Embodiments
To make the purpose, technical solution and advantages of the present invention clearer, the invention is described below with reference to the drawings and specific embodiments.
The method provided by the invention extends the EAP protocol so that, during EAP authentication, the authenticator (the authentication end) sends an authentication request message to the peer (the authenticated end). The request message lists the types of extended information the peer is required to provide. After receiving the request, the peer obtains the extended information corresponding to the listed types and sends it to the authenticator, preferably carried in an authentication response message. After receiving the response, the authenticator validates the extended information it carries: if validation fails, the peer is refused network access; if it succeeds, the peer is allowed network access.
In this method the extended information may include at least one of: an RSA certificate, a DSS certificate, a digital signature, the device serial number, the device MAC address, ESN information and IMSI information.
In this method both the authentication request message and the authentication response message are extensions of the message format defined by the existing EAP protocol. Fig. 1 shows that format: it mainly consists of a message Type field, a vendor identification field (Vendor-ID), a Vendor-Type field and a data field. The request and response messages of the invention use a private extension of the format of Fig. 1, shown in Fig. 2. The Type field is extended, for example by setting it to 254 to indicate a private (expanded) type, and the Vendor-Type field is extended, for example by setting it to 1 to indicate that the message is an extended-information authentication message. (In the EAP Expanded Type, Type 254 is followed by a 3-byte Vendor-Id and a 4-byte Vendor-Type, so a Vendor-Type value is only meaningful together with its Vendor-Id.)
Preferably, the data field of Fig. 1 is also extended: all data is carried in the uniform Info Type-Info Length-Info Value (TLV for short) format shown in Fig. 3.
Info Type: 1 byte; the data type, indicating the type of data requested or carried;
Info Length: 1 byte; the length of the whole item, including the Info Type and Info Length bytes themselves (so the smallest well-formed item has length 3). Because the length field is a single byte, one TLV carries at most 253 bytes of value, which is smaller than a typical X.509 certificate;
Value: variable length; the concrete value corresponding to the Info Type.
Based on the format of Fig. 3, the data fields of the authentication request message and the authentication response message are described in turn below.
Authentication request message:
It requests extended information from the peer by carrying the following parameters in its data field:
Info Type: may be 1, denoting a request for extended information from the peer;
Info Length: at least 3;
Value: the types of extended information the peer must provide. Taking RSA certificate, DSS certificate, digital signature, device serial number, device MAC address, ESN information and IMSI information as the example set, the Value contains the type code of each requested item; the type codes are defined below.
Authentication response message:
1. RSA certificate (RSA Certificate), represented by the following three parameters:
Info Type: may be 2;
Info Length: at least 3;
Value: the RSA certificate.
2. DSS certificate (DSS Certificate), represented by the following three parameters:
Info Type: may be 3;
Info Length: at least 3;
Value: the DSS certificate.
3. Digital signature (Signature), represented by the following three parameters:
Info Type: may be 4;
Info Length: at least 3;
Value: an RSA or DSA digital signature;
Note: the signature corresponds to the certificate that is sent, that is, it is made with the private key of that certificate and must verify under its public key.
4. Device serial number (SN), represented by the following three parameters:
Info Type: may be 6;
Info Length: at least 3;
Value: the device serial number;
Note: carries the serial number of the peer device.
5. Device MAC address (MAC), represented by the following three parameters:
Info Type: may be 7;
Info Length: at least 3;
Value: the device MAC address;
Note: carries the MAC address of the peer device.
6. ESN information (ESN), represented by the following three parameters:
Info Type: may be 8;
Info Length: at least 3;
Value: the ESN of the peer's data card or modem.
7. IMSI information (IMSI), represented by the following three parameters:
Info Type: may be 9;
Info Length: at least 3;
Value: the IMSI.
The above lists only a few types of extended information by way of example; those skilled in the art can add other types according to the application scenario and requirements.
In addition, to guarantee the integrity, correctness and non-forgeability of the extended information in the authentication response message, the peer may carry it as follows: obtain the random value from the authentication request message, compute a signature over the random value and the extended information using the hash algorithm and signature algorithm identified in its own certificate, and send the extended information, the random value and the computed signature together in the authentication response message. The random value only protects against replay if the authenticator compares the value returned in the response with the one it generated for that request, and the signature only proves anything if the authenticator has validated the certificate that carries the signing key.
Preferably, the random value is also carried in the data field of the authentication request message and of the authentication response message in the format of Fig. 3, as follows:
Random value, represented by the following three parameters:
Info Type: may be 5;
Info Length: at least 3;
Value: the random value; at least 28 bytes is recommended.
The computed signature may be placed at a chosen position in the data field of the authentication response message, for example in the last Info Type-Info Length-Value item of the data field; the invention does not restrict this.
The method provided by the invention can be applied in a PPP authentication environment and also in an IEEE 802.1X authentication environment. The method is described below with each of these two environments as an example.
Embodiment 1:
Embodiment 1 takes the PPP authentication environment as its example.
Fig. 4 is the flow chart of Embodiment 1 of the invention. The flow is applied to 3G L2TP networking; other cases follow the same principle. In 3G L2TP networking the authenticator may be the LNS together with a local or remote AAA server of the LNS, and the peer may be a 3G terminal. Two cases exist: an L2TP tunnel is set up between the LNS and the 3G terminal, or an L2TP tunnel is set up between the LNS and the access device to which the 3G terminal connects (the LAC, L2TP Access Concentrator). Embodiment 1 is described in detail below using the networking of Fig. 5, in which the tunnel is set up between the LNS and the LAC; other cases are similar.
As shown in Fig. 4, the flow may include the following steps:
Step 401: the LAC receives the PPP connection establishment request initiated by the 3G terminal, performs PPP LCP negotiation with the 3G terminal and authenticates the 3G terminal.
Step 401 is the standard PPP authentication flow and is not repeated here.
Step 402: after the 3G terminal passes authentication, the LAC initiates an L2TP tunnel establishment request to the LNS to set up the L2TP tunnel between itself and the LNS.
Preferably, during L2TP tunnel establishment the LAC and the LNS may authenticate each other to check each other's validity. This is optional and follows the standard protocol flow, so it is not described in detail.
Step 403: after the L2TP tunnel between the LNS and the LAC is established, the LNS renegotiates with the 3G terminal; when the negotiation selects the EAP protocol for authenticating the 3G terminal, EAP authentication begins.
Step 404: after entering the EAP authentication phase, the LNS sends an identity request message to the 3G terminal to request its identity.
The identity request message of step 404 uses the EAP message format of Fig. 1; to distinguish it from other message types, its Type field may be set to 1, meaning a request for the identity of the 3G terminal.
Step 405: after receiving the identity request message, the 3G terminal carries its own identity in an identity response message and sends it to the LNS.
The identity response message of step 405 uses the EAP message format of Fig. 1.
In the invention the identity may be implemented as a user name; the description below uses the user name as the example throughout.
Step 406: the LNS decides, according to the user name of the 3G terminal, whether to enable extended-information authentication for this terminal. If so, step 407 is executed; otherwise the LNS continues to authenticate the 3G terminal according to the authentication flow specified by the existing EAP standard.
In Embodiment 1 the LNS stores records of the users for which extended-information authentication must be enabled; a record may be a mapping between a user name and the enabling of extended-information authentication. In step 406, after receiving the user name of the 3G terminal, the LNS looks it up in this mapping. If it is found, the LNS decides to perform extended-information authentication on the terminal; otherwise it decides not to, and continues with the authentication flow specified by the existing EAP standard, which may be the EAP-MD5 flow or another flow; the invention does not restrict this.
Step 407: the LNS sends an authentication request message to the 3G terminal.
The authentication request message of step 407 uses the format of Fig. 2. Its data field carries the random value and the types of extended information requested from the 3G terminal, both in the format of Fig. 3 as described above and not repeated here.
Step 408: the 3G terminal checks whether it supports the extended-information authentication type to which the authentication request message belongs. If so, step 409 is executed; otherwise it returns a message indicating that it does not support extended-information authentication (an EAP-Nak) to the LNS, so that the LNS can decide the follow-up processing according to the EAP-Nak.
Based on the request format of Fig. 2, where a Vendor-Type value of 1 indicates that the message is of the extended-information authentication type, the check of step 408 is as follows: the 3G terminal first checks whether the Vendor-Type field of the authentication request message is set to 1. If not, the terminal processes the message according to the standard PPP/EAP flow. If so, it goes on to check whether it supports the extended-information authentication type; if it does, step 409 is executed; if not, it returns an EAP-Nak to the LNS, and the LNS decides the follow-up processing according to the EAP-Nak, for example forcing the 3G terminal offline, or continuing to authenticate the terminal with the authentication flow specified by the existing EAP standard.
Step 409: the 3G terminal obtains the random value from the authentication request message, obtains the extended information corresponding to the extended-information types in the request, and adds the random value and the obtained extended information to the authentication response message.
In step 409 the random value and each item of extended information are added to the data field of the authentication response message as separate items in the Fig. 3 format described above.
Step 410: the 3G terminal computes a signature over the random value and the obtained extended information, adds the computed signature at the chosen position of the data field of the authentication response message, and sends the message to the LNS.
In step 410 the 3G terminal may compute the signature over the random value and the extended information using the hash algorithm and signature algorithm identified in its own certificate. As for the position of the signature, it may be added in the last Info Type-Info Length-Value item of the data field of the authentication response message.
Step 411: after receiving the authentication response message, the LNS first verifies the signature in the message. If verification fails, access of the 3G terminal is refused. If it succeeds, the LNS sends each item of extended information in the message to the local or remote AAA server for authentication; when that authentication succeeds, access of the 3G terminal is allowed, otherwise it is refused.
In step 411 the LNS may verify the signature in the authentication response message using a PKI policy; the existing PKI verification schemes can be consulted and are not repeated here. The purpose of verifying the signature in step 411 is to verify the integrity of the extended information and, when a 3G terminal is stolen, to block the stolen terminal by revoking its certificate. This only works if the LNS also checks the revocation status of the certificate when it verifies the signature.
In step 411, refusing access of the 3G terminal specifically means tearing down the tunnel established earlier between the LAC and the LNS, so that the 3G terminal can no longer reach the LNS.
Also, in step 411 the purpose of the local or remote AAA server authenticating the extended information is to verify whether the extended information is correct and valid.
Embodiment 1 can thus be realised by the above steps.
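The following is an added example, not code from the patent: it implements the TLV format of Fig. 3 and the expanded-type messages of Fig. 2 described above, and runs the exchange of steps 407 to 411 (the same logic as steps 604 to 608 of Embodiment 2) with both the authenticator and the peer side. The Vendor-Id is a placeholder, and an HMAC keyed with a demo key stands in for the RSA/DSA signature that a real peer would make under its certificate; the device record is constructed. The authenticator checks the signature before anything else, compares the returned random value with the one it issued, and only then passes the extended information to the AAA check, which is the order of step 411.

```python
# Added example (not the patent's own code): the extended-information exchange with both sides,
# using the Fig. 3 TLV layout and the logic of steps 407-411 (604-608 in Embodiment 2).
# Assumptions: a placeholder Vendor-Id, and an HMAC stand-in for the certificate signature.
import hashlib
import hmac
import os
import struct

# Info Type codes as assigned above (1 = requested types, 4 = signature, 5 = random value)
T_REQUEST, T_RSA_CERT, T_DSS_CERT, T_SIGNATURE, T_RANDOM = 1, 2, 3, 4, 5
T_SN, T_MAC, T_ESN, T_IMSI = 6, 7, 8, 9
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_NAK, EAP_TYPE_EXPANDED = 1, 2, 3, 254
VENDOR_ID, VT_EXTINFO = 0x000001, 1    # placeholder enterprise number; Vendor-Type 1 = extended info
EXPANDED_HDR = bytes([EAP_TYPE_EXPANDED]) + VENDOR_ID.to_bytes(3, "big") + struct.pack("!I", VT_EXTINFO)

def tlv(info_type, value):
    """Info Type (1 byte) | Info Length (1 byte, counting both header bytes) | Value."""
    if not 1 <= len(value) <= 253:   # a 1-byte length caps one TLV at 255 bytes in total
        raise ValueError("value must be 1..253 bytes; larger items need fragmentation")
    return struct.pack("!BB", info_type, 2 + len(value)) + value

def parse_tlvs(data):
    """Strict parser: every Info Length must be >= 3 and must not overrun the buffer."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 3:
            raise ValueError("truncated TLV")
        info_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad Info Length")
        out.append((info_type, data[i + 2:i + length]))
        i += length
    return out

def eap_expanded(code, identifier, payload):
    """EAP header (Code, Identifier, Length) + Type 254 + Vendor-Id + Vendor-Type + data."""
    return struct.pack("!BBH", code, identifier, 4 + len(EXPANDED_HDR) + len(payload)) + EXPANDED_HDR + payload

def parse_eap_expanded(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or pkt[4:12] != EXPANDED_HDR:
        raise ValueError("not an extended-information message")
    return code, identifier, pkt[12:]

# Authenticator side (the LNS in Embodiment 1, the device end in Embodiment 2)
def build_request(identifier, requested_types):
    """Step 407: a fresh 28-byte random value plus the list of requested Info Types."""
    nonce = os.urandom(28)
    payload = tlv(T_RANDOM, nonce) + tlv(T_REQUEST, bytes(requested_types))
    return eap_expanded(EAP_REQUEST, identifier, payload), nonce

def verify_response(response, expected_identifier, expected_nonce, verify, aaa_check):
    """Step 411: check the signature first, then hand the extended information to AAA."""
    try:
        code, identifier, payload = parse_eap_expanded(response)
        tlvs = parse_tlvs(payload)
    except ValueError:
        return False
    if code != EAP_RESPONSE or identifier != expected_identifier:
        return False
    if not tlvs or tlvs[-1][0] != T_SIGNATURE:
        return False                              # the signature must be the last TLV
    signature = tlvs[-1][1]
    signed = payload[:len(payload) - (2 + len(signature))]   # random value + extended info
    if not verify(signed, signature):
        return False
    info = dict(tlvs[:-1])
    if not hmac.compare_digest(info.pop(T_RANDOM, b""), expected_nonce):
        return False                              # stale or replayed response
    return aaa_check(info)

# Peer side (the 3G terminal in Embodiment 1, the client in Embodiment 2)
def peer_handle(request, device_info, sign):
    """Steps 408-410: signed extended information, or a legacy Nak if the type is unsupported."""
    if request[4:12] != EXPANDED_HDR:
        return struct.pack("!BBHBB", EAP_RESPONSE, request[1], 6, EAP_TYPE_NAK, 0)  # Nak: no alternative
    _, identifier, payload = parse_eap_expanded(request)
    asked = dict(parse_tlvs(payload))
    body = tlv(T_RANDOM, asked[T_RANDOM])
    for info_type in asked[T_REQUEST]:
        body += tlv(info_type, device_info[info_type])
    return eap_expanded(EAP_RESPONSE, identifier, body + tlv(T_SIGNATURE, sign(body)))

# Stand-in for the RSA/DSA signature under the peer's certificate: an HMAC with a demo key plays
# the private key. A deployment signs with the certificate key and validates chain and revocation.
DEMO_KEY = b"demo-only-key"

def demo_sign(data):
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()

def demo_verify(data, signature):
    return hmac.compare_digest(demo_sign(data), signature)

DEVICE = {T_SN: b"SN-0001", T_MAC: bytes.fromhex("0200000000aa"), T_IMSI: b"001010123456789"}  # constructed

def run_exchange(device_info, registered, identifier=7):
    """Steps 407-411 end to end; True only if access would be granted."""
    request, nonce = build_request(identifier, [T_SN, T_MAC, T_IMSI])
    response = peer_handle(request, device_info, demo_sign)
    return verify_response(response, identifier, nonce, demo_verify, lambda info: info == registered)
```

run_exchange(DEVICE, DEVICE) returns True; the same call with a serial number that the AAA check does not recognise, a response whose signature byte has been flipped, or a response carrying a random value other than the one issued for the request all return False. The aaa_check callable is where the local or remote AAA server lookup of step 411 would go.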
The flow of the method applied to an 802.1X authentication environment is described below by Embodiment 2.
Embodiment 2:
Embodiment 2 takes the 802.1X authentication environment as its example. In this environment the authenticator may be the device end together with a local or remote RADIUS server of the device end, and the peer is the client.
Embodiment 2 of the invention is described below with reference to Fig. 6.
Fig. 6 is the flow chart of Embodiment 2. The initial stage of EAP authentication is the same as in the standard 802.1X protocol and is not repeated; after entering the EAP authentication phase, the extended-information authentication flow may be used. Note that in this flow all messages of the EAP authentication phase (that is, the messages of each step below) are encapsulated in EAP over LAN (EAPOL).
Based on this, as shown in Fig. 6, the flow may include the following steps:
Step 601: the device end sends an identity request message to the client to request the client's identity.
Step 602: after receiving the identity request message, the client carries its own identity in an identity response message and sends it to the device end.
In the invention the identity may be implemented as a user name; the description below uses the user name as the example throughout.
Steps 601 and 602 are the normal flow of the 802.1X protocol and are not described in detail.
Step 603: the device end decides, according to the client's user name, whether to enable extended-information authentication. If so, step 604 is executed; otherwise the device end continues to authenticate the client according to the authentication flow specified by the existing 802.1X/EAP standard.
In Embodiment 2 the device end stores records of the users for which extended-information authentication must be enabled; a record may be a mapping between a user name and the enabling of extended-information authentication. In step 603, after receiving the client's user name, the device end looks it up in this mapping. If it is found, the device end decides to perform extended-information authentication on the client; otherwise it decides not to, and continues with the authentication flow specified by the existing 802.1X/EAP standard, which may be the EAP-MD5 flow or another flow; the invention does not restrict this.
Compared with standard 802.1X, step 603 and the following steps 604 to 608 are an improvement over the device end merely requesting a password from the client and authenticating the password the client sends. In the invention the client is no longer required to provide only a password, with only that password being authenticated; it is required to provide more information, which improves the security of network access. The steps are as follows.
Step 604: the device end sends an authentication request message to the client.
Step 605: the client checks whether it supports the extended-information authentication type to which the authentication request message belongs. If so, step 606 is executed; otherwise it returns an EAP-Nak to the device end, and the device end decides the follow-up processing according to the EAP-Nak, for example forcing the client offline, or continuing to authenticate the client with the authentication flow specified by the existing 802.1X/EAP standard.
Step 606: the client obtains the random value from the authentication request message, obtains the extended information corresponding to the extended-information types in the request, and adds the random value and the obtained extended information to the authentication response message.
Step 607: the client computes a signature over the random value and the obtained extended information, adds the computed signature at the chosen position of the data field of the authentication response message, and sends the message to the device end.
Step 608: the device end first verifies the signature in the authentication response message. If verification fails, access of the client is refused. If it succeeds, the device end further authenticates each item of extended information in the message by interacting with the local or remote RADIUS server; when that authentication succeeds, the client is allowed to access the network, otherwise access is refused.
In step 608, before allowing the client to access the network, the standard operation specified by the 802.1X protocol may additionally be performed: the device end interacts with the RADIUS server to complete PAP authentication and, when it succeeds, sends an EAP Success to the client, thereby allowing the client to access the network.
Embodiment 2 is thus completed by steps 601 to 608 above.
Note that in Embodiment 1 or Embodiment 2, a message exchanged between the authenticator and the peer may be longer than the link MTU; for example, when the peer includes certificate information in the authentication response message, the response may exceed the link MTU. For this case the invention may fragment any message whose length exceeds the link MTU. Fragmentation is described below using the authentication response message as the example; other cases follow the same principle.
In the invention, to transmit and receive the multiple fragments into which an authentication response message is divided, a Flags field and a Message Length field may be defined in the fragments. The Flags field contains an L flag (Length) and an M flag (More fragments). The L flag indicates that the message contains the Message Length field; it must be set in the first fragment. The M flag indicates whether further fragments follow: 1 means more fragments follow, 0 means none do, so every fragment except the last must have the M flag set. After receiving a fragment with the M flag set, the authenticator must reply with a response message that serves as the ACK for that fragment; the ACK may use the extended-information message format of Fig. 2 with empty vendor data.
To avoid fragment errors, each fragment carries an Identifier field whose value increases in the order of transmission, while a retransmitted fragment keeps its Identifier value unchanged. The ACK that the authenticator returns for a fragment carries the same Identifier value as that fragment.
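The following is an added example, not code from the patent, of the fragmentation scheme just described: a sender that splits an oversized message body into expanded-type EAP packets no larger than the MTU, and a receiver that validates the L and M flags, the Message Length and the Identifier sequence, emits an ACK with the fragment's Identifier and empty vendor data for every fragment that has M set, and treats a repeated Identifier as a retransmission (acknowledged again, but not appended twice). The page does not fix the bit positions of the flags or the width of Message Length; this example assumes a one-byte Flags field with L = 0x80 and M = 0x40 followed by a 4-byte Message Length, the layout EAP-TLS uses, carries the Flags byte in every fragment, and uses a placeholder Vendor-Id. The message body is a constructed byte string.

```python
# Added example (not the patent's own code): fragmenting an oversized extended-information
# message and reassembling it with per-fragment ACKs. Assumptions: Flags is one byte with
# L = 0x80 and M = 0x40, Message Length is a 4-byte field after Flags in the first fragment,
# every fragment carries the Flags byte (as EAP-TLS does), and the Vendor-Id is a placeholder.
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_EXPANDED = 1, 2, 254
EXPANDED_HDR = bytes([EAP_TYPE_EXPANDED]) + (0x000001).to_bytes(3, "big") + struct.pack("!I", 1)
FLAG_L, FLAG_M = 0x80, 0x40
HDR_LEN = 4 + len(EXPANDED_HDR)          # EAP header + Type 254 + Vendor-Id + Vendor-Type

def _packet(code, identifier, data):
    return struct.pack("!BBH", code, identifier, HDR_LEN + len(data)) + EXPANDED_HDR + data

def fragment(code, first_identifier, message, mtu):
    """Split `message` into EAP packets of at most `mtu` bytes; the Identifier increases per fragment."""
    room_first, room_next = mtu - HDR_LEN - 5, mtu - HDR_LEN - 1   # Flags (+ Message Length)
    if room_first < 1:
        raise ValueError("MTU too small for a fragment")
    packets, offset, identifier = [], 0, first_identifier
    while offset < len(message):
        chunk = message[offset:offset + (room_first if not packets else room_next)]
        more = FLAG_M if offset + len(chunk) < len(message) else 0
        if not packets:                   # first fragment: L set, Message Length present
            data = bytes([FLAG_L | more]) + struct.pack("!I", len(message)) + chunk
        else:
            data = bytes([more]) + chunk
        packets.append(_packet(code, identifier, data))
        offset += len(chunk)
        identifier = (identifier + 1) & 0xFF
    return packets

def ack_for(fragment_packet):
    """ACK: the opposite Code, the fragment's own Identifier, and empty vendor data."""
    code = EAP_REQUEST if fragment_packet[0] == EAP_RESPONSE else EAP_RESPONSE
    return _packet(code, fragment_packet[1], b"")

class Reassembler:
    """Receiver state; feed() returns (ack_or_None, complete_message_or_None) per fragment."""
    def __init__(self):
        self.buf, self.total, self.last = b"", None, None   # last = (identifier, had_more)

    def feed(self, pkt):
        code, identifier, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt) or pkt[4:HDR_LEN] != EXPANDED_HDR:
            raise ValueError("not an extended-information message")
        if self.last and identifier == self.last[0]:        # retransmission: repeat the ACK only
            return (ack_for(pkt) if self.last[1] else None), None
        if self.last and identifier != (self.last[0] + 1) & 0xFF:
            raise ValueError("fragment out of order")
        flags, data = pkt[HDR_LEN], pkt[HDR_LEN + 1:]
        if self.total is None:                              # first fragment of a message
            if not flags & FLAG_L:
                raise ValueError("first fragment must carry Message Length")
            self.total, data = struct.unpack("!I", data[:4])[0], data[4:]
        if len(self.buf) + len(data) > self.total:
            raise ValueError("fragments exceed Message Length")
        self.buf += data
        self.last = (identifier, bool(flags & FLAG_M))
        if flags & FLAG_M:
            return ack_for(pkt), None
        if len(self.buf) != self.total:
            raise ValueError("message shorter than Message Length")
        message, self.buf, self.total = self.buf, b"", None
        return None, message
```

With a 300-byte MTU a 1280-byte body becomes five packets; the receiver returns an ACK for the first four and the reassembled body on the fifth, and feeding the first fragment twice yields the same ACK again without duplicating its data. The bounds checks against Message Length are what keep a malformed fragment stream from growing the receive buffer without limit.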
The method provided by the embodiments of the invention has been described above. The apparatus provided by the embodiments of the invention is described below.
The invention also provides an authentication system based on the Extensible Authentication Protocol; the system comprises an authenticator device and a peer device.
The authenticator device may use the structure shown in Fig. 7, comprising a sending unit and an authentication unit.
The sending unit is used, during the EAP authentication process, to send an authentication request message to the peer, the request message containing the types of extended information the peer must provide, and to obtain from the peer the extended information corresponding to those types.
The authentication unit is used to authenticate the extended information; if authentication fails, the peer is refused network access, and if it succeeds, the peer is allowed network access.
Preferably, the sending unit sends the authentication request message after the authenticator device has completed tunnel establishment with the peer in the PPP authentication mode, renegotiated with the peer to enable EAP authentication, and received the identity sent by the peer; or,
after the tunnel access device to which the peer connects has completed tunnel establishment in the PPP authentication mode, and the authenticator device has renegotiated with the peer to enable EAP authentication and received the identity sent by the peer; or,
after the authenticator device has received the identity sent by the peer in the 802.1X authentication mode.
The peer device may use the structure shown in Fig. 8, comprising a receiving unit, an acquiring unit and a sending unit.
The receiving unit is used to receive the authentication request message sent by the authenticator;
the acquiring unit is used to obtain the extended information corresponding to the extended-information types in the authentication request message;
the sending unit is used to send the obtained extended information to the authenticator for authentication, and to access the network when the extended information passes authentication.
Preferably, as shown in Fig. 8, the peer device further comprises:
a judging unit, used to decide whether the peer device supports the extended-information authentication type to which the authentication request message belongs; if so, it triggers the acquiring unit to obtain the extended information, otherwise it sends a message indicating that the extended-information authentication type is not supported to the authenticator, so that the authenticator can decide the follow-up processing according to that message.
Preferably, the sending unit may comprise:
an acquiring sub-unit, used to obtain the random value from the authentication request message;
a signing sub-unit, used to compute a signature over the random value and the extended information using the hash algorithm and signature algorithm identified in the device's own certificate;
a sending sub-unit, used to carry the obtained extended information, the random value and the computed signature together in the authentication response message sent to the authenticator, so that the authenticator verifies the random value and the signature in the response and, when both pass, goes on to authenticate the extended information.
The sending sub-unit may in turn comprise the following modules:
an adding module, used to add each item of obtained extended information and the random value of the authentication request message to the data field of the authentication response message in the TLV format, and to add the signature at the chosen position of that data field;
a sending module, used to send the authentication response message to the authenticator once the additions are complete.
This completes the description of the system and devices provided by the embodiments of the invention.
As can be seen from the above technical solution, the invention authenticates not only the user name and password but also the extended information of the peer, so that even a third party who obtains the user name and password cannot access the network without the peer's extended information; this improves the security of network access. Note that identifiers such as the serial number, MAC address, ESN and IMSI are not secrets in themselves; the protection rests on the signature computed with the private key of the peer's certificate over the random value and the extended information, which is why the signature is verified before the extended information is sent to the AAA or RADIUS server.
The above are only preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within its scope of protection.