CN112492597A - Authentication method and device - Google Patents


Info

Publication number: CN112492597A
Authority: CN (China)
Prior art keywords: authentication, network address, terminal, identifier, network
Legal status: Granted
Application number: CN202011471508.1A
Other languages: Chinese (zh)
Other versions: CN112492597B (en)
Inventor: 仇剑书
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd
Events: application filed by China United Network Communications Group Co Ltd; priority to CN202011471508.1A; publication of CN112492597A; application granted; publication of CN112492597B; legal status active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W76/00 Connection management > H04W76/10 Connection setup

Abstract

The application discloses an authentication method and device, and relates to the technical field of the Internet of Things. The authentication method comprises the following steps: responding to an authentication request sent by an authentication service node, and establishing a network connection with a terminal; receiving an authentication identifier sent by the terminal, and acquiring a first network address according to the authentication identifier and pre-stored authentication information; acquiring a second network address according to the source network address information of the network connection; authenticating the terminal according to the first network address and the second network address to obtain an authentication result; and sending the authentication result to the authentication service node, so that the authentication service node determines whether to allow the access operation of the terminal according to the authentication result. In this way a password or authentication certificate need not be preset in the terminal, so that secure authentication of the terminal can be realized at lower cost.

Description

Authentication method and device
Technical Field
The application relates to the technical field of Internet of things, in particular to an authentication method and device.
Background
With the development of Internet of Things technology, the security of the Internet of Things receives increasing attention. An important link in guaranteeing that security is that, when a terminal accesses the Internet of Things server, the server authenticates the legitimacy of the terminal so as to prevent an illegitimate terminal from accessing the Internet of Things. Because the communication between the terminal and the Internet of Things server involves no human participation, the authentication method differs from the authentication methods used in the Internet field. At present, the Internet of Things field mainly authenticates by presetting passwords or digital certificates. That is, before the terminal leaves the factory or before it is installed, an authentication password or a digital certificate is preset in the terminal, and the same password or the same root certificate is stored in the Internet of Things server. Before the terminal communicates with the Internet of Things server, the terminal and the server complete one-way or two-way authentication through the preset password or digital certificate. However, presetting the password or digital certificate in the terminal places higher requirements on the security of the terminal production environment, and storing the password and digital certificate in the Internet of Things server likewise places higher requirements on the security of the server. Meeting these requirements greatly increases the production cost and the use cost of the terminal.
Therefore, how to realize secure authentication of Internet of Things terminals at low cost has become a problem to be solved in the field.
Disclosure of Invention
Therefore, the application provides an authentication method and an authentication device to solve the problem that authentication methods relying on a preset password or digital certificate cause higher production and use costs for the terminal.
In order to achieve the above object, a first aspect of the present application provides an authentication method including:
responding to an authentication request sent by an authentication service node, and establishing network connection with a terminal;
receiving an authentication identifier sent by a terminal, and acquiring a first network address according to the authentication identifier and pre-stored authentication information;
acquiring a second network address according to the source network address information of the network connection;
authenticating the terminal according to the first network address and the second network address to obtain an authentication result;
and sending the authentication result to the authentication service node so that the authentication service node can determine whether to allow the access operation of the terminal according to the authentication result.
Further, the pre-stored authentication information is information pre-stored by the authentication proxy node based on the authentication request.
Further, the authentication request comprises an identifier of a user identification card of the terminal, a first network address and an authentication identifier; the first network address is the network address of the terminal, and the authentication identifier is an identifier generated by the authentication service node for the authentication operation.
Further, the authentication identifier includes one or more of a timestamp identifier, a random number identifier, and a counter identifier.
Further, responding to the authentication request sent by the authentication service node and establishing a network connection with the terminal includes:
acquiring the international mobile station integrated service digital network code (MSISDN) of the subscriber identity module (SIM) card according to the identifier of the SIM card;
sending authentication connection information to the terminal according to the MSISDN of the SIM card, so that the terminal establishes a network connection with the authentication proxy node according to the authentication connection information; the authentication connection information comprises an identifier of a card authentication application, the network address of the authentication proxy node and the authentication identifier, and the card authentication application is an application program that parses the authentication connection information to acquire the network address of the authentication proxy node and the authentication identifier.
Further, acquiring the MSISDN of the SIM card according to the identifier of the SIM card comprises:
determining the home operator of the SIM card according to the identifier of the SIM card;
obtaining the MSISDN of the SIM card through the home operator.
Further, sending the authentication connection information to the terminal according to the MSISDN of the SIM card comprises:
sending the authentication connection information to the short message gateway, so that the short message gateway sends the authentication connection information to the terminal according to the MSISDN of the SIM card.
Further, authenticating the terminal according to the first network address and the second network address to obtain an authentication result, including:
comparing the first network address and the second network address;
under the condition that the first network address is consistent with the second network address, obtaining an authentication result that the terminal passes the authentication;
and under the condition that the first network address is inconsistent with the second network address, obtaining an authentication result that the terminal fails to be authenticated.
In order to achieve the above object, a second aspect of the present application provides an authentication apparatus comprising:
the connection module is used for responding to an authentication request sent by the authentication service node and establishing network connection with the terminal;
the receiving module is used for receiving the authentication identifier sent by the terminal;
the first acquisition module is used for acquiring a first network address according to the authentication identifier and pre-stored authentication information;
the second acquisition module is used for acquiring a second network address according to the source network address information of the network connection;
the authentication module is used for authenticating the terminal according to the first network address and the second network address to obtain an authentication result;
and the sending module is used for sending the authentication result to the authentication service node so that the authentication service node can determine whether to allow the access operation of the terminal according to the authentication result.
Further, the authentication module comprises:
a comparison unit for comparing the first network address with the second network address;
and the obtaining unit is used for obtaining the authentication result that the terminal passes the authentication under the condition that the first network address is consistent with the second network address, and obtaining the authentication result that the terminal does not pass the authentication under the condition that the first network address is inconsistent with the second network address.
This application has the following advantages:
the authentication method provided by the application responds to an authentication request sent by an authentication service node and establishes a network connection with a terminal; receives an authentication identifier sent by the terminal and acquires a first network address according to the authentication identifier and pre-stored authentication information; acquires a second network address according to the source network address information of the network connection; authenticates the terminal according to the first network address and the second network address to obtain an authentication result; and sends the authentication result to the authentication service node, so that the authentication service node determines whether to allow the access operation of the terminal according to the authentication result. In this way a password or authentication certificate need not be preset in the terminal, so that secure authentication of the terminal can be realized at lower cost.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the principles of the application and not to limit the application.
Fig. 1 is a block diagram illustrating an authentication system according to an embodiment of the present disclosure;
fig. 2 is a flowchart of an authentication method according to an embodiment of the present application;
fig. 3 is a flowchart of another authentication method provided in an embodiment of the present application;
fig. 4 is a flowchart illustrating a work flow of an authentication system according to an embodiment of the present application;
fig. 5 is a schematic block diagram of an authentication apparatus according to an embodiment of the present application.
Detailed Description
The following detailed description of embodiments of the present application will be made with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present application, are given by way of illustration and explanation only, and are not intended to limit the present application.
The Internet of Things (IoT) is a network that extends and expands on the basis of the Internet: it combines various information-sensing devices with the Internet to form one huge network, thereby realizing the interconnection and intercommunication of people, machines and objects at any time and in any place. At present, Internet of Things technology is widely applied in industries such as energy, transportation, home furnishing and medical treatment. With the development of the technology, the security of the Internet of Things has attracted wide attention.
In the current security mechanisms of the Internet of Things, identity authentication is mainly performed on a terminal that is about to access the Internet of Things server, so that only a secure and legitimate terminal can access the server. Unlike the Internet field, the communication between the terminal and the Internet of Things server involves no human participation, and the corresponding authentication method also differs from that of the Internet field. In the prior art, one-way or two-way authentication is generally realized by presetting passwords or digital certificates in the terminal and the Internet of Things server. However, presetting the password or digital certificate in the terminal places higher requirements on the security of the terminal production environment, and storing the password and digital certificate in the Internet of Things server likewise places higher requirements on the security of the server. Meeting these requirements greatly increases the production cost and the use cost of the terminal.
In view of this, the present application provides an authentication method and apparatus, in which an authentication proxy node obtains a network address of a terminal to be authenticated through two relatively independent manners, compares whether the two network addresses are consistent, and determines whether the terminal passes authentication according to a comparison result, so as to avoid presetting a password and a digital certificate in the terminal and a server, thereby implementing security authentication on the terminal at a low cost.
Fig. 1 is a block diagram illustrating an authentication system according to an embodiment of the present disclosure. As shown in fig. 1, the authentication system includes: an authentication server 11, an authentication agent 12 and a terminal 13.
The authentication server 11 is a server with an identity authentication function in the Internet of Things, and is in communication connection with the authentication agent 12 and the terminal 13, respectively. In some implementations, the authentication server 11 and the authentication agent 12 together authenticate the terminal 13. The authentication agent 12 is a functional entity that performs identity authentication by proxy, and is in communication connection with the authentication server 11 and the terminal 13, respectively (the authentication agent 12 establishes the communication connection with the terminal 13 after receiving an authentication request). The terminal 13 is a terminal device that is to access the Internet of Things, and it undergoes identity authentication through the authentication server 11 and the authentication agent 12.
In a specific implementation, when the terminal 13 needs to access the internet of things, the authentication server 11 sends an authentication request to the authentication agent 12, after receiving the authentication request, the authentication agent 12 establishes network connection with the terminal 13, and acquires two network addresses corresponding to the terminal according to pre-stored authentication information and the network connection between the authentication agent 12 and the terminal 13, respectively, obtains an authentication result for the terminal by comparing whether the two network addresses are consistent, and sends the authentication result to the authentication server 11. The authentication server 11 receives the authentication result and determines whether to allow the terminal 13 to access the internet of things according to the authentication result.
A first aspect of the present application provides an authentication method. Fig. 2 is a flowchart of an authentication method provided in an embodiment of the present application, where the authentication method may be applied to an authentication proxy node. As shown in fig. 2, the authentication method includes the steps of:
step S201, responding to the authentication request sent by the authentication service node, and establishing a network connection with the terminal.
The authentication service node is an abstract description of an authentication server, and the authentication proxy node is an abstract description of an authentication proxy. It is understood that the authentication request includes identification information for identifying the terminal, so that the authentication proxy node can uniquely determine the terminal according to the authentication request and establish a network connection with the terminal.
In some embodiments, the authentication request includes an identification of a Subscriber Identity Module (SIM) of the terminal, the first network address, and the authentication identification. The first network address is the network address of the terminal, and the authentication identifier is an identifier generated by the authentication service node for the authentication operation. In some implementations, the authentication identification includes a timestamp identification and/or a nonce identification and/or a counter identification.
It should be noted that the authentication identifier is an identifier set for one specific authentication operation, so its scope of use and the authority it confers are limited. Once the authentication identifier is used outside that scope or beyond that authority, it becomes an invalid identifier, which guarantees to a certain extent the security of the authentication process and the accuracy of the authentication result.
In a first embodiment, when the terminal needs to access the Internet of Things, the terminal starts an authentication operation. Specifically, an Internet of Things application client installed in the terminal reads the identifier ICCID (Integrated Circuit Card Identity) of the SIM card, and at the same time reads the IP address allocated when the terminal accessed the mobile communication network; this IP address is the first network address. The terminal sends the ICCID and the first network address to the authentication service node. The authentication service node receives the ICCID and the first network address sent by the terminal, generates a corresponding authentication identifier for this authentication process, generates an authentication request based on the ICCID, the first network address and the authentication identifier, and then sends the authentication request to the authentication proxy node. The authentication proxy node receives the authentication request and establishes a network connection with the terminal.
In a second embodiment, the authentication service node pre-stores a mapping between the hardware identifier of the terminal and the ICCID. When the terminal needs to access the Internet of Things, the terminal sends its hardware identifier and the first network address to the authentication service node. The authentication service node receives the hardware identifier and the first network address sent by the terminal, obtains the ICCID corresponding to the terminal from the received hardware identifier and the pre-stored mapping between hardware identifiers and ICCIDs, generates a corresponding authentication identifier for this authentication process, generates an authentication request based on the ICCID, the first network address and the authentication identifier, and then sends the authentication request to the authentication proxy node. The authentication proxy node receives the authentication request and establishes a network connection with the terminal.
The network connection between the authentication agent node and the terminal can be realized through a short message gateway.
In one embodiment, the authentication proxy node obtains the MSISDN (Mobile Subscriber International ISDN/PSTN number) of the SIM card according to the identification ICCID of the SIM card. In a specific implementation, the authentication proxy node determines a home operator of the SIM card according to the ICCID, and obtains the MSISDN of the SIM card through a BSS (Business Support System) of the home operator.
After the MSISDN of the SIM card is acquired, the authentication agent node generates authentication connection information based on the identifier of the card authentication application, the network address of the authentication agent node and the authentication identifier, and sends the authentication connection information to the short message gateway; after receiving the authentication connection information, the short message gateway forwards it to the terminal according to the MSISDN of the SIM card. The card authentication application is an application program that parses the authentication connection information to acquire the network address of the authentication agent node and the authentication identifier.
The terminal receives the authentication connection information, determines the corresponding card authentication application according to the identifier of the card authentication application carried in the authentication connection information, parses the authentication connection information through the card authentication application to obtain the network address of the authentication agent node and the authentication identifier, and establishes a network connection with the authentication agent node based on that network address.
It should be noted that the above sending method of the authentication connection information is only an example, and may be specifically set according to actual situations, and other sending methods of the authentication connection information that are not described are also within the protection scope of the present application, and are not described herein again.
Step S202, receiving the authentication identification sent by the terminal, and acquiring the first network address according to the authentication identification and the pre-stored authentication information.
The pre-stored authentication information is information pre-stored according to the authentication request after the authentication proxy node receives the authentication request. In some implementations, the authentication request includes an identification of a SIM card of the terminal, the first network address, and an authentication identification. After receiving the authentication request, the authentication proxy node stores the authentication identifier and the first network address in the authentication request, so that when the terminal is authenticated, the network address (i.e. the first network address) of the terminal corresponding to the authentication identifier can be determined according to the authentication identifier.
In one embodiment, the authentication proxy node receives an authentication identifier sent by the terminal, and determines the first network address based on the authentication identifier and according to a mapping relation between the authentication identifier and the first network address in pre-stored authentication information.
Step S203, obtaining a second network address according to the source network address information of the network connection.
The source network address information includes, but is not limited to, a source IP (Internet Protocol) address. The source IP address is the current actual network address of the terminal that establishes network connection with the authentication proxy node, i.e., the second network address. In some implementations, the source network address information is in the form of a four-tuple including a source IP address, a source port, a destination IP address, and a destination port. The source IP address is a network address corresponding to the terminal, the source port is a network port corresponding to the terminal, the destination IP address is a network address corresponding to the authentication proxy node, and the destination port is a network port corresponding to the authentication proxy node.
Specifically, after the authentication proxy node acquires the first network address, in order to ensure that the terminal with which the network connection is currently established is the terminal corresponding to the first network address, the authentication proxy node acquires source network address information of the current network connection, acquires the second network address according to the source network address information, compares whether the first network address and the second network address are the same, and determines whether the terminals corresponding to the two network addresses are the same according to the comparison result.
In one embodiment, the authentication proxy node obtains the quadruple information of the current network connection through a collection tool, wherein the quadruple information comprises a source IP address, a source port, a destination IP address and a destination port. Wherein the source IP address is the second network address.
It should be noted that the above-mentioned manner for acquiring the second network address is only an example, and may be specifically set according to an actual situation, and other manners for acquiring the second network address that are not described are also within the protection scope of the present application, and are not described herein again.
And step S204, authenticating the terminal according to the first network address and the second network address to obtain an authentication result.
The first network address is the network address of the terminal acquired by the authentication agent node according to the pre-stored information, the second network address is the network address of the terminal acquired by the authentication agent node according to the current network connection, and when the two network addresses are the same, the identity of the terminal can be proved to be a real identity, namely the terminal passes the identity authentication of the authentication agent node.
In one embodiment, the authentication proxy node compares whether the first network address and the second network address are consistent. Under the condition that the first network address is consistent with the second network address, the authentication proxy node determines the identity of the terminal to be a real and credible identity and obtains an authentication result that the terminal passes the authentication; and under the condition that the first network address is inconsistent with the second network address, the authentication proxy node determines that the identity of the terminal is not a real and credible identity, and obtains an authentication result that the terminal fails to pass the authentication.
Step S205, sending the authentication result to the authentication service node, so that the authentication service node determines whether to allow the access operation of the terminal according to the authentication result.
The authentication service node needs to determine whether to allow the access operation of the terminal according to the authentication result of the authentication proxy node.
In one embodiment, the authentication proxy node sends the authentication result to the authentication service node. The authentication service node receives the authentication result. When the authentication result is that the terminal passes the authentication, the authentication service node allows the terminal to perform access operation; and when the authentication result is that the terminal is not authenticated, the authentication service node forbids the access operation of the terminal.
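The flow of steps S201 to S205, modelled in Python as an added example that is not part of the patent or of its assignee's code. The '|'-separated layout of the authentication connection information, the 120-second validity window and single-use rule for the authentication identifier, the BSS lookup stub and all sample values are assumptions, and the run assumes that the address the terminal reports and the source address the proxy node observes on the connection are the same, i.e. no address translation sits between them.

```python
"""Added model of steps S201 to S205; message formats and the validity
window of the authentication identifier are assumptions, not the patent's."""
import secrets
from dataclasses import dataclass

# Assumed validity window (seconds) for an authentication identifier.
AUTH_ID_TTL_SECONDS = 120

@dataclass
class AuthRequest:
    iccid: str           # identifier of the terminal's SIM card
    first_address: str   # network address reported by the terminal
    auth_id: str         # identifier generated for this authentication operation

@dataclass
class StoredAuthInfo:   # pre-stored authentication information on the proxy node
    first_address: str
    created_at: float
    used: bool = False

class AuthenticationServiceNode:
    def __init__(self):
        self.counter = 0

    def build_request(self, iccid, first_address, now):
        """Generate a timestamp + random number + counter identifier, wrap the request."""
        self.counter += 1
        auth_id = f"{int(now)}-{secrets.token_hex(8)}-{self.counter}"
        return AuthRequest(iccid, first_address, auth_id)

    @staticmethod
    def decide(passed):
        """Step S205: allow the access operation only on a passing result."""
        return "allow" if passed else "deny"

class AuthenticationProxyNode:
    def __init__(self, own_address, app_id, msisdn_lookup):
        self.own_address = own_address      # address the terminal connects to
        self.app_id = app_id                # identifier of the card authentication application
        self.msisdn_lookup = msisdn_lookup  # stands in for the home operator's BSS query
        self.pending = {}                   # auth_id -> StoredAuthInfo

    def handle_auth_request(self, req, now):
        """Step S201: pre-store the request; return (MSISDN, connection info) for the SMS gateway."""
        self.pending[req.auth_id] = StoredAuthInfo(req.first_address, now)
        msisdn = self.msisdn_lookup(req.iccid)
        connection_info = "|".join([self.app_id, self.own_address, req.auth_id])
        return msisdn, connection_info

    def authenticate(self, auth_id, four_tuple, now):
        """Steps S202 to S204 for one terminal connection; True means the terminal passes."""
        # S202: first address from the authentication identifier and the pre-stored info.
        info = self.pending.get(auth_id)
        if info is None or info.used or now - info.created_at > AUTH_ID_TTL_SECONDS:
            return False  # unknown, already used, or expired identifier
        info.used = True  # one identifier serves exactly one authentication operation
        # S203: second address is the source IP of the connection's four-tuple.
        src_ip, _src_port, dst_ip, _dst_port = four_tuple
        if dst_ip != self.own_address:
            return False  # connection was not made to this proxy node
        # S204: the terminal passes only if the two addresses are consistent.
        return info.first_address == src_ip

def parse_connection_info(sms_text, expected_app_id):
    """Card authentication application on the terminal: extract proxy address and auth id."""
    app_id, proxy_address, auth_id = sms_text.split("|", 2)
    if app_id != expected_app_id:
        raise ValueError("connection information is not for this application")
    return proxy_address, auth_id

def run_flow(reported_ip, actual_ip, now=1_700_000_000.0, delay=5.0):
    """Constructed end-to-end run; returns the service node's decision."""
    service = AuthenticationServiceNode()
    proxy = AuthenticationProxyNode("203.0.113.10", "card-auth-app",
                                    msisdn_lookup=lambda iccid: "+8613800000000")  # constructed
    req = service.build_request("89860000000000000001", reported_ip, now)  # constructed ICCID
    _msisdn, sms = proxy.handle_auth_request(req, now)
    # Terminal side: the card authentication application parses the SMS and connects.
    proxy_address, auth_id = parse_connection_info(sms, "card-auth-app")
    four_tuple = (actual_ip, 40001, proxy_address, 443)
    passed = proxy.authenticate(auth_id, four_tuple, now + delay)
    return service.decide(passed)

if __name__ == "__main__":
    print(run_flow("198.51.100.7", "198.51.100.7"))             # allow: addresses match
    print(run_flow("198.51.100.7", "198.51.100.9"))             # deny: source address differs
    print(run_flow("198.51.100.7", "198.51.100.7", delay=300))  # deny: identifier expired
```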
Fig. 3 is a flowchart of another authentication method provided in an embodiment of the present application, and the authentication method may be applied to an authentication proxy node. As shown in fig. 3, the authentication method includes the steps of:
step S301, responding to the authentication request sent by the authentication service node, and determining the home operator of the user identification card according to the identification of the user identification card in the authentication request.
In some implementations, the authentication request includes a SIM identity of the terminal, the first network address, and an authentication identity. The first network address is the network address of the terminal, and the authentication identifier is an identifier generated by the authentication service node for the authentication operation.
And the authentication agent node receives and responds to the authentication request sent by the authentication service node, and determines the home operator of the SIM card according to the SIM card identifier in the authentication request.
Step S302, obtaining the international mobile station integrated service digital network code of the user identification card through the home operator.
The international mobile station integrated service digital network code (MSISDN) uniquely identifies the mobile station number; that is, information can be sent to a designated terminal or designated user by means of the MSISDN.
In one embodiment, the authentication proxy node obtains the MSISDN of the SIM card through the BSS system of the home operator.
Step S303, the authentication connection information is sent to the short message gateway, so that the short message gateway sends the authentication connection information to the terminal according to the international mobile station integrated service digital network code of the subscriber identity module card.
In one embodiment, the authentication proxy node generates authentication connection information from the identifier of the card authentication application, the network address of the authentication proxy node and the authentication identifier, and sends the authentication connection information to the short message gateway; after receiving it, the short message gateway forwards the authentication connection information to the terminal according to the MSISDN of the SIM card. The card authentication application is an application program capable of parsing the authentication connection information to obtain the network address of the authentication proxy node and the authentication identifier.
The terminal receives the authentication connection information, determines the corresponding card authentication application according to the identifier of the card authentication application in the authentication connection information, parses the authentication connection information through the card authentication application to obtain the network address of the authentication proxy node and the authentication identifier, and establishes a network connection with the authentication proxy node based on the network address of the authentication proxy node.
Step S304: receive the authentication identifier sent by the terminal, and obtain the first network address according to the authentication identifier and the pre-stored authentication information.
Step S305: obtain a second network address according to the source network address information of the network connection.
Step S306: authenticate the terminal according to the first network address and the second network address to obtain an authentication result.
Step S307: send the authentication result to the authentication service node, so that the authentication service node determines whether to allow the access operation of the terminal according to the authentication result.
Steps S304 to S307 in this embodiment are the same as steps S202 to S205 in the previous embodiment of this application and are not described again here.
According to the authentication method provided by the embodiment of the application, the network address corresponding to the terminal is acquired through two relatively independent information acquisition channels, namely the pre-stored authentication information and the current network connection information, and whether the terminal passes the authentication is judged by comparing whether the network addresses acquired through the two channels are the same. No password or digital certificate needs to be preset on the terminal or on the server, so the terminal can be securely authenticated at low cost.
Fig. 4 is a flowchart of an authentication system according to an embodiment of the present application. As shown in fig. 4, the authentication system includes a terminal 41, an authentication service node 42, and an authentication proxy node 43.
The work flow of the authentication system comprises the following steps:
In step S401, the terminal 41 sends the identifier of the subscriber identity card and the first network address to the authentication service node 42.
In step S402, the authentication service node 42 receives the identifier of the subscriber identity card and the first network address sent by the terminal 41, generates a corresponding authentication identifier for the current authentication operation, and generates an authentication request based on the identifier of the subscriber identity card, the first network address and the authentication identifier.
In step S403, the authentication service node 42 sends the authentication request to the authentication proxy node 43.
In step S404, the authentication proxy node 43 receives and responds to the authentication request, determines the home operator of the subscriber identity card according to the identifier of the subscriber identity card in the authentication request, and obtains the MSISDN of the subscriber identity card through the home operator.
In step S405, the authentication proxy node 43 sends the authentication connection information to the terminal 41 according to the MSISDN of the subscriber identity card.
In step S406, the terminal 41 receives the authentication connection information, parses it to obtain the network address of the authentication proxy node, and establishes a network connection with the authentication proxy node 43 according to that network address.
In step S407, the terminal 41 sends the authentication identifier to the authentication proxy node 43.
In step S408, the authentication proxy node 43 receives the authentication identifier sent by the terminal 41, and acquires the first network address according to the authentication identifier and the pre-stored authentication information.
In step S409, the authentication proxy node 43 obtains the second network address according to the source network address information of the network connection.
In step S410, the authentication proxy node 43 authenticates the terminal 41 according to the first network address and the second network address, and obtains an authentication result.
In step S411, the authentication proxy node 43 transmits the authentication result to the authentication service node 42.
In step S412, the authentication service node 42 receives the authentication result sent by the authentication proxy node 43, and determines whether to allow the access operation of the terminal 41 according to the authentication result.
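The following Python program is added to this page as a worked example and is not code from the patent or its assignee. It simulates the exchange of steps S401 to S412 end to end, which also covers steps S301 to S307 of Fig. 3 and the apparatus modules 501 to 506 of Fig. 5, since those perform the same operations. The class names, the `cardauth://` link format used to carry the authentication connection information, the stand-in BSS and short message gateway, and every ICCID, MSISDN and IP address are assumptions made for the example.

```python
"""Constructed simulation of the exchange in Fig. 4 (steps S401 to S412).
Added example, not the patent's implementation.  The class names, the
'cardauth://' link format and every ICCID, MSISDN and IP value are assumptions."""
import os
import time
from urllib.parse import parse_qs, urlparse

CARD_AUTH_APP_ID = "cardauth"           # assumed identifier of the card authentication application
PROXY_ADDRESS = "198.51.100.10:8443"    # assumed network address of the authentication proxy node


class Bss:
    """Stand-in for the home operators' BSS systems: ICCID -> (home operator, MSISDN)."""
    def __init__(self, records):
        self.records = records

    def home_operator(self, iccid):
        return self.records[iccid][0]

    def msisdn(self, operator, iccid):
        home, number = self.records[iccid]
        return number if home == operator else None


class SmsGateway:
    """Short message gateway: delivers a text to the terminal that owns the MSISDN."""
    def __init__(self):
        self.terminals = {}              # MSISDN -> Terminal

    def send(self, msisdn, text):
        self.terminals[msisdn].inbox.append(text)


class AuthProxyNode:
    def __init__(self, bss, gateway):
        self.bss, self.gateway = bss, gateway
        self.prestored = {}              # pre-stored authentication information: auth_id -> first network address

    def handle_request(self, iccid, first_addr, auth_id):
        operator = self.bss.home_operator(iccid)                  # S404: ICCID -> home operator
        msisdn = self.bss.msisdn(operator, iccid)                  #       -> MSISDN through that operator's BSS
        self.prestored[auth_id] = first_addr                       # kept for the S408 lookup
        # S405: authentication connection information = app id + proxy address + auth id, sent by SMS
        self.gateway.send(msisdn, f"{CARD_AUTH_APP_ID}://{PROXY_ADDRESS}/?auth_id={auth_id}")

    def handle_connection(self, four_tuple, auth_id):
        src_ip = four_tuple[0]                                     # S409: second network address
        first_addr = self.prestored.pop(auth_id, None)             # S408: lookup; identifier consumed
        return first_addr is not None and first_addr == src_ip     # S410: compare the two addresses


class AuthServiceNode:
    def __init__(self, proxy):
        self.proxy, self.counter = proxy, 0

    def authenticate(self, iccid, first_addr, connect):
        self.counter += 1   # S402: identifier = timestamp + random number + counter (claim 4)
        auth_id = f"{int(time.time())}-{os.urandom(8).hex()}-{self.counter}"
        self.proxy.handle_request(iccid, first_addr, auth_id)     # S403
        passed = connect()                                         # S406/S407 on the terminal; S411 verdict
        return "allow" if passed else "deny"                       # S412


class Terminal:
    def __init__(self, iccid, ip):
        self.iccid, self.ip, self.inbox = iccid, ip, []

    def parse_link(self):
        """S406: the card authentication application extracts the proxy address and auth id."""
        link = urlparse(self.inbox.pop())
        if link.scheme != CARD_AUTH_APP_ID:
            raise ValueError("not addressed to the card authentication application")
        return link.netloc, parse_qs(link.query)["auth_id"][0]


def run(terminal, egress_ip, service, proxy):
    """One authentication; egress_ip is the source address the proxy sees on the connection."""
    def connect():
        proxy_addr, auth_id = terminal.parse_link()
        host, port = proxy_addr.rsplit(":", 1)
        return proxy.handle_connection((egress_ip, 51234, host, int(port)), auth_id)   # S407
    return service.authenticate(terminal.iccid, terminal.ip, connect)                   # S401


def demo():
    """Constructed sample: one honest run, then one where the address the terminal
    claimed does not match the address its connection actually arrives from."""
    bss = Bss({"8986000000000000001": ("CU", "+8613000000001")})
    gateway, terminal = SmsGateway(), Terminal("8986000000000000001", "203.0.113.7")
    gateway.terminals["+8613000000001"] = terminal
    proxy = AuthProxyNode(bss, gateway)
    service = AuthServiceNode(proxy)
    return run(terminal, "203.0.113.7", service, proxy), run(terminal, "192.0.2.99", service, proxy)
```

`demo()` returns `("allow", "deny")`: the first run sees the same address on both channels (the terminal's own report via the authentication service node, and the source of the socket that presented the authentication identifier), the second does not. The identifier is removed from the pre-stored authentication information when it is looked up, so the same SMS cannot be presented twice.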
The steps of the above methods are divided for clarity of description. In implementation, several steps may be combined into one, or one step may be split into several, and such divisions fall within the protection scope of this patent as long as the same logical relationship is preserved. Adding insignificant modifications to the algorithms or processes, or introducing insignificant design changes that leave the core design unchanged, likewise falls within the scope of this patent.
A second aspect of the present application provides an authentication apparatus. Fig. 5 is a schematic block diagram of an authentication apparatus according to an embodiment of the present application. As shown in fig. 5, the authentication apparatus includes: a connection module 501, a receiving module 502, a first obtaining module 503, a second obtaining module 504, an authentication module 505, and a sending module 506.
A connection module 501, configured to establish a network connection with a terminal in response to an authentication request sent by an authentication service node.
The authentication request carries identification information that identifies the terminal, so that the authentication proxy node can uniquely determine the terminal from the authentication request and establish a network connection with it. In some embodiments, the authentication request comprises the identifier of the subscriber identity card of the terminal, the first network address and the authentication identifier. The first network address is the network address of the terminal, and the authentication identifier is an identifier generated by the authentication service node for this authentication operation. In some implementations, the authentication identifier includes one or more of a timestamp identifier, a random number (nonce) identifier and a counter identifier.
In a first embodiment, when the terminal has a need to access the internet of things, the terminal starts an authentication operation. Specifically, an internet of things application client installed on the terminal reads an identifier ICCID of the SIM card, and simultaneously reads an IP address allocated when the terminal accesses a mobile communication network, where the IP address is a first network address. The terminal sends the ICCID and the first network address to an authentication service node. The authentication service node receives the ICCID and the first network address sent by the terminal, generates a corresponding authentication identifier for the authentication process, generates an authentication request based on the ICCID, the first network address and the authentication identifier, and then sends the authentication request to the authentication agent node. The authentication proxy node receives the authentication request and establishes a network connection with the terminal through the connection module 501.
In a second embodiment, the authentication service node pre-stores a mapping between the hardware identifier of the terminal and the ICCID. When the terminal needs to access the Internet of Things, it sends its hardware identifier and the first network address to the authentication service node. The authentication service node receives the hardware identifier and the first network address sent by the terminal, obtains the ICCID corresponding to the terminal from the received hardware identifier and the pre-stored mapping between hardware identifiers and ICCIDs, generates a corresponding authentication identifier for this authentication process, generates an authentication request based on the ICCID, the first network address and the authentication identifier, and then sends the authentication request to the authentication proxy node. The authentication proxy node receives the authentication request and establishes a network connection with the terminal through the connection module 501.
In one specific implementation, the establishing, by the authentication proxy node, a network connection with the terminal through the connection module 501 includes:
and the authentication agent node acquires the MSISDN of the SIM card according to the identification ICCID of the SIM card. In a specific implementation, the authentication proxy node determines a home operator of the SIM card according to the ICCID, and obtains the MSISDN of the SIM card through a BSS system of the home operator.
After the MSISDN of the SIM card is acquired, the authentication proxy node generates authentication connection information from the identifier of the card authentication application, the network address of the authentication proxy node and the authentication identifier, and sends the authentication connection information to the short message gateway; after receiving it, the short message gateway forwards the authentication connection information to the terminal according to the MSISDN of the SIM card. The card authentication application is an application program capable of parsing the authentication connection information to obtain the network address of the authentication proxy node and the authentication identifier.
The terminal receives the authentication connection information, determines the corresponding card authentication application according to the identifier of the card authentication application in the authentication connection information, parses the authentication connection information through the card authentication application to obtain the network address of the authentication proxy node and the authentication identifier, and establishes a network connection with the authentication proxy node based on the network address of the authentication proxy node.
It should be noted that the above sending method of the authentication connection information is only an example, and may be specifically set according to actual situations, and other sending methods of the authentication connection information that are not described are also within the protection scope of the present application, and are not described herein again.
A receiving module 502, configured to receive the authentication identifier sent by the terminal.
The receiving module 502 is a module having an information receiving function. In this embodiment, the receiving module receives an authentication identifier sent by the terminal. The authentication identifier is information which is generated by the authentication service node and sent to the authentication agent node. In some implementations, the authentication proxy node packages the authentication identifier into authentication connection information and sends the authentication connection information to the terminal through the short message gateway. And the terminal receives the authentication connection information and obtains an authentication identifier based on the authentication connection information.
A first obtaining module 503, configured to obtain the first network address according to the authentication identifier and the pre-stored authentication information.
The pre-stored authentication information is information pre-stored according to the authentication request after the authentication proxy node receives the authentication request. In some implementations, the authentication request includes an identification of a SIM card of the terminal, the first network address, and an authentication identification. After receiving the authentication request, the authentication proxy node stores the authentication identifier and the first network address in the authentication request, so that when the terminal is authenticated, the network address (i.e. the first network address) of the terminal corresponding to the authentication identifier can be determined according to the authentication identifier.
In one embodiment, after receiving the authentication identifier sent by the terminal, the authentication proxy node obtains the first network address through the first obtaining module 503 based on the mapping relationship between the authentication identifier and the first network address in the pre-stored authentication information.
The second obtaining module 504 is configured to obtain a second network address according to the source network address information of the network connection.
The source network address information includes, but is not limited to, a source IP address. The source IP address is the current actual network address of the terminal that establishes network connection with the authentication proxy node, i.e., the second network address.
After the authentication agent node acquires the first network address, in order to ensure that the terminal which establishes the network connection with the authentication agent node is the terminal corresponding to the first network address, the authentication agent node acquires source network address information of the current network connection, acquires a second network address according to the source network address information, compares whether the first network address and the second network address are the same, and determines whether the terminals corresponding to the two network addresses are the same terminal according to the comparison result.
In one embodiment, the authentication proxy node obtains the four-tuple of the current network connection through a collection tool and obtains the second network address from it through the second obtaining module 504. The four-tuple consists of the source IP address, the source port, the destination IP address and the destination port, and the second network address is the source IP address.
And the authentication module 505 is configured to authenticate the terminal according to the first network address and the second network address, and obtain an authentication result.
The first network address is the network address of the terminal acquired by the authentication agent node according to the pre-stored information, the second network address is the network address of the terminal acquired by the authentication agent node according to the current network connection, and when the two network addresses are the same, the identity of the terminal can be proved to be a real identity, namely the terminal passes the identity authentication of the authentication agent node.
In one embodiment, the authentication proxy node compares, via the authentication module 505, whether the first network address and the second network address are consistent. Under the condition that the first network address is consistent with the second network address, the authentication proxy node determines the identity of the terminal to be a real and credible identity and obtains an authentication result that the terminal passes the authentication; and under the condition that the first network address is inconsistent with the second network address, the authentication proxy node determines that the identity of the terminal is not a real and credible identity, and obtains an authentication result that the terminal fails to pass the authentication.
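The comparison performed by the authentication module 505, written out with the edge cases met in deployment, as an added example that is not the patent's code. The two addresses are canonicalized before comparison, because a dual-stack listener reports IPv4 peers as IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`) while the terminal reports plain IPv4, and a textual comparison would then reject a legitimate terminal; and since the authentication identifier carries a timestamp component (claim 4), the pre-stored record is consumed on first use and rejected after a freshness window. The record layout, the `issued_at` field, the 60-second window and the sample addresses are assumptions.

```python
"""Comparison of authentication module 505 with canonicalization, freshness and
single use.  Added example, not the patent's code; the record layout, the
'issued_at' field and the 60 s window are assumptions."""
import ipaddress
import time

FRESHNESS_SECONDS = 60   # assumed validity window for the timestamp in the authentication identifier


def normalize(addr):
    """Canonical IP address for a textual address, with or without a port.

    A dual-stack listener reports IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d)
    while the terminal reports plain IPv4; compared as strings they would differ
    and a legitimate terminal would fail, so the mapping is unwrapped first."""
    addr = addr.strip()
    if addr.startswith("[") and "]" in addr:        # "[v6]:port"
        addr = addr[1:addr.index("]")]
    elif addr.count(":") == 1:                       # "v4:port" (any IPv6 text has >= 2 colons)
        addr = addr.split(":", 1)[0]
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def authenticate(prestored, auth_id, four_tuple, now=None):
    """Return 'pass' or 'fail' for one connection.

    prestored: auth_id -> {"first_addr": str, "issued_at": epoch seconds}
    four_tuple: (source IP, source port, destination IP, destination port)
    The record is removed on first use, so a replayed identifier fails even
    when the addresses match; a stale identifier fails as well."""
    now = time.time() if now is None else now
    record = prestored.pop(auth_id, None)             # first obtaining module 503, single use
    if record is None or now - record["issued_at"] > FRESHNESS_SECONDS:
        return "fail"
    try:
        first = normalize(record["first_addr"])       # first network address (terminal's claim)
        second = normalize(four_tuple[0])             # second network address (what the socket saw)
    except ValueError:                                # unparsable address: treat as mismatch
        return "fail"
    return "pass" if first == second else "fail"
```

With a record `{"first_addr": "203.0.113.7", "issued_at": t}` the call `authenticate(store, auth_id, ("::ffff:203.0.113.7", 51234, "198.51.100.10", 8443), t + 5)` returns `"pass"`; presenting the same identifier again, or presenting it after the window, returns `"fail"`.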
A sending module 506, configured to send the authentication result to the authentication service node, so that the authentication service node determines whether to allow the access operation of the terminal according to the authentication result.
The authentication service node needs to determine whether to allow the access operation of the terminal according to the authentication result of the authentication proxy node.
In one embodiment, the authentication proxy node sends the authentication result to the authentication service node via the sending module 506. The authentication service node receives the authentication result. When the authentication result is that the terminal passes the authentication, the authentication service node allows the terminal to perform access operation; and when the authentication result is that the terminal is not authenticated, the authentication service node forbids the access operation of the terminal.
It should be noted that each module referred to in this embodiment is a logical module; in practical applications, one logical unit may be one physical unit, a part of one physical unit, or a combination of multiple physical units. In addition, in order to highlight the innovative part of the present application, units that are not closely related to solving the technical problem proposed by the present application are not introduced in this embodiment; this does not mean that no other units exist in this embodiment.
It is to be understood that the above embodiments are merely exemplary embodiments that are employed to illustrate the principles of the present application, and that the present application is not limited thereto. It will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the application, and these changes and modifications are to be considered as the scope of the application.

Claims (10)

1. An authentication method, comprising:
responding to an authentication request sent by an authentication service node, and establishing network connection with a terminal;
receiving an authentication identifier sent by the terminal, and acquiring a first network address according to the authentication identifier and pre-stored authentication information;
acquiring a second network address according to the source network address information of the network connection;
authenticating the terminal according to the first network address and the second network address to obtain an authentication result;
and sending the authentication result to the authentication service node so that the authentication service node can determine whether to allow the access operation of the terminal according to the authentication result.
2. The authentication method according to claim 1, wherein the pre-stored authentication information is information pre-stored by the authentication proxy node based on the authentication request.
3. The authentication method according to claim 1 or 2, wherein the authentication request includes an identification of a subscriber identity card of the terminal, the first network address, and the authentication identification; the first network address is the network address of the terminal, and the authentication identifier is an identifier generated by the authentication service node for the authentication operation.
4. The authentication method according to claim 3, wherein the authentication identifier comprises one or more of a timestamp identifier, a random number identifier, and a counter identifier.
5. The authentication method according to claim 3, wherein the establishing a network connection with the terminal in response to the authentication request sent by the authentication service node comprises:
acquiring an international mobile station integrated service digital network code of the subscriber identity card according to the identifier of the subscriber identity card;
according to the international mobile station integrated service digital network code of the user identification card, authentication connection information is sent to the terminal, so that the terminal can establish network connection with the authentication agent node according to the authentication connection information; the authentication connection information comprises an identifier of a card authentication application, a network address of the authentication proxy node and the authentication identifier, and the card authentication application is an application program with a function of analyzing the authentication connection information to acquire the network address of the authentication proxy node and the authentication identifier.
6. The authentication method of claim 5, wherein the obtaining of the international mobile station integrated service digital network code of the subscriber identity card according to the identity of the subscriber identity card comprises:
determining the home operator of the user identification card according to the identification of the user identification card;
and acquiring the international mobile station integrated service digital network code of the subscriber identity module card through the home operator.
7. The authentication method of claim 5, wherein the sending authentication connection information to the terminal according to the international mobile station integrated service digital network code of the subscriber identity card comprises:
and sending the authentication connection information to a short message gateway so that the short message gateway can send the authentication connection information to the terminal according to the international mobile station integrated service digital network code of the subscriber identity module card.
8. The authentication method according to claim 1, wherein the authenticating the terminal according to the first network address and the second network address to obtain an authentication result comprises:
comparing the first network address and the second network address;
under the condition that the first network address is consistent with the second network address, obtaining the authentication result that the terminal passes the authentication;
and under the condition that the first network address is inconsistent with the second network address, obtaining the authentication result that the terminal fails to be authenticated.
9. An authentication apparatus, comprising:
the connection module is used for responding to an authentication request sent by the authentication service node and establishing network connection with the terminal;
the receiving module is used for receiving the authentication identifier sent by the terminal;
the first acquisition module is used for acquiring a first network address according to the authentication identifier and pre-stored authentication information;
the second acquisition module is used for acquiring a second network address according to the source network address information of the network connection;
the authentication module is used for authenticating the terminal according to the first network address and the second network address to obtain an authentication result;
and the sending module is used for sending the authentication result to the authentication service node so that the authentication service node can determine whether to allow the access operation of the terminal according to the authentication result.
10. The authentication device of claim 9, wherein the authentication module comprises:
a comparing unit configured to compare the first network address with the second network address;
an obtaining unit, configured to obtain the authentication result that the terminal passes the authentication when the first network address is consistent with the second network address, and obtain the authentication result that the terminal does not pass the authentication when the first network address is inconsistent with the second network address.
CN202011471508.1A 2020-12-14 2020-12-14 Authentication method and device Active CN112492597B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011471508.1A CN112492597B (en) 2020-12-14 2020-12-14 Authentication method and device

Publications (2)

Publication Number Publication Date
CN112492597A true CN112492597A (en) 2021-03-12
CN112492597B CN112492597B (en) 2023-03-24

Family

ID=74917050

Country Status (1)

Country Link
CN (1) CN112492597B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030186680A1 (en) * 2002-03-14 2003-10-02 Aditya Bhasin Method and apparatus for authenticating users of mobile devices
JP2005339093A (en) * 2004-05-26 2005-12-08 Nippon Telegr & Teleph Corp <Ntt> Authentication method, authentication system, authentication proxy server, network access authenticating server, program, and storage medium
KR20080050200A (en) * 2006-12-01 2008-06-05 한국전자통신연구원 System and signaling method for interlocking wireless lan and portable internet
US20080310366A1 (en) * 2007-06-08 2008-12-18 Toshiba America Research, Inc MIH Pre-Authentication
CN101436934A (en) * 2008-10-20 2009-05-20 福建星网锐捷网络有限公司 Method, system and equipment for controlling user upper wire
WO2010129475A2 (en) * 2009-05-03 2010-11-11 Kabushiki Kaisha Toshiba Media independent handover protocol security
JP2017072979A (en) * 2015-10-07 2017-04-13 Kddi株式会社 Authentication system, authentication server, provider server, and user terminal
CN107360184A (en) * 2017-08-14 2017-11-17 杭州迪普科技股份有限公司 terminal device authentication method and device
CN107659485A (en) * 2017-10-31 2018-02-02 新华三技术有限公司 A kind of method and device of equipment and server communication in VPN VPN
CN108024248A (en) * 2016-10-31 2018-05-11 中兴通讯股份有限公司 The method for authenticating and device of a kind of platform of internet of things

Also Published As

Publication number Publication date
CN112492597B (en) 2023-03-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant