CN104468585A - Proxy-based user equipment trusted access authentication method - Google Patents
Proxy-based user equipment trusted access authentication method Download PDFInfo
- Publication number
- CN104468585A CN104468585A CN201410765889.2A CN201410765889A CN104468585A CN 104468585 A CN104468585 A CN 104468585A CN 201410765889 A CN201410765889 A CN 201410765889A CN 104468585 A CN104468585 A CN 104468585A
- Authority
- CN
- China
- Prior art keywords
- subscriber equipment
- packet
- authentication
- certificate server
- father node
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a proxy-based user equipment trusted access authentication method. The method mainly solves the problems that in the prior art, the authentication time of user equipment is too long, the coverage of a wireless network is small, and the security of the wireless network cannot be guaranteed. According to the technical scheme, user equipment seeks an authentication server, the user equipment and the authentication server perform bidirectional identity authentication if the user equipment can find the authentication server, and the user equipment and a father node perform authority judgment if the user equipment cannot find the authentication server; if the father node is an authenticated node, the user equipment and the father node perform bidirectional identity authentication; if the father node is an unauthenticated node, the father node repeats the seeking and authentication processes of the user equipment and then executes authentication with the user equipment, so that trusted access authentication is completed. According to the proxy-based user equipment trusted access authentication method, the authentication time is shortened, the coverage of the wireless network is expanded, and the security of the network is improved. Accordingly, the method can be used for guaranteeing network security.
Description
Technical field
The invention belongs to radio network technique field, particularly the credible access authentication method of subscriber equipment, can be used for protecting network safety.
Background technology
In the last few years, radio network technique is rapidly developed, the new type of skill and application model emerge in an endless stream, the Intranet of service as ecommerce, E-Government, audio frequency and video business and enterprises and institutions in a large number towards communication network environment builds etc., can be used widely under wireless network environment.Wireless network has great convenience, user only needs a mobile device just can access network whenever and wherever possible, thus increase work efficiency greatly, but due to shortcomings such as mobile device computing capability are more weak, limited storage space, wireless signal are are easily intercepted and captured, there is also great potential safety hazard.For wireless network environment, smell spy, the attack pattern such as eavesdropping, identity are pretended to be, distributed denial of service is conventional means, after mobile device is under attack, sensitive data leakage may be caused, facility information is tampered, invader obtains network management authority etc. serious consequence by wireless network.
Potential safety hazard under the wireless network environment, traditional thinking of resolving safely may be unsatisfactory, and such as fire compartment wall does not play effect to wireless communication, and anyone can intercepted data within wireless signal coverage; Due to the restriction of volume and transmittability, the encryption/decryption algorithm that amount of calculation is large is not suitable for mobile device etc.Under this background, authentic authentication technology, as the new approaches for wireless network and mobile device security threat, becomes the focus that industry is paid close attention to.Authentic authentication is a kind of method of by cryptographic technique, user identity being carried out to two-way authentication, constructs network in this way, to the illegal node refusal access of forged identity, thus can guarantee that the subscriber equipment of access network is all believable.In the verification process of reality, due to the border uncertainty of wireless network and the mobility of subscriber equipment, the authentication request packet that subscriber equipment may be made to send cannot arrive certificate server, thus cause subscriber equipment authenticated time long, even cannot access network, and the fail safe of wireless network also can not be guaranteed.
Summary of the invention
The object of the invention is to propose a kind of credible access authentication method of subscriber equipment based on agency, long to solve prior art subscriber equipment authenticated time, wireless network coverage is little, and the fail safe of wireless network can not get the problem of guarantee.
The main thought realizing the object of the invention is: to be sent to certificate server by subscriber equipment and seek request data package, if certificate server receives and seeks request data package from subscriber equipment, then reply to subscriber equipment and seek response data packet; If subscriber equipment receives and seeks response data packet from certificate server, then subscriber equipment sends authentication request packet to carry out bidirectional identity authentication to certificate server; If subscriber equipment does not receive and seeks response data packet from certificate server, then subscriber equipment should send authentication request packet to its father node, if father node is authentication node, then subscriber equipment carries out bidirectional identity authentication with father node; If father node is unverified node, then it repeats the seeking and verification process of previous step subscriber equipment, to perform oneself bidirectional identity authentication with certificate server, then the bidirectional identity authentication of execution and subscriber equipment.After subscriber equipment certification completes, it has just accessed trustable network.
According to above thinking, performing step of the present invention is as follows:
(1) subscriber equipment A seeks certificate server R:
When subscriber equipment A needs access network, first send to the certificate server R in network and seek request data package, certificate server R receive from subscriber equipment A seek request data package after, reply to subscriber equipment A and seek response data packet, if subscriber equipment A receives and seeks response data packet from certificate server R, then seek process normal termination, perform step (2); If subscriber equipment A does not receive and seeks response data packet from certificate server R, then seek process exception and terminate, perform step (3);
(2) bidirectional identity authentication of three-way handshake is carried out between subscriber equipment A and certificate server R;
(3) authority judgement is carried out between subscriber equipment A and father node B:
Subscriber equipment A constructs authentication request packet, and by authentication request Packet Generation to father node B, after father node B receives authentication request packet, judge self to be whether authentication node: if, then perform step (4), if not, then perform step (5);
(4) bidirectional identity authentication of three-way handshake is carried out between subscriber equipment A and father node B;
(5) the seeking and verification process of father node B duplicate customer device A, to perform the bidirectional identity authentication of oneself and certificate server R, then performs and the bidirectional identity authentication of subscriber equipment A.
The present invention compared with prior art tool has the following advantages:
1., because the present invention uses credible access authentication technique, therefore can ensure that the subscriber equipment of access network is all believable, if set up network with the present invention, then can construct credible radio local network environment;
2. because the present invention uses father node authentication mechanism, if the while of therefore having a large amount of new user during access network, then the certification pressure of certificate server can be alleviated, makes new user be able to fast access into network;
3. because the present invention uses father node authentication mechanism, if when therefore subscriber equipment cannot communicate with the certificate server in network, also by sending the mode access network of authentication request to its father node, so, just greatly reducing the subscriber equipment that causes because of the mobility of equipment and the uncertainty of wireless network coverage cannot the situation of access network.
Accompanying drawing explanation
Fig. 1 is of the present invention realizes general flow chart;
Fig. 2 subscriber equipment and certificate server carry out the sub-process figure of bidirectional identity authentication;
Fig. 3 subscriber equipment and father node carry out the sub-process figure of bidirectional identity authentication.
Embodiment
With reference to Fig. 1, performing step of the present invention is as follows:
Step 1, optimum configurations
Key generation centre Trent chooses Big prime q, wherein a q>2 according to security parameter z
z, the addition cyclic group G on structure q rank
1with a q factorial method cyclic group G
2;
Construct a bilinear map e:G
1× G
1→ G
2;
From group G
1upper random selecting generator P;
Generate subscriber equipment identity ID
a, certificate server identity ID
r, father node identity ID
b;
Choose a kind of signature algorithm Sig, as RSA Algorithm etc.;
Generate the signature private key SK of subscriber equipment A
a, certificate server R signature private key SK
r, father node B signature private key SK
b;
Choose password one-way Hash function h (x).
Step 2, subscriber equipment A seeks certificate server R.
When subscriber equipment A needs access network, first send to the certificate server R in network and seek request data package;
Certificate server R receive from subscriber equipment A seek request data package after, reply to subscriber equipment A and seek response data packet: if subscriber equipment A receives and seeks response data packet from certificate server R, then seek process normal termination, perform step 3; If subscriber equipment A does not receive and seeks response data packet from certificate server R, then seek process exception and terminate, perform step 4;
Step 3, carries out the bidirectional identity authentication of three-way handshake between subscriber equipment A and certificate server R.
With reference to Fig. 2, this step is implemented as follows:
3a) carry out first time between subscriber equipment A and certificate server R to shake hands:
3a1) subscriber equipment A chooses X
aR∈ z
q *temporary private is exchanged as DH, then by formula Y
aR=X
aRp calculates DH and exchanges temporary public key Y
aR, subscriber equipment A generates random number N
aR;
3a2) subscriber equipment A uses signature algorithm Sig to the identity ID of subscriber equipment A
a, certificate server R identity ID
r, random number N
aR, DH exchanges temporary public key Y
aRcalculate, generate signature Sig
aR;
3a3) subscriber equipment A constructs authentication request packet P
1, and by authentication request packet P
1be sent to certificate server R, authentication request packet P
1content comprise:
ID
afield: the identity of subscriber equipment A;
ID
rfield: the identity of certificate server R;
N
aRfield: the random number that subscriber equipment A generates;
Y
aRfield: the DH that subscriber equipment A chooses exchanges temporary public key;
Sig
aRfield: subscriber equipment A uses self signature private key SK
ato ID
afield, ID
rfield, N
aRfield, Y
aRthe signature of field;
3a4) when certificate server R receives authentication request packet P
1time, certifying signature Sig
aRcorrectness: if incorrect, then abandon authentication request packet P
1if correctly, then perform step 3b).
3b) carry out second handshake between subscriber equipment A and certificate server R:
3b1) certificate server R chooses X
rA∈ z
q *temporary private is exchanged as DH, then by formula Y
rA=X
rAp calculates DH and exchanges temporary public key Y
rA, certificate server R generates random number N
rA;
3b2) certificate server R uses the signature private key SK of self
rto the identity ID of certificate server R
r, subscriber equipment A identity ID
a, random number N
rA, random number N
aR, DH exchanges temporary public key Y
rAcalculate, generate signature Sig
rA;
3b3) certificate server R exchanges temporary private X according to DH
rAwith authentication request packet P
1in DH exchange temporary public key Y
aR, by formula MK
rA=e (X
rA, Y
aR) calculate the master key MK communicated between R and A
rA;
3b4) certificate server R uses formula MIC
rA=h (MK
rA|| ID
r|| ID
a|| N
rA|| N
aR|| Y
rA) calculate message integrity check code MIC
rA;
3b5) certificate server R constructs authentication response packet P
2, and by authentication response packet P
2be sent to subscriber equipment A, authentication response packet P
2content comprise:
ID
afield: the identity of subscriber equipment A;
ID
rfield: the identity of certificate server R;
N
rAfield: the random number that certificate server R generates;
N
aRfield: the authentication request packet P that certificate server R receives
1in random number N
aR;
Y
rAfield: the DH that certificate server R chooses exchanges temporary public key;
Sig
rAfield: certificate server R uses self signature private key SK
rto ID
rfield, ID
afield, N
rAfield, N
aRfield, Y
rAthe signature of field;
MIC
rAfield: certificate server R is to MK
rAfield, ID
rfield, ID
afield, N
rAfield, N
aRfield, Y
rAthe message integrity check code that field calculates;
3b6) when subscriber equipment A receives authentication response packet P
2after, judge authentication response packet P
2in N
aRfield whether with authentication request packet P
1in N
aRidentical: if different, then to abandon authentication response packet P
2if, identical, then perform 3b7);
3b7) subscriber equipment A exchanges temporary private X to DH
aRwith authentication response packet P
2in DH exchange temporary public key Y
rAuse formula MK
aR=e (X
aR, Y
rA) calculate the master key MK communicated between A and R
aR;
3b8) subscriber equipment A is to MK
aR, ID
rfield, ID
afield, N
rAfield, N
aRfield, Y
rAfield uses formula MIC
rA1=h (MK
aR|| ID
r|| ID
a|| N
rA|| N
aR|| Y
rA) calculate message integrity check code MIC
rA1, checking MIC
rA1whether with authentication response packet P
2in MIC
rAidentical: if different, then to abandon authentication response packet P
2if, identical, then certifying signature Sig
rAcorrectness: if incorrect, then abandon authentication response packet P
2if, correct just execution step 3c);
3c) carry out third time between subscriber equipment A and certificate server R to shake hands:
3c1) subscriber equipment A is to master key MK
aR, subscriber equipment A identity ID
a, certificate server R identity ID
r, authentication response packet P
2in random number N
rAuse formula MIC
aR=h (MK
aR|| ID
a|| ID
r|| N
rA) calculate message integrity check code MIC
aR;
3c2) subscriber equipment A constructs authenticate-acknowledge packet P
3, and by authenticate-acknowledge packet P
3be sent to certificate server R, authenticate-acknowledge packet P
3content comprise:
ID
afield: the identity of subscriber equipment A;
ID
rfield: the identity of certificate server R;
N
rAfield: subscriber equipment A receives authentication response packet P
2in random number N
rA;
MIC
aRfield: subscriber equipment A is to MK
aRfield, ID
afield, ID
rfield, N
rAthe message integrity check code that field calculates;
3c3) when certificate server R receives authenticate-acknowledge packet P
3after, judge authenticate-acknowledge packet P
3in random number N
rAwhether with authentication response packet P
2in random number N
rAidentical: if different, then to abandon authenticate-acknowledge packet P
3if, identical, then perform 3c4);
3c4) certificate server R is to master key MK
rA, ID
rfield, ID
afield, N
rAfield uses formula MIC
aR1=h (MK
rA|| ID
r|| ID
a|| N
rA) calculate message integrity check code MIC
aR1, and verify MIC
aR1whether with authenticate-acknowledge packet P
3in MIC
aRidentical, if different, then abandon authentication response packet P
3if identical, then whole verification process completes.
Step 4, carries out authority judgement between subscriber equipment A and father node B.
Subscriber equipment A constructs authentication request packet, and by authentication request Packet Generation to father node B, after father node B receives authentication request packet, judges self to be whether authentication node: if then perform step 5, if not, then perform step 6;
Step 5, carries out the bidirectional identity authentication of three-way handshake between subscriber equipment A and father node B.
With reference to Fig. 3, this step is implemented as follows:
5a) carry out first time between subscriber equipment A and father node B to shake hands:
5a1) subscriber equipment A chooses X
aB∈ z
q *temporary private is exchanged as DH, then by formula Y
aB=X
aBp calculates DH and exchanges temporary public key Y
aB, subscriber equipment A generates random number N
aB;
5a2) subscriber equipment A uses signature algorithm Sig to the identity ID of subscriber equipment A
a, father node B identity ID
b, random number N
aB, DH exchanges temporary public key Y
aBcalculate, generate signature Sig
aB;
5a3) subscriber equipment A constructs authentication request packet P
4, and by authentication request packet P
4be sent to certification father node B, authentication request packet P
4content comprise:
ID
afield: the identity of subscriber equipment A;
ID
bfield: the identity of father node B;
N
aBfield: the random number that subscriber equipment A generates;
Y
aBfield: the DH that subscriber equipment A chooses exchanges temporary public key;
Sig
aBfield: subscriber equipment A uses self signature private key SK
ato ID
afield, ID
bfield, N
aBfield, Y
aBthe signature of field;
5a4) when father node B receives authentication request packet P
4after, judge self to be whether authentication node: if not authentication node, then perform step 5, if authentication node, then certifying signature Sig
aBcorrectness: if incorrect, then abandon authentication request packet P
4if correctly, then perform step 5b);
5b) carry out second handshake between subscriber equipment A and father node B:
5b1) father node B chooses X
bA∈ z
q *temporary private is exchanged as DH, then by formula Y
bA=X
bAp calculates DH and exchanges temporary public key Y
bA, father node B generates random number N
bA;
5b2) father node B uses the signature private key SK of self
bto the identity ID of father node B
b, subscriber equipment A identity ID
a, random number N
bA, random number N
aB, DH exchanges temporary public key Y
bAcalculate, generate signature Sig
bA;
5b3) father node B exchanges temporary private X according to DH
bAwith authentication request packet P
4in DH exchange temporary public key Y
aB, by formula MK
bA=e (X
bA, Y
aB) calculate the master key MK communicated between B and A
bA;
5b4) father node B uses formula MIC
bA=h (MK
bA|| ID
b|| ID
a|| N
bA|| N
aB|| Y
bA) calculate message integrity check code MIC
bA;
5b5) father node B constructs authentication response packet P
5, and by authentication response packet P
5be sent to subscriber equipment A, authentication response packet P
5content comprise:
ID
afield: the identity of subscriber equipment A;
ID
bfield: the identity of father node B;
N
bAfield: the random number that father node B generates;
N
aBfield: the authentication request packet P that father node B receives
4in random number N
aB;
Y
bAfield: the DH that father node B chooses exchanges temporary public key;
Sig
bAfield: father node B uses self signature private key SK
bto ID
bfield, ID
afield, N
bAfield, N
aBfield, Y
bAthe signature of field;
MIC
bAfield: father node B is to MK
bAfield, ID
bfield, ID
afield, N
bAfield, N
aBfield, Y
bAthe message integrity check code that field calculates.
5b6) when subscriber equipment A receives authentication response packet P
5after, judge authentication response packet P
5in N
aBfield whether with authentication request packet P
4in N
aBidentical: if different, then to abandon authentication response packet P
5if, identical, then perform step 5b7);
5b7) subscriber equipment A exchanges temporary private X to DH
aBwith authentication response packet P
5in DH exchange temporary public key Y
bAuse formula MK
aB=e (X
aB, Y
bA) calculate the master key MK communicated between A and B
aB;
5b8) subscriber equipment A is to MK
aB, ID
bfield, ID
afield, N
bAfield, N
aBfield, Y
bAfield uses formula MIC
bA1=h (MK
aB|| ID
b|| ID
a|| N
bA|| N
aB|| Y
bA) calculate message integrity check code MIC
bA1, checking MIC
bA1whether with authentication response packet P
5in MIC
bAidentical: if different, then to abandon authentication response packet P
5if, identical, then certifying signature Sig
bAcorrectness: if incorrect, then abandon authentication response packet P
5if, correct just execution step 5c);
5c) carry out third time between subscriber equipment A and father node B to shake hands:
5c1) subscriber equipment A is to master key MK
aB, subscriber equipment A identity ID
a, father node B identity ID
b, authentication response packet P
5in random number N
bAuse formula MIC
aB=h (MK
aB|| ID
a|| ID
b|| N
bA) calculate message integrity check code MIC
aB;
5c2) subscriber equipment A constructs authenticate-acknowledge packet P
6, and by authenticate-acknowledge packet P
6be sent to father node B, authenticate-acknowledge packet P
6content comprise:
ID
afield: the identity of subscriber equipment A;
ID
bfield: the identity of father node B;
N
bAfield: subscriber equipment A receives authentication response packet P
5in random number N
bA;
MIC
aBfield: subscriber equipment A is to MK
aBfield, ID
afield, ID
bfield, N
bAthe message integrity check code that field calculates;
5c3) when father node B receives authenticate-acknowledge packet P
6after, judge authenticate-acknowledge packet P
6in random number N
bAwhether with authentication response packet P
5in random number N
bAidentical: if different, then to abandon authenticate-acknowledge packet P
6if, identical, then perform step 5c4);
5c4) father node B is to master key MK
bA, ID
bfield, ID
afield, N
bAfield uses formula MIC
aB1=h (MK
bA|| ID
b|| ID
a|| N
bA) calculate message integrity check code MIC
aB1, and verify MIC
aB1whether with authenticate-acknowledge packet P
6in MIC
aBidentical: if different, then to abandon authentication response packet P
6if identical, then whole verification process completes.
Step 6, seeking and verification process of father node B duplicate customer device A, to perform the bidirectional identity authentication of oneself and certificate server R, then performs and the bidirectional identity authentication of subscriber equipment A.
Explanation of nouns
Trent: key generation centre;
Z: the security parameter that key generation centre Trent chooses;
Q: what key generation centre Trent chose is greater than 2
zbig prime;
G
1: the q rank addition cyclic group that key generation centre Trent chooses;
G
2: the q factorial method cyclic group that key generation centre Trent chooses;
E: the G that key generation centre Trent chooses
1and G
2on bilinear map, i.e. e:G
1× G
1→ G
2;
P:G
1on generator, by key generation centre Trent random selecting;
Z
q *: based on the non-zero multiplicative group of prime number q;
ID
a: the identity of the subscriber equipment A that key generation centre Trent generates;
ID
r: the identity of the certificate server R that key generation centre Trent generates;
ID
b: the identity of the father node B that key generation centre Trent generates;
SK
a: the signature private key of subscriber equipment A;
SK
r: the signature private key of certificate server R;
SK
b: the signature private key of father node B;
X
aR: the DH that subscriber equipment A chooses exchanges temporary private;
Y
aR: subscriber equipment A is according to X
aRthe DH calculated exchanges temporary public key, Y
aR=X
aRp;
X
rA: the DH that certificate server R chooses exchanges temporary private;
Y
rA: certificate server R is according to X
rAthe DH calculated exchanges temporary public key, Y
rA=X
rAp;
X
aB: the DH that subscriber equipment A chooses exchanges temporary private;
Y
aB: subscriber equipment A is according to X
aBthe DH calculated exchanges temporary public key, Y
aB=X
aBp;
X
bA: the DH that father node B chooses exchanges temporary private;
Y
bA: father node B is according to X
bAthe DH calculated exchanges temporary public key, Y
bA=X
bAp;
N
aR: the random number that subscriber equipment A generates, for being sent to certificate server R;
N
rA: the random number that certificate server R generates, for being sent to subscriber equipment A;
N
aB: the random number that subscriber equipment A generates, for being sent to father node B;
N
bA: the random number that father node B generates, for being sent to subscriber equipment A;
Sig: the signature algorithm that key generation centre Trent chooses;
H (x): password one-way Hash function;
MK
aR: the communication master key that subscriber equipment A calculates, MK
aR=e (X
aR, Y
rA);
MK
rA: the communication master key that certificate server R calculates, MK
rA=e (X
rA, Y
aR);
MK
aB: the communication master key that subscriber equipment A calculates, MK
aB=e (X
aB, Y
bA);
MK
bA: the communication master key that father node B calculates, MK
bA=e (X
bA, Y
aB);
A||B: the cascade representing A and B, wherein A and B link gets up to be A||B, can obtain A and B by separating linked operation to A||B;
MIC
rA: the message integrity check code that certificate server R calculates, for being sent to subscriber equipment A, wherein, MIC
rA=h (MK
rA|| ID
r|| ID
a|| N
rA|| N
aR|| Y
rA);
MIC
rA1: subscriber equipment A uses the message integrity check code that calculates of own public key, for verify whether with the message integrity check code MIC received
rAidentical, wherein, MIC
rA1=h (MK
aR|| ID
r|| ID
a|| N
rA|| N
aR|| Y
rA);
MIC
aR: the message integrity check code that subscriber equipment A calculates, for being sent to certificate server R, wherein, MIC
aR=h (MK
aR|| ID
a|| ID
r|| N
rA);
MIC
aR1: certificate server R uses the message integrity check code that calculates of own public key, for verify whether with the message integrity check code MIC received
aRidentical, wherein, MIC
aR1=h (MK
rA|| ID
a|| ID
r|| N
rA);
MIC
bA: the message integrity check code that father node B calculates, for being sent to subscriber equipment A, wherein, MIC
bA=h (MK
bA|| ID
b|| ID
a|| N
bA|| N
aB|| Y
bA);
MIC
bA1: subscriber equipment A uses the message integrity check code that calculates of own public key, for verify whether with the message integrity check code MIC received
bAidentical, wherein, MIC
bA1=h (MK
aB|| ID
b|| ID
a|| N
bA|| N
aB|| Y
bA);
MIC
aB: the message integrity check code that subscriber equipment A calculates, for being sent to father node B, wherein, MIC
aB=h (MK
aB|| ID
a|| ID
b|| N
bA);
MIC
aB1: father node B uses the message integrity check code that calculates of own public key, for verify whether with the message integrity check code MIC received
aBidentical, wherein, MIC
aB1=h (MK
bA|| ID
a|| ID
b|| N
bA).
Claims (7)
1., based on the agency's credible access authentication method of subscriber equipment, comprise the steps:
(1) subscriber equipment A seeks certificate server R:
When subscriber equipment A needs access network, first send to the certificate server R in network and seek request data package, certificate server R receive from subscriber equipment A seek request data package after, reply to subscriber equipment A and seek response data packet, if subscriber equipment A receives and seeks response data packet from certificate server R, then seek process normal termination, perform step (2); If subscriber equipment A does not receive and seeks response data packet from certificate server R, then seek process exception and terminate, perform step (3);
(2) bidirectional identity authentication of three-way handshake is carried out between subscriber equipment A and certificate server R;
(3) authority judgement is carried out between subscriber equipment A and father node B:
Subscriber equipment A constructs authentication request packet, and by authentication request Packet Generation to father node B, after father node B receives authentication request packet, judge self to be whether authentication node: if, then perform step (4), if not, then perform step (5);
(4) bidirectional identity authentication of three-way handshake is carried out between subscriber equipment A and father node B;
(5) the seeking and verification process of father node B duplicate customer device A, to perform the bidirectional identity authentication of oneself and certificate server R, then performs and the bidirectional identity authentication of subscriber equipment A.
