CN201976122U - Internal/external network access authenticating system using USB KEY (universal serial bus key) as certificate medium - Google Patents


Info

Publication number
CN201976122U
Authority
CN
China
Prior art keywords
certificate
usb key
network access
key
server
Legal status
Expired - Fee Related
Application number
CN2011200036221U
Other languages
Chinese (zh)
Inventor
杨凌风
朱敏峰
朱巧明
丁卫泽
曹利
魏晓宁
罗永平
张晨
倪朔东
Current Assignee
Individual
Original Assignee
Individual
Priority date: 2011-01-07
Filing date: 2011-01-07
Publication date: 2011-09-14
Application filed by: Individual
Priority to: CN2011200036221U
Application granted
Publication of CN201976122U
Anticipated expiration
Current legal status: Expired - Fee Related

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The utility model discloses an internal/external network access authentication system that uses a USB KEY (universal serial bus key) as the certificate medium. It comprises a server on which CA (certification authority) software, which decides the generation, authorization and revocation of user certificates, and RADIUS (remote authentication dial in user service) software, which authenticates users, are installed. The RADIUS software on the server is connected to the client through network access equipment such as a switch, a wireless router or a VPN (virtual private network); the USB KEY is plugged into the client computer, and the certificate is stored in the USB KEY. The system is low in cost, easy to manage, and reliable and secure in use.

Description

Intranet/extranet access authentication system using a USB KEY as the certificate medium
Technical field
The utility model relates to an intranet/extranet access authentication system.
Background technology
As network technology matures and network applications spread, the network of every college and university must now serve not only the teaching and research of the whole school's staff but, increasingly, the student body as well. With the rapid growth in the number of network users, network security problems become ever more prominent, and building a safer, workable and manageable network environment has become an immediate task.
Conventional authentication approaches have many problems. Many authentication systems are placed at the backbone exit, so it is unavoidable that computers which have not been approved in advance make improper use of network equipment and resources, which is what we usually call unauthorized access. The cumbersome processing that traditional authentication applies to user data packets also creates a transmission bottleneck in the campus network; resolving that bottleneck by adding further network equipment inevitably raises the cost of the network, so this approach cannot meet users' requirements for security, efficiency and low cost.
802.1X authentication is now very widely used. It is easy to deploy and, by optimizing the authentication method and the structure of the authentication system, it effectively solves the problems brought by conventional authentication, eliminates the network bottleneck, reduces the encapsulation overhead and lowers the networking cost.
In ordinary deployments, however, EAP-MD5 password authentication is used. This method stores the user's password in a database and completes authentication with the most basic comparison at authentication time. It is the simplest method and, at the same time, the most fragile, being exposed to several kinds of attack. Because passwords are kept by the users themselves, one account ends up being used by many people, and consequences such as stolen passwords cause great inconvenience to administration. In practice, therefore, a more suitable authentication method has to be found that protects account security as far as possible.
Since EAP-MD5 suffers from problems such as authentication password leakage and man-in-the-middle attack, a better authentication method is needed to replace it. Although EAP-TLS is more costly to deploy, there is still a great deal of research combining PKI with RADIUS.
Summary of the invention
The purpose of this utility model is to provide an intranet/extranet access authentication system using a USB KEY as the certificate medium that is lower in cost, easy to manage, and reliable and secure in use.
The technical solution of the utility model is:
An intranet/extranet access authentication system using a USB KEY as the certificate medium, characterized in that it comprises a server on which CA software, which decides the generation, authorization and revocation of user certificates, and RADIUS software, which authenticates users, are installed; the server is connected to the client through network access equipment; a USB KEY is plugged into the client computer; and the certificate is stored in the USB KEY.
The network access equipment comprises a switch, a wireless router and a VPN (virtual private network).
The utility model is lower in cost, easy to manage, and reliable and secure in use, and has the following advantages:
1. An appropriate CA certificate management system is selected that can satisfy cross-regional application, management and issuance of digital certificates. At the same time, to meet the requirements of high reliability and non-reproducibility of certificates, the certificate is stored and used in USB KEY hardware, with a certificate storage method appropriate to the client's target operating system.
2. Certificate authentication with a USB KEY as the medium is used to apply secure authentication across all kinds of wired, wireless and dial-up network environments.
3. To achieve unified back-end authentication, certificates issued by the CA must be authenticated by a unified back end; for this reason, in the certificate authentication mode (EAP-TLS) of RADIUS, the CA's issuance and revocation of certificates make certificate authentication more timely and effective.
4. Hardware equipment suited to RADIUS authentication is selected, and a network access system with RADIUS as the unified authentication back end is deployed and used.
Description of drawings
The utility model is described in further detail below in conjunction with the drawings and embodiments.
Fig. 1 is a structural schematic of an embodiment of the utility model.
Embodiment
An intranet/extranet access authentication system using a USB KEY as the certificate medium, characterized in that it comprises a server on which CA software, which decides the generation, authorization and revocation of user certificates, and RADIUS software, which authenticates users, are installed; the server is connected to the client through network access equipment; a USB KEY is plugged into the client computer; and the certificate is stored in the USB KEY.
The network access equipment comprises a switch, a wireless router and a VPN.
Choice of CA software
EJBCA is a fully functional certificate authority program, written entirely in Java and using J2EE (Java 2 Enterprise Edition) technology. Built on the J2EE platform, it is an open, robust, high-performance, platform-independent, flexible and component-based CA that can be used alone or integrated into other J2EE applications, and it also provides a flexible and powerful Web-based graphical user interface. Because it implements nearly all of the important components of a PKI, such as the RA (Registration Authority), the CA (Certification Authority), the CRL (Certificate Revocation List) and the certificate database, it has been widely adopted.
EJBCA is simple to assemble, flexible and easy to manage; a CA built with it makes supervising network security straightforward, and EJBCA is a valuable open-source system. For these reasons EJBCA is the first choice for the CA server software in this system.
Choice of RADIUS server
FreeRADIUS is the most widely used RADIUS server. It runs fast, is highly extensible and well configurable, supports more protocols than most commercial servers, and supports SQL, LDAP, RADIUS proxying, load balancing and the dictionary files of almost 100 vendors.
Database types supported by FreeRADIUS: Oracle, MySQL, PostgreSQL, Sybase, IBM DB2, MS SQL Server.
Authentication types supported by FreeRADIUS: clear-text passwords in local configuration files (PAP), encrypted passwords in local configuration files, CHAP, MS-CHAP, MS-CHAPv2, Windows domain controller authentication, proxying to other RADIUS servers, system authentication (usually via /etc/passwd), PAM (pluggable authentication modules), LDAP (PAP only), CRAM, SIP Digest (Cisco VoIP, SER), Netscape-MTA-MD5 passwords, Kerberos authentication, and X9.9 authentication tokens.
Built-in EAP authentication methods: EAP-MD5, Cisco LEAP, EAP-MSCHAP-V2, EAP-GTC, EAP-SIM, EAP-TLS, EAP-TTLS, EAP-PEAP.
FreeRADIUS versions 2.0 and above have fixed a number of bugs, and choosing this latest version makes using EAP-TLS somewhat more convenient for us.
Making the two work together
The goal of the FreeRADIUS EAP-TLS design is to have EJBCA and EAP-TLS work cooperatively to solve the detailed problems of user management and authentication; certificate authorization and CRL updating are the key to the cooperation of the two pieces of software.
The work to be done falls mainly into the following three areas:
(1) selecting, deploying and using the CA software for certificate management;
(2) installing FreeRADIUS and configuring EAP-TLS so that certificate authentication works normally;
(3) linking the CA and FreeRADIUS, with real-time generation and updating of the CRL.
EJBCA is the core of the CA: the generation, authorization and revocation of all user certificates are decided here. JBoss is the platform on which EJBCA runs, and all certificate requests and issuance pass through this web server.
For the two most closely related parts, EJBCA and FreeRADIUS can be installed on the same server hardware or on different server hardware. If they are on different servers, the root certificate, server certificate and CRL can be installed from removable media such as a USB flash drive, or fetched over the network by a method such as FTP. When they are transferred over the network, the secure transfer of every certificate must be ensured, especially for the CRL, which needs frequent renewal; after it arrives, the root certificate can be used to check the validity of the CRL.
Using a USB Key hardware certificate
Using certificates solves the problem of stolen passwords, but a certificate that exists as a file can still be copied: once the password that decrypts the certificate is known, the same certificate can still be used by many people at the same time. How can a certificate be made non-copyable? This requires introducing hardware and keeping the certificate inside the hardware, which guarantees the uniqueness of the certificate.
A USB Key contains a smart card chip and fully supports all smart card functions, such as digital signing, while combining the functions of the smart card and the card reader in one device; the user needs only the computer's USB port to obtain plug-and-play security authentication services.
No special changes are needed in the EAP-TLS authentication settings. In the properties of the wired network connection, the authentication method is set to IEEE 802.1X authentication. For a wireless network the authentication mode is set to WPA, and IEEE 802.1X is then mandatory among the authentication options. Under EAP type, "smart card or certificate" is selected, and then "use smart card". At this point the client configuration is complete and ready to use. When the system prompts, the USB Key is inserted into the computer; when prompted again, the PIN (personal identification number) is entered, and after authentication by the FreeRADIUS server the network can be used. Managing certificates with a USB Key in this way brings a further improvement in both ease of use and security.
We therefore prefer the USB KEY as the certificate storage medium. For reasons of application cost and ease of operation, we chose the Feitian ePass1000 USB KEY.
PostgreSQL database and Fedora Linux
PostgreSQL is released under the BSD license, which allows anyone, in both commercial and non-commercial settings, to obtain it freely and use it without restriction. PostgreSQL is highly extensible and follows the development direction of the international ISO SQL standard closely.
Fedora Linux is developed and released with the support of Red Hat. Although the intended user of the Fedora distribution is the desktop user, the nature of Linux means it can perfectly well serve as a server for general applications and for the development phase. Fedora is also the preview release for Red Hat's enterprise server edition and incorporates many enterprise-edition features.
Problems the authentication must solve
Basic approach
EJBCA can create an updated CRL periodically by at least two routes.
(1) The CRL update service
EJBCA has a framework for scheduled services. In the web administration interface, select 'Edit Services' and add a service; when editing the service, choose the 'CRL Updater' worker, fill in the run interval, and set the service to Active. The service then runs once every interval and produces a CRL for each sub-CA.
(2) Using a cron job
Cron is available only on Unix-like systems. Add 'bin/ejbca.sh ca createcrl' to the cron job list; the createcrl command checks all valid sub-CAs and determines which of them have a CRL that needs updating. To force the CRL of a particular CA to be updated, 'bin/ejbca.sh ca createcrl caname' can be used. A reference cron setting:
PATH=$PATH:/usr/local/java/bin
@daily cd /usr/local/ejbca; /usr/local/ejbca/ca.sh createcrl
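The two CRL-related steps above, regenerating the CRL on a schedule and, once a CRL has arrived at the RADIUS host, checking it against the root certificate before trusting it (the requirement stated in the "Making the two work together" section), as an added example that is not part of the patent and not EJBCA's or FreeRADIUS's own code. The script builds a throwaway CA with openssl in a temporary directory, issues and revokes a client certificate, regenerates the CRL, and exposes two checks: verify_crl accepts a CRL only if its signature verifies with the given root, and cert_status reports whether a client certificate is valid, revoked or otherwise invalid. The CA names (Campus Root CA, Rogue CA), the user name student01 and all paths are constructed for illustration; the second, unrelated root stands in for a CRL that was forged or delivered from the wrong issuer.

```shell
#!/bin/sh
# Added example (not from the patent): throwaway CA, CRL regeneration and
# CRL signature checking with the openssl command-line tool.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl configuration so the example does not depend on the
# system-wide openssl.cnf. All names are constructed for illustration.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = local_ca
[ local_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 1
policy           = any_policy
x509_extensions  = usr_cert
[ any_policy ]
commonName       = supplied
[ req ]
distinguished_name = dn
x509_extensions  = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
touch index.txt
echo 01 > serial
echo 01 > crlnumber

# Root CA (hypothetical "Campus Root CA") and one client certificate.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
    -keyout ca.key -out ca.pem -subj "/CN=Campus Root CA" -days 30 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout client.key -out client.csr -subj "/CN=student01" 2>/dev/null
openssl ca -batch -config ca.cnf -notext -in client.csr -out client.pem 2>/dev/null
# An unrelated root, standing in for a forged or mis-delivered CRL issuer.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout rogue.key -out rogue.pem -subj "/CN=Rogue CA" -days 30 2>/dev/null

# Regenerate the CRL; on the real system this is what the scheduled
# 'ejbca.sh ca createcrl' run does.
make_crl() {
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}

# Accept a CRL only if its signature verifies with the given root certificate.
# Prints ok/bad and returns 0/1 so a copy into the trust store can be gated on it.
verify_crl() {  # $1 = CRL file, $2 = root certificate
    if openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q '^verify OK'; then
        echo ok; return 0
    fi
    echo bad; return 1
}

# Chain-validate a client certificate with CRL checking on; prints
# valid / revoked / invalid. Root and CRL are concatenated because
# -CAfile accepts CRLs alongside certificates.
cert_status() {  # $1 = client certificate
    cat ca.pem crl.pem > trust.pem
    out=$(openssl verify -crl_check -CAfile trust.pem "$1" 2>&1) && { echo valid; return 0; }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *) echo invalid ;;
    esac
    return 1
}

# Revoke the client certificate and publish a fresh CRL.
revoke_client() {
    openssl ca -config ca.cnf -revoke client.pem 2>/dev/null
    make_crl
}

make_crl
echo "CRL verifies against root: $(verify_crl crl.pem ca.pem)"
echo "client.pem status: $(cert_status client.pem)"
```

verify_crl is the gate to put in front of the copy step: a CRL fetched over FTP or carried on a USB stick is installed only if it verifies against the root already on the RADIUS host, and one that verifies only against some other certificate (rogue.pem here) is discarded. cert_status reports valid until revoke_client is run, after which the refreshed CRL makes it report revoked. On FreeRADIUS 2.x the refreshed CRL is consulted only when CRL checking is enabled in the EAP-TLS settings (check_crl = yes, with CA_path pointing at a directory that is rehashed with c_rehash after every update); without that, a timely CRL from EJBCA changes nothing at the RADIUS side.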

Claims (2)

1. An intranet/extranet access authentication system using a USB KEY as the certificate medium, characterized in that it comprises a server on which CA software, which decides the generation, authorization and revocation of user certificates, and RADIUS software, which authenticates users, are installed; the server is connected to the client through network access equipment; a USB KEY is plugged into the client computer; and the certificate is stored in the USB KEY.
2. The intranet/extranet access authentication system using a USB KEY as the certificate medium according to claim 1, characterized in that the network access equipment is a switch, a wireless router or a VPN (virtual private network).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011200036221U CN201976122U (en) 2011-01-07 2011-01-07 Internal/external network access authenticating system using USB KEY (universal serial bus key) as certificate medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2011200036221U CN201976122U (en) 2011-01-07 2011-01-07 Internal/external network access authenticating system using USB KEY (universal serial bus key) as certificate medium

Publications (1)

Publication Number Publication Date
CN201976122U true CN201976122U (en) 2011-09-14

Family

ID=44581221

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011200036221U Expired - Fee Related CN201976122U (en) 2011-01-07 2011-01-07 Internal/external network access authenticating system using USB KEY (universal serial bus key) as certificate medium

Country Status (1)

Country Link
CN (1) CN201976122U (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102663309A (en) * 2012-05-11 2012-09-12 辽宁省电力有限公司盘锦供电公司 Method for authenticating universal serial bus (USB) key utilized by computer equipment
CN106027535A (en) * 2016-05-26 2016-10-12 湖南洋达信息科技有限公司 Campus network security authentication system and method
CN107294952A (en) * 2017-05-18 2017-10-24 四川新网银行股份有限公司 A kind of method and system for realizing zero terminal network access
CN112182627A (en) * 2020-10-27 2021-01-05 杭州云链趣链数字科技有限公司 Block chain digital certificate management method and system based on mobile equipment
CN112512047A (en) * 2020-11-19 2021-03-16 四川省肿瘤医院 Detection method for wireless network security authentication

Similar Documents

Publication Publication Date Title
Todorov Mechanics of user identification and authentication: Fundamentals of identity management
CN107239688B (en) The purview certification method and system in Docker mirror image warehouse
US9325698B2 (en) Method and apparatus for on-site authorisation
US8973122B2 (en) Token based two factor authentication and virtual private networking system for network management and security and online third party multiple network management method
CN109257209A (en) A kind of data center server centralized management system and method
US10305887B2 (en) Method and system for hand held terminal security
CN109981561A (en) Monomer architecture system moves to the user authen method of micro services framework
CN107425983A (en) A kind of unified identity authentication method and system platform based on WEB service
US20070089163A1 (en) System and method for controlling security of a remote network power device
CN110535851A (en) A kind of customer certification system based on oauth2 agreement
CN201976122U (en) Internal/external network access authenticating system using USB KEY (universal serial bus key) as certificate medium
CN108964885A (en) Method for authenticating, device, system and storage medium
CN102571766A (en) Registration and network access control
WO2014048769A1 (en) Single sign-on method, proxy server and system
CN108965342A (en) The method for authenticating and system of request of data side's access data source
CN109587100A (en) A kind of cloud computing platform user authentication process method and system
CN102404112A (en) Access authentication method for credible terminal
CN114760070A (en) Digital certificate issuing method, digital certificate issuing center and readable storage medium
CN201491033U (en) Unified certification platform for operation systems
CN1738241A (en) Identity attestation safety control method based on remote distributed assembly
CN109587098A (en) A kind of Verification System and method, authorization server
Raj Certificate based hybrid authentication for bring your own device (BYOD) in Wi-Fi enabled environment
CN105959286A (en) Rapid identity authentication method based on certificate secret key caching
CN202059439U (en) Cross-service-platform comprehensive authentication system
CN102299805A (en) Method for realizing single sign-on based on LDAP (Lightweight Directory Access Protocol) service

Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110914

Termination date: 20140107