TWI294734B - A method for increasing security of plaintext authentication in a wireless local area network - Google Patents

A method for increasing security of plaintext authentication in a wireless local area network

Info

Publication number
TWI294734B
Authority
TW
Taiwan
Prior art keywords
authentication
fake
security
network
authentication process
Prior art date
Application number
TW94122322A
Other languages
Chinese (zh)
Other versions
TW200704102A (en)
Inventor
Zheng Wen Tang
Original Assignee
Hon Hai Prec Ind Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hon Hai Prec Ind Co Ltd filed Critical Hon Hai Prec Ind Co Ltd
Priority to TW94122322A priority Critical patent/TWI294734B/en
Publication of TW200704102A publication Critical patent/TW200704102A/en
Application granted granted Critical
Publication of TWI294734B publication Critical patent/TWI294734B/en

Landscapes

  • Mobile Radio Communication Systems (AREA)

Description

VII. Designated representative figure: Figure 4.

IX. Description of the Invention:

[Technical Field of the Invention]

The present invention relates to a method for increasing network security, and in particular to a method for increasing the security of plaintext authentication in a wireless network.

[Prior Art]

With the advancement of network technology, Wireless Local Area Network (WLAN) technology has matured, and accessing the Internet over a wireless network has become a trend. The problems that come with wireless networks are user identity authentication, wireless network security, bandwidth management, and the collection of network usage fees. Because a wireless network transmits information by radio broadcast, anyone who can receive the wireless signal can intrude into the system and steal user data. To protect the rights of legitimate users, users must be authenticated and the security of data transmission must be strengthened.

However, in the current identity authentication process all data is transmitted in plaintext, which leaves some security holes. A currently popular wireless network security scheme is the Lightweight Extensible Authentication Protocol (LEAP) introduced by Cisco. That method uses [illegible in source] for confirmation, and it is supported only by software from a few vendors. Moreover, LEAP still has some security holes; in particular, it is vulnerable to dictionary attacks.

[Summary of the Invention]

The object of the present invention is to provide a method for increasing the security of network plaintext authentication.

The method provided by the present invention includes the following steps:

(a) establishing a Basic Service Set (BSS) in a wireless local area network;
(b) creating an empty learning table for storing user information from the authentication process;
(c) creating fake user identifications;
(d) updating the learning table;
(e) initializing the fake extensible authentication process;
(f) performing a fake Extensible Authentication Protocol (EAP) process once every fixed time interval according to the learning table;
(g) determining whether a new user has been learned;
(h) if a new user has been learned, updating the learning table;
(i) performing a fake extensible authentication process once every fixed time interval according to the updated learning table.

The method adopted by the present invention uses multiple fake user authentications as cover for the authentication of one real user. This increases the difficulty of an attack, and makes a dictionary attack in particular more difficult. At the same time, for the transmission network as a whole, the method does not seriously affect network traffic.

[Embodiment]

Figure 1 is a block diagram of the application environment of the method. In this embodiment the method is applied in a wireless network. The user terminal 20 connects wirelessly to the wireless base station (Access Point, AP) 10 and, through the wireless base station 10, connects to the authentication server 30 in order to reach the existing backbone network. The user terminal 20, the wireless base station 10 and the server 30 constitute a Basic Service Set (BSS).

To communicate, the user terminal 20 first sends an association request (Associate-Request) to the wireless base station 10. The wireless base station 10 answers the request (Associate-Response), accepting or rejecting it. After receiving an accepting reply, the user terminal 20 starts to establish a connection with the server 30 and the authentication process begins.

Throughout the authentication process the wireless base station 10 acts as the communication bridge between the user terminal 20 and the authentication server 30. The exchange proceeds as follows:

1. The user terminal 20 sends an Extensible Authentication Protocol (EAP) start packet to the wireless base station 10.
2. On receiving the start packet, the wireless base station 10 sends an EAP identity request (EAP-Request/Identity) packet to the user terminal 20, asking it to send its identity information.
3. The user terminal 20 sends an EAP identity request reply (EAP-Response/Identity) packet to the wireless base station 10; this packet contains the identity information of the user terminal 20.
4. The wireless base station 10 encapsulates the EAP identity request reply in an authentication server access request (Radius Access-Request) packet and sends it to the authentication server 30.
5. The authentication server 30 generates a challenge string and issues a challenge to the user terminal 20, requiring it to respond to the challenge string. In this embodiment the challenge string is encapsulated in a challenge packet. The authentication server 30 sends a Remote Authentication Dial-In User Service (RADIUS) access packet (Radius Access-Challenge) to the wireless base station 10; it contains the EAP challenge (EAP-Request/Challenge) packet for the user terminal 20, which in turn contains the challenge string.
6. The wireless base station 10 sends the EAP challenge request packet to the user terminal 20, requiring it to authenticate.
7. The user terminal 20 processes the challenge string and returns an EAP response (EAP-Response) packet containing the processed challenge string.
8. The wireless base station 10 returns the EAP response packet, together with the access challenge packet issued by the authentication server 30, to the authentication server 30, which determines whether the user is legitimate.
9. If authentication succeeds, the authentication server 30 sends an access accept packet to the wireless base station 10.
10. On receiving the access accept packet, the wireless base station 10 sends an EAP success (EAP-Success) message to the user terminal 20.

During this process, after each data packet is sent, the receiver automatically generates an Ack (Acknowledgement) packet and transmits it to the sender of the message.

To prevent dictionary attacks during the authentication process, the present invention has the wireless base station 10 itself manufacture the packets that are transmitted in the authentication process described above. These packets form cover for real user authentications, making it hard for an attacker to obtain real data and strengthening the defence against dictionary attacks. Specifically, as soon as the wireless base station 10 starts working it begins to create fake end-user identifications.

Figure 2 shows the learning table 110 that the wireless base station 10 builds in order to create fake user identifications. In this embodiment the learning table 110 stores user information from the authentication process: the user identification type, the number of real users, the number of fake users, the real user identifications and the fake user identifications, each in its own column. The user identification type may include Message Digest Algorithm 5 (MD5), Lightweight Extensible Authentication Protocol (LEAP), Microsoft Challenge Authentication Protocol V2 (MSCHAPv2), and so on.

In this embodiment one real user is covered by fifteen fake users. In the initialization stage of the wireless base station 10, no user terminal has yet established communication with it, so the number of real users in the learning table 110 is 0 and the real user identification column is empty. The wireless base station 10 directly uses valid strings [partly illegible in source] to create fifteen fake user identifications and stores them in the learning table 110. The strings are randomly generated hexadecimal strings, and the number of fake users is updated automatically. For example, for LEAP-type authentication, if there are N real users (N being an integer 1, 2, 3, ...), the wireless base station 10 creates (15*N) fake users, that is, fake users for each of the N real users, so that the fake user count column holds [15*(N+1)] fake users.

The wireless base station 10 manufactures fake extensible authentication processes according to the fake user identifications recorded in the learning table 110. When another user logs in to the remote server 30 through authentication and the wireless base station 10 receives the access accept message transmitted by the remote server 30, the wireless base station 10 compares that user identification and its corresponding extensible authentication process with the records in the learning table 110. If the user identification has not appeared before, a new user has authenticated successfully and the wireless base station 10 has learned a new user. The wireless base station 10 then records the user identification in the real user column that corresponds to the user's authentication method and updates the number of real users in the learning table 110. Next, the wireless base station 10 creates fifteen fake user identifications for that real user identification, stores them in the learning table 110, and automatically updates the number of fake users. The wireless base station 10 continues to run fake extensible authentication processes according to the updated learning table 110, that is, it performs fake extensible authentication for the fake user identifications in the learning table. In this embodiment the fake extensible authentication process is performed once per fixed time interval. The same applies to faking the other types of authentication process.

Note that in the embodiment above the wireless base station 10 creates fifteen fake users as cover for each real user, but the number of fake user identifications is not limited to this. In other embodiments the number of fake users per real user may be X; if there are N real users, there will be [X*(N+1)] fake users.

Figure 3 is the timeline table 120 of the packets that a fake extensible authentication process needs to transmit, with the timing of each packet in different environments. In this embodiment the method can be used in different environments, including an 802.11g/a environment or an 802.11b environment; that is, the transmitted wireless packets may be 802.11a/b/g wireless packets. [A sentence on the timing is illegible in the source.] The wireless base station 10 creates each of the different packet types and transmits these packets into the network, for example a fake association request, a fake association request response, a fake EAP identity request, a fake EAP identity request reply, a fake EAP challenge request, a fake EAP challenge request response and a fake EAP success message.

Figure 4 is the flowchart of the method:

- Step S401: a Basic Service Set (BSS) is established in the wireless local area network; it includes the wireless user terminal 20, the wireless access point 10 and the remote login server 30.
- Step S403: the wireless base station 10 creates an empty learning table 110.
- Step S405: the wireless base station 10 creates fake user identifications from randomly generated hexadecimal strings.
- Step S407: all information for these randomly generated fake users is stored in the learning table 110, updating it.
- Step S409: the wireless base station 10 initializes the fake extensible authentication process, generating the packets that the fake process requires, as shown in Figure 3.
- Step S411: the wireless base station 10 performs a fake Extensible Authentication Protocol (EAP) process once every fixed time interval according to the learning table 110. In this embodiment the fixed time interval is 15 seconds.
- Step S413: the wireless base station 10 determines whether a new user has been learned.
- Step S415: if a new user has been learned, the wireless base station 10 updates the learning table 110 and then performs a fake extensible authentication process once every fixed time interval according to the updated table. If no new user has been learned, the flow returns to step S411 and the wireless base station 10 continues the fake extensible authentication processes.

In the plaintext authentication of a wireless network, the present invention uses multiple fake users as cover for one real user. This greatly increases the security of plaintext authentication and makes it hard for an attacker to obtain a user's real data through a dictionary attack.

[Brief Description of the Drawings]

Figure 1 is a block diagram of the application environment of the method for increasing the security of network plaintext authentication.
Figure 2 is a schematic diagram of the learning table used by the method.
Figure 3 is the timeline table of the packets of the fake authentication process in different environments.
Figure 4 is a flowchart of the method.

[Description of Main Component Symbols]

Wireless base station 10
User terminal 20
Server 30
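The learning table of Figure 2 and the loop of steps S403 to S415 can be modelled in a few lines. The following Python sketch is an added example, not code from the patent: the names `LearningTable`, `decoy_round`, `cover_ratio` and `simulate` are hypothetical, frames are represented as tuples rather than real 802.11 packets, and the 8-byte length of the random hexadecimal identities is an assumption.

```python
import secrets
from dataclasses import dataclass, field

DECOYS_PER_USER = 15   # X in the description; 15 in the embodiment
ROUND_INTERVAL_S = 15  # fixed interval between fake rounds in the embodiment

# Packet types of one fake exchange, as listed in the description and claims 5-11.
DECOY_FRAMES = (
    "Associate-Request", "Associate-Response",
    "EAP-Request/Identity", "EAP-Response/Identity",
    "EAP-Request/Challenge", "EAP-Response", "EAP-Success",
)

@dataclass
class Row:
    """One learning-table row: the real and fake identities of one auth type."""
    real_ids: list = field(default_factory=list)
    fake_ids: list = field(default_factory=list)

class LearningTable:
    def __init__(self, auth_types=("MD5", "LEAP", "MSCHAPv2"), decoys=DECOYS_PER_USER):
        self.decoys = decoys
        self.rows = {}
        for auth_type in auth_types:      # S403-S407: empty table, then initial decoys
            self._row(auth_type)

    def _row(self, auth_type):
        if auth_type not in self.rows:    # an unseen auth type gets its own row
            self.rows[auth_type] = Row()
            self._add_decoys(self.rows[auth_type])
        return self.rows[auth_type]

    def _add_decoys(self, row):
        added = 0
        while added < self.decoys:
            ident = secrets.token_hex(8)  # random hex string (length is an assumption)
            if ident not in row.fake_ids and ident not in row.real_ids:
                row.fake_ids.append(ident)
                added += 1

    def on_access_accept(self, auth_type, identity):
        """S413/S415: call when an Access-Accept is relayed; True if a user was learned."""
        row = self._row(auth_type)
        if identity in row.real_ids:
            return False                  # already known, table unchanged
        row.real_ids.append(identity)
        self._add_decoys(row)
        return True

    def counts(self, auth_type):
        row = self._row(auth_type)
        return len(row.real_ids), len(row.fake_ids)

def decoy_round(table, start_s):
    """S411: one round, a complete fake exchange for every fake identity."""
    return [(start_s, auth_type, ident, frame)
            for auth_type, row in table.rows.items()
            for ident in row.fake_ids
            for frame in DECOY_FRAMES]

def cover_ratio(table, auth_type):
    """Share of the identities visible on the air that belong to real users."""
    real, fake = table.counts(auth_type)
    return real / (real + fake)

def simulate(accepts, duration_s):
    """Run the S411-S415 loop over constructed (time_s, auth_type, identity) events."""
    table, pending, log = LearningTable(), sorted(accepts), []
    for t in range(0, duration_s + 1, ROUND_INTERVAL_S):
        while pending and pending[0][0] <= t:
            _, auth_type, ident = pending.pop(0)
            table.on_access_accept(auth_type, ident)
        log.append((t, len(decoy_round(table, t))))
    return table, log

if __name__ == "__main__":
    # Constructed sample: one LEAP user authenticates 20 s after the AP starts.
    table, log = simulate([(20, "LEAP", "alice")], 30)
    print(table.counts("LEAP"), log, cover_ratio(table, "LEAP"))
```

The per-round packet count grows with every learned user, which is the traffic cost the description says stays moderate at a 15-second interval.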

Claims (1)

X. Scope of the Patent Application:

1. A method for increasing the security of network plaintext authentication, comprising:
establishing a basic service set in a wireless local area network;
creating an empty learning table for storing user information from the authentication process;
creating fake user basic data;
performing a fake extensible authentication process once every fixed time interval according to the learning table;
determining whether a new user has been learned; if so,
updating the learning table; and
performing a fake extensible authentication process once every fixed time interval according to the updated learning table.

2. The method for increasing the security of network plaintext authentication according to claim 1, wherein the step of creating the fake user basic data further comprises:
creating fake user identifications;
updating the learning table according to the fake user identifications; and
initializing the fake extensible authentication process.

3. The method for increasing the security of network plaintext authentication according to claim 1, wherein, if no new user has been learned, a fake extensible authentication process is performed once every fixed time interval.

4. The method for increasing the security of network plaintext authentication according to claim 1, wherein the user information includes the number of real users, the real user identifications, the number of fake users and the fake user identifications.

5. The method for increasing the security of network plaintext authentication according to claim 1 or 2, wherein the fake extensible authentication process includes transmitting a wireless packet of a fake association request.

6. The method for increasing the security of network plaintext authentication according to claim 1 or 2, wherein the fake extensible authentication process includes transmitting a wireless packet of a fake association request response.

7. The method for increasing the security of network plaintext authentication according to claim 1 or 2, wherein the fake extensible authentication process includes transmitting a wireless packet of a fake EAP (Extensible Authentication Protocol) identity request.

8. The method for increasing the security of network plaintext authentication according to claim 1 or 2, wherein the fake extensible authentication process includes transmitting a wireless packet of a fake EAP identity request reply.

9. The method for increasing the security of network plaintext authentication according to claim 1 or 2, wherein the fake extensible authentication process includes transmitting a wireless packet of a fake EAP challenge request.

10. The method for increasing the security of network plaintext authentication according to claim 1 or 2, wherein the fake extensible authentication process includes transmitting a wireless packet of a fake EAP challenge request response.

11. The method for increasing the security of network plaintext authentication according to claim 1 or 2, wherein the fake extensible authentication process includes transmitting a wireless packet of a fake EAP success message.
TW94122322A 2005-07-01 2005-07-01 A method for increasing security of plaintext authentication in a wireless local area network TWI294734B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW94122322A TWI294734B (en) 2005-07-01 2005-07-01 A method for increasing security of plaintext authentication in a wireless local area network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW94122322A TWI294734B (en) 2005-07-01 2005-07-01 A method for increasing security of plaintext authentication in a wireless local area network

Publications (2)

Publication Number Publication Date
TW200704102A TW200704102A (en) 2007-01-16
TWI294734B true TWI294734B (en) 2008-03-11

Family

ID=45068231

Family Applications (1)

Application Number Title Priority Date Filing Date
TW94122322A TWI294734B (en) 2005-07-01 2005-07-01 A method for increasing security of plaintext authentication in a wireless local area network

Country Status (1)

Country Link
TW (1) TWI294734B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8804644B2 (en) 2008-10-29 2014-08-12 Intel Corporation Method, apparatus and system of dynamic bandwidth management
TWI471045B (en) * 2008-10-29 2015-01-21 Intel Corp Method and apparatus of dynamic bandwidth management

Also Published As

Publication number Publication date
TW200704102A (en) 2007-01-16

Similar Documents

Publication Publication Date Title
EP1492296B1 (en) Apparatus and method for a single a sign-on authentication through a non-trusted access network
US7633953B2 (en) Method, system and device for service selection via a wireless local area network
EP2356791B1 (en) Communication system and method
JP3869392B2 (en) User authentication method in public wireless LAN service system and recording medium storing program for causing computer to execute the method
US8972582B2 (en) Method and apparatus enabling reauthentication in a cellular communication system
CN100435508C (en) Method and equipment for safety Internetwork protocol communication in call processing system
US20070184832A1 (en) Secure identification of roaming rights prior to authentication/association
US20060143458A1 (en) Method for the access of the mobile terminal to the wlan and for the data communication via the wireless link securely
EP2347625B1 (en) Communication system and method
JP2002314549A (en) User authentication system and user authentication method used for the same
US20070265005A1 (en) Network selection for prioritized access via wireless access networks
CN1726483A (en) Authentication in a communication system
JP5536628B2 (en) Wireless LAN connection method, wireless LAN client, and wireless LAN access point
JP2002520923A (en) Authentication system and method in mobile communication system
WO2006112614A1 (en) Method for providing pictures to a digital frame based on home networks
JP3973961B2 (en) Wireless network connection system, terminal device, remote access server, and authentication function device
EP1495586B1 (en) Method, system and device for service selection via a wireless local area network
RU2007119383A (en) METHOD FOR REGISTRATION OF MOBILE TERMINAL COMMUNICATION DEVICE IN LOCAL NETWORK
AU2004224971B2 (en) A method of authentication via a secure wireless communication system
TWI294734B (en) A method for increasing security of plaintext authentication in a wireless local area network
AU770479B2 (en) System and method for local policy enforcement for internet service providers
JP4971445B2 (en) Method for transferring an emergency message of a terminal device in a communication network
CN1802817A (en) Method and network for WLAN session control
JP2006072493A (en) Relay device and authentication method
US20070028092A1 (en) Method and system for enabling chap authentication over PANA without using EAP

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees