that each authentication device in the virtual Chord ring has a routing table, and the routing table stores, for the user terminal closest to it at a distance of at least 2^(i-1) nodes after it, the information on which authentication device in the virtual Chord ring the authentication registration information of that user terminal is stored in or should be stored in, where m = log₂ N, i is an integer with 1 ≤ i ≤ m, and N is the total number of authentication nodes in the virtual Chord ring.
8. The network authentication method for an identifier separating mapping network according to claim 5, characterized in that the information on which authentication device in the virtual Chord ring the authentication registration information of the user terminal closest to it at a distance of at least 2^(i-1) nodes after it is stored in or should be stored in is the node identifier of the authentication device that has stored the authentication registration information of the corresponding user terminal.
9. An authentication device for an identifier separating mapping network, characterized in that the authentication device is arranged in a virtual Chord ring, wherein,
when a user terminal in a state of not being connected to the network requests connection to the access network for whose authentication the authentication device is responsible, the authentication device performs the following steps to complete authentication: carrying out two-way authentication with the user terminal; issuing the identity label of the user terminal to the user terminal; storing the identity label of the user terminal in one of the authentication devices in the Chord ring determined according to the Chord algorithm; and
when the user terminal switches from a state of accessing the network through the access network for which the authentication device is responsible to a state of accessing the network through an access network for which another authentication device is responsible, the other authentication device performs the following steps to complete authentication: receiving the authentication request sent by the user terminal, the authentication request comprising the identity label of the user terminal; determining, according to the Chord algorithm, the authentication device in the Chord ring that has stored the authentication registration information of the user terminal, and obtaining the authentication registration information of the user terminal from that authentication device.
10. A network authentication system based on the identifier separating mapping network architecture, characterized in that, in the network authentication system, the authentication device according to claim 9 is used to authenticate user terminals requesting access to the network.
CN 201010221126 2010-06-28 2010-06-28 Network authentication method, device and system for identifying separate mapping network Expired - Fee Related CN101895535B (en)

Publications (2)

Publication Number Publication Date
CN101895535A true CN101895535A (en) 2010-11-24
CN101895535B CN101895535B (en) 2012-12-26

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121226

Termination date: 20180628