2. the credible access authentication method of subscriber equipment based on agency according to claim 1, the three-way handshake bidirectional identity authentication process of carrying out between the subscriber equipment A in wherein said step (2) and certificate server R, it is expressed as follows:
2a) subscriber equipment A constructs authentication request packet P
1, and by authentication request packet P
1be sent to certificate server R, when certificate server R receives authentication request packet P
1time, certifying signature Sig
aRcorrectness: if incorrect, then abandon authentication request packet P
1if correctly, then perform step 2b);
2b) certificate server R constructs authentication response packet P
2, and by authentication response packet P
2be sent to subscriber equipment A, when subscriber equipment A receives authentication response packet P
2after, judge authentication response packet P
2in random number N
aRfield whether with the authentication request packet P received
1in N
aRfield is identical: if different, then abandon authentication response packet P
2if, identical, then perform step 2c);
2c) subscriber equipment A uses own public key calculating certificate server R to be sent to the message integrity check code MIC of subscriber equipment A
rA1, and verify MIC
rA1whether with the authentication response packet P received
2in message integrity check code MIC
rAfield is identical: if different, then abandon authentication response packet P
2if, identical, then certifying signature Sig
rAcorrectness: if incorrect, then abandon authentication response packet P
2if correctly, then perform step 2d);
2d) subscriber equipment A constructs authenticate-acknowledge packet P
3, and by authenticate-acknowledge packet P
3be sent to certificate server R, when certificate server R receives authenticate-acknowledge packet P
3after, judge authenticate-acknowledge packet P
3in random number N
rAwhether with the authentication response packet P received
2in random number N
rAidentical: if different, then to abandon authenticate-acknowledge packet P
3if, identical, then perform step 2e);
2e) certificate server R uses own public key calculating subscriber equipment A to be sent to the message integrity check code MIC of certificate server R
aR1, and verify MIC
aR1whether with the authenticate-acknowledge packet P received
3in message integrity check code MIC
aRfield is identical: if different, then abandon authenticate-acknowledge packet P
3if identical, then whole verification process completes.
3. the credible access authentication method of subscriber equipment based on agency according to claim 1, the three-way handshake bidirectional identity authentication process of carrying out between the subscriber equipment A in wherein said step (4) and father node B, it is expressed as follows:
4a) subscriber equipment A constructs authentication request packet P
4, and by authentication request packet P
4be sent to father node B, when father node B receives authentication request packet P
4after, certifying signature Sig
aBcorrectness: if incorrect, then abandon authentication request packet P
4if correctly, then perform step 4b);
4b) father node B constructs authentication response packet P
5, and by authentication response packet P
5be sent to subscriber equipment A, when subscriber equipment A receives authentication response packet P
5after, judge authentication response packet P
5in random number N
aBfield whether with the authentication request packet P received
4in N
aBfield is identical: if different, then abandon authentication response packet P
5if, identical, then perform step 4c);
4c) subscriber equipment A uses own public key calculating father node B to be sent to the message integrity check code MIC of subscriber equipment A
bA1, and verify this MIC
bA1code whether with the authentication response packet P received
5in message integrity check code MIC
bAfield is identical: if different, then abandon authentication response packet P
5if, identical, then certifying signature Sig
bAcorrectness: if incorrect, then abandon authentication response packet P
5if correctly, then perform step 4d);
4d) subscriber equipment A constructs authenticate-acknowledge packet P
6, and by authenticate-acknowledge packet P
6be sent to father node B, when father node B receives authenticate-acknowledge packet P
6after, judge authenticate-acknowledge packet P
6in random number N
bAwhether with the authentication response packet P received
5in random number N
bAidentical: if different, then to abandon authenticate-acknowledge packet P
6if, identical, then perform step 4e);
4e) father node B uses own public key calculating subscriber equipment A to be sent to the message integrity check code MIC of father node B
aB1, and verify this MIC
aB1code whether with the authenticate-acknowledge packet P received
6in message integrity check code MIC
aBfield is identical: if different, then abandon authenticate-acknowledge packet P
6if identical, then whole verification process completes.
4. the three-way handshake bidirectional identity authentication process of carrying out between subscriber equipment A according to claim 2 and certificate server R, wherein said step 2c) in subscriber equipment A use own public key to calculate message integrity check code MIC that certificate server R is sent to subscriber equipment A
rA1, undertaken by following formula:
MIC
RA1=h(MK
AR||ID
R||ID
A||N
RA||N
AR||Y
RA)
Wherein, h (x) is password one-way Hash function, MK
aRfor the communication master key between subscriber equipment A and certificate server R, ID
rfor the authentication response packet P that subscriber equipment A receives
2in certificate server identity field, ID
afor the authentication response packet P that subscriber equipment A receives
2in subscriber equipment identity field, N
rAfor the authentication response packet P that subscriber equipment A receives
2in certificate server R be sent to the random number field of subscriber equipment A, N
aRfor the authentication response packet P that subscriber equipment A receives
2in subscriber equipment A be sent to random number field with certificate server R, Y
rAfor the authentication response packet P that subscriber equipment A receives
2in certificate server public key field.
5. the three-way handshake bidirectional identity authentication process of carrying out between subscriber equipment A according to claim 2 and certificate server R, wherein said step 2e) in certificate server R use own public key to calculate message integrity check code MIC that subscriber equipment A is sent to certificate server R
aR1, undertaken by following formula:
MIC
AR1=h(MK
RA||ID
R||ID
A||N
RA)
Wherein, h (x) is password one-way Hash function, MK
rAfor the communication master key between certificate server R and subscriber equipment A, ID
rfor the authenticate-acknowledge packet P that certificate server R receives
3in certificate server identity field, ID
afor the authenticate-acknowledge packet P that certificate server R receives
3in user identity field, N
rAfor the authenticate-acknowledge packet P that certificate server R receives
3in certificate server R be sent to the random number field of subscriber equipment A.
6. the three-way handshake bidirectional identity authentication process of carrying out between subscriber equipment A according to claim 3 and father node B, wherein said step 4c) in subscriber equipment A use own public key to calculate message integrity check code MIC that father node B is sent to subscriber equipment A
bA1, undertaken by following formula:
MIC
BA1=h(MK
AB||ID
B||ID
A||N
BA||N
AB||Y
BA)
Wherein, h (x) is password one-way Hash function, MK
aBfor the communication master key between subscriber equipment A and father node B, ID
bfor the authentication response packet P that subscriber equipment A receives
5in father node identity field, ID
afor the authentication response packet P that subscriber equipment A receives
5in subscriber equipment identity field, N
bAfor the authentication response packet P that subscriber equipment A receives
5in father node B be sent to the random number field of subscriber equipment A, N
aBfor the authentication response packet P received
5in subscriber equipment A be sent to the random number field of father node B, Y
bAfor the authentication response packet P that subscriber equipment A receives
5in father node public key field.
7. the three-way handshake bidirectional identity authentication process of carrying out between subscriber equipment A according to claim 3 and father node B, wherein said step 4e) in father node B use own public key to calculate message integrity check code MIC that subscriber equipment A is sent to father node B
aB1, undertaken by following formula:
MIC
AB1=h(MK
BA||ID
B||ID
A||N
BA)
Wherein, h (x) is password one-way Hash function, MK
bAfor the communication master key between father node B and subscriber equipment A, ID
bfor the authenticate-acknowledge packet P that father node B receives
6in father node identity field, ID
afor the authenticate-acknowledge packet P that father node B receives
6in subscriber equipment identity field, N
bAfor the authenticate-acknowledge packet P that father node B receives
6in father node B be sent to the random number field of subscriber equipment A.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410765889.2A CN104468585B (en) | 2014-12-12 | 2014-12-12 | The credible access authentication method of user equipment based on agency |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410765889.2A CN104468585B (en) | 2014-12-12 | 2014-12-12 | The credible access authentication method of user equipment based on agency |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104468585A true CN104468585A (en) | 2015-03-25 |
CN104468585B CN104468585B (en) | 2017-10-24 |
Family
ID=52913957
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410765889.2A Active CN104468585B (en) | 2014-12-12 | 2014-12-12 | The credible access authentication method of user equipment based on agency |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104468585B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109639426A (en) * | 2019-02-26 | 2019-04-16 | 中国人民解放军国防科技大学 | Bidirectional self-authentication method based on identification password |
CN112822214A (en) * | 2021-02-09 | 2021-05-18 | 广州慧睿思通科技股份有限公司 | Network attack defense method, device, system, storage medium and electronic equipment |
CN113364807A (en) * | 2021-06-30 | 2021-09-07 | 四川更元科技有限公司 | Network node credibility authentication implementation method |
CN114070568A (en) * | 2021-11-04 | 2022-02-18 | 北京百度网讯科技有限公司 | Data processing method and device, electronic equipment and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7809941B1 (en) * | 2005-09-09 | 2010-10-05 | Rockwell Collins, Inc. | Certifier hierarchy for public key infrastructure in an ad-hoc network |
CN101883115A (en) * | 2010-06-25 | 2010-11-10 | 北京交通大学 | Access authentication method and system thereof |
WO2010127684A1 (en) * | 2009-05-05 | 2010-11-11 | Nokia Siemens Networks Oy | Topology based fast secured access |
CN102612035A (en) * | 2012-04-13 | 2012-07-25 | 北京工业大学 | Energy-efficient identity authentication method in multi-level clustering wireless sensor network |
US20120237033A1 (en) * | 2011-03-16 | 2012-09-20 | Yasuyuki Tanaka | Node, a root node, and a computer readable medium |
CN103813324A (en) * | 2012-11-07 | 2014-05-21 | 中国移动通信集团公司 | Node signature method and mobile node access method of hierarchical MIPv6 |
-
2014
- 2014-12-12 CN CN201410765889.2A patent/CN104468585B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7809941B1 (en) * | 2005-09-09 | 2010-10-05 | Rockwell Collins, Inc. | Certifier hierarchy for public key infrastructure in an ad-hoc network |
WO2010127684A1 (en) * | 2009-05-05 | 2010-11-11 | Nokia Siemens Networks Oy | Topology based fast secured access |
CN101883115A (en) * | 2010-06-25 | 2010-11-10 | 北京交通大学 | Access authentication method and system thereof |
US20120237033A1 (en) * | 2011-03-16 | 2012-09-20 | Yasuyuki Tanaka | Node, a root node, and a computer readable medium |
CN102612035A (en) * | 2012-04-13 | 2012-07-25 | 北京工业大学 | Energy-efficient identity authentication method in multi-level clustering wireless sensor network |
CN103813324A (en) * | 2012-11-07 | 2014-05-21 | 中国移动通信集团公司 | Node signature method and mobile node access method of hierarchical MIPv6 |
Non-Patent Citations (2)
Title |
---|
LI,HX;YANG,YF;PANG,LJ: "An Efficient Autjentication Protocol with User Anonymity for Mobile Networks", 《IEEE WIRELESS COMMUNICATIONS AND NETWORKING CONFERENCE(WCNC)》 * |
伍华凤,戴新发,陈鹏: "一种层次化移动IP接入认证机制", 《计算机工程》 * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109639426A (en) * | 2019-02-26 | 2019-04-16 | 中国人民解放军国防科技大学 | Bidirectional self-authentication method based on identification password |
CN109639426B (en) * | 2019-02-26 | 2022-03-01 | 中国人民解放军国防科技大学 | Bidirectional self-authentication method based on identification password |
CN112822214A (en) * | 2021-02-09 | 2021-05-18 | 广州慧睿思通科技股份有限公司 | Network attack defense method, device, system, storage medium and electronic equipment |
CN113364807A (en) * | 2021-06-30 | 2021-09-07 | 四川更元科技有限公司 | Network node credibility authentication implementation method |
CN114070568A (en) * | 2021-11-04 | 2022-02-18 | 北京百度网讯科技有限公司 | Data processing method and device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN104468585B (en) | 2017-10-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110138538B (en) | Smart grid security and privacy protection data aggregation method based on fog calculation | |
US11432150B2 (en) | Method and apparatus for authenticating network access of terminal | |
CN105873031B (en) | Distributed unmanned plane cryptographic key negotiation method based on credible platform | |
CN102983965A (en) | Transformer substation quantum communication model, quantum secret key distribution center and model achieving method | |
Wang et al. | A secure and efficient multiserver authentication and key agreement protocol for internet of vehicles | |
CN102752269A (en) | Cloud computing-based method and system for identity authentication and cloud server | |
CN105577377A (en) | Identity-based authentication method and identity-based authentication system with secret key negotiation | |
CN107094156A (en) | A kind of safety communicating method and system based on P2P patterns | |
WO2021103772A1 (en) | Data transmission method and apparatus | |
CN104468585A (en) | Proxy-based user equipment trusted access authentication method | |
Premarathne et al. | Secure and reliable surveillance over cognitive radio sensor networks in smart grid | |
Wazid et al. | TACAS-IoT: trust aggregation certificate-based authentication Scheme for edge-enabled IoT systems | |
Tanveer et al. | Towards a secure and computational framework for internet of drones enabled aerial computing | |
Li et al. | Efficient and fault‐diagnosable authentication architecture for AMI in smart grid | |
Hussain et al. | A security mechanism for IEEE C37. 118.2 PMU communication | |
CN108390866A (en) | Trusted remote method of proof based on the two-way anonymous authentication of dual-proxy | |
US8954728B1 (en) | Generation of exfiltration-resilient cryptographic keys | |
Lu et al. | Modeling and verification of IEEE 802.11 i security protocol in UPPAAL for Internet of Things | |
Sani et al. | SPrivAD: A secure and privacy-preserving mutually dependent authentication and data access scheme for smart communities | |
Dwivedi et al. | Design of blockchain and ecc-based robust and efficient batch authentication protocol for vehicular ad-hoc networks | |
CN101888383B (en) | Method for implementing extensible trusted SSH | |
CN115242412B (en) | Certificateless aggregation signature method and electronic equipment | |
CN108601024B (en) | A kind of Lightweight Identify Authentication and platform identify appraisal procedure | |
Patil et al. | A Secure and Efficient Identity based Proxy Signcryption Scheme for Smart Grid Network. | |
CN114615006A (en) | Edge layer data security protection method and system for power distribution Internet of things and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |