UA58439A - Method for authorization and authentication of a customer for access to the information network server - Google Patents

Abstract

The proposed method for authorization and authentication of a customer for access to the information network server consists in establishing the connection of the customer to the communication processor via the service signaling link (SSL), transmitting the globally unique identifier (GUID) of the customer and service data to the communication processor, verifying the availability of the customer right of access to the network server from the information on the customer stored in the billing system data base, assigning and transferring the identification code, which consists of one or several random numbers, to the customer, terminating the connection via the SSL link, providing the connection of the customer to the access management processor, verifying the identification data of the customer, and permitting or prohibiting the access depending on the verification results.

Description

Description of the invention

The invention relates to the fields of communication and computer technology, to means of information protection, in particular, to technologies of digital protection of information flows from unauthorized access. It is advisable to use it in systems of transmission and exchange of information (including multimedia), which require restriction of access to it.

The spread of various information transmission technologies, including multimedia, acutely raises the question of regulation or restriction of access to it. The growth of the number of companies offering commercial solutions for 70 transmission of information flows over the Internet makes the development of information protection technologies relevant.

It is quite common to provide access to broadcast services through proxies (rhohu - English, "to trust") - servers or authorization and authentication servers (AA - servers). By authentication (atsshepiysayop) we understand the personification of the client by checking whether he is allowed to connect to of the server as a whole, and under authorization (atsiRogigayop) - establishing its powers. Currently, both built-in AA tools and separate products that provide a very wide range of authorization and authentication protocols are used in 712 servers. These are common implementations of KASI - the protocol (KetoiiieAciPpepiiisayop Oia! ip Oveg begmise), which is described by the document KES (Kedtsevi iTog Soptttepiv) Mo 2058: Sivigop Kaiiiv /(mlum/.sivigop.gadiiv.pI) and

EgeeKadiiv (m/mlu іTeegadiiv.oga), TASASeya (Tegptipa!I Assezz SopigoYi!I Assezz bZegueg Riv) protocol and its implementation, in particular Russian development - iasrra (rgomideg.KNiE gi/rgodisivLasrra).

But these servers use OP - protocol (Ozeg Yuagadgat Rgoiiosoi), which, unlike TSR - protocol (Tgapztivviop Sopigo! Rgoiiosoi), firstly, is not focused on establishing a connection, but transmits information in portions, so each parcel contains authorization information, and secondly, there is the so-called /unreliable", that is, it does not guarantee the arrival of the information portion. If a permanent connection is established, then the following scheme is implemented: the client opens a TOR socket (according to the terminology of ZosKey - English, "socket", means connection) - in order to establish a connection connection, the client exchanges authentication and authorization information with the server, after which the server either allows the connection or breaks it. If the transmission channel is not secured, authentication and authorization information can be intercepted and become known to others.

Encryption of transmitted information is used to protect channels at the connection level. Most existing encryption algorithms use cryptographic keys that encode and decode information. Currently, the 551 (ZoskKei zesyge Iaueg) public key encryption protocol is very common. Version of co

This protocol allows you to encrypt data with a 128-bit key, which meets all the requirements for the protection of the vast majority of information exchange channels. WITH

This well-known 55II connection protocol is taken as a prototype. But it has disadvantages that slow down the exchange of information, which limits its scope of use. 3o The problem is that Z5I is a high-level protocol in relation to TSR, therefore, if a connection is established using the 551 protocol, then it is impossible to change its protocol to TSR in the future, which is not necessary at the stage of authentication and authorization, but after that the data, in particular, multimedia ones are also transmitted over closed channels

ZI - channel with digitization and necessary Z5I - information, which leads to excessive growth of traffic and "general slowing down of information exchange. This is especially relevant for multimedia information, because after the exchange of information begins, there is no need to encrypt it. And the transition to an open channel c requires disconnection and reconnection, which cancels the previous authentication and authorization.

From" The invention is based on the task of creating such a method of authentication and authorization, which, thanks to new operations, would eliminate the possibility of unauthorized access to information and facilitate the speed of information exchange, as well as provide the ability to manage information flows.

The task is solved by the method of authorization and authentication of the client when connecting to the server, which involves the installation of Z5I - connection to the proxy server, and after installing 551 -

Ge | the connection sends the client's unique customer number and service information to the proxy server, which contains, for example, the nature of the information to be received, the presence of such a client is checked against the database of the billing system, and in case of a positive result of the check, they generate and send to the client two or so 20 more random numbers, which are correlated with (z3SHIO - the client's unique number and entered into the database in the information about the current connection, then 551 - the connection is broken, the client is connected to Bgoaasavi - the so server on the open TSR - channel and send the requisites received by him, valid only during the current session, where their authenticity is checked, and based on the result of the check, the connection is made or refused, and in case of connection, information is transmitted. 25 The essence of the proposed method is explained by the attached drawings, where clients are depicted (any electronic devices capable of receiving information via the Internet or Intranet), the authorization server authentication and accounting (AAA - server, where AAA - ApshiPepiisayop, Ap Pogigayop apa Assoipiipo), consisting of a proxy server and a billing system and a server for transmitting any consumer information or a database. 60 At the first stage, the client creates 551 a connection with the proxy server. The client sends to the server its ZHIO - a unique number stored in a secure form in the client's PZP (permanent storage device) and other service information, for example, the nature of the information to be received, etc. All customer IDs are stored in the billing system database.

The proxy server checks the presence of such a client against the database, and in case of a positive result, it generates and sends two or more random numbers to the client (for example, session ID and session password). These same numbers are correlated with the client's ZTCIUO and are entered into the database in the information about the current connection. Then 551. - the connection is broken and the first stage is completed. At the second stage, the client already connects to Bgoadsavzi - a server (broadcast server or other information server) over an open

TOR - channel and sends the received details, which have value only during the current session. Vgoaasavi - the server checks their validity by checking the values stored in the database, and allows the connection or refuses the client. In the case of establishing a connection, the transfer of information begins. Thus, even if the session IDs are intercepted, they will not have any practical value, because they are valid only for one session. And really secret information - the client's Social Security Number is transmitted only through the encrypted 5513 channel. 7/0 The number of temporary parameters is important only to increase the level of protection when connecting via an open channel and can be easily increased to reduce the probability of their coincidence with a sufficiently large number of simultaneous connections.

The given method of authorization and authentication during connection is of great importance for the development of the information industry, because it provides an opportunity to reliably control access to user information by its /5 suppliers. After all, firstly, the development of commercial systems leads to an increase in the quality of broadcasting, stimulates the development of the entire industry as a whole, and secondly, it becomes possible to manage information flows.

Claims (2)

The formula of the invention, Shchi, Shchi, , , and 1. The method of authorization and authentication of the client when connecting to the server, which includes the establishment of a Z5I connection with the proxy server, which differs in that after establishing a 551 connection, the SOCIO proxy server is sent a unique client number and service information, check the presence of such a client in the database of the billing system, and in the case of a positive result of the check, generate and send two or more random numbers to the client, which are correlated with the customer's unique customer number and entered into the database in the information about the current connection, then ЗИ - with the connection is broken, the client is connected to the rgoadsazi server via an open TSR channel and the credentials received by it are sent, which are valid only during the current session, where their authenticity is checked, and based on the result of the check, the connection is made or refused, and in case connections transmit information. about zo 2. The method according to claim 1, which differs in that the service information contains, for example, the nature of the information to be received. about « (ee) Is) - and? 1 (ee) sh" (95) 3e) 60 b5