CN103368905A - Trustable cipher module chip-based network access authentication method - Google Patents


Info

Publication number: CN103368905A
Authority: CN (China)
Prior art keywords: authentication, authenticator, message, access, trusted
Legal status: Pending
Application number: CN2012100862254A
Other languages: Chinese (zh)
Inventors: 李健航, 贾士民
Current Assignee: Tongfang Co Ltd
Original Assignee: Tongfang Co Ltd
Application filed by Tongfang Co Ltd
Priority to CN2012100862254A
Publication of CN103368905A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to a trustable cipher module chip-based network access authentication method comprising the following steps: 1) an access requester initiates an authentication start message, and authentication is started; 2) an authenticator processes the authentication start message, obtains the access requester's identity authentication information from a trustable cipher module chip, and responds to the message through a protocol; 3) the authenticator packages the response message in a request message and sends the request message to an authentication server; 4) a request message for authentication is generated by the authentication server and sent to the authenticator; 5) the authenticator takes out the request message and sends it to the access requester; 6) the access requester performs the authentication operation according to a specified authentication mode and sends a request response message to the authenticator; 7) the authenticator packages the request response message in the request message for authentication and sends it to the authentication server; 8) the authentication operation is performed by the authentication server, and an authentication success/failure message is returned to the authenticator; 9) the authenticator takes out the authentication success/failure message and sends it to the access requester.

Description

Network access authentication method based on trusted cryptographic module chip
Technical Field
The invention relates to an authentication method in the field of data communication, in particular to a network access authentication method based on a trusted cryptography module chip.
Background
As shown in the Ethernet networking diagram of Fig. 1, a computer is connected to an Ethernet switch in a wired manner or to a wireless access point (AP) in a wireless manner, and is then connected through an Ethernet line to a core network such as an enterprise local area network or a metropolitan area network. In an actual deployment, the PC may be connected directly to the Ethernet switch, cascaded to it through a hub or another Ethernet switching device, or connected to a VDSL switch over a Very High Speed Digital Subscriber Line (VDSL), where the VDSL line carries Ethernet-based frames. In a wireless LAN, wireless Ethernet protocols such as IEEE (Institute of Electrical and Electronics Engineers) 802.11, 802.11a, 802.11b and 802.11g may be used to connect the PC and the AP.
The 802.1x protocol is known as a port-based access control protocol and is the authentication protocol of the trusted network access technology. Thanks to its secure design and simple implementation, 802.1x, together with other authentication protocols, provides rich authentication modes for users of broadband access modes such as Asymmetric Digital Subscriber Line (ADSL), VDSL, Local Area Network (LAN) and Wireless Local Area Network (WLAN).
Extensible Authentication Protocol (EAP) authentication is a new authentication framework designed for the Point-to-Point Protocol (PPP); it can carry many authentication methods, such as the commonly used EAP-MD5 (Message Digest 5, a hash algorithm) and EAP-TLS (Transport Layer Security). 802.1x provides the EAPoL (EAP over LAN) encapsulation and a framework for EAP authentication, and EAP has found many applications as the 802.1x protocol has evolved.
The 802.1X authentication system includes three important components, shown in Fig. 2: the access requester (supplicant), the authenticator, and the authentication server.
The access requester is typically a user terminal system on which access requester software is installed; the user initiates the 802.1x authentication procedure by starting that software. To support port-based access control, the access requester needs to support the EAPoL protocol.
The authenticator is typically a network device supporting the 802.1x protocol. The access requester reaches the LAN through a network access port of the authenticator; the network access port may be a physical port of the authenticator or may be identified by the Media Access Control (MAC) address of the access requester.
The network access port is divided into two virtual ports: a controlled port and an uncontrolled port. The uncontrolled port is always in a bidirectional communication state; it is used mainly to carry EAPoL authentication messages and guarantees that the access requester can always send and receive authentication messages. The controlled port carries service traffic: it is blocked in the unauthorized state and passes traffic in the authorized state. To suit different application environments, the controlled direction of the controlled port can be configured as bidirectional control or unidirectional control. In Fig. 2 the controlled port of the authenticator is in the unauthenticated, unauthorized state, so the access requester cannot reach the services behind the authenticator.
The authentication server is typically a RADIUS server that stores information about the user identity and device identity of the access requester, such as the access requester's device access control list. When the access requester passes authentication, the authentication server sends the relevant information about the access requester to the authenticator, the authenticator builds a dynamic access control list, and the subsequent traffic of the access requester is supervised according to these parameters.
The Port Authentication Entity (PAE) of the authenticator communicates with the access requester PAE through the uncontrolled port, and the EAPoL protocol runs between the authenticator PAE and the access requester PAE; the authenticator PAE runs the EAP protocol with the authentication server. If the authenticator PAE and the authentication server are integrated in the same system, the communication between them need not use EAP.
The 802.1x protocol uses EAP authentication. The user provides authentication information such as a user name and password, and the validity of the user's identity is proven to the authenticator through one of the EAP authentication modes contained in the 802.1x protocol. Common EAP authentication methods include MD5, TLS and One Time Password (OTP). After receiving the user's authentication information, the authenticator authenticates it with the corresponding authentication server through EAP carried on the RADIUS protocol (EAP over RADIUS, EAPoR for short).
The 802.1x authentication method is described below with EAP-MD5 as an example; in practice any 802.1x authentication method can be used. Fig. 3 is a schematic diagram of the EAP-MD5 authentication method. After the physical connection between the access requester and the authenticator is established, the access requester sends an EAPoL-Start message to the authenticator and 802.1x authentication begins; the authenticator sends an EAP authentication request message asking the access requester to submit a user name. The access requester answers with an EAP authentication response message containing the user name. The authenticator sends an access request message containing the EAP authentication response message to the RADIUS authentication server in EAPoR format, thereby submitting the user name to the RADIUS authentication server. The RADIUS authentication server generates a 128-bit challenge and replies to the authenticator with an access challenge message containing an EAP-MD5 challenge request message. The authenticator forwards the EAP-MD5 challenge request message to the access requester; on receiving it, the access requester hashes the password and the challenge with the MD5 algorithm to produce the challenge password and sends it to the authenticator in an EAP-MD5 challenge response message.
The authenticator sends the challenge password to the RADIUS authentication server in an access request message. The RADIUS authentication server verifies the challenge password, judges from the stored access requester information whether the access requester is legitimate, and replies to the authenticator with an authentication success/failure message; if authentication succeeded, the RADIUS success message also carries the negotiated authorization parameters and the relevant service attributes of the access requester. According to the result, the authenticator sends an EAP success/failure message to the access requester, informing it of the outcome. If authentication succeeded, an address is assigned to the access requester, and authorization, accounting and similar processes follow.
The 802.1x protocol suggests that authentication be implemented on the device closest to the user, so 802.1x authentication is typically implemented on an ethernet switch or AP.
For a general enterprise network, as shown in Fig. 4, an 802.1x authentication method may be used to authenticate a user at an AP or an Ethernet switch. A network with high security requirements must also prohibit access by external devices; for example, a network in a classified unit needs to authenticate the user and separately authenticate the device before granting network access.
Disclosure of Invention
The technical problem solved by the invention is to provide a network access authentication method based on a Trusted Cryptography Module (TCM) chip, giving a way to identify terminal equipment during network access by means of the TCM chip and thereby removing the possibility of forged terminal equipment in 802.1x network access authentication.
The present invention relates to an authentication method in which the Extensible Authentication Protocol (EAP) is carried on a higher-layer authentication protocol.
As shown in Fig. 5, the access requester, authenticator and authentication server of the present invention differ from the existing authentication system of Fig. 2 in that a trusted cryptography module hardware chip supports hardware identification: at every boot the access requester software collects the metric value stored in the chip and sends it through the access requester PAE to the authenticator PAE. The authentication server holds a dedicated or separate database, maintained in advance, of the TCM metric values (or the MD5 values of those metric values) of the devices enabled for authentication. On every authentication the authentication server receives, via the authenticator, the metric value stored in the TCM chip of the access requester.
As shown in Fig. 6, according to the "Trusted Computing Cryptography Support Platform Function and Interface Specification" issued by the cryptography administration, the trusted computing cryptography support platform consists mainly of a Trusted Cryptography Module (TCM) and a TCM Service Module (TSM); it uses the trusted cryptography module as its root of trust and realizes the platform security functions through the following three mechanisms together with the platform security management function.
(1) Starting from the root of trust for measurement, compute the integrity metric value of the system platform, establish the trust chain of the computer's system platform, and guarantee the trustworthiness of the system platform.
(2) The root of trust for reporting identifies the platform identity, is unique, and is the basis for platform identity attestation and integrity reporting.
(3) On the basis of the root of trust for storage, provide key management and platform data protection, together with the corresponding cryptographic services.
A Trusted Cryptography Module (TCM) is a necessary key basic component of a trusted computing cryptography support platform and provides independent cryptographic algorithm support. The TCM is a set of hardware and firmware, and can be in an independent packaging form or integrated with other types of chips to provide a Trusted Cryptography Module (TCM) function. The basic structure is shown in fig. 7. Wherein,
I/O is an input/output hardware interface of the TCM;
SMS4 engine: a unit to perform an SMS4 symmetric cryptographic operation;
SM2 engine: a unit for generating SM2 key pairs and performing SM2 encryption/decryption, signature operations;
SM3 engine: a unit for performing a hash operation;
a random number generator: a unit that generates a random number;
HMAC engine: a unit that computes message authentication codes using the SM3 engine;
an execution engine: an arithmetic execution unit of the TCM;
non-volatile memory: a storage unit storing permanent data;
a volatile memory: a storage unit for temporary data while the TCM is in operation.
TCM Service Module (TSM): the trusted cryptography module defines a subsystem with storage protection and execution protection; this subsystem establishes the root of trust for the computing platform, and its independent computing resources form a strictly bounded security protection mechanism. To prevent the TCM from becoming a performance bottleneck for the computing platform, the functions of the subsystem are divided into those that need protection and those that do not; the functions that do not need protection are executed by the platform's main processor, and these supporting functions make up the TCM Service Module (TSM). The TSM mainly provides support for the basic TCM resources; it consists of several parts whose interface definitions must be interoperable, and it exposes a standardized function interface.
As shown in Fig. 8, the integrity measurement process measures the software and hardware environment of the computer requesting access in order to ensure that the computer is trustworthy. The software and hardware environment of the computer comprises the CPU, memory, motherboard, graphics card, hard disk, optical drive, the various PCI/PCI-E cards inserted in the motherboard, and the various USB devices. The metrics of the motherboard cover the controllers it carries, such as the memory controller and the SATA controller.
The technical scheme of the invention is as follows:
A network access authentication method based on a trusted cryptography module chip involves an access requester, an authenticator and an authentication server. The access requester and the authenticator communicate using the extended authentication protocol carried over the local area network, and the authenticator and the authentication server communicate using the extended authentication protocol carried on a higher-layer authentication protocol. The authentication method comprises the following steps:
1) the access requester initiates an authentication start message to start authentication;
2) the authenticator processes the authentication start message and obtains the access requester's identity authentication information, which comes from the computer's trusted cryptography module chip and comprises user identity authentication information and/or device authentication information of the requester, and responds to the message through the extended authentication protocol;
3) the authenticator encapsulates the extended authentication protocol response message in an access request message of the higher-layer authentication protocol and sends it to the authentication server;
4) the authentication server generates an access request message of the higher-layer authentication protocol containing an extended authentication mode request message and sends it to the authenticator;
5) the authenticator extracts the extended authentication mode request message and sends it to the access requester;
6) the access requester performs the authentication processing according to the specified extended authentication mode and sends a request response message to the authenticator;
7) the authenticator encapsulates the request response message in an access request message of the higher-layer authentication protocol and sends it to the authentication server;
8) the authentication server verifies the user identity authentication information and/or the device authentication information, which contains the system metric value computed by the trusted cryptography module chip;
9) if verification fails, the authentication server returns an authentication failure message to the authenticator, the authenticator forwards it to the access requester, and the access requester is refused network access;
10) if verification succeeds, the authentication server returns an authentication success message to the authenticator, and the authenticator places the access requester into one of several subnets according to the authentication policy carried in the success message.
The access requester corresponds to a user terminal, the authenticator corresponds to a wireless access point AP or an Ethernet switch, and the authentication server corresponds to a RADIUS server.
Step 2) further comprises: the authenticator sends an extended authentication protocol request message asking the access requester to submit identity authentication information; the access requester replies with an extended authentication protocol response message containing the identity authentication information.
The device authentication information in step 2) is generated and stored by the trusted cryptography module chip, and the uniqueness of the device is identified through the trusted chain of trust.
The authenticator obtains the message information by intercepting messages and then forwards them; the authenticator may repackage a message before forwarding it.
Step 6) further comprises: before the access requester sends the response message to the authenticator, the user identity authentication information and the device authentication information are generated.
The system metric value computed by the trusted cryptography module chip in step 8) is obtained as follows:
8.1) after the computer is powered on, the BIOS first completes initialization of the trusted cryptography module chip and establishes that the root of trust for measurement is trusted;
8.2) the CPU microcode is measured with the built-in algorithm of the trusted cryptography module chip and the result is stored in platform configuration register 0 (PCR0) of the chip;
8.3) the initialization ROMs of the memory and of each motherboard controller are measured with the built-in algorithm of the chip and the result is stored in PCR1;
8.4) the ROMs and device numbers of external devices such as the hard disk, optical drive and USB devices are measured with the built-in algorithm of the chip and the result is stored in PCR2;
8.5) each process module of the operating system is measured with the built-in algorithm of the chip and the result is stored in PCR3;
8.6) the built-in algorithm of the chip computes a digest over registers PCR0 through PCR3, which yields the integrity metric value.
Before step 1) the method may further comprise: configuring whether the port control function of the authenticator is enabled.
Before step 1) the method may further comprise:
the access requester collects the user identity authentication information and the device authentication information and sends them to the authenticator in a trusted manner;
the authenticator sends the user identity authentication information and the device authentication information to the authentication server;
the authentication server stores the user identity authentication information and the device authentication information.
Before step 1) the method may further comprise: the authentication server configures different network access policies for the user and for the device.
According to the above technical scheme, the invention has the following beneficial effects:
A network access authentication method using a trusted cryptography module chip is provided, and network access by counterfeit terminals is effectively prevented. The trusted cryptography module chip performs integrity measurement, storage and reporting on the access requester, ensuring that the access requester is trusted.
Drawings
Fig. 1 is a schematic networking diagram of a general Ethernet network.
Fig. 2 is the architecture of an IEEE 802.1X authentication system.
Fig. 3 is a diagram illustrating the conventional EAP-MD5 authentication method.
Fig. 4 is a schematic diagram of a general enterprise network.
Fig. 5 is the architecture of the access requester, authenticator and authentication server according to the present invention.
Fig. 6 is the functional architecture of a trusted computing cryptography support platform.
Fig. 7 is a diagram of a trusted cryptography module.
Fig. 8 is the integrity measurement flow.
Fig. 9 is a diagram of an example authentication process according to an embodiment of the present invention.
Detailed Description
The present invention is further described below with reference to examples. The scope of the invention, which is set forth in the following claims, is not limited by these examples.
Fig. 9 is a schematic diagram of the authentication method of the present invention. Using the extensibility of the EAP protocol, the authentication system may select different authentication algorithms; the method of the present invention is described in detail below using the 802.1x authentication procedure of EAP-MD5 as an example.
The access requester corresponds to a user terminal, the authenticator corresponds to a wireless access point AP or an Ethernet switch, and the authentication server corresponds to a RADIUS server.
The user terminal first uses the cryptographic hash algorithm provided by the TCM chip to perform an integrity measurement of the access requester; if the integrity has been compromised, the user terminal abandons the current authentication request.
The integrity measurement process measures the software and hardware environment of the computer requesting access in order to ensure that the computer is trustworthy. The software and hardware environment of the computer comprises the CPU, memory, motherboard, graphics card, hard disk, optical drive, the various PCI/PCI-E cards inserted in the motherboard, and the various USB devices. The metrics of the motherboard cover the controllers it carries, such as the memory controller and the SATA controller.
The measurement process is as follows:
1) after the computer is powered on, the BIOS first completes initialization of the TCM security chip and establishes that the root of trust for measurement is trusted;
2) the CPU microcode is measured with the built-in algorithm of the security chip and the result is stored in platform configuration register 0 (PCR0) of the chip;
3) the initialization ROMs of the memory and of each motherboard controller are measured with the built-in algorithm of the security chip and the result is stored in PCR1;
4) the ROMs and device numbers of external devices such as the hard disk, optical drive and USB devices are measured with the built-in algorithm of the security chip and the result is stored in PCR2;
5) each process module of the operating system is measured with the built-in algorithm of the security chip and the result is stored in PCR3;
6) the built-in algorithm of the security chip computes a digest over registers PCR0 through PCR3, yielding the integrity metric value.
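The six-step measurement above (and the identical steps 8.1 to 8.6 in the technical scheme) can be modelled as a chain of register extensions followed by one digest over the four registers. The following Python is an added example written for this page, not code from the patent or from Tongfang; it assumes the usual TPM/TCM "extend" rule (new register value = hash of old value concatenated with the measurement), uses SHA-256 as a stand-in for the chip's SM3 engine because Python's standard library has no portable SM3, and measures a constructed platform snapshot whose byte strings merely stand for microcode images, option ROMs and module binaries.

```python
import hashlib
import hmac

# Stand-in for the TCM's SM3 hash engine: Python's hashlib has no portable SM3,
# so SHA-256 is used here (an assumption of this example; the chip itself uses SM3).
def measure(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

DIGEST_LEN = 32

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend operation, new = H(old || measurement).

    This is the usual TPM/TCM register semantics; the page only says the result
    is 'stored into' the register, so the extend rule is this example's assumption.
    """
    return measure(pcr + measurement)

# Constructed platform snapshot. Each byte string stands for what the BIOS or OS
# loader would read from that component (a microcode image, an option ROM, ...).
PLATFORM = {
    "cpu_microcode": [b"microcode-rev-0x2a"],
    "board_roms":    [b"memory-controller-init-rom", b"sata-controller-init-rom"],
    "peripherals":   [b"hdd:SN-CONSTRUCTED-0001", b"odd-rom:v1", b"usb:1d6b:0002"],
    "os_modules":    [b"kernel-image", b"netfilter.ko", b"supplicant-daemon"],
}

# Register assignment from the page: CPU microcode -> PCR0, memory/motherboard
# controller ROMs -> PCR1, external-device ROMs and device numbers -> PCR2,
# operating-system process modules -> PCR3.
PCR_PLAN = [("cpu_microcode", 0), ("board_roms", 1), ("peripherals", 2), ("os_modules", 3)]

def run_measurement(platform: dict) -> list:
    """Steps 1-5: initialise the registers, then extend each PCR with its components."""
    pcrs = [bytes(DIGEST_LEN)] * 4          # step 1: chip initialised, PCRs at zero
    for group, index in PCR_PLAN:
        for component in platform[group]:
            pcrs[index] = extend(pcrs[index], measure(component))
    return pcrs

def integrity_metric(platform: dict) -> str:
    """Step 6: the digest over PCR0..PCR3 is the integrity metric value (hex)."""
    pcrs = run_measurement(platform)
    return measure(b"".join(pcrs)).hex()

def integrity_intact(platform: dict, expected_metric: str) -> bool:
    """The comparison the user terminal (and later the server) makes against the stored value."""
    return hmac.compare_digest(integrity_metric(platform), expected_metric)

if __name__ == "__main__":
    reference = integrity_metric(PLATFORM)   # the value the authentication server keeps on file
    tampered = dict(PLATFORM, os_modules=PLATFORM["os_modules"] + [b"unexpected-module.ko"])
    print("reference metric :", reference)
    print("boot intact      :", integrity_intact(PLATFORM, reference))
    print("after tampering  :", integrity_intact(tampered, reference))
```

Because each register is extended rather than overwritten, the metric depends on both the content and the order of every component measured into it; adding one operating-system module, or loading two controller ROMs in the opposite order, changes the final value, which is what lets the server detect a terminal whose environment differs from the one enrolled in its database.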
The user terminal sends an EAPoL-Start message to the AP and 802.1x authentication begins. The AP sends an EAP identity authentication request message to the user terminal, asking the access requester to send its user name and device name. The access requester replies to the AP with an EAP identity authentication response message containing the user name and an indication of whether TCM chip information is included. The AP encapsulates the EAP identity authentication response message in a RADIUS access request message and sends it to the authentication server. On receiving the RADIUS access request message, the authentication server generates and sends a RADIUS access challenge message to the AP; it contains an EAP-MD5 challenge request for verifying the user's identity and a signature over the device information for verifying the device's identity. On receiving the access challenge message, the AP sends the EAP-MD5 challenge request it contains to the user terminal. On receiving the EAP-MD5 challenge request message, the user terminal computes MD5 over the password and the challenge (the password part comprises the user's identity password and the device integrity metric value previously computed by the TCM chip, which serves as the device identifier) and then sends the challenge, the challenge password and the user name to the AP in an EAP-MD5 challenge response message. The AP encapsulates the EAP-MD5 challenge response message in a RADIUS access request message and sends it to the authentication server for authentication.
The authentication server judges from the user information whether the user is legitimate and, from the device integrity metric value previously stored in its database, whether the device the user is using is legitimate, and then replies to the AP with an authentication success/failure message; if authentication succeeded, the RADIUS message contains the negotiated authorization parameters and the related service attributes of the user. After the AP obtains the corresponding message, it sends EAP-Success or EAP-Failure to the access requester's user terminal, indicating the outcome of the authentication.
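The challenge/response exchange just described, covering both the conventional EAP-MD5 flow from the Background section and this embodiment's variant in which the device's TCM metric is folded into the secret, is shown below as an added Python example; it is not code from the patent or from Tongfang. It assumes the CHAP response formula MD5(Identifier || Secret || Challenge) from RFC 3748 and RFC 1994, assumes that "the password part comprises" the user password and the metric means plain concatenation, and uses constructed user and device records in place of the server's database. The hypothetical `PENDING` table is an added check: the server only accepts a response whose echoed challenge matches one it issued, so a captured response cannot be replayed.

```python
import hashlib
import hmac
import os

# Constructed authentication-server records. The page says the server keeps the
# TCM metric value (or its MD5) of every authentication-enabled device, maintained
# in advance; here it is keyed by a constructed device name.
USER_DB = {"alice": b"correct-horse-battery"}
DEVICE_DB = {
    "laptop-0001": bytes.fromhex(
        "0f1e2d3c4b5a69788796a5b4c3d2e1f0" "00112233445566778899aabbccddeeff"),
}
PENDING = {}   # EAP identifier -> challenge the server issued and has not yet consumed

def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 (CHAP) response value: MD5(Identifier || Secret || Challenge), RFC 3748 / RFC 1994."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def combined_secret(password: bytes, device_metric: bytes) -> bytes:
    # The page says the 'password part' comprises the user password and the TCM
    # integrity metric; plain concatenation is this example's assumption.
    return password + device_metric

def server_issue_challenge(identifier: int) -> dict:
    """Authentication server: 128-bit challenge carried in an EAP-MD5-Challenge request."""
    challenge = os.urandom(16)
    PENDING[identifier] = challenge
    return {"type": "EAP-MD5-Challenge", "id": identifier, "challenge": challenge}

def supplicant_respond(request: dict, user: str, password: bytes,
                       device: str, device_metric: bytes) -> dict:
    """Access requester: hash password+metric with the challenge, return name and response."""
    secret = combined_secret(password, device_metric)
    response = eap_md5_response(request["id"], secret, request["challenge"])
    return {"type": "EAP-MD5-Response", "id": request["id"], "user": user,
            "device": device, "challenge": request["challenge"], "response": response}

def server_verify(response: dict) -> str:
    """Authentication server decision: 'EAP-Success' or 'EAP-Failure'.

    Fails closed for an unknown user, an unknown or mismatching device metric
    (a forged terminal), a wrong password, or a replayed/unsolicited challenge.
    """
    issued = PENDING.pop(response["id"], None)
    if issued is None or not hmac.compare_digest(issued, response["challenge"]):
        return "EAP-Failure"
    password = USER_DB.get(response["user"])
    metric = DEVICE_DB.get(response["device"])
    if password is None or metric is None:
        return "EAP-Failure"
    expected = eap_md5_response(response["id"], combined_secret(password, metric), issued)
    return "EAP-Success" if hmac.compare_digest(expected, response["response"]) else "EAP-Failure"

if __name__ == "__main__":
    req = server_issue_challenge(7)
    good = supplicant_respond(req, "alice", USER_DB["alice"], "laptop-0001", DEVICE_DB["laptop-0001"])
    print("genuine terminal :", server_verify(good))
    req = server_issue_challenge(8)
    forged = supplicant_respond(req, "alice", USER_DB["alice"], "laptop-0001", bytes(32))
    print("forged terminal  :", server_verify(forged))
```

The second run in the demo is the case the patent targets: the user name and password are correct, but the terminal presenting them does not hold the enrolled metric, so the response does not match and the server returns EAP-Failure. The AP never sees the password or the metric, only the identifier, challenge and response, which is why the authenticator can stay a pure forwarder of EAP messages.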
In the message interception mode, the destination address of the message sent by the AP is the authentication server, and the AP must be configured with the same key as the authentication server for protecting the RADIUS messages.
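The shared key mentioned above is what binds a RADIUS reply to the request it answers. The following Python is an added example for this page, not code from the patent or from Tongfang; it implements the Response Authenticator of RFC 2865 section 3, MD5(Code + ID + Length + RequestAuth + Attributes + Secret), over a minimal RADIUS packet encoder, and shows the AP-side check that rejects a reply produced with a different key or altered in transit. Packet codes, the EAP-Message attribute type (79, RFC 3579) and the 20-byte header layout are standard; the secrets, identifiers and EAP payloads are constructed.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865) and the EAP-Message attribute type (RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
EAP_MESSAGE = 79
HEADER_LEN = 20   # Code(1) Identifier(1) Length(2) Authenticator(16)

def encode_attrs(attrs) -> bytes:
    """Attributes are Type(1) Length(1) Value TLVs; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_packet(code: int, ident: int, authenticator: bytes, attrs_bytes: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs_bytes)) + authenticator + attrs_bytes

def response_authenticator(code, ident, attrs_bytes, request_auth, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()

def server_reply(request: bytes, code: int, attrs, secret: bytes) -> bytes:
    """Authentication server: answer an Access-Request, binding the reply to its Request Authenticator."""
    ident, request_auth = request[1], request[4:HEADER_LEN]
    attrs_bytes = encode_attrs(attrs)
    auth = response_authenticator(code, ident, attrs_bytes, request_auth, secret)
    return build_packet(code, ident, auth, attrs_bytes)

def authenticator_verify(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """AP side: recompute the Response Authenticator with its own configured key.

    A reply from a server holding a different key, or one altered in transit,
    fails this check and must be silently discarded.
    """
    if len(reply) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    attrs_bytes = reply[HEADER_LEN:length]
    expected = response_authenticator(code, ident, attrs_bytes, request_auth, secret)
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])

def exchange(ap_secret: bytes, server_secret: bytes) -> bool:
    """One Access-Request / Access-Accept round trip; True if the AP accepts the reply."""
    request_auth = os.urandom(16)                       # fresh per request (RFC 2865)
    eap_identity = b"\x02\x2a\x00\x0a\x01alice"         # constructed EAP Response/Identity, id 42
    request = build_packet(ACCESS_REQUEST, 42, request_auth,
                           encode_attrs([(EAP_MESSAGE, eap_identity)]))
    eap_success = b"\x03\x2a\x00\x04"                   # EAP-Success, id 42
    reply = server_reply(request, ACCESS_ACCEPT, [(EAP_MESSAGE, eap_success)], server_secret)
    return authenticator_verify(reply, request_auth, ap_secret)

if __name__ == "__main__":
    print("same key on AP and server :", exchange(b"constructed-secret", b"constructed-secret"))
    print("mismatched key            :", exchange(b"constructed-secret", b"other-secret"))
```

Without this check an AP would accept an Access-Accept from any host that can reach it, so the key mismatch case is the one to test when deploying the authenticator. For packets that carry EAP-Message, RFC 3579 additionally requires the HMAC-MD5 Message-Authenticator attribute, which this example leaves out.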
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art will understand that modifications or equivalent substitutions may be made to the technical solutions of the present invention without departing from their spirit and scope, and such modifications are covered by the claims of the present invention.

Claims (10)

1. A network access authentication method based on a trusted cryptography module chip, characterized in that the method involves an access requester, an authenticator and an authentication server, wherein the access requester and the authenticator communicate using the extended authentication protocol carried over the local area network, and the authenticator and the authentication server communicate using the extended authentication protocol carried on a higher-layer authentication protocol, and the authentication method comprises the following steps:
1) the access requester initiates an authentication start message to start authentication;
2) the authenticator processes the authentication start message and obtains the access requester's identity authentication information, which comes from the trusted cryptography module chip and comprises user identity authentication information and/or device authentication information of the requester, and responds to the message through the extended authentication protocol;
3) the authenticator encapsulates the extended authentication protocol response message in an access request message of the higher-layer authentication protocol and sends it to the authentication server;
4) the authentication server generates an access request message of the higher-layer authentication protocol containing an extended authentication mode request message and sends it to the authenticator;
5) the authenticator extracts the extended authentication mode request message and sends it to the access requester;
6) the access requester performs the authentication processing according to the specified extended authentication mode and sends a request response message to the authenticator;
7) the authenticator encapsulates the request response message in an access request message of the higher-layer authentication protocol and sends it to the authentication server;
8) the authentication server verifies the user identity authentication information and/or the device authentication information, which contains the system metric value computed by the trusted cryptography module chip;
9) if verification fails, the authentication server returns an authentication failure message to the authenticator, the authenticator forwards it to the access requester, and the access requester is refused network access;
10) if verification succeeds, the authentication server returns an authentication success message to the authenticator, and the authenticator places the access requester into one of several subnets according to the authentication policy carried in the success message.
2. The method according to claim 1, wherein the access requester corresponds to a user terminal, the authenticator corresponds to a wireless access point (AP) or an Ethernet switch, and the authentication server corresponds to a RADIUS server.
3. The network access authentication method based on the trusted cryptography module chip according to claim 1, wherein step 2) further comprises: the authenticator sends to the access requester an extensible authentication protocol request message asking it to submit identity authentication information; the access requester returns to the authenticator an extensible authentication protocol response message containing the identity authentication information.
4. The network access authentication method based on the trusted cryptography module chip according to claim 1, wherein the device authentication information of step 2) is generated and stored by the trusted cryptography module chip and identifies the device uniquely through a chain of trust.
5. The network access authentication method based on the trusted cryptography module chip according to claim 1, wherein the authenticator acquires message information by intercepting messages and forwards the messages; the authenticator may repackage a message before forwarding it.
6. The network access authentication method based on the trusted cryptography module chip according to claim 1, wherein step 6) further comprises: before the access requester sends the response message to the authenticator, the user identity authentication information and the device authentication information are generated.
7. The network access authentication method based on the trusted cryptography module chip according to claim 1, wherein the calculation of the system metric by the trusted cryptography module chip in step 8) comprises the following steps:
8.1) after the computer is powered on, the BIOS first initializes the trusted cryptography module chip and establishes that the root of trust for measurement is trusted;
8.2) measuring the CPU microcode using the built-in algorithm of the trusted cryptography module chip and storing the result in chip-specific register zero (PCR 0);
8.3) measuring the initialization ROMs of the memory and of each controller on the mainboard using the built-in algorithm of the trusted cryptography module chip and storing the result in chip-specific register one (PCR 1);
8.4) measuring the ROMs and device numbers of external devices such as the hard disk, optical drive and USB devices using the built-in algorithm of the trusted cryptography module chip and storing the result in chip-specific register two (PCR 2);
8.5) measuring each process module of the operating system using the built-in algorithm of the trusted cryptography module chip and storing the result in chip-specific register three (PCR 3);
8.6) using the built-in algorithm of the trusted cryptography module chip, computing a digest over the chip-specific registers from register zero (PCR 0) to register three (PCR 3), thereby obtaining the integrity metric value.
8. The network access authentication method based on the trusted cryptography module chip according to claim 1, wherein step 1) is preceded by: configuring whether the port control function of the authenticator is enabled.
9. The network access authentication method based on the trusted cryptography module chip according to claim 1, wherein step 1) is preceded by the following steps:
the access requester collects user identity authentication information and device authentication information and sends the user identity authentication information and the device authentication information to the authenticator in a trusted manner;
the authenticator sends the user identity authentication information and the device authentication information to the authentication server;
and the authentication server stores the user identity authentication information and the device authentication information.
10. The network access authentication method based on the trusted cryptography module chip according to claim 1, wherein step 1) is preceded by: the authentication server configures different network access policies for the user and for the device.
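The following Python simulation is an added example and is not code from the patent or its applicant. It models two things the claims describe: the measurement chain of claim 7 (extending component measurements into PCR 0 to PCR 3 and digesting the bank into an integrity metric value, steps 8.2 to 8.6) and the three-party exchange of claims 1, 9 and 10 (enrolment of user and device information, challenge and response through the authenticator, verification of both the user proof and the device metric, and placement of the port in a subnet chosen by policy). SHA-256 in place of the chip's built-in algorithm, the HMAC-based user proof, the dictionary message formats, the boot component strings, the user names and the subnet values are all constructed assumptions; the EAP and RADIUS wire encodings are not modelled.

```python
"""Added example, not from the patent or its applicant: a simulation of the TCM
measurement chain of claim 7 and the three-party authentication of claims 1, 9
and 10. Hash function, message dictionaries, names, boot components and subnet
policies are constructed assumptions; EAP/RADIUS wire formats are not modelled."""
import hashlib
import hmac
import os

PCR_COUNT = 4  # PCR 0..PCR 3, claim 7 steps 8.2 to 8.5

def extend(pcr: bytes, measurement: bytes) -> bytes:
    # TPM/TCM-style extend, new = H(old || H(measurement)); SHA-256 stands in
    # for the chip's built-in algorithm (assumption).
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(stages):
    # stages: (pcr_index, component_bytes) in boot order. Extend is
    # order-sensitive, so the bank encodes the whole boot sequence.
    pcrs = [bytes(32)] * PCR_COUNT
    for idx, blob in stages:
        pcrs[idx] = extend(pcrs[idx], blob)
    return pcrs

def integrity_metric(pcrs) -> bytes:
    # Step 8.6: one digest over PCR 0..PCR 3 is the integrity metric value.
    return hashlib.sha256(b"".join(pcrs)).digest()

# Constructed boot components: CPU microcode (PCR 0), memory/controller ROMs
# (PCR 1), peripheral ROMs and device numbers (PCR 2), OS modules (PCR 3).
GOOD_BOOT = [(0, b"cpu-microcode-v1"), (1, b"memory-init"), (1, b"nic-rom"),
             (2, b"disk-rom:SN-0001"), (2, b"usb-ctrl-rom"),
             (3, b"kernel"), (3, b"init")]

class AuthServer:
    """RADIUS-server role: enrolled users/devices (claim 9), policies (claim 10)."""
    def __init__(self):
        self.users = {}     # user -> shared secret
        self.devices = {}   # device_id -> reference integrity metric
        self.policies = {}  # (user, device_id) -> subnet
        self.pending = {}   # user -> nonce issued in the current exchange

    def enroll(self, user, secret, device_id, metric, subnet):
        self.users[user] = secret
        self.devices[device_id] = metric
        self.policies[(user, device_id)] = subnet

    def handle(self, req):
        # Step 4 issues a challenge; steps 8 to 10 verify user and device.
        if req["type"] == "identity":
            nonce = os.urandom(16)
            self.pending[req["user"]] = nonce
            return {"type": "challenge", "nonce": nonce}
        user, dev = req["user"], req["device_id"]
        nonce, secret = self.pending.pop(user, None), self.users.get(user)
        ref = self.devices.get(dev)
        if nonce is None or secret is None or ref is None:
            return {"type": "reject"}
        expected = hmac.new(secret, nonce + req["metric"], "sha256").digest()
        if not hmac.compare_digest(expected, req["proof"]):
            return {"type": "reject"}  # user identity check failed (step 9)
        if not hmac.compare_digest(ref, req["metric"]):
            return {"type": "reject"}  # metric differs from enrolment (step 9)
        return {"type": "accept", "subnet": self.policies[(user, dev)]}  # step 10

class Supplicant:
    """Access-requester role: holds the user secret and the TCM-computed metric."""
    def __init__(self, user, secret, device_id, boot_stages):
        self.user, self.secret, self.device_id = user, secret, device_id
        self.metric = integrity_metric(measure_boot(boot_stages))

    def respond(self, challenge):
        # Step 6: the proof binds the user secret to the nonce and the metric.
        proof = hmac.new(self.secret, challenge["nonce"] + self.metric, "sha256").digest()
        return {"type": "response", "user": self.user, "device_id": self.device_id,
                "metric": self.metric, "proof": proof}

def authenticate(supplicant, server):
    # Authenticator role (AP/switch): relays EAP messages inside access requests
    # (steps 3, 5, 7) and applies the subnet from the success message (step 10).
    identity = {"type": "identity", "user": supplicant.user,
                "device_id": supplicant.device_id}
    challenge = server.handle(identity)
    result = server.handle(supplicant.respond(challenge))
    if result["type"] == "accept":
        return {"port": "authorized", "subnet": result["subnet"]}
    return {"port": "unauthorized", "subnet": None}

def demo():
    server = AuthServer()
    good = Supplicant("alice", b"alice-secret", "dev-01", GOOD_BOOT)
    server.enroll("alice", b"alice-secret", "dev-01", good.metric, "10.1.0.0/24")
    tampered_boot = GOOD_BOOT[:5] + [(3, b"kernel-modified"), (3, b"init")]
    tampered = Supplicant("alice", b"alice-secret", "dev-01", tampered_boot)
    wrong_secret = Supplicant("alice", b"guess", "dev-01", GOOD_BOOT)
    return (authenticate(good, server), authenticate(tampered, server),
            authenticate(wrong_secret, server))
```

Two design points carry over to a real deployment. The server keeps the nonce it issued and pops it when the response arrives, so a captured response cannot be replayed; and the extend operation is order-sensitive, so the reference metric stored at enrolment only matches if the same components are measured in the same boot order, which is exactly what lets a modified operating-system module in the tampered case produce a different value and a rejection even though the user credential is correct.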
CN2012100862254A 2012-03-29 2012-03-29 Trustable cipher module chip-based network access authentication method Pending CN103368905A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012100862254A CN103368905A (en) 2012-03-29 2012-03-29 Trustable cipher module chip-based network access authentication method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2012100862254A CN103368905A (en) 2012-03-29 2012-03-29 Trustable cipher module chip-based network access authentication method

Publications (1)

Publication Number Publication Date
CN103368905A true CN103368905A (en) 2013-10-23

Family

ID=49369459

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2012100862254A Pending CN103368905A (en) 2012-03-29 2012-03-29 Trustable cipher module chip-based network access authentication method

Country Status (1)

Country Link
CN (1) CN103368905A (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104618268A (en) * 2014-12-30 2015-05-13 北京奇虎科技有限公司 Network admission control method, authentication server and terminal
WO2015192453A1 (en) * 2014-06-17 2015-12-23 中兴通讯股份有限公司 Method for accessing wireless access point device by terminal, wireless access point device, and terminal
CN105488418A (en) * 2015-11-24 2016-04-13 航天恒星科技有限公司 Trusted boot method and system for virtualization platform server
CN106101111A (en) * 2016-06-24 2016-11-09 郑州信大捷安信息技术股份有限公司 Vehicle electronics safe communication system and communication means
CN106919846A (en) * 2015-12-25 2017-07-04 中国科学院上海高等研究院 A kind of message-oriented middleware processing method and system
CN108353085A (en) * 2015-11-11 2018-07-31 阿尔卡特朗讯公司 It supports to carry out IMEI inspections to the packet core of WLAN access to mobile network
CN109063489A (en) * 2018-08-28 2018-12-21 郑州云海信息技术有限公司 A kind of starting method and device
CN109951418A (en) * 2017-12-20 2019-06-28 北京可信华泰信息技术有限公司 A kind of safe verification method and terminal
CN109951416A (en) * 2017-12-20 2019-06-28 北京可信华泰信息技术有限公司 A kind of trust authentication method and terminal
CN110022561A (en) * 2019-03-29 2019-07-16 联想(北京)有限公司 Information processing method and information processing unit
CN110046489A (en) * 2019-04-10 2019-07-23 山东超越数控电子股份有限公司 A kind of credible access verifying system based on domestic Loongson processor, computer and readable storage medium storing program for executing
CN110298183A (en) * 2019-06-26 2019-10-01 浪潮金融信息技术有限公司 A kind of method of cascade protection data safety
CN113904856A (en) * 2021-10-15 2022-01-07 广州威戈计算机科技有限公司 Authentication method, switch and authentication system
CN115348112A (en) * 2022-10-18 2022-11-15 中国人民解放军军事科学院系统工程研究院 Method for local area network exchange equipment access authentication and trusted networking

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101527024A (en) * 2008-03-06 2009-09-09 同方股份有限公司 Safe web bank system and realization method thereof
WO2011116459A1 (en) * 2010-03-25 2011-09-29 Enomaly Inc. System and method for secure cloud computing
CN102271120A (en) * 2010-06-02 2011-12-07 清大安科(北京)科技有限公司 Trusted network access authentication method capable of enhancing security


Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015192453A1 (en) * 2014-06-17 2015-12-23 中兴通讯股份有限公司 Method for accessing wireless access point device by terminal, wireless access point device, and terminal
CN104618268A (en) * 2014-12-30 2015-05-13 北京奇虎科技有限公司 Network admission control method, authentication server and terminal
CN108353085A (en) * 2015-11-11 2018-07-31 阿尔卡特朗讯公司 It supports to carry out IMEI inspections to the packet core of WLAN access to mobile network
CN108353085B (en) * 2015-11-11 2021-04-13 阿尔卡特朗讯公司 IMEI checking for packet core supporting WLAN access to mobile network
CN105488418B (en) * 2015-11-24 2019-12-13 航天恒星科技有限公司 trusted starting method and system of virtualization platform server
CN105488418A (en) * 2015-11-24 2016-04-13 航天恒星科技有限公司 Trusted boot method and system for virtualization platform server
CN106919846A (en) * 2015-12-25 2017-07-04 中国科学院上海高等研究院 A kind of message-oriented middleware processing method and system
CN106919846B (en) * 2015-12-25 2020-03-24 中国科学院上海高等研究院 Message middleware processing method and system
CN106101111A (en) * 2016-06-24 2016-11-09 郑州信大捷安信息技术股份有限公司 Vehicle electronics safe communication system and communication means
CN109951418B (en) * 2017-12-20 2021-07-27 北京可信华泰信息技术有限公司 Security verification method and terminal
CN109951416B (en) * 2017-12-20 2021-07-06 北京可信华泰信息技术有限公司 Credible verification method and terminal
CN109951418A (en) * 2017-12-20 2019-06-28 北京可信华泰信息技术有限公司 A kind of safe verification method and terminal
CN109951416A (en) * 2017-12-20 2019-06-28 北京可信华泰信息技术有限公司 A kind of trust authentication method and terminal
CN109063489A (en) * 2018-08-28 2018-12-21 郑州云海信息技术有限公司 A kind of starting method and device
CN110022561A (en) * 2019-03-29 2019-07-16 联想(北京)有限公司 Information processing method and information processing unit
CN110022561B (en) * 2019-03-29 2020-10-27 联想(北京)有限公司 Information processing method and information processing apparatus
CN110046489A (en) * 2019-04-10 2019-07-23 山东超越数控电子股份有限公司 A kind of credible access verifying system based on domestic Loongson processor, computer and readable storage medium storing program for executing
CN110046489B (en) * 2019-04-10 2023-02-24 超越科技股份有限公司 Trusted access verification system based on domestic Loongson processor, computer and readable storage medium
CN110298183A (en) * 2019-06-26 2019-10-01 浪潮金融信息技术有限公司 A kind of method of cascade protection data safety
CN110298183B (en) * 2019-06-26 2021-07-20 浪潮金融信息技术有限公司 Method for protecting data security in grading manner
CN113904856A (en) * 2021-10-15 2022-01-07 广州威戈计算机科技有限公司 Authentication method, switch and authentication system
CN113904856B (en) * 2021-10-15 2024-04-23 广州威戈计算机科技有限公司 Authentication method, switch and authentication system
CN115348112A (en) * 2022-10-18 2022-11-15 中国人民解放军军事科学院系统工程研究院 Method for local area network exchange equipment access authentication and trusted networking
CN115348112B (en) * 2022-10-18 2022-12-09 中国人民解放军军事科学院系统工程研究院 Method for local area network exchange equipment access authentication and trusted networking

Similar Documents

Publication Publication Date Title
CN103368905A (en) Trustable cipher module chip-based network access authentication method
US10027664B2 (en) Secure simple enrollment
US9467430B2 (en) Device, method, and system for secure trust anchor provisioning and protection using tamper-resistant hardware
CN113545006B (en) Remote authorized access locked data storage device
US8510553B2 (en) Secure credential management
EP3073668B1 (en) Apparatus and method for authenticating network devices
TWI582638B (en) Electronic device, method for establishing and enforcing a security policy associated with an access control element, and secure element
KR100831437B1 (en) Method, apparatuses and computer program product for sharing cryptographic key with an embedded agent on a network endpoint in a network domain
JP6896940B2 (en) Symmetrical mutual authentication method between the first application and the second application
US7826427B2 (en) Method for secure transfer of data to a wireless device for enabling multi-network roaming
US20080077592A1 (en) method and apparatus for device authentication
EP2633716B1 (en) Data processing for securing local resources in a mobile device
US8832811B2 (en) Network access control for trusted platforms
US8452954B2 (en) Methods and systems to bind a device to a computer system
JP2011222010A (en) Method and system for securely and remotely startup, boot, and login from mobile device to computer
TW201735578A (en) Controlled secure code authentication
US8397281B2 (en) Service assisted secret provisioning
JP2004508619A (en) Trusted device
KR101739203B1 (en) Password-based user authentication method using one-time private key-based digital signature and homomorphic encryption
CN112733129B (en) Trusted access method for server out-of-band management
CN103368906A (en) Trustable cipher module chip-based trustable network access authentication system
CN114175574A (en) Wireless security protocol
CN102271120A (en) Trusted network access authentication method capable of enhancing security
CN114765551A (en) SDP access control method and device based on block chain
CN114553566B (en) Data encryption method, device, equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20131023