CN104184706A - AAA enhanced encryption and authentication method - Google Patents


Info

Publication number
CN104184706A
Authority
CN
China
Prior art keywords
user
access
nas
server
encryption
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending (as listed in the page header; the Legal Events section below records a Decision of Rejection and code RJ01, rejection of the application after publication)
Application number
CN201310195880.8A
Other languages
Chinese (zh)
Inventor
路刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING HUANYARUIDA TECHNOLOGY Co Ltd
Original Assignee
BEIJING HUANYARUIDA TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2013-05-24
Filing date
2013-05-24
Publication date
2014-12-03
Application filed by BEIJING HUANYARUIDA TECHNOLOGY Co Ltd
Priority to CN201310195880.8A
Publication of CN104184706A

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses an AAA enhanced encryption and authentication method, and relates to an authentication method. The encryption and authentication method comprises the following steps: a user accesses a network access server (NAS); the NAS submits the user information to a RADIUS server in an Access-Request packet, in which the user password is hidden with an MD5-derived keystream based on a shared secret held by both sides; the RADIUS server checks the validity of the user name and password; if they are valid, an Access-Accept packet is returned to the NAS and the user is allowed to proceed to the next step, and if they are invalid, an Access-Reject packet is returned and the user's access is denied; when access is allowed, the NAS sends an Account-Request (the Accounting-Request of RFC 2866) to the RADIUS server, the RADIUS server answers with an Account-Accept (Accounting-Response), accounting for the user starts, and the user can carry out their own related operations at the same time. In this way the security of AAA authentication in the mobile Internet field is enhanced, and the risk of attacks on the authentication can be reduced.

Description

AAA enhanced encryption and authentication method
Technical field:
The present invention relates to an authentication method, and specifically to an AAA enhanced encryption and authentication method.
Background technology:
AAA is the abbreviation of Authentication, Authorization and Accounting. Together these functions give the network system an accurate record of a specific user's use of the network, which both protects the rights and interests of legitimate users to a certain extent and helps ensure that the network system runs securely and reliably.
The IETF AAA protocol is mainly the RADIUS protocol, Remote Authentication Dial-In User Service. RADIUS works in a client/server model and implements authentication, authorization and accounting for remote dial-in users. Its client is usually a network access server (NAS), which passes the user information to a designated RADIUS server and then acts on the response it receives; the RADIUS server receives the user's connection request, authenticates the user's identity and returns to the client all the configuration information it needs to serve the user. To secure the transmission, the RADIUS client and server authenticate each other by means of a shared secret, which is never sent over the network. The user password carried between client and server is hidden with MD5 (RFC 2865 section 5.2: each 16-byte block of the null-padded password is XORed with the MD5 of the shared secret concatenated with the previous block, the first block using the Request Authenticator); this protects the password, but not the other attributes of the packet, against eavesdropping on an insecure network. RADIUS is an upper-layer protocol carried over UDP. By default the authentication service listens on port 1812 and the accounting service on port 1813.
RADIUS became a formal RFC (RFC 2865) in June 2000 and, gradually improved and extended since then, has become the preferred AAA protocol. However, as network technology keeps evolving, and especially with the rapid development of the wireless Internet and the Internet of Things, the shortcomings of RADIUS have also become apparent.
Analysis of the security policy adopted by the RADIUS protocol shows that it has obvious security vulnerabilities:
(1) Attack on the shared secret through the User-Password attribute: because a stream-cipher construction is used to protect the User-Password attribute, an attacker who can observe network traffic can obtain information about the shared secret and attack the authentication process. The attacker initiates an authentication attempt at the client with a password they know, and so can capture the RADIUS Access-Request packet the client sends. A simple calculation on the captured packet (XORing the first hidden password block with the known password yields the MD5 of the shared secret and the Request Authenticator) gives the attacker a value against which candidate secrets can be tested, enabling a thorough offline attack on the shared secret.
(2) Replay attack: RADIUS messages are not encrypted; the Request Authenticator of an Access-Request message is merely a random number and cannot serve as an authentication code, so the RADIUS server cannot authenticate an Access-Request message. Although the protocol requires the Request Authenticator field of an Access-Request to be unpredictable and not to repeat within a period of time, the RADIUS server does not check for its reuse, which may lead to replay attacks.
Summary of the invention:
The object of this invention is to provide an AAA enhanced encryption and authentication method which improves the security of AAA authentication in the mobile Internet field and reduces the risk of attacks on the authentication.
In order to solve the problems in the background technology, the present invention adopts the following technical scheme: its authentication device comprises a mobile terminal 1, a V IAD server 2 and a V authentication server 3; the mobile terminal 1 is connected to the 3G network through an APN, the 3G network is connected to the V IAD server 2 through a VPN encrypted tunnel, and the V IAD server 2 is connected to the V authentication server 3 over the network.
Its encryption and authentication flow is as follows: the user accesses the NAS; the NAS submits the user information to the RADIUS server in an Access-Request packet, in which the user password is hidden using MD5 and a shared secret held by both sides, which is never transmitted over the network; the RADIUS server checks the validity of the user name and password, may issue a Challenge if required to authenticate the user further, and can likewise authenticate the NAS; if they are valid it returns an Access-Accept packet to the NAS and the user is allowed to proceed, otherwise it returns an Access-Reject packet and the user's access is refused; if access is allowed, the NAS sends an accounting request (Account-Request) to the RADIUS server, the RADIUS server responds with Account-Accept, accounting for the user starts, and the user can carry out their own related operations at the same time.
The present invention has the following characteristics:
1. Client/server structure;
2. A shared secret is used to secure network transmission;
3. Good extensibility;
4. Flexible authentication mechanism.
The present invention has the following beneficial effects: it improves the security of AAA authentication in the mobile Internet field and reduces the risk of attacks on the authentication.
Description of the drawings:
Fig. 1 is a structural schematic of the present invention;
Fig. 2 is a flow diagram of the present invention.
Embodiment:
Referring to Fig. 1 and Fig. 2, this embodiment adopts the following technical scheme: its authentication device comprises a mobile terminal 1, a V IAD server 2 and a V authentication server 3; the mobile terminal 1 is connected to the 3G network through an APN, the 3G network is connected to the V IAD server 2 through a VPN encrypted tunnel, and the V IAD server 2 is connected to the V authentication server 3 over the network.
Its encryption and authentication flow is as follows: the user accesses the NAS; the NAS submits the user information to the RADIUS server in an Access-Request packet, in which the user password is hidden using MD5 and a shared secret held by both sides, which is never transmitted over the network; the RADIUS server checks the validity of the user name and password, may issue a Challenge if required to authenticate the user further, and can likewise authenticate the NAS; if they are valid it returns an Access-Accept packet to the NAS and the user is allowed to proceed, otherwise it returns an Access-Reject packet and the user's access is refused; if access is allowed, the NAS sends an accounting request (Account-Request) to the RADIUS server, the RADIUS server responds with Account-Accept, accounting for the user starts, and the user can carry out their own related operations at the same time.
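The Access-Request / Access-Accept exchange in the flow above, together with the two weaknesses listed under Background technology (the offline attack on the shared secret through User-Password, and the server not checking for a reused Request Authenticator), as an added example in Python. This is not code from the patent or from the applicant; it implements the RFC 2865 packet format, User-Password hiding and Response Authenticator directly. The shared secret testing123, the user table, the client address 10.0.0.2 and the candidate word list are constructed sample values, and the Challenge and accounting steps of the flow are not shown.

```python
"""RFC 2865 RADIUS pieces: User-Password hiding, the Access-Request/Access-Accept
exchange with Response Authenticator check, a server-side replay check and the
offline shared-secret attack from the background. Added example; sample data."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18       # attribute types

def _md5_chain(secret, req_auth, data, chain_on_input):
    """XOR each 16-byte block with MD5(secret + previous block); the first
    'previous block' is the Request Authenticator (RFC 2865 section 5.2).
    Hiding chains on the output block, unhiding on the hidden input block."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], keystream))
        out, prev = out + block, (data[i:i + 16] if chain_on_input else block)
    return out

def hide_password(secret, req_auth, password):
    padded = password + b"\0" * (-len(password) % 16)  # null-pad to 16n bytes
    return _md5_chain(secret, req_auth, padded, False)

def unhide_password(secret, req_auth, hidden):
    return _md5_chain(secret, req_auth, hidden, True).rstrip(b"\0")

def encode(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) then type/len/value."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs

def build_response(secret, code, ident, req_auth, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    unsigned = encode(code, ident, req_auth, attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]

def nas_access_request(secret, ident, username, password):
    req_auth = os.urandom(16)  # must be unpredictable and never reused (RFC 2865 s3)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(secret, req_auth, password))]
    return req_auth, encode(ACCESS_REQUEST, ident, req_auth, attrs)

def nas_verify_response(secret, req_auth, response):
    """NAS side: a reply not built with the secret and this Request Authenticator
    (forged, tampered, or answering another request) is not trusted."""
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

class RadiusServer:
    """Checks credentials and, unlike the servers weakness (2) describes, rejects
    a Request Authenticator already seen from that client (unbounded set here)."""
    def __init__(self, secret, users):
        self.secret, self.users, self.seen = secret, users, set()

    def handle(self, client, pkt):
        _, ident, req_auth, attrs = decode(pkt)
        a, reply, msg = dict(attrs), ACCESS_REJECT, b"bad credentials"
        if (client, req_auth) in self.seen:
            msg = b"replayed Request Authenticator"
        else:
            self.seen.add((client, req_auth))
            pw = unhide_password(self.secret, req_auth, a.get(USER_PASSWORD, b""))
            name = a.get(USER_NAME)
            if name in self.users and hmac.compare_digest(self.users[name], pw):
                reply, msg = ACCESS_ACCEPT, b"ok"
        return build_response(self.secret, reply, ident, req_auth, [(REPLY_MESSAGE, msg)])

def crack_shared_secret(pkt, known_password, candidates):
    """Weakness (1): the attacker authenticated with a password they know and
    captured the Access-Request; first hidden block XOR padded password equals
    MD5(secret + RequestAuth), an offline test for every candidate secret."""
    _, _, req_auth, attrs = decode(pkt)
    hidden = dict(attrs)[USER_PASSWORD]
    padded = known_password + b"\0" * (-len(known_password) % 16)
    keystream = bytes(a ^ b for a, b in zip(hidden[:16], padded[:16]))
    return next((c for c in candidates
                 if hashlib.md5(c + req_auth).digest() == keystream), None)

if __name__ == "__main__":
    secret = b"testing123"  # constructed sample secret, deliberately guessable
    server = RadiusServer(secret, {b"alice": b"correct horse"})
    req_auth, req = nas_access_request(secret, 7, b"alice", b"correct horse")
    resp = server.handle("10.0.0.2", req)
    print(decode(resp)[0], nas_verify_response(secret, req_auth, resp))  # 2 True
    print(decode(server.handle("10.0.0.2", req))[0])  # 3: identical packet replayed
    print(crack_shared_secret(req, b"correct horse", [b"radius", b"testing123"]))
```

Run as a script it prints the Access-Accept code (2) with a successful Response Authenticator check, then 3 (Access-Reject) when the same packet is presented a second time, then the recovered secret. The (client, Request Authenticator) cache is the check the background says RADIUS servers omit; in a real server it must expire entries after the allowed window or it grows without bound. The crack function is exactly the calculation the background describes, which is why the shared secret has to be long and random, or the exchange carried over a protected tunnel as in the embodiment, rather than relying on the MD5 hiding alone.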
This embodiment has the following characteristics:
1. Client/server structure;
2. A shared secret is used to secure network transmission;
3. Good extensibility;
4. Flexible authentication mechanism.
This embodiment resolves the security defect that RADIUS authentication messages in the mobile Internet are not encrypted, and eliminates the insecurity of the MD5 scheme itself; at the same time, each session negotiates a temporary key to ensure the secrecy of the key.
This embodiment has the following beneficial effects: it improves the security of AAA authentication in the mobile Internet field and reduces the risk of attacks on the authentication.

Claims (2)

1. An AAA enhanced encryption and authentication method, characterized in that its authentication device comprises a mobile terminal (1), a V IAD server (2) and a V authentication server (3); the mobile terminal (1) is connected to the 3G network through an APN, the 3G network is connected to the V IAD server (2) through a VPN encrypted tunnel, and the V IAD server (2) is connected to the V authentication server (3) over the network.
2. An AAA enhanced encryption and authentication method, characterized in that its encryption and authentication flow is as follows: the user accesses the NAS; the NAS submits the user information to the RADIUS server in an Access-Request packet, in which the user password is hidden using MD5 and a shared secret held by both sides, which is never transmitted over the network; the RADIUS server checks the validity of the user name and password, may issue a Challenge if required to authenticate the user further, and can likewise authenticate the NAS; if they are valid it returns an Access-Accept packet to the NAS and the user is allowed to proceed, otherwise it returns an Access-Reject packet and the user's access is refused; if access is allowed, the NAS sends an accounting request (Account-Request) to the RADIUS server, the RADIUS server responds with Account-Accept, accounting for the user starts, and the user can carry out their own related operations at the same time.

Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN201310195880.8A | CN104184706A (en) | 2013-05-24 | 2013-05-24 | AAA enhanced encryption and authentication method

Publications (1)

Publication Number | Publication Date
CN104184706A (en) | 2014-12-03

Family

ID=51965456

Country Status (1)

Country Link
CN (1) CN104184706A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN102025593A * | 2009-09-21 | 2011-04-20 | 中国移动通信集团公司 | Distributed user access system and method
CN102045304A * | 2009-10-20 | 2011-05-04 | 中兴通讯股份有限公司 | Method and client for interacting with RADIUS server
CN102333289A * | 2011-05-26 | 2012-01-25 | 迈普通信技术股份有限公司 | Short message-based comprehensive 3G (3rd Generation) network equipment management system and short message-based comprehensive 3G network equipment management method

Legal Events

Code | Title | Description
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
DD01 | Delivery of document by public notice | Addressee: BEIJING HUANYARUIDA TECHNOLOGY CO., LTD. Document name: Notification of Publication and of Entering the Substantive Examination Stage of the Application for Invention
DD01 | Delivery of document by public notice | Addressee: BEIJING HUANYARUIDA TECHNOLOGY CO., LTD. Document name: the First Notification of an Office Action
DD01 | Delivery of document by public notice | Addressee: BEIJING HUANYARUIDA TECHNOLOGY CO., LTD. Document name: Notification of an Office Action
DD01 | Delivery of document by public notice
DD01 | Delivery of document by public notice
DD01 | Delivery of document by public notice | Addressee: BEIJING HUANYARUIDA TECHNOLOGY CO., LTD. Document name: Notification of an Office Action
DD01 | Delivery of document by public notice
DD01 | Delivery of document by public notice | Addressee: BEIJING HUANYARUIDA TECHNOLOGY CO., LTD. Document name: Decision of Rejection
RJ01 | Rejection of invention patent application after publication | Application publication date: 20141203