CN102202065A - Access control method and system


Publication number: CN102202065A
Authority: CN (China)
Legal status: Pending (as listed by Google; the status is an assumption, not a legal conclusion)
Application number: CN2011101709825A
Other languages: Chinese (zh)
Inventors: 王俊峰, 杜志强, 铁满霞, 黄振海, 曹军, 陶洪波, 刘晓勇
Assignees (original and current, as listed by Google): RADIOSKY RADIO EQUIPMENT TESTING (BEIJING) CO Ltd; China Iwncomm Co Ltd

Classifications

    • H: Electricity > H04: Electric communication technique > H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security > H04L63/08: for authentication of entities > H04L63/0884: by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols > H04L9/32: including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials > H04L9/321: involving a third party or a trusted authority

Abstract

The invention provides an access control method and system. The method comprises the following steps: 1) a requester REQ sends an access request message M1 to an access controller AC; 2) the access controller AC constructs an access authentication request message M2 and sends it to the requester REQ; 3) the requester REQ constructs an identity authentication request message M3 and sends it to an authentication server AS; 4) the authentication server AS constructs an identity authentication response message M4 and sends it to the requester REQ; 5) the requester REQ constructs an access authentication response message M5 and sends it to the access controller AC of the target network; and 6) the access controller AC constructs an access response message M6 and sends it to the requester REQ. The method and system allow an access controller to enforce access control on requesters even when it cannot reach the authentication server itself.

Description

Access control method and system
Technical field
The invention belongs to the field of network security applications within information security technology, and relates in particular to an access control method and system.
Background
In existing network access control methods, after a requester initiates an access request to a target network, the access controller in that network authenticates and authorizes the requester and thereby enforces access control over it. In scenarios where a third party, such as an authentication server, takes part in identity authentication, the access controller may be unable to connect directly to the authentication server, whether because of the access controller itself or because of the target network, and so cannot use the authentication service that the server provides. Existing access control methods assume that the access controller connects directly to the authentication server and uses its authentication service, so in this case they cannot meet the practical requirement of controlling the requester's access.
Summary of the invention
To solve the technical problem described in the background, the invention provides an access control method and system that meet the application requirement of controlling requesters' access.
The technical solution of the invention is as follows. The invention provides an access control method, characterized in that it comprises:
Step 1) A requester REQ sends an access request message M1 to an access controller AC of a target network. M1 comprises Q_REQ and a second identity authentication information I2, which the requester REQ uses to prove the legitimacy of its identity to an authentication server AS of the target network; Q_REQ denotes the access request of the requester REQ.
Step 2) After receiving M1, the access controller AC constructs an access authentication request message M2 and sends it to the requester REQ. M2 comprises a first digital signature SIG1, by which AC proves the legitimacy of its identity to REQ, and a first identity authentication information I1, by which AC proves the legitimacy of its identity to AS.
Step 3) After receiving M2, the requester REQ constructs an identity authentication request message M3 and sends it to the authentication server AS. M3 comprises the first identity authentication information I1 and the second identity authentication information I2.
Step 4) After receiving M3, the authentication server AS verifies I1 and I2, produces a first public authentication result C1 for the access controller AC and a second public authentication result C2 for the requester REQ, constructs an identity authentication response message M4 and sends it to REQ. M4 comprises C1 and C2.
Step 5) After receiving M4, the requester REQ verifies the first digital signature SIG1 using C1 and, according to the result, decides whether to construct an access authentication response message M5 and send it to the access controller AC of the target network. If it does, M5 comprises C2 and a second digital signature SIG2, by which REQ proves the legitimacy of its identity to AC.
Step 6) After receiving M5, the access controller AC verifies the second digital signature SIG2 using C2, constructs an access response message M6 according to the verification result and an authorization policy, and sends it to REQ. The authorization policy is the policy by which AC authorizes Q_REQ.
Both the requester REQ and the access controller AC hold the public key of the authentication server AS.
In step 1), the access request message M1 comprises N_REQ || I_REQ || Q_REQ, where the second identity authentication information I2 is I_REQ, N_REQ denotes a random number generated by the requester REQ, and || denotes concatenation of the information on either side of it.
In step 2), the first identity authentication information I1 is I_AC and the first digital signature SIG1 is S_AC(N_REQ || N_AC || I_REQ); the access authentication request message M2 comprises N_REQ || N_AC || I_REQ || I_AC || S_AC(N_REQ || N_AC || I_REQ), where N_AC denotes a random number generated by the access controller AC and I_AC denotes the identity authentication information of AC.
Step 3) comprises:
Step 3.1) After receiving M2, the requester REQ checks whether N_REQ is the random number it generated; if not, it proceeds to step 3.2), otherwise to step 3.3);
Step 3.2) REQ discards the authentication request message M2;
Step 3.3) REQ constructs the identity authentication request message M3 and sends it to the authentication server AS; M3 comprises N'_REQ || N_AC || I_REQ || I_AC, where N'_REQ is a random number generated by REQ.
In step 4), the identity authentication response message M4 is Res(I_REQ) || Res(I_AC) || S_AS(N'_REQ || Res(I_AC)) || S_AS(N_AC || Res(I_REQ)), where the first public authentication result C1 is Res(I_AC), which comprises the result of AS's verification of I_AC and the public key of the access controller AC; the second public authentication result C2 is Res(I_REQ), which comprises the result of AS's verification of I_REQ and the public key of the requester REQ; S_AS(N'_REQ || Res(I_AC)) denotes AS's digital signature over N'_REQ || Res(I_AC); and S_AS(N_AC || Res(I_REQ)) denotes AS's digital signature over N_AC || Res(I_REQ).
Step 5) comprises:
Step 5.1) After receiving M4, the requester REQ verifies the validity of the signature S_AS(N'_REQ || Res(I_AC)) with the public key of AS; if valid, it proceeds to step 5.2), otherwise to step 5.6);
Step 5.2) REQ checks whether N'_REQ matches the random number N'_REQ it sent to AS in step 3); if so, it proceeds to step 5.3), otherwise to step 5.6);
Step 5.3) REQ determines from the authentication result Res(I_AC) whether the identity of the access controller AC is legitimate; if so, it proceeds to step 5.4), otherwise to step 5.6);
Step 5.4) REQ obtains the public key of AC from Res(I_AC) and uses it to verify the validity of S_AC(N_REQ || N_AC || I_REQ), which AC sent to REQ in step 2); if valid, it proceeds to step 5.5), otherwise to step 5.6);
Step 5.5) REQ constructs the access authentication response message M5 and sends it to AC; M5 comprises Res(I_REQ) || S_AS(N_AC || Res(I_REQ)) || S_REQ(N_REQ || N_AC || I_AC), where S_REQ(N_REQ || N_AC || I_AC) denotes REQ's signature over N_REQ || N_AC || I_AC and is the second digital signature SIG2;
Step 5.6) REQ terminates the access.
Step 6) comprises:
Step 6.1) After receiving M5, the access controller AC verifies the validity of S_AS(N_AC || Res(I_REQ)) with the public key of AS; if valid, it proceeds to step 6.2), otherwise to step 6.9);
Step 6.2) AC determines from Res(I_REQ) whether the requester REQ is legitimate; if so, it proceeds to step 6.3), otherwise to step 6.9);
Step 6.3) AC checks whether N_AC matches the random number N_AC it sent in step 2); if so, it proceeds to step 6.4), otherwise to step 6.9);
Step 6.4) AC obtains the public key of REQ from Res(I_REQ) and uses it to verify the validity of S_REQ(N_REQ || N_AC || I_AC); if valid, it proceeds to step 6.5), otherwise to step 6.9);
Step 6.5) AC checks whether the I_AC in S_REQ(N_REQ || N_AC || I_AC) matches the I_AC it sent in step 2); if so, it proceeds to step 6.6), otherwise to step 6.9);
Step 6.6) AC checks whether the N_AC in S_REQ(N_REQ || N_AC || I_AC) matches the random number N_AC it sent in step 2); if so, it proceeds to step 6.7), otherwise to step 6.9);
Step 6.7) AC determines, according to the authorization policy, whether the access request Q_REQ that REQ sent in step 1) is permitted; if so, it proceeds to step 6.8), otherwise to step 6.9);
Step 6.8) AC constructs reply data according to Q_REQ, constructs the access response message M6 comprising that reply data, and sends M6 to REQ; the reply data informs REQ whether it is authorized to access the target network;
Step 6.9) AC denies the requester REQ's access.
The authorization policy is retrieved from either the access controller AC or the authentication server AS. When it is retrieved from AS, the identity authentication response message M4 of step 4), Res(I_REQ) || Res(I_AC) || S_AS(N'_REQ || Res(I_AC)) || S_AS(N_AC || Res(I_REQ)), is modified to Res(I_REQ) || Res(I_AC) || S_AS(N'_REQ || Res(I_AC)) || S_AS(N_AC || Res(I_REQ) || AP_AS), where AP_AS denotes the authorization policy, and the access authentication response message M5 of step 5), Res(I_REQ) || S_AS(N_AC || Res(I_REQ)) || S_REQ(N_REQ || N_AC || I_AC), is modified to Res(I_REQ) || S_AS(N_AC || Res(I_REQ) || AP_AS) || S_REQ(N_REQ || N_AC || I_AC).
An access control system, characterized in that it comprises a requester REQ, an access controller AC and an authentication server AS. The requester REQ sends an access request message M1 to the access controller AC of the target network; after receiving M1, AC constructs an access authentication request message M2 and sends it to REQ; after receiving M2, REQ constructs an identity authentication request message M3 and sends it to AS; AS verifies the identity authentication information carried in M3 for the access controller AC and the requester REQ, constructs an identity authentication response message M4 from the public authentication results it produces, and sends it to REQ; after receiving M4, REQ constructs an access authentication response message M5 and sends it to the access controller AC of the target network; after receiving M5, AC constructs an access response message M6 and sends it to REQ.
Advantages of the invention:
The network access control method and system proposed here complete authentication of the requester's identity in the case where an authentication server takes part but the access controller of the target network cannot use the authentication service it provides directly. The invention is based on asymmetric cryptography: after the requester makes an access request, the access controller in the target network processes it; the requester itself initiates the request to the authentication server to authenticate its identity; the access controller completes authentication of the requester's identity from the authentication server's public authentication result, which the requester relays to it; and the access controller manages authorization of a successfully authenticated requester according to the authorization policy. The invention thus solves the problem that access control cannot be enforced when the access controller cannot use the authentication service directly, and meets the practical application requirement.
Brief description of the drawings
Fig. 1 is a flow chart of the access control method provided by the invention.
Fig. 2 is an operational diagram of the access control system provided by the invention.
Fig. 3 is a block diagram of step S1 in Fig. 2.
Fig. 4 is a block diagram of step S2 in Fig. 2.
Fig. 5 is a block diagram of step S3 in Fig. 2.
Fig. 6 is a block diagram of step S4 in Fig. 2.
Fig. 7 is a block diagram of step S5 in Fig. 2.
Fig. 8 is a block diagram of step S6 in Fig. 2.
Detailed description
Referring to Fig. 2, the invention provides an access control system 100 comprising a requester REQ, an authentication server AS and an access controller AC. Before system 100 operates, both the requester REQ and the access controller AC hold the public key of the authentication server AS.
Referring to Figs. 1 to 8, network access control system 100 completes authentication and authorization of the requester REQ through six steps, S1 to S6.
Step S1: referring to Fig. 3, the requester REQ sends an access request message M1 to the access controller AC of the target network. M1 contains Q_REQ and the identity authentication information I2 of REQ, where Q_REQ denotes REQ's access request and I2 is used to prove the legitimacy of REQ's identity to the authentication server AS (the same below).
Step S2: referring to Fig. 4, after receiving M1, the access controller AC constructs an access authentication request message M2 and sends it to REQ. M2 contains AC's digital signature SIG1 and identity authentication information I1; SIG1 proves the legitimacy of AC's identity to REQ, and I1 proves the legitimacy of AC's identity to AS.
Step S3: referring to Fig. 5, after receiving M2, the requester REQ constructs an identity authentication request message M3 and sends it to AS. M3 contains AC's identity authentication information I1 and REQ's identity authentication information I2.
Step S4: referring to Fig. 6, the authentication server AS verifies AC's identity authentication information I1 and REQ's identity authentication information I2 from M3, produces a public authentication result C1 for AC and a public authentication result C2 for REQ, constructs an identity authentication response message M4 containing C1 and C2, and sends it to REQ.
Step S5: referring to Fig. 7, after receiving M4, the requester REQ verifies the digital signature SIG1 using C1 and decides from the result whether to construct an access authentication response message M5 and send it to the access controller AC of the target network. If it does, M5 contains C2 and REQ's digital signature SIG2, which proves the legitimacy of REQ's identity to AC.
Step S6: referring to Fig. 8, after receiving M5, the access controller AC verifies the digital signature SIG2 using C2 and, according to the result and the authorization policy, constructs an access response message M6 and sends it to REQ; M6 contains the information of whether REQ is authorized to access the target network. This completes the invention's authentication and authorization of the requester REQ. The authorization policy is the policy by which AC authorizes REQ's access request Q_REQ; it may come from a server, for example the authentication server AS, or from AC locally. The policy is provisioned in advance in AS or in AC; the invention only invokes it.
Operating system 100 according to steps S1 to S6 achieves authentication and authorization of the requester REQ and meets the practical requirement of controlling the requester's access.
A specific embodiment of step S1:
The requester REQ constructs N_REQ || I_REQ || Q_REQ and sends it to the access controller AC. In this embodiment N_REQ || I_REQ || Q_REQ is the access request message M1; in other embodiments M1 may be another message that contains at least N_REQ || I_REQ || Q_REQ.
Here I_REQ denotes REQ's identity authentication information, i.e. I2, used to prove the legitimacy of REQ's identity to AS; N_REQ denotes a random number generated by REQ; and "||" denotes concatenation of the information on either side of it (the same below).
A specific embodiment of step S2:
After receiving the access request message M1 = N_REQ || I_REQ || Q_REQ, the access controller AC constructs the access authentication request message M2 = N_REQ || N_AC || I_REQ || I_AC || S_AC(N_REQ || N_AC || I_REQ) and sends it to REQ; in other embodiments M2 is a message that contains at least N_REQ || N_AC || I_REQ || I_AC || S_AC(N_REQ || N_AC || I_REQ).
Here N_AC denotes a random number generated by AC; I_AC denotes AC's identity authentication information, i.e. I1, used to prove the legitimacy of AC's identity to AS; and S_AC(N_REQ || N_AC || I_REQ) denotes AC's signature over N_REQ || N_AC || I_REQ, i.e. the digital signature SIG1.
A specific embodiment of step S3:
After receiving the access authentication request message M2 = N_REQ || N_AC || I_REQ || I_AC || S_AC(N_REQ || N_AC || I_REQ), the requester REQ first checks whether N_REQ is the random number it generated; if not, it discards M2; if so, it constructs the identity authentication request message M3 = N'_REQ || N_AC || I_REQ || I_AC and sends it to AS. Here N'_REQ is a random number generated by REQ (the same below).
In other embodiments M3 is a message that contains at least N'_REQ || N_AC || I_REQ || I_AC.
A specific embodiment of step S4:
After receiving REQ's identity authentication request message M3 = N'_REQ || N_AC || I_REQ || I_AC, the authentication server AS verifies I_REQ and I_AC, constructs the identity authentication response message M4 = Res(I_REQ) || Res(I_AC) || S_AS(N'_REQ || Res(I_AC)) || S_AS(N_AC || Res(I_REQ)), and sends it to REQ.
Here Res(I_AC) is the public authentication result C1 and comprises AS's verification result for I_AC and the public key of AC; Res(I_REQ) is the public authentication result C2 and comprises AS's verification result for I_REQ and the public key of REQ; S_AS(N'_REQ || Res(I_AC)) and S_AS(N_AC || Res(I_REQ)) denote AS's digital signatures over N'_REQ || Res(I_AC) and over N_AC || Res(I_REQ) respectively.
In other embodiments M4 is a message that contains at least Res(I_REQ) || Res(I_AC) || S_AS(N'_REQ || Res(I_AC)) || S_AS(N_AC || Res(I_REQ)).
A specific embodiment of step S5:
After receiving AS's identity authentication response message M4 = Res(I_REQ) || Res(I_AC) || S_AS(N'_REQ || Res(I_AC)) || S_AS(N_AC || Res(I_REQ)), the requester REQ first verifies the validity of the signature S_AS(N'_REQ || Res(I_AC)) with AS's public key; if valid, it checks whether N'_REQ matches the random number N'_REQ it sent to AS in step S3; if so, it determines from Res(I_AC), i.e. the public authentication result C1, whether AC's identity is legitimate; if so, it obtains AC's public key from Res(I_AC) and uses it to verify the validity of the digital signature SIG1 = S_AC(N_REQ || N_AC || I_REQ) that AC sent to it in step S2; if valid, REQ constructs the access authentication response message M5 = Res(I_REQ) || S_AS(N_AC || Res(I_REQ)) || S_REQ(N_REQ || N_AC || I_AC) and sends it to AC. In this message Res(I_REQ) is the public authentication result C2, and S_REQ(N_REQ || N_AC || I_AC) denotes REQ's signature over N_REQ || N_AC || I_AC, i.e. the digital signature SIG2.
If the signature S_AS(N'_REQ || Res(I_AC)) is invalid; or it is valid but N'_REQ does not match; or N'_REQ matches but AC's identity is illegitimate; or AC's identity is legitimate but the signature S_AC(N_REQ || N_AC || I_REQ) is invalid, then REQ terminates the access.
In other embodiments M5 is a message that contains at least Res(I_REQ) || S_AS(N_AC || Res(I_REQ)) || S_REQ(N_REQ || N_AC || I_AC).
A specific embodiment of step S6:
After receiving REQ's access authentication response message M5 = Res(I_REQ) || S_AS(N_AC || Res(I_REQ)) || S_REQ(N_REQ || N_AC || I_AC), the access controller AC first verifies the validity of the signature S_AS(N_AC || Res(I_REQ)) with AS's public key; if valid, it determines from Res(I_REQ), i.e. the public authentication result C2, whether REQ is legitimate; if so, it checks whether N_AC matches the random number N_AC it sent in step S2; if so, it obtains REQ's public key from Res(I_REQ) and uses it to verify the validity of the signature S_REQ(N_REQ || N_AC || I_AC); if valid, it checks whether the I_AC contained in that signature matches the I_AC it sent in step S2; if so, it checks whether the N_AC in that signature matches the random number N_AC it sent in step S2; if so, it determines according to the authorization policy whether the access request Q_REQ that REQ sent in step S1 is permitted; if so, it constructs reply data according to Q_REQ, constructs the access response message M6 containing that reply data, and sends M6 to REQ. The reply data informs REQ whether it is authorized to access the target network, and thereby REQ's access to the target network is controlled.
The authorization policy that AC applies to REQ may be local to AC or provided by another server such as the authentication server AS. When AS provides it, the identity authentication response message M4 of step S4, Res(I_REQ) || Res(I_AC) || S_AS(N'_REQ || Res(I_AC)) || S_AS(N_AC || Res(I_REQ)), must be modified to Res(I_REQ) || Res(I_AC) || S_AS(N'_REQ || Res(I_AC)) || S_AS(N_AC || Res(I_REQ) || AP_AS), where AP_AS denotes the authorization policy, and the access authentication response message M5 of step S5, Res(I_REQ) || S_AS(N_AC || Res(I_REQ)) || S_REQ(N_REQ || N_AC || I_AC), must be modified correspondingly to Res(I_REQ) || S_AS(N_AC || Res(I_REQ) || AP_AS) || S_REQ(N_REQ || N_AC || I_AC).
If the signature S_AS(N_AC || Res(I_REQ)) is invalid; or it is valid but REQ is illegitimate; or REQ is legitimate but N_AC does not match; or N_AC matches but the signature S_REQ(N_REQ || N_AC || I_AC) is invalid; or that signature is valid but the I_AC in it does not match AC's identity information; or I_AC matches but the N_AC in the signature does not match; or all of these checks pass but the access request Q_REQ that REQ sent in step S1 is not permitted, then in every case AC denies REQ's access.
In sum, the present invention is based on digital signature and authentication mechanism in the asymmetric cryptographic technique, finish discriminated union between having realized when access controller AC can't directly be used the discriminating service that authentication server AS provides, to finish the access control process that visitor REQ is authorized by access controller AC by visitor REQ and authentication server AS.

Claims (10)

1. An access control method, characterized in that the access control method comprises:
Step 1): a visitor (REQ) sends an access request message (M1) to an access controller (AC) of a purpose network; the access request message (M1) comprises Q_REQ and a second identity authentication information (I2) used by the visitor (REQ) to prove the legitimacy of the identity of the visitor (REQ) to an authentication server (AS) of the purpose network; wherein Q_REQ represents the access request of the visitor (REQ);
Step 2): after the access controller (AC) receives the access request message (M1), it constructs an access discrimination request message (M2) and sends it to the visitor (REQ); the access discrimination request message (M2) comprises a first digital signature (SIG1) of the access controller (AC), used to prove the legitimacy of the identity of the access controller (AC) to the visitor (REQ), and a first identity authentication information (I1), used to prove the legitimacy of the identity of the access controller (AC) to the authentication server (AS);
Step 3): after the visitor (REQ) receives the access discrimination request message (M2), it constructs an identity discrimination request message (M3) and sends it to the authentication server (AS); the identity discrimination request message (M3) comprises the first identity authentication information (I1) and the second identity authentication information (I2);
Step 4): after the authentication server (AS) receives the identity discrimination request message (M3), it discriminates the first identity authentication information (I1) and the second identity authentication information (I2), produces a first ostensible identification result (C1) for the access controller (AC) and a second ostensible identification result (C2) for the visitor (REQ), and constructs an identity identification response message (M4) and sends it to the visitor (REQ); the identity identification response message (M4) comprises the first ostensible identification result (C1) and the second ostensible identification result (C2);
Step 5): after the visitor (REQ) receives the identity identification response message (M4), it verifies the first digital signature (SIG1) according to the first ostensible identification result (C1) and, according to the verification result, selects whether to construct an access identification response message (M5) and send it to the access controller (AC); if it is sent, the access identification response message (M5) comprises the second ostensible identification result (C2) and a second digital signature (SIG2) of the visitor (REQ), used to prove the legitimacy of the identity of the visitor (REQ) to the access controller (AC);
Step 6): after the access controller (AC) receives the access identification response message (M5), it verifies the second digital signature (SIG2) according to the second ostensible identification result (C2), and constructs an access response message (M6) according to the verification result and a delegated strategy and sends it to the visitor (REQ); the delegated strategy is the strategy by which the access controller (AC) authorizes Q_REQ.
2. The access control method according to claim 1, characterized in that: the visitor (REQ) and the access controller (AC) both hold the public key of the authentication server (AS).
3. The access control method according to claim 2, characterized in that: in step 1), the access request message (M1) comprises N_REQ || I_REQ || Q_REQ;
wherein the second identity authentication information (I2) is I_REQ; N_REQ represents a random number produced by the visitor (REQ); and || represents the concatenation of the two pieces of information before and after it.
4. The access control method according to claim 3, characterized in that: in step 2), the first identity authentication information (I1) is I_AC, the first digital signature (SIG1) is S_AC(N_REQ || N_AC || I_REQ), and the access discrimination request message (M2) comprises N_REQ || N_AC || I_REQ || I_AC || S_AC(N_REQ || N_AC || I_REQ); wherein N_AC represents a random number produced by the access controller (AC), and I_AC represents the identity authentication information of the access controller (AC).
5. The access control method according to claim 4, characterized in that step 3) comprises:
Step 3.1): after the visitor (REQ) receives the access discrimination request message (M2), it judges whether N_REQ is the random number produced by the visitor (REQ); if not, step 3.2) is executed; if so, step 3.3) is executed;
Step 3.2): the visitor (REQ) discards the access discrimination request message (M2);
Step 3.3): the visitor (REQ) constructs the identity discrimination request message (M3) and sends it to the authentication server (AS); the identity discrimination request message (M3) comprises N'_REQ || N_AC || I_REQ || I_AC;
wherein N'_REQ is a random number generated by the visitor (REQ).
6. The access control method according to claim 5, characterized in that: in step 4), the identity identification response message (M4) comprises Res(I_REQ) || Res(I_AC) || S_AS(N'_REQ || Res(I_AC)) || S_AS(N_AC || Res(I_REQ));
wherein the first ostensible identification result (C1) is Res(I_AC), and Res(I_AC) comprises the verification result of the authentication server (AS) for I_AC and the public key of the access controller (AC); the second ostensible identification result (C2) is Res(I_REQ), and Res(I_REQ) comprises the verification result of the authentication server (AS) for I_REQ and the public key of the visitor (REQ); S_AS(N'_REQ || Res(I_AC)) represents the digital signature of the authentication server (AS) on N'_REQ || Res(I_AC), and S_AS(N_AC || Res(I_REQ)) represents the digital signature of the authentication server (AS) on N_AC || Res(I_REQ).
7. The access control method according to claim 6, characterized in that step 5) comprises:
Step 5.1): after the visitor (REQ) receives the identity identification response message (M4), it verifies the validity of S_AS(N'_REQ || Res(I_AC)) with the public key of the authentication server (AS); if valid, step 5.2) is executed; if invalid, step 5.6) is executed;
Step 5.2): the visitor (REQ) judges whether N'_REQ is consistent with the N'_REQ that the visitor (REQ) sent to the authentication server (AS) in step 3); if consistent, step 5.3) is executed; if inconsistent, step 5.6) is executed;
Step 5.3): the visitor (REQ) judges from Res(I_AC) whether the identity of the access controller (AC) is legal; if legal, step 5.4) is executed; if illegal, step 5.6) is executed;
Step 5.4): the visitor (REQ) obtains the public key of the access controller (AC) from Res(I_AC) and uses this public key to verify the validity of the S_AC(N_REQ || N_AC || I_REQ) that the access controller (AC) sent to the visitor (REQ) in step 2); if valid, step 5.5) is executed; if invalid, step 5.6) is executed;
Step 5.5): the visitor (REQ) constructs the access identification response message (M5) and sends it to the access controller (AC); the access identification response message (M5) comprises Res(I_REQ) || S_AS(N_AC || Res(I_REQ)) || S_REQ(N_REQ || N_AC || I_AC); wherein S_REQ(N_REQ || N_AC || I_AC) represents the signature of the visitor (REQ) on N_REQ || N_AC || I_AC, and the second digital signature (SIG2) is S_REQ(N_REQ || N_AC || I_AC);
Step 5.6): the visitor (REQ) stops the access.
8. The access control method according to claim 7, characterized in that step 6) comprises:
Step 6.1): after the access controller (AC) receives the access identification response message (M5), it verifies the validity of S_AS(N_AC || Res(I_REQ)) with the public key of the authentication server (AS); if valid, step 6.2) is executed; if invalid, step 6.9) is executed;
Step 6.2): the access controller (AC) judges from Res(I_REQ) whether the visitor (REQ) is legal; if legal, step 6.3) is executed; if illegal, step 6.9) is executed;
Step 6.3): the access controller (AC) judges whether N_AC is consistent with the N_AC that the access controller (AC) sent in step 2); if consistent, step 6.4) is executed; if inconsistent, step 6.9) is executed;
Step 6.4): the access controller (AC) obtains the public key of the visitor (REQ) from Res(I_REQ) and uses this public key to verify the validity of S_REQ(N_REQ || N_AC || I_AC); if valid, step 6.5) is executed; if invalid, step 6.9) is executed;
Step 6.5): the access controller (AC) judges whether the I_AC in S_REQ(N_REQ || N_AC || I_AC) is consistent with the I_AC that the access controller (AC) sent in step 2); if consistent, step 6.6) is executed; if inconsistent, step 6.9) is executed;
Step 6.6): the access controller (AC) judges whether the N_AC in S_REQ(N_REQ || N_AC || I_AC) is consistent with the N_AC that the access controller (AC) sent in step 2); if consistent, step 6.7) is executed; if inconsistent, step 6.9) is executed;
Step 6.7): the access controller (AC) judges according to the delegated strategy whether the Q_REQ sent by the visitor (REQ) in step 1) is legal; if legal, step 6.8) is executed; if illegal, step 6.9) is executed;
Step 6.8): the access controller (AC) constructs reply data according to Q_REQ, constructs the access response message (M6) and sends it to the visitor (REQ); the access response message (M6) comprises the reply data, and the reply data is used to notify the visitor (REQ) whether it has the right to visit the purpose network;
Step 6.9): the access controller (AC) refuses the access of the visitor (REQ).
9. The access control method according to claim 8, characterized in that: the delegated strategy is called from the access controller (AC) or from the authentication server (AS); when the delegated strategy is called from the authentication server (AS), the Res(I_REQ) || Res(I_AC) || S_AS(N'_REQ || Res(I_AC)) || S_AS(N_AC || Res(I_REQ)) in the identity identification response message (M4) of step 4) is modified to Res(I_REQ) || Res(I_AC) || S_AS(N'_REQ || Res(I_AC)) || S_AS(N_AC || Res(I_REQ) || AP_AS), wherein AP_AS represents the delegated strategy, and the Res(I_REQ) || S_AS(N_AC || Res(I_REQ)) || S_REQ(N_REQ || N_AC || I_AC) in the access identification response message (M5) of step 5) is modified to Res(I_REQ) || S_AS(N_AC || Res(I_REQ) || AP_AS) || S_REQ(N_REQ || N_AC || I_AC).
10. An access control system, comprising a visitor (REQ) and an access controller (AC) and an authentication server (AS) of a purpose network, characterized in that: the visitor (REQ) sends an access request message (M1) to the access controller (AC); after the access controller (AC) receives the access request message (M1), it constructs an access discrimination request message (M2) and sends it to the visitor (REQ), the access discrimination request message (M2) containing a first digital signature (SIG1) of the access controller (AC); after the visitor (REQ) receives the access discrimination request message (M2), it constructs an identity discrimination request message (M3) and sends it to the authentication server (AS); the authentication server (AS) provides a discrimination service according to the identity discrimination request message (M3), produces ostensible identification results, constructs an identity identification response message (M4) according to the ostensible identification results and sends it to the visitor (REQ); after the visitor (REQ) receives the identity identification response message (M4), it verifies the first digital signature (SIG1) according to the ostensible identification result in the identity identification response message (M4) and, according to the verification result, constructs an access identification response message (M5) and sends it to the access controller (AC), the access identification response message (M5) comprising a second digital signature (SIG2) of the visitor (REQ); after the access controller (AC) receives the access identification response message (M5), it verifies the second digital signature (SIG2) according to the ostensible identification result in the access identification response message (M5), and constructs an access response message (M6) according to the verification result and a delegated strategy and sends it to the visitor (REQ).
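The six-message exchange of claims 3 to 9, together with the step S6 checks described in the specification above, modelled end to end in Python. This is an added example and not the patent's or the applicant's own code. It assumes textbook RSA over SHA-256 with fixed Mersenne-prime moduli purely as a stand-in for the asymmetric signature primitive (not usable as real cryptography), a length-prefixed byte encoding for the || operator, a registry dictionary inside AS from which Res(I) is built, a policy callback standing in for the delegated strategy, and the constructed identities "visitor-1" and "ac-1". Because AS never echoes N'_REQ or N_AC back, steps 5.2 and 6.3 are realised by verifying the AS signatures over the party's own stored nonce; M5 carries the fields covered by SIG2 explicitly so that steps 6.5 and 6.6 can be shown as field comparisons.

```python
"""Model of the M1..M6 exchange of CN102202065A (added example, not the patent's code).
Textbook RSA over SHA-256 with Mersenne-prime moduli is only a stand-in signature
primitive (never for real use); layouts, AS registry and policy callback are assumed."""
import hashlib
import json
import secrets

def keypair(pbits, qbits, e=65537):
    p, q = (1 << pbits) - 1, (1 << qbits) - 1   # Mersenne primes, so no prime search
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def encode(*fields):
    """Length-prefixed concatenation modelling '||' without field ambiguity."""
    out = b""
    for f in fields:
        b = f if isinstance(f, bytes) else json.dumps(f, sort_keys=True).encode()
        out += len(b).to_bytes(4, "big") + b
    return out

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(sk, data):
    return pow(_digest(data, sk[0]), sk[1], sk[0])
def verify(pk, data, sig):
    return pow(sig, pk[1], pk[0]) == _digest(data, pk[0])

class AuthServer:                       # AS: holds the registry, issues signed Res(I)
    def __init__(self):
        self.pk, self.sk = keypair(521, 607)
        self.registry = {}              # identity -> public key (constructed data)
    def res(self, ident):               # Res(I): publishable identification result
        pk = self.registry.get(ident)
        return {"id": ident, "valid": pk is not None, "pk": pk}
    def handle_m3(self, m3):            # step 4: M3 -> M4
        n_req2, n_ac, i_req, i_ac = m3
        res_req, res_ac = self.res(i_req), self.res(i_ac)
        return (res_req, res_ac, sign(self.sk, encode(n_req2, res_ac)),
                sign(self.sk, encode(n_ac, res_req)))

class Visitor:                          # REQ
    def __init__(self, ident, as_pk):
        self.ident, self.as_pk = ident, as_pk
        self.pk, self.sk = keypair(61, 89)
    def m1(self, q_req):                # step 1: N_REQ || I_REQ || Q_REQ
        self.n_req = secrets.token_bytes(16)
        return (self.n_req, self.ident, q_req)
    def handle_m2(self, m2):            # step 3: M2 -> M3, or None (3.2: discard)
        if m2[0] != self.n_req:
            return None
        self.m2, self.n_req2 = m2, secrets.token_bytes(16)
        return (self.n_req2, m2[1], m2[2], m2[3])
    def handle_m4(self, m4):            # step 5: M4 -> M5, or None (5.6: stop)
        res_req, res_ac, sig_as1, sig_as2 = m4
        n_req, n_ac, i_req, i_ac, sig_ac = self.m2
        if not verify(self.as_pk, encode(self.n_req2, res_ac), sig_as1):
            return None                 # 5.1/5.2: checked over our own N'_REQ
        if not res_ac["valid"] or res_ac["id"] != i_ac:       # 5.3
            return None
        if not verify(tuple(res_ac["pk"]), encode(n_req, n_ac, i_req), sig_ac):
            return None                                       # 5.4: SIG1 check
        signed = (n_req, n_ac, i_ac)                          # 5.5: SIG2 fields
        return (res_req, sig_as2, signed, sign(self.sk, encode(*signed)))

class AccessController:                 # AC
    def __init__(self, ident, as_pk, policy):
        self.ident, self.as_pk, self.policy = ident, as_pk, policy
        self.pk, self.sk = keypair(107, 127)
        self.sessions = {}              # I_REQ -> (N_REQ, N_AC, Q_REQ)
    def handle_m1(self, m1):            # step 2: M1 -> M2
        n_req, i_req, q_req = m1
        n_ac = secrets.token_bytes(16)
        self.sessions[i_req] = (n_req, n_ac, q_req)
        return (n_req, n_ac, i_req, self.ident, sign(self.sk, encode(n_req, n_ac, i_req)))
    def handle_m5(self, m5):            # step 6: M5 -> M6; any failed check is 6.9
        res_req, sig_as, (s_n_req, s_n_ac, s_i_ac), sig_req = m5
        n_req, n_ac, q_req = self.sessions.get(res_req.get("id"), (None, None, None))
        if not verify(self.as_pk, encode(n_ac, res_req), sig_as):   # 6.1 + 6.3
            return {"granted": False, "reason": "6.1 AS signature / N_AC"}
        if not res_req["valid"]:                                    # 6.2
            return {"granted": False, "reason": "6.2 visitor illegal"}
        if not verify(tuple(res_req["pk"]), encode(s_n_req, s_n_ac, s_i_ac), sig_req):
            return {"granted": False, "reason": "6.4 visitor signature"}
        if s_i_ac != self.ident:                                    # 6.5
            return {"granted": False, "reason": "6.5 I_AC mismatch"}
        if s_n_ac != n_ac or s_n_req != n_req:                      # 6.6
            return {"granted": False, "reason": "6.6 nonce mismatch"}
        if not self.policy(res_req["id"], q_req):                   # 6.7
            return {"granted": False, "reason": "6.7 policy"}
        return {"granted": True, "reason": "ok", "request": q_req}  # 6.8

def run(q_req="read:/intranet", register_visitor=True, replay=False):
    auth = AuthServer()                 # constructed parties and registrations
    req = Visitor("visitor-1", auth.pk)
    ac = AccessController("ac-1", auth.pk, policy=lambda who, q: q.startswith("read:"))
    auth.registry["ac-1"] = ac.pk
    auth.registry["visitor-1"] = req.pk if register_visitor else None
    m5 = req.handle_m4(auth.handle_m3(req.handle_m2(ac.handle_m1(req.m1(q_req)))))
    if replay:                          # fresh run with a new N_AC, then the stale M5
        ac.handle_m1(req.m1(q_req))
    return ac.handle_m5(m5)
```

`run()` returns the M6 decision for a granted request; `run("write:/intranet")` is refused at step 6.7 by the policy, `run(register_visitor=False)` is refused at 6.2 because Res(I_REQ) reports the visitor as not legal, and `run(replay=True)` shows why N_AC is bound into the AS signature: an M5 captured from an earlier run fails at 6.1 once AC has issued a new N_AC. An unknown session also fails at 6.1, since AC then has no N_AC under which the AS signature could verify.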
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011101709825A CN102202065A (en) 2010-10-13 2011-06-23 Access control method and system

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN201010505950.1 2010-10-13
CN201010505950 2010-10-13
CN2011101709825A CN102202065A (en) 2010-10-13 2011-06-23 Access control method and system

Publications (1)

Publication Number Publication Date
CN102202065A true CN102202065A (en) 2011-09-28

Family

ID=44662460

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011101709825A Pending CN102202065A (en) 2010-10-13 2011-06-23 Access control method and system

Country Status (2)

Country Link
CN (1) CN102202065A (en)
WO (1) WO2012048554A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022135377A1 (en) * 2020-12-26 2022-06-30 西安西电捷通无线网络通信股份有限公司 Identity authentication method and apparatus, and device, chip, storage medium and program

Also Published As

Publication number Publication date
WO2012048554A1 (en) 2012-04-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110928