CN105577618A - Authentication method and apparatus - Google Patents
Publication number: CN105577618A (application CN201410545460.2A)
Authority: CN (China)
Prior art keywords: authentication, message, authenticating party, party, device identification
Legal status: Withdrawn
Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses an authentication method and apparatus. The method comprises: sending an authentication request message to an authentication server, where the message carries the identity certificate and device identifier (ID) of the requesting party together with the identity certificate and device ID of the authenticating party, and instructs the authentication server to authenticate, on the basis of that message, whether a port of the requesting party is allowed to connect to a port of the authenticating party; and receiving the result of the authentication performed by the authentication server according to the request. The invention thereby solves the problem of authenticating whether the port connections between network devices are legitimate, and so safeguards network security.
Description
Technical field
The present invention relates to the field of communications, and in particular to an authentication method and apparatus.
Background technology
Network security problems in current networks largely arise from attacks by external networks, but internal networks also carry security risks. Where the security requirements are very high, the internal network must be protected, and a very important means of doing so is authenticating the network devices: only after successful authentication may a device access the network and communicate.
The path along which data travels over a network is formed by the interconnection of the ports of the network devices. To ensure that data traffic is transmitted over a fully trusted forwarding path, the connection rights of the interconnected ports between the network devices that make up the transmission path must be authenticated.
The related art proposes authenticating the network devices, but does not authenticate the connection rights of the ports between them. This can only ensure that the devices accessing the network are legitimate; it cannot ensure that the devices access the network according to the planned network design.
No effective solution has yet been proposed to the problem of authenticating whether the port connections between network devices are legitimate.
Summary of the invention
The invention provides an authentication method and apparatus to solve the problem of authenticating whether the port connections between network devices are legitimate.
According to one aspect of the invention, an authentication method is provided, comprising: sending an authentication request message to an authentication server, where the authentication request message carries the identity certificate and device identifier (ID) of the requesting party and the identity certificate and device ID of the authenticating party, and is used to instruct the authentication server to authenticate, according to the authentication request message, whether the port of the requesting party is allowed to connect to the port of the authenticating party; and receiving the result of the authentication that the authentication server performs according to the authentication request message.
Preferably, before the authentication request message is sent to the authentication server, the method further comprises: receiving the certificate exchange message sent by the requesting party, where the certificate exchange message carries the identity certificate and device ID of the requesting party; and determining from that identity certificate and device ID that the requesting party's device is valid.
Preferably, after the result of the authentication performed by the authentication server according to the authentication request message is received, the method further comprises: feeding back to the requesting party an authentication result that carries the IP address of the authentication server.
According to a further aspect of the invention, an authentication method is provided, comprising: receiving the authentication request message sent by the authenticating party, where the authentication request message carries the identity certificate and device ID of the requesting party and the identity certificate and device ID of the authenticating party; authenticating, according to the authentication request message, whether the port of the requesting party is allowed to connect to the port of the authenticating party; and sending the result of the authentication performed according to the authentication request message to the authenticating party.
Preferably, before the result of the authentication performed according to the authentication request message is sent to the authenticating party, the method further comprises: generating a first response message for the authenticating party, where the first response message carries the device ID of the requesting party, the device ID of the authenticating party and the authentication result; and generating a second response message for the requesting party, where the second response message carries the device ID of the requesting party, the device ID of the authenticating party, the authentication result and the certificate of the authentication server.
According to a further aspect of the invention, an authentication apparatus is provided, comprising: a first sending module for sending an authentication request message to an authentication server, where the authentication request message carries the identity certificate and device ID of the requesting party and the identity certificate and device ID of the authenticating party, and is used to instruct the authentication server to authenticate, according to the authentication request message, whether the port of the requesting party is allowed to connect to the port of the authenticating party; and a first receiving module for receiving the result of the authentication performed by the authentication server according to the authentication request message.
Preferably, the apparatus further comprises: a second receiving module for receiving the certificate exchange message sent by the requesting party, where the certificate exchange message carries the identity certificate and device ID of the requesting party; and a determination module for determining, from the identity certificate and device ID of the requesting party, that the requesting party's device is valid.
Preferably, the apparatus further comprises: a feedback module for feeding back to the requesting party an authentication result that carries the IP address of the authentication server.
According to a further aspect of the invention, an authentication apparatus is provided, comprising: a third receiving module for receiving the authentication request message sent by the authenticating party, where the authentication request message carries the identity certificate and device ID of the requesting party and the identity certificate and device ID of the authenticating party; an authentication module for authenticating, according to the authentication request message, whether the port of the requesting party is allowed to connect to the port of the authenticating party; and a second sending module for sending the result of the authentication performed according to the authentication request message to the authenticating party.
Preferably, the apparatus further comprises: a first generation module for generating a first response message for the authenticating party, where the first response message carries the device ID of the requesting party, the device ID of the authenticating party and the authentication result; and a second generation module for generating a second response message for the requesting party, where the second response message carries the device ID of the requesting party, the device ID of the authenticating party, the authentication result and the certificate of the authentication server.
Through the invention, an authentication request message carrying the identity certificate and device ID of the requesting party and the identity certificate and device ID of the authenticating party is sent to the authentication server, instructing it to authenticate, according to that message, whether the port of the requesting party is allowed to connect to the port of the authenticating party, and the result of that authentication is received. This solves the problem of authenticating whether the port connections between network devices are legitimate, and so ensures the security of the network.
Accompanying drawing explanation
The accompanying drawings described here provide a further understanding of the invention and form part of this application; the schematic embodiments and their description serve to explain the invention and do not improperly limit it. In the drawings:
Fig. 1 is a first flowchart of an authentication method according to an embodiment of the invention;
Fig. 2 is a second flowchart of an authentication method according to an embodiment of the invention;
Fig. 3 is a first block diagram of an authentication apparatus according to an embodiment of the invention;
Fig. 4 is a first block diagram of an authentication apparatus according to a preferred embodiment of the invention;
Fig. 5 is a second block diagram of an authentication apparatus according to a preferred embodiment of the invention;
Fig. 6 is a second block diagram of an authentication apparatus according to an embodiment of the invention;
Fig. 7 is a third block diagram of an authentication apparatus according to a preferred embodiment of the invention;
Fig. 8 is a schematic diagram of the authentication path according to an embodiment of the invention;
Fig. 9 is a flowchart of the network device authentication method according to an embodiment of the invention;
Fig. 10 is a schematic diagram of network device authentication according to an embodiment of the invention;
Fig. 11 is a structural block diagram of the requesting-end network device according to an embodiment of the invention;
Fig. 12 is a structural block diagram of the authenticating-end network device according to an embodiment of the invention;
Fig. 13 is a structural block diagram of the sub-authentication server network device according to an embodiment of the invention;
Fig. 14 is a structural block diagram of the core authentication server according to an embodiment of the invention.
Embodiment
The invention is described in detail below with reference to the drawings and in conjunction with the embodiments. It should be noted that, where they do not conflict, the embodiments of this application and the features in the embodiments may be combined with one another.
This embodiment provides an authentication method. Fig. 1 is a first flowchart of an authentication method according to an embodiment of the invention; as shown in Fig. 1, the process comprises the following steps:
Step S102: an authentication request message is sent to the authentication server, where the authentication request message carries the identity certificate and device ID of the requesting party and the identity certificate and device ID of the authenticating party, and is used to instruct the authentication server to authenticate, according to the authentication request message, whether the port of the requesting party is allowed to connect to the port of the authenticating party;
Step S104: the result of the authentication performed by the authentication server according to the authentication request message is received.
Through the above steps, the authenticating party sends the authentication server an authentication request message carrying the identity certificate and device ID of the requesting party and the identity certificate and device ID of the authenticating party; the authentication server uses the information carried in the request to authenticate whether the port of the requesting party is allowed to connect to the port of the authenticating party and then sends the result to the authenticating party; and the authenticating party, on receiving the result, determines whether to allow the port of the requesting party to connect to its own port. This solves the problem of authenticating whether the port connections between network devices are legitimate, and so ensures network security.
In this embodiment, before sending the authentication request message to the authentication server, the authenticating party first receives the certificate exchange message sent by the requesting party, which carries the identity certificate and device ID of the requesting party. From these the authenticating party can determine whether the requesting party's device is valid, and only when it is valid does it send the authentication request message to the authentication server, which improves the effectiveness of the authentication.
In a preferred embodiment, after receiving the result of the authentication performed by the authentication server according to the authentication request message, the authenticating party feeds back to the requesting party an authentication result that carries the IP address of the authentication server. Having received it, the requesting party holds the IP address of the authentication server and can therefore itself act as an authenticating party in later authentications.
Another aspect of the embodiments of the invention additionally provides an authentication method. Fig. 2 is a second flowchart of an authentication method according to an embodiment of the invention; as shown in Fig. 2, it comprises:
Step S202: the authentication request message sent by the authenticating party is received, where the authentication request message carries the identity certificate and device ID of the requesting party and the identity certificate and device ID of the authenticating party;
Step S204: whether the port of the requesting party is allowed to connect to the port of the authenticating party is authenticated according to the authentication request message;
Step S206: the result of the authentication performed according to the authentication request message is sent to the authenticating party.
Through the above steps, the authentication request message sent by the authenticating party is received, carrying the identity certificate and device ID of the requesting party and the identity certificate and device ID of the authenticating party; whether the port of the requesting party is allowed to connect to the port of the authenticating party is authenticated according to the information carried in the message; and the result is sent to the authenticating party. This solves the problem of authenticating whether the port connections between network devices are legitimate, and so ensures network security.
In this embodiment, before the result of the authentication performed according to the authentication request message is sent to the authenticating party, the authentication server generates a response message for each of the authenticating party and the requesting party: a first response message for the authenticating party, carrying the device ID of the requesting party, the device ID of the authenticating party and the authentication result; and a second response message for the requesting party, carrying the device ID of the requesting party, the device ID of the authenticating party, the authentication result and the certificate of the authentication server. The contents of the first and second response messages are then sent together to the authenticating party, which feeds back to the requesting party.
According to a further aspect of the invention, an authentication apparatus is provided for implementing the above embodiments and preferred implementations; what has already been explained is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 3 is a first block diagram of an authentication apparatus according to an embodiment of the invention. As shown in Fig. 3, it comprises a first sending module 32 and a first receiving module 34, described below.
The first sending module 32 sends an authentication request message to the authentication server, where the authentication request message carries the identity certificate and device ID of the requesting party and the identity certificate and device ID of the authenticating party, and is used to instruct the authentication server to authenticate, according to the authentication request message, whether the port of the requesting party is allowed to connect to the port of the authenticating party;
The first receiving module 34 receives the result of the authentication performed by the authentication server according to the authentication request message.
Fig. 4 is a first block diagram of an authentication apparatus according to a preferred embodiment of the invention. As shown in Fig. 4, the apparatus further comprises:
a second receiving module 42, which receives the certificate exchange message sent by the requesting party, where the certificate exchange message carries the identity certificate and device ID of the requesting party;
a determination module 44, which determines from the identity certificate and device ID of the requesting party that the requesting party's device is valid.
Fig. 5 is a second block diagram of an authentication apparatus according to a preferred embodiment of the invention. As shown in Fig. 5, the apparatus further comprises:
a feedback module 52, which feeds back to the requesting party an authentication result that carries the IP address of the authentication server.
Another aspect of the embodiments of the invention additionally provides an authentication apparatus. Fig. 6 is a second block diagram of an authentication apparatus according to an embodiment of the invention. As shown in Fig. 6, it comprises a third receiving module 62, an authentication module 64 and a second sending module 66, each described below.
The third receiving module 62 receives the authentication request message sent by the authenticating party, where the authentication request message carries the identity certificate and device ID of the requesting party and the identity certificate and device ID of the authenticating party;
The authentication module 64 authenticates, according to the authentication request message, whether the port of the requesting party is allowed to connect to the port of the authenticating party;
The second sending module 66 sends the result of the authentication performed according to the authentication request message to the authenticating party.
Fig. 7 is a third block diagram of an authentication apparatus according to a preferred embodiment of the invention. As shown in Fig. 7, the apparatus further comprises:
a first generation module 72, which generates a first response message for the authenticating party, where the first response message carries the device ID of the requesting party, the device ID of the authenticating party and the authentication result;
a second generation module 74, which generates a second response message for the requesting party, where the second response message carries the device ID of the requesting party, the device ID of the authenticating party, the authentication result and the certificate of the authentication server.
With the above authentication method and apparatus of the embodiments of the invention, network devices are interconnected on a per-port basis, which guarantees that every network device node accessing the network is trusted and that the forwarding path of data traffic has been authenticated and is trusted.
The embodiments of the invention are further described below in conjunction with examples.
The embodiments of the invention authenticate network device ports on the basis of port connection rights, ensuring that the network's data traffic is forwarded over an authenticated path and so ensuring network security. A method for authenticating the interconnection of network devices is provided: the initial state of a network device port is unauthenticated, in which the port forwards only authentication messages and blocks all other data messages; once a port is in the authenticated state, all data messages on that port are let through. The interconnection authentication involves three roles: the requesting party, the authenticating party and the authentication server. The requesting party is the network device that initiates the identity authentication request; the authenticating party is the network device that responds to the request; and the authentication server is a trusted third-party authentication server whose results all network devices trust. The method comprises the following:
The requesting party sends a certificate exchange message containing the requesting party's identity certificate and device ID (the unique identifier of the network device). On receiving the requesting party's digital identity certificate, the authenticating party verifies the certificate; if it is valid, the authenticating party caches it locally and sends the requesting party a certificate exchange message containing the authenticating party's identity certificate and device ID. At the same time it sends an authentication request message to the authentication server containing the digital identity certificates of the requesting party and the authenticating party and the device IDs of both.
On receiving the authentication request message, the authentication server verifies the identity certificates of the requesting party and the authenticating party. If verification passes, it further checks the network access rights according to the requesting party's ID and the authenticating party's ID; if access is allowed it returns authentication success, otherwise authentication failure. When returning the authentication response, it produces one response message each for the authenticating party and the requesting party and packs them into a single message. The authenticating party's response contains the requesting party ID, the authenticating party ID and the authentication state. The requesting party's response contains the requesting party ID, the authenticating party ID, the authentication state and the authentication server's certificate.
On receiving the authentication response, the authenticating party verifies the response message; if the authentication request was permitted, it sends the requesting party an authentication response message containing the IP address of the authentication server and the complete requesting party response returned by the authentication server. On receiving this, the requesting party verifies the response message; if the authentication request was permitted, it sends an authentication-complete message to the authenticating party, sets the authentication state of its local network interface to authenticated, and authentication ends. The authenticating party verifies the authentication-complete message, sets the authentication state of its local network interface to authenticated, and authentication ends.
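The exchange described above, as an added example that is not part of the patent: a Python simulation of the requesting party, the authenticating party and the authentication server, with ports that pass only authentication messages until they are authenticated. Certificates are modelled as HMAC-signed records under a constructed server key (the patent's scheme uses CA-signed digital certificates), and the rule entries, device IDs, port names and server address are constructed.

```python
import hashlib
import hmac
import json

# Constructed key material and address. The patent uses CA-signed digital
# certificates; here a certificate is a record whose "sig" is an HMAC under a
# key that only the trusted authentication server holds.
SERVER_KEY = b"constructed-authentication-server-key"
SERVER_IP = "198.51.100.10"
AUTH_MSG_TYPES = {"cert_exchange", "auth_request", "auth_response", "auth_complete"}


def _sign(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()


def issue_cert(device_id: str, role: str = "device") -> dict:
    payload = {"device_id": device_id, "role": role}
    return {**payload, "sig": _sign(payload)}


def cert_valid(cert: dict) -> bool:
    payload = {k: v for k, v in cert.items() if k != "sig"}
    return hmac.compare_digest(_sign(payload), str(cert.get("sig", "")))


# Constructed rule list, shaped like the rule entries of the deployment section:
# (requester device ID, authenticator device ID, connecting port) -> may connect.
RULES = {
    ("dev-A", "dev-B", "ge0/1"): True,
    ("dev-C", "dev-B", "ge0/2"): False,
}


class Port:
    """An unauthenticated port passes authentication messages only."""

    def __init__(self, name: str):
        self.name, self.state = name, "unauthenticated"

    def accepts(self, msg_type: str) -> bool:
        return self.state == "authenticated" or msg_type in AUTH_MSG_TYPES


class AuthServer:
    cert = issue_cert("auth-server", role="auth-server")

    def handle(self, req: dict) -> dict:
        rc, ac = req["requester_cert"], req["authenticator_cert"]
        rid, aid = rc["device_id"], ac["device_id"]
        # Both identity certificates must verify, then the rule table decides
        # the port's connection right; anything not listed is denied.
        ok = cert_valid(rc) and cert_valid(ac) and RULES.get((rid, aid, req["port"]), False)
        state = "success" if ok else "failure"
        # One response each for authenticator and requester, packed together.
        return {
            "for_authenticator": {"requester": rid, "authenticator": aid, "state": state},
            "for_requester": {"requester": rid, "authenticator": aid, "state": state,
                              "server_cert": self.cert},
        }


class Device:
    def __init__(self, device_id: str, port_name: str):
        self.id, self.cert, self.port = device_id, issue_cert(device_id), Port(port_name)
        self.server_ip = None


def authenticate(requester: Device, authenticator: Device, server: AuthServer) -> dict:
    """Run the exchange and return both ports' final authentication states."""
    def states() -> dict:
        return {"requester": requester.port.state, "authenticator": authenticator.port.state}

    # 1. Requester -> authenticator: certificate exchange (ID and certificate).
    #    The authenticator's own certificate exchange message back is omitted here.
    exch = {"type": "cert_exchange", "device_id": requester.id, "cert": requester.cert}
    if not authenticator.port.accepts(exch["type"]) or not cert_valid(exch["cert"]):
        return states()
    # 2. Authenticator -> server: both certificates and both device IDs.
    req = {"type": "auth_request", "requester_cert": exch["cert"],
           "authenticator_cert": authenticator.cert, "port": authenticator.port.name}
    bundle = server.handle(req)
    # 3. Authenticator checks its own response; if permitted, it relays the
    #    requester's response together with the server's IP address.
    if bundle["for_authenticator"]["state"] != "success":
        return states()
    resp = {"type": "auth_response", "server_ip": SERVER_IP, "response": bundle["for_requester"]}
    # 4. Requester verifies the relayed response and the server certificate,
    #    answers with auth_complete and marks its interface authenticated.
    r = resp["response"]
    if r["state"] == "success" and cert_valid(r["server_cert"]) and r["requester"] == requester.id:
        requester.port.state = "authenticated"
        requester.server_ip = resp["server_ip"]   # it may act as authenticator later
        done = {"type": "auth_complete", "device_id": requester.id}
        # 5. Authenticator verifies auth_complete and marks its interface too.
        if authenticator.port.accepts(done["type"]) and done["device_id"] == r["requester"]:
            authenticator.port.state = "authenticated"
    return states()
```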
During interconnection authentication, the authenticating-party and requesting-party roles are determined as follows: when the local network device and a peer network device perform interconnection authentication, the local authentication role must be negotiated between the interconnected ports of the two network devices taking part in the authentication.
The negotiation follows these rules: if the local device has an authentication server address and the peer does not, the local device is the authenticating end and the peer is the requesting end; if the peer has an authentication server address and the local device does not, the local device is the requesting end and the peer is the authenticating end; if neither has one, the peer's message is ignored and no authentication takes place; if both have an authentication server address, the device with the smaller device ID is the requesting end and the one with the larger device ID is the authenticating end.
The certificate exchange message includes a "connected authentication server" field: a value of 0 indicates that the network device currently has no available authentication server address, and a non-zero value indicates that it does. When a network device receives a peer's certificate exchange message, it negotiates according to the above rules using the "connected authentication server" field and the device ID in the message, and so determines its authentication role.
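The role negotiation above, as an added example (not code from the patent): each device builds a certificate exchange message carrying the "connected authentication server" field and derives its own role from the peer's message, and a check confirms the two ends reach complementary roles. The field and key names, and the rejection of equal device IDs (the description states IDs are unique), are this example's assumptions.

```python
def build_cert_exchange(device: dict, cert: dict) -> dict:
    """Certificate exchange message. 'connected_auth_server' (field name assumed)
    is 0 when the device currently has no available authentication server
    address and non-zero when it has one."""
    return {
        "type": "cert_exchange",
        "device_id": device["device_id"],
        "connected_auth_server": 1 if device["auth_server_addrs"] else 0,
        "cert": cert,
    }


def negotiate_role(local: dict, peer_msg: dict) -> str:
    """Return the local device's role: 'authenticator', 'requester' or 'none'."""
    local_has = bool(local["auth_server_addrs"])
    peer_has = peer_msg["connected_auth_server"] != 0
    if local_has and not peer_has:
        return "authenticator"
    if peer_has and not local_has:
        return "requester"
    if not local_has and not peer_has:
        return "none"          # ignore the peer's message; no authentication
    # Both ends hold a server address: the smaller device ID requests,
    # the larger device ID authenticates.
    if local["device_id"] == peer_msg["device_id"]:
        # Device IDs are unique by definition; equal IDs would put both ends
        # in the same role, so the message is rejected (assumption).
        raise ValueError("duplicate device ID in certificate exchange")
    return "requester" if local["device_id"] < peer_msg["device_id"] else "authenticator"


def negotiate_both(a: dict, b: dict) -> tuple:
    """Run the negotiation on both ends of a link from each other's messages."""
    msg_a = build_cert_exchange(a, {"device_id": a["device_id"]})  # certificate body not needed here
    msg_b = build_cert_exchange(b, {"device_id": b["device_id"]})
    return negotiate_role(a, msg_b), negotiate_role(b, msg_a)


def roles_consistent(roles: tuple) -> bool:
    """Exactly one authenticator and one requester, or neither end authenticates."""
    return sorted(roles) in (["authenticator", "requester"], ["none", "none"])
```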
Management of authentication server addresses by network devices: when a new network device performs access authentication through an already authenticated network device, in the final stage of authentication the authenticating party sends an authentication response message to the requesting party. If the authentication result is "allowed", the authenticating party carries a list of authentication server IP addresses in the authentication response message, notifying the newly added network device of the addresses. The authentication server IP address list should contain at least one primary authentication server address, and at most three backup authentication server addresses. After authentication completes, the new network device caches the authentication server's digital certificate and immediately probes the authentication service at the advertised addresses to check whether it is available, ensuring that at least one authentication service is in the available state. Having done so, the new network device can itself become an authenticating party and provide access authentication service to other network devices connected to it.
The network device periodically sends keep-alive messages to each authentication server address. When the authentication server receives a keep-alive message it checks the message's validity and sends a keep-alive response to the network device. After receiving the keep-alive response from the authentication server, the network device considers the corresponding authentication service active. After sending an authentication request to an authentication server and correctly receiving the authentication response message, the network device may also restart the probe timer for that authentication server address and consider the server available for that probe interval. An authentication server address that fails to respond to several consecutive probes is marked unavailable. If an address in the unavailable state correctly returns a keep-alive response in a subsequent probe, it is marked available again.
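The keep-alive and probe logic above, as an added example that is not the patent's code: a per-address availability tracker on the network device, in which a keep-alive response is accepted only if it answers the outstanding probe, several consecutive unanswered probes mark the address unavailable, and a correctly received authentication response restarts the probe timer. The probe interval, the miss threshold, the nonce field and the addresses are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

PROBE_INTERVAL = 30.0   # seconds; assumed, the description gives no value
MAX_MISSES = 3          # "several consecutive" unanswered probes; assumed count


@dataclass
class ServerState:
    addr: str
    available: bool = True
    misses: int = 0
    next_probe: float = 0.0
    pending_nonce: Optional[str] = None


class ServerTracker:
    """Availability of each authentication server address known to a device."""

    def __init__(self, addrs, interval: float = PROBE_INTERVAL, max_misses: int = MAX_MISSES):
        self.interval, self.max_misses = interval, max_misses
        # Insertion order keeps the primary address first, backups after it.
        self.servers = {a: ServerState(a) for a in addrs}

    def send_probe(self, addr: str, now: float) -> dict:
        """Build the next keep-alive; an earlier probe still unanswered is a miss."""
        s = self.servers[addr]
        if s.pending_nonce is not None:
            self._miss(s)
        s.pending_nonce = secrets.token_hex(8)
        s.next_probe = now + self.interval
        return {"type": "keepalive", "addr": addr, "nonce": s.pending_nonce}

    def keepalive_response(self, msg: dict) -> bool:
        """Accept a response only if it answers the outstanding probe."""
        s = self.servers.get(msg.get("addr"))
        if s is None or s.pending_nonce is None or msg.get("nonce") != s.pending_nonce:
            return False          # unsolicited, stale or replayed: ignored
        s.pending_nonce, s.misses, s.available = None, 0, True
        return True

    def auth_response_received(self, addr: str, now: float) -> None:
        """A correctly received authentication response also proves liveness."""
        s = self.servers[addr]
        s.pending_nonce, s.misses, s.available = None, 0, True
        s.next_probe = now + self.interval   # restart the probe timer

    def due(self, now: float) -> list:
        """Addresses whose probe timer has expired."""
        return [a for a, s in self.servers.items() if now >= s.next_probe]

    def available(self) -> list:
        return [a for a, s in self.servers.items() if s.available]

    def _miss(self, s: ServerState) -> None:
        s.pending_nonce = None
        s.misses += 1
        if s.misses >= self.max_misses:
            s.available = False
```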
Deployment of the authentication servers: the authentication servers are deployed hierarchically, divided into a core authentication server and sub authentication servers. Authentication rules are synchronized between the core authentication server and the sub authentication servers. The core authentication server sits at the network core layer and can authenticate every device. A sub authentication server sits at the network aggregation layer and is only authorized to authenticate requests from the access devices below its aggregation network device. A sub authentication server registers with the core authentication server: initially it cannot provide authentication service; it sends a registration request message, and the core authentication server, after receiving the registration request, verifies the integrity and validity of the whole packet and returns registration success if registration is allowed, otherwise registration failure. The core authentication server sends the registration response message; after receiving it, the sub authentication server verifies the integrity and validity of the whole packet, and if the registration request was permitted the registration process is complete. The core authentication server then issues rules to the sub authentication server: it sends authentication rules, where each rule entry comprises the requester device ID, the authenticator device ID and a flag stating whether the port between the two devices may be connected to the network. The sub authentication server adds each newly received rule entry to its rule list.
In the embodiment of the present invention, the authentication rules of the core authentication server are synchronized to every sub authentication server, and access network devices authenticate to a sub authentication server, so that several authentication servers are available when an access device authenticates, which improves authentication reliability. During the authentication process, a network device that holds available authentication server addresses advertises them to the newly connected network device, which thus learns the authentication server addresses without manual configuration, improving ease of use. When authenticating, the authentication server verifies the digital certificates of both connected devices and performs access identity authentication, ensuring that the access device is legitimate; at the same time it authenticates, according to the authentication rules, the connection authority of the two connected device ports. Because the port between the two devices has been authenticated as having connection authority according to the rules, data messages forwarded through the network devices travel on a forwarding path that has been fully and credibly authenticated.
Fig. 8 is a schematic diagram of the certification path according to an embodiment of the present invention. As shown in Fig. 8, after a device leaves the factory and before it goes into operation, the root certificate, the upper-layer authentication server certificate, the network device's own digital certificate and the private key of that certificate are imported onto the device's persistent storage medium. All aggregation network devices and access network devices have the core authentication server certificate installed first. The core authentication server certificate carries the signature of the root CA; the core network device certificates and all aggregation network device certificates carry the signature of the core authentication server; and access network device certificates carry the signature of the sub authentication server. An access router verifies the legitimacy of an aggregation network device certificate using the public key of the core authentication server certificate, and then judges from the device role information in the subject area of that certificate whether the aggregation network device is a legitimate sub authentication server. Both checks are needed: the signature alone only proves that the core authentication server issued the certificate, and it is the role field that distinguishes a sub authentication server from any other aggregation device holding a core-signed certificate.
The subject area of the digital certificate is extended to contain: a unique device identifier, i.e. the device ID, suggested to be an integer of length 128; a device name, suggested to be a string of at most 128 bytes; and a device role, taking one of the following values: core network device, aggregation network device, access network device, authentication server.
Fig. 9 is a flow chart of the network device authentication method according to an embodiment of the present invention. As shown in Fig. 9, it comprises the following steps:
Step S902: the sub authentication server registers with the core authentication server. Specifically, the sub authentication server cannot provide authentication service when it starts; it sends a registration request message containing the identity certificate of the aggregation network device and the device ID of the aggregation network device, and finally digitally signs the whole message with the local private key. After receiving the registration request, the core authentication server verifies the integrity and validity of the whole packet with the public key of the aggregation network device; if registration is allowed it returns registration success, otherwise registration failure. The core authentication server sends the registration response message, signed with the private key of the authentication server certificate. After receiving the registration response, the aggregation network device verifies the integrity and validity of the whole packet with the public key of the core authentication server; if the registration request was permitted, the registration process is complete.
Step S904: the core authentication server issues rules to the sub authentication server. Specifically, the core authentication server sends the relevant authentication rules to the sub authentication server, each comprising the requester device ID, the authenticator device ID and a flag stating whether the port between the two devices may be connected to the network. After receiving the authentication rule message, the sub authentication server adds the rule entries to its rule list.
Step S906: the requester network device sends a certificate exchange message. Specifically, the requester sends a certificate exchange message containing the requester's identity certificate and the requester's device ID. After receiving the requester's identity certificate, the authenticator validates the certificate against fields such as the validity period; if it is valid, the digital certificate is cached locally.
Step S908: the authenticator network device sends a certificate exchange message. Specifically, this message contains the authenticator's identity certificate and the authenticator's device ID. After receiving the authenticator's identity certificate, the requester validates the certificate against fields such as the validity period; if it is valid, the digital certificate is stored locally.
Step S910: the authenticator sends an authentication request to the authentication server. Specifically, the transmitted packet contains the identity certificates of the requester and the authenticator and the device IDs of the requester and the authenticator, and finally the whole message is digitally signed with the local private key. After receiving the authentication request message, the authentication server verifies the integrity and validity of the whole packet with the authenticator's public key and verifies the identity certificates of the requester and the authenticator; if this authentication passes, it further confirms network access authority according to the requester's device ID and the authenticator's device ID, returning authentication success if access is allowed and authentication failure otherwise.
Step S912: the authentication server returns the authentication response to the authenticator. Specifically, when returning the authentication response message, two messages are generated, one for the authenticator and one for the requester, and packed into a single message. The authenticator's response message contains the requester device ID, the authenticator device ID and the authentication state, and is signed with the private key of the authentication server certificate. The requester's response message contains the requester device ID, the authenticator device ID, the authentication state and the authentication server certificate, and is likewise signed with the private key of the authentication server certificate. After receiving the authentication response message, the authenticator reads the authentication server certificate to obtain its public key, and verifies the integrity and validity of the authenticator's response message with the authentication server's public key.
Step S914: the authenticator sends an authentication response message to the requester. Specifically, the complete message contains the IP address of the authentication server and the requester's response message returned by the authentication server, and the whole message is digitally signed with the local private key. After receiving the authentication response message, the requester verifies the integrity and validity of the whole packet with the authenticator's public key, reads the authentication server certificate to obtain its public key, and verifies the integrity and validity of the requester's authentication response message with the authentication server's public key. The requester then sends an authentication complete message to the authenticator and sets the authentication state of its local network interface to authenticated.
Step S916: the requester sends the authentication complete message to the authenticator. Specifically, the authenticator verifies the authentication complete message, sets the authentication state of its local network interface to authenticated, and authentication ends.
Step S918: keep-alive messages are sent periodically. Specifically, after both the requester and the authenticator have entered the authenticated state, the two sides carry out an authentication keep-alive process, achieving bidirectional detection and determining that the peer is in the authentication-enabled state. The transmitted keep-alive message contains a freshly generated random number, and the sending device signs the whole message with its local private key. On receiving a keep-alive request message, the peer network device verifies the integrity and validity of the whole message with the public key of the opposite device, adds 1 to the random number and constructs the keep-alive response message.
Step S920: the keep-alive response. Specifically, on receiving a keep-alive response message, the network device verifies the integrity and validity of the whole message with the public key of the peer network device, and checks that the random number it just generated equals the random number in the response message minus 1.
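The exchange of steps S910 to S920, together with the certificate chain and role check of Fig. 8, as an added example that is not code from the patent. It uses a toy certificate struct (device ID, role, public key, issuer signature) with Ed25519 in place of X.509, a fixed byte encoding for the signed messages, the role name "authserver" for the sub authentication server, and constructed device IDs 1001 and 1002; all of these are assumptions of the example. The response of step S912 is modelled as one signed message that is both returned to the authenticator and relayed to the requester; the authentication server certificate that the requester's copy carries is represented by the requester already knowing the server's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// cert is a toy stand-in for the device certificates of Fig. 8: the extended subject
// fields (device ID, role), the public key and the issuer's signature over them.
// The struct and its byte encoding are assumptions of this example, not X.509.
type cert struct {
	DeviceID uint64
	Role     string // "core", "authserver" or "access"
	Pub      ed25519.PublicKey
	Sig      []byte
}

func (c *cert) tbs() []byte { // the bytes the issuer signs
	return append(append(binary.BigEndian.AppendUint64(nil, c.DeviceID), c.Role...), c.Pub...)
}

func issue(id uint64, role string, pub ed25519.PublicKey, issuer ed25519.PrivateKey) *cert {
	c := &cert{DeviceID: id, Role: role, Pub: pub}
	c.Sig = ed25519.Sign(issuer, c.tbs())
	return c
}

// verifyChain: the leaf is signed by the issuer, the issuer is signed by the pre-installed
// core authentication server certificate, and the issuer's subject role marks it as a sub server.
func verifyChain(leaf, issuer, anchor *cert) bool {
	return issuer.Role == "authserver" && ed25519.Verify(anchor.Pub, issuer.tbs(), issuer.Sig) &&
		ed25519.Verify(issuer.Pub, leaf.tbs(), leaf.Sig)
}

type rule struct{ Req, Auth uint64 } // a rule entry keyed by (requester ID, authenticator ID)

type authServer struct {
	key          ed25519.PrivateKey
	cert, anchor *cert
	rules        map[rule]bool // true: the port between the two devices may connect
}

// handle is step S910: check the authenticator's signature over both certificates, both
// certificate chains, then the rule table (an absent rule denies). The response is the
// encoding (requester ID, authenticator ID, result byte) plus the server's signature.
func (s *authServer) handle(reqCert, authCert *cert, sig []byte) (msg, msgSig []byte, err error) {
	if !ed25519.Verify(authCert.Pub, append(reqCert.tbs(), authCert.tbs()...), sig) {
		return nil, nil, errors.New("authenticator signature invalid")
	}
	if !verifyChain(reqCert, s.cert, s.anchor) || !verifyChain(authCert, s.cert, s.anchor) {
		return nil, nil, errors.New("certificate chain invalid")
	}
	var result byte
	if s.rules[rule{reqCert.DeviceID, authCert.DeviceID}] {
		result = 1
	}
	msg = append(binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint64(nil, reqCert.DeviceID), authCert.DeviceID), result)
	return msg, ed25519.Sign(s.key, msg), nil
}

// authenticate runs S910-S914: the authenticator signs the request, relays the server's
// response under its own signature, and the requester checks the authenticator's outer
// signature and then the server's inner one, so a relay cannot forge an "allowed" result.
func authenticate(srv *authServer, reqCert, authCert *cert, authKey ed25519.PrivateKey) (bool, error) {
	msg, msgSig, err := srv.handle(reqCert, authCert, ed25519.Sign(authKey, append(reqCert.tbs(), authCert.tbs()...)))
	if err != nil {
		return false, err
	}
	relayed := append(append([]byte{}, msg...), msgSig...)
	outer := ed25519.Sign(authKey, relayed) // step S914 signature by the authenticator
	if !ed25519.Verify(authCert.Pub, relayed, outer) || !ed25519.Verify(srv.cert.Pub, msg, msgSig) {
		return false, errors.New("response rejected by requester")
	}
	return msg[16] == 1, nil
}

// keepAlive models S918-S920: a signed random number, a signed reply of that number plus 1,
// and the originator's check that the reply equals its own number plus 1.
func keepAlive(me, peer ed25519.PrivateKey) bool {
	nonce := make([]byte, 8)
	_, _ = rand.Read(nonce)
	if !ed25519.Verify(me.Public().(ed25519.PublicKey), nonce, ed25519.Sign(me, nonce)) {
		return false // the peer discards a request whose signature does not verify
	}
	reply := binary.BigEndian.AppendUint64(nil, binary.BigEndian.Uint64(nonce)+1)
	return ed25519.Verify(peer.Public().(ed25519.PublicKey), reply, ed25519.Sign(peer, reply)) &&
		binary.BigEndian.Uint64(reply)-1 == binary.BigEndian.Uint64(nonce)
}

// setup builds the toy PKI of Fig. 8: core server as trust anchor (its root CA signature is
// not modelled), one sub server signed by it, two access devices signed by the sub server,
// and one allow rule. Device IDs 1001/1002 are constructed for this example.
func setup() (srv *authServer, reqCert, authCert *cert, reqKey, authKey ed25519.PrivateKey) {
	corePub, coreKey, _ := ed25519.GenerateKey(rand.Reader)
	subPub, subKey, _ := ed25519.GenerateKey(rand.Reader)
	reqPub, reqKey, _ := ed25519.GenerateKey(rand.Reader)
	authPub, authKey, _ := ed25519.GenerateKey(rand.Reader)
	core := issue(1, "core", corePub, coreKey)
	srv = &authServer{key: subKey, cert: issue(2, "authserver", subPub, coreKey), anchor: core,
		rules: map[rule]bool{{1001, 1002}: true}}
	return srv, issue(1001, "access", reqPub, subKey), issue(1002, "access", authPub, subKey), reqKey, authKey
}

func main() {
	srv, reqCert, authCert, reqKey, authKey := setup()
	ok, err := authenticate(srv, reqCert, authCert, authKey)
	fmt.Println("port allowed:", ok, "error:", err)
	fmt.Println("keep-alive ok:", keepAlive(reqKey, authKey))
}
```

Two properties of the text are visible here. A device whose certificate does not chain to the sub server, or a request not signed with the key of the certificate it names as authenticator, is rejected before the rule table is consulted, and a pair with no rule entry is denied rather than allowed. The requester verifies the server's signature itself, which is why the response for the requester has to carry (or the requester has to already hold) the authentication server certificate.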
Fig. 10 is a schematic diagram of network device authentication according to an embodiment of the present invention. As shown in Fig. 10, network devices 1, 2, 3, 4 and 5 are access devices. Every port of network device 1 is an authenticated port. On network device 2, the port connected to network device 1 is an authenticated port and the port connected to network device 3 is an unauthenticated port. On network device 3, the port connected to network device 2 is an unauthenticated port. On network device 4, the port connected to network device 2 is an authenticated port and the port connected to network device 5 is configured as a trusted port. An unauthenticated port blocks all messages by default except authentication messages. A port configured as a trusted port does not need to pass authentication and allows all messages through.
After network device 2 is connected to network device 3, the connected ports send certificate exchange messages to each other. Network device 2 has an available authentication server address; such addresses can be configured manually or learned from the authenticating device's advertisement during an authentication process. In the certificate exchange message sent by network device 2, the "connected to authentication server" field is non-zero; network device 3 has no available authentication server address, so in the certificate exchange message it sends that field is 0.
Network device 3 receives the certificate exchange packet; since the "connected to authentication server" field in the message is non-zero and the local device has no available authentication server address, it determines that it is the requester. Network device 2 receives the certificate exchange packet; since the field in the message is 0 and the local device has an available authentication server address, it determines that it is the authenticator. Network device 2 then sends an authentication request message to the sub authentication server. After receiving the authentication request message, the authentication server confirms network access authority according to the requester device ID and the authenticator device ID, and returns authentication success if access is allowed. When returning the authentication response message, two response messages, one for the authenticator and one for the requester, are generated and packed into a single message.
After network device 2 receives the authentication response message, if the authentication request was permitted it sends an authentication response message to network device 3; the message contains the IP address list of the authentication servers, advertising those addresses to the newly added network device 3. After receiving the authentication response message, network device 3 sends an authentication complete message to network device 2 and sets the authentication state of its local network interface to authenticated. Network device 2 verifies the authentication complete message, sets the authentication state of its local network interface to authenticated, and authentication ends.
Network device 3 can immediately probe the authentication services at the advertised addresses to check their availability and to ensure that at least one authentication service is in the available state. Having done so, network device 3 can become a new authenticator and provide access authentication service for other devices connected to it.
The port of network device 4 connected to network device 5 has been configured as a trusted port, so the port of network device 5 connected to network device 4 can access the network without passing authentication. Since a trusted port bypasses both the certificate check and the rule lookup, whatever is attached to it is admitted unconditionally; the trusted-port configuration is the one point in this scheme where network access rests on operator configuration rather than on authentication.
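The port filtering and the requester/authenticator election of Fig. 10, as an added example that is not code from the patent. The frame model, the address-learning helper and the handling of the two cases the text does not cover (both sides hold a server address, or neither does) are assumptions of this example.

```go
package main

import "fmt"

// portState is the per-port state of Fig. 10. An unauthenticated port passes only
// authentication-protocol messages; an authenticated port, or a port the operator
// configured as trusted, passes everything. This is an added example; the frame
// model and the tie-breaking rule in electRole are assumptions, not from the patent.
type portState int

const (
	Unauthenticated portState = iota
	Authenticated
	Trusted
)

// frame is a minimal model of a received packet: is it an authentication-protocol
// message (certificate exchange, authentication response, keep-alive) or user data?
type frame struct{ AuthProtocol bool }

// forward decides whether a port in state s passes frame f.
func forward(s portState, f frame) bool {
	switch s {
	case Authenticated, Trusted:
		return true
	default: // Unauthenticated: default-deny, authentication messages excepted
		return f.AuthProtocol
	}
}

type role int

const (
	Undecided role = iota
	Requester
	Authenticator
)

// electRole implements the decision of the certificate exchange: peerConnected is the
// "connected to authentication server" field in the peer's message (non-zero means
// true), localHasServer whether this device holds an available server address. The
// text only covers the two asymmetric cases; when both or neither side has a server
// this example leaves the role undecided, so the port stays unauthenticated instead
// of both sides claiming to be the authenticator.
func electRole(peerConnected, localHasServer bool) role {
	switch {
	case peerConnected && !localHasServer:
		return Requester
	case !peerConnected && localHasServer:
		return Authenticator
	}
	return Undecided
}

// learnServers merges the addresses advertised in the authentication response into
// the local list, which is what lets the newly admitted device act as authenticator
// for the next device; duplicates are dropped so probing does not double up.
func learnServers(local, advertised []string) []string {
	seen := make(map[string]bool, len(local))
	for _, a := range local {
		seen[a] = true
	}
	for _, a := range advertised {
		if !seen[a] {
			seen[a] = true
			local = append(local, a)
		}
	}
	return local
}

func main() {
	// Device 3 connects to device 2; only device 2 knows a server (constructed addresses).
	fmt.Println("device 3 role:", electRole(true, false), "device 2 role:", electRole(false, true))
	fmt.Println("data on unauthenticated port forwarded:", forward(Unauthenticated, frame{}))
	fmt.Println("auth message on unauthenticated port forwarded:", forward(Unauthenticated, frame{AuthProtocol: true}))
	servers := learnServers(nil, []string{"10.0.0.1", "10.0.0.2", "10.0.0.1"})
	fmt.Println("device 3 now knows:", servers, "and can be authenticator:", electRole(false, len(servers) > 0))
}
```

Leaving the symmetric cases undecided is a deliberate fail-closed choice: an unauthenticated port keeps dropping data until a role is agreed, whereas letting both sides elect themselves authenticator would leave neither port authenticated by the server.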
Through the above authentication mode, all devices accessing the network, and the port connection authority between all devices, can be authenticated, improving network security.
Fig. 11 is a structural block diagram of the requester network device according to an embodiment of the present invention. As shown in Fig. 11, the authentication apparatus of this network device may comprise a first receiving unit 112, a first sending unit 114, a first verification unit 116 and a first setting unit 118; the functions of these units are implemented by the second receiving module 42 and the determination module 44 of the embodiment of the present invention. The units are described below.
First receiving unit 112, for receiving the certificate exchange packet and the authentication response message sent by the authenticator network device;
First sending unit 114, for sending the certificate exchange packet to the authenticator network device;
First verification unit 116, for verifying the validity of the digital certificate in a received message;
First setting unit 118, for filtering port data messages: when the port is in the unauthenticated state it does not forward IP packets and only processes authentication protocol messages; when the port is in the authenticated state it forwards IP packets.
Fig. 12 is a structural block diagram of the authenticator network device according to an embodiment of the present invention. As shown in Fig. 12, the authentication apparatus of this network device may comprise a second receiving unit 122, a second sending unit 124, a second verification unit 126, a server management unit 128 and a second setting unit 1210; the functions of these units are implemented together by the second receiving module 42, the determination module 44, the first sending module 32 and the first receiving module 34 of the embodiment of the present invention. The units are described below.
Second receiving unit 122, for receiving the certificate exchange packet sent by the requester network device and the authentication response message sent by the authentication server;
Second sending unit 124, for sending the certificate exchange message to the requester network device, sending the authentication request packet to the authentication server, and sending the authentication response message to the requester network device;
Second verification unit 126, for verifying the validity of the digital certificate in a received message;
Server management unit 128, for adding newly learned authentication server addresses to the server address list and periodically probing the availability of the server addresses;
Second setting unit 1210, for filtering port data messages: when the port is in the unauthenticated state it does not forward IP packets and only processes authentication protocol messages; when the port is in the authenticated state it forwards IP packets.
Fig. 13 is a structural block diagram of the sub authentication server network device according to an embodiment of the present invention. As shown in Fig. 13, the authentication apparatus of this network device may comprise a third sending unit 132, a third receiving unit 134, a third verification unit 136, a third authentication unit 138 and a first authentication rule table unit 1310; the functions of these units are implemented jointly by the second sending module 66, the third receiving module 62 and the authentication module 64 of the embodiment of the present invention. The units are described below.
Third sending unit 132, for sending the authentication response message to the authenticator network device and sending the registration request message to the core authentication server;
Third receiving unit 134, for receiving the authentication request packet from the authenticator network device and receiving the authentication rules issued by the core authentication server;
Third verification unit 136, for verifying the validity of the digital certificate in a received message;
Third authentication unit 138, for determining network access authority by querying the authentication rules in the authentication rule table unit according to the requester device ID and the authenticator device ID received in the authentication request packet;
First authentication rule table unit 1310, for storing the relevant authentication rules; each rule entry comprises the requester device ID, the authenticator device ID and a flag stating whether the port between the two devices may be connected to the network.
Fig. 14 is a structural block diagram of the core authentication server according to an embodiment of the present invention. As shown in Fig. 14, this authentication apparatus may comprise a fourth sending unit 142, a fourth receiving unit 144, a fourth verification unit 146 and a second authentication rule table unit 148; the functions of these units are implemented by the authentication apparatus of the embodiment of the present invention. The units are described below.
Fourth sending unit 142, for sending the relevant rules to the sub authentication servers;
Fourth receiving unit 144, for receiving registration requests from the sub authentication servers;
Fourth verification unit 146, for verifying the validity of the digital certificate in a received message;
Second authentication rule table unit 148, for storing the authority rules of all network devices in the network.
An embodiment of the present invention also provides a network device authentication system, comprising the requester network device, the authenticator network device, the sub authentication server network device and the core authentication server described above.
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above may be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by several computing devices; optionally, they may be implemented with program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from that given here; or they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus the present invention is not restricted to any particular combination of hardware and software.
The above are only preferred embodiments of the present invention and do not limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (10)
1. An authentication method, characterized by comprising:
sending an authentication request message to an authentication server, wherein the authentication request message carries the identity certificate of a requester and the device identification ID of the requester, and the identity certificate of an authenticator and the device identification ID of the authenticator, and the authentication request message is used to instruct the authentication server to authenticate, according to the authentication request message, whether a port of the requester is allowed to connect to a port of the authenticator;
receiving the result of the authentication performed by the authentication server according to the authentication request message.
2. The method according to claim 1, characterized in that, before sending the authentication request message to the authentication server, it further comprises:
receiving a certificate exchange message sent by the requester, wherein the certificate exchange message carries the identity certificate of the requester and the device identification ID of the requester;
determining, according to the identity certificate of the requester and the device identification ID of the requester, that the device of the requester is valid.
3. The method according to claim 1, characterized in that, after receiving the result of the authentication performed by the authentication server according to the authentication request message, it further comprises:
feeding back to the requester an authentication result that carries the IP address of the authentication server.
4. An authentication method, characterized by comprising:
receiving an authentication request message sent by an authenticator, wherein the authentication request message carries the identity certificate of a requester and the device identification ID of the requester, and the identity certificate of the authenticator and the device identification ID of the authenticator;
authenticating, according to the authentication request message, whether a port of the requester is allowed to connect to a port of the authenticator;
sending the result of the authentication performed according to the authentication request message to the authenticator.
5. The method according to claim 4, characterized in that, before sending the result of the authentication performed according to the authentication request message to the authenticator, it further comprises:
generating a first response message for the authenticator, wherein the first response message carries the device identification ID of the requester, the device identification ID of the authenticator and the authentication result;
generating a second response message for the requester, wherein the second response message carries the device identification ID of the requester, the device identification ID of the authenticator, the authentication result and the certificate of the authentication server.
6. An authentication apparatus, characterized by comprising:
a first sending module, for sending an authentication request message to an authentication server, wherein the authentication request message carries the identity certificate of a requester and the device identification ID of the requester, and the identity certificate of an authenticator and the device identification ID of the authenticator, and the authentication request message is used to instruct the authentication server to authenticate, according to the authentication request message, whether a port of the requester is allowed to connect to a port of the authenticator;
a first receiving module, for receiving the result of the authentication performed by the authentication server according to the authentication request message.
7. The apparatus according to claim 6, characterized in that the apparatus further comprises:
a second receiving module, for receiving a certificate exchange message sent by the requester, wherein the certificate exchange message carries the identity certificate of the requester and the device identification ID of the requester;
a determination module, for determining, according to the identity certificate of the requester and the device identification ID of the requester, that the device of the requester is valid.
8. The apparatus according to claim 1, characterized in that the apparatus further comprises:
a feedback module, for feeding back to the requester an authentication result that carries the IP address of the authentication server.
9. An authentication apparatus, characterized by comprising:
a third receiving module, for receiving an authentication request message sent by an authenticator, wherein the authentication request message carries the identity certificate of a requester and the device identification ID of the requester, and the identity certificate of the authenticator and the device identification ID of the authenticator;
an authentication module, for authenticating, according to the authentication request message, whether a port of the requester is allowed to connect to a port of the authenticator;
a second sending module, for sending the result of the authentication performed according to the authentication request message to the authenticator.
10. The apparatus according to claim 9, characterized in that the apparatus further comprises:
a first generation module, for generating a first response message for the authenticator, wherein the first response message carries the device identification ID of the requester, the device identification ID of the authenticator and the authentication result;
a second generation module, for generating a second response message for the requester, wherein the second response message carries the device identification ID of the requester, the device identification ID of the authenticator, the authentication result and the certificate of the authentication server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410545460.2A CN105577618A (en) | 2014-10-15 | 2014-10-15 | Authentication method and apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105577618A true CN105577618A (en) | 2016-05-11 |
Family
ID=55887284
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410545460.2A Withdrawn CN105577618A (en) | 2014-10-15 | 2014-10-15 | Authentication method and apparatus |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105577618A (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105847253A (en) * | 2016-03-22 | 2016-08-10 | 燕南国创科技(北京)有限公司 | Method and apparatus for authentication |
CN107528857A (en) * | 2017-09-28 | 2017-12-29 | 北京东土军悦科技有限公司 | A kind of authentication method based on port, interchanger and storage medium |
WO2018001081A1 (en) * | 2016-06-28 | 2018-01-04 | 深圳市中兴微电子技术有限公司 | Network device identification method, apparatus, and storage medium |
CN107948140A (en) * | 2017-11-10 | 2018-04-20 | 广州杰赛科技股份有限公司 | The method of calibration and system of portable set |
CN109711133A (en) * | 2018-12-26 | 2019-05-03 | 广州市巽腾信息科技有限公司 | Authentication method, device and the server of identity information |
CN110233836A (en) * | 2019-05-31 | 2019-09-13 | 顾宏超 | A kind of communication verification method, equipment, system and computer readable storage medium |
CN111343193A (en) * | 2020-03-06 | 2020-06-26 | 咪咕文化科技有限公司 | Cloud network port security protection method and device, electronic equipment and storage medium |
CN117155704A (en) * | 2023-10-26 | 2023-12-01 | 西安热工研究院有限公司 | Method, system, equipment and medium for quickly adding trusted DCS (distributed control system) upper computer nodes |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101051898A (en) * | 2006-04-05 | 2007-10-10 | 华为技术有限公司 | Certifying method and its device for radio network end-to-end communication |
CN101442411A (en) * | 2008-12-23 | 2009-05-27 | 中国科学院计算技术研究所 | Identification authentication method between peer-to-peer user nodes in P2P network |
CN103036906A (en) * | 2012-12-28 | 2013-04-10 | 福建星网锐捷网络有限公司 | Network device authentication method and device and access device and controllable device |
CN103618613A (en) * | 2013-12-09 | 2014-03-05 | 北京京航计算通讯研究所 | Network access control system |
CN103780389A (en) * | 2012-10-26 | 2014-05-07 | 华为技术有限公司 | Port based authentication method and network device |
Legal Events
Date | Application | Publication | Status |
---|---|---|---|
2014-10-15 | CN201410545460.2A (CN) | CN105577618A | not_active Withdrawn |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105577618A (en) | | Authentication method and apparatus |
US11849052B2 (en) | | Certificate in blockchain network, storage medium, and computer device |
CN101714978A (en) | | SIP signaling without constant re-authentication |
CN104426656B (en) | | Data receiving-transmitting method and system, the processing method and processing device of message |
CN107846447A (en) | | A kind of method of the home terminal access message-oriented middleware based on MQTT agreements |
CN101534192B (en) | | System used for providing cross-domain token and method thereof |
US20100138907A1 (en) | | Method and system for generating digital certificates and certificate signing requests |
CN107277061A (en) | | End cloud security communication means based on IOT equipment |
CN106060014A (en) | | Method for simultaneously solving prefix hijacking, path hijacking and route leakage attacks |
CN101527632B (en) | | Method, device and system for authenticating response messages |
CN103973658A (en) | | Static user terminal authentication processing method and device |
CN108990062B (en) | | Intelligent security Wi-Fi management method and system |
CN103701700A (en) | | Node discovering method and system in communication network |
CN107508822A (en) | | Access control method and device |
CN104580553A (en) | | Identification method and device for network address translation device |
CN113852483B (en) | | Network slice connection management method, terminal and computer readable storage medium |
WO2013040957A1 (en) | | Single sign-on method and system, and information processing method and system |
CN112436940A (en) | | Internet of things equipment trusted boot management method based on zero-knowledge proof |
CN104601566A (en) | | Authentication method and device |
CN108011873A (en) | | A kind of illegal connection determination methods based on set covering |
CN112398798A (en) | | Network telephone processing method, device and terminal |
CN107342964A (en) | | A kind of message parsing method and equipment |
CN107493293A (en) | | A kind of method of sip terminal access authentication |
CN114827150A (en) | | Internet of things terminal data uplink adaptation method, system and storage medium |
CN104753926B (en) | | A kind of gateway admittance control method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |
 | WW01 | Invention patent application withdrawn after publication | |
 | WW01 | Invention patent application withdrawn after publication | Application publication date: 20160511 |