CN102025769A - Access method of distributed internet - Google Patents

Access method of distributed internet

Info

Publication number
CN102025769A
Authority
CN
China
Prior art keywords
server
terminal
nat
authentication
address
Prior art date
Legal status
Granted
Application number
CN2010102812142A
Other languages
Chinese (zh)
Other versions
CN102025769B (en)
Inventor
贾维嘉
张历卓
沈平
周磊
Current Assignee
Shenzhen Research Institute of CityU
Original Assignee
Shenzhen Research Institute of CityU
Priority date
Filing date
Publication date
Application filed by Shenzhen Research Institute of CityU
Priority to CN 201010281214
Publication of CN102025769A
Application granted
Publication of CN102025769B
Legal status: Active (current)
Anticipated expiration

Abstract

The invention provides a distributed internet access method based on password mutual authentication. The method comprises the following steps: detecting, with a plurality of servers, the NAT (Network Address Translator) type of the network in which the terminal is located; then requesting the query server list from a proxy server; and finally transmitting an authentication request to a query server and, once authentication succeeds, acquiring the public network IP (Internet Protocol) addresses and ports of the terminals registered at the current query server, thereby completing the access process. By adopting a distributed query scheme the method reduces the load on the servers and improves query efficiency and system stability. In addition, the invention can prevent the query servers from being attacked by illegal terminals.

Description

Distributed internet access method
Technical field
The present invention relates to network communication technology, and specifically to a distributed internet access method based on password mutual authentication.
Background technology
The wide spread of Internet technology has made public IP addresses scarce, class C addresses in particular. IP addresses are currently allocated in two main ways. The first is dial-up: when a home terminal dials up over ADSL, the telecom operator dynamically assigns it a public IP address. The second is the allocation of a fixed public IP address, which is mainly used within enterprises. Either way, the limited pool of class C public IP addresses cannot meet the demand from terminals, so network address translation has become inevitable.
Network address translation (NAT) is a technique in which, when a terminal in a private network communicates with a terminal that has a public address, the router or firewall rewrites the source or destination IP address of the IP packets passing through it. It is commonly used to let multiple hosts on a private network communicate with hosts that have public IP addresses. A NAT device maintains a mapping between public IP addresses and private IP addresses.
Although NAT solves communication between public-network terminals and private-network terminals well, it also prevents terminals in two different private networks from communicating directly, because neither terminal can learn the other's mapping on its NAT. Existing technology for communication between terminals in private networks is mainly UDP-based NAT traversal, for example Chinese patent application 200410006287.5, "Method for private-network users to access the public network". Its solution sets up an address-mapping server on the public network; terminals in private networks register with that server and obtain from it the public-network exit address and port, after NAT, of terminals in other private networks.
The prior art has the following defects:
1. Concentrating queries on a single server wastes a large amount of bandwidth, increases the server load, and increases the number of mapping entries in the NAT, lowering query efficiency;
2. A network interruption at the master server causes the whole query service to fail;
3. The query server is easily attacked by illegal terminals.
Summary of the invention
The objective of the invention is to propose a distributed internet access method based on password mutual authentication.
The technical scheme proposed by the present invention is: use multiple servers to detect the NAT (network address translation) type of the network the terminal is currently in; then request the query server list from the proxy server; finally send a registration request to a query server and, after successful registration, obtain the public IP addresses and ports of the other terminals registered at the current query server, thereby completing the access process.
The distributed internet access method proposed by the present invention comprises the following steps:
Step 1: Determine the network address translation (NAT) type. The terminal sends a request to a STUN server asking for its own address after NAT mapping. If no reply is received from the server, the terminal's NAT type is taken to be Blocked. If a reply is received and the returned address equals the local address, there is no NAT and the method proceeds to step 5; otherwise there is a NAT and the method proceeds to step 2;
Step 2: The terminal sends a request to the STUN server asking it to reply from a different IP address and port. If no reply arrives from the other IP address, the request is considered blocked by the NAT in front of the terminal, and the method proceeds to step 3. If a reply arrives, the NAT type of the network is Full Cone, and the method proceeds to step 5;
Step 3: The terminal sends a request to another IP address of the STUN server, asking for its own address after NAT mapping, and compares the result with the earlier one. If the addresses differ, the NAT type is Symmetric NAT and the method proceeds to step 4; if they are the same, the NAT type is Restricted NAT and the method proceeds to step 5;
Step 4: The terminal applies a port prediction algorithm: it sends two STUN requests to two IP addresses of the STUN server (IP1, IP2), predicts its public address and port behind the NAT from the STUN server's responses, and then proceeds to step 5;
Step 5: The terminal sends the proxy server a request for the server list. The server list means the group of servers with public IP addresses distributed across the Internet. The proxy server processes the request and returns the server list;
Step 6: The terminal uses the returned server list to communicate with other terminals in a given private network.
A password mutual authentication step may also be included between step 5 and step 6:
Step 51: The terminal queries the server list and sends an authentication request to the target server; the target server verifies the terminal using the password and ID information the terminal submits, and returns the authentication result;
Step 52: If verification passes, the target server processes the terminal's request to query all NAT exit IP addresses and ports in the private-network region it is responsible for; if verification fails, the target server refuses to provide further service to the terminal.
The flow by which the terminal initiates mutual authentication with the target server comprises the following steps:
Step 511: The terminal sends a registration request to the target server, carrying its own terminal identity IDc;
Step 512: The target server responds to the registration request, generates a random number Rs, and sends its own identity IDs together with Rs;
Step 513: The terminal receives, parses and checks the feedback, generates a random number Rc, computes the terminal's hash value (HMACc), and sends both parties' identities, the pair of random numbers and the verification data HMACc to the target server;
Step 514: The target server receives, parses and checks the feedback, derives the session key KM and the encryption key EK, finally computes the target server's hash value (HMACs), looks up the terminal's permissions, and sends IDs, IDc, Rs, Rc and HMACs to the terminal;
Step 515: After receiving the feedback, the terminal parses and verifies it, derives the session key material KM, then uses KM to derive the encryption key EK, and the authentication process ends.
Compared with the prior art, the present invention has the following advantages:
1. A distributed query scheme reduces the server load and improves query efficiency;
2. Multiple servers provide the service, improving system stability;
3. A password-based mutual authentication mode prevents the query servers from being attacked by illegal terminals.
Description of drawings
The present invention is described in detail below with reference to the drawings and a preferred embodiment, in which:
Fig. 1 is the topology diagram of the distributed internet access network proposed by the present invention;
Fig. 2 is the terminal authentication flow chart;
Fig. 3 is the flow chart of the distributed internet access method proposed by the present invention.
Embodiment
Fig. 1 is the topology diagram of the distributed internet access network proposed by the present invention. In the present invention:
Proxy Server refers to the proxy server. Server A and Server B are target servers.
PG_A, PG_B, PG_C and PG_D refer to terminals located on private networks or on the public network.
The STUN server is used for firewall traversal; it lets a terminal learn its public address, the NAT type of the network it is in, and the port of its public-network exit.
NAT refers to network address translation.
Detecting the network's NAT type means sending request packets to a STUN server that has a public IP address; the terminal judges the NAT type of the private network it is currently in from the IP address and port carried in the STUN server's reply messages.
Legal terminals are terminals that, whether inside a private network having completed NAT traversal or holding a public IP address, must pass the query server's authentication before they can obtain the corresponding query service.
A query server is a server that stores the post-NAT IP addresses and ports of all private-network terminals that have completed NAT traversal, together with the IP addresses and ports of public-network terminals. All such servers register with the proxy server and maintain a constant heartbeat connection to it.
The distributed internet access method means that many query servers are distributed over the public network, and these query servers simultaneously provide the query service to legal terminals.
Password-based mutual authentication means that the terminal uses its own password to initiate an authentication request to the query server. If authentication passes, the terminal can query the information of other registered terminals; otherwise the query server refuses to serve that terminal.
Mutual authentication means that after the terminal initiates an authentication request, the query server must verify the ID information, password and authentication code (HMAC) the terminal provides, and the terminal must verify the authentication result the query server feeds back, which mainly consists of the server ID information, a random number and an HMAC value. After both directions have been verified, the terminal finally generates the session key KM.
The distributed internet access method based on password mutual authentication proposed by the present invention consists mainly of three parts:
1. The terminal uses multiple servers to detect the NAT (network address translation) type of the network it is currently in;
2. The terminal requests the query server list from the proxy server, then sends an authentication request to the target server and performs mutual authentication;
3. After authentication succeeds, the terminal obtains the public IP addresses and ports of the other terminals registered at the current query server, thereby completing the access process.
In a preferred embodiment of the present invention, the implementation steps are specifically as follows:
Step 1: As shown in Fig. 1 and Fig. 3, when terminal A needs to connect to a public-network terminal PG_A, it first detects the NAT type of the network it is in. The terminal sends a request to the STUN server asking for its own address after NAT mapping. If no reply is received from the server, UDP is taken to be blocked by a firewall, communication is impossible, and the NAT type is Blocked. If a reply is received and the returned address equals the local address, there is no NAT and the method proceeds to step 5; otherwise there is a NAT and the method proceeds to step 2;
Step 2: Terminal A sends a request to the STUN server asking it to reply from a different IP address and port (PORT). If no reply arrives from the other IP address, the request is considered blocked by the NAT in front of the terminal, and the method proceeds to step 3. If a reply arrives, the NAT type of the network is Full Cone NAT, and the method proceeds to step 5;
Step 3: Terminal A sends a request to another IP address of the STUN server, asking for its own address after NAT mapping, and compares the result with the earlier one. If the addresses differ, the NAT type is Symmetric NAT and the method proceeds to step 4; if they are the same, the NAT type is Restricted NAT and the method proceeds to step 5;
Step 4: When step 3 has determined that the NAT type is Symmetric NAT, the terminal applies the port prediction algorithm: it sends two STUN requests to two IP addresses of the STUN server (IP1, IP2), predicts its public address and port behind the NAT from the STUN server's responses, and then proceeds to step 5;
Step 5: Terminal A sends the proxy server (Proxy Server) a request for the server list. The server list means the group of servers with public IP addresses distributed across the Internet. The proxy server processes the request and returns the server list;
Step 51: Terminal A queries the server list and sends an authentication request to target server Server A. Server A verifies terminal A using the password and ID information the terminal submits, and returns the authentication result;
Step 52: Following step 51, if verification passes, Server A processes terminal A's request to query all NAT exit IP addresses and ports in the private-network region it is responsible for; if verification fails, Server A refuses to provide further service to terminal A;
Step 6: Using the result of step 52, terminal A can use the query result fed back by Server A to communicate with other terminals in a given private network, thereby achieving distributed internet access.
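The NAT-type decision tree of steps 1 to 4 (stated in the summary above and repeated in this embodiment) is easier to check when written as code. The following is an added example, not code from the patent: the `StunProbe` interface, the `classify_nat` function and the `simulated_nat` model are this example's own constructions. The patent does not specify the port prediction algorithm of step 4, so `predict_symmetric_mapping` assumes a NAT that allocates ports sequentially and extrapolates from two observed mappings; real STUN traffic is replaced by a constructed NAT model so the example runs offline.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple

Addr = Tuple[str, int]


class NatType(Enum):
    BLOCKED = "Blocked"
    NO_NAT = "No NAT"
    FULL_CONE = "Full Cone NAT"
    RESTRICTED = "Restricted NAT"
    SYMMETRIC = "Symmetric NAT"


@dataclass
class StunProbe:
    """The two kinds of STUN request the method uses (assumed interface).

    mapped_from(server_ip): ask the STUN server at server_ip for our address
        after NAT mapping; None means no reply arrived (steps 1 and 3).
    reply_from_other_ip(): ask the server to answer from a different IP and
        port; True if that answer arrives (step 2).
    """
    mapped_from: Callable[[str], Optional[Addr]]
    reply_from_other_ip: Callable[[], bool]


def predict_symmetric_mapping(m1: Addr, m2: Addr) -> Addr:
    """Step 4 port prediction. The patent names no algorithm; this assumes the
    NAT hands out ports sequentially and extrapolates the next one."""
    delta = m2[1] - m1[1]
    return (m2[0], m2[1] + delta)


def classify_nat(local: Addr, probe: StunProbe, ip1: str, ip2: str):
    """Steps 1-4 of the method. Returns (NAT type, address to register)."""
    mapped1 = probe.mapped_from(ip1)                  # step 1
    if mapped1 is None:
        return NatType.BLOCKED, None                  # UDP blocked by a firewall
    if mapped1 == local:
        return NatType.NO_NAT, local                  # no NAT: straight to step 5
    if probe.reply_from_other_ip():                   # step 2
        return NatType.FULL_CONE, mapped1
    mapped2 = probe.mapped_from(ip2)                  # step 3
    if mapped2 is None:
        return NatType.BLOCKED, None                  # not covered by the text; treated as blocked
    if mapped2 != mapped1:                            # step 4
        return NatType.SYMMETRIC, predict_symmetric_mapping(mapped1, mapped2)
    return NatType.RESTRICTED, mapped1


def simulated_nat(kind: NatType, local: Addr, public_ip: str = "203.0.113.7") -> StunProbe:
    """Constructed NAT model (not from the patent) used to exercise classify_nat."""
    per_destination = {}
    next_port = [40000]

    def mapped_from(server_ip: str) -> Optional[Addr]:
        if kind is NatType.BLOCKED:
            return None
        if kind is NatType.NO_NAT:
            return local
        if kind is NatType.SYMMETRIC:
            # a fresh mapping for every destination, ports handed out in order
            if server_ip not in per_destination:
                per_destination[server_ip] = (public_ip, next_port[0])
                next_port[0] += 1
            return per_destination[server_ip]
        return (public_ip, 40000)                     # cone NATs reuse one mapping

    def reply_from_other_ip() -> bool:
        # only a full-cone NAT lets a packet from an unsolicited source IP through
        return kind is NatType.FULL_CONE

    return StunProbe(mapped_from, reply_from_other_ip)


def classify_all(local: Addr = ("10.0.0.5", 5000),
                 ip1: str = "198.51.100.1", ip2: str = "198.51.100.2"):
    """Run the classifier against every simulated NAT kind (constructed addresses)."""
    return {kind: classify_nat(local, simulated_nat(kind, local), ip1, ip2) for kind in NatType}


if __name__ == "__main__":
    for kind, (detected, addr) in classify_all().items():
        print(f"{kind.value:16} -> {detected.value:16} register as {addr}")
```

The classifier returns, together with the NAT type, the address the terminal would register with a query server in step 5; for the symmetric case that address is the step 4 prediction, which a deployment should treat as a guess to be confirmed rather than a fact.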
With reference to Fig. 2, the steps by which terminal A initiates mutual authentication with target server Server A are as follows:
Step 511: Client -> Server: Register(IDc). The terminal sends a registration request to the server, carrying its own terminal identity IDc;
Step 512: Server -> Client: IDs, Rs. The server responds to the terminal's registration request, generates a random number Rs, and sends its own identity IDs together with Rs;
Step 513: Client -> Server: IDc, IDs, Rc, Rs, HMACc (terminal verification data). The terminal receives, parses and checks the information from step 512, generates a random number Rc, computes the terminal's hash value HMACc, and sends both parties' identities, the pair of random numbers and the verification data (HMACc) to the server;
Step 514: Server -> Client: IDs, IDc, Rs, Rc, HMACs (the target server's hash value). The server receives, parses, checks and verifies the information from step 513, derives the session key KM and the encryption key EK, finally computes HMACs, looks up the terminal's permissions, and sends IDs, IDc, Rs, Rc and HMACs to the terminal.
Step 515: After receiving the information from step 514, the terminal parses and verifies it (the HMAC function used here is specified as HMAC-SHA1-96), derives the session key material KM, then uses KM to derive the encryption key EK, and the authentication process ends.
Where:
K = H(PW), where PW is the password and K is the value of the password after hashing;
HMACs = HMAC_K(IDs, IDc, Rs, Rc);
HMACc = HMAC_K(IDc, IDs, Rc, Rs);
KM = H(K, Rs, Rc);
EK = H(KM, "ENCRYPTION"), where EK is 16 bytes and ENCRYPTION is a salt value, which may also be empty.
Information verification in the present invention computes the authentication code (HMAC) value of all feedback information with the SHA1 hash function, and judges whether verification passes by whether the HMAC values match.
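Steps 511 to 515 and the formulas above can be run end to end as a small two-party exchange. The following is an added example and not the patent's own code: the `QueryServer` and `Terminal` classes, the length-prefixed `encode` of message fields, the use of `os.urandom` for Rs and Rc, and the truncation of H(KM, "ENCRYPTION") to its first 16 bytes are all this example's assumptions. H is instantiated as SHA-1 and HMAC_K as HMAC-SHA1 truncated to 96 bits, as the text specifies; the server keeps only K = H(PW), never the password itself, and consumes each Rs it issued so a replayed step 513 is refused.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

Msg514 = Tuple[bytes, bytes, bytes, bytes, bytes]   # IDs, IDc, Rs, Rc, HMACs


def encode(*parts: bytes) -> bytes:
    """Length-prefix every field so (IDc, IDs, Rc, Rs) cannot be re-split into
    a different message. The patent names no encoding; this is an assumption."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def H(*parts: bytes) -> bytes:
    """H() of the patent, instantiated as SHA-1 (the hash the text names)."""
    return hashlib.sha1(encode(*parts)).digest()


def hmac_k(k: bytes, *parts: bytes) -> bytes:
    """HMAC_K of the patent: HMAC-SHA1 truncated to 96 bits (HMAC-SHA1-96)."""
    return hmac.new(k, encode(*parts), hashlib.sha1).digest()[:12]


def derive_keys(k: bytes, rs: bytes, rc: bytes, salt: bytes = b"ENCRYPTION") -> Tuple[bytes, bytes]:
    """KM = H(K, Rs, Rc); EK = H(KM, "ENCRYPTION") cut to the 16 bytes the text specifies."""
    km = H(k, rs, rc)
    return km, H(km, salt)[:16]


class QueryServer:
    def __init__(self, ids: bytes, passwords: Dict[bytes, bytes]):
        self.ids = ids
        # only K = H(PW) is kept per terminal; the plaintext password is not stored
        self.keys = {idc: H(pw) for idc, pw in passwords.items()}
        self.pending: Dict[bytes, bytes] = {}        # IDc -> Rs issued in step 512
        self.session_keys: Dict[bytes, bytes] = {}   # IDc -> EK after a successful step 514

    def step512(self, idc: bytes) -> Tuple[bytes, bytes]:
        rs = os.urandom(16)
        self.pending[idc] = rs
        return self.ids, rs

    def step514(self, idc, ids, rc, rs, hmacc) -> Optional[Msg514]:
        """Verify HMACc; answer with HMACs, or None to refuse further service (step 52)."""
        k = self.keys.get(idc)
        # pop() consumes the nonce, so a replay of the same step 513 is refused
        if k is None or ids != self.ids or self.pending.pop(idc, None) != rs:
            return None
        if not hmac.compare_digest(hmac_k(k, idc, ids, rc, rs), hmacc):
            return None
        _, self.session_keys[idc] = derive_keys(k, rs, rc)
        return ids, idc, rs, rc, hmac_k(k, ids, idc, rs, rc)


class Terminal:
    def __init__(self, idc: bytes, password: bytes):
        self.idc, self.k, self.ek = idc, H(password), None

    def step511(self) -> bytes:
        return self.idc

    def step513(self, ids: bytes, rs: bytes):
        self.ids, self.rs, self.rc = ids, rs, os.urandom(16)
        return self.idc, ids, self.rc, rs, hmac_k(self.k, self.idc, ids, self.rc, rs)

    def step515(self, msg: Optional[Msg514]) -> bool:
        """Check the server's HMACs before trusting anything it later feeds back."""
        if msg is None:
            return False
        ids, idc, rs, rc, hmacs = msg
        if (ids, idc, rs, rc) != (self.ids, self.idc, self.rs, self.rc):
            return False
        if not hmac.compare_digest(hmac_k(self.k, ids, idc, rs, rc), hmacs):
            return False
        _, self.ek = derive_keys(self.k, rs, rc)
        return True


def run_exchange(term: Terminal, srv: QueryServer) -> bool:
    """Drive steps 511-515 in order; True only when both sides accept each other."""
    ids, rs = srv.step512(term.step511())
    return term.step515(srv.step514(*term.step513(ids, rs)))


if __name__ == "__main__":
    # constructed identities and password, used only to exercise the exchange
    server = QueryServer(b"ServerA", {b"PG_A": b"correct horse battery"})
    print("legal terminal:", run_exchange(Terminal(b"PG_A", b"correct horse battery"), server))
    print("wrong password:", run_exchange(Terminal(b"PG_A", b"guess"), server))
```

Because both HMACs bind the identities and both nonces, a terminal that does not know PW cannot produce an acceptable HMACc, and a server that does not hold K cannot produce an HMACs the terminal will accept; only after both checks pass do the two sides hold the same EK.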
The present invention sets up a proxy server on the public network to look up the public addresses of the other servers, so that terminals access the Internet through a distributed scheme. Using a distributed server group avoids the low query efficiency that results when a large number of terminals access the Internet through the same server. Verifying the terminal's permissions with password-based mutual authentication before the terminal sends query requests to the server both guarantees the legitimacy of the information provided and prevents attacks from illegal terminals.

Claims (4)

1. A distributed internet access method, characterized in that the method comprises the following steps:
Step 1: Determine the network address translation (NAT) type. The terminal sends a request to a STUN server asking for its own address after NAT mapping. If no reply is received from the server, the terminal's NAT type is taken to be Blocked. If a reply is received and the returned address equals the local address, there is no NAT and the method proceeds to step 5; otherwise there is a NAT and the method proceeds to step 2;
Step 2: The terminal sends a request to the STUN server asking it to reply from a different IP address and port. If no reply arrives from the other IP address, the request is considered blocked by the NAT in front of the terminal, and the method proceeds to step 3. If a reply arrives, the NAT type of the network is Full Cone, and the method proceeds to step 5;
Step 3: The terminal sends a request to another IP address of the STUN server, asking for its own address after NAT mapping, and compares the result with the earlier one. If the addresses differ, the NAT type is Symmetric NAT and the method proceeds to step 4; if they are the same, the NAT type is Restricted NAT and the method proceeds to step 5;
Step 4: The terminal applies a port prediction algorithm: it sends two STUN requests to two IP addresses of the STUN server (IP1, IP2), predicts its public address and port behind the NAT from the STUN server's responses, and then proceeds to step 5;
Step 5: The terminal sends the proxy server a request for the server list. The server list means the group of servers with public IP addresses distributed across the Internet. The proxy server processes the request and returns the server list;
Step 6: The terminal uses the returned server list to communicate with other terminals in a given private network.
2. The method according to claim 1, characterized in that it further comprises a password mutual authentication step between step 5 and step 6:
Step 51: The terminal queries the server list and sends an authentication request to the target server; the target server verifies the terminal using the password and ID information the terminal submits, and returns the authentication result;
Step 52: If verification passes, the target server processes the terminal's request to query all NAT exit IP addresses and ports in the private-network region it is responsible for; if verification fails, the target server refuses to provide further service to the terminal.
3. The method according to claim 2, characterized in that the password mutual authentication computes the authentication code (HMAC) value of all feedback information with the SHA1 hash function, and judges whether verification passes by whether the HMAC values match.
4. The method according to claim 3, characterized in that the flow by which the terminal initiates mutual authentication with the target server comprises the following steps:
Step 511: The terminal sends a registration request to the target server, carrying its own terminal identity IDc;
Step 512: The target server responds to the registration request, generates a random number Rs, and sends its own identity IDs together with Rs;
Step 513: The terminal receives, parses and checks the feedback, generates a random number Rc, computes the terminal's hash value (HMACc), and sends both parties' identities, the pair of random numbers and the verification data (HMACc) to the target server;
Step 514: The target server receives, parses and checks the feedback, derives the session key KM and the encryption key EK, finally computes the target server's hash value (HMACs), looks up the terminal's permissions, and sends IDs, IDc, Rs, Rc and HMACs to the terminal;
Step 515: After receiving the feedback, the terminal parses and verifies it, derives the session key material KM, then uses KM to derive the encryption key EK, and the authentication process ends.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010281214 CN102025769B (en) 2010-09-10 2010-09-10 Access method of distributed internet

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010281214 CN102025769B (en) 2010-09-10 2010-09-10 Access method of distributed internet

Publications (2)

Publication Number Publication Date
CN102025769A true CN102025769A (en) 2011-04-20
CN102025769B CN102025769B (en) 2013-07-17

Family

ID=43866618

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010281214 Active CN102025769B (en) 2010-09-10 2010-09-10 Access method of distributed internet

Country Status (1)

Country Link
CN (1) CN102025769B (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1694034A1 (en) * 2005-02-16 2006-08-23 Alcatel Method to establish a peer-to-peer connection between two user agents located behind symmetric NATs
CN101557388A (en) * 2008-04-11 2009-10-14 中国科学院声学研究所 NAT traversing method based on combination of UPnP and STUN technologies
CN101321128A (en) * 2008-06-27 2008-12-10 中国科学院计算技术研究所 Communication equipment, communication network system and communication method

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102333029A (en) * 2011-06-23 2012-01-25 北京新媒传信科技有限公司 Routing method in server cluster system
CN102333029B (en) * 2011-06-23 2014-04-16 北京新媒传信科技有限公司 Routing method in server cluster system
CN106095977A (en) * 2016-06-20 2016-11-09 环球大数据科技有限公司 The distributed approach of a kind of data base and system
CN106331074A (en) * 2016-08-17 2017-01-11 上海斐讯数据通信技术有限公司 Authentication switching method
CN106331074B (en) * 2016-08-17 2019-09-13 上海斐讯数据通信技术有限公司 A kind of certification switching method
CN111314481A (en) * 2020-02-27 2020-06-19 腾讯科技(深圳)有限公司 Data transmission method, device, equipment and readable storage medium
CN111314481B (en) * 2020-02-27 2021-08-24 腾讯科技(深圳)有限公司 Data transmission method, device, equipment and readable storage medium
CN114286420A (en) * 2021-12-21 2022-04-05 深圳创维数字技术有限公司 Gateway locking method, device, server and medium based on PON technology
CN114286420B (en) * 2021-12-21 2023-09-05 深圳创维数字技术有限公司 PON technology-based gateway locking method, device, server and medium
CN114900502A (en) * 2022-05-17 2022-08-12 北京奇艺世纪科技有限公司 Network registration method and device, electronic equipment and readable storage medium
CN114900502B (en) * 2022-05-17 2024-02-27 北京奇艺世纪科技有限公司 Network registration method, device, electronic equipment and readable storage medium

Also Published As

Publication number Publication date
CN102025769B (en) 2013-07-17

Similar Documents

Publication Publication Date Title
US9131026B2 (en) Method and system for establishing media channel based on relay
CN109561066B (en) Data processing method and device, terminal and access point computer
US8295285B2 (en) Method and apparatus for communication of data packets between local networks
CN101127600B (en) A method for user access authentication
CN102025769B (en) Access method of distributed internet
US9882897B2 (en) Method and system for transmitting and receiving data, method and device for processing message
ITTO20070853A1 (en) AUTHENTICATION METHOD FOR USERS BELONGING TO DIFFERENT ORGANIZATIONS WITHOUT DUPLICATION OF CREDENTIALS
US9369873B2 (en) Network application function authorisation in a generic bootstrapping architecture
CN103701700A (en) Node discovering method and system in communication network
US8769623B2 (en) Grouping multiple network addresses of a subscriber into a single communication session
US10205757B2 (en) Communications methods, apparatus and systems for correlating registrations, service requests and calls
Younes Securing ARP and DHCP for mitigating link layer attacks
CN107071075B (en) Device and method for dynamically jumping network address
WO2011006320A1 (en) Attachment method and system with identifier and location splitting in next generation network
CN108599968B (en) Information broadcasting method for urban Internet of things
US11552938B2 (en) Device and method for mediating configuration of authentication information
El Ksimi et al. Towards a new algorithm to optimize IPv6 neighbor discovery security for small objects networks
KR102293195B1 (en) IoT security system according to network hierarchy structure
US20220029973A1 (en) Centralized management of private networks
KR20180099293A (en) Method for communicating between trust domains and gateway therefor
Aiash A novel security protocol for resolving addresses in the location/id split architecture
Aiash et al. Securing address registration in Location/ID split protocol using ID-based cryptography
US20100088748A1 (en) Secure peer group network and method thereof by locking a mac address to an entity at physical layer
WO2013060224A1 (en) Secure connection method, system and network element
KR102307030B1 (en) Internet of Things Communication System with Packet Safety Verification

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant