CN102904861B - A kind of extended authentication method and system based on ISAKMP - Google Patents

Info

Publication number: CN102904861B
Application number: CN201110213510.3A
Other versions: CN102904861A
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Active
Inventors: 梁小萍, 韦银星
Original assignee: ZTE Corp
Current assignee: No.2 shrimp culture company, Sheyang port, Sheyang County
Application filed by ZTE Corp; priority to CN201110213510.3A; publication of CN102904861A; application granted; publication of CN102904861B.
Abstract

The invention discloses an extended authentication method based on the Internet Security Association and Key Management Protocol (ISAKMP), including: when a first routing message needs to be sent, the initiator negotiates with the responder to authenticate using the Extensible Authentication Protocol (EAP); after the EAP authentication process succeeds, the initiator and the responder compute the keyed-hash message authentication code (HMAC) value in the AUTH payload from the master session key (MSK) or shared key generated by the EAP process, and send the AUTH payload to the other side, completing authentication in ISAKMP. The invention also discloses an extended authentication system based on ISAKMP. With the method and system of the invention, the authentication method can be selected flexibly in ISAKMP, so that the development of modern authentication techniques can be followed.

Description

A kind of extended authentication method and system based on ISAKMP
Technical field
The present invention relates to key management and authentication techniques for routing devices in communication networks, and in particular to an extended authentication method and system based on the Internet Security Association and Key Management Protocol (ISAKMP).
Background art
The Internet has become an indispensable infrastructure of modern society and plays a very important role in politics, the economy and people's livelihoods. Once the Internet is damaged or attacked, serious harm and influence follow, so network security receives wide public attention. The core equipment of the Internet is the routing device; ensuring the security of routing devices is an important aspect of network security, and within the security mechanisms of routing devices (including the routing protocols they run), key management and authentication are an extremely important aspect. Here, the Internet refers to Internet Protocol (IP) networks. At present, the Keying and Authentication for Routing Protocols (KARP) working group and the Secure Inter-Domain Routing (SIDR) working group of the Internet Engineering Task Force (IETF, the global organization responsible for formulating Internet architecture and protocol standards) are conducting research in this area, and it has been proposed that ISAKMP be extended for the key management and authentication of routing devices (including routing protocols).
The basic idea and process of ISAKMP authentication is: the two authenticating parties first negotiate a Security Association (SA), i.e. the ISAKMP SA. Here the SA is a set of keying material, including the hash algorithm or signature algorithm used, the encryption algorithm, the authentication algorithm and the group information for the Diffie-Hellman exchange. The two parties then use the negotiated hash algorithm or signature algorithm to compute a Keyed-hash Message Authentication Code (HMAC) over part of the transmitted messages and/or the ISAKMP state, write this HMAC into the AUTH payload and send it to the other side, thereby completing the message and identity authentication procedure. Here, the part of the messages refers to the SA parameters or authentication parameters; a pre-configured pre-shared key, or a key computed by a key exchange such as Diffie-Hellman, serves as the input key for computing the HMAC.
However, in the prior art, the limitations of the ISAKMP authentication mode are mainly manifested in the following aspects:
First, the range of choice of authentication mechanisms is limited. Since only a simple hash algorithm or signature algorithm can be used to generate the HMAC and complete the authentication process, the latest authentication methods such as Transport Layer Security (TLS) authentication cannot be used, which limits the freedom of routing devices to select an authentication mechanism and prevents them from following the development of modern authentication techniques.
Second, configuration is complicated. The ISAKMP authentication mechanism requires a trust relationship, such as a pre-shared key or a digital certificate, to be pre-configured between routing devices. However, the workload of configuring trust relationships on routing devices is very large, and in some cases it may not even be possible to complete. For example, assume there are n routing devices in a local network; configuring trust relationships between every pair of them requires n(n-1)/2 trust relationships, and if the local network is large, i.e. the number of routing devices is high, the configuration workload becomes enormous. In addition, if two routing devices belong to different operators, it is difficult to pre-configure a trust relationship between them. Further, at the scale of the global Internet, it is impossible to configure trust relationships between routing devices pairwise.
Third, three-party authentication techniques cannot be used. ISAKMP defines a two-party authentication technique and requires a trust relationship to be pre-configured between the routing devices. In practice, however, pre-configuring trust relationships between every pair of routing devices is often impossible, especially when the routing devices belong to different network domains. In this case, because ISAKMP does not define a three-party authentication mechanism, it cannot handle well the situation in which no trust relationship is pre-configured between routing devices.
Fourth, it is unfavourable for long-term key updates and for adding or removing routing devices. When a routing device needs to update a shared key, all other related routing devices must update the key as well; the workload of this process is huge and affects the other routing devices. When a routing device is added to the network, all related routing devices must add the security material related to this device; the workload is likewise huge and affects the other routing devices. When a routing device is removed, the security material related to it must be deleted from all other related routing devices; the workload is also very large and affects the other routing devices.
Summary of the invention
In view of this, the main object of the present invention is to provide an extended authentication method and system based on ISAKMP, so that the authentication method can be selected flexibly in ISAKMP and the development of modern authentication techniques can be followed.
To achieve the above object, the technical solution of the invention is realized as follows:
The invention provides an extended authentication method based on ISAKMP, which includes:
when a first routing message needs to be sent, the initiator and the responder negotiate to authenticate using the Extensible Authentication Protocol (EAP);
after the EAP authentication process succeeds, the initiator and the responder compute the HMAC value in the AUTH payload from the Master Session Key (MSK) or shared key generated by the EAP process, and send the AUTH payload to the other side, completing authentication in ISAKMP.
In the above scheme, the initiator negotiating with the responder to authenticate using EAP includes:
the initiator sends the responder an EAP message that does not contain an AUTH payload;
after receiving the EAP message, the responder sends an EAP Request to the initiator in an EAP payload;
after receiving the EAP Request, the initiator sends an EAP Response to the responder in an EAP payload and carries out the EAP authentication process with the responder.
In the above scheme, before the initiator sends the EAP message to the responder, the method further includes:
the initiator carries out an initial SA establishment process with the responder.
In the above scheme, when the initiator and the responder negotiate to authenticate using EAP, no trust relationship is configured between the initiator and the responder, and both the initiator and the responder have a trust relationship pre-configured with a Diameter server, the method further includes:
the responder sends an EAP Start message to the Diameter server according to the Diameter-EAP protocol;
after receiving the EAP Start message, the Diameter server carries out an EAP authentication information exchange with the responder, so that the EAP authentication process between the initiator and the responder is carried out through the Diameter server, and after the EAP authentication process succeeds the Diameter server sends the generated MSK or shared key to the responder.
In the above scheme, the responder sending the EAP Start message to the Diameter server according to the Diameter-EAP protocol is:
the responder sends the Diameter server a Diameter-EAP-Request message containing an empty EAP payload;
the initiator carrying out the EAP authentication information exchange with the responder, so that the EAP authentication process between the initiator and the responder is carried out through the Diameter server, is:
the Diameter server encapsulates an EAP Request in an EAP payload and then returns to the responder a Diameter-EAP-Answer message containing the EAP payload;
the responder encapsulates the received EAP Request in the EAP payload of the ISAKMP extension payload and sends it to the initiator;
the initiator returns the corresponding EAP Response to the responder according to the received EAP Request;
the responder encapsulates the received EAP Response in the EAP payload of a Diameter-EAP-Request message and sends it to the Diameter server; and so on, until the Diameter server confirms that the EAP authentication process has ended.
In the above scheme, before the responder computes the HMAC value in the AUTH payload from the MSK or shared key generated by the EAP process, the method further includes:
after the EAP authentication process succeeds, the Diameter server sends the EAP Success message and the MSK or shared key generated by the EAP authentication process to the responder.
In the above scheme, when the initiator and the responder negotiate to authenticate using EAP, no trust relationship is configured between the initiator and the responder, and a trust relationship between the initiator and the responder is established through two or more Diameter servers, the method further includes:
the responder sends an EAP Start message to a Diameter relay server according to the Diameter-EAP protocol;
the Diameter relay server forwards the EAP Start message to the Diameter server;
after receiving the EAP Start message, the Diameter server carries out an EAP authentication information exchange with the Diameter relay server, so that the EAP authentication process between the initiator and the responder is carried out through the Diameter server and the Diameter relay server, and after the EAP authentication process succeeds the Diameter server sends the generated MSK or shared key to the Diameter relay server; the Diameter relay server sends the received MSK or shared key to the responder.
In the above scheme, the responder sending the EAP Start message to the Diameter server according to the Diameter-EAP protocol is:
the responder sends the Diameter server a Diameter-EAP-Request message containing an empty EAP payload;
the carrying out of the EAP authentication information exchange with the Diameter relay server, so that the EAP authentication process between the initiator and the responder is carried out through the Diameter server and the Diameter relay server, is:
the Diameter server encapsulates an EAP Request in an EAP payload and then returns to the Diameter relay server a Diameter-EAP-Answer message containing the EAP payload;
the Diameter relay server forwards the received Diameter-EAP-Answer message containing the EAP payload to the responder;
the responder encapsulates the received EAP Request in the EAP payload of the ISAKMP extension payload and sends it to the initiator;
the initiator returns the corresponding EAP Response to the responder according to the received EAP Request;
the responder encapsulates the received EAP Response in the EAP payload of a Diameter-EAP-Request message and sends it to the Diameter relay server;
the Diameter relay server forwards the received EAP Response to the Diameter server; and so on, until the Diameter server confirms that the EAP authentication process has ended.
In the above scheme, before the responder computes the HMAC value in the AUTH payload from the MSK or shared key generated by the EAP process, the method further includes:
after the EAP authentication process succeeds, the Diameter server sends the EAP Success message and the MSK or shared key generated by the EAP authentication process to the Diameter relay server;
the Diameter relay server forwards the received EAP Success message and the MSK or shared key generated by the EAP authentication process to the responder.
The present invention also provides an extended authentication system based on ISAKMP, which includes a first routing device and a second routing device; wherein
the first routing device is configured to negotiate with the second routing device to authenticate using EAP when a first routing message needs to be sent, and, after EAP authentication succeeds, to compute the value of the AUTH payload from the MSK or shared key generated by the EAP process and send the AUTH payload to the second routing device, completing authentication in ISAKMP;
the second routing device is configured to negotiate with the first routing device to authenticate using EAP, and, after EAP authentication succeeds, to compute the value of the AUTH payload from the MSK or shared key generated by the EAP process and send the AUTH payload to the first routing device, completing authentication in ISAKMP.
In the above scheme, when the first routing device and the second routing device negotiate to authenticate using EAP, no trust relationship is configured between the first routing device and the second routing device, and both the first routing device and the second routing device have a trust relationship pre-configured with a Diameter server, the system further includes a first Diameter server configured to, after receiving the EAP Start message sent by the second routing device, carry out an EAP authentication information exchange with the second routing device, so that the EAP authentication process between the first routing device and the second routing device is carried out through the Diameter server, and, after the EAP authentication process succeeds, send the generated MSK or shared key to the second routing device;
the second routing device is further configured to send the EAP Start message to the first Diameter server according to the Diameter-EAP protocol, carry out the EAP authentication information exchange with the first Diameter server so that the EAP authentication process between the first routing device and the second routing device is carried out through the first Diameter server, and receive the generated MSK or shared key sent by the first Diameter server.
In the above scheme, when the first routing device and the second routing device negotiate to authenticate using EAP, no trust relationship is configured between the first routing device and the second routing device, and a trust relationship between the first routing device and the second routing device is established through two or more Diameter servers, the system further includes a second Diameter server configured to, after receiving the EAP Start message sent by the second routing device, forward the EAP Start message to the first Diameter server; carry out an EAP authentication information exchange with the first Diameter server so that the EAP authentication process between the first routing device and the second routing device is carried out through the first Diameter server and the second Diameter server; and send the generated MSK or shared key received from the first Diameter server to the second routing device;
the first Diameter server is further configured to, after receiving the EAP Start message sent by the second Diameter server, carry out the EAP authentication information exchange with the second Diameter server so that the EAP authentication process between the first routing device and the second routing device is carried out through the first Diameter server and the second Diameter server, and, after the EAP authentication process succeeds, send the generated MSK or shared key to the second Diameter server;
the second routing device is further configured to send the EAP Start message to the second Diameter server according to the Diameter-EAP protocol and receive the generated MSK or shared key sent by the second Diameter server.
In the above scheme, the number of second Diameter servers is more than one.
With the extended authentication method and system based on ISAKMP provided by the present invention, when a first routing message needs to be sent, the initiator negotiates with the responder to authenticate using EAP; after the EAP authentication process succeeds, the initiator and the responder compute the HMAC value in the AUTH payload from the MSK or shared key generated by the EAP process and send the AUTH payload to the other side, completing authentication in ISAKMP. The initiator and the responder can select the authentication method flexibly as needed, for example in the EAP authentication process, which makes the authentication mechanism flexible and allows the development of modern authentication techniques to be followed.
In addition, when negotiating to authenticate using EAP, if no trust relationship is configured between the initiator and the responder but both have a trust relationship pre-configured with a Diameter server, the responder sends an EAP Start message to the Diameter server according to the Diameter-EAP protocol; after receiving the EAP Start message, the Diameter server carries out an EAP authentication information exchange with the responder, so that the EAP authentication process between the responder and the initiator is carried out through the Diameter server. If no trust relationship is configured between the initiator and the responder and the trust relationship between them is established through two or more Diameter servers, the responder sends an EAP Start message to a Diameter relay server according to the Diameter-EAP protocol; the Diameter relay server forwards the EAP Start message to the Diameter server; after receiving the EAP Start message, the Diameter server carries out the EAP authentication information exchange with the Diameter relay server and the responder, so that the EAP authentication process between the initiator and the responder is carried out through the Diameter server and the Diameter relay server. In this way, three-party authentication techniques can be realized in ISAKMP, which solves the problem of complicated trust-relationship configuration. Moreover, for key updates, and/or adding routing devices, and/or removing routing devices, it is only necessary to update, add or delete the security material related to the corresponding routing device on the Diameter server, which effectively reduces the workload and is easy to implement.
Brief description of the drawings
Fig. 1 is a schematic flow diagram of the extended authentication method based on ISAKMP of the present invention;
Fig. 2 is a schematic flow diagram of the ISAKMP Identity Protection Exchange in the prior art;
Fig. 3 is a schematic flow diagram of the extended authentication method based on ISAKMP of embodiment one;
Fig. 4 is a schematic flow diagram of the extended authentication method based on ISAKMP of embodiment two, which introduces a Diameter server;
Fig. 5 is a schematic flow diagram of the extended authentication method based on ISAKMP of embodiment three, which introduces a Diameter relay server;
Fig. 6 is a schematic structural diagram of the extended authentication system based on ISAKMP of the present invention.
Embodiments
The present invention is described in further detail below with reference to the drawings and specific embodiments.
In the following description, the routing device acting as the initiator is referred to as the initiator, and the routing device acting as the responder is referred to as the responder. Here, the initiator refers to the routing device that initiates a message, and the responder refers to the routing device that replies to the initiator with a message.
The extended authentication method based on ISAKMP of the present invention, as shown in Fig. 1, includes the following steps:
Step 101: when a first routing message needs to be sent, the initiator negotiates with the responder to authenticate using EAP;
Here, this step is implemented as follows:
the initiator sends the responder an EAP message that does not contain an AUTH payload;
after receiving the EAP message, the responder sends an EAP Request to the initiator in an EAP payload;
after receiving the EAP Request, the initiator sends an EAP Response to the responder in an EAP payload and carries out the EAP authentication process with the responder.
Here, the EAP message does not contain an AUTH payload, from which the responder can tell that the EAP authentication process is to be started.
If the initiator and the responder need to exchange more content, the sequence of EAP Request and EAP Response can continue, i.e. multiple EAP payloads are exchanged between the initiator and the responder, until the responder sends the EAP authentication result, i.e. success (EAP Success) or failure (EAP Failure), to the initiator.
Before the initiator sends the EAP message to the responder, the method may further include:
the initiator carries out an initial SA establishment process with the responder; the specific implementation of the initial SA establishment process is prior art and is not repeated here.
When the initiator and the responder negotiate to authenticate using EAP, no trust relationship is configured between the initiator and the responder, and both the initiator and the responder have a trust relationship pre-configured with a Diameter server, the method further includes:
the responder sends an EAP Start message to the Diameter server according to the Diameter-EAP protocol;
after receiving the EAP Start message, the Diameter server carries out an EAP authentication information exchange with the responder, so that the EAP authentication process between the initiator and the responder is carried out through the Diameter server, and after the EAP authentication process succeeds the Diameter server sends the generated MSK or shared key to the responder.
Here, the responder sending the EAP Start message to the Diameter server according to the Diameter-EAP protocol is specifically:
the responder sends the Diameter server a Diameter-EAP-Request message containing an empty EAP payload;
the initiator carrying out the EAP authentication information exchange with the responder, so that the EAP authentication process between the initiator and the responder is carried out through the Diameter server, is specifically:
the Diameter server encapsulates an EAP Request in an EAP payload and then returns to the responder a Diameter-EAP-Answer message containing the EAP payload;
the responder encapsulates the received EAP Request in the EAP payload of the ISAKMP extension payload and sends it to the initiator;
the initiator returns the corresponding EAP Response to the responder according to the received EAP Request;
the responder encapsulates the received EAP Response in the EAP payload of a Diameter-EAP-Request message and sends it to the Diameter server; and so on, until the Diameter server confirms that the EAP authentication process has ended. Here, the result of the authentication can be success or failure.
If the EAP authentication process succeeds, the Diameter server sends the EAP Success message and the MSK or shared key generated by the EAP method authentication process to the responder, and the responder then sends the generated MSK or shared key to the initiator.
When the initiator and the responder negotiate to authenticate using EAP, no trust relationship is configured between the initiator and the responder, and a trust relationship between the initiator and the responder is established through two or more Diameter servers, the method further includes:
the responder sends an EAP Start message to a Diameter relay server according to the Diameter-EAP protocol;
the Diameter relay server forwards the EAP Start message to the Diameter server;
after receiving the EAP Start message, the Diameter server carries out an EAP authentication information exchange with the Diameter relay server, so that the EAP authentication process between the initiator and the responder is carried out through the Diameter server and the Diameter relay server, and after the EAP authentication process succeeds the Diameter server sends the generated MSK or shared key to the Diameter relay server; the Diameter relay server sends the received MSK or shared key to the responder.
Here, the responder sending the EAP Start message to the Diameter relay server according to the Diameter-EAP protocol is specifically:
the responder sends the Diameter relay server a Diameter-EAP-Request message containing an empty EAP payload;
the carrying out of the EAP authentication information exchange with the Diameter relay server, so that the EAP authentication process between the initiator and the responder is carried out through the Diameter server and the Diameter relay server, is specifically:
the Diameter server encapsulates an EAP Request in an EAP payload and then returns to the Diameter relay server a Diameter-EAP-Answer message containing the EAP payload;
the Diameter relay server forwards the received Diameter-EAP-Answer message containing the EAP payload to the responder;
the responder encapsulates the received EAP Request in the EAP payload of the ISAKMP extension payload and sends it to the initiator;
the initiator returns the corresponding EAP Response to the responder according to the received EAP Request;
the responder encapsulates the received EAP Response in the EAP payload of a Diameter-EAP-Request message and sends it to the Diameter relay server;
the Diameter relay server forwards the received EAP Response to the Diameter server; and so on, until the Diameter server confirms that the EAP authentication process has ended. Here, the result of the authentication can be success or failure.
This process is the same as the process in which the initiator and the responder have a trust relationship pre-configured with the Diameter server: the information exchange among the responder, the Diameter relay server and the Diameter server is also completed according to the Diameter-EAP protocol, and in this process the Diameter relay server only acts as a relay, forwarding messages between the responder and the Diameter server directly without processing them. If the EAP authentication process succeeds, the Diameter server sends the EAP Success message and the MSK or shared key generated by the EAP method authentication process to the Diameter relay server, the Diameter relay server forwards the EAP Success message and the MSK or shared key to the responder, and the responder then sends the generated MSK or shared key to the initiator.
Before the initiator sends the EAP message to the responder, the method may further include:
the initiator carries out an ISAKMP SA establishment process with the responder; the specific implementation of the ISAKMP SA establishment process is prior art and is not repeated here. After the ISAKMP SA is established, the initiator negotiates with the responder to authenticate using EAP under the protection of the ISAKMP SA.
Since ISAKMP implements mutual authentication, when selecting an EAP method it is recommended to select an EAP method that implements mutual authentication, so that an MSK or shared key can be generated.
Step 102: after the EAP authentication process succeeds, the initiator and the responder compute the HMAC value in the AUTH payload from the MSK or shared key generated by the EAP process, and send the AUTH payload to the other side, completing authentication in ISAKMP.
Here, if an MSK is generated during EAP authentication, the HMAC value in the AUTH payload is computed from the generated MSK; if no MSK is generated during EAP authentication, the HMAC value in the AUTH payload is computed from the generated shared key.
After EAP authentication succeeds, the responder sends the initiator the MSK or shared key generated by the EAP authentication process together with the EAP authentication result, so that the initiator and the responder can then complete authentication in ISAKMP.
Here, the MSK is a constant parameter, whereas the shared key is a one-time parameter that applies only to the current session; in other words, when the initiator and the responder start a session again, the generated shared key differs from that of the previous session, while the MSK does not change. The specific processing of computing the HMAC value in the AUTH payload from the MSK or shared key generated by the EAP process is prior art and is not repeated here.
The specific processing of completing authentication in ISAKMP is prior art and is not repeated here.
The EAP payload used in the EAP authentication of the present invention has the format and definition given in RFC 3748. Here, RFC refers to Request For Comments, a numbered series of documents collecting information about the Internet and software documentation of the UNIX and Internet communities.
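As an added illustration (not code from the patent or from ZTE), the following Python simulation walks through steps 101 and 102 with the Diameter server in the path: the initiator's first message carries no AUTH payload, the responder opens EAP with a Diameter-EAP-Request holding an empty EAP payload, EAP Request/Response packets in RFC 3748 format are relayed until the server returns EAP Success with the MSK, and both sides then key their AUTH payload HMAC with that MSK. The Diameter server, the relay, the challenge-response EAP method, the MSK derivation and the NAI/secret values are all constructed for the example, not taken from any standardized EAP method; it also generalizes to embodiment three by nesting DiameterRelay objects, which forward without processing.

```python
import hashlib
import hmac
import os

# EAP Code values from RFC 3748 (the payload format the page cites)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4


def eap_packet(code: int, identifier: int, data: bytes = b"") -> bytes:
    """Build an RFC 3748 EAP packet: Code(1) | Identifier(1) | Length(2) | Data."""
    return bytes([code, identifier]) + (4 + len(data)).to_bytes(2, "big") + data


def parse_eap(pkt: bytes):
    """Split an EAP packet into (code, identifier, data), honouring the Length field."""
    code, identifier = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length < 4 or length > len(pkt):
        raise ValueError("malformed EAP packet")
    return code, identifier, pkt[4:length]


def auth_payload(key: bytes, transcript: bytes) -> bytes:
    """HMAC carried in the ISAKMP AUTH payload, keyed with the EAP MSK (step 102)."""
    return hmac.new(key, transcript, hashlib.sha256).digest()


class DiameterServer:
    """Holds the trust relationship with the initiator and runs a toy challenge-response
    EAP method (constructed for this example; the MSK derivation is a placeholder)."""

    def __init__(self, credentials: dict):
        self.credentials = credentials   # NAI -> secret shared with the Diameter server
        self.challenges = {}             # session id -> outstanding challenge

    def handle(self, request: dict) -> dict:
        """Process a Diameter-EAP-Request; return a Diameter-EAP-Answer as a dict."""
        sid, eap = request["session"], request["eap"]
        if eap == b"":  # empty EAP payload = EAP Start (page: Diameter-EAP-Request with empty EAP)
            self.challenges[sid] = os.urandom(16)
            return {"session": sid, "eap": eap_packet(EAP_REQUEST, 1, self.challenges[sid]), "msk": None}
        code, ident, data = parse_eap(eap)
        challenge = self.challenges.pop(sid, None)
        if code != EAP_RESPONSE or challenge is None or b"|" not in data:
            return {"session": sid, "eap": eap_packet(EAP_FAILURE, ident), "msk": None}
        nai, proof = data.split(b"|", 1)
        secret = self.credentials.get(nai)
        expected = hmac.new(secret, challenge, hashlib.sha256).digest() if secret else b""
        if secret is None or not hmac.compare_digest(expected, proof):
            return {"session": sid, "eap": eap_packet(EAP_FAILURE, ident), "msk": None}
        msk = hashlib.sha256(b"MSK" + secret + challenge).digest()  # constructed derivation
        return {"session": sid, "eap": eap_packet(EAP_SUCCESS, ident), "msk": msk}


class DiameterRelay:
    """Diameter relay server: forwards requests and answers unchanged (embodiment three)."""

    def __init__(self, next_hop):
        self.next_hop = next_hop

    def handle(self, request: dict) -> dict:
        return self.next_hop.handle(request)


class Initiator:
    """Routing device that sends the first message; it trusts only the Diameter server."""

    def __init__(self, nai: bytes, secret: bytes):
        self.nai, self.secret = nai, secret

    def eap_respond(self, eap_request: bytes) -> bytes:
        code, ident, challenge = parse_eap(eap_request)
        if code != EAP_REQUEST:
            raise ValueError("expected EAP Request")
        proof = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        return eap_packet(EAP_RESPONSE, ident, self.nai + b"|" + proof)


def extended_authentication(initiator: Initiator, aaa, transcript: bytes, session=b"sess-1"):
    """Steps 101-102 as seen by the responder. `aaa` is its Diameter server or relay.
    Returns (authenticated, msk); a failed EAP run yields (False, None)."""
    # Step 101: the first ISAKMP message carries an EAP payload and no AUTH payload,
    # which is how the responder knows to start EAP.
    first_msg = {"HDR": b"ISAKMP", "EAP": b"", "AUTH": None}
    if first_msg["AUTH"] is not None:
        return False, None
    answer = aaa.handle({"session": session, "eap": b""})      # EAP Start
    for _ in range(8):                                          # bound the Request/Response loop
        code, _ident, _data = parse_eap(answer["eap"])
        if code == EAP_SUCCESS:
            break
        if code == EAP_FAILURE:
            return False, None
        # Responder carries the EAP Request in the ISAKMP EAP payload; the initiator answers,
        # and the responder wraps the EAP Response in a new Diameter-EAP-Request.
        answer = aaa.handle({"session": session, "eap": initiator.eap_respond(answer["eap"])})
    else:
        return False, None
    msk = answer["msk"]
    # Step 102: the responder receives the MSK with EAP Success and passes it to the
    # initiator under the ISAKMP SA (as the page describes); both key their AUTH payloads.
    auth_from_responder = auth_payload(msk, transcript)
    auth_from_initiator = auth_payload(msk, transcript)   # initiator uses the forwarded MSK
    return hmac.compare_digest(auth_from_responder, auth_from_initiator), msk
```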
The present invention is described in further detail below with reference to embodiments.
ISAKMP can implement its authentication mechanism in four exchange types (Exchange Type): the Base Exchange, the Identity Protection Exchange, the Authentication Only Exchange and the Aggressive Exchange. Among them, the Identity Protection Exchange protects the identity payloads and the AUTH payload well.
The Identity Protection Exchange flow, as shown in Fig. 2, comprises the following steps:
Step 201: When the first routing message needs to be sent, the initiator sends an HDR payload and an SA payload to the responder;
Step 202: After receiving the SA payload, the responder sends an HDR payload and an SA payload to the initiator, negotiating with the initiator to establish the ISAKMP SA;
Here, the HDR payload denotes the ISAKMP protocol header; an HDR payload is sent in every interaction between the initiator and the responder.
Steps 203~204: The initiator and the responder send each other a Key Exchange (KE) payload and a random number (NONCE) payload; the initiator and the responder each calculate the shared key from the received KE payload and NONCE payload and use it as the input key for computing the HMAC of the AUTH payload;
Here, the KE payload carries the Diffie-Hellman public value.
Steps 205~206: Under the protection of the ISAKMP SA, the initiator and the responder send each other an HDR payload, an identity (IDx) payload and an AUTH payload, and authenticate each other.
Specifically, the initiator and the responder each calculate an HMAC value and compare it with the HMAC value in the received AUTH payload; if the HMACs match on both the initiator's and the responder's side, mutual authentication passes; otherwise, authentication fails.
Here, the "*" after the HDR payload denotes encryption, i.e. the subsequent payloads, namely the IDx payload and the AUTH payload, are encrypted;
x may be ii or ir, denoting the ISAKMP initiator and responder respectively; when the ISAKMP daemon acts as a proxy negotiator, x may also be ui or ur, denoting the user initiator and user responder respectively. The AUTH payload is the generic identity authentication mechanism; specifically, the AUTH payload may be a HASH (hash) payload or a SIG (signature) payload.
Because the Identity Protection Exchange has good security, in order to achieve the object of the present invention and best embody its core idea, the embodiments described below use the Identity Protection Exchange to put the core idea of the present invention into practice. That is, EAP extension carried out in the other ISAKMP exchange types may likewise follow the embodiments of the present invention, and belongs to the scope of protection of the present patent.
Embodiment one:
The application scenario of this embodiment is: a shared key k_ab is configured in advance between the initiator and the responder; the initiator and the responder may be at any location on the network and communicate using the IP protocol. Here, the initiator is the router that sends the routing message and the responder is the router that receives the routing message. This embodiment performs EAP extension of ISAKMP; the flow of authenticating with an EAP method on the basis of the ISAKMP Identity Protection Exchange, as shown in Fig. 3, comprises the following steps:
Step 301: When the first routing message needs to be sent, the initiator sends an SA payload to the responder;
Step 302: The responder sends an SA payload to the initiator;
At this point, the initiator and the responder have negotiated the establishment of the ISAKMP SA.
Step 303: The initiator sends a KE payload and a NONCE payload to the responder;
Step 304: The responder sends a KE payload and a NONCE payload to the initiator;
Here, the process of steps 301~304 may be called the ISAKMP SA establishment process. Its purpose is for the initiator and the responder to negotiate cryptographic algorithms with each other, exchange NONCEs and perform the Diffie-Hellman (D-H) exchange, etc., thereby providing a secure channel for the subsequent exchanges between the initiator and the responder; the specific processing of steps 301~304 is prior art and is not repeated here.
Step 305: Under the protection of the ISAKMP SA, the initiator sends an IDii payload to the responder;
Here, the initiator leaves the AUTH payload empty, thereby informing the responder that it wishes to negotiate authentication using an EAP method.
Step 306: Under the protection of the ISAKMP SA, the responder sends IDir, AUTH and EAP payloads to the initiator;
Here, sending the EAP payload indicates that the responder agrees to authenticate using an EAP method and at the same time issues an EAP Request;
Step 307: The initiator responds to the responder with an EAP payload and carries out the EAP authentication process with the responder;
Here, the EAP payload is an EAP Response;
The method used for EAP authentication may be an existing authentication method, such as TLS or Message Digest Algorithm 5 (MD5); in practical application, the method used for the EAP authentication process may be selected as needed. Depending on the authentication method used, multiple EAP payloads may need to be exchanged between the initiator and the responder; in other words, according to the authentication method used, the initiator may need to send multiple EAP payloads to the responder and, correspondingly, the responder may need to send multiple EAP payloads to the initiator, in order to complete the EAP authentication process. An EAP method capable of mutual authentication is recommended.
Since the shared key k_ab is configured in advance between the initiator and the responder, the responder carries out the EAP authentication process directly with the initiator after receiving the EAP payload.
Step 308: After EAP authentication succeeds, the responder returns an EAP payload to the initiator;
Here, the EAP payload is EAP Success, and the EAP authentication process has generated an MSK or a shared key.
Step 309: After receiving the EAP payload, the initiator calculates the HMAC value in the AUTH payload according to the MSK or shared key generated by the EAP authentication process, and sends the AUTH payload to the responder for comparison with the HMAC value the responder calculates;
Step 310: The responder calculates the HMAC value in the AUTH payload according to the MSK or shared key generated by the EAP authentication process, and sends the AUTH payload to the initiator for comparison with the HMAC value the initiator calculates;
At this point, both sides have completed ISAKMP authentication.
Embodiment two:
The application scenario of this embodiment is: no trust relationship is configured between the initiator and the responder; a trust relationship k_ac is configured in advance between the initiator and the Diameter server, and a trust relationship k_bc is configured in advance between the responder and the Diameter server; the initiator and the responder interact using ISAKMP, and the responder and the Diameter server interact using Diameter-ISAKMP. Here, the initiator is the router that sends the routing message and the responder is the router that receives the routing message. This embodiment introduces a Diameter server into the ISAKMP-based extended authentication method; as shown in Fig. 4, it comprises the following steps:
Step 401: When the first routing message needs to be sent, the initiator sends an SA payload to the responder;
Step 402: The responder sends an SA payload to the initiator;
At this point, the initiator and the responder have negotiated the establishment of the ISAKMP SA.
Step 403: The initiator sends a KE payload and a NONCE payload to the responder;
Step 404: The responder sends a KE payload and a NONCE payload to the initiator;
Here, the process of steps 401~404 may be called the ISAKMP SA establishment process. Its purpose is for the initiator and the responder to negotiate cryptographic algorithms with each other, exchange NONCEs and perform the D-H exchange, etc., thereby providing a secure channel for the subsequent exchanges between the initiator and the responder; the specific processing of steps 401~404 is prior art and is not repeated here.
Step 405: Under the protection of the ISAKMP SA, the initiator sends an HDR payload and an IDii payload to the responder;
Here, the initiator leaves the AUTH payload empty, thereby informing the responder that it wishes to negotiate authentication using an EAP method.
Step 406: After receiving the KE payload and the NONCE payload, the responder sends an EAP Start message to the Diameter server according to the Diameter-EAP protocol;
Specifically, an empty EAP payload is sent in a Diameter-EAP-Request message to prompt the Diameter server.
Here, since no trust relationship is configured between the initiator and the responder, while the trust relationship k_bc is configured in advance between the responder and the Diameter server, the responder can send an EAP Start message to the Diameter server after receiving the EAP payload;
The process by which the responder and the Diameter server establish the initial connection follows the Diameter protocol, i.e. the provisions of RFC 3588; in practical application it is generally only necessary to configure the name and the trust relationship. The connection may be established as follows: the responder and the Diameter server may complete dynamic link establishment using a Domain Name System (DNS) server, or the responder and the Diameter server may establish the connection by manual configuration.
Step 407: After receiving the EAP Start message, the Diameter server encapsulates an EAP Request in an EAP payload and then returns to the responder a Diameter-EAP-Answer message containing the EAP payload;
Step 408: The responder encapsulates the received EAP Request in the EAP payload of an ISAKMP extension payload and sends it to the initiator;
Step 409: The initiator returns the corresponding EAP Response to the responder according to the received EAP Request;
Here, the EAP Response is likewise encapsulated in the EAP payload of an ISAKMP extension payload.
Step 410: The responder in turn encapsulates the received EAP Response in the EAP payload of a Diameter-EAP-Request message and sends it to the Diameter server, carrying out the EAP authentication process;
Here, the method used for EAP authentication may be an existing authentication method, such as TLS or MD5, etc.; in practical application, the method used for the EAP authentication process may be selected as needed. Depending on the authentication method used, multiple EAP payloads may need to be exchanged between the initiator and the responder; in other words, according to the authentication method used, the initiator may need to send multiple EAP payloads to the responder and, correspondingly, the responder may need to send multiple EAP payloads to the initiator; correspondingly, multiple EAP messages need to be exchanged between the Diameter server and the responder in order to complete the EAP authentication process. An EAP method capable of mutual authentication is recommended.
Step 411: When the EAP authentication process succeeds, the Diameter server encapsulates the EAP Success message and the MSK or shared key generated by the EAP authentication process in a Diameter-EAP-Answer message and sends it to the responder;
Step 412: After receiving the Diameter-EAP-Answer message, the responder returns an EAP payload to the initiator;
Here, the EAP payload is EAP Success, and the EAP authentication process has generated an MSK or a shared key.
Step 413: After receiving the EAP payload, the initiator calculates the HMAC value in the AUTH payload according to the MSK or shared key, and sends the AUTH payload to the responder for comparison with the HMAC value the responder calculates;
Step 414: The responder calculates the HMAC value in the AUTH payload according to the MSK or shared key, and sends the AUTH payload to the initiator for comparison with the HMAC value the initiator calculates.
At this point, both sides have completed ISAKMP authentication.
Embodiment three:
The application scenario of this embodiment is: no trust relationship is configured between the initiator and the responder; a trust relationship k_ac is configured in advance between the initiator and the Diameter server, a trust relationship k_bd is configured in advance between the responder and the Diameter relay server, and a trust relationship k_cd is configured in advance between the Diameter relay server and the Diameter server. No trust relationship is configured in advance between the Diameter relay server and the initiator. Here, the initiator is the router that sends the routing message and the responder is the router that receives the routing message. This embodiment introduces a Diameter relay server into the ISAKMP-based extended authentication method; as shown in Fig. 5, it comprises the following steps:
Step 501: When the first routing message needs to be sent, the initiator sends an SA payload to the responder;
Step 502: The responder sends an SA payload to the initiator;
At this point, the initiator and the responder have negotiated the establishment of the ISAKMP SA.
Step 503: The initiator sends a KE payload and a NONCE payload to the responder;
Step 504: The responder sends a KE payload and a NONCE payload to the initiator;
Here, the process of steps 501~504 may be called the ISAKMP SA establishment process. Its purpose is for the initiator and the responder to negotiate cryptographic algorithms with each other, exchange NONCEs and perform the D-H exchange, etc., thereby providing a secure channel for the subsequent exchanges between the initiator and the responder; the specific processing of steps 501~504 is prior art and is not repeated here.
Step 505: Under the protection of the ISAKMP SA, the initiator sends an HDR payload and an IDii payload to the responder;
Here, the initiator leaves the AUTH payload empty, thereby informing the responder that it wishes to negotiate authentication using an EAP method.
Step 506: After receiving the KE payload and the NONCE payload, the responder sends an EAP Start message to the Diameter relay server according to the Diameter-EAP protocol;
Specifically, an empty EAP payload is sent in a Diameter-EAP-Request message to prompt the Diameter relay server.
Here, since no trust relationship is configured between the initiator and the responder, while the trust relationship k_bd is configured in advance between the responder and the Diameter relay server, the responder can send an authentication request message to the Diameter relay server after receiving the EAP payload;
The process by which the responder and the Diameter relay server establish the initial connection follows the Diameter protocol, i.e. the provisions of RFC 3588; in practical application it is generally only necessary to configure the name and the trust relationship. The connection may be established as follows: the responder and the Diameter relay server may complete dynamic link establishment using a DNS server, or the responder and the Diameter relay server may establish the connection by manual configuration.
Step 507: The Diameter relay server forwards the EAP Start message directly to the Diameter server;
Step 508: After receiving the EAP Start message, the Diameter server encapsulates an EAP Request in an EAP payload and then returns to the Diameter relay server a Diameter-EAP-Answer message containing the EAP payload;
Step 509: After receiving the message, the Diameter relay server forwards the received Diameter-EAP-Answer message containing the EAP payload to the responder;
Step 510: The responder encapsulates the received EAP Request in the EAP payload of an ISAKMP extension payload and sends it to the initiator;
Step 511: The initiator returns the corresponding EAP Response to the responder according to the received EAP Request;
Here, the EAP Response is likewise encapsulated in the EAP payload of an ISAKMP extension payload.
Step 512: The responder encapsulates the received EAP Response in the EAP payload of a Diameter-EAP-Request message and sends it to the Diameter relay server;
Step 513: The Diameter relay server forwards the received EAP Response to the Diameter server, carrying out the EAP authentication process;
Here, the method used for EAP authentication may be an existing authentication method, such as TLS or MD5, etc.; in practical application, the method used for the EAP authentication process may be selected as needed. Depending on the authentication method used, multiple EAP payloads may need to be exchanged between the initiator and the responder; in other words, according to the authentication method used, the initiator may need to send multiple EAP payloads to the responder and, correspondingly, the responder may need to send multiple EAP payloads to the initiator; correspondingly, multiple EAP messages need to be exchanged between the Diameter relay server and the responder, and likewise between the Diameter relay server and the Diameter server, in order to complete the EAP authentication process. An EAP method capable of mutual authentication is recommended.
Step 514: When the EAP authentication process succeeds, the Diameter server encapsulates the EAP Success message and the MSK or shared key generated by the EAP authentication process in a Diameter-EAP-Answer message and sends it to the Diameter relay server;
Step 515: After receiving the Diameter-EAP-Answer message, the Diameter relay server forwards the received Diameter-EAP-Answer message to the responder;
Step 516: After receiving the Diameter-EAP-Answer message, the responder returns an EAP payload to the initiator;
Here, the EAP payload is EAP Success, and the EAP authentication process has generated an MSK or a shared key.
Step 517: After receiving the EAP payload, the initiator calculates the HMAC value in the AUTH payload according to the MSK or shared key, and sends the AUTH payload to the responder for comparison with the HMAC value the responder calculates;
Step 518: The responder calculates the HMAC value in the AUTH payload according to the MSK or shared key, and sends the AUTH payload to the initiator for comparison with the HMAC value the initiator calculates.
Here, the definitions and functions of the messages in this embodiment are identical to the definitions and functions of the messages in embodiment two.
At this point, both sides have completed ISAKMP authentication.
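The identity-protection exchange of steps 201~206 and the three embodiments above, driven end to end as an added Python simulation; this is not code from the patent or from ZTE. It assumes EAP-MD5-Challenge (RFC 3748) as the EAP method, a toy Diffie-Hellman group, constructed router identities and secrets k_ab / k_ac, and an HMAC-SHA256 AUTH over the identity payload and both nonces, all of which are marked as assumptions in the comments.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Toy Diffie-Hellman group, constructed for this example only; a real ISAKMP SA
# negotiates the group in the SA payload and uses far larger parameters.
P = (1 << 127) - 1
G = 5


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """One-time shared key of this session (KE/NONCE steps 303~304, 403~404, 503~504)."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def md5_challenge_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5-Challenge (RFC 3748 section 5.4): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


@dataclass
class EapServer:
    """Holds the EAP secret shared with the initiator: the responder itself with
    k_ab (embodiment one), or the Diameter server with k_ac reached through the
    responder acting as pass-through (embodiments two and three)."""
    secret: bytes
    ident: int = 1
    challenge: bytes = field(default_factory=lambda: os.urandom(16))

    def start(self) -> dict:
        # The responder's EAP Start is answered with an EAP Request/MD5-Challenge.
        return {"code": "Request", "id": self.ident, "challenge": self.challenge}

    def finish(self, resp: dict) -> dict:
        expected = md5_challenge_response(self.ident, self.secret, self.challenge)
        ok = (resp["code"] == "Response" and resp["id"] == self.ident
              and hmac.compare_digest(resp["value"], expected))
        # MD5-Challenge derives no keys (RFC 3748), so no MSK is returned and both
        # peers fall back to the session's shared key when keying AUTH.
        return {"code": "Success" if ok else "Failure", "msk": None}


class DiameterRelay:
    """Embodiment three: relays Diameter-EAP messages unchanged between the
    responder (trust k_bd) and the Diameter server (trust k_cd)."""

    def __init__(self, next_hop):
        self.next_hop = next_hop

    def start(self) -> dict:
        return self.next_hop.start()

    def finish(self, resp: dict) -> dict:
        return self.next_hop.finish(resp)


def auth_key(msk: Optional[bytes], shared: bytes) -> bytes:
    """Step 102: key AUTH with the MSK when the EAP method produced one,
    otherwise with the one-time shared key of this session."""
    return msk if msk is not None else shared


def auth_payload(key: bytes, identity: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    # HMAC over the identity payload and both nonces; these inputs are a constructed
    # choice, since the page leaves the AUTH computation itself to prior art.
    return hmac.new(key, identity + nonce_i + nonce_r, hashlib.sha256).digest()


def run_exchange(initiator_secret: bytes, eap_backend) -> dict:
    """Drive the EAP-extended Identity Protection Exchange end to end."""
    # SA / KE / NONCE payloads in both directions: ISAKMP SA establishment.
    priv_i = int.from_bytes(os.urandom(16), "big")
    priv_r = int.from_bytes(os.urandom(16), "big")
    nonce_i, nonce_r = os.urandom(16), os.urandom(16)
    shared_i = dh_shared(priv_i, dh_public(priv_r))  # initiator's view
    shared_r = dh_shared(priv_r, dh_public(priv_i))  # responder's view
    idii, idir = b"IDii:router-a", b"IDir:router-b"  # constructed identities
    # IDii goes to the responder with an empty AUTH payload: "authenticate with EAP".
    # The responder (locally or via Diameter) issues the EAP Request; the initiator
    # answers with an EAP Response computed from its own copy of the secret.
    req = eap_backend.start()
    resp = {"code": "Response", "id": req["id"],
            "value": md5_challenge_response(req["id"], initiator_secret, req["challenge"])}
    result = eap_backend.finish(resp)  # EAP Success/Failure, plus MSK if any
    if result["code"] != "Success":
        return {"eap": "Failure", "isakmp_auth": False}
    # Both sides key AUTH from the MSK or shared key, exchange it and compare HMACs.
    k_i = auth_key(result["msk"], shared_i)
    k_r = auth_key(result["msk"], shared_r)
    auth_i = auth_payload(k_i, idii, nonce_i, nonce_r)  # initiator -> responder
    auth_r = auth_payload(k_r, idir, nonce_i, nonce_r)  # responder -> initiator
    ok = (hmac.compare_digest(auth_i, auth_payload(k_r, idii, nonce_i, nonce_r))
          and hmac.compare_digest(auth_r, auth_payload(k_i, idir, nonce_i, nonce_r)))
    return {"eap": "Success", "isakmp_auth": ok}


if __name__ == "__main__":
    k_ab, k_ac = b"k_ab-constructed", b"k_ac-constructed"
    print(run_exchange(k_ab, EapServer(k_ab)))                  # embodiment one
    print(run_exchange(k_ac, DiameterRelay(EapServer(k_ac))))   # embodiment three
```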
To implement the above method, the present invention also provides an extended authentication system based on ISAKMP; as shown in Fig. 6, the system comprises a first routing device 61 and a second routing device 62, wherein:
The first routing device 61 is configured to negotiate with the second routing device 62 to authenticate using EAP when the first routing message needs to be sent; and, after EAP authentication succeeds, to calculate the value of the AUTH payload according to the MSK or shared key generated by the EAP process and send the AUTH payload to the second routing device 62, completing authentication in ISAKMP;
The second routing device 62 is configured to negotiate with the first routing device 61 to authenticate using EAP; and, after EAP authentication succeeds, to calculate the value of the AUTH payload according to the MSK or shared key generated by the EAP process and send the AUTH payload to the first routing device 61, completing authentication in ISAKMP.
It should be noted that the first routing device 61 is the routing device acting as the initiator and the second routing device 62 is the routing device acting as the responder; here, the initiator is the routing device that initiates a message, and the responder is the routing device that feeds back a message to the initiator.
When the first routing device 61 and the second routing device 62 negotiate to authenticate using EAP, no trust relationship is configured between the first routing device 61 and the second routing device 62, and both the first routing device 61 and the second routing device 62 have a trust relationship configured in advance with a Diameter server, the system may further comprise a first Diameter server, configured to, after receiving the EAP Start message sent by the second routing device 62, carry out EAP authentication information exchange with the second routing device 62, so that the EAP authentication process between the first routing device 61 and the second routing device 62 is carried out via the Diameter server, and, after the EAP authentication process succeeds, send the generated MSK or shared key to the second routing device 62;
The second routing device 62 is further configured to send an EAP Start message to the first Diameter server according to the Diameter-EAP protocol, to carry out EAP authentication information exchange with the first Diameter server so that the EAP authentication process between the first routing device 61 and the second routing device 62 is carried out via the first Diameter server, and to receive the generated MSK or shared key sent by the first Diameter server.
When the first routing device 61 and the second routing device 62 negotiate to authenticate using EAP, no trust relationship is configured between the first routing device 61 and the second routing device 62, and a trust relationship is established between the first routing device 61 and the second routing device 62 via two or more Diameter servers, the system further comprises a second Diameter server, configured to, after receiving the EAP Start message sent by the second routing device 62, forward the EAP Start message to the first Diameter server; to carry out EAP authentication information exchange with the first Diameter server, so that the EAP authentication process between the first routing device 61 and the second routing device 62 is carried out via the first Diameter server and the second Diameter server; and to send the generated MSK or shared key received from the first Diameter server to the second routing device 62;
The first Diameter server is further configured to, after receiving the EAP Start message sent by the second Diameter server, carry out EAP authentication information exchange with the second Diameter server, so that the EAP authentication process between the first routing device 61 and the second routing device 62 is carried out via the first Diameter server and the second Diameter server, and, after the EAP authentication process succeeds, send the generated MSK or shared key to the second Diameter server;
The second routing device 62 is further configured to send an EAP Start message to the second Diameter server according to the Diameter-EAP protocol, and to receive the generated MSK or shared key sent by the second Diameter server.
It should be noted that the number of second Diameter servers may be more than one.
Here, the specific processing of the first router, the second router, the first Diameter server and the second Diameter server in the system of the present invention has been described in detail above and is not repeated.
The above is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention.

Claims (13)

1. An extended authentication method based on the Internet Security Association and Key Management Protocol (ISAKMP), characterised in that the method comprises:
when the first routing message needs to be sent, an initiator negotiates with a responder to authenticate using the Extensible Authentication Protocol (EAP);
after the EAP authentication process succeeds, the initiator and the responder calculate the keyed-hash message authentication code (HMAC) value in an AUTH payload according to the master session key (MSK) or shared key generated by the EAP process, and send the AUTH payload to the other party, completing authentication in ISAKMP;
wherein the ISAKMP comprises four exchange types: the Base Exchange, the Identity Protection Exchange, the Authentication Only Exchange and the Aggressive Exchange.
2. The method according to claim 1, characterised in that the initiator negotiating with the responder to authenticate using EAP comprises:
the initiator sends to the responder an EAP message that does not include an AUTH payload;
after receiving the EAP message, the responder sends an EAP Request to the initiator via an EAP payload;
after receiving the EAP Request, the initiator sends an EAP Response to the responder via an EAP payload and carries out the EAP authentication process with the responder.
3. The method according to claim 2, characterised in that, before the initiator sends the EAP message to the responder, the method further comprises:
the initiator carries out an initial security association (SA) establishment process with the responder.
4. The method according to claim 1, 2 or 3, characterised in that, when the initiator and the responder negotiate to authenticate using EAP, no trust relationship is configured between the initiator and the responder, and both the initiator and the responder have a trust relationship configured in advance with a Diameter server, the method further comprises:
the responder sends an EAP Start message to the Diameter server according to the Diameter-EAP protocol;
after receiving the EAP Start message, the Diameter server carries out EAP authentication information exchange with the responder, so that the EAP authentication process between the initiator and the responder is carried out via the Diameter server, and, after the EAP authentication process succeeds, sends the generated MSK or shared key to the responder.
5. The method according to claim 4, characterised in that the responder sending the EAP Start message to the Diameter server according to the Diameter-EAP protocol is:
the responder sends to the Diameter server a Diameter-EAP-Request message containing an empty EAP payload;
and that the initiator carrying out EAP authentication information exchange with the responder, so that the EAP authentication process between the initiator and the responder is carried out via the Diameter server, is:
the Diameter server encapsulates the EAP Request in an EAP payload and then returns to the responder a Diameter-EAP-Answer message containing the EAP payload;
the responder encapsulates the received EAP Request in the EAP payload of an ISAKMP extension payload and sends it to the initiator;
the initiator returns the corresponding EAP Response to the responder according to the received EAP Request;
the responder encapsulates the received EAP Response in the EAP payload of a Diameter-EAP-Request message and sends it to the Diameter server, and so on, until the Diameter server confirms that the EAP authentication process has ended.
6. The method according to claim 5, characterised in that, before the responder calculates the HMAC value in the AUTH payload according to the MSK or shared key generated by the EAP process, the method further comprises:
after the EAP authentication process succeeds, the Diameter server sends the EAP Success message and the MSK or shared key generated by the EAP authentication process to the responder.
7. The method according to claim 1, 2 or 3, characterised in that, when the initiator and the responder negotiate to authenticate using EAP, no trust relationship is configured between the initiator and the responder, and a trust relationship is established between the initiator and the responder via two or more Diameter servers, the method further comprises:
the responder sends an EAP Start message to a Diameter relay server according to the Diameter-EAP protocol;
the Diameter relay server forwards the EAP Start message to the Diameter server;
after receiving the EAP Start message, the Diameter server carries out EAP authentication information exchange with the Diameter relay server, so that the EAP authentication process between the initiator and the responder is carried out via the Diameter server and the Diameter relay server, and, after the EAP authentication process succeeds, sends the generated MSK or shared key to the Diameter relay server; the Diameter relay server sends the received MSK or shared key to the responder.
8. The method according to claim 7, characterised in that the responder sending the EAP Start message to the Diameter server according to the Diameter-EAP protocol is:
the responder sends to the Diameter server a Diameter-EAP-Request message containing an empty EAP payload;
and that carrying out EAP authentication information exchange with the Diameter relay server, so that the EAP authentication process between the initiator and the responder is carried out via the Diameter server and the Diameter relay server, is:
the Diameter server encapsulates the EAP Request in an EAP payload and then returns to the Diameter relay server a Diameter-EAP-Answer message containing the EAP payload;
the Diameter relay server forwards the received Diameter-EAP-Answer message containing the EAP payload to the responder;
the responder encapsulates the received EAP Request in the EAP payload of an ISAKMP extension payload and sends it to the initiator;
the initiator returns the corresponding EAP Response to the responder according to the received EAP Request;
the responder encapsulates the received EAP Response in the EAP payload of a Diameter-EAP-Request message and sends it to the Diameter relay server;
the Diameter relay server forwards the received EAP Response to the Diameter server, and so on, until the Diameter server confirms that the EAP authentication process has ended.
9. The method according to claim 8, characterised in that, before the responder calculates the HMAC value in the AUTH payload according to the MSK or shared key generated by the EAP process, the method further comprises:
after the EAP authentication process succeeds, the Diameter server sends the EAP Success message and the MSK or shared key generated by the EAP authentication process to the Diameter relay server;
the Diameter relay server forwards the received EAP Success message and the MSK or shared key generated by the EAP authentication process to the responder.
10. a kind of extended authentication system based on ISAKMP, it is characterised in that the system includes:The first router and the second tunnel By device;Wherein,
The first router, for needing to send during first route messages, consults to be recognized using EAP with secondary route equipment Card;And after EAP authentication success, according to the MSK or shared key of the generation of EAP processes, calculate the value of AUTH load, and to second Routing device sends AUTH load, and certification is completed in ISAKMP;
The second router, for consulting to be authenticated using EAP with first routing device;And after EAP authentication success, foundation The MSK or shared key of EAP processes generation, calculate the value of AUTH load, and send AUTH load to first routing device, Certification is completed in ISAKMP;
The ISAKMP includes basic exchange, only identity protection exchange, authenticated exchange and four kinds of exchange classes of exchange of keeping forging ahead Type.
11. system according to claim 10, it is characterised in that when between first routing device and secondary route equipment Negotiation is using EAP when being authenticated, and when not configuring trusting relationship between first routing device and secondary route equipment, and first Routing device and secondary route equipment are between Diameter server during prior configured trusting relationship, and the system is further Including:After first Diameter server, the EAP Start message for receiving the transmission of secondary route equipment, with secondary route Equipment carries out EAP authentication information exchange, so as to pass through Diameter server between first routing device and secondary route equipment EAP authentication process is carried out, and after the success of EAP authentication process, the MSK or shared key of generation is sent to secondary route and set It is standby;
The secondary route equipment, is additionally operable to, according to Diameter-EAP agreements, EAP be sent to the first Diameter server Start message, carries out EAP authentication information exchange, so that first routing device and secondary route with the first Diameter server EAP authentication process is carried out by the first Diameter server between equipment, and receives what the first Diameter server was sent The MSK or shared key of generation.
12. The system according to claim 11, characterized in that, when the first routing device and the second routing device negotiate to authenticate using EAP, no trust relationship is configured between the first routing device and the second routing device, and the trust relationship between the first routing device and the second routing device is established through two or more Diameter servers, the system further comprises: a second Diameter server, configured to, after receiving the EAP Start message sent by the second routing device, forward the EAP Start message to the first Diameter server; to perform the EAP authentication information exchange with the first Diameter server, so that the EAP authentication process between the first routing device and the second routing device is carried out via the first Diameter server and the second Diameter server; and to send the generated MSK or shared key received from the first Diameter server to the second routing device;
the first Diameter server is further configured to, after receiving the EAP Start message sent by the second Diameter server, perform the EAP authentication information exchange with the second Diameter server, so that the EAP authentication process between the first routing device and the second routing device is carried out via the first Diameter server and the second Diameter server, and, after the EAP authentication process succeeds, send the generated MSK or shared key to the second Diameter server;
the second routing device is further configured to send the EAP Start message to the second Diameter server according to the Diameter-EAP protocol and to receive the generated MSK or shared key sent by the second Diameter server.
13. The system according to claim 12, characterized in that the number of second Diameter servers is one or more.
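The exchange that claims 11 to 13 describe, as an added simulation that is not part of the patent or of any ZTE implementation: the second routing device (EAP authenticator) sends an EAP Start to its Diameter server, the EAP messages are relayed between the first routing device (EAP peer) and the Diameter-EAP server through zero or more proxying Diameter servers, the MSK comes back to the second routing device in the successful answer, and both routing devices then compute and verify an HMAC-keyed AUTH payload with their copy of the MSK. Everything concrete here is an assumption of the example: the class and function names, the Diameter-EAP-Request/Answer messages modelled as dicts (the "msk" key stands for the EAP-Master-Session-Key AVP), and the EAP method, which is a constructed HMAC challenge-response standing in for whatever real method is negotiated. A rejected credential is included so the failure path is visible.

```python
"""Simulation of the EAP-over-Diameter authentication of claims 11 to 13.

Roles (class names are this example's own, not the patent's):
  Initiator      first routing device, the EAP peer
  Responder      second routing device, the EAP authenticator that relays
                 EAP between the initiator and its Diameter server
  DiameterServer Diameter-EAP server; one with `upstream` set only proxies
                 (the "second Diameter server" of claim 12)
Diameter-EAP-Request/Answer (DER/DEA) messages are modelled as dicts; the
"msk" key stands for the EAP-Master-Session-Key AVP of a successful DEA.
The EAP method is a constructed HMAC challenge-response; the patent does not
fix which EAP method is used, so this is only a stand-in.
"""
import hashlib
import hmac
import os

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
DIAMETER_MULTI_ROUND_AUTH = 1001          # RFC 6733 Result-Code values
DIAMETER_SUCCESS = 2001
DIAMETER_AUTHENTICATION_REJECTED = 4001


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256, used inside the stand-in EAP method and for the AUTH payload."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Initiator:
    """EAP peer: answers the challenge and derives the MSK from its own credential."""

    def __init__(self, identity: bytes, credential: bytes):
        self.identity, self.credential, self.msk = identity, credential, None

    def eap_response(self, request: dict) -> dict:
        nonce = request["challenge"]
        self.msk = prf(self.credential, b"MSK", nonce)   # same derivation as the home server
        return {"code": EAP_RESPONSE, "identity": self.identity,
                "proof": prf(self.credential, nonce, self.identity)}


class DiameterServer:
    """Home server when it holds credentials; pure proxy when `upstream` is set."""

    def __init__(self, credentials=None, upstream=None):
        self.credentials, self.upstream, self.pending = credentials or {}, upstream, {}

    def handle_der(self, der: dict) -> dict:
        if self.upstream is not None:           # claim 12: forward the DER, relay the DEA (MSK included)
            return self.upstream.handle_der(der)
        eap = der["eap_payload"]
        if eap is None:                         # EAP Start: DER with an empty EAP-Payload
            challenge = os.urandom(16)
            self.pending[der["session"]] = challenge
            return {"result": DIAMETER_MULTI_ROUND_AUTH,
                    "eap_payload": {"code": EAP_REQUEST, "challenge": challenge}}
        nonce = self.pending.pop(der["session"], None)
        cred = self.credentials.get(eap.get("identity"))
        if nonce is None or cred is None or not hmac.compare_digest(
                eap["proof"], prf(cred, nonce, eap["identity"])):
            return {"result": DIAMETER_AUTHENTICATION_REJECTED,
                    "eap_payload": {"code": EAP_FAILURE}}
        return {"result": DIAMETER_SUCCESS, "eap_payload": {"code": EAP_SUCCESS},
                "msk": prf(cred, b"MSK", nonce)}


class Responder:
    """EAP authenticator: never sees the credential, receives the MSK in the final DEA."""

    def __init__(self, server: DiameterServer):
        self.server, self.msk = server, None

    def run_eap(self, peer: Initiator) -> bool:
        session = os.urandom(8).hex()
        dea = self.server.handle_der({"session": session, "eap_payload": None})  # EAP Start
        while dea["eap_payload"]["code"] == EAP_REQUEST:
            resp = peer.eap_response(dea["eap_payload"])    # EAP carried inside ISAKMP messages
            dea = self.server.handle_der({"session": session, "eap_payload": resp})
        if dea["result"] != DIAMETER_SUCCESS:
            return False
        self.msk = dea["msk"]
        return True


def auth_payload(msk: bytes, signed_octets: bytes) -> bytes:
    """AUTH payload value: HMAC over the octets being authenticated, keyed with the MSK."""
    return prf(msk, signed_octets)


def isakmp_eap_auth(initiator: Initiator, responder: Responder,
                    msg_i: bytes, msg_r: bytes) -> bool:
    """EAP over Diameter first, then each side checks the other's AUTH with its MSK copy."""
    if not responder.run_eap(initiator):
        return False
    auth_i = auth_payload(initiator.msk, msg_i)        # sent by the initiator
    auth_r = auth_payload(responder.msk, msg_r)        # sent by the responder
    return (hmac.compare_digest(auth_i, auth_payload(responder.msk, msg_i))
            and hmac.compare_digest(auth_r, auth_payload(initiator.msk, msg_r)))


def build_scenario(proxies: int, credential: bytes = b"example-psk"):
    """Home server plus `proxies` chained proxy servers (0 = claim 11, 1 or more = claims 12/13)."""
    server = DiameterServer({b"router-a": credential})
    for _ in range(proxies):
        server = DiameterServer(upstream=server)
    return Initiator(b"router-a", credential), Responder(server)


if __name__ == "__main__":
    for n in (0, 1, 2):
        ini, rsp = build_scenario(n)
        print(n, "proxy server(s):", isakmp_eap_auth(ini, rsp, b"ISAKMP msg I", b"ISAKMP msg R"))
```

The point the simulation makes explicit is the trust boundary of the claims: the second routing device holds no credential for its peer and obtains the MSK only from the Diameter server it already trusts, while the first routing device derives the same MSK from the EAP method itself; the AUTH check then succeeds only if both ends hold the same key, and a proxying Diameter server changes nothing in that check.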
CN201110213510.3A 2011-07-28 2011-07-28 A kind of extended authentication method and system based on ISAKMP Active CN102904861B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110213510.3A CN102904861B (en) 2011-07-28 2011-07-28 A kind of extended authentication method and system based on ISAKMP

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110213510.3A CN102904861B (en) 2011-07-28 2011-07-28 A kind of extended authentication method and system based on ISAKMP

Publications (2)

Publication Number Publication Date
CN102904861A CN102904861A (en) 2013-01-30
CN102904861B true CN102904861B (en) 2017-10-03

Family

ID=47576903

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110213510.3A Active CN102904861B (en) 2011-07-28 2011-07-28 A kind of extended authentication method and system based on ISAKMP

Country Status (1)

Country Link
CN (1) CN102904861B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111130775A (en) * 2019-12-27 2020-05-08 广东电网有限责任公司电力科学研究院 Key negotiation method, device and equipment
CN112804268A (en) * 2021-04-13 2021-05-14 北京太一星晨信息技术有限公司 Synchronization method, first device, second device and synchronization system

Citations (1)

Publication number Priority date Publication date Assignee Title
CN101594231A (en) * 2008-05-27 2009-12-02 北京飞天诚信科技有限公司 A kind of method and system based on the EAP authentication

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US8625787B2 (en) * 2010-01-14 2014-01-07 Alcatel Lucent Hierarchical key management for secure communications in multimedia communication system

Non-Patent Citations (2)

Title
Security issues of the IKE protocol; Chen Zhongliang (陈忠良); Journal of Zhejiang University (《浙江大学学报》); 2002-05-31; vol. 36, no. 3; pp. 1-2 of the text *
Research on IKEv2 based on an extended authentication mechanism; Gu Lei (谷雷); China Master's Theses Full-text Database, electronic journal (《中国优秀硕士论文电子期刊网》); 2008-08-15; full text *

Also Published As

Publication number Publication date
CN102904861A (en) 2013-01-30

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20201229

Address after: 224300 Sheyang port, Sheyang County, Yancheng City, Jiangsu Province

Patentee after: No.2 shrimp culture company, Sheyang port, Sheyang County

Address before: 518057 Legal Affairs Department, ZTE Building, South Science and Technology Road, Nanshan District Hi-Tech Industrial Park, Shenzhen, Guangdong

Patentee before: ZTE Corp.