CN102904861B - Extended authentication method and system based on ISAKMP - Google Patents
Publication number: CN102904861B (application CN201110213510.3A)
Authority: CN (China)
Prior art keywords: EAP, responder, Diameter, initiator, payload
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classification landscapes: Data Exchanges In Wide-Area Networks (AREA); Information Transfer Between Computers (AREA)
Abstract
The invention discloses an extended authentication method based on the Internet Security Association and Key Management Protocol (ISAKMP). When the first routing message needs to be sent, the initiator and the responder negotiate to authenticate with the Extensible Authentication Protocol (EAP). After the EAP authentication succeeds, the initiator and the responder use the master session key (MSK) or shared key produced by the EAP run to compute the keyed-hash message authentication code (HMAC) value carried in the AUTH payload, and each sends its AUTH payload to the other side, completing authentication within ISAKMP. The invention also discloses an extended authentication system based on ISAKMP. With this method and system the authentication method used within ISAKMP can be chosen flexibly, so that ISAKMP can keep pace with the development of modern authentication techniques.
Description
Technical field
The present invention relates to key management and authentication techniques for routing devices in communication networks, and in particular to an extended authentication method and system based on the Internet Security Association and Key Management Protocol (ISAKMP).
Background technology
The Internet has become indispensable infrastructure of modern society and plays a very important role in politics, the economy and people's livelihood. Once the Internet is damaged or attacked, serious harm and consequences follow, so network security receives wide public attention. The core equipment of the Internet is the routing device. Securing routing devices is an important aspect of network security, and within the security mechanisms of routing devices (including the routing protocols they run) key management and authentication are an extremely important part. Here the Internet means Internet Protocol (IP) networks. At present the Keying and Authentication for Routing Protocols (KARP) working group and the Secure Inter-Domain Routing (SIDR) working group of the Internet Engineering Task Force (IETF, the global organization that develops standards for the Internet architecture and its protocols) are researching this area, and it has been proposed to extend ISAKMP for the key management and authentication of routing devices (including routing protocols).
The basic idea and process of ISAKMP authentication is as follows. The two authenticating parties first negotiate a security association (SA), the ISAKMP SA. The SA is a set of keying material that includes the hash algorithm or signature algorithm to use, the encryption algorithm, the authentication algorithm and the group information for the Diffie-Hellman exchange. The two parties then apply the negotiated hash or signature algorithm to part of the transmitted messages and/or the ISAKMP state to compute a keyed-hash message authentication code (HMAC), write this HMAC into the AUTH payload and send it to the other side, which completes message and identity authentication. Here "part of the transmitted messages" means the SA parameters or the authentication parameters, and the input key for the HMAC is either a pre-configured shared key (pre-shared key) or a key computed through a key exchange such as the Diffie-Hellman exchange.
However, in the prior art the ISAKMP authentication mode is limited in the following respects.
First, the range of authentication mechanisms is limited. Because only a plain hash algorithm or signature algorithm can be used to generate the HMAC and complete the authentication, newer authentication methods such as Transport Layer Security (TLS) authentication cannot be used. This restricts the freedom of routing devices to choose an authentication mechanism, so they cannot keep pace with the development of modern authentication techniques.
Second, configuration is complex. The ISAKMP authentication mechanism requires a trust relationship, such as a pre-shared key or a digital certificate, to be configured between routing devices in advance. Configuring trust relationships on routing devices is very laborious and in some cases cannot be completed at all. For example, if a local network has n routing devices and a trust relationship is configured between every pair of them, n(n-1)/2 trust relationships are needed; when the local network is large, that is, when there are many routing devices, the configuration workload becomes enormous. Moreover, if two routing devices belong to different operators, pre-configuring a trust relationship between them is difficult. Further, across the whole Internet it is impossible to configure pairwise trust relationships between routing devices.
Third, three-party authentication techniques cannot be used. ISAKMP defines a two-party authentication technique that requires a trust relationship to be pre-configured between the routing devices. In practice, pre-configuring pairwise trust relationships between routing devices is often impossible, especially when the devices belong to different network domains. Because ISAKMP defines no three-party authentication mechanism, it cannot handle well the case where no trust relationship has been pre-configured between routing devices.
Fourth, it is unfavourable to long-term key updates and to adding or removing routing devices. When a routing device needs to update its shared key, all related routing devices must update the key as well; this workload is enormous and affects the other routing devices. When a routing device is added to the network, all related routing devices must add the security material for the new device, again with enormous workload and impact on the other devices. When a routing device is removed, its security material must be deleted on all related routing devices, with the same workload and impact.
The content of the invention
In view of this, the main object of the present invention is to provide an extended authentication method and system based on ISAKMP, so that the authentication method can be chosen flexibly within ISAKMP and ISAKMP can keep pace with the development of modern authentication techniques.
To achieve the above object, the technical solution of the invention is as follows.
The invention provides an extended authentication method based on ISAKMP, comprising:
when the first routing message needs to be sent, the initiator and the responder negotiate to authenticate with the Extensible Authentication Protocol (EAP);
after the EAP authentication succeeds, the initiator and the responder use the master session key (MSK) or shared key produced by the EAP run to compute the HMAC value in the AUTH payload, and each sends its AUTH payload to the other side, completing authentication within ISAKMP.
In the above solution, the initiator and the responder negotiating to authenticate with EAP comprises:
the initiator sends the responder an EAP message that contains no AUTH payload;
on receiving the EAP message, the responder sends an EAP Request to the initiator in an EAP payload;
on receiving the EAP Request, the initiator sends an EAP Response to the responder in an EAP payload and carries out the EAP authentication with the responder.
In the above solution, before the initiator sends the EAP message to the responder, the method further comprises: the initiator and the responder carry out the initial SA establishment.
In the above solution, when the initiator and the responder have negotiated EAP authentication, no trust relationship is configured between the initiator and the responder, and both the initiator and the responder have a trust relationship pre-configured with a Diameter server, the method further comprises:
the responder sends an EAP Start message to the Diameter server according to the Diameter-EAP protocol;
on receiving the EAP Start message, the Diameter server exchanges EAP authentication information with the responder, so that the EAP authentication between the initiator and the responder is carried out through the Diameter server, and after the EAP authentication succeeds the Diameter server sends the generated MSK or shared key to the responder.
In the above solution, the responder sending the EAP Start message to the Diameter server according to the Diameter-EAP protocol means: the responder sends the Diameter server a Diameter-EAP-Request message containing an empty EAP payload.
The initiator exchanging EAP authentication information with the responder, so that the EAP authentication between the initiator and the responder is carried out through the Diameter server, means:
the Diameter server encapsulates an EAP Request in an EAP payload and returns a Diameter-EAP-Answer message containing that EAP payload to the responder;
the responder encapsulates the received EAP Request in the EAP payload of an ISAKMP extension payload and sends it to the initiator;
the initiator returns the corresponding EAP Response to the responder according to the received EAP Request;
the responder encapsulates the received EAP Response in the EAP payload of a Diameter-EAP-Request message and sends it to the Diameter server; and so on, until the Diameter server confirms that the EAP authentication has finished.
In the above solution, before the responder computes the HMAC value in the AUTH payload from the MSK or shared key produced by the EAP run, the method further comprises: after the EAP authentication succeeds, the Diameter server sends the EAP Success message and the MSK or shared key produced by the EAP authentication to the responder.
In the above solution, when the initiator and the responder have negotiated EAP authentication, no trust relationship is configured between the initiator and the responder, and the trust relationship between the initiator and the responder is established through two or more Diameter servers, the method further comprises:
the responder sends an EAP Start message to a Diameter relay server according to the Diameter-EAP protocol;
the Diameter relay server forwards the EAP Start message to the Diameter server;
on receiving the EAP Start message, the Diameter server exchanges EAP authentication information with the Diameter relay server, so that the EAP authentication between the initiator and the responder is carried out through the Diameter server and the Diameter relay server, and after the EAP authentication succeeds the Diameter server sends the generated MSK or shared key to the Diameter relay server; the Diameter relay server sends the received MSK or shared key to the responder.
In the above solution, the responder sending the EAP Start message according to the Diameter-EAP protocol means: the responder sends the Diameter relay server a Diameter-EAP-Request message containing an empty EAP payload, which the relay forwards to the Diameter server.
Exchanging EAP authentication information with the Diameter relay server, so that the EAP authentication between the initiator and the responder is carried out through the Diameter server and the Diameter relay server, means:
the Diameter server encapsulates an EAP Request in an EAP payload and returns a Diameter-EAP-Answer message containing that EAP payload to the Diameter relay server;
the Diameter relay server forwards the received Diameter-EAP-Answer message containing the EAP payload to the responder;
the responder encapsulates the received EAP Request in the EAP payload of an ISAKMP extension payload and sends it to the initiator;
the initiator returns the corresponding EAP Response to the responder according to the received EAP Request;
the responder encapsulates the received EAP Response in the EAP payload of a Diameter-EAP-Request message and sends it to the Diameter relay server;
the Diameter relay server forwards the received EAP Response to the Diameter server; and so on, until the Diameter server confirms that the EAP authentication has finished.
In the above solution, before the responder computes the HMAC value in the AUTH payload from the MSK or shared key produced by the EAP run, the method further comprises:
after the EAP authentication succeeds, the Diameter server sends the EAP Success message and the MSK or shared key produced by the EAP authentication to the Diameter relay server;
the Diameter relay server forwards the received EAP Success message and the MSK or shared key produced by the EAP authentication to the responder.
The invention also provides an extended authentication system based on ISAKMP, comprising a first routing device and a second routing device, wherein:
the first routing device is configured, when the first routing message needs to be sent, to negotiate EAP authentication with the second routing device, and, after the EAP authentication succeeds, to compute the value of the AUTH payload from the MSK or shared key produced by the EAP run and send the AUTH payload to the second routing device, completing authentication within ISAKMP;
the second routing device is configured to negotiate EAP authentication with the first routing device, and, after the EAP authentication succeeds, to compute the value of the AUTH payload from the MSK or shared key produced by the EAP run and send the AUTH payload to the first routing device, completing authentication within ISAKMP.
In the above solution, when the first and second routing devices have negotiated EAP authentication, no trust relationship is configured between them, and both have a trust relationship pre-configured with a Diameter server, the system further comprises a first Diameter server configured, on receiving the EAP Start message sent by the second routing device, to exchange EAP authentication information with the second routing device so that the EAP authentication between the first and second routing devices is carried out through the Diameter server, and, after the EAP authentication succeeds, to send the generated MSK or shared key to the second routing device;
the second routing device is further configured to send the EAP Start message to the first Diameter server according to the Diameter-EAP protocol, to exchange EAP authentication information with the first Diameter server so that the EAP authentication between the first and second routing devices is carried out through the first Diameter server, and to receive the generated MSK or shared key sent by the first Diameter server.
In the above solution, when the first and second routing devices have negotiated EAP authentication, no trust relationship is configured between them, and the trust relationship between the first and second routing devices is established through two or more Diameter servers, the system further comprises a second Diameter server configured, on receiving the EAP Start message sent by the second routing device, to forward the EAP Start message to the first Diameter server; to exchange EAP authentication information with the first Diameter server so that the EAP authentication between the first and second routing devices is carried out through the first Diameter server and the second Diameter server; and to send the generated MSK or shared key received from the first Diameter server to the second routing device;
the first Diameter server is further configured, on receiving the EAP Start message forwarded by the second Diameter server, to exchange EAP authentication information with the second Diameter server so that the EAP authentication between the first and second routing devices is carried out through the first Diameter server and the second Diameter server, and, after the EAP authentication succeeds, to send the generated MSK or shared key to the second Diameter server;
the second routing device is further configured to send the EAP Start message to the second Diameter server according to the Diameter-EAP protocol and to receive the generated MSK or shared key sent by the second Diameter server.
In the above solution, there may be more than one second Diameter server.
In the extended authentication method and system based on ISAKMP provided by the invention, when the first routing message needs to be sent, the initiator and the responder negotiate EAP authentication; after the EAP authentication succeeds, the initiator and the responder compute the HMAC value in the AUTH payload from the MSK or shared key produced by the EAP run and send the AUTH payload to each other, completing authentication within ISAKMP. During the EAP authentication the initiator and the responder can choose the authentication method as needed, which makes the authentication mechanism flexible and lets it keep pace with the development of modern authentication techniques.
In addition, when EAP authentication has been negotiated, no trust relationship is configured between the initiator and the responder, and both have a trust relationship pre-configured with a Diameter server, the responder sends an EAP Start message to the Diameter server according to the Diameter-EAP protocol; on receiving it, the Diameter server exchanges EAP authentication information with the responder, so that the EAP authentication between the responder and the initiator is carried out through the Diameter server. When no trust relationship is configured between the initiator and the responder and their trust relationship is established through two or more Diameter servers, the responder sends the EAP Start message to a Diameter relay server according to the Diameter-EAP protocol; the Diameter relay server forwards it to the Diameter server; on receiving it, the Diameter server exchanges EAP authentication information with the Diameter relay server and the responder, so that the EAP authentication between the initiator and the responder is carried out through the Diameter server and the Diameter relay server. In this way three-party authentication can be realized within ISAKMP, which solves the problem of complex trust-relationship configuration. Moreover, for key updates and/or adding routing devices and/or removing routing devices, only the security material of the routing device concerned needs to be updated, added or deleted on the Diameter server, which greatly reduces the workload and is easy to implement.
Brief description of the drawings
Fig. 1 is a flow diagram of the extended authentication method based on ISAKMP according to the invention;
Fig. 2 is a flow diagram of the prior-art ISAKMP Identity Protection Exchange;
Fig. 3 is a flow diagram of the extended authentication method based on ISAKMP of embodiment one;
Fig. 4 is a flow diagram of the extended authentication method based on ISAKMP of embodiment two, which introduces a Diameter server;
Fig. 5 is a flow diagram of the extended authentication method based on ISAKMP of embodiment three, which introduces a Diameter relay server;
Fig. 6 is a structural diagram of the extended authentication system based on ISAKMP according to the invention.
Embodiment
The invention is described in more detail below with reference to the drawings and specific embodiments.
In the following description the routing device acting as initiator is called the initiator and the routing device acting as responder is called the responder. The initiator is the routing device that sends the first message; the responder is the routing device that replies to the initiator's first message.
The extended authentication method based on ISAKMP according to the invention, shown in Fig. 1, comprises the following steps.
Step 101: when the first routing message needs to be sent, the initiator and the responder negotiate to authenticate with EAP.
This step is implemented as follows:
the initiator sends the responder an EAP message that contains no AUTH payload;
on receiving the EAP message, the responder sends an EAP Request to the initiator in an EAP payload;
on receiving the EAP Request, the initiator sends an EAP Response to the responder in an EAP payload and carries out the EAP authentication with the responder.
Because the EAP message contains no AUTH payload, the responder knows from it that the EAP authentication is to be started.
If the initiator and the responder need to exchange more content, the sequence of EAP Request and EAP Response continues, that is, several EAP payloads are exchanged between the initiator and the responder, until the responder sends the EAP authentication result to the initiator: success (EAP Success) or failure (EAP Failure).
Before the initiator sends the EAP message to the responder, the method may further comprise: the initiator and the responder carry out the initial SA establishment; its concrete implementation is prior art and is not repeated here.
When the initiator and the responder have negotiated EAP authentication, no trust relationship is configured between the initiator and the responder, and both have a trust relationship pre-configured with a Diameter server, the method further comprises:
the responder sends an EAP Start message to the Diameter server according to the Diameter-EAP protocol;
on receiving the EAP Start message, the Diameter server exchanges EAP authentication information with the responder, so that the EAP authentication between the initiator and the responder is carried out through the Diameter server, and after the EAP authentication succeeds the Diameter server sends the generated MSK or shared key to the responder.
Specifically, the responder sending the EAP Start message to the Diameter server according to the Diameter-EAP protocol means: the responder sends the Diameter server a Diameter-EAP-Request message containing an empty EAP payload.
The initiator exchanging EAP authentication information with the responder, so that the EAP authentication between the initiator and the responder is carried out through the Diameter server, specifically means:
the Diameter server encapsulates an EAP Request in an EAP payload and returns a Diameter-EAP-Answer message containing that EAP payload to the responder;
the responder encapsulates the received EAP Request in the EAP payload of an ISAKMP extension payload and sends it to the initiator;
the initiator returns the corresponding EAP Response to the responder according to the received EAP Request;
the responder encapsulates the received EAP Response in the EAP payload of a Diameter-EAP-Request message and sends it to the Diameter server; and so on, until the Diameter server confirms that the EAP authentication has finished. The result of the authentication may be success or failure.
If the EAP authentication succeeds, the Diameter server sends the EAP Success message and the MSK or shared key produced by the EAP method authentication to the responder, and the responder then sends the generated MSK or shared key to the initiator.
When the initiator and the responder have negotiated EAP authentication, no trust relationship is configured between the initiator and the responder, and the trust relationship between the initiator and the responder is established through two or more Diameter servers, the method further comprises:
the responder sends an EAP Start message to the Diameter relay server according to the Diameter-EAP protocol;
the Diameter relay server forwards the EAP Start message to the Diameter server;
on receiving the EAP Start message, the Diameter server exchanges EAP authentication information with the Diameter relay server, so that the EAP authentication between the initiator and the responder is carried out through the Diameter server and the Diameter relay server, and after the EAP authentication succeeds the Diameter server sends the generated MSK or shared key to the Diameter relay server; the Diameter relay server sends the received MSK or shared key to the responder.
Specifically, the responder sending the EAP Start message to the Diameter relay server according to the Diameter-EAP protocol means: the responder sends the Diameter relay server a Diameter-EAP-Request message containing an empty EAP payload.
Exchanging EAP authentication information with the Diameter relay server, so that the EAP authentication between the initiator and the responder is carried out through the Diameter server and the Diameter relay server, specifically means:
the Diameter server encapsulates an EAP Request in an EAP payload and returns a Diameter-EAP-Answer message containing that EAP payload to the Diameter relay server;
the Diameter relay server forwards the received Diameter-EAP-Answer message containing the EAP payload to the responder;
the responder encapsulates the received EAP Request in the EAP payload of an ISAKMP extension payload and sends it to the initiator;
the initiator returns the corresponding EAP Response to the responder according to the received EAP Request;
the responder encapsulates the received EAP Response in the EAP payload of a Diameter-EAP-Request message and sends it to the Diameter relay server;
the Diameter relay server forwards the received EAP Response to the Diameter server; and so on, until the Diameter server confirms that the EAP authentication has finished. The result of the authentication may be success or failure.
This process is the same as the process described above for the case where the initiator and the responder each have a trust relationship pre-configured with a Diameter server: the information exchange among the responder, the Diameter relay server and the Diameter server also follows the Diameter-EAP protocol, and in it the Diameter relay server acts purely as a relay, forwarding the messages between the responder and the Diameter server directly without processing them. If the EAP authentication succeeds, the Diameter server sends the EAP Success message and the MSK or shared key produced by the EAP method authentication to the Diameter relay server, the Diameter relay server forwards the EAP Success message and the MSK or shared key to the responder, and the responder then sends the generated MSK or shared key to the initiator.
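The three-party flow just described (Figs. 4 and 5) together with the AUTH computation of Step 102, as an added simulation that is not part of the patent. It assumes a toy key-generating EAP method (a constructed challenge/response, not a registered EAP type), represents ISAKMP and Diameter messages as Python dicts rather than wire encodings, and uses HMAC-SHA256 over a constructed transcript for the AUTH payload; DiameterServer, DiameterRelay, run_isakmp_eap and the other names are the example's own. It follows Diameter-EAP (RFC 4072) in shape: a Diameter-EAP-Request with an empty EAP payload is EAP Start, and the final answer carrying EAP Success delivers the MSK to the responder. In the example the initiator's copy of the MSK comes from its own run of the EAP method, which is what lets the responder's copy, delivered by the server, be checked against it through the AUTH payloads.

```python
"""Added example: EAP over ISAKMP with a Diameter back end, simulated offline.

Not the patent's code. Assumptions: messages are dicts, not wire formats; the
EAP method is a constructed challenge/response stand-in for a real
key-generating method; the relay forwards Diameter messages unchanged.
"""
import hashlib
import hmac
import os


# --- toy key-generating EAP method (constructed; not a registered EAP type) ---
def eap_response(password: bytes, challenge: bytes) -> bytes:
    return hmac.new(password, b"resp" + challenge, hashlib.sha256).digest()


def eap_msk(password: bytes, challenge: bytes) -> bytes:
    # 64-byte MSK, the length RFC 3748 requires of key-generating methods
    return hmac.new(password, b"msk" + challenge, hashlib.sha512).digest()


class DiameterServer:
    """Diameter-EAP server holding the initiators' credentials."""

    def __init__(self, users):
        self.users = users      # {identity: password}, constructed
        self.pending = {}       # session id -> (identity, challenge)

    def handle(self, der):
        """Takes a Diameter-EAP-Request dict, returns a Diameter-EAP-Answer dict."""
        sid = der["session"]
        if der["eap"] is None:                       # empty EAP payload: EAP Start
            challenge = os.urandom(16)
            self.pending[sid] = (der["identity"], challenge)
            return {"session": sid, "result": "MULTI_ROUND_AUTH",
                    "eap": {"code": "Request", "challenge": challenge}}
        identity, challenge = self.pending.pop(sid)
        pw = self.users.get(identity)
        if pw is not None and hmac.compare_digest(
                der["eap"]["response"], eap_response(pw, challenge)):
            return {"session": sid, "result": "SUCCESS",
                    "eap": {"code": "Success"}, "msk": eap_msk(pw, challenge)}
        return {"session": sid, "result": "AUTHENTICATION_REJECTED",
                "eap": {"code": "Failure"}, "msk": None}


class DiameterRelay:
    """Embodiment three: forwards requests and answers without touching them."""

    def __init__(self, upstream):
        self.upstream = upstream

    def handle(self, der):
        return self.upstream.handle(der)


def auth_payload(key: bytes, transcript: bytes) -> bytes:
    """AUTH payload value: HMAC keyed with the EAP MSK over the sender's messages."""
    return hmac.new(key, transcript, hashlib.sha256).digest()


def run_isakmp_eap(initiator_id: bytes, initiator_pw: bytes, aaa, sa_payload: bytes):
    """Steps 101 and 102 with all three roles in one function. Returns (ok, msk)."""
    session = os.urandom(8).hex()
    # Step 101: the initiator's EAP message carries no AUTH payload, so the
    # responder starts EAP at the AAA side: Diameter-EAP-Request, empty EAP payload.
    answer = aaa.handle({"session": session, "identity": initiator_id, "eap": None})
    # Responder moves the EAP Request into an ISAKMP EAP payload; the initiator
    # answers it; the responder wraps the EAP Response in a Diameter-EAP-Request.
    challenge = answer["eap"]["challenge"]
    response = {"code": "Response", "response": eap_response(initiator_pw, challenge)}
    answer = aaa.handle({"session": session, "identity": initiator_id, "eap": response})
    if answer["eap"]["code"] != "Success":
        return False, None                        # EAP Failure: no MSK, no AUTH
    # Step 102: the responder's MSK came from the server; the initiator's copy
    # comes from its own EAP method run. Both must agree for AUTH to verify.
    msk_r = answer["msk"]
    msk_i = eap_msk(initiator_pw, challenge)
    transcript_i = b"I" + sa_payload + initiator_id
    transcript_r = b"R" + sa_payload
    auth_i = auth_payload(msk_i, transcript_i)    # sent initiator -> responder
    auth_r = auth_payload(msk_r, transcript_r)    # sent responder -> initiator
    ok = (hmac.compare_digest(auth_i, auth_payload(msk_r, transcript_i))
          and hmac.compare_digest(auth_r, auth_payload(msk_i, transcript_r)))
    return ok, msk_r


if __name__ == "__main__":
    server = DiameterServer({b"router-a": b"constructed-secret"})
    print(run_isakmp_eap(b"router-a", b"constructed-secret", server, b"SAi")[0])     # True
    print(run_isakmp_eap(b"router-a", b"wrong", DiameterRelay(server), b"SAi")[0])  # False
```

With the correct credential both AUTH payloads verify and the responder holds the 64-byte MSK the server delivered; with a wrong password or an unknown identity the server answers EAP Failure with no MSK, so neither side can form an AUTH payload. Putting a DiameterRelay in front of the server changes nothing in the exchange, which is exactly what embodiment three relies on.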
Before the initiator sends the EAP message to the responder, the method may further comprise: the initiator and the responder carry out the ISAKMP SA establishment, whose concrete implementation is prior art and is not repeated here; once the ISAKMP SA is established, the initiator and the responder negotiate EAP authentication under the protection of the ISAKMP SA.
Because ISAKMP performs mutual authentication, it is recommended that the EAP method selected be one that implements mutual authentication, so that an MSK or shared key is produced.
Step 102: after the EAP authentication succeeds, the initiator and the responder compute the HMAC value in the AUTH payload from the MSK or shared key produced by the EAP run and send the AUTH payload to each other, completing authentication within ISAKMP.
If the EAP authentication produced an MSK, the HMAC value in the AUTH payload is computed from that MSK; if it did not produce an MSK, the HMAC value is computed from the shared key that was produced.
After the EAP authentication succeeds, the responder sends the initiator, together with the EAP authentication result, the MSK or shared key produced by the EAP authentication, so that the initiator and the responder can complete authentication within ISAKMP.
The MSK is a persistent parameter, whereas the shared key is a one-time parameter that applies only to the current session; in other words, when the initiator and the responder start another session, the shared key produced differs from that of the previous session, while the MSK does not change. The concrete processing for computing the HMAC value in the AUTH payload from the MSK or shared key produced by the EAP run is prior art and is not repeated here.
The concrete processing for completing authentication within ISAKMP is prior art and is not repeated here.
The EAP payload involved in the EAP authentication used by the invention has the format and definition given in RFC 3748. RFC stands for Request For Comments, a numbered series of documents covering Internet-related information and the software documentation of UNIX and the Internet community.
The invention is described in further detail below with reference to embodiments.
ISAKMP can apply an authentication mechanism in four exchange types: the Base Exchange, the Identity Protection Exchange, the Authentication Only Exchange and the Aggressive Exchange. Of these, the Identity Protection Exchange protects the identification payload and the AUTH payload well.
Identity Protection Exchange flow, as shown in Fig. 2 comprising the following steps:
Step 201: When the first routing message needs to be sent, the initiator sends an HDR payload and an SA payload to the responder;
Step 202: After receiving the SA payload, the responder sends an HDR payload and an SA payload to the initiator, negotiating an ISAKMP SA with the initiator;
Here, the HDR payload is the ISAKMP protocol header; every message exchanged between the initiator and the responder carries an HDR payload.
Steps 203~204: The initiator and the responder exchange Key Exchange (KE) payloads and nonce (NONCE) payloads; from the received KE and NONCE payloads, the initiator and the responder each compute a shared key, which serves as the input key for computing the HMAC of the AUTH payload;
Here, the KE payload carries a Diffie-Hellman public value.
Steps 205~206: Under the protection of the ISAKMP SA, the initiator and the responder exchange HDR payloads, identity (IDx) payloads, and AUTH payloads, and authenticate each other.
Specifically, the initiator and the responder each compute an HMAC value and compare it with the HMAC value in the received AUTH payload; if the HMAC values match on both sides, mutual authentication succeeds, otherwise authentication fails.
Here, an asterisk ("*") after the HDR payload indicates that the subsequent payloads, i.e. the IDx payload and the AUTH payload, are encrypted;
x may be ii or ir, denoting the ISAKMP initiator and responder respectively; when the ISAKMP daemon acts as a proxy negotiator, x may also be ui or ur, denoting the user initiator and user responder respectively. The AUTH payload is a generic identity authentication mechanism; concretely it may be a HASH (hash) payload or a SIG (signature) payload.
Because the Identity Protection Exchange offers better security, the embodiments described below use the Identity Protection Exchange to practise the core idea of the present invention, so as to achieve its object and best embody that idea. That is, EAP extensions to the other ISAKMP exchange types can likewise follow the embodiments of the invention, and they fall within the scope of protection of this patent.
Embodiment one:
The application scenario of this embodiment is: a shared key k_ab is configured in advance between the initiator and the responder; the initiator and the responder may be anywhere on the network and communicate using the IP protocol. The initiator is the router that sends the routing message, and the responder is the router that receives it. This embodiment applies the EAP extension to ISAKMP; the flow of authenticating with an EAP method over the ISAKMP Identity Protection Exchange, shown in Fig. 3, comprises the following steps:
Step 301: When the first routing message needs to be sent, the initiator sends an SA payload to the responder;
Step 302: The responder sends an SA payload to the initiator;
At this point the initiator and the responder have negotiated and established an ISAKMP SA.
Step 303: The initiator sends a KE payload and a NONCE payload to the responder;
Step 304: The responder sends a KE payload and a NONCE payload to the initiator;
Here, steps 301~304 may be called the ISAKMP SA establishment process; their purpose is for the initiator and the responder to negotiate cryptographic algorithms, exchange nonces, perform a Diffie-Hellman (D-H) exchange, and so on, thereby providing a secure channel for the subsequent exchanges between the initiator and the responder. The specific processing of steps 301~304 is prior art and is not repeated here.
Step 305: Under the protection of the ISAKMP SA, the initiator sends an IDii payload to the responder;
Here, the initiator leaves the AUTH payload empty, thereby informing the responder that it wishes to negotiate authentication with an EAP method.
Step 306: Under the protection of the ISAKMP SA, the responder sends IDir, AUTH, and EAP payloads to the initiator;
Here, sending the EAP payload indicates that the responder agrees to authenticate with an EAP method, and at the same time issues an EAP Request;
Step 307: The initiator responds with an EAP payload to the responder and carries out the EAP authentication process with the responder;
Here, the EAP payload is an EAP Response;
The method used for EAP authentication may be an existing authentication method, such as TLS or Message Digest Algorithm 5 (MD5); in practice the EAP method can be selected as required. Depending on the authentication method, several EAP payloads may need to be exchanged between the initiator and the responder; in other words, the initiator may need to send several EAP payloads to the responder and the responder correspondingly several EAP payloads to the initiator in order to complete the EAP authentication process. It is recommended to use an EAP method that achieves mutual authentication.
Because the shared key k_ab is configured in advance between the initiator and the responder, the responder, after receiving the EAP payload, carries out the EAP authentication process directly with the initiator.
Step 308: After EAP authentication succeeds, the responder returns an EAP payload to the initiator;
Here, the EAP payload is an EAP Success and contains the MSK or shared key generated by the EAP authentication process.
Step 309: After receiving the EAP payload, the initiator computes the HMAC value in the AUTH payload from the MSK or shared key generated by the EAP authentication process and sends the AUTH payload to the responder, to be compared with the HMAC value the responder computes;
Step 310: The responder computes the HMAC value in the AUTH payload from the MSK or shared key generated by the EAP authentication process and sends the AUTH payload to the initiator, to be compared with the HMAC value the initiator computes;
At this point both sides have completed ISAKMP authentication.
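A runnable walk-through of steps 305 to 310 (the Identity Protection Exchange of Fig. 2 as extended in this embodiment), added here as an example and not code from the patent: two simulated routers complete the EAP-extended exchange and verify each other's AUTH payload. It assumes the ISAKMP SA of steps 301 to 304 is already in place and is represented only by the exchanged nonces, stands in a constructed keyed challenge-response on k_ab for the EAP method, has both peers derive the EAP session key rather than the responder transmitting it, and computes AUTH as HMAC-SHA256 over the sender's identity and both nonces keyed by that session key.

```python
import hashlib
import hmac
import secrets

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed hash used both by the stand-in EAP method and for the AUTH payload."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def eap(code: int, ident: int, data: bytes = b"") -> dict:
    """An EAP packet as carried in the ISAKMP EAP payload (fields, not wire bytes)."""
    return {"code": code, "id": ident, "data": data}


class Peer:
    def __init__(self, ident: bytes, k_ab: bytes, is_initiator: bool):
        self.ident, self.k_ab, self.is_initiator = ident, k_ab, is_initiator
        self.nonce = secrets.token_bytes(16)  # NONCE payload of steps 303/304
        self.peer_nonce = None
        self.peer_ident = None
        self.session_key = None               # key produced by the EAP run

    def ni_nr(self):
        """Initiator nonce first, responder nonce second, on both sides."""
        return ((self.nonce, self.peer_nonce) if self.is_initiator
                else (self.peer_nonce, self.nonce))

    def derive_session_key(self, challenge: bytes) -> None:
        """Constructed derivation (assumption): one-time key bound to this session."""
        self.session_key = prf(self.k_ab, b"session", challenge, *self.ni_nr())

    def make_auth(self) -> bytes:
        """Steps 309/310: HMAC over own identity and both nonces, keyed by the EAP key."""
        return prf(self.session_key, b"AUTH", self.ident, *self.ni_nr())

    def verify_auth(self, auth: bytes) -> bool:
        """Recompute the peer's AUTH value and compare in constant time."""
        expected = prf(self.session_key, b"AUTH", self.peer_ident, *self.ni_nr())
        return hmac.compare_digest(auth, expected)


def run_exchange(init: Peer, resp: Peer) -> bool:
    """Steps 305-310 of embodiment one; True when both AUTH checks pass."""
    init.peer_nonce, resp.peer_nonce = resp.nonce, init.nonce   # steps 303-304
    # Step 305: IDii with an empty AUTH payload signals "authenticate with EAP".
    msg305 = {"ID": init.ident, "AUTH": b""}
    if msg305["AUTH"] != b"":
        return False  # a filled AUTH here would mean native ISAKMP authentication
    resp.peer_ident = msg305["ID"]
    # Step 306: IDir plus an EAP Request carrying a fresh challenge
    # (the patent leaves the content of this AUTH unspecified; empty here).
    challenge = secrets.token_bytes(16)
    msg306 = {"ID": resp.ident, "AUTH": b"", "EAP": eap(EAP_REQUEST, 1, challenge)}
    init.peer_ident = msg306["ID"]
    # Step 307: the initiator proves knowledge of k_ab in an EAP Response.
    req = msg306["EAP"]
    proof = prf(init.k_ab, b"proof", req["data"], *init.ni_nr())
    msg307 = {"EAP": eap(EAP_RESPONSE, req["id"], proof)}
    # Step 308: the responder checks Identifier and proof before sending Success.
    rsp = msg307["EAP"]
    expected = prf(resp.k_ab, b"proof", challenge, *resp.ni_nr())
    if rsp["id"] != req["id"] or not hmac.compare_digest(rsp["data"], expected):
        return False                                    # would be EAP Failure
    msg308 = {"EAP": eap(EAP_SUCCESS, req["id"])}
    resp.derive_session_key(challenge)
    if msg308["EAP"]["code"] != EAP_SUCCESS:
        return False
    init.derive_session_key(challenge)
    # Steps 309-310: AUTH payloads in both directions, each verified by the peer.
    msg309 = {"AUTH": init.make_auth()}
    msg310 = {"AUTH": resp.make_auth()}
    return resp.verify_auth(msg309["AUTH"]) and init.verify_auth(msg310["AUTH"])


def demo(shared: bool = True) -> bool:
    """Constructed run: the same k_ab on both routers, or a mismatched one."""
    k_ab = secrets.token_bytes(32)
    k_resp = k_ab if shared else secrets.token_bytes(32)
    return run_exchange(Peer(b"router-a", k_ab, True), Peer(b"router-b", k_resp, False))
```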
Embodiment two:
The application scenario of this embodiment is: no trust relationship is configured between the initiator and the responder; a trust relationship k_ac is configured in advance between the initiator and a Diameter server, and a trust relationship k_bc is configured in advance between the responder and the Diameter server; the initiator and the responder interact using ISAKMP, and the responder and the Diameter server interact using Diameter-ISAKMP. The initiator is the router that sends the routing message, and the responder is the router that receives it. This embodiment introduces a Diameter server into the extended authentication method based on ISAKMP; the flow, shown in Fig. 4, comprises the following steps:
Step 401: When the first routing message needs to be sent, the initiator sends an SA payload to the responder;
Step 402: The responder sends an SA payload to the initiator;
At this point the initiator and the responder have negotiated and established an ISAKMP SA.
Step 403: The initiator sends a KE payload and a NONCE payload to the responder;
Step 404: The responder sends a KE payload and a NONCE payload to the initiator;
Here, steps 401~404 may be called the ISAKMP SA establishment process; their purpose is for the initiator and the responder to negotiate cryptographic algorithms, exchange nonces, perform a D-H exchange, and so on, thereby providing a secure channel for the subsequent exchanges between the initiator and the responder. The specific processing of steps 401~404 is prior art and is not repeated here.
Step 405: Under the protection of the ISAKMP SA, the initiator sends an HDR payload and an IDii payload to the responder;
Here, the initiator leaves the AUTH payload empty, thereby informing the responder that it wishes to negotiate authentication with an EAP method.
Step 406: After receiving the KE payload and the NONCE payload, the responder sends an EAP Start message to the Diameter server according to the Diameter-EAP protocol;
Specifically, an empty EAP payload is sent in a Diameter-EAP-Request message to prompt the Diameter server.
Here, because no trust relationship is configured between the initiator and the responder, while the trust relationship k_bc is configured in advance between the responder and the Diameter server, the responder, after receiving the EAP payload, can send an EAP Start message to the Diameter server;
The process of establishing the initial connection between the responder and the Diameter server follows the Diameter protocol, i.e. the provisions of RFC 3588; in practice, typically only the name and the trust relationship need to be configured. The connection may be established as follows: the responder and the Diameter server can complete dynamic connection establishment with the help of a Domain Name System (DNS) server, or the responder and the Diameter server can establish the connection by manual configuration.
Step 407: After receiving the EAP Start message, the Diameter server encapsulates an EAP Request in an EAP payload and returns to the responder a Diameter-EAP-Answer message containing the EAP payload;
Step 408: The responder encapsulates the received EAP Request in the ISAKMP extension payload, the EAP payload, and sends it to the initiator;
Step 409: The initiator returns a corresponding EAP Response to the responder according to the received EAP Request;
Here, the EAP Response is likewise encapsulated in the ISAKMP extension payload, the EAP payload.
Step 410: The responder in turn encapsulates the received EAP Response in the EAP payload of a Diameter-EAP-Request message and sends it to the Diameter server, carrying out the EAP authentication process;
Here, the method used for EAP authentication may be an existing authentication method, such as TLS or MD5; in practice the EAP method can be selected as required. Depending on the authentication method, several EAP payloads may need to be exchanged between the initiator and the responder; in other words, the initiator may need to send several EAP payloads to the responder, the responder correspondingly several EAP payloads to the initiator, and correspondingly several EAP messages may need to be exchanged between the Diameter server and the responder to complete the EAP authentication process. It is recommended to use an EAP method that achieves mutual authentication.
Step 411: When the EAP authentication process succeeds, the Diameter server encapsulates an EAP Success message and the MSK or shared key generated by the EAP authentication process in a Diameter-EAP-Answer message and sends it to the responder;
Step 412: After receiving the Diameter-EAP-Answer message, the responder returns an EAP payload to the initiator;
Here, the EAP payload is an EAP Success and contains the MSK or shared key generated by the EAP authentication process.
Step 413: After receiving the EAP payload, the initiator computes the HMAC value in the AUTH payload from the MSK or shared key and sends the AUTH payload to the responder, to be compared with the HMAC value the responder computes;
Step 414: The responder computes the HMAC value in the AUTH payload from the MSK or shared key and sends the AUTH payload to the initiator, to be compared with the HMAC value the initiator computes.
At this point both sides have completed ISAKMP authentication.
Embodiment three:
The application scenario of this embodiment is: no trust relationship is configured between the initiator and the responder; a trust relationship k_ac is configured in advance between the initiator and a Diameter server, a trust relationship k_bd is configured in advance between the responder and a Diameter relay server, and a trust relationship k_cd is configured in advance between the Diameter relay server and the Diameter server; no trust relationship is configured in advance between the Diameter relay server and the initiator. The initiator is the router that sends the routing message, and the responder is the router that receives it. This embodiment introduces a Diameter relay server into the extended authentication method based on ISAKMP; the flow, shown in Fig. 5, comprises the following steps:
Step 501: When the first routing message needs to be sent, the initiator sends an SA payload to the responder;
Step 502: The responder sends an SA payload to the initiator;
At this point the initiator and the responder have negotiated and established an ISAKMP SA.
Step 503: The initiator sends a KE payload and a NONCE payload to the responder;
Step 504: The responder sends a KE payload and a NONCE payload to the initiator;
Here, steps 501~504 may be called the ISAKMP SA establishment process; their purpose is for the initiator and the responder to negotiate cryptographic algorithms, exchange nonces, perform a D-H exchange, and so on, thereby providing a secure channel for the subsequent exchanges between the initiator and the responder. The specific processing of steps 501~504 is prior art and is not repeated here.
Step 505: Under the protection of the ISAKMP SA, the initiator sends an HDR payload and an IDii payload to the responder;
Here, the initiator leaves the AUTH payload empty, thereby informing the responder that it wishes to negotiate authentication with an EAP method.
Step 506: After receiving the KE payload and the NONCE payload, the responder sends an EAP Start message to the Diameter relay server according to the Diameter-EAP protocol;
Specifically, an empty EAP payload is sent in a Diameter-EAP-Request message to prompt the Diameter relay server.
Here, because no trust relationship is configured between the initiator and the responder, while the trust relationship k_bd is configured in advance between the responder and the Diameter relay server, the responder, after receiving the EAP payload, can send an authentication request message to the Diameter relay server;
The process of establishing the initial connection between the responder and the Diameter relay server follows the Diameter protocol, i.e. the provisions of RFC 3588; in practice, typically only the name and the trust relationship need to be configured. The connection may be established as follows: the responder and the Diameter relay server can complete dynamic connection establishment with the help of a DNS server, or the responder and the Diameter relay server can establish the connection by manual configuration.
Step 507: The Diameter relay server forwards the EAP Start message directly to the Diameter server;
Step 508: After receiving the EAP Start message, the Diameter server encapsulates an EAP Request in an EAP payload and returns to the Diameter relay server a Diameter-EAP-Answer message containing the EAP payload;
Step 509: After receiving the message, the Diameter relay server forwards the received Diameter-EAP-Answer message containing the EAP payload to the responder;
Step 510: The responder encapsulates the received EAP Request in the ISAKMP extension payload, the EAP payload, and sends it to the initiator;
Step 511: The initiator returns a corresponding EAP Response to the responder according to the received EAP Request;
Here, the EAP Response is likewise encapsulated in the ISAKMP extension payload, the EAP payload.
Step 512: The responder encapsulates the received EAP Response in the EAP payload of a Diameter-EAP-Request message and sends it to the Diameter relay server;
Step 513: The Diameter relay server forwards the received EAP Response to the Diameter server, carrying out the EAP authentication process;
Here, the method used for EAP authentication may be an existing authentication method, such as TLS or MD5; in practice the EAP method can be selected as required. Depending on the authentication method, several EAP payloads may need to be exchanged between the initiator and the responder; in other words, the initiator may need to send several EAP payloads to the responder, the responder correspondingly several EAP payloads to the initiator, and correspondingly several EAP messages may need to be exchanged between the Diameter relay server and the responder, and likewise between the Diameter relay server and the Diameter server, to complete the EAP authentication process. It is recommended to use an EAP method that achieves mutual authentication.
Step 514: When the EAP authentication process succeeds, the Diameter server encapsulates an EAP Success message and the MSK or shared key generated by the EAP authentication process in a Diameter-EAP-Answer message and sends it to the Diameter relay server;
Step 515: After receiving the Diameter-EAP-Answer message, the Diameter relay server forwards the received Diameter-EAP-Answer message to the responder;
Step 516: After receiving the Diameter-EAP-Answer message, the responder returns an EAP payload to the initiator;
Here, the EAP payload is an EAP Success and contains the MSK or shared key generated by the EAP authentication process.
Step 517: After receiving the EAP payload, the initiator computes the HMAC value in the AUTH payload from the MSK or shared key and sends the AUTH payload to the responder, to be compared with the HMAC value the responder computes;
Step 518: The responder computes the HMAC value in the AUTH payload from the MSK or shared key and sends the AUTH payload to the initiator, to be compared with the HMAC value the initiator computes.
Here, the definitions and effects of the messages in this embodiment are identical to those of the messages in embodiment two.
At this point both sides have completed ISAKMP authentication.
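The Diameter leg shared by embodiments two and three, as an added example that is not the patent's code: the responder's EAP Start (a Diameter-EAP-Request whose EAP-Payload AVP is empty), the server's Diameter-EAP-Answer carrying the next EAP packet and, on success, the MSK, the relay's forwarding, and the responder's check before it hands the EAP bytes and the MSK on to the ISAKMP side. Wire layouts and code points follow RFC 6733 and RFC 4072; the relay is simplified to rewriting the Hop-by-Hop identifier, and the EAP packets are constructed sample bytes.

```python
import struct

DIAMETER_EAP_APP_ID = 5     # Diameter EAP application (RFC 4072)
CMD_EAP = 268               # Diameter-EAP-Request / Diameter-EAP-Answer command code
AVP_RESULT_CODE = 268       # Result-Code AVP (RFC 6733)
AVP_EAP_PAYLOAD = 402       # EAP-Payload AVP (RFC 4072)
AVP_EAP_MSK = 464           # EAP-Master-Session-Key AVP (RFC 4072)
DIAMETER_SUCCESS = 2001
REQUEST, PROXIABLE, MANDATORY, VENDOR = 0x80, 0x40, 0x40, 0x80
EAP_SUCCESS = 3             # EAP Code (RFC 3748)


def encode_avp(code: int, data: bytes) -> bytes:
    """AVP header Code(4) Flags(1) Length(3); data padded to a 4-octet boundary."""
    return (struct.pack("!IB", code, MANDATORY) + (8 + len(data)).to_bytes(3, "big")
            + data + bytes(-len(data) % 4))


def decode_avps(blob: bytes) -> dict:
    """Walk the AVP list; reject vendor-specific AVPs and inconsistent lengths."""
    avps, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", blob, off)
        length = int.from_bytes(blob[off + 5:off + 8], "big")
        if flags & VENDOR or length < 8 or off + length > len(blob):
            raise ValueError("unsupported or malformed AVP")
        avps[code] = blob[off + 8:off + length]
        off += length + (-length % 4)
    return avps


def encode_message(is_request: bool, avps: list, hop: int, end: int) -> bytes:
    """Header: Version(1) Length(3) Flags(1) Code(3) AppId(4) Hop-by-Hop(4) End-to-End(4)."""
    body = b"".join(encode_avp(c, d) for c, d in avps)
    flags = (REQUEST if is_request else 0) | PROXIABLE
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + CMD_EAP.to_bytes(3, "big")
            + struct.pack("!III", DIAMETER_EAP_APP_ID, hop, end) + body)


def decode_message(msg: bytes) -> dict:
    if len(msg) < 20 or msg[0] != 1 or int.from_bytes(msg[1:4], "big") != len(msg):
        raise ValueError("bad Diameter header")
    code = int.from_bytes(msg[5:8], "big")
    app, hop, end = struct.unpack("!III", msg[8:20])
    if code != CMD_EAP or app != DIAMETER_EAP_APP_ID:
        raise ValueError("not a Diameter-EAP message")
    return {"request": bool(msg[4] & REQUEST), "hop": hop, "end": end,
            "avps": decode_avps(msg[20:])}


def responder_start(hop: int, end: int) -> bytes:
    """Steps 406/506: EAP Start is a DER whose EAP-Payload AVP is empty."""
    return encode_message(True, [(AVP_EAP_PAYLOAD, b"")], hop, end)


def responder_forward(eap_response: bytes, hop: int, end: int) -> bytes:
    """Steps 410/512: wrap the EAP Response taken from the ISAKMP EAP payload in a DER."""
    return encode_message(True, [(AVP_EAP_PAYLOAD, eap_response)], hop, end)


def server_answer(der: bytes, eap_pkt: bytes, msk: bytes = b"") -> bytes:
    """Steps 407/411: DEA carrying the next EAP packet and, on EAP Success, the MSK."""
    req = decode_message(der)
    if not req["request"] or AVP_EAP_PAYLOAD not in req["avps"]:
        raise ValueError("server expects a DER with an EAP-Payload AVP")
    avps = [(AVP_RESULT_CODE, struct.pack("!I", DIAMETER_SUCCESS)),
            (AVP_EAP_PAYLOAD, eap_pkt)]
    if msk:
        avps.append((AVP_EAP_MSK, msk))
    return encode_message(False, avps, req["hop"], req["end"])


def relay_forward(msg: bytes, next_hop_id: int) -> bytes:
    """Steps 507-509/513-515: the relay rewrites only the Hop-by-Hop id (simplified;
    a real relay also appends Route-Record) and leaves every AVP untouched."""
    m = decode_message(msg)
    return encode_message(m["request"], list(m["avps"].items()), next_hop_id, m["end"])


def responder_unwrap(dea: bytes) -> tuple:
    """Steps 408/412: return (EAP bytes for the ISAKMP EAP payload, MSK or None).
    An MSK is accepted only alongside an EAP Success and Result-Code DIAMETER_SUCCESS."""
    m = decode_message(dea)
    a = m["avps"]
    eap_pkt = a.get(AVP_EAP_PAYLOAD)
    if m["request"] or eap_pkt is None:
        raise ValueError("expected a DEA with an EAP-Payload AVP")
    ok = a.get(AVP_RESULT_CODE) == struct.pack("!I", DIAMETER_SUCCESS)
    if AVP_EAP_MSK in a and not (ok and eap_pkt[:1] == bytes([EAP_SUCCESS])):
        raise ValueError("MSK delivered without EAP Success")
    return eap_pkt, (a.get(AVP_EAP_MSK) if ok else None)
```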
To implement the above method, the present invention also provides an extended authentication system based on ISAKMP, shown in Fig. 6. The system comprises a first routing device 61 and a second routing device 62; wherein,
the first routing device 61 is configured, when a first routing message needs to be sent, to negotiate with the second routing device 62 to authenticate using EAP, and, after EAP authentication succeeds, to compute the value of the AUTH payload from the MSK or shared key generated by the EAP process and send the AUTH payload to the second routing device 62, completing authentication in ISAKMP;
the second routing device 62 is configured to negotiate with the first routing device 61 to authenticate using EAP, and, after EAP authentication succeeds, to compute the value of the AUTH payload from the MSK or shared key generated by the EAP process and send the AUTH payload to the first routing device 61, completing authentication in ISAKMP.
It should be noted that the first routing device 61 is the routing device acting as the initiator and the second routing device 62 is the routing device acting as the responder; here the initiator is the routing device that initiates a message, and the responder is the routing device that feeds a message back to the initiator.
When the first routing device 61 and the second routing device 62 negotiate to authenticate using EAP, no trust relationship is configured between the first routing device and the second routing device 62, and both the first routing device 61 and the second routing device 62 have a trust relationship configured in advance with a Diameter server, the system may further comprise a first Diameter server configured, after receiving an EAP Start message sent by the second routing device 62, to carry out an EAP authentication information exchange with the second routing device 62, so that the EAP authentication process between the first routing device 61 and the second routing device 62 is carried out through the Diameter server, and, after the EAP authentication process succeeds, to send the generated MSK or shared key to the second routing device 62;
the second routing device 62 is further configured to send an EAP Start message to the first Diameter server according to the Diameter-EAP protocol and to carry out an EAP authentication information exchange with the first Diameter server, so that the EAP authentication process between the first routing device 61 and the second routing device 62 is carried out through the first Diameter server, and to receive the generated MSK or shared key sent by the first Diameter server.
When the first routing device 61 and the second routing device 62 negotiate to authenticate using EAP, no trust relationship is configured between the first routing device 61 and the second routing device 62, and a trust relationship between the first routing device 61 and the second routing device 62 is established through two or more Diameter servers, the system further comprises a second Diameter server configured, after receiving an EAP Start message sent by the second routing device 62, to forward the EAP Start message to the first Diameter server and to carry out an EAP authentication information exchange with the first Diameter server, so that the EAP authentication process between the first routing device 61 and the second routing device 62 is carried out through the first Diameter server and the second Diameter server, and to send the generated MSK or shared key received from the first Diameter server to the second routing device 62;
the first Diameter server is further configured, after receiving the EAP Start message sent by the second Diameter server, to carry out an EAP authentication information exchange with the second Diameter server, so that the EAP authentication process between the first routing device 61 and the second routing device 62 is carried out through the first Diameter server and the second Diameter server, and, after the EAP authentication process succeeds, to send the generated MSK or shared key to the second Diameter server;
the second routing device 62 is further configured to send an EAP Start message to the second Diameter server according to the Diameter-EAP protocol and to receive the generated MSK or shared key sent by the second Diameter server.
It should be noted that there may be more than one second Diameter server.
Here, the specific processing of the first router, the second router, the first Diameter server, and the second Diameter server in the system of the present invention has been described in detail above and is not repeated.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of the present invention.
Claims (13)
1. An extended authentication method based on the Internet Security Association and Key Management Protocol (ISAKMP), characterized in that the method comprises:
When a first routing message needs to be sent, an initiator negotiates with a responder to authenticate using the Extensible Authentication Protocol (EAP);
After the EAP authentication process succeeds, the initiator and the responder each compute, from the master session key (MSK) or shared key generated by the EAP process, the keyed-hash message authentication code (HMAC) value in an AUTH payload and send the AUTH payload to the other side, completing authentication in ISAKMP;
Wherein the ISAKMP comprises four exchange types: the base exchange, the identity protection exchange, the authentication only exchange, and the aggressive exchange.
2. The method according to claim 1, characterized in that the initiator negotiating with the responder to authenticate using EAP comprises:
The initiator sends the responder an EAP message that does not contain an AUTH payload;
After receiving the EAP message, the responder sends an EAP Request to the initiator in an EAP payload;
After receiving the EAP Request, the initiator sends an EAP Response to the responder in an EAP payload and carries out the EAP authentication process with the responder.
3. The method according to claim 2, characterized in that, before the initiator sends the EAP message to the responder, the method further comprises:
The initiator carries out an initial security association (SA) establishment process with the responder.
4. The method according to claim 1, 2 or 3, characterized in that, when the initiator and the responder negotiate to authenticate using EAP, no trust relationship is configured between the initiator and the responder, and trust relationships are configured in advance between each of the initiator and the responder and a Diameter server, the method further comprises:
The responder sends an EAP Start message to the Diameter server according to the Diameter-EAP protocol;
After receiving the EAP Start message, the Diameter server carries out an EAP authentication information exchange with the responder, so that the EAP authentication process between the initiator and the responder is carried out through the Diameter server, and, after the EAP authentication process succeeds, sends the generated MSK or shared key to the responder.
5. The method according to claim 4, characterized in that the responder sending the EAP Start message to the Diameter server according to the Diameter-EAP protocol is:
The responder sends the Diameter server a Diameter-EAP-Request message containing an empty EAP payload;
and the initiator carrying out the EAP authentication information exchange with the responder, so that the EAP authentication process between the initiator and the responder is carried out through the Diameter server, is:
The Diameter server encapsulates an EAP Request in an EAP payload and returns to the responder a Diameter-EAP-Answer message containing the EAP payload;
The responder encapsulates the received EAP Request in the ISAKMP extension payload, the EAP payload, and sends it to the initiator;
The initiator returns a corresponding EAP Response to the responder according to the received EAP Request;
The responder encapsulates the received EAP Response in the EAP payload of a Diameter-EAP-Request message and sends it to the Diameter server; and so on, until the Diameter server confirms that the EAP authentication process has ended.
6. The method according to claim 5, characterized in that, before the responder computes the HMAC value in the AUTH payload from the MSK or shared key generated by the EAP process, the method further comprises:
After the EAP authentication process succeeds, the Diameter server sends an EAP Success message and the MSK or shared key generated by the EAP authentication process to the responder.
7. The method according to claim 1, 2 or 3, characterized in that, when the initiator and the responder negotiate to authenticate using EAP, no trust relationship is configured between the initiator and the responder, and a trust relationship between the initiator and the responder is established through two or more Diameter servers, the method further comprises:
The responder sends an EAP Start message to a Diameter relay server according to the Diameter-EAP protocol;
The Diameter relay server forwards the EAP Start message to the Diameter server;
After receiving the EAP Start message, the Diameter server carries out an EAP authentication information exchange with the Diameter relay server, so that the EAP authentication process between the initiator and the responder is carried out through the Diameter server and the Diameter relay server, and, after the EAP authentication process succeeds, sends the generated MSK or shared key to the Diameter relay server; the Diameter relay server sends the received MSK or shared key to the responder.
8. The method according to claim 7, characterized in that the responder sending the EAP Start message to the Diameter server according to the Diameter-EAP protocol is:
The responder sends the Diameter server a Diameter-EAP-Request message containing an empty EAP payload;
and carrying out the EAP authentication information exchange with the Diameter relay server, so that the EAP authentication process between the initiator and the responder is carried out through the Diameter server and the Diameter relay server, is:
The Diameter server encapsulates an EAP Request in an EAP payload and returns to the Diameter relay server a Diameter-EAP-Answer message containing the EAP payload;
The Diameter relay server forwards the received Diameter-EAP-Answer message containing the EAP payload to the responder;
The responder encapsulates the received EAP Request in the ISAKMP extension payload, the EAP payload, and sends it to the initiator;
The initiator returns a corresponding EAP Response to the responder according to the received EAP Request;
The responder encapsulates the received EAP Response in the EAP payload of a Diameter-EAP-Request message and sends it to the Diameter relay server;
The Diameter relay server forwards the received EAP Response to the Diameter server; and so on, until the Diameter server confirms that the EAP authentication process has ended.
9. The method according to claim 8, characterized in that, before the responder computes the HMAC value in the AUTH payload from the MSK or shared key generated by the EAP process, the method further comprises:
After the EAP authentication process succeeds, the Diameter server sends an EAP Success message and the MSK or shared key generated by the EAP authentication process to the Diameter relay server;
The Diameter relay server forwards the received EAP Success message and the MSK or shared key generated by the EAP authentication process to the responder.
10. An extended authentication system based on ISAKMP, characterized in that the system comprises a first router and a second router; wherein,
the first router is configured, when a first routing message needs to be sent, to negotiate with the second routing device to authenticate using EAP, and, after EAP authentication succeeds, to compute the value of an AUTH payload from the MSK or shared key generated by the EAP process and send the AUTH payload to the second routing device, completing authentication in ISAKMP;
the second router is configured to negotiate with the first routing device to authenticate using EAP, and, after EAP authentication succeeds, to compute the value of an AUTH payload from the MSK or shared key generated by the EAP process and send the AUTH payload to the first routing device, completing authentication in ISAKMP;
the ISAKMP comprises four exchange types: the base exchange, the identity protection exchange, the authentication only exchange, and the aggressive exchange.
11. The system according to claim 10, characterized in that, when the first routing device and the second routing device negotiate to authenticate using EAP, no trust relationship is configured between the first routing device and the second routing device, and both the first routing device and the second routing device have a trust relationship configured in advance with a Diameter server, the system further comprises a first Diameter server configured, after receiving an EAP Start message sent by the second routing device, to carry out an EAP authentication information exchange with the second routing device, so that the EAP authentication process between the first routing device and the second routing device is carried out through the Diameter server, and, after the EAP authentication process succeeds, to send the generated MSK or shared key to the second routing device;
the second routing device is further configured to send an EAP Start message to the first Diameter server according to the Diameter-EAP protocol and to carry out an EAP authentication information exchange with the first Diameter server, so that the EAP authentication process between the first routing device and the second routing device is carried out through the first Diameter server, and to receive the generated MSK or shared key sent by the first Diameter server.
12. The system according to claim 11, characterized in that, when the first routing device and the second routing device negotiate to authenticate using EAP, no trust relationship is configured between the first routing device and the second routing device, and a trust relationship between the first routing device and the second routing device is established through two or more Diameter servers, the system further comprises a second Diameter server configured, after receiving the EAP Start message sent by the second routing device, to forward the EAP Start message to the first Diameter server and to carry out an EAP authentication information exchange with the first Diameter server, so that the EAP authentication process between the first routing device and the second routing device is carried out through the first Diameter server and the second Diameter server, and to send the generated MSK or shared key received from the first Diameter server to the second routing device;
the first Diameter server is further configured, after receiving the EAP Start message sent by the second Diameter server, to carry out an EAP authentication information exchange with the second Diameter server, so that the EAP authentication process between the first routing device and the second routing device is carried out through the first Diameter server and the second Diameter server, and, after the EAP authentication process succeeds, to send the generated MSK or shared key to the second Diameter server;
the second routing device is further configured to send an EAP Start message to the second Diameter server according to the Diameter-EAP protocol and to receive the generated MSK or shared key sent by the second Diameter server.
13. The system according to claim 12, characterised in that the number of second Diameter servers is one or more.
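Constructed Python model of the relay topology in claims 11 to 13, added here as an illustration and not part of the patent: the second routing device drives Diameter-EAP through a single home Diameter server or through a chain of relaying second Diameter servers, the home server releases the MSK on success, and both routing devices then key the ISAKMP AUTH payload from that MSK. The EAP method (an HMAC challenge/response), the MSK derivation rule and all message field names are assumptions, since the patent fixes none of them.

```python
import hmac, hashlib, os

# Constructed credential shared by the first routing device (EAP peer) and its
# home Diameter server. The patent fixes no EAP method, so an HMAC-SHA256
# challenge/response stands in for one here (assumption, not the patent's method).
CREDENTIAL = b"constructed-demo-credential"

def eap_response(cred, server_nonce, peer_nonce):
    return hmac.new(cred, b"RESP" + server_nonce + peer_nonce, hashlib.sha256).digest()

def derive_msk(cred, server_nonce, peer_nonce):
    # Both EAP endpoints compute the same MSK from the exchange (assumed derivation).
    return hmac.new(cred, b"MSK" + server_nonce + peer_nonce, hashlib.sha256).digest()

class HomeDiameter:
    """First Diameter server: holds the peer credential, runs EAP, releases the MSK."""
    def __init__(self, cred): self.cred, self.nonce = cred, None
    def handle(self, msg):
        if msg["type"] == "EAP-Start":
            self.nonce = os.urandom(16)
            return {"type": "EAP-Request", "server_nonce": self.nonce}
        expected = eap_response(self.cred, self.nonce, msg["peer_nonce"])
        if not hmac.compare_digest(expected, msg["response"]):
            return {"type": "EAP-Failure"}
        return {"type": "EAP-Success",
                "msk": derive_msk(self.cred, self.nonce, msg["peer_nonce"])}

class ProxyDiameter:
    """Second Diameter server (claim 12): relays Diameter-EAP up the trust chain and
    hands the MSK back down. Every hop therefore learns the MSK, so each relay must
    be a trusted Diameter peer and each hop a protected transport."""
    def __init__(self, upstream): self.upstream = upstream
    def handle(self, msg): return self.upstream.handle(msg)

def isakmp_auth(msk, message):
    # AUTH payload: keyed HMAC over the ISAKMP message using the EAP-derived MSK.
    return hmac.new(msk, message, hashlib.sha256).digest()

def run_exchange(chain, initiator_cred, first_msg=b"constructed first route message"):
    """Second routing device (responder) drives EAP through `chain`; returns True if
    the AUTH it computes from the delivered MSK matches the initiator's AUTH."""
    req = chain.handle({"type": "EAP-Start"})           # responder -> Diameter chain
    peer_nonce = os.urandom(16)                          # initiator answers the challenge
    result = chain.handle({"type": "EAP-Response", "peer_nonce": peer_nonce,
                           "response": eap_response(initiator_cred, req["server_nonce"], peer_nonce)})
    if result["type"] != "EAP-Success":
        return False                                     # no MSK: ISAKMP authentication fails
    initiator_auth = isakmp_auth(derive_msk(initiator_cred, req["server_nonce"], peer_nonce), first_msg)
    return hmac.compare_digest(isakmp_auth(result["msk"], first_msg), initiator_auth)
```

Wrapping `HomeDiameter` in one or more `ProxyDiameter` instances reproduces the one-server case of claim 11 and the multi-server chain of claims 12 and 13; a wrong initiator credential ends in EAP-Failure and no AUTH match.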
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110213510.3A CN102904861B (en) | 2011-07-28 | 2011-07-28 | A kind of extended authentication method and system based on ISAKMP |
Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN102904861A CN102904861A (en) | 2013-01-30 |
| CN102904861B true CN102904861B (en) | 2017-10-03 |
Family ID: 47576903
Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110213510.3A Active CN102904861B (en) | A kind of extended authentication method and system based on ISAKMP | 2011-07-28 | 2011-07-28 |
Country Status (1)

| Country | Link |
|---|---|
| CN (1) | CN102904861B (en) |
Families Citing this family (2)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111130775A (en) * | 2019-12-27 | 2020-05-08 | 广东电网有限责任公司电力科学研究院 | Key negotiation method, device and equipment |
| CN112804268A (en) * | 2021-04-13 | 2021-05-14 | 北京太一星晨信息技术有限公司 | Synchronization method, first device, second device and synchronization system |
Citations (1)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101594231A (en) * | 2008-05-27 | 2009-12-02 | 北京飞天诚信科技有限公司 | A kind of method and system based on the EAP authentication |
Family Cites Families (1)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8625787B2 (en) * | 2010-01-14 | 2014-01-07 | Alcatel Lucent | Hierarchical key management for secure communications in multimedia communication system |
Events

- 2011-07-28: CN application CN201110213510.3A, patent CN102904861B (en), status: Active
Non-Patent Citations (2)

| Title |
|---|
| Security issues of the IKE protocol; 陈忠良 (Chen Zhongliang); 《浙江大学学报》 (Journal of Zhejiang University); 2002-05-31; Vol. 36, No. 3; body text pp. 1-2 * |
| Research on IKEv2 based on the extended authentication mechanism; 谷雷 (Gu Lei); 《中国优秀硕士论文电子期刊网》 (China Excellent Master's Theses electronic journal database); 2008-08-15; full text * |
Also Published As

| Publication number | Publication date |
|---|---|
| CN102904861A (en) | 2013-01-30 |
Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| 2020-12-29 | TR01 | Transfer of patent right | Effective date of registration: 2020-12-29. Patentee after: No.2 shrimp culture company, Sheyang port, Sheyang County (address after: 224300 Sheyang port, Sheyang County, Yancheng City, Jiangsu Province). Patentee before: ZTE Corp. (address before: 518057 Ministry of justice, Zhongxing building, South Science and technology road, Nanshan District hi tech Industrial Park, Shenzhen, Guangdong). |