CN102025769B - Access method of distributed internet - Google Patents

Access method of distributed internet

Info

Publication number: CN102025769B
Authority: CN (China)
Prior art keywords: server, terminal, nat, request, authentication
Legal status (an assumption by Google, not a legal conclusion; no legal analysis was performed): Expired - Fee Related
Application number: CN 201010281214
Other languages: Chinese (zh)
Other versions: CN102025769A (en)
Inventors: 贾维嘉, 张历卓, 沈平, 周磊
Current assignee (the listed assignees may be inaccurate; Google has not performed a legal analysis): Shenzhen Research Institute of CityU
Original assignee: Shenzhen Research Institute of CityU
Priority date (an assumption, not a legal conclusion) and filing date: 2010-09-10
Application filed by Shenzhen Research Institute of CityU; published as CN102025769A on 2011-04-20; granted as CN102025769B on 2013-07-17

Classification

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method of accessing a distributed internet based on password-based two-way authentication. The method comprises: detecting, with a plurality of servers, the NAT (Network Address Translation) type of the network in which the terminal is located; then requesting a query-server list from a proxy server; and finally sending an authentication request to a query server and, after the authentication succeeds, obtaining the public-network IP (Internet Protocol) addresses and ports of the terminals registered at that query server, thereby completing the access procedure. By adopting a distributed query scheme the method reduces the load on the servers and improves query efficiency and system stability. In addition, the method prevents the query servers from being attacked by illegitimate terminals.

Description

Distributed internet access method
Technical field
The present invention relates to network communication technology, and specifically to a distributed internet access method based on password-based two-way authentication.
Background technology
The wide adoption of Internet technology has made public IP addresses scarce, class C addresses in particular. IP addresses are currently allocated in two main ways: by dial-up, where a home terminal connects over ADSL and the carrier dynamically assigns it a public IP address; and by fixed allocation of a public IP address, which is mainly used in enterprises. Either way, the limited pool of class C public IP addresses cannot meet the demand from terminals, so network address translation has become unavoidable.
Network Address Translation (NAT) is a technique whereby, when a terminal in a private network communicates with a terminal that has a public address, the source or destination IP address of each IP packet is rewritten as the packet passes through a router or firewall. It is commonly used to let many hosts in a private network communicate with hosts that hold public IP addresses. The NAT device maintains a mapping between public IP addresses and private IP addresses.
Although NAT solves communication between public-network terminals and private-network terminals well, it also prevents terminals in two different private networks from communicating directly, because neither terminal can learn the other's mapping on its NAT. Existing techniques for communication between terminals in private networks are mainly UDP-based NAT traversal, for example Chinese patent application 200410006287.5, "Method for private-network users to access the public network". Its solution is to set up an address-mapping server in the public network; terminals in private networks register with this server and query it for the public-network exit address and port that terminals in other private networks have been given by their NATs.
The prior art above has the following drawbacks:
1. Concentrating all queries on a single server wastes a great deal of bandwidth, increases the server's load, inflates the number of mapping entries in the NAT and lowers query efficiency;
2. If the master server's network connection is interrupted, the whole query service fails;
3. The query server is easily attacked by illegitimate terminals.
Summary of the invention
The object of the invention is to propose a distributed internet access method based on password-based two-way authentication.
The technical solution proposed by the invention is: use several servers to detect the NAT (network address translation) type of the network the terminal is currently in; then request the query-server list from a proxy server; finally send a registration request to a query server and, once registration succeeds, obtain the public IP addresses and ports of the other terminals registered at that query server, thereby completing the access procedure.
The distributed internet access method proposed by the invention comprises the following steps:
Step 1: determine the network address translation (NAT) type. The terminal sends a request to a STUN server asking for its own address after NAT mapping. If no reply is received from the server, the terminal's NAT type is taken to be Blocked. If a reply is received and the returned address equals the local address, there is no NAT and the method proceeds to step 5; otherwise there is a NAT and the method proceeds to step 2;
Step 2: the terminal sends a request to the STUN server asking it to reply from a different IP address and port. If no reply arrives from the other IP address, the request is taken to have been blocked by the NAT in front of the terminal and the method proceeds to step 3; if a reply arrives, the network's NAT type is Full Cone and the method proceeds to step 5;
Step 3: the terminal sends a request to another IP address of the STUN server asking for its address after NAT mapping and compares it with the earlier result. If the addresses differ, the network's NAT type is Symmetric NAT and the method proceeds to step 4; if they are the same, the NAT type is Restricted NAT and the method proceeds to step 5;
Step 4: the terminal applies a port-prediction algorithm: it sends two STUN requests to two IP addresses of the STUN server (IP1, IP2) and, from the STUN server's responses, predicts its public address and port behind the NAT; it then proceeds to step 5;
Step 5: the terminal sends the proxy server a request for the server list, the server list being the group of servers with public IP addresses distributed across the Internet; the proxy server processes the request and returns the list;
Step 6: using the returned server list, the terminal completes communication with other terminals in a given private network.
Between step 5 and step 6 the method may also include password-based mutual authentication:
Step 51: the terminal looks up the server list and sends an authentication request to a destination server; the destination server verifies the terminal using the password and ID information the terminal submits, and returns the authentication result;
Step 52: if verification succeeds, the destination server processes the terminal's request to query the NAT exit IP addresses and ports of all terminals in the private networks it is responsible for; if verification fails, the destination server refuses to provide any further service to the terminal.
The two-way authentication that the terminal initiates with the destination server comprises the following steps:
Step 511: the terminal sends a registration request to the destination server, carrying its own terminal identity IDc;
Step 512: the destination server responds to the registration request by generating a random number Rs and sending its own identity IDs together with Rs;
Step 513: the terminal receives, parses, checks and verifies the reply, generates a random number Rc, computes the terminal's authentication code HMACc, and sends both identities, the pair of random numbers and the authentication data HMACc to the destination server;
Step 514: the destination server receives, parses, checks and verifies the message, derives the session key KM and from it the encryption key EK, finally computes the destination server's authentication code HMACs, looks up the terminal's privileges and sends IDs, IDc, Rs, Rc and HMACs to the terminal;
Step 515: the terminal receives, parses and verifies the reply, derives the session key material KM and from KM the encryption key EK; the authentication procedure is then complete.
Compared with the prior art, the invention has the following advantages:
1. A distributed query scheme reduces server load and improves query efficiency;
2. Several servers provide the service, improving system stability;
3. Password-based two-way authentication protects the query servers from attack by illegitimate terminals.
Description of drawings
The invention is described in detail below with reference to the drawings and a preferred embodiment, in which:
Fig. 1 is a topology diagram of the distributed internet access network proposed by the invention;
Fig. 2 is the terminal authentication flow chart;
Fig. 3 is the flow chart of the distributed internet access method proposed by the invention.
Embodiment
Fig. 1 is a topology diagram of the distributed internet access network proposed by the invention. In the invention:
Proxy Server denotes the proxy server. Server A and Server B are destination servers.
PG_A, PG_B, PG_C and PG_D denote terminals located in private networks or on the public network.
The STUN server is used for firewall traversal: it lets a terminal learn its public address, the NAT type of the network it is in, and the port of its public-network exit.
NAT denotes network address translation.
Detecting the network's NAT type means sending request packets to a STUN server that has a public IP address; the terminal determines the NAT type of the private network it is currently in from the IP address and port in the STUN server's reply.
A legitimate terminal is one that, whether it is inside a private network and has completed NAT traversal or holds a public IP address, has passed the query server's authentication and may therefore obtain the query service.
A query server stores the post-NAT IP addresses and ports of all private-network terminals that have completed NAT traversal, and the IP addresses and ports of public-network terminals. These servers all register with the proxy server and maintain a heartbeat connection to it.
The distributed internet access method deploys many query servers in the public network; they provide the query service to legitimate terminals concurrently.
Password-based mutual authentication means that the terminal uses its own password to send an authentication request to the query server. If authentication passes, the terminal may query the information of other registered terminals; otherwise the query server refuses to serve that terminal.
Two-way authentication means that, after the terminal sends its authentication request, the query server must verify the ID information, password and authentication code (HMAC) that the terminal provides, and the terminal in turn verifies the authentication result fed back by the query server, mainly the server ID information, random number and HMAC value. After both sides have verified each other, the terminal finally produces the session key KM.
The distributed internet access method based on password-based two-way authentication proposed by the invention consists of three parts:
1. The terminal uses several servers to detect the NAT (network address translation) type of the network it is currently in;
2. The terminal requests the query-server list from the proxy server, then sends an authentication request to a destination server and carries out two-way authentication;
3. After authentication succeeds, the terminal obtains the public IP addresses and ports of the other terminals registered at the current query server, completing the access procedure.
In a preferred embodiment of the invention the implementation steps are as follows:
Step 1: as shown in Figs. 1 and 3, when terminal A needs to connect to a public-network terminal PG_A, it first detects the NAT type of its own network. The terminal sends a request to the STUN server asking for its own address after NAT mapping. If no reply is received, UDP is assumed to be blocked by a firewall and communication is impossible; the NAT type is Blocked. If a reply is received and the returned address equals the local address, there is no NAT and the method proceeds to step 5; otherwise there is a NAT and the method proceeds to step 2;
Step 2: terminal A sends a request to the STUN server asking it to reply from a different IP address and port (PORT). If no reply arrives from the other IP address, the request is taken to have been blocked by the NAT in front of the terminal and the method proceeds to step 3. If a reply arrives, the NAT type of the network is Full Cone NAT and the method proceeds to step 5;
Step 3: terminal A sends a request to another IP address of the STUN server asking for its address after NAT mapping and compares it with the earlier result. If the addresses differ, the network's NAT type is Symmetric NAT and the method proceeds to step 4; if they are the same, the NAT type is Restricted NAT and the method proceeds to step 5;
Step 4: the NAT type having been determined in step 3 to be Symmetric NAT, the terminal applies a port-prediction algorithm: it sends two STUN requests to two IP addresses of the STUN server (IP1, IP2), predicts its public address and port behind the NAT from the STUN server's responses, and then proceeds to step 5;
Step 5: terminal A sends the proxy server (Proxy Server) a request for the server list, i.e. the group of servers with public IP addresses distributed across the Internet. The proxy server processes the request and returns the list;
Step 51: terminal A looks up the server list and sends an authentication request to destination server Server A. Server A verifies terminal A using the password and ID information the terminal submits and returns the authentication result;
Step 52: following step 51, if verification succeeds, Server A processes terminal A's request to query the NAT exit IP addresses and ports of all terminals in the private networks Server A is responsible for; if verification fails, Server A refuses to provide terminal A any further service;
Step 6: following step 52, terminal A uses the query result returned by Server A to communicate with other terminals in a given private network, thereby achieving distributed internet access.
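The NAT classification of steps 1 to 4 above, written out as an added example (it is not code from the patent). The STUN transport is replaced by a constructed FakeNat that answers the three STUN tests the way each NAT type would, so the block runs offline; real code would send STUN Binding Requests over UDP to two STUN server addresses and read the mapped address out of the responses. The addresses are constructed from RFC 5737 documentation ranges. Note that the page's procedure does not distinguish address-restricted from port-restricted cone NATs (both end up as "Restricted"), and it does not say how the port prediction of step 4 is computed; the constant-increment model in predict_port is this example's assumption.

```python
"""NAT-type classification following steps 1-4 of the method described above.

Added example, not code from the patent. FakeNat simulates the NAT in front of
the terminal so the three STUN tests can be run offline.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]

BLOCKED, NO_NAT, FULL_CONE, RESTRICTED, SYMMETRIC = (
    "Blocked", "No NAT", "Full Cone", "Restricted", "Symmetric")

LOCAL: Addr = ("10.0.0.5", 5000)                      # constructed private address of the terminal
STUN_IP1, STUN_IP2 = "203.0.113.1", "203.0.113.2"     # constructed STUN server addresses (IP1, IP2)


@dataclass
class FakeNat:
    """Simulated NAT (or no NAT) in front of the terminal.

    kind       which behaviour to emulate
    public_ip  constructed public exit address
    next_port  next external port the NAT would allocate
    step       per-allocation port increment (models a symmetric NAT's allocator)
    """
    kind: str
    public_ip: str = "198.51.100.7"
    next_port: int = 40000
    step: int = 1
    _maps: Dict[str, Addr] = field(default_factory=dict)

    def _mapping(self, dst_ip: str) -> Optional[Addr]:
        if self.kind == BLOCKED:
            return None                # no STUN reply at all (UDP blocked)
        if self.kind == NO_NAT:
            return LOCAL               # mapped address equals the local address
        # Cone NATs reuse one mapping for every destination; a symmetric NAT
        # allocates a new external port per destination address.
        key = dst_ip if self.kind == SYMMETRIC else "*"
        if key not in self._maps:
            self._maps[key] = (self.public_ip, self.next_port)
            self.next_port += self.step
        return self._maps[key]

    def test_mapped(self, dst_ip: str) -> Optional[Addr]:
        """Steps 1 and 3: ask the STUN server at dst_ip for our mapped address."""
        return self._mapping(dst_ip)

    def test_alt_reply(self, dst_ip: str) -> Optional[Addr]:
        """Step 2: ask the STUN server to answer from a different IP and port.
        Only a full-cone NAT (or no NAT) lets that reply through."""
        mapped = self._mapping(dst_ip)
        if mapped is None or self.kind in (RESTRICTED, SYMMETRIC):
            return None
        return mapped


def predict_port(m1: Addr, m2: Addr) -> Addr:
    """Step 4, port prediction for a symmetric NAT.

    The page only says two requests go to IP1 and IP2 and the public port is
    predicted from the responses; the constant-increment model here is an
    assumption of this example, not the patent's algorithm."""
    delta = m2[1] - m1[1]
    return (m2[0], m2[1] + delta)


def classify(nat: FakeNat) -> Tuple[str, Optional[Addr]]:
    """Return (NAT type, public address the terminal should register)."""
    # Step 1: can we reach the STUN server, and is the mapped address ours?
    m1 = nat.test_mapped(STUN_IP1)
    if m1 is None:
        return BLOCKED, None
    if m1 == LOCAL:
        return NO_NAT, m1
    # Step 2: does a reply from a different IP and port get through?
    if nat.test_alt_reply(STUN_IP1) is not None:
        return FULL_CONE, m1
    # Step 3: does a second STUN address see the same mapping?
    m2 = nat.test_mapped(STUN_IP2)
    if m2 == m1:
        return RESTRICTED, m1
    # Step 4: symmetric NAT, predict the port the next mapping will receive
    return SYMMETRIC, predict_port(m1, m2)


if __name__ == "__main__":
    for kind in (BLOCKED, NO_NAT, FULL_CONE, RESTRICTED, SYMMETRIC):
        print(kind, "->", classify(FakeNat(kind)))
```

Running the block classifies one simulated NAT of each kind; with FakeNat(SYMMETRIC, step=2) the two STUN replies come back on ports 40000 and 40002 and the predicted registration port is 40004, which is what the terminal would hand to the query server in step 5.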
With reference to Fig. 2, the two-way authentication that terminal A initiates with destination server Server A proceeds as follows:
Step 511: Client -> Server: Register(IDc). The terminal sends a registration request to the server, carrying its own terminal identity IDc;
Step 512: Server -> Client: IDs, Rs. The server responds to the registration request by generating a random number Rs and sending its own identity IDs together with Rs;
Step 513: Client -> Server: IDc, IDs, Rc, Rs, HMACc (terminal authentication data). The terminal receives, parses and checks the message from step 512, generates a random number Rc, computes the terminal's authentication code HMACc, and sends both identities, the pair of random numbers and the authentication data HMACc to the server;
Step 514: Server -> Client: IDs, IDc, Rs, Rc, HMACs (the destination server's authentication code). The server receives, parses, checks and verifies the message from step 513, derives the session key KM and from it the encryption key EK, finally computes HMACs, looks up the terminal's privileges and sends IDs, IDc, Rs, Rc and HMACs to the terminal;
Step 515: the terminal receives, parses and verifies the message from step 514 (the HMAC function used here is HMAC-SHA1-96), derives the session key material KM and from KM the encryption key EK; the authentication procedure is then complete.
Where:
K = H(PW), PW being the password and K the value of the password after hashing;
HMACs = HMAC_K(IDs, IDc, Rs, Rc);
HMACc = HMAC_K(IDc, IDs, Rc, Rs);
KM = H(K, Rs, Rc);
EK = H(KM, "ENCRYPTION"), where EK is 16 bytes and "ENCRYPTION" is a salt value that may also be empty.
Message verification in the invention is based on a hash function: the SHA1 algorithm is used to compute the authentication code (HMAC) of every message received, and verification passes if and only if the computed value matches the received HMAC value.
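Steps 511 to 515 with the formulas just given, as an added example in which both sides of the exchange are written out (this is not the patent's own code). The page names SHA1 only for the HMAC and says the tag is HMAC-SHA1-96, so SHA-1 is assumed for H as well and tags are truncated to 12 bytes; it does not say how the tuple (IDc, IDs, Rc, Rs) is encoded before hashing, so each field is length-prefixed here, which keeps "AB","C" and "A","BC" from hashing to the same value; and since SHA-1 yields 20 bytes, EK is taken as the first 16. The identities, passwords and random numbers are constructed. One caveat the page does not address: everything in HMACc apart from K is sent in clear, so anyone who records one exchange can test candidate passwords offline against it, and the scheme is only as strong as the password.

```python
"""Password-based mutual authentication of steps 511-515 (added example,
not the patent's code).

K     = H(PW)
HMACc = HMAC_K(IDc, IDs, Rc, Rs)      HMACs = HMAC_K(IDs, IDc, Rs, Rc)
KM    = H(K, Rs, Rc)                  EK    = H(KM, "ENCRYPTION")[:16]
Assumptions: H is SHA-1, tags are HMAC-SHA1-96, fields are length-prefixed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def encode(*fields: bytes) -> bytes:
    # 2-byte length prefix per field (assumption; the page gives no encoding)
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def H(*fields: bytes) -> bytes:
    return hashlib.sha1(encode(*fields)).digest()


def hmac_sha1_96(key: bytes, *fields: bytes) -> bytes:
    return hmac.new(key, encode(*fields), hashlib.sha1).digest()[:12]


class QueryServer:
    """Destination (query) server: stores K = H(PW) for each registered IDc."""

    def __init__(self, ids: bytes, users: Dict[bytes, bytes]):
        self.ids = ids
        self.keys = {idc: H(pw) for idc, pw in users.items()}
        self.pending: Dict[bytes, bytes] = {}                  # IDc -> Rs issued in step 512
        self.sessions: Dict[bytes, Tuple[bytes, bytes]] = {}   # IDc -> (KM, EK)

    def on_register(self, idc: bytes) -> Optional[Tuple[bytes, bytes]]:
        """Step 512: answer Register(IDc) with (IDs, Rs); unknown IDc is refused."""
        if idc not in self.keys:
            return None
        rs = os.urandom(16)
        self.pending[idc] = rs
        return self.ids, rs

    def on_auth(self, idc: bytes, ids: bytes, rc: bytes, rs: bytes, hmac_c: bytes):
        """Step 514: verify HMACc, derive KM and EK, answer with HMACs, or refuse."""
        k = self.keys.get(idc)
        if k is None or ids != self.ids or self.pending.get(idc) != rs:
            return None
        if not hmac.compare_digest(hmac_c, hmac_sha1_96(k, idc, ids, rc, rs)):
            return None
        del self.pending[idc]                                   # Rs is single-use
        km = H(k, rs, rc)
        ek = H(km, b"ENCRYPTION")[:16]
        self.sessions[idc] = (km, ek)                           # privilege lookup not modelled
        return ids, idc, rs, rc, hmac_sha1_96(k, ids, idc, rs, rc)


class Terminal:
    """Terminal (client) side: holds K = H(PW) derived from its own password."""

    def __init__(self, idc: bytes, pw: bytes):
        self.idc, self.k = idc, H(pw)
        self.ids = self.rs = self.rc = self.ek = None

    def register(self) -> bytes:
        """Step 511: Register(IDc)."""
        return self.idc

    def on_challenge(self, ids: bytes, rs: bytes):
        """Step 513: pick Rc and send IDc, IDs, Rc, Rs, HMACc."""
        self.ids, self.rs, self.rc = ids, rs, os.urandom(16)
        return self.idc, ids, self.rc, rs, hmac_sha1_96(self.k, self.idc, ids, self.rc, rs)

    def on_result(self, ids: bytes, idc: bytes, rs: bytes, rc: bytes, hmac_s: bytes) -> bool:
        """Step 515: verify the echoed fields and HMACs, then derive KM and EK."""
        if (ids, idc, rs, rc) != (self.ids, self.idc, self.rs, self.rc):
            return False
        if not hmac.compare_digest(hmac_s, hmac_sha1_96(self.k, ids, idc, rs, rc)):
            return False
        km = H(self.k, rs, rc)
        self.ek = H(km, b"ENCRYPTION")[:16]
        return True


def run_exchange(terminal: Terminal, server: QueryServer) -> Optional[bytes]:
    """Drive steps 511-515; return the terminal's EK, or None if either side refuses."""
    challenge = server.on_register(terminal.register())
    if challenge is None:
        return None
    result = server.on_auth(*terminal.on_challenge(*challenge))
    if result is None:
        return None
    return terminal.ek if terminal.on_result(*result) else None


if __name__ == "__main__":
    srv = QueryServer(b"ServerA", {b"PG_A": b"constructed-password"})    # constructed user table
    print("good password:", run_exchange(Terminal(b"PG_A", b"constructed-password"), srv))
    print("bad password: ", run_exchange(Terminal(b"PG_A", b"wrong"), srv))
```

Both sides end with the same EK only when the terminal's K matches the server's copy for that IDc; a wrong password, an unknown IDc, or a reused Rs all end at step 514 with the server refusing further service, which is the behaviour step 52 requires.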
The invention sets up a proxy server in the public network for querying the public addresses of the other servers, so that terminals access the Internet through a distributed scheme. Using a distributed group of servers avoids the poor query efficiency that results when a large number of terminals access the Internet through the same server. Verifying the terminal's privileges with password-based two-way authentication before the terminal sends a query request to a server both guarantees the legitimacy of the information provided and prevents attacks from illegitimate terminals.

Claims (4)

1. A distributed internet access method, characterized in that the method comprises the following steps:
Step 1: determining the network address translation (NAT) type: the terminal sends a request to a STUN server asking for its own address after NAT mapping; if no reply is received from the server, the terminal's NAT type is taken to be Blocked; if a reply is received and the returned address equals the local address, there is no NAT and the method proceeds to step 5, otherwise there is a NAT and the method proceeds to step 2;
Step 2: the terminal sends a request to the STUN server asking it to reply from a different IP address and port; if no reply arrives from the other IP address, the request is taken to have been blocked by the NAT in front of the terminal and the method proceeds to step 3; if a reply arrives, the network's NAT type is Full Cone and the method proceeds to step 5;
Step 3: the terminal sends a request to another IP address of the STUN server asking for its address after NAT mapping and compares it with the earlier result; if the addresses differ, the network's NAT type is Symmetric NAT and the method proceeds to step 4; if they are the same, the NAT type is Restricted NAT and the method proceeds to step 5;
Step 4: the terminal applies a port-prediction algorithm, sending two STUN requests to two IP addresses of the STUN server (IP1, IP2) and predicting its public address and port behind the NAT from the STUN server's responses, and then proceeds to step 5;
Step 5: the terminal sends the proxy server a request for the server list, the server list being the group of servers with public IP addresses distributed across the Internet, and the proxy server processes the request and returns the list;
Step 6: the terminal uses the returned server list to complete communication with other terminals in a given private network.
2. The method according to claim 1, characterized in that it further comprises, between step 5 and step 6, a step of password-based two-way authentication:
Step 51: the terminal looks up the server list and sends an authentication request to a destination server; the destination server verifies the terminal using the password and ID information the terminal submits, and returns the authentication result;
Step 52: if verification succeeds, the destination server processes the terminal's request to query the NAT exit IP addresses and ports of all terminals in the private networks it is responsible for; if verification fails, the destination server refuses to provide any further service to the terminal.
3. The method according to claim 2, characterized in that the password-based two-way authentication is based on a hash function: the SHA1 algorithm is used to compute the authentication code (HMAC) of every message received, and verification passes if and only if the computed value matches the received HMAC value.
4. The method according to claim 3, characterized in that the two-way authentication that the terminal initiates with the destination server comprises the following steps:
Step 511: the terminal sends a registration request to the destination server, carrying its own terminal identity IDc;
Step 512: the destination server responds to the terminal's registration request by generating a random number Rs and sending its own identity IDs together with Rs;
Step 513: the terminal receives, parses, checks and verifies the reply, generates a random number Rc, computes the terminal's authentication code (HMACc), and sends both identities, the pair of random numbers and the authentication data (HMACc) to the destination server;
Step 514: the destination server receives, parses, checks and verifies the message, derives the session key KM and from it the encryption key EK, finally computes the destination server's authentication code (HMACs), looks up the terminal's privileges and sends IDs, IDc, Rs, Rc and HMACs to the terminal;
Step 515: the terminal receives, parses and verifies the reply, derives the session key material KM and from KM the encryption key EK; the authentication procedure is then complete.
Application CN 201010281214, priority date 2010-09-10, filing date 2010-09-10, title "Access method of distributed internet", granted as CN102025769B (en), status Expired - Fee Related

Publications (2)

Publication Number Publication Date
CN102025769A CN102025769A (en) 2011-04-20
CN102025769B true CN102025769B (en) 2013-07-17

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1694034A1 (en) * 2005-02-16 2006-08-23 Alcatel Method to establish a peer-to-peer connection between two user agents located behind symmetric NATs
CN101321128A (en) * 2008-06-27 2008-12-10 中国科学院计算技术研究所 Communication equipment, communication network system and communication method
CN101557388A (en) * 2008-04-11 2009-10-14 中国科学院声学研究所 NAT traversing method based on combination of UPnP and STUN technologies

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee (granted publication date: 20130717)