CN201294532Y - Network authentication apparatus and network authentication system - Google Patents

Network authentication apparatus and network authentication system

Info

Publication number: CN201294532Y
Authority: CN (China)
Prior art keywords: random value, authentication, eapol, message, authenticator
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CNU2008201238784U
Other languages: Chinese (zh)
Inventor: 郑庆达
Current Assignee: Beijing Star Net Ruijie Networks Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Beijing Star Net Ruijie Networks Co Ltd

Abstract

The utility model discloses a network authentication device and a network authentication system. The supplicant device comprises an authentication switch, an authentication response unit, a random value storage unit and an authentication exit unit. The authentication response unit judges whether the authentication switch is on; if so, it adds a random value N to the authentication response EAP_response message and stores N in the random value storage unit; otherwise it does not add N to the EAP_response message. The authentication exit unit fetches the random value N from the random value storage unit and adds it to the authentication exit EAPOL_Logoff message. The scheme provided by the embodiments of the utility model eliminates the hidden danger, present when the 802.1x protocol is used, of users being maliciously kicked offline; because a random value is used for authentication it is hard to break and the security is high. At the same time, the scheme is well compatible with the authentication process of the standard 802.1x protocol.

Description

Network authentication device and network authentication system
Technical field
The utility model relates to the field of computer network communication technology, and in particular to a network authentication device and a network authentication system.
Background technology
Ethernet is open by nature: as long as a user is connected to a network device, the user can use all kinds of network services through that device. The IEEE 802.1x standard defines an access control mechanism and authentication protocol based on the client/server model, which restricts network services to users who have passed authentication and so overcomes this security weakness of legacy networks. Fig. 1 is a schematic diagram of the roles in a typical IEEE 802.1x deployment; three roles can be seen: supplicant, authenticator and authentication server.
The supplicant is the role played by the end user, generally client software running on a PC, which initiates the request for network service access. Common software that meets the IEEE 802.1x client standard includes the IEEE 802.1x client bundled with the Windows XP operating system.
The authenticator controls the supplicant's access to network services. In the authentication process it is really only a relay for the exchange of authentication information: it communicates with the supplicant, forwards the supplicant's authentication request to the authentication server, and then authorizes the supplicant's network access according to the instructions of the authentication server. The authenticator is generally an access control device such as a switch or router.
The authentication server is generally server software running on a PC. It is responsible for checking the identity of the authenticating user and notifying the authenticator of the authentication result. The server must be a security system that supports the RADIUS protocol; typical authentication server software is the IAS service (Internet Authentication Service) bundled with the Windows 2000 Server operating system.
The common authentication process, shown in Fig. 2, is as follows:
1. The user runs the supplicant client software, which sends an EAPOL_Start message;
2. After the authenticator receives this message, it sends an EAP_request/identity message to the supplicant;
3. The supplicant replies to the authenticator with an EAP_response/identity message (generally carrying the user name);
4. After the authenticator receives the EAP_response/identity message sent by the supplicant, it begins forwarding authentication messages between the client and the authentication server. If the authentication server approves the supplicant's identity, authentication succeeds and the authenticator allows this user to use the network; otherwise the user cannot use the network.
5. If the user wants to leave the authenticated state, the supplicant sends an EAPOL_Logoff message to notify the authenticator; after the authenticator receives this message, it closes the network services of this user.
The format of the standard EAPOL_Logoff message is shown in Table 1.
Table 1
Message field           Position (bytes)
Destination MAC         1-6
Source MAC              7-12
PAE Ethernet Type       13-14
Protocol Version        15
Packet Type             16
Packet Body Length      17-18
Packet Body             19-N
Destination MAC: the multicast address used by the 802.1x protocol; the data is fixed at 01_80_C2_00_00_03.
Source MAC: in the 1X application scheme, the MAC address of the network card of the PC on which the supplicant runs.
PAE Ethernet Type: identifies the 1x protocol; the data is fixed at 888e.
Protocol Version: the protocol version number; the data is fixed at 01.
Packet Type: identifies a Logoff message; the data is fixed at 02.
Packet Body Length: the length of the protocol data field; the data is fixed at 0.
In the application of the scheme, a logoff message must not be easy to forge, otherwise a user could be illegally kicked offline. But from the message format analysis above it can be seen that, in the EAPOL_Logoff message specified by the 802.1x protocol, every field except the Source MAC (which is filled with the MAC address of the network card of the supplicant's PC) is fixed. Therefore, as long as the physical network card address of the target is known, an attacker can easily construct the EAPOL_Logoff message of another user under the same authentication port and send it with a packet-sending tool (such as Sniffer), forcing that user offline.
For example, in Fig. 1, supplicant 1 (PC1) and supplicant 2 (PC2) are connected to port 1 of the authenticator at the same time. PC1 and PC2 both authenticate and come online; PC1 obtains the MAC address of PC2 (for example by learning it with the arp -a command in the Windows operating system; suppose the address obtained is 00d0f8123456); PC1 then constructs an EAPOL_Logoff message whose fields are filled as follows:
Destination MAC: 01_80_C2_00_00_03
Source MAC: 00d0f8123456 (the MAC address of PC2)
PAE Ethernet Type: 888e
Protocol Version: 01
Packet Type: 02
Packet Body Length: 0
Here, apart from the Source MAC, which is the address obtained in the previous step, all other fields are the values specified by the protocol.
The message above is sent with a packet-sending tool (such as Sniffer). After receiving the EAPOL_Logoff message maliciously forged by PC1, the authenticator takes it as a logoff request sent by PC2, forces PC2 offline, and PC2 can no longer use the network.
Content of the utility model
The embodiments of the utility model provide a network authentication device and a network authentication system, in order to solve the potential logoff safety hazard in existing network authentication technology while remaining well compatible with the standard 802.1x protocol authentication process.
A supplicant device comprising an authentication switch, an authentication response unit, a random value storage unit and an authentication exit unit, wherein:
the authentication response unit judges whether the authentication switch is on; if so, it adds a random value N to the authentication response EAP_response message and stores the random value N in the random value storage unit; otherwise, it does not add the random value N to the authentication response EAP_response message;
the authentication exit unit obtains the random value N from the random value storage unit and adds it to the authentication exit EAPOL_Logoff message.
A network authentication system comprising an authenticator and a supplicant, the supplicant comprising an authentication switch, wherein:
when the supplicant turns on the authentication switch, it adds a random value N to the authentication response EAP_response message and also adds the random value N to the authentication exit EAPOL_Logoff message sent to the authenticator;
the authenticator receives and stores the random value N added to the authentication response EAP_response message; when it confirms that the random value N carried in the received authentication exit EAPOL_Logoff message matches the locally stored random value N, it responds to the EAPOL_Logoff message; otherwise, it discards the EAPOL_Logoff message.
An authenticator device comprising an authentication switch, an authentication success unit, a random value storage unit and an authentication confirmation unit, wherein:
the authentication success unit judges whether the authentication switch is on; if so, it adds a random value N to the authentication success EAPOL_Success message and stores the random value N in the random value storage unit; otherwise, it does not add the random value N to the authentication success EAPOL_Success message;
the authentication confirmation unit, when it confirms that the random value N carried in the received authentication exit EAPOL_Logoff message matches the random value N stored in the random value storage unit, responds to the EAPOL_Logoff message; otherwise, it discards the EAPOL_Logoff message.
A network authentication system comprising an authenticator and a supplicant, the authenticator comprising an authentication switch, wherein:
when the authenticator turns on the authentication switch, it adds a random value N to the authentication success EAPOL_Success message sent to the supplicant;
the supplicant stores the random value N and adds the random value N to the authentication exit EAPOL_Logoff message sent to the authenticator;
the authenticator is further used to verify whether the random value N carried in the received authentication exit EAPOL_Logoff message matches the locally stored random value N; if so, it responds to the EAPOL_Logoff message, otherwise it discards the EAPOL_Logoff message.
The embodiments of the utility model provide a supplicant device comprising an authentication switch, an authentication response unit, a random value storage unit and an authentication exit unit. The authentication response unit judges whether the authentication switch is on; if so, it adds a random value N to the authentication response EAP_response message and stores the random value N in the random value storage unit; otherwise, it does not add the random value N to the authentication response EAP_response message. The authentication exit unit obtains the random value N from the random value storage unit and adds it to the authentication exit EAPOL_Logoff message. The scheme provided by the embodiments eliminates the hidden danger, present when the 802.1x protocol is used, of users being maliciously forced offline; because a random value is used for authentication it is hard to break and the security is high. At the same time, the scheme is well compatible with the standard 802.1x protocol authentication process.
Description of drawings
Fig. 1 is a schematic diagram of the roles in a typical IEEE 802.1x deployment in the prior art;
Fig. 2 is a schematic diagram of a network authentication process in the prior art;
Fig. 3 is a schematic diagram of the network authentication system provided by embodiment 1 of the utility model;
Fig. 4 is a schematic diagram of the structure of the supplicant device provided by embodiment 1 of the utility model;
Fig. 5 is a schematic diagram of the network authentication system provided by embodiment 2 of the utility model;
Fig. 6 is a schematic diagram of the structure of the authenticator device provided by embodiment 2 of the utility model.
Embodiments
The main idea of the embodiments of the utility model is to add an authentication switch to the supplicant. When this switch is on, the supplicant adds a random value to the EAP_response message, indicating that in this scheme the EAPOL_Logoff message must be verified. When the supplicant goes offline, it adds this random value to the EAPOL_Logoff message sent to the authenticator. The authenticator checks the random value: only if it matches is the message considered legitimate and processed, otherwise it is discarded. When the switch is off, processing is the same as the original flow, so as to remain compatible with the standard 802.1x protocol authentication process.
Alternatively, in another aspect, the authentication switch can be located in the authenticator. When the switch is on and the supplicant authenticates successfully, the authenticator informs the supplicant of a random value in the EAP_Success message, indicating that in this scheme the EAPOL_Logoff message must be verified. When the supplicant goes offline, it adds this random value to the EAPOL_Logoff message sent to the authenticator. The authenticator checks the random value: only if it matches is the message considered legitimate and processed, otherwise it is discarded. When the switch is off, processing is the same as the original flow, so as to remain compatible with the standard 802.1x protocol authentication process.
The main implementation principles, embodiments and achievable beneficial effects of the technical scheme of the embodiments are explained in detail below with reference to the accompanying drawings.
Fig. 3 is a schematic diagram of the structure of the network authentication system with an authentication switch provided by embodiment 1 of the utility model, wherein:
The authentication switch is located in the supplicant. When the authentication switch is on, the supplicant adds a random value N1 to the authentication response EAP_response message. Specifically, the random value N1 can be placed in the data field of the EAPOL_Success message or in any other place where data can be added. At the same time, the supplicant needs to store the random value N1 locally. The random value N1 here can be obtained by a random algorithm.
The authenticator receives and stores the random value N1: after receiving the authentication response EAP_response message, it extracts the random value N1 from it and stores it locally. The authenticator then sends the EAPOL_Success message to the supplicant as the protocol specifies. After receiving the EAPOL_Success message, the supplicant is authenticated and can access the network.
Here, the authenticator determines whether the authentication switch is on by judging whether the received authentication response EAP_response message carries a random value N1. If the EAP_response message carries a random value N1, the authentication switch is on and the authenticator performs the corresponding operations; if it does not, the authentication switch is off and the authenticator proceeds in the manner specified by the existing 802.1x standard. Alternatively, after turning on the authentication switch, the supplicant can also notify the authenticator by a specific message that the switch is on and that the random value N1 carried in the EAP_response message needs to be extracted.
When the supplicant prepares to go offline and leave the network, it first judges whether a random value N1 is stored locally; if not, it sends the authentication exit EAPOL_Logoff message in the manner specified by the existing 802.1x standard; if a random value N1 is stored locally, the supplicant likewise adds the random value N1 to the authentication exit EAPOL_Logoff message and sends it to the authenticator.
Here, the value added may be obtained from the random value N1 through a specific encryption algorithm, or N1 may be used directly. When encryption is performed, the algorithm may be any existing encryption algorithm, for example the MD5 algorithm, the DES algorithm, the 3DES algorithm or the RSA algorithm, or even a user-defined algorithm. As long as the supplicant encrypts the value for the EAPOL_Logoff message, the authenticator only needs to perform the legitimacy check on the encrypted value. Since these algorithms are existing, commonly used encryption techniques, they are not described further here.
In the encryption, the random value N1 may be combined with the corresponding MAC address and encrypted together to obtain the value carried. The MAC address here can be replaced by any other agreed value, such as the user name or a fixed value, or omitted altogether so that only the random value N1 is encrypted.
When the authenticator confirms that the random value N1 carried in the received authentication exit EAPOL_Logoff message matches the locally stored random value N1, it responds to the EAPOL_Logoff message; otherwise, it discards the EAPOL_Logoff message.
After receiving the EAPOL_Logoff message sent by the supplicant, the authenticator extracts the random value it contains, fetches the locally stored random value N1, applies the same encryption algorithm as in the steps above to N1, and compares the result with the received value. If they are identical, the two match, the EAPOL_Logoff message is legitimate and the authenticator responds to it; otherwise, if the computed value does not match the received value, the EAPOL_Logoff message is illegitimate and is discarded.
Here, the authenticator and the supplicant must use the same encryption algorithm for the random value N1; whichever algorithm is adopted, both sides must agree on it. Consistency of the algorithm can be ensured by user configuration or by prior negotiation between the authenticator and the supplicant.
Of course, when the authentication switch is off, the whole process is identical to that specified by the existing 802.1x standard and is not repeated here.
Because the authentication switch is located in the supplicant device, the utility model provides a supplicant device, shown in Fig. 4, which comprises an authentication switch 11, an authentication response unit 12, a random value storage unit 13 and an authentication exit unit 14, as follows:
The authentication response unit 12 judges whether the authentication switch 11 is on; if so, it adds the random value N1 to the authentication response EAP_response message and stores the random value N1 in the random value storage unit 13; otherwise, it does not add the random value N1 and sends the message in the authentication response EAP_response format of the standard 802.1x protocol authentication process.
After the corresponding authenticator device receives the authentication response EAP_response message, it judges whether a random value N1 has been added to it; if so, it confirms that the authentication switch 11 is on and stores the random value N1 locally; otherwise, it confirms that the authentication switch 11 is off and processes the message according to the standard 802.1x protocol authentication process.
When the supplicant device goes offline, the authentication exit unit 14 obtains the random value N1 from the random value storage unit 13 and adds it to the authentication exit EAPOL_Logoff message.
Further, the authentication exit unit 14 judges whether a random value N1 is stored in the random value storage unit 13; if so, it obtains the random value N1 and adds it to the authentication exit EAPOL_Logoff message; otherwise, it does not add the random value N1 to the authentication exit EAPOL_Logoff message. Here, to ensure that the random value N1 stored in the random value storage unit 13 is the one used by the current authentication process, the random value storage unit 13 must be emptied after each authentication process ends, that is, after the supplicant device goes offline normally. Alternatively, the random value N1 generated in each authentication process is given a different storage mark to distinguish it from other random values N1.
After the corresponding authenticator device receives the authentication exit EAPOL_Logoff message, it extracts the random value N1 from it and compares it with the locally stored random value N1; if they match, it responds to the EAPOL_Logoff message; otherwise, it discards the EAPOL_Logoff message.
Preferably, the device further comprises a random value generation unit 15 for generating the random value N1.
When the authentication response unit 12 determines that the authentication switch 11 is on, it obtains the random value N1 from the random value generation unit 15 and adds it to the authentication response EAP_response message.
Preferably, the device further comprises an encryption unit 16 for encrypting the random value N1.
Here, when the random value N1 to be added to a message needs to be encrypted, the encryption unit 16 obtains the random value N1 from the random value generation unit 15 or the random value storage unit 13, encrypts it, and passes the result to the authentication response unit 12 or the authentication exit unit 14.
The encryption algorithm adopted may be any existing encryption algorithm, for example the MD5 algorithm, the DES algorithm, the 3DES algorithm or the RSA algorithm, or even a user-defined algorithm. As long as the supplicant encrypts the value for the EAPOL_Logoff message, the authenticator only needs to perform the legitimacy check on the encrypted value. Since these algorithms are existing, commonly used encryption techniques, they are not described further here.
Likewise, the authentication switch can be located in the authenticator, as shown in Fig. 5, wherein:
When the authentication switch is on, the authenticator adds a random value N2 to the authentication success EAPOL_Success message sent to the supplicant.
According to the existing authentication process standard, after the supplicant authenticates successfully, the authenticator sends it an authentication success message, the EAPOL_Success message. The authenticator can add a random value N2 to this EAPOL_Success message. Specifically, the random value N2 can be placed in the data field of the EAPOL_Success message or in any other place where data can be added.
At the same time, the authenticator needs to store this random value N2. One way to store it is to keep a local table indexed by the supplicant's MAC address, each MAC address corresponding to its random value N2, so that the authenticator can easily look up the random value N2 of each supplicant when necessary. The random value N2 here can be obtained by a random algorithm.
After receiving the EAPOL_Success message, the supplicant is authenticated and can access the network. At this point, if the supplicant finds that the EAPOL_Success message carries a random value N2, it needs to store the random value N2 locally; it can use the same storage method as the authenticator.
When the supplicant prepares to go offline and leave the network, it first judges whether a random value N2 is stored locally; if not, it sends the authentication exit EAPOL_Logoff message in the manner specified by the existing 802.1x standard; if a random value N2 is stored locally, it adds the random value N2 to the EAPOL_Logoff message and sends it to the authenticator.
Here, the value added may be obtained from the random value N2 through a specific encryption algorithm, or N2 may be used directly. When encryption is performed, the algorithm may be any existing encryption algorithm, for example the MD5 algorithm, the DES algorithm, the 3DES algorithm or the RSA algorithm, or even a user-defined algorithm. As long as the supplicant encrypts the value for the EAPOL_Logoff message, the authenticator only needs to perform the legitimacy check on the encrypted value. Since these algorithms are existing, commonly used encryption techniques, they are not described further here.
In the encryption, the random value N2 may be combined with the corresponding MAC address and encrypted together to obtain the value carried. The MAC address here can be replaced by any other agreed value, such as the user name or a fixed value, or omitted altogether so that only the random value N2 is encrypted.
After receiving the EAPOL_Logoff message sent by the supplicant, the authenticator extracts the random value it contains, fetches the locally stored random value N2, applies the same encryption algorithm as in the steps above to the local N2, and compares the result with the received value. If they are identical, the two match, the EAPOL_Logoff message is legitimate and the authenticator responds to it; otherwise, the EAPOL_Logoff message is illegitimate and is discarded.
Here, the authenticator and the supplicant must use the same encryption algorithm for the random value N2; whichever algorithm is adopted, both sides must agree on it. Consistency of the algorithm can be ensured by user configuration or by prior negotiation between the authenticator and the supplicant.
Of course, when the authentication switch is off, the whole process is identical to that specified by the existing 802.1x standard and is not repeated here.
Because the authentication switch is located in the authenticator device, the utility model provides an authenticator device, shown in Fig. 6, which comprises an authentication switch 21, an authentication success unit 22, a random value storage unit 23 and an authentication confirmation unit 24, as follows:
The authentication success unit 22 judges whether the authentication switch 21 is on; if so, it adds the random value N2 to the authentication success EAPOL_Success message and stores the random value N2 in the random value storage unit 23; otherwise, it does not add the random value N2 and sends the message in the authentication success EAPOL_Success format of the standard 802.1x protocol authentication process.
After the corresponding supplicant device receives the authentication success EAPOL_Success message, it judges whether a random value N2 has been added to it; if so, it confirms that the authentication switch 21 is on and stores the random value N2 locally; otherwise, it confirms that the authentication switch 21 is off and processes the message according to the standard 802.1x protocol authentication process. When the supplicant device goes offline, it fills the random value N2 into the authentication exit EAPOL_Logoff message.
When the authentication confirmation unit 24 confirms that the random value N2 carried in the received authentication exit EAPOL_Logoff message matches the random value N2 stored in the random value storage unit 23, it responds to the EAPOL_Logoff message; otherwise, it discards the EAPOL_Logoff message.
Further, the authentication confirmation unit 24 is also used to judge whether a random value N2 is stored in the random value storage unit 23; if so, it obtains the random value N2 and compares it with the random value N2 carried in the authentication exit EAPOL_Logoff message; otherwise, it processes the message according to the standard 802.1x protocol authentication process and responds to the EAPOL_Logoff message. Here, to ensure that the random value N2 stored in the random value storage unit 23 is the one used by the current authentication process, the random value storage unit 23 must be emptied after each authentication process ends, that is, after the supplicant device goes offline normally. Alternatively, the random value N2 generated in each authentication process is given a different storage mark to distinguish it from other random values N2.
Preferably, the device further comprises a random value generation unit 25 for generating the random value N2.
When the authentication success unit 22 determines that the authentication switch 21 is on, it obtains the random value N2 from the random value generation unit 25 and adds it to the EAPOL_Success message.
Preferably, the device further comprises an encryption unit 26 for encrypting the random value N2.
Here, when the random value N2 to be added to a message needs to be encrypted, the encryption unit 26 obtains the random value N2 from the random value generation unit 25 or the random value storage unit 23, encrypts it, and passes the result to the authentication success unit 22 or the authentication confirmation unit 24.
The encryption algorithm adopted may be any existing encryption algorithm, for example the MD5 algorithm, the DES algorithm, the 3DES algorithm or the RSA algorithm, or even a user-defined algorithm. As long as the supplicant encrypts the value for the EAPOL_Logoff message, the authenticator only needs to perform the legitimacy check on the encrypted value. Since these algorithms are existing, commonly used encryption techniques, they are not described further here.
In the embodiment of the utility model, the basic process mainly comprises 3 stages, as follows:
Stage 1: precondition
Open the authentication switch; otherwise the standard 802.1X protocol authentication process is followed;
Stage 2: supplicant authentication stage:
The supplicant generates a random value and sends it to the authenticator, or the authenticator issues a random value to the supplicant; authenticator and supplicant both keep this random value (the random value is used by the cryptographic algorithm);
Stage 3: supplicant offline stage:
When going offline, the supplicant uses the MD5 algorithm to encrypt the EAPOL_Logoff message; the authenticator judges the legitimacy of the received EAPOL_Logoff message, processes it if legal, and otherwise discards it.
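The three stages above, as an added example that is not part of the patent or of any Ruijie product: a Python model of the authenticator-issued variant (claims 6 to 10, where N travels in EAPOL_Success), showing a spoofed EAPOL_Logoff being discarded while the genuine one is honoured, and the standard 802.1X behaviour when the authentication switch is off. The frame layout, the MAC address and the use of HMAC-SHA256 keyed with N in place of the MD5 step are all assumptions made for this example; the supplicant-generated variant of claims 1 to 5 differs only in which side generates N.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

EAPOL_SUCCESS = "EAPOL-Success"
EAPOL_LOGOFF = "EAPOL-Logoff"


@dataclass
class Frame:
    """Minimal stand-in for an EAPOL frame (constructed for this example)."""
    kind: str
    src_mac: str
    nonce: Optional[bytes] = None  # random value N carried in EAPOL-Success
    tag: Optional[bytes] = None    # keyed digest carried in EAPOL-Logoff


def logoff_tag(nonce: bytes, src_mac: str) -> bytes:
    """Bind a logoff to N. The patent encrypts the EAPOL_Logoff with N (MD5 in
    the embodiment); an HMAC-SHA256 keyed with N is substituted here (assumption)."""
    msg = f"{EAPOL_LOGOFF}|{src_mac}".encode()
    return hmac.new(nonce, msg, hashlib.sha256).digest()


class Authenticator:
    """Authenticator side: authentication switch plus per-station N store."""

    def __init__(self, switch_on: bool) -> None:
        self.switch_on = switch_on
        self.store: Dict[str, bytes] = {}  # the random value memory cell
        self.online: Set[str] = set()

    def authentication_success(self, mac: str) -> Frame:
        """Stage 2: issue EAPOL-Success, carrying N only when the switch is on."""
        self.online.add(mac)
        if not self.switch_on:
            return Frame(EAPOL_SUCCESS, "authenticator")
        n = secrets.token_bytes(16)
        self.store[mac] = n
        return Frame(EAPOL_SUCCESS, "authenticator", nonce=n)

    def handle_logoff(self, frame: Frame) -> str:
        """Stage 3: honour a logoff only if it proves knowledge of N."""
        mac = frame.src_mac
        n = self.store.get(mac)
        if n is None:
            # nothing stored for this station: standard 802.1X processing
            self.online.discard(mac)
            return "responded"
        expected = logoff_tag(n, mac)
        if frame.tag is None or not hmac.compare_digest(frame.tag, expected):
            return "dropped"
        self.online.discard(mac)
        del self.store[mac]  # empty the store so N is not reused across sessions
        return "responded"


class Supplicant:
    """Supplicant side: keeps N from EAPOL-Success and uses it on logoff."""

    def __init__(self, mac: str) -> None:
        self.mac = mac
        self.nonce: Optional[bytes] = None

    def on_success(self, frame: Frame) -> None:
        if frame.nonce is not None:
            self.nonce = frame.nonce  # the authenticator's switch is on

    def logoff(self) -> Frame:
        if self.nonce is None:
            return Frame(EAPOL_LOGOFF, self.mac)  # standard logoff
        return Frame(EAPOL_LOGOFF, self.mac, tag=logoff_tag(self.nonce, self.mac))


def run_scenario(switch_on: bool) -> Dict[str, object]:
    """Run one session and report how a spoofed and a genuine logoff fare."""
    auth = Authenticator(switch_on)
    sup = Supplicant("00:11:22:33:44:55")  # constructed MAC address
    sup.on_success(auth.authentication_success(sup.mac))
    # A logoff that merely copies the supplicant's source MAC but carries no
    # proof of N: the "malicious kick-off" the patent sets out to prevent.
    spoofed = Frame(EAPOL_LOGOFF, sup.mac)
    result: Dict[str, object] = {"spoofed": auth.handle_logoff(spoofed)}
    result["online_after_spoofed"] = sup.mac in auth.online
    result["genuine"] = auth.handle_logoff(sup.logoff())
    result["online_after_genuine"] = sup.mac in auth.online
    return result


if __name__ == "__main__":
    print("switch off:", run_scenario(False))
    print("switch on: ", run_scenario(True))
```

With the switch off the model behaves like plain 802.1X and the spoofed logoff takes the station offline; with the switch on it is dropped and only the logoff bound to N is honoured. The store entry is deleted once a genuine logoff is accepted, which is the "empty the memory cell after each session" rule given in the description.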
The scheme provided by the embodiment of the utility model eliminates the hidden danger, present when the 802.1x protocol is used, of users being maliciously taken offline; moreover, a random value is used for authentication, which is difficult to crack and therefore secure. At the same time, the scheme is well compatible with the standard 802.1x protocol authentication process.
Obviously, those skilled in the art can make various changes and modifications to the utility model without departing from its spirit and scope. Thus, if these modifications and variations of the utility model fall within the scope of the utility model's claims and their equivalent technologies, the utility model is also intended to include these changes and modifications.

Claims (10)

1. A supplicant device, characterized in that the device comprises an authentication switch, an authentication response unit, a random value memory cell and an authentication exit unit, wherein,
the authentication response unit judges whether the authentication switch is open; if so, it adds a random value N to the authentication response EAP_response message and keeps the random value N in the random value memory cell; otherwise, it does not add the random value N to the authentication response EAP_response message;
the authentication exit unit obtains the random value N from the random value memory cell and adds it to the authentication exit EAPOL_Logoff message.
2. The supplicant device as claimed in claim 1, characterized in that the device further comprises a random value generation unit, used to generate the random value N.
3. The supplicant device as claimed in claim 1 or 2, characterized in that the device further comprises a ciphering unit, used to perform encryption computation on the random value N.
4. The supplicant device as claimed in claim 1, characterized in that the authentication exit unit is also used to judge whether the random value memory cell stores a random value N; if so, it obtains the random value N and adds it to the authentication exit EAPOL_Logoff message; otherwise, it does not add the random value N to the authentication exit EAPOL_Logoff message.
5. A network authentication system comprising an authenticator and a supplicant, characterized in that the supplicant comprises an authentication switch, wherein,
when the supplicant opens the authentication switch, it adds a random value N to the authentication response EAP_response message and adds the random value N to the authentication exit EAPOL_Logoff message sent to the authenticator;
the authenticator receives and keeps the random value N added to the authentication response EAP_response message; when the random value N carried in the received authentication exit EAPOL_Logoff message matches the locally kept random value N, it responds to the EAPOL_Logoff message, otherwise it discards the EAPOL_Logoff message.
6. An authenticator device, characterized in that the device comprises an authentication switch, an authentication success unit, a random value memory cell and an authenticate-acknowledge unit, wherein,
the authentication success unit judges whether the authentication switch is open; if so, it adds a random value N to the authentication success EAPOL_Success message and keeps the random value N in the random value memory cell; otherwise, it does not add the random value N to the authentication success EAPOL_Success message;
the authenticate-acknowledge unit checks whether the random value N carried in the received authentication exit EAPOL_Logoff message matches the random value N kept in the random value memory cell; if so, it responds to the EAPOL_Logoff message, otherwise it discards the EAPOL_Logoff message.
7. The authenticator device as claimed in claim 6, characterized in that the device further comprises a random value generation unit, used to generate the random value N.
8. The authenticator device as claimed in claim 6 or 7, characterized in that the device further comprises a ciphering unit, used to perform encryption computation on the random value N.
9. The authenticator device as claimed in claim 6, characterized in that the authenticate-acknowledge unit is also used to judge whether the random value memory cell stores a random value N; if so, it obtains the random value N and compares it with the random value N carried in the authentication exit EAPOL_Logoff message; otherwise, it responds to the EAPOL_Logoff message.
10. A network authentication system comprising an authenticator and a supplicant, characterized in that the authenticator comprises an authentication switch, wherein,
when the authenticator opens the authentication switch, it adds a random value N to the authentication success EAPOL_Success message sent to the supplicant;
the supplicant keeps the random value N and adds the random value N to the authentication exit EAPOL_Logoff message sent to the authenticator;
the authenticator is also used to verify whether the random value N carried in the received authentication exit EAPOL_Logoff message matches the locally stored random value N; if so, it responds to the EAPOL_Logoff message, otherwise it discards the EAPOL_Logoff message.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNU2008201238784U CN201294532Y (en) 2008-11-24 2008-11-24 Network authentication apparatus and network authentication system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNU2008201238784U CN201294532Y (en) 2008-11-24 2008-11-24 Network authentication apparatus and network authentication system

Publications (1)

Publication Number Publication Date
CN201294532Y true CN201294532Y (en) 2009-08-19

Family

ID=41008014

Family Applications (1)

Application Number Title Priority Date Filing Date
CNU2008201238784U Expired - Fee Related CN201294532Y (en) 2008-11-24 2008-11-24 Network authentication apparatus and network authentication system

Country Status (1)

Country Link
CN (1) CN201294532Y (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103384249A (en) * 2013-07-08 2013-11-06 北京星网锐捷网络技术有限公司 Network access authentication method, device and system and authentication server
CN105447699A (en) * 2014-06-30 2016-03-30 阿里巴巴集团控股有限公司 Data processing method and device
CN105447699B (en) * 2014-06-30 2019-12-10 阿里巴巴集团控股有限公司 Data processing method and device

Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee
CP02 Change in the address of a patent holder

Address after: 100036 Beijing City, Haidian District Fuxing Road No. 29 building 11 floor East Tower Austria Italy Peng

Patentee after: Beijing Xingwang Ruijie Network Technologies Co., Ltd.

Address before: 100036 Beijing Haidian District City 33 Fuxing Road Cuiwei East 1106

Patentee before: Beijing Xingwang Ruijie Network Technologies Co., Ltd.

DD01 Delivery of document by public notice

Addressee: Zhou Jian

Document name: Notification of Passing Examination on Formalities

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090819

Termination date: 20141124

EXPY Termination of patent right or utility model