CN116132163A - Method for realizing device limiting local area network fence by using DHCP protocol - Google Patents


Info

Publication number
CN116132163A
Authority
CN
China
Prior art keywords
local area
area network
client
dhcp
uuid
Prior art date
Legal status
Pending
Application number
CN202310098583.5A
Other languages
Chinese (zh)
Inventor
张超
谢乾
吴平
卢炬
唐剑
高黎明
高杰
曹胜明
范剑锋
余彧
Current Assignee
Jiangsu Zhuoyi Information Technology Co ltd
Kunshan Byosoft Electronic Technology Co ltd
Nanjing Zhuoyi Information Technology Co ltd
Shanghai Baizhiao Information Technology Co ltd
Nanjing Byosoft Co ltd
Original Assignee
Jiangsu Zhuoyi Information Technology Co ltd
Kunshan Byosoft Electronic Technology Co ltd
Nanjing Zhuoyi Information Technology Co ltd
Shanghai Baizhiao Information Technology Co ltd
Nanjing Byosoft Co ltd
Priority date
2023-02-10
Filing date
2023-02-10
Publication date
2023-05-16
Application filed by Jiangsu Zhuoyi Information Technology Co ltd, Kunshan Byosoft Electronic Technology Co ltd, Nanjing Zhuoyi Information Technology Co ltd, Shanghai Baizhiao Information Technology Co ltd, Nanjing Byosoft Co ltd
Priority to CN202310098583.5A
Publication of CN116132163A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 ... for supporting key management in a packet data network
    • H04L63/08 ... for authentication of entities
    • H04L63/083 ... for authentication of entities using passwords
    • H04L63/0876 ... for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 ... involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics

Abstract

The invention discloses a method for confining a device to a local area network fence by means of the DHCP protocol, belonging to the technical field of the Internet. A DHCP service provides a globally unique local area network identifier; the client device feeds that identifier together with the user password into a key derivation function, generating a binary key pair for verification, and checks whether the client device meets the conditions for unlocking. In the invention the server is only responsible for answering the client's request, replying with a DHCP message that carries the network UUID; it does not check the client, no additional service process is needed, and system resource consumption is very low. The client introduces a new binary key pair derivation algorithm that verifies both the user password and access to the bound local area network. Because the added network UUID does not reduce the randomness of the salt input, the security of the key derivation algorithm is not affected.

Description

Method for realizing device limiting local area network fence by using DHCP protocol
Technical Field
The invention belongs to the technical field of computers, and particularly relates to a method for limiting that terminal equipment can only be used in a binding local area network by using a DHCP protocol.
Background
The DHCP protocol is a communication protocol that lets network administrators manage client configuration centrally; it is widely used for IP resource allocation in local area networks, allowing administrators to monitor and allocate IP addresses from a central node. DHCP consists of two parts: (1) a protocol by which server and client interact and configuration information is transmitted, and (2) a mechanism by which the server manages and distributes IP addresses. The protocol supports three IP allocation mechanisms: static allocation, automatic allocation and dynamic allocation.
In a local area network every connected device needs a unique IP address; when a client computer moves to another location in the network, the DHCP protocol can automatically negotiate a new IP address or renew the one in use. Beyond IP configuration, DHCP also supports extended OPTIONs that carry custom configuration, such as the TFTP server name and boot file name used in PXE, and other third-party extension information.
In computer systems, password-based authentication is a traditional and very widely used method of user authentication and access control: the user is authenticated by entering a password and thereby gains access to the system and its information. Password verification occurs in many practical scenarios, for example the system administrator password that guards the BIOS management page early in boot, or, to protect data, the cryptographic verification of secure state transitions of an encrypted storage device (content locking, user configuration, access rights, secure erase, etc.) as defined by the OPAL/OPALite/OPAL Pyrite family of security extension protocols. Notably, to reduce the attack surface, security designs often require that only a minimal set of security functions and limited input/output control be available at the point where the system password is verified.
Passwords chosen by users are weak in security strength and poor in randomness, are highly susceptible to dictionary attacks, and are not suitable for direct use in cryptographic operations. In cryptography a salt is therefore generally added, and security is further strengthened by a secure key derivation function and an increased number of iterations. Concretely:
Let the user password be P, the salt value S, the iteration count c, the final derived key DK, and the key derivation function KDF (refer to PBKDF2 as defined in RFC 2898). The key derivation formula is
DK = KDF(P, S, c)
where P is the password, a data string of limited length; S is the added salt value; and c is the number of iteration loops.
Define the key derived when the user sets the password as DK_prov,
and the key derived at a subsequent verification as DK_verify.
The user password is verified as correct if and only if DK_verify == DK_prov.
This technique can only check the current user password; it cannot provide the special function of checking that the client is inside a particular restricted local area network.
Disclosure of Invention
The invention addresses these problems by providing a method that confines a device to a local area network fence using the DHCP protocol. The method requires no complex connection management or transmission control from either party and no support from upper-layer network protocols, and is therefore particularly suitable for verifying a client's local area network access during the initial stage of system start-up or in a limited-function state.
The technical scheme is as follows. To solve the above technical problems, the invention adopts the following scheme:
A method for confining a device to a local area network fence using the DHCP protocol: a DHCP service provides a globally unique local area network identifier; the client device feeds the identifier and the user password together into a key derivation function to generate a binary key pair for verification, and checks whether the client device meets the unlocking condition.
Further, if the key pair passes verification, the client device is in the defined local area network and the user password is correct, so the device can be unlocked for use; otherwise, either the client is not in the restricted local area network or the user password is incorrect, and the device remains locked and unusable.
Further, the DHCP service provides the globally unique local area network identifier as follows: the DHCP service deployed in the local area network automatically generates and stores a unique identifier UUID that represents the local area network; it receives and answers the UUID request sent by a client, sending an ACK message that returns the generated UUID to the requesting client device.
Further, both when the password is initially set and during each subsequent password verification, the client device uses the DHCP protocol to acquire the identifier of the connected local area network; after successful acquisition it feeds the identifier and the user password together into the key derivation function to generate a binary key pair for verification.
Further, the client sends a UUID request to a selected DHCP service in the local area network; it then feeds the user password and the obtained UUID as parameters into the key derivation function, derives a key pair and deploys that pair into a secure storage medium.
Further, the client sends a request for the local area network identifier to the selected DHCP service; after obtaining the network identifier it feeds the user password and the identifier into the key derivation function to derive a key pair; by comparing this pair with the deployment key pair generated when the device was bound to the local network, the client device determines that it is in the restricted network and that the user password was entered correctly when the two are consistent, and the device is unlocked; if verification fails, the device remains locked.
The beneficial effects are that: compared with the prior art, the invention has the following advantages:
(1) The invention places the network identifier UUID function on the DHCP server side. The DHCP service is managed by the network administrator, who holds the IP resources and topology information of the local area network and is therefore in a position to represent the network and generate or negotiate its UUID.
(2) In the invention the server is only responsible for answering the client's request, replying with a DHCP message that carries the network UUID; it does not check the client, no additional service process is needed, and system resource consumption is very low.
(3) The invention carries the information in DHCP messages; because the local area network already supports the transmission and cross-segment relaying of DHCP messages, the network itself does not need to be changed.
(4) In the invention server and client interact via the DHCP protocol, and the DHCP message carries the network UUID. Neither party requires complex connection management or transmission control, and no upper-layer network protocol support is needed, so the method is particularly suitable for local area network access verification of the client during system start-up or in a limited-function state. In addition, by way of the Discover, Offer, Request, Acknowledge (D.O.R.A.) process of the DHCP protocol, the client automatically discovers the DHCP service in the local area network without a pre-configured server IP address, which is convenient and flexible.
(5) The client introduces a new binary key pair derivation algorithm that verifies both access to the local area network and the user password. Because the added network UUID does not reduce the randomness of the salt input, the security of the key derivation algorithm is not affected.
Drawings
FIG. 1 is a block and state transition diagram of a prior art cryptographic check.
Fig. 2 is a main module and an interactive flow related to the present invention, wherein gray is a new or modified module.
Fig. 3 is a flowchart of a DHCP server side adding algorithm in the present invention, wherein gray is adding logic.
Fig. 4 is a flow chart of the present invention for obtaining a network UUID using DHCP protocol, wherein the grey part is the newly added logic.
FIG. 5 is a flow chart of a binary key pair verification algorithm designed by the present invention.
Detailed Description
The invention will be further illustrated with reference to specific examples, which are carried out on the basis of the technical solutions of the invention, it being understood that these examples are only intended to illustrate the invention and are not intended to limit the scope thereof.
In the invention's method of confining a device to a local area network fence using the DHCP protocol, a DHCP service provides a globally unique local area network identifier. Both when the password is initially set and during each subsequent password verification, the client device uses the DHCP protocol to obtain the identifier of the connected local area network; after successful acquisition it feeds the identifier and the user password together into a key derivation function to generate a binary key pair for verification. The client device is then checked against the unlocking conditions: if the key pair passes verification, the client device is in the defined local area network and the user password is correct, and the device is unlocked; otherwise, either the client is not in the restricted local area network or the user password is incorrect, and the device remains locked and unusable.
The method consists mainly of three parts: a DHCP service with the newly added network UUID function; the terminal system's new function of obtaining the network UUID via the DHCP protocol; and the extended binary key pair derivation and verification algorithm based on the network UUID.
The functions newly added to the local area network DHCP service are as follows: (1) it auto-negotiates and generates a globally unique network identifier UUID (Universally Unique ID) that represents the local area network.
As shown in fig. 3, the DHCP service generates or negotiates the globally unique network UUID based on its own configuration information for the local area network. When several DHCP services exist within the LAN (e.g. as backups or to increase service capacity), it must be ensured that all of them share the same UUID (fig. 3[1][2]).
(2) It answers the DHCP request message containing the UUID request sent by the client, returning a DHCP reply message that contains the network identifier UUID.
As shown in fig. 3 and 4, the DHCP message is intercepted, and only when the received DHCP request message contains the special network UUID request OPTION (fig. 3[3]) does the service reply with a message carrying the network UUID OPTION (fig. 3[4]).
Therefore, with these new DHCP service functions, the DHCP service provides the globally unique local area network identifier as follows: the DHCP service deployed in the local area network automatically generates and stores a unique identifier UUID that represents the local area network; it receives and answers the UUID request sent by a client, sending an ACK message that returns the generated UUID to the requesting client device.
The terminal device binds itself to the restricted local area network as follows: the client sends a UUID request to a selected DHCP service in the local area network; it then feeds the user password and the obtained UUID as parameters into a key derivation function, derives a key pair and deploys that pair into a secure storage medium.
The client checks the local area network identifier as follows: the client sends a request for the local area network identifier to the selected DHCP service; after obtaining the network identifier it feeds the user password and the identifier into the key derivation function to derive a key pair; by comparing this pair with the deployment key pair generated when the device was bound to the local network, the client determines that it is in the restricted network and that the user password was entered correctly when the two are consistent, and the device is unlocked; if verification fails, the device remains locked.
When the client deploys the key, it first sends a UUID request message to the DHCP service and parses the network identifier UUID_network from the reply message. The binary key pair <DK_1'_prov, DK_2'_prov> is then derived with the new algorithm, saved in secure storage, and the client device is thereby bound to the defined network.
The algorithm uses PBKDF2 as the primitive function KDF, calls the KDF twice, and passes different parameters to each call so as to verify the user password and the network respectively.
Using the original key derivation function KDF as the primitive (refer to PBKDF2 as defined in RFC 2898), the client key pair derivation is extended to two steps:
Step one: the user password and the local salt value are input, producing the first part of the key pair:
DK_1'_prov = KDF(P, S, c)
where P is the password, a data string of limited length; S is the added salt value; and c is the number of iteration loops.
Step two: the network identifier and the key produced in step one are input, producing the second part of the key pair:
DK_2'_prov = KDF(DK_1'_prov, UUID_network, c)
where DK_1'_prov is generated from the user password and the local salt value and serves to verify the client user password, and DK_2'_prov is generated from DK_1'_prov and the network UUID acquired via DHCP, tying the second part of the key pair to the first while checking access to the local area network.
Because the parameters of the second step include the output of the first, the two parts of the key pair are cryptographically linked. Comparing the key pairs therefore authenticates not only the user password but also access to the local area network.
At verification time the client submits the special UUID request message to the DHCP service, parses UUID_network from the returned reply, and derives <DK_1'_verify, DK_2'_verify> with the formulas above.
The client compares the derived key pair <DK_1'_verify, DK_2'_verify> with the deployed key pair <DK_1'_prov, DK_2'_prov> to judge (1) whether the user password is correct and (2) whether the local area network is the restricted network. Both hold if and only if the binary key pairs satisfy <DK_1'_verify, DK_2'_verify> == <DK_1'_prov, DK_2'_prov>.
The process of obtaining the UUID by the client device in the invention is as follows:
Step 11: the client first runs the standard DHCP Discover, Offer, Request, Acknowledge (D.O.R.A.) procedure (fig. 4[1]). Once D.O.R.A. succeeds, the client automatically selects the DHCP service from which it obtained its IP resources as the service node for obtaining the network UUID.
Step 12: the client then sends a network UUID request message to the selected DHCP service (fig. 2[1], fig. 4[3]).
Step 13: the DHCP service listens for the message sent in step 12 (as shown in fig. 2 and fig. 4) and replies to the client with an ACK message carrying the network UUID.
Step 14: the client receives the DHCP ACK message and parses the network UUID carried in it (fig. 2[3]).
The implementation process of binding the client device to the local area network in the invention is as follows:
Step 21: the client obtains the network UUID according to the UUID acquisition flow above (fig. 2[1][2][3], fig. 4).
Step 22: the client feeds the UUID, the user password and the salt value into the key derivation function to compute the binary key pair <DK_1'_prov, DK_2'_prov> (fig. 2[3][4]):
DK_1'_prov = KDF(P, S, c)
DK_2'_prov = KDF(DK_1'_prov, UUID_network, c)
Step 23: the client saves the generated <DK_1'_prov, DK_2'_prov> to secure storage (fig. 2[5]).
The client device verification in the invention proceeds as follows:
Step 31: the client obtains the network UUID according to the UUID acquisition flow above (fig. 4, fig. 5[1]).
Step 32: the client feeds the UUID, the user password and the salt value into the key derivation function to compute the key pair <DK_1'_verify, DK_2'_verify> (fig. 5[2]):
DK_1'_verify = KDF(P, S, c)
DK_2'_verify = KDF(DK_1'_verify, UUID_network, c)
Step 33: the client checks <DK_1'_verify, DK_2'_verify> by traversing all binary key pairs <DK_n'_prov, DK_n+1'_prov> deployed in secure storage (fig. 5[3][4]):
a) If a pair with <DK_n'_prov, DK_n+1'_prov> == <DK_1'_verify, DK_2'_verify> exists, the client is judged to have entered the correct password and to be attached to the defined local area network. Verification succeeds (fig. 5[5][6]).
b) If some DK_n'_prov == DK_1'_verify exists but no DK_n+1'_prov == DK_2'_verify exists, the client is judged to have entered the correct password but not to be attached to the restricted local area network. Verification fails (fig. 5[7]).
c) If neither DK_n'_prov == DK_1'_verify nor DK_n+1'_prov == DK_2'_verify exists, the client is judged to have entered the wrong password and not to be attached to the defined local area network. Verification fails (fig. 5[7]).
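The two-step derivation (steps one and two above) and the bind/verify procedure of steps 21 to 33, as an added worked example; this is not the patent's own code. It assumes PBKDF2-HMAC-SHA256 with 32-byte outputs and a constructed iteration count c (the patent only specifies PBKDF2 per RFC 2898), stands in for the DHCP exchange by passing the network UUID as a parameter, and stores the local salt beside each deployed pair, which the patent implies but does not spell out.

```python
"""Binary key pair derivation and check for the DHCP LAN fence (added example)."""
import hashlib
import hmac
import os
import uuid
from typing import Dict, List, Optional, Tuple

ITERATIONS = 100_000   # c: constructed value, the patent leaves it unspecified
KEY_LEN = 32           # bytes per half of the pair (assumption)


def derive_key_pair(password: str, salt: bytes, network_uuid: bytes,
                    iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Two chained KDF calls, mirroring the patent's step one and step two.

    DK_1' = KDF(P, S, c)             -> depends on the user password and salt only
    DK_2' = KDF(DK_1', UUID_net, c)  -> depends on DK_1' and the LAN identity
    """
    dk1 = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, KEY_LEN)
    dk2 = hashlib.pbkdf2_hmac("sha256", dk1, network_uuid, iterations, KEY_LEN)
    return dk1, dk2


def provision(password: str, network_uuid: bytes,
              salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Steps 21-23: bind the device to the LAN; returns the record for secure storage."""
    salt = salt if salt is not None else os.urandom(16)
    dk1, dk2 = derive_key_pair(password, salt, network_uuid)
    return {"salt": salt, "dk1_prov": dk1, "dk2_prov": dk2}


def verify(password: str, network_uuid: bytes,
           deployed: List[Dict[str, bytes]]) -> str:
    """Step 33: walk every deployed pair and classify the outcome.

    Returns "unlocked" (case a), "wrong_network" (case b) or
    "wrong_password" (case c).
    """
    password_matched = False
    for rec in deployed:
        dk1, dk2 = derive_key_pair(password, rec["salt"], network_uuid)
        # constant-time comparisons so the check does not leak via timing
        if hmac.compare_digest(dk1, rec["dk1_prov"]):
            password_matched = True
            if hmac.compare_digest(dk2, rec["dk2_prov"]):
                return "unlocked"
    return "wrong_network" if password_matched else "wrong_password"


# Constructed sample UUIDs standing in for the value a DHCP ACK would carry.
LAN_UUID = uuid.UUID("0f3a1c2e-5b7d-4e91-a6c4-2d8e9f0b1a23").bytes
OTHER_LAN_UUID = uuid.UUID("7c2b9e41-3a6f-4d08-b5e2-91f4a7c3d6e0").bytes

if __name__ == "__main__":
    record = provision("correct-horse", LAN_UUID)
    print(verify("correct-horse", LAN_UUID, [record]))        # unlocked
    print(verify("correct-horse", OTHER_LAN_UUID, [record]))  # wrong_network
    print(verify("wrong-pass", LAN_UUID, [record]))           # wrong_password
```

Note that the first half of the pair is independent of the network, which is exactly what lets case b distinguish "right password, wrong LAN" from "wrong password".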
The invention uses the DHCP service and the DHCP message transmission and relaying mechanisms already supported by the local area network to deliver the network's globally unique identifier to clients inside it. The client feeds the acquired network identifier and the password entered by the user into the key derivation function to generate a binary key pair. Only when both the network identifier and the user password are correct can the client device generate the correct binary key pair and pass verification; otherwise it remains locked. This realizes the function of confining the device to the local area network.
The invention meets the requirement that the client can be used only within a restricted local area network: (1) the local area network must provide the client with a globally unique network identifier representing itself; (2) the client must correctly identify whether the network it is attached to is the defined LAN, without relying on restriction configuration supported by upper-layer network protocols.
The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention.

Claims (6)

1. A method for implementing a device-defined local area network fence using the DHCP protocol, characterized in that: a DHCP service provides a globally unique local area network identifier; the client device feeds the identifier and a user password together into a key derivation function to generate a binary key pair for verification, and checks whether the client device meets the unlocking condition.
2. The method according to claim 1, wherein: if the key pair passes verification, the client device is in the defined local area network and the user password is correct, and the device can be unlocked for use; otherwise, either the client is not in the restricted local area network or the user password is incorrect, and the device remains locked and unusable.
3. The method according to claim 1, wherein the DHCP service provides the globally unique local area network identifier as follows: the DHCP service deployed in the local area network automatically generates and stores a unique identifier UUID representing the local area network; it receives and answers the UUID request sent by the client, sending an ACK message that returns the generated UUID to the requesting client device.
4. The method according to claim 1, wherein: both when the password is initially set and during each subsequent password verification, the client device uses the DHCP protocol to acquire the identifier of the connected local area network, and after successful acquisition feeds the identifier and the user password together into the key derivation function to generate a binary key pair for verification.
5. The method according to claim 4, wherein: the client sends a UUID request to a selected DHCP service in the local area network; the client feeds the user password and the obtained UUID as parameters into the key derivation function, derives a key pair and deploys that pair into a secure storage medium.
6. The method for verifying a local area network identity using a client according to claim 5, wherein: the client sends a request for the local area network identifier to the selected DHCP service in the local area network; after obtaining the network identifier, the client feeds the user password and the identifier into the key derivation function to derive a key pair; the client device determines that it is in the restricted network and that the user password was entered correctly by comparing with the deployment key pair generated when binding to the designated local network, and unlocks the device if they are consistent; if verification fails, the device remains locked.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310098583.5A CN116132163A (en) 2023-02-10 2023-02-10 Method for realizing device limiting local area network fence by using DHCP protocol


Publications (1)

Publication Number Publication Date
CN116132163A true CN116132163A (en) 2023-05-16

Family

ID=86309844


Country Status (1)

Country Link
CN (1) CN116132163A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination