WO2008083628A1 - A authentication server and a method,a system,a device for bi-authenticating in a mesh network - Google Patents

A authentication server and a method,a system,a device for bi-authenticating in a mesh network Download PDF

Info

Publication number
WO2008083628A1
WO2008083628A1 PCT/CN2008/070064 CN2008070064W WO2008083628A1 WO 2008083628 A1 WO2008083628 A1 WO 2008083628A1 CN 2008070064 W CN2008070064 W CN 2008070064W WO 2008083628 A1 WO2008083628 A1 WO 2008083628A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
authentication
trust
authenticator
signature
Prior art date
Application number
PCT/CN2008/070064
Other languages
French (fr)
Chinese (zh)
Inventor
Hao Huang
Junping Zhang
Liangyue Mo
Huimin Zhang
Danfeng Feng
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd. filed Critical Huawei Technologies Co., Ltd.
Publication of WO2008083628A1 publication Critical patent/WO2008083628A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the embodiments of the present invention relate to the field of network communication technologies, and in particular, to a method, system, and device for authenticating a server and a two-way authentication in a mesh network. Background technique
  • the wireless Mesh network also known as the "multi-hop” network, is a new wireless network technology that is completely different from traditional wireless networks.
  • Traditional wireless networks must first access a centralized AP (Access Point) to make a wireless connection. Thus, even if two nodes are adjacent, they must communicate through the access point.
  • any wireless device node can act as an AP or router at the same time. Each node can send and receive data, and can directly communicate with one or more peer nodes.
  • the role of the wireless Mesh network is different from that of the traditional BSS (Basic Service Set). Only the STA (Station, Site or Terminal), AP, and AS (Authentication Server) roles are included in the BSS domain.
  • STA Serving, Site or Terminal
  • AP Access to Packet Data Service
  • AS Authentication Server
  • the AS forces the STA to act as the requester, and the AP acts as the authenticator.
  • the main features of Mesh include:
  • Transport Transfers non-Mesh application data to and from neighbor nodes. Only send, receive, and not forward.
  • Access point Allows a STA to connect to the Mesh through the AP.
  • MAP Mobility Access Point
  • MPP Mesh Point Collocated With a Mesh Portal
  • Mesh and External Network Gateway Transmission + internal routing + forwarding + external routing, not shown in Figure 1;
  • MP Mel Point, Mesh node: transmission + internal route + forwarding
  • LWMP Light Weight Mesh Point
  • Each MP in the negotiation may have three roles to complete: Supplicant, Authenticator, and AS. Therefore, there are issues of how to negotiate and determine the joint security roles and security policies of both parties.
  • a management action is required to assign roles to individual devices and select an associated MP to securely complete authentication.
  • the nodes that need to be associated send reachability to the AS through Beacon or probe response. Then negotiate the role of authentication through reachability: (1) If only one of the parties is reachable to the AS, then the reachable party is the authenticator and the other party is the requester.
  • the party with the larger MAC address is selected as the certifier and the other party as the requester.
  • the 802.1x method is used to complete the authentication and access the Mesh network.
  • the prior art has at least the following disadvantages:
  • the prior art has at least the following disadvantages:
  • the authentication data will be forwarded to the MP for forwarding, but if this is the case, If the intermediate MP is attacked and destroyed, the attacker may obtain a large amount of user authentication information and return it to the EAP-Success (Extensible Authentication Protocol Success Message) message for the purpose of plain text or a failure message.
  • the certifier the certification result is a failure. The certifier is not reliable because it does not know which place is wrong and only re-switches the authentication point repeatedly. Summary of the invention
  • the embodiments of the present invention provide a method, a system, and a device for authenticating a two-way authentication in an authentication server and a Mesh network, which solve the disadvantages of the unreliable intermediate node of the Mesh network and the single authentication.
  • an embodiment of the present invention provides a method for bidirectional authentication in a mesh network, including: a node in a mesh network Mesh selects an association node based on a trust degree, and the association node authenticates the node, and The trust signature is fed back to the node, and the node is based on the trust degree The signature authenticates the associated node.
  • the embodiment of the present invention further provides a mesh network system, including: at least one AS and multiple nodes, where the AS is configured to authenticate the node according to the received information of the node that is requested to be authenticated, to determine the node. a security level, and a trust time stamp is generated after the authentication succeeds, and the signature is sent to the node requesting the authentication together with the signature algorithm identifier;
  • the node in the Mesh selects an association node for authentication based on the trust degree sent by the AS, and verifies the identity of the associated node according to the trust degree signature fed back by the associated node.
  • the embodiment of the present invention further provides an authentication server, including: a trust distribution module, configured to determine a security level of the node according to the received node information of the request authentication, and generate a trust time stamp after the authentication succeeds, after signing And the signature algorithm is sent to the node that is requested to be authenticated.
  • the trust management module is configured to store user identity information of all successfully authenticated nodes in the Mesh and the trust degree, signature, and timestamp information recognized by the authentication server.
  • the embodiment of the present invention provides a node that selects an access point according to the degree of trust when the node initially accesses the Mesh network, and then both parties negotiate the authentication role and pass the verification of the authenticator.
  • the trust signature verifies the legal identity of the authenticator, and realizes the two-way authentication that the original 802. lx needs to complete in two rounds.
  • the embodiment of the present invention implements the AS to manage the identity of the requester, manages the trust degree, and classifies the trust degree of the user and the device, and then distributes the corresponding signature message to implement centralized authentication management.
  • the best authentication path can be selected to complete the authentication and is independent of the routing mechanism. The authentication security will not be changed as the route changes. It also reduces the trust of certain points when detecting an attack, thereby reducing the risk of being attacked.
  • FIG. 1 is a schematic diagram of a basic hierarchical structure of a prior art Mesh network
  • FIG. 2 is a schematic diagram of a method for selecting a prior art authentication role
  • FIG. 3 is a flowchart of an embodiment of an access authentication process of the method according to the present invention
  • FIG. 4 is a flowchart of a flowchart of Embodiment 1 of an AS sending trust and authentication process according to the present invention
  • FIG. 6 is a schematic diagram of an embodiment of an authentication server according to the present invention. detailed description
  • the embodiment of the present invention selects an associated node based on the degree of trust, and achieves the purpose of mutual authentication between the requester and the authenticator by verifying the signature of the trust. Unified management of trust by the AS.
  • the requester is authenticated by the AS and then sends the trust and related signature information, which is used as the basis for accessing the Mesh network.
  • the AS is responsible for the deprivation or reduction of trust.
  • the following example illustrates the two-way authentication process by taking the node access authentication process in the Mesh network as an example.
  • the specific implementation process is as follows:
  • Step 1 The requester selects an intermediate node that interacts with the AS, that is, selects an authenticated access node as an intermediate querier to access the AS:
  • an MP, MAP, or STA When an MP, MAP, or STA initially wants to access a mesh network, it sends a probe request to all neighbors, and the neighbors feed back the message with a beacon or probe response.
  • the node When the node (MP, MAP, or STA) receives the trust carried in the Beacon or the probe response sent by all neighboring nodes, it selects the node that most wants to associate according to its own policy. For example, the trust degree can be selected.
  • the node that is the largest or meets the MPP global policy performs 802.1x authentication. For example, a certain Mesh network has previously agreed to a certain range of trust to complete the access, and other ranges to forward or other functions. In this case, the selected access node needs to satisfy the pre-agreed policy.
  • the trust degree is uniformly distributed and managed by the AS, and can be implemented by modifying the format of the current RSN IE.
  • the current RSN IE format is as shown in Table 1, and the capability information Capabilities can be modified, where before and after the modification.
  • the Capabilities information is shown in the following table:
  • Role Type indicates the trust role type, which occupies one bit. When the value is 0, it indicates the user type trust degree, such as STA trust degree. When the value is 1, it indicates that the Mesh device node, such as MP or MAP trust degree, guarantees that most of the STAs will not pass the STA as the authenticator.
  • the Mesh device node is used as an authenticator, such as MP, MAP, etc. as the authenticator, and the role of the authentication intermediary is completed.
  • the Trust Degree indicates the degree of trust, which occupies four bits. The user or device that passes the authentication will obtain the trust issued by the AS. The default is 0, which means that the certificate is not authenticated or the trust level is the lowest.
  • Each node selects the relatively secure authenticated access node based on the existing trust information, so the authentication path of any node is the most reliable. For data transmission, it can be encrypted according to the key negotiated by the authentication, and the route with the best route can be selected for forwarding.
  • Step 2 After the intermediate authenticator selects, the requester (MP, MAP or STA) is associated with the selected intermediate authenticator;
  • Step S301 First, the requester sends an authentication request to the selected intermediate authenticator
  • Step S302 The intermediate authenticator feeds back the security parameter supported by itself, the public key and signature algorithm used by the AS, and the signature of the trust degree to the requester.
  • the requester checks whether the signature algorithm is supported, and whether the signature algorithm of the entire Mesh network is consistent. If the signature algorithm fed back by the authenticator is not supported, or the signature algorithm of the entire Mesh network is inconsistent, the authenticator is considered invalid, otherwise it is valid. Then, according to the information of the AS, it is verified whether the trust signature is legal and valid.
  • the signature algorithm is represented by an identifier bit, and different values represent different algorithms, for example: When set to 1, the default is Public Key Algorithm RSA (Integer Factorization Based Public Key System); Set to 2 to indicate DSS (Digital Signature) Standard, digital signature standard); when set to 3, represents ECM (Elliptic Curves Cryptography) of WAPI (Wireless Local Area Network Authentication and Privacy Infrastucity); When set to 0, it indicates other signature algorithms that support scalability. All authentication-related messages sent by the requester to the AS can then be encrypted using the AS's public key, and subsequent symmetric key negotiation can guarantee transparency to the authenticator.
  • RSA Information Security
  • DSS Digital Signature
  • ECM Elliptic Curves Cryptography
  • Step S303 Perform open or pre-shared key authentication between the requester and the intermediate authenticator
  • the open system authentication belongs to non-cryptographic authentication, which is also called "zero authentication".
  • the node requesting access only needs to use an empty string as the SSID (Service Set Identifier) to respond.
  • the intermediate certifier establishes an association.
  • the pre-shared key authentication is based on a "request/response" mechanism with a shared key.
  • the node requesting access first sends an authentication request to the intermediate authenticator, and then the intermediate authenticator generates a random number response to the node requesting authentication, and the node requesting authentication then encrypts the random number response to the intermediate authenticator through the shared key. After the intermediate authenticator decrypts the comparison, the final confirmation message is sent.
  • Step S304 the intermediate authenticator returns an authentication result.
  • Step S305 The requester sends the required security parameter combination according to the security parameter supported by the intermediate authenticator
  • Step S306 the authenticator returns an association success or failure result.
  • Step 3 After the requester associates with the intermediate authenticator, the requester accesses the AS, and the AS completes the 802. lx authentication and distribution trust of the requester;
  • the requester performs port-based 802.1x access control authentication according to the existing 802.11 standard.
  • the authentication related message is transmitted between the requester and the authenticator via a LAN (Local Area Network), that is, using an EAPOL (Extensible Authentication Protocol over LAN) technology, and the EAPOL is supported by the EAPOL.
  • LAN Local Area Network
  • EAPOL Extensible Authentication Protocol over LAN
  • EAP-TLS Extensible Authentication Protocol - Transport Layer Security, Extended Authentication Protocol based on Transport Layer Security
  • EAP-TTLS .ayer Security extended authentication protocol based on tunnel transport layer security
  • PEAP Protected Extensible Authentication Protocol
  • LEAP Lightweight Extensible Authentication Protocol
  • EAP-MD5 Extensible Authentication Protocol-Message Digest Algorithm 5, extended authentication protocol based on message digest algorithm
  • EAP-SIM Extensible Authentication Protocol-Subscriber Identification Module based on user identity module
  • EAP-TLS can allocate the session ID for the data exchange between the client and the server, select the appropriate integrity protection encryption mechanism, assign the dynamic session key, and effectively protect the security of the interactive message during the 802.1x authentication process. It is transparent to the intermediate certifier, ie the authenticated access point does not see any certified content. Therefore, EAP-TLS can be used to complete the trust delivery and the AS authentication to the requester.
  • the AS can have only one certificate and the public key to provide the authentication of the AS identity, while other nodes can have no X.509 certificate.
  • a flow chart of Embodiment 1 of the AS sending trust and authentication process, as shown in FIG. 4, includes the following steps:
  • Step S401 After receiving the identity verification request of the intermediate authenticator (not shown in FIG. 4, because the subsequent interaction is transparent for it, so need not be considered), the requester sends an identity-related response, and the intermediate authentication is performed. Sent to the AS;
  • Step S402 After receiving the response, the AS sends a TLS (Transport Layer Security) start request to the requester.
  • TLS Transport Layer Security
  • Step S403 the requester feeds back TLS to start responding to the AS;
  • Step S404 After receiving the response, the AS sends its identity information, including the certificate and the public key, to the requester.
  • Step S405 the requester verifies the legality of the AS identity. After the verification is passed, the requester officially submits its own user, password, and the like to the AS for authentication, and the requester can fully recognize the authenticity of the AS;
  • the verification method may be based on a specific TLS negotiation verification method. If it is a user password MD5 method, it only needs to be compared; if it is a public key certificate verification, both parties need a certificate interaction certificate and a counterpart public key encryption. .
  • Step S406 the AS may determine the security level of the requester by the security capability information of the requester node, the user service level, or the policy of the centralized access control server. Successful authentication will result in a trust timestamp TimeStamp (the AS can guarantee the uniqueness of the timestamp), and the signature is sent to the requester along with the signature algorithm identifier used by the AS.
  • TimeStamp the AS can guarantee the uniqueness of the timestamp
  • the signature sent by the AS includes the following parameters:
  • RoleType Role type. If the value is 0, the node is a user type. For example, if the value is 1, the node is a Mesh network device type, such as MP or MAP.
  • TrustDegree indicates the trust of the user or device
  • ID AS IDsupHcant: AS, the identity identifier of the requester, such as the respective MAC address;
  • SK AS , PK AS the public key and private key of the AS
  • TimeStamp The timestamp of the success of the authentication, with a unique '1'.
  • the signature algorithm is as follows:
  • Step S407 the requester checks whether the signature algorithm is the same as the algorithm used by the authentication access point, that is, whether it is the same as the signature algorithm used by the intermediate authenticator, and after verifying the uniformity, verifying the trust signature and sending the verification feedback response. Message to AS.
  • the validity is determined mainly based on the TrustDegree and TimeStamp obtained from the verification.
  • TrustDegree is mainly used to determine whether to accept the new trust value instead of the original trust value. Because every time The association must be performed once for 802. lx authentication, but there are multiple associations in the Mesh. It is not necessary to obtain new trust when the two nodes that have been connected are associated, but only to judge the mutual legality of trust. .
  • the TimeStamp judgment is mainly used to verify the trustworthiness of the authenticator and to resist the replay attack of trust. If TimeStamp reuse is detected, the authenticator can be considered to be a counterfeiter; if there is no duplication, the unique designation of trust can be judged by interaction with the AS, and the AS is also recorded in the authentication phase. All other nodes.
  • Step S408 The AS sends an authentication success or failure message to the node requesting access.
  • a device MP or MAP
  • STA user
  • the authenticated device can be used as a new authenticator to authenticate other nodes.
  • FIG. 5 The flowchart of the second embodiment of the AS sending trust and authentication process is shown in FIG. 5, and includes the following steps:
  • Step S501 After receiving the identity verification request of the intermediate authenticator (not shown in the figure, because the subsequent interaction is transparent for it, so need not be considered), the requester sends an identity-related response, including the time of the authenticator. Stamping and random number encrypted with the AS public key, sent by the intermediate authenticator to the AS;
  • Step S502 after receiving the response, the AS detects that the requester is not replayed (not stolen), and then unpacks the random number, and then sends a TLS start request to the requester after signing;
  • Step S503 the requester feeds back TLS to start responding to the AS;
  • Step S504 after receiving the response, the AS sends its identity information, including the certificate and the public key, to the requester.
  • Step S505 The requester verifies the legality of the AS identity. After the verification is passed, the requester officially submits the user, the password, and the like to the AS for authentication, and the requester can completely recognize the authenticity of the AS;
  • Step S506 the AS verifies the identity information of the requester node, and then sends an authentication end message to the requester.
  • EAP-TLS not limited to EAP-TLS, but also includes other protocols that use certificates for authentication.
  • EAP-PEAP EAP-TTLS, etc. (the total number of steps can also be different).
  • MD5 method you only need to compare it. If it is a public key certificate verification, both parties need the certificate's interactive risk certificate and the other party's public key encryption.
  • Step S507 After receiving the authentication end message, the requester feeds back a response message to the AS, and when the trust time stamp needs to be acquired, sends a requesting AS to issue a signature of the signature to become a new legal authenticator.
  • the AS will generate a trust timestamp TimeStamp (the AS can guarantee the uniqueness of the timestamp), and determine the security level of the requester by the security capability information of the requester node, the user service level, or the policy of the centralized access control server.
  • the signature and signature method are the same as in the first embodiment.
  • Step S508 the AS sends an authentication success (or failure message) message together with the signature S, the signature algorithm identifier, and the trust degree TmstDegree—to the requester to the requester.
  • the requester checks whether the signature algorithm is the same as the algorithm used by the authenticated access point, that is, whether it is the same as the signature algorithm used by the intermediate authenticator. After confirming the uniformity, the trustworthiness signature is verified and verified to be accepted. The judgment method used is the same as that of the first embodiment.
  • Step 4 After a node wants to leave the Mesh network or the AS detects that a node receives an attack, the AS reduces or deprives the node of the trust degree;
  • the reduction or deprivation of trust by AS includes the following two situations:
  • the node informs all other nodes associated with it and unicast to the AS by broadcasting before ending the association, and the message uses a unified GTK (group temporary key) or The PMK (negotiated symmetric master key) encryption of the AS ensures the reliability of the message source.
  • two messages are sent mainly before the deassociation frame (disconnected frame): Sending a disconnect message with GTK broadcast encryption for all associated nodes; sending a disconnect message to the AS with PMK unicast.
  • the AS deletes the trust of the timestamp associated with it and the information of other associated nodes, indicating that the trust is no longer available.
  • Other nodes can also record timestamp obsolete information to ensure backward security of trust.
  • the trust is uniformly distributed and managed by the AS.
  • the AS uses the dynamic directory mechanism for the management and transmission of trust. In the Mesh network running, as the node joins, leaves, or forces offline, the AS will be updated and saved.
  • the AS stores the user identity information of all the nodes successfully authenticated in the Mesh network and the AS-approved trust, signature, and timestamp information.
  • the dynamic directory can be defined by using a triplet: TD_Mesh ⁇ M, td r , TimeStamp> where:
  • M contains all nodes that have been successfully authenticated
  • Td_r marks the trust relationship between all associated nodes
  • the timestamp contains a timestamp of all distributed trusts, the timestamps being unique and the trustworthiness being reusable.
  • the timestamp and the trust signature are one-to-one correspondences.
  • a policy definition language in the following format can be used in the AS's policy library:
  • the M policy library can be managed based on roles, and is divided into two categories:
  • Trust of the device role It only indicates the security level of the device or the difficulty of being attacked, mainly the trust degree of MP or MAP;
  • the trust degree of the user role not only can represent the security level of the node, but also the user service can be graded to adjust the level-based fairness or the user's access control, etc., mainly for the trust degree of the STA.
  • the definition of a security policy depends mainly on the actual network situation and the service class that you want to provide. Types and other parameters to determine, the granularity of the strategy needs to be further refined to meet the requirements of different user levels.
  • the above embodiment is described by taking access authentication as an example.
  • the requester and the authenticator may also be selected according to the size of the trust. The smaller party is the requester and the larger party is the certifier. If both parties have trust, it means that the two just want to establish an association and have nothing to do with access authentication.
  • the association can be established through the 802.1x method, without accepting the newly issued trust, or only the mutual trust.
  • the degree and signature can be associated, then the association can be established more quickly, so that the process of interaction can be completed faster, which mainly includes the following steps:
  • An embodiment of the present invention provides a two-way authentication system in a Mesh network, where the system includes at least one AS and multiple nodes, and the nodes include: MP, MAP, and STA.
  • the AS is used to distribute the trust degree to each node in the Mesh network, and the trust degree is uniformly managed.
  • a schematic diagram of an embodiment of the module is shown in FIG. 6, and includes:
  • the message receiving module is configured to receive a message sent by the node in the Mesh network, including: an authentication request message, a disconnect message, and the like;
  • the trust distribution module is configured to determine the security level of the node according to the security capability information of the node that is authenticated according to the received request, the user service level, or the policy of centrally accessing the controller, and distribute the authentication message to the requester.
  • the authentication message includes: a trust time stamp, an authenticator signature, a used signature algorithm, and the like.
  • the requester includes: MP, MAP or STA;
  • a node status detecting module configured to detect whether a node (MP, MAP, or STA) in the Mesh network is attacked;
  • Trust reduction/deprivation module used to receive a disconnect message or detect a node being attacked Reduce/deprive the trust of the node
  • the trust management module is configured to store user identity information of all successfully authenticated nodes in the mesh network and the trust degree, signature, and timestamp information recognized in the system.
  • the plurality of nodes in the Mesh network perform association authentication based on the trust degree of the AS distribution, and further includes the following modules:
  • the authenticator authentication module is configured to verify whether the identity of the authenticator is legal according to the identity of the authenticator in the received authentication message.
  • Each device node in the Mesh network includes an MP or a MAP, and after being authenticated, can be used as an authenticator to authenticate other nodes.
  • the embodiment of the present invention proposes that when a node initially accesses a Mesh network, the access point is selected according to the trust degree of the neighbor, and then both parties negotiate the authentication role, and verify the authenticator's trust by verifying the authenticity of the authenticator.
  • Legal identity one-time authentication that requires two rounds to complete the original 802.1x.
  • the present invention can be implemented by means of software plus a necessary general hardware platform, and of course, can also be through hardware, but in many cases, the former is a better implementation. the way.
  • the technical solution of the present invention which is essential or contributes to the prior art, may be embodied in the form of a software product stored in a storage medium, including a plurality of instructions for making a A computer device (which may be a personal computer, server, or network device, etc.) performs the methods described in various embodiments of the present invention.

Abstract

An authentication server and a method, a system, a device for bi-authenticating in a mesh network are provided. The said authentication server includes: a credit degree distributing module for determining the security degree of the node based on the received node information of the node which requests for authenticating, and generating a credit degree time stamp after successful authenticating, then signing it and sending it down to the node which requests for authenticating with the identifier of sign arithmetic; a credit degree management module for storing the users identity information of all successful authentication nodes in mesh and the credit degree, signature and time stamp information which are certificated by the authentication server. The authentication server further includes a node status detecting module for detecting whether the nodes in mesh are attacked; a credit degree reducing/depriving module for reducing/depriving the credit degree of the notes when receives a disconnection information or after being attacked. The present invention realizes that each node in Mesh net can select the associated node based on the credit degree, and once realizes bi-authenticating by validating the credit degree signature which is feedback from the associated node.

Description

认证服务器及网状网中双向认证的方法、 系统和装置 技术领域  Method, system and device for mutual authentication in authentication server and mesh network
本发明实施例涉及网络通信技术领域,尤其涉及一种认证服务器及网状网 中双向认证的方法、 系统和装置。 背景技术  The embodiments of the present invention relate to the field of network communication technologies, and in particular, to a method, system, and device for authenticating a server and a two-way authentication in a mesh network. Background technique
无线 Mesh (网状网) 网络也称为 "多跳 " 网络, 它是一种与传统无线网 络完全不同的新型无线网络技术。 传统的无线网络必须首先访问集中的 AP ( Access Point, 接入点) 才能进行无线连接。 这样, 即使两个节点相邻, 它 们也必须通过接入点才能通信。 而在无线 Mesh网络中, 任何无线设备节点都 可以同时作为 AP或路由器,每个节点都可以发送和接收数据, 都可以与一个 或者多个对等节点直接进行通信。  The wireless Mesh network, also known as the "multi-hop" network, is a new wireless network technology that is completely different from traditional wireless networks. Traditional wireless networks must first access a centralized AP (Access Point) to make a wireless connection. Thus, even if two nodes are adjacent, they must communicate through the access point. In a wireless mesh network, any wireless device node can act as an AP or router at the same time. Each node can send and receive data, and can directly communicate with one or more peer nodes.
无线 Mesh网络与传统 BSS ( Basic Service Set, 基本业务区)的角色划分 不同。在 BSS域中只包括 STA( Station,站点或终端)、 AP和 AS( Authentication Server, 认证服务器)三种角色。 认证时 AS强制 STA充当请求者的角色, AP充当认证者的角色。  The role of the wireless Mesh network is different from that of the traditional BSS (Basic Service Set). Only the STA (Station, Site or Terminal), AP, and AS (Authentication Server) roles are included in the BSS domain. At the time of authentication, the AS forces the STA to act as the requester, and the AP acts as the authenticator.
而 Mesh的主要功能包括:  The main features of Mesh include:
( 1 )传输( Transport ): 与邻居节点之间传送非 Mesh的应用数据。 只发 送、 接收, 而不转发。  (1) Transport: Transfers non-Mesh application data to and from neighbor nodes. Only send, receive, and not forward.
( 2 ) 内部路由 ( Internal Routing ): Mesh设备之间建立转发路径。  (2) Internal Routing: A forwarding path is established between Mesh devices.
( 3 )外部路由 ( External Routing ): 与 Mesh外部设备建立转发路径。 ( 4 )转发( Forwarding ): 发送收到的其他设备产生的帧。  (3) External Routing: Establish a forwarding path with the Mesh external device. (4) Forwarding: Send the frames generated by other devices received.
( 5 )接入( Access point ): 允许一个 STA通过 AP连到 Mesh中。  (5) Access point: Allows a STA to connect to the Mesh through the AP.
Mesh的基本层次结构如图 1所示, Mesh中各种设备所完成的功能是不 一样的, 按照上述功能划分的角色为:  The basic hierarchy of Mesh is shown in Figure 1. The functions performed by various devices in Mesh are different. The roles according to the above functions are:
MAP ( Mesh Access Point, Mesh接入点): 传输 +内部路由 +转发 +接入; MPP ( Mesh Point Collocated With a Mesh Portal, Mesh与外网的网关) : 传输 +内部路由 +转发 +外部路由, 图 1中未示出; MAP (Mesh Access Point): Transmission + Internal Routing + Forwarding + Access; MPP (Mesh Point Collocated With a Mesh Portal): Mesh and External Network Gateway: Transmission + internal routing + forwarding + external routing, not shown in Figure 1;
MP ( Mesh Point, Mesh节点): 传输 +内部路由 +转发;  MP (Mesh Point, Mesh node): transmission + internal route + forwarding;
LWMP ( Light Weight Mesh Point, 轻量级 Mesh节点) : 传输, 图 1中 未示出;  LWMP (Light Weight Mesh Point): Transmission, not shown in Figure 1;
STA: 数据源。  STA: Data source.
可见 Mesh中的角色划分与 BSS域有很大差别。 而目前 802.11s中关于角 色的定义与执行中只对 STA和 MAP有较全面的定义, 而 LWMP、 MP、 MPP 认证则存在如下问题:  It can be seen that the role division in Mesh is very different from the BSS domain. Currently, the definition and implementation of roles in 802.11s only have a more comprehensive definition of STA and MAP, while LWMP, MP, and MPP authentication have the following problems:
( 1 )协商中每个 MP 可能有三种角色要完成: Supplicant (请求者), Authenticator (认证者), 和 AS , 因此, 存在如何协商并确定双方联合的安 全角色和安全策略问题。  (1) Each MP in the negotiation may have three roles to complete: Supplicant, Authenticator, and AS. Therefore, there are issues of how to negotiate and determine the joint security roles and security policies of both parties.
( 2 )需要一个管理行动来给各个设备分配角色和选择一个关联的 MP来 安全地完成认证等问题。  (2) A management action is required to assign roles to individual devices and select an associated MP to securely complete authentication.
目前, 关于角色协商问题提案的主要思路是: 在 RSN IE ( Robust Security Network Information Element, 健壮安全网络的信息元素) 中通过一个可达性 的元素 "AS Reach ability" 来做为衡量协商角色的依据, 如表 1所示。  At present, the main idea of the role negotiation proposal is: In the RSN IE (Robster Security Network Information Element), a reachable element "AS Reach ability" is used as the basis for measuring the negotiation role. , As shown in Table 1.
表 1  Table 1
Figure imgf000004_0001
Figure imgf000004_0001
具体实现过程如图 2所示,  The specific implementation process is shown in Figure 2.
首先在发现阶段, 需要关联的节点通过 Beacon (信标)或者探测响应来 发送对于 AS的可达性。 然后通过可达性来协商认证的角色: ( 1 ) 如果双方只有一个对 AS可达, 那么可达这方就是认证者, 而另一 方就是请求者。 First, in the discovery phase, the nodes that need to be associated send reachability to the AS through Beacon or probe response. Then negotiate the role of authentication through reachability: (1) If only one of the parties is reachable to the AS, then the reachable party is the authenticator and the other party is the requester.
( 2 ) 如果双方都可达或都不可达, 则选择较大 MAC地址的一方作为认 证者, 而另一方作为请求者。  (2) If both parties are reachable or unreachable, the party with the larger MAC address is selected as the certifier and the other party as the requester.
角色确定后用 802.1x的方式来完成认证, 接入 Mesh网络。  After the role is determined, the 802.1x method is used to complete the authentication and access the Mesh network.
在实现本发明的过程中, 发明人发现现有技术至少存在以下缺点: 认证中只有一方可达 AS时的情况类似于普通的 BSS, 但仍存在恶意 MP 攻击时切换认证点的问题。 而且与 BSS 非对称结构所不同的是, 原有一轮 802. lx认证只能完成对请求者的认证, 是一个单向认证, 现在 Mesh中 MP的 层次结构是对称平等的,要完成双向认证需两轮 802.1x认证, 不但浪费时间, 而且大多数情况下第二轮认证是已接入 Mesh的 MP所并不想要的。  In the process of implementing the present invention, the inventors have found that the prior art has at least the following disadvantages: When only one party in the authentication is reachable to the AS, the situation is similar to that of the ordinary BSS, but there is still a problem of switching the authentication point when the malicious MP attacks. Moreover, unlike the asymmetric structure of BSS, the original 802. lx authentication can only complete the authentication of the requester, which is a one-way authentication. Now the hierarchical structure of the MP in the Mesh is symmetric and equal, and the two-way authentication is required. Two rounds of 802.1x authentication not only wastes time, but in most cases the second round of authentication is not what MPs have access to Mesh.
另外, 对于 BSS认证而言不存在中间道路选择的问题, AP直接连到了 AS。 而对于 Mesh而言相对复杂, 认证中间节点的选择也要考虑安全, 必须 建立一条最安全(或者是用户最想要的安全) 的认证路径。 但存在如下情况 会使得可达性不可靠: 某个中间 MP 的路由性能是最好的, 此时无论想要加 入 Mesh的 MP怎么选择认证点认证数据都会交到该 MP来转发,但是如果此 中间 MP遭到了攻击被破坏, 那么攻击者可能大量获取用户认证信息, 并根 据 EAP-Success ( Extensible Authentication Protocol- Success, 可扩展认证协议 成功消息) 消息是明文的特点伪造或改为失败消息返回给认证者, 认证结果 就是失败的。 而认证者由于不知道哪个地方出错了只是反复地重新切换认证 点, 这时可达性就不可靠了。 发明内容  In addition, there is no intermediate road selection problem for BSS authentication, and the AP is directly connected to the AS. For Mesh, it is relatively complicated. The choice of authentication intermediate nodes must also consider security. It is necessary to establish a secure path (or the security that users want most). However, the following conditions may make the reachability unreliable: The routing performance of an intermediate MP is the best. In this case, no matter how the MP that wants to join the Mesh chooses the authentication point, the authentication data will be forwarded to the MP for forwarding, but if this is the case, If the intermediate MP is attacked and destroyed, the attacker may obtain a large amount of user authentication information and return it to the EAP-Success (Extensible Authentication Protocol Success Message) message for the purpose of plain text or a failure message. The certifier, the certification result is a failure. The certifier is not reliable because it does not know which place is wrong and only re-switches the authentication point repeatedly. Summary of the invention
本发明实施例提供一种认证服务器及 Mesh网络中双向认证的方法、系统 和装置, 解决了现有技术 Mesh网络中间节点不可靠及单项认证带来的弊端。  The embodiments of the present invention provide a method, a system, and a device for authenticating a two-way authentication in an authentication server and a Mesh network, which solve the disadvantages of the unreliable intermediate node of the Mesh network and the single authentication.
为达到上述目的, 本发明实施例提供一种网状网中双向认证的方法, 包 括: 网状网 Mesh中的节点基于信任度选择关联节点, 所述关联节点对节点进 行认证, 并将本身的信任度签名反馈给所述节点, 所述节点根据所述信任度 签名对所述关联节点进行认证。 To achieve the above objective, an embodiment of the present invention provides a method for bidirectional authentication in a mesh network, including: a node in a mesh network Mesh selects an association node based on a trust degree, and the association node authenticates the node, and The trust signature is fed back to the node, and the node is based on the trust degree The signature authenticates the associated node.
本发明实施例还提供一种网状网网络系统, 包括: 至少一个 AS及多个节 点, 所述 AS用于根据接收到的请求认证的节点的信息对所述节点进行认证, 以确定节点的安全等级, 并在认证成功后产生信任度时戳, 签名后连同签名 算法标识下发给所述请求认证的节点;  The embodiment of the present invention further provides a mesh network system, including: at least one AS and multiple nodes, where the AS is configured to authenticate the node according to the received information of the node that is requested to be authenticated, to determine the node. a security level, and a trust time stamp is generated after the authentication succeeds, and the signature is sent to the node requesting the authentication together with the signature algorithm identifier;
所述 Mesh中的节点,基于所述 AS下发的信任度选择关联节点进行认证, 并根据所述关联节点反馈的信任度签名对所述关联节点身份进行验证。  The node in the Mesh selects an association node for authentication based on the trust degree sent by the AS, and verifies the identity of the associated node according to the trust degree signature fed back by the associated node.
本发明实施例还提供一种认证服务器, 包括: 信任度分发模块, 用于根 据接收到的请求认证的节点信息确定所述节点的安全等级, 并在认证成功后 产生信任度时戳, 签名后连同签名算法标识下发给所述请求认证的节点; 信任度管理模块,用于存储 Mesh中所有认证成功的节点的用户身份信息 以及认证服务器认可的信任度、 签名和时间戳信息。  The embodiment of the present invention further provides an authentication server, including: a trust distribution module, configured to determine a security level of the node according to the received node information of the request authentication, and generate a trust time stamp after the authentication succeeds, after signing And the signature algorithm is sent to the node that is requested to be authenticated. The trust management module is configured to store user identity information of all successfully authenticated nodes in the Mesh and the trust degree, signature, and timestamp information recognized by the authentication server.
与现有技术相比, 本发明实施例具有以下优点: 本发明实施例提供了一 种节点最初接入 Mesh网络时根据信任度来选择接入点,然后双方协商认证角 色, 并通过验证认证者的信任度签名校验认证者的合法身份, 一次实现原有 802. lx需要两轮才能完成的双向认证。  Compared with the prior art, the embodiment of the present invention has the following advantages: The embodiment of the present invention provides a node that selects an access point according to the degree of trust when the node initially accesses the Mesh network, and then both parties negotiate the authentication role and pass the verification of the authenticator. The trust signature verifies the legal identity of the authenticator, and realizes the two-way authentication that the original 802. lx needs to complete in two rounds.
同时, 本发明实施例实现了 AS对请求者身份合法认证之后,对信任度进 行管理, 对用户和设备信任度进行了简单的分类, 然后分发相应的签名消息, 实现集中式的认证管理。 任意节点接入认证时也可选择最好的认证道路来完 成认证而与路由机制无关, 不会随着路由的改变而改变认证的安全性。 当检 测到攻击时也可降低某些点的信任度, 从而减少受到攻击的风险。 附图说明  In the meantime, the embodiment of the present invention implements the AS to manage the identity of the requester, manages the trust degree, and classifies the trust degree of the user and the device, and then distributes the corresponding signature message to implement centralized authentication management. When any node accesses the authentication, the best authentication path can be selected to complete the authentication and is independent of the routing mechanism. The authentication security will not be changed as the route changes. It also reduces the trust of certain points when detecting an attack, thereby reducing the risk of being attacked. DRAWINGS
图 1为现有技术 Mesh网络基本层级结构示意图;  1 is a schematic diagram of a basic hierarchical structure of a prior art Mesh network;
图 2为现有技术认证角色选择方法示意图;  2 is a schematic diagram of a method for selecting a prior art authentication role;
图 3为本发明所述方法接入认证过程关联阶段一种实施例流程图; 图 4为本发明 AS下发信任度和认证流程实施例一的流程图流程图; 图 5为本发明 AS下发信任度和认证流程实施例二的流程图; 图 6为本发明所述认证服务器一种实施例模块示意图。 具体实施方式 3 is a flowchart of an embodiment of an access authentication process of the method according to the present invention; FIG. 4 is a flowchart of a flowchart of Embodiment 1 of an AS sending trust and authentication process according to the present invention; Flow chart of the second embodiment of the trust and authentication process; FIG. 6 is a schematic diagram of an embodiment of an authentication server according to the present invention. detailed description
本发明实施例基于信任度来选择关联节点, 并且通过验证信任度的签名 来实现请求者和认证者之间双向认证的目的。由 AS对信任度进行统一的分发 管理。 请求者由 AS 认证通过后下发信任度和相关签名信息, 用于作为接入 Mesh网络的依据。 当某个节点离开 Mesh网络或受到攻击时, AS负责信任度 的剥夺或降低。  The embodiment of the present invention selects an associated node based on the degree of trust, and achieves the purpose of mutual authentication between the requester and the authenticator by verifying the signature of the trust. Unified management of trust by the AS. The requester is authenticated by the AS and then sends the trust and related signature information, which is used as the basis for accessing the Mesh network. When a node leaves the Mesh network or is attacked, the AS is responsible for the deprivation or reduction of trust.
下面的实施例以 Mesh 网络中的节点接入认证过程为例对双向认证过程 进行说明, 具体实现过程如下所述:  The following example illustrates the two-way authentication process by taking the node access authentication process in the Mesh network as an example. The specific implementation process is as follows:
步骤 1 , 请求者选择与 AS交互的中间节点, 即选择认证接入节点, 作为 接入 AS的中间认证者:  Step 1: The requester selects an intermediate node that interacts with the AS, that is, selects an authenticated access node as an intermediate querier to access the AS:
当 MP、 MAP或 STA最初想要接入 Mesh网络时, 它会向周围所有的邻 居发送探测请求, 而周围的邻居则以 beacon或者探测响应的方式反馈携带信 任度的消息。  When an MP, MAP, or STA initially wants to access a mesh network, it sends a probe request to all neighbors, and the neighbors feed back the message with a beacon or probe response.
当所述节点( MP、 MAP或 STA )收到周围所有邻居节点发过来的 Beacon 或者探测响应中携带的信任度后, 会根据自己的策略来选择最想要关联的节 点,如可以选择信任度最大的或者满足 MPP全局策略的节点进行 802.1x认证。 例如某个 Mesh网络已经事先约定某些范围的信任度来完成接入,其他范围来 转发或其他功能, 这时选择所述认证接入节点需要满足所述预先约定的策略。  When the node (MP, MAP, or STA) receives the trust carried in the Beacon or the probe response sent by all neighboring nodes, it selects the node that most wants to associate according to its own policy. For example, the trust degree can be selected. The node that is the largest or meets the MPP global policy performs 802.1x authentication. For example, a certain Mesh network has previously agreed to a certain range of trust to complete the access, and other ranges to forward or other functions. In this case, the selected access node needs to satisfy the pre-agreed policy.
所述信任度由 AS进行统一分发管理, 可以通过对当前 RSN IE的格式进 行改动来实现, 所述当前 RSN IE格式如表 1 所示, 可以对其中的能力信息 Capabilities进行修改, 其中修改前后的 Capabilities信息如下表所示:  The trust degree is uniformly distributed and managed by the AS, and can be implemented by modifying the format of the current RSN IE. The current RSN IE format is as shown in Table 1, and the capability information Capabilities can be modified, where before and after the modification. The Capabilities information is shown in the following table:
修改前:  before fixing:
Pre-Auth No Pairwise PTKSA GTKSA Reserved Mesh Auth Always PeerKey  Pre-Auth No Pairwise PTKSA GTKSA Reserved Mesh Auth Always PeerKey
Replay Replay Default Possible Enabled Replay Replay Default Possible Enabled
Counter Counter 修改后: Counter Counter After modification:
Figure imgf000008_0001
本发明实施例增加的两个字段包括: Role Type和 Trust Degree。其中 Role Type表示信任度角色类型, 占有一个 bit位。 当取值为 0时, 表示用户类型信 任度, 如 STA信任度; 取值为 1时表示 Mesh设备节点, 如 MP或 MAP信任 度, 此时保证大多不会通过 STA来作为认证者, 而只会通过 Mesh设备节点 作为认证者, 例如 MP、 MAP等来作为认证者, 完成认证中间人的角色。
Figure imgf000008_0001
The two fields added in the embodiment of the present invention include: Role Type and Trust Degree. Role Type indicates the trust role type, which occupies one bit. When the value is 0, it indicates the user type trust degree, such as STA trust degree. When the value is 1, it indicates that the Mesh device node, such as MP or MAP trust degree, guarantees that most of the STAs will not pass the STA as the authenticator. The Mesh device node is used as an authenticator, such as MP, MAP, etc. as the authenticator, and the role of the authentication intermediary is completed.
其中 Trust Degree表示信任度, 占有四个 bit位, 认证通过的用户或设备 都会获得由 AS下发的信任度。 默认为 0时,表示未通过认证或者信任级别最 低。  The Trust Degree indicates the degree of trust, which occupies four bits. The user or device that passes the authentication will obtain the trust issued by the AS. The default is 0, which means that the certificate is not authenticated or the trust level is the lowest.
每个节点根据已有的信任度信息来选择相对最安全的认证接入节点, 那 么任意节点的认证路径都是最可靠的。 对于数据传输则可以根据认证协商的 密钥加密, 并可选择路由最好的路径来转发。  Each node selects the relatively secure authenticated access node based on the existing trust information, so the authentication path of any node is the most reliable. For data transmission, it can be encrypted according to the key negotiated by the authentication, and the route with the best route can be selected for forwarding.
步骤 2, 中间认证者选择完成后, 请求者(MP、 MAP或 STA )与所述选 择的中间认证者进行关联;  Step 2: After the intermediate authenticator selects, the requester (MP, MAP or STA) is associated with the selected intermediate authenticator;
具体流程如图 3所示, 包括如下步骤:  The specific process is shown in Figure 3, including the following steps:
步骤 S301 , 首先请求者向选定的中间认证者发送认证请求;  Step S301: First, the requester sends an authentication request to the selected intermediate authenticator;
步骤 S302, 所述中间认证者将自己支持的安全参数、 AS使用的公钥和签 名算法、 对信任度的签名反馈给所述请求者。  Step S302: The intermediate authenticator feeds back the security parameter supported by itself, the public key and signature algorithm used by the AS, and the signature of the trust degree to the requester.
请求者检查是否支持签名算法, 并且整个 Mesh 网络的签名算法是否一 致,如果不支持认证者反馈的签名算法,或整个 Mesh网络的签名算法不一致, 则认为认证者无效, 否则有效。 然后根据 AS的信息来验证信任度签名是否合 法、 有效, 具体验证方法见后续介绍; 所述签名算法使用一个标识位来表示, 不同的数值表示不同的算法, 例如: 设置为 1时, 表示默认的公钥算法 RSA (基于整数因子分解的公钥系统); 设置为 2 时表示 DSS ( Digital Signature Standard,数字签名标准);设置为 3时,表示 WAPI( Wireless Local Area Network Authentication and Privacy Infrastucture , 无线局 i或网鉴别与保密基础结构) 的 ECC ( Elliptic Curves Cryptography, 椭圓曲线公钥系统); 设置为 0时, 表示 其它支持可扩充的签名算法。之后所有请求者向 AS发送的认证相关消息都可 以使用 AS 的公钥来加密, 以及后来对称密钥的协商均可保证对认证者的透 明。 The requester checks whether the signature algorithm is supported, and whether the signature algorithm of the entire Mesh network is consistent. If the signature algorithm fed back by the authenticator is not supported, or the signature algorithm of the entire Mesh network is inconsistent, the authenticator is considered invalid, otherwise it is valid. Then, according to the information of the AS, it is verified whether the trust signature is legal and valid. The specific verification method is described later; the signature algorithm is represented by an identifier bit, and different values represent different algorithms, for example: When set to 1, the default is Public Key Algorithm RSA (Integer Factorization Based Public Key System); Set to 2 to indicate DSS (Digital Signature) Standard, digital signature standard); when set to 3, represents ECM (Elliptic Curves Cryptography) of WAPI (Wireless Local Area Network Authentication and Privacy Infrastucity); When set to 0, it indicates other signature algorithms that support scalability. All authentication-related messages sent by the requester to the AS can then be encrypted using the AS's public key, and subsequent symmetric key negotiation can guarantee transparency to the authenticator.
步骤 S303 , 请求者与所述中间认证者之间进行开放式或者预共享密钥认 证;  Step S303: Perform open or pre-shared key authentication between the requester and the intermediate authenticator;
所述开放式系统认证属于非基于密码学认证, 也称为 "零认证", 请求接 入的节点只要使用一个空字符串作为 SSID ( Service Set Identifier, 服务集标 识符)进行响应, 即可与中间认证者建立关联。  The open system authentication belongs to non-cryptographic authentication, which is also called "zero authentication". The node requesting access only needs to use an empty string as the SSID (Service Set Identifier) to respond. The intermediate certifier establishes an association.
所述预共享密钥认证则是基于是否具有共享密钥的 "请求 /响应" 机制。 请求接入的节点首先向中间认证者发送认证请求, 然后中间认证者产生一个 随机数响应给所述请求认证的节点, 请求认证的节点然后通过共享的密钥加 密该随机数响应给中间认证者, 所述中间认证者解密比较后, 最后发送确认 消息。  The pre-shared key authentication is based on a "request/response" mechanism with a shared key. The node requesting access first sends an authentication request to the intermediate authenticator, and then the intermediate authenticator generates a random number response to the node requesting authentication, and the node requesting authentication then encrypts the random number response to the intermediate authenticator through the shared key. After the intermediate authenticator decrypts the comparison, the final confirmation message is sent.
步骤 S304, 中间认证者返回认证结果;  Step S304, the intermediate authenticator returns an authentication result.
步骤 S305 , 请求者根据中间认证者支持的安全参数发送自己需要的安全 参数组合;  Step S305: The requester sends the required security parameter combination according to the security parameter supported by the intermediate authenticator;
步骤 S306, 认证者返回关联成功或失败结果。  Step S306, the authenticator returns an association success or failure result.
步骤 3 , 请求者与中间认证者关联之后, 将请求者接入 AS, 由 AS完成 对请求者的 802. lx认证及分发信任度;  Step 3: After the requester associates with the intermediate authenticator, the requester accesses the AS, and the AS completes the 802. lx authentication and distribution trust of the requester;
请求者根据现有 802.11的标准进行基于端口的 802.1x接入控制认证。 所 述认证相关消息在请求者和认证者之间通过 LAN ( Local Area Network, 局域 网)传递, 即使用 EAPOL ( Extensible Authentication Protocol over LAN, 基于 LAN的可扩展认证协议 )技术, 所述 EAPOL是支持多认证机制的通用协议, 可以釆用的 EAP类型主要包括: EAP-TLS ( Extensible Authentication Protocol -Transport Layer Security , 基于传输层安全的扩展认证协议)、 EAP-TTLS .ayer Security , 基于隧道 传输层安全的扩展认证协议)、 PEAP ( Protected Extensible Authentication Protocol, 保护的扩展认证协议)、 LEAP ( Lightweight Extensible Authentication Protocol , 基于轻量级的扩展身份认证协议)、 EAP-MD5 ( Extensible Authentication Protocol-Message Digest Algorithm 5 , 基于消息摘要算法的扩展 认证协议)以及结合移动通信的 EAP-SIM ( Extensible Authentication Protocol- Subscriber Identification Module , 基于用户身份模块的扩展认证协议 )。 The requester performs port-based 802.1x access control authentication according to the existing 802.11 standard. The authentication related message is transmitted between the requester and the authenticator via a LAN (Local Area Network), that is, using an EAPOL (Extensible Authentication Protocol over LAN) technology, and the EAPOL is supported by the EAPOL. The general protocol of the authentication mechanism, the types of EAP that can be used mainly include: EAP-TLS (Extensible Authentication Protocol - Transport Layer Security, Extended Authentication Protocol based on Transport Layer Security), EAP-TTLS .ayer Security, extended authentication protocol based on tunnel transport layer security), PEAP (Protected Extensible Authentication Protocol), LEAP (Lightweight Extensible Authentication Protocol), EAP-MD5 (Extensible Authentication Protocol-Message Digest Algorithm 5, extended authentication protocol based on message digest algorithm) and EAP-SIM (Extensible Authentication Protocol-Subscriber Identification Module based on user identity module) combined with mobile communication.
其中 EAP-TLS可以为客户端和服务器之间的数据交换分配会话 ID、选择 合适的完整性保护加密机制、 分配动态会话密钥、 并能够有效的保护 802.1x 认证过程中交互消息的安全。 其对于中间认证者是透明的, 即认证接入点看 不到任何认证的内容。 因此可以釆用 EAP-TLS来完成信任度的下发和 AS对 请求者的认证。  EAP-TLS can allocate the session ID for the data exchange between the client and the server, select the appropriate integrity protection encryption mechanism, assign the dynamic session key, and effectively protect the security of the interactive message during the 802.1x authentication process. It is transparent to the intermediate certifier, ie the authenticated access point does not see any certified content. Therefore, EAP-TLS can be used to complete the trust delivery and the AS authentication to the requester.
为了便于 Mesh的部署时降低终端或设备的开销, 可以只令 AS有一个表 明身份的证书和公钥能够提供 AS 身份的认证即可, 而其他节点可以没有 X.509证书。  In order to reduce the overhead of the terminal or device during the deployment of the Mesh, the AS can have only one certificate and the public key to provide the authentication of the AS identity, while other nodes can have no X.509 certificate.
其 AS下发信任度和认证流程实施例一的流程图,如图 4所示, 包括如下 步骤:  A flow chart of Embodiment 1 of the AS sending trust and authentication process, as shown in FIG. 4, includes the following steps:
步骤 S401 , 请求者在接收到中间认证者 (图 4中未示出, 因为之后的交 互对于其而言是透明的所以不用考虑) 的身份验证请求后, 发送身份相关响 应, 由所述中间认证者发送给 AS;  Step S401: After receiving the identity verification request of the intermediate authenticator (not shown in FIG. 4, because the subsequent interaction is transparent for it, so need not be considered), the requester sends an identity-related response, and the intermediate authentication is performed. Sent to the AS;
步骤 S402, AS接收到所述响应后发送 TLS ( Transport Layer Security, 传 输层安全)开始请求给所述请求者;  Step S402: After receiving the response, the AS sends a TLS (Transport Layer Security) start request to the requester.
步骤 S403 , 请求者反馈 TLS开始响应给 AS;  Step S403, the requester feeds back TLS to start responding to the AS;
步骤 S404, AS接收到所述响应后将自己的身份信息, 包括证书和公钥一 同发送给请求者;  Step S404: After receiving the response, the AS sends its identity information, including the certificate and the public key, to the requester.
步骤 S405 , 请求者验证 AS身份的合法性, 验证通过之后, 请求者正式 将自己的用户、 密码等信息提交给 AS来进行认证, 请求者能够完全识别 AS 的真实性; 所述验证方式可根据具体的 TLS的协商验证方法,如果是用户密码 MD5 的方法, 则只需比较一下就可以; 如果是公钥证书验证, 则双方需要证书的 交互险证和对方公钥加密。 Step S405, the requester verifies the legality of the AS identity. After the verification is passed, the requester officially submits its own user, password, and the like to the AS for authentication, and the requester can fully recognize the authenticity of the AS; The verification method may be based on a specific TLS negotiation verification method. If it is a user password MD5 method, it only needs to be compared; if it is a public key certificate verification, both parties need a certificate interaction certificate and a counterpart public key encryption. .
步骤 S406, AS可以由请求者节点的安全能力信息、 用户服务级别, 或者 通过集中访问控制服务器的策略来决定请求者的安全等级。 认证成功将产生 信任度时戳 TimeStamp ( AS可以保证时间戳的唯一性), 签名之后连同 AS使 用的签名算法标识发送给请求者。  Step S406, the AS may determine the security level of the requester by the security capability information of the requester node, the user service level, or the policy of the centralized access control server. Successful authentication will result in a trust timestamp TimeStamp (the AS can guarantee the uniqueness of the timestamp), and the signature is sent to the requester along with the signature algorithm identifier used by the AS.
所述 AS下发的签名包含如下参数:  The signature sent by the AS includes the following parameters:
RoleType: 角色类型, 取值为 0时, 表示节点为用户类型, 如 STA, 取 值为 1时表示节点为 Mesh网络设备类型, 如 MP或 MAP;  RoleType: Role type. If the value is 0, the node is a user type. For example, if the value is 1, the node is a Mesh network device type, such as MP or MAP.
TrustDegree: 表示用户或设备的信任度;  TrustDegree: indicates the trust of the user or device;
IDAS、 IDsupHcant: AS、 请求者的身份标识符, 例如各自的 MAC地址;ID AS , IDsupHcant: AS, the identity identifier of the requester, such as the respective MAC address;
SKAS、 PKAS: AS的公钥、 私钥; SK AS , PK AS : the public key and private key of the AS;
TimeStamp: 认证成功产生的时间戳, 具有唯一' 1"生。  TimeStamp: The timestamp of the success of the authentication, with a unique '1'.
所述的签名算法如下:  The signature algorithm is as follows:
S = SigSKAs ( oleTypell TrustDegres || IDAS || IDSupHcant || TimeStamp) . 将所述签名算法连同信任度 TrustDegree—同发送给请求者; S = Sig SKAs ( oleTypell TrustDegres || ID AS || ID SupHcant || TimeStamp) . The signature algorithm is sent to the requester along with the trust degree TrustDegree.
步骤 S407,请求者检查所述签名算法是否与认证接入点使用的算法相同, 即是否与中间认证者使用的签名算法相同, 在确认统一性后, 再验证信任度 签名, 并发送验证反馈响应消息给 AS。  Step S407, the requester checks whether the signature algorithm is the same as the algorithm used by the authentication access point, that is, whether it is the same as the signature algorithm used by the intermediate authenticator, and after verifying the uniformity, verifying the trust signature and sending the verification feedback response. Message to AS.
首先判断信任度合法性;  First judge the legality of trust;
包括: 判断 RoleType的值是 0还是 1 , 为 1表示该节点为一个设备。 这 样的作用是不会把用户作为认证者, 认证时根据自己选择的方法判断是否合 法, 因为会有某些节点只要求能被设备认证接入, 而不允许终端作为认证者; 还包括: 判断 IDAS及 IDSupllcant; Including: Determine whether the value of RoleType is 0 or 1, and a value of 1 indicates that the node is a device. The role of this is that the user will not be the Authenticator. The authentication is based on the method chosen by the user to determine whether it is legal, because some nodes only need to be authenticated by the device, and the terminal is not allowed to be the Authenticator. ID AS and ID Supllcant ;
再判断信任度有效性;  Then judge the validity of trust;
主要根据校验所得的 TrustDegree 和 TimeStamp 判断有效性。 其中 TrustDegree主要用于判断是否接受新信任度值取代原有信任度值。 由于每次 关联都要进行一次 802. lx认证, 但是 Mesh中有多关联的情况, 已经接入的 两个节点之间关联时没有必要再获取新的信任度而只是判断一下相互的信任 度合法性即可。 The validity is determined mainly based on the TrustDegree and TimeStamp obtained from the verification. TrustDegree is mainly used to determine whether to accept the new trust value instead of the original trust value. Because every time The association must be performed once for 802. lx authentication, but there are multiple associations in the Mesh. It is not necessary to obtain new trust when the two nodes that have been connected are associated, but only to judge the mutual legality of trust. .
而 TimeStamp判断主要用于校验认证者的信任度, 可以抵抗信任度的重 放攻击。 如果检测到 TimeStamp重用, 则可认定认证者是个伪造者; 如果没 有重复, 则可通过与 AS的交互来判断信任度的唯一指定性, 在认证阶段 AS 同时记录了与某个时间戳相关联的其他所有节点。  The TimeStamp judgment is mainly used to verify the trustworthiness of the authenticator and to resist the replay attack of trust. If TimeStamp reuse is detected, the authenticator can be considered to be a counterfeiter; if there is no duplication, the unique designation of trust can be judged by interaction with the AS, and the AS is also recorded in the authentication phase. All other nodes.
步骤 S408, AS发送认证成功或失败消息给请求接入的节点。  Step S408: The AS sends an authentication success or failure message to the node requesting access.
通过这样的过程一个设备 ( MP或 MAP )或用户 ( STA )就获得了 AS的 认可, 使用所述信任度可以接入 Mesh网络。 其中通过认证的设备可以作为新 的认证者来认证其他节点。  Through such a process, a device (MP or MAP) or a user (STA) obtains the AS's approval, and the trust degree can be used to access the Mesh network. The authenticated device can be used as a new authenticator to authenticate other nodes.
其 AS下发信任度和认证流程实施例二的流程图如图 5所示,包括如下步 骤:  The flowchart of the second embodiment of the AS sending trust and authentication process is shown in FIG. 5, and includes the following steps:
步骤 S501 , 请求者在接收到中间认证者 (图中未示出, 因为之后的交互 对于其而言是透明的所以不用考虑)的身份验证请求后, 发送身份相关响应, 其中包括认证者的时间戳和用 AS公钥加密的随机数,由所述中间认证者发送 给 AS;  Step S501: After receiving the identity verification request of the intermediate authenticator (not shown in the figure, because the subsequent interaction is transparent for it, so need not be considered), the requester sends an identity-related response, including the time of the authenticator. Stamping and random number encrypted with the AS public key, sent by the intermediate authenticator to the AS;
步骤 S502, AS接收到所述响应后, 检测所述请求者非重放(非被盗用) 之后, 解开所述随机数, 并签名后发送 TLS开始请求给所述请求者;  Step S502, after receiving the response, the AS detects that the requester is not replayed (not stolen), and then unpacks the random number, and then sends a TLS start request to the requester after signing;
步骤 S503 , 请求者反馈 TLS开始响应给 AS;  Step S503, the requester feeds back TLS to start responding to the AS;
步骤 S504, AS接收到所述响应后将自己的身份信息, 包括证书和公钥一 同发送给所述请求者;  Step S504, after receiving the response, the AS sends its identity information, including the certificate and the public key, to the requester.
步骤 S505 , 请求者验证 AS身份的合法性, 验证通过之后, 请求者正式 将自己的用户、 密码等信息提交给 AS来进行认证, 请求者能够完全识别 AS 的真实性;  Step S505: The requester verifies the legality of the AS identity. After the verification is passed, the requester officially submits the user, the password, and the like to the AS for authentication, and the requester can completely recognize the authenticity of the AS;
步骤 S506, AS验证请求者节点的身份信息,之后发送认证结束消息给所 述请求者。  Step S506, the AS verifies the identity information of the requester node, and then sends an authentication end message to the requester.
不局限于 EAP-TLS , 还包括其他使用证书进行认证的协议例如 EAP-PEAP, EAP-TTLS等 (步骤总数也可不一样)。 码 MD5的方法, 则只需比较一下就可以; 如果是公钥证书验证, 则双方需要 证书的交互险证和对方公钥加密。 Not limited to EAP-TLS, but also includes other protocols that use certificates for authentication. EAP-PEAP, EAP-TTLS, etc. (the total number of steps can also be different). For the MD5 method, you only need to compare it. If it is a public key certificate verification, both parties need the certificate's interactive risk certificate and the other party's public key encryption.
步骤 S507, 请求者收到所述认证结束消息之后, 反馈响应消息给 AS, 并 在需要获取所述信任度时戳时,发送请求 AS颁发签名的标识, 以成为新的合 法认证者。  Step S507: After receiving the authentication end message, the requester feeds back a response message to the AS, and when the trust time stamp needs to be acquired, sends a requesting AS to issue a signature of the signature to become a new legal authenticator.
AS将产生信任度时戳 TimeStamp ( AS可以保证时间戳的唯一性), 并由 请求者节点的安全能力信息、 用户服务级别, 或者通过集中访问控制服务器 的策略来决定请求者的安全等级, 产生签名, 签名方法与实施例 1相同。  The AS will generate a trust timestamp TimeStamp (the AS can guarantee the uniqueness of the timestamp), and determine the security level of the requester by the security capability information of the requester node, the user service level, or the policy of the centralized access control server. The signature and signature method are the same as in the first embodiment.
步骤 S508, AS发送认证成功(或失败消息)消息连同签名 S、 签名算法 标识和信任度 TmstDegree—同发送给所述请求者给请求者。  Step S508, the AS sends an authentication success (or failure message) message together with the signature S, the signature algorithm identifier, and the trust degree TmstDegree—to the requester to the requester.
请求者检查所述签名算法是否与认证接入点使用的算法相同, 即是否与 中间认证者使用的签名算法相同, 在确认统一性后, 再验证信任度签名, 并 验证后判断是否接受。 使用的判断方法与实施例一相同。  The requester checks whether the signature algorithm is the same as the algorithm used by the authenticated access point, that is, whether it is the same as the signature algorithm used by the intermediate authenticator. After confirming the uniformity, the trustworthiness signature is verified and verified to be accepted. The judgment method used is the same as that of the first embodiment.
步骤 4, AS在某个节点想要离开 Mesh网络或 AS在检测到某个节点收到 攻击后, 降低或剥夺所述节点的信任度;  Step 4: After a node wants to leave the Mesh network or the AS detects that a node receives an attack, the AS reduces or deprives the node of the trust degree;
AS降低或剥夺信任度包括如下两种情况:  The reduction or deprivation of trust by AS includes the following two situations:
( 1 )节点主动想要离开 Mesh网络时: 节点在结束关联之前以广播的方 式告知所有与之关联的其他节点和单播发送给 AS, 消息都使用统一的 GTK (组临时密钥)或与 AS的 PMK (协商好的对称主密钥)加密, 保证了消息 源的可靠。 这时主要在 deassociation帧 (断开关联的帧)之前发送两个消息: 给所有已关联的节点用 GTK广播加密发送断开消息; 给 AS用 PMK单播发 送断开消息。之后, AS删除与之相关时间戳的信任度和其他关联节点的信息, 表示这个信任度不再可用了。 其他节点也可记录时间戳作废信息, 以保证信 任度的后向安全。  (1) When a node actively wants to leave the Mesh network: The node informs all other nodes associated with it and unicast to the AS by broadcasting before ending the association, and the message uses a unified GTK (group temporary key) or The PMK (negotiated symmetric master key) encryption of the AS ensures the reliability of the message source. At this time, two messages are sent mainly before the deassociation frame (disconnected frame): Sending a disconnect message with GTK broadcast encryption for all associated nodes; sending a disconnect message to the AS with PMK unicast. After that, the AS deletes the trust of the timestamp associated with it and the information of other associated nodes, indicating that the trust is no longer available. Other nodes can also record timestamp obsolete information to ensure backward security of trust.
( 2 ) 当 AS检测到某些节点受到恶意攻击时: 由 AS强制剥夺其信任度, AS通过单播发送强制断开、 信任度时间戳作废消息给与所述受攻击的节点相 关联的所有节点,这时主要在 deassociation帧之前发送一个消息: 给所有已与 所述受攻击节点关联的节点用各自 PMK广播发送断开消息。接收到所述消息 的节点在验证 AS的身份可靠性之后, 主动断开与所述受攻击节点的关联, 并 记录时间戳作废消息。 同时 AS通知受攻击节点如想继续接入, 必须重配置之 后再次认证。 此时 AS也可降低其信任度, 减少受到攻击的风险, 保证整个网 络接入的安全。 (2) When the AS detects that some nodes are maliciously attacked: The AS forcibly deprives them of trust, and the AS sends a forced disconnection, trust timestamp invalidation message to the attacked node by unicast. All nodes associated, at this time mainly send a message before the deassociation frame: Send a disconnect message to each node that has been associated with the attacked node with its own PMK broadcast. After verifying the identity reliability of the AS, the node receiving the message actively disconnects the attacked node and records a timestamp obsolete message. At the same time, the AS notifies the attacked node that if it wants to continue access, it must be reconfigured and then authenticated again. At this time, AS can also reduce its trust, reduce the risk of attack, and ensure the security of the entire network.
所述信任度由 AS进行统一分发和管理。 AS对信任度的管理和发送使用 动态目录机制, 在 Mesh网络运行中随着节点的加入、 离开或强制离线等情况 的发生, AS会不断被更新保存的相关信息。 所述 AS中保存了 Mesh网络中 认证成功的所有节点的用户身份信息以及 AS认可的信任度、签名和时间戳信 息,所述动态目录可以使用一个三元组来定义: TD_Mesh<M, td r, TimeStamp> 其中:  The trust is uniformly distributed and managed by the AS. The AS uses the dynamic directory mechanism for the management and transmission of trust. In the Mesh network running, as the node joins, leaves, or forces offline, the AS will be updated and saved. The AS stores the user identity information of all the nodes successfully authenticated in the Mesh network and the AS-approved trust, signature, and timestamp information. The dynamic directory can be defined by using a triplet: TD_Mesh<M, td r , TimeStamp> where:
M中包含已成功认证的所有节点;  M contains all nodes that have been successfully authenticated;
td_r中标记所有关联节点之间的信任关系;  Td_r marks the trust relationship between all associated nodes;
timestamp包含所有已分发信任度的时间戳, 所述时间戳是唯一的, 而信 任度是可以重用的。 时间戳和信任度签名是一一对应的关系。  The timestamp contains a timestamp of all distributed trusts, the timestamps being unique and the trustworthiness being reusable. The timestamp and the trust signature are one-to-one correspondences.
在 AS的策略库中可以釆用如下格式的策略定义语言:  A policy definition language in the following format can be used in the AS's policy library:
{RolesID} IF {conditions} THEN {actions}  {RolesID} IF {conditions} THEN {actions}
其中对于 M策略库可以基于角色进行管理, 分为两类:  Among them, the M policy library can be managed based on roles, and is divided into two categories:
( 1 )设备角色的信任度: 仅仅表示该设备的安全等级或被攻击的难易, 主要为 MP或者 MAP的信任度;  (1) Trust of the device role: It only indicates the security level of the device or the difficulty of being attacked, mainly the trust degree of MP or MAP;
( 2 )用户角色的信任度: 不但可以表示该节点的安全等级, 同时可以将 用户服务分级, 用来调整基于级别的公平性或进行用户的访问控制等, 主要 为 STA的信任度。  (2) The trust degree of the user role: not only can represent the security level of the node, but also the user service can be graded to adjust the level-based fairness or the user's access control, etc., mainly for the trust degree of the STA.
实际应用中用户可根据实际需要增加更多的功能来延伸该策略库, 包括 相应基于用户的负载均衡等都可以添加到其中, 需要对 condition (条件字段) 和 action (执行字段)进行不断扩充。  In practice, users can add more functions to extend the policy library according to actual needs, including the corresponding user-based load balancing, etc., and the condition (condition field) and action (execution field) need to be continuously expanded.
而对于安全策略的定义主要依赖于实际网络情况以及想要提供的服务类 型等参数来确定, 策略的粒度需进一步细化以满足不同用户级别的要求。 上述实施例以接入认证为例进行说明。 实际操作中当任意两个 MP想要 建立关联的时候, 也可以根据信任度的大小来选择请求者和认证者。 小的一 方为请求者, 大的一方为认证者。 如果双方都有信任度, 那么表示两者只是 想要建立关联而与接入认证无关, 这时可以通过 802.1x的方法来建立关联, 而不接受新发出的信任度, 或者仅仅两者交互信任度及签名就可关联, 那么 关联可以更快的建立, 这样交互的过程能够更快的完成, 其主要包括下列步 骤: The definition of a security policy depends mainly on the actual network situation and the service class that you want to provide. Types and other parameters to determine, the granularity of the strategy needs to be further refined to meet the requirements of different user levels. The above embodiment is described by taking access authentication as an example. In actual operation, when any two MPs want to establish an association, the requester and the authenticator may also be selected according to the size of the trust. The smaller party is the requester and the larger party is the certifier. If both parties have trust, it means that the two just want to establish an association and have nothing to do with access authentication. In this case, the association can be established through the 802.1x method, without accepting the newly issued trust, or only the mutual trust. The degree and signature can be associated, then the association can be established more quickly, so that the process of interaction can be completed faster, which mainly includes the following steps:
( 1 )请求者将自己的信任度签名信息交给认证者来验证;  (1) The requester submits his own trust signature information to the authenticator for verification;
( 2 )认证者验证成功之后, 用自己的信任度签名响应给请求者;  (2) After the authenticator has successfully verified, respond to the requester with his own trustworthiness signature;
( 3 )请求者验证成功之后, 返回成功或失败消息;  (3) After the requester successfully verifies, a success or failure message is returned;
( 4 )利用原有 802.11i的机制来进行密钥管理。  (4) Use the original 802.11i mechanism for key management.
如果双方都没有信任度, 则需要本地数据库来完成认证, 结果可能失败, 则需要等待其他能够完成认证的节点来接入 Mesh网络。 本发明实施例提供一种 Mesh网络中双向认证系统,所述系统包括至少一 个 AS及多个节点, 所述节点包括: MP、 MAP和 STA。 所述 AS用于为 Mesh 网络中各节点分发信任度, 并对所述信任度进行统一管理, 其一种实施例模 块示意图如图 6所示, 包括:  If both parties do not have trust, a local database is required to complete the authentication, and the result may fail. You need to wait for other nodes that can complete the authentication to access the Mesh network. An embodiment of the present invention provides a two-way authentication system in a Mesh network, where the system includes at least one AS and multiple nodes, and the nodes include: MP, MAP, and STA. The AS is used to distribute the trust degree to each node in the Mesh network, and the trust degree is uniformly managed. A schematic diagram of an embodiment of the module is shown in FIG. 6, and includes:
消息接收模块, 用于接收 Mesh网络中节点发送的消息, 包括: 认证请求 消息、 断开消息等;  The message receiving module is configured to receive a message sent by the node in the Mesh network, including: an authentication request message, a disconnect message, and the like;
信任度分发模块, 用于根据接收到的请求认证的节点的安全能力信息、 用户服务级别、 或通过集中访问控制器的策略确定所述节点的安全等级, 分 发认证消息给请求者。 所述认证消息中包括: 信任度时戳, 认证者签名、 使 用的签名算法等。 所述请求者包括: MP、 MAP或 STA;  The trust distribution module is configured to determine the security level of the node according to the security capability information of the node that is authenticated according to the received request, the user service level, or the policy of centrally accessing the controller, and distribute the authentication message to the requester. The authentication message includes: a trust time stamp, an authenticator signature, a used signature algorithm, and the like. The requester includes: MP, MAP or STA;
节点状态检测模块, 用于检测 Mesh网络中节点(MP、 MAP或 STA )是 否受到攻击;  a node status detecting module, configured to detect whether a node (MP, MAP, or STA) in the Mesh network is attacked;
信任度降低 /剥夺模块, 用于在接收到断开消息或检测到节点受到攻击后 降低 /剥夺节点的信任度; Trust reduction/deprivation module, used to receive a disconnect message or detect a node being attacked Reduce/deprive the trust of the node;
信任度管理模块,用于存储 Mesh网络中所有认证成功的节点的用户身份 信息以及系统中认可的信任度、 签名和时间戳信息。  The trust management module is configured to store user identity information of all successfully authenticated nodes in the mesh network and the trust degree, signature, and timestamp information recognized in the system.
所述 Mesh网络中的多个节点基于所述 AS分发的信任度进行关联认证, 其进一步包括如下模块:  The plurality of nodes in the Mesh network perform association authentication based on the trust degree of the AS distribution, and further includes the following modules:
认证者身份验证模块, 用于根据接收到认证消息中的认证者签名验证认 证者身份是否合法。  The authenticator authentication module is configured to verify whether the identity of the authenticator is legal according to the identity of the authenticator in the received authentication message.
所述 Mesh网络中的各设备节点包括 MP或 MAP , 在获得认证后可以作 为认证者来认证其他节点。  Each device node in the Mesh network includes an MP or a MAP, and after being authenticated, can be used as an authenticator to authenticate other nodes.
综上所述,本发明实施例提出了一种节点最初接入 Mesh网络时根据邻居 信任度来选择接入点, 然后双方协商认证角色, 并通过验证认证者的信任度 签名校验认证者的合法身份, 一次实现原有 802.1x需要两轮才能完成的双向 认证。  In summary, the embodiment of the present invention proposes that when a node initially accesses a Mesh network, the access point is selected according to the trust degree of the neighbor, and then both parties negotiate the authentication role, and verify the authenticator's trust by verifying the authenticity of the authenticator. Legal identity, one-time authentication that requires two rounds to complete the original 802.1x.
通过以上的实施方式的描述, 本领域的技术人员可以清楚地了解到本发 明可借助软件加必需的通用硬件平台的方式来实现, 当然也可以通过硬件, 但很多情况下前者是更佳的实施方式。 基于这样的理解, 本发明的技术方案 本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来, 该计算机软件产品存储在一个存储介质中, 包括若干指令用以使得一台计算 机设备(可以是个人计算机, 服务器, 或者网络设备等)执行本发明各个实 施例所述的方法。  Through the description of the above embodiments, those skilled in the art can clearly understand that the present invention can be implemented by means of software plus a necessary general hardware platform, and of course, can also be through hardware, but in many cases, the former is a better implementation. the way. Based on such understanding, the technical solution of the present invention, which is essential or contributes to the prior art, may be embodied in the form of a software product stored in a storage medium, including a plurality of instructions for making a A computer device (which may be a personal computer, server, or network device, etc.) performs the methods described in various embodiments of the present invention.
总之, 以上所述仅为本发明的较佳实施例而已, 并非用于限定本发明的 保护范围。 凡在本发明的精神和原则之内, 所作的任何修改、 等同替换、 改 进等, 均应包含在本发明的保护范围之内。  In summary, the above description is only the preferred embodiment of the present invention and is not intended to limit the scope of the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and scope of the invention are intended to be included within the scope of the invention.

Claims

权利要求 Rights request
1、 一种网状网中双向认证的方法, 其特征在于, 包括: A method for mutual authentication in a mesh network, characterized in that it comprises:
网状网 Mesh中的节点基于信任度选择关联节点,所述关联节点对节点进 行认证, 并将本身的信任度签名反馈给所述节点, 所述节点根据所述信任度 签名对所述关联节点进行认证。  The node in the mesh Mesh selects the associated node based on the trust degree, the associated node authenticates the node, and feeds back its own trust degree signature to the node, and the node signs the associated node according to the trust degree signature. Certify.
2、 如权利要求 1 所述的方法, 其特征在于, 所述信任度由认证服务器 AS下发及管理。  2. The method according to claim 1, wherein the trust degree is issued and managed by the authentication server AS.
3、 如权利要求 2所述的方法, 其特征在于, 所述 AS釆用双向认证下发 信任度的方法包括:  The method according to claim 2, wherein the method for the AS to use the mutual authentication to deliver the trust degree comprises:
Mesh中的节点发送探测请求给部居节点, 并根据各邻居节点反馈的消息 中携带的信任度选择与 AS交互的中间认证者;  The node in the Mesh sends a probe request to the neighboring node, and selects an intermediate authenticator that interacts with the AS according to the trust degree carried in the message fed back by each neighbor node;
所述节点与所述选择的中间认证者进行关联, 根据中间认证者关联过程 中下发的信任度签名验证所述中间认证者的合法性, 并获得所述中间认证者 的认证后, 将所述节点接入 AS;  The node is associated with the selected intermediate authenticator, and the validity of the intermediate authenticator is verified according to the trust degree signature issued in the intermediate authenticator association process, and after obtaining the authentication of the intermediate authenticator, The node is connected to the AS;
AS对所述请求接入的节点进行认证,下发信任度给所述请求接入的节点。 The AS authenticates the node that requests the access, and sends a trust degree to the node that requests the access.
4、 如权利要求 3所述的方法, 其特征在于, 所述 Mesh中各节点选择中 间认证者的方法包括: The method according to claim 3, wherein the method for selecting an intermediate authenticator by each node in the Mesh includes:
在所有反馈消息的邻居节点中选择信任度最大的或满足事先约定信任度 范围的节点作为中间认证者。  The node with the highest degree of trust or meeting the pre-agreed trust degree is selected as the intermediate Authenticator among the neighbor nodes of all the feedback messages.
5、 如权利要求 3所述的方法, 其特征在于, 所述 Mesh中的节点与所述 选择的中间认证者进行关联的方法具体包括:  The method according to claim 3, wherein the method for associating the node in the Mesh with the selected intermediate authenticator comprises:
Mesh中的节点向选择的中间认证者发送认证请求;  The node in the Mesh sends an authentication request to the selected intermediate authenticator;
所述中间认证者将自己支持的安全参数、 AS使用的公钥和签名算法、 对 信任度的签名反馈给所述节点;  The intermediate authenticator feeds back the security parameters supported by itself, the public key and signature algorithm used by the AS, and the signature of the trust degree to the node;
所述节点验证所述中间认证者的有效性, 并与所述中间认证者进行开放 式或者预共享密钥认证;  The node verifies the validity of the intermediate authenticator and performs open or pre-shared key authentication with the intermediate authenticator;
所述中间认证者返回认证结果; 所述节点根据中间认证者支持的安全参数发送自己需要的安全参数组合 给中间认证者; The intermediate authenticator returns an authentication result; The node sends a security parameter combination required by the node to the intermediate authenticator according to the security parameter supported by the intermediate authenticator;
所述中间认证者返回关联成功或失败结果给所述节点。  The intermediate authenticator returns an association success or failure result to the node.
6、 如权利要求 5所述的方法, 其特征在于, 所述节点验证中间认证者合 法性的方法包括:  6. The method of claim 5, wherein the method for verifying the legitimacy of the intermediate authenticator by the node comprises:
各节点检查是否支持签名算法, 并且整个 Mesh的签名算法是否一致, 如 果不支持认证者反馈的签名算法, 或整个 Mesh的签名算法不一致, 则认为认 证者无效, 否则有效。  Each node checks whether the signature algorithm is supported, and whether the signature algorithm of the entire Mesh is consistent. If the signature algorithm fed back by the authenticator is not supported, or the signature algorithm of the entire Mesh is inconsistent, the authenticator is considered invalid, otherwise it is valid.
7、 如权利要求 3所述的方法, 其特征在于, 所述 AS对请求接入的节点 进行认证的方法包括:  The method according to claim 3, wherein the method for the AS to authenticate the node that requests access includes:
节点验证 AS身份的合法性;  The node verifies the legality of the AS identity;
验证通过之后, 所述节点将自己的信息提交给所述 AS来进行认证; AS由所述节点的信息确定所述节点的安全等级, 并产生信任度时戳, 签 名之后连同 AS使用的签名算法标识发送给所述节点;  After the verification is passed, the node submits its own information to the AS for authentication; the AS determines the security level of the node by the information of the node, and generates a trust time stamp, and the signature algorithm used after the signature together with the AS The identifier is sent to the node;
所述节点验证 AS的合法性,在所述 AS合法情况下所述节点获得信任度。 The node verifies the legality of the AS, and the node obtains the trust degree when the AS is legal.
8、 如权利要求 3所述的方法, 其特征在于, 所述 AS对请求接入的节点 进行认证的方法包括: The method according to claim 3, wherein the method for the AS to authenticate the node that requests access includes:
节点验证 AS身份的合法性;  The node verifies the legality of the AS identity;
验证通过之后, 所述节点将自己的信息提交给所述 AS来进行认证; 所述 AS对所述节点进行认证后, 向所述节点发送认证结束消息; 所述节点接收到所述认证结束消息后,发送响应消息, 同时请求 AS颁发 所述认证签名;  After the verification is passed, the node submits its own information to the AS for authentication; after the AS authenticates the node, sends an authentication end message to the node; the node receives the authentication end message. After sending a response message, requesting the AS to issue the authentication signature;
所述 AS接收到所述请求后, 产生所述信任度时戳、 签名之后连同 AS使 用的签名算法标识, 承载于认证成功或失败消息中发送给所述节点;  After receiving the request, the AS generates the trust time stamp, and the signature algorithm identifier used after the signature is used in the authentication success or failure message sent to the node;
所述节点验证 AS的合法性,在所述 AS合法情况下所述节点获得信任度。 The node verifies the legality of the AS, and the node obtains the trust degree when the AS is legal.
9、 如权利要求 2所述的方法, 其特征在于, 所述 AS对信任度的管理方 法包括: 9. The method according to claim 2, wherein the method for managing trust by the AS comprises:
在某个节点想要离开 Mesh或 AS检测到某个节点受到攻击时, 降低或剥  Reduce or strip when a node wants to leave the Mesh or the AS detects that a node is under attack.
2 夺所述节点的信任度。 2 Take the trust of the node.
10、 如权利要求 2所述的方法, 其特征在于, 所述 AS釆用动态目录下发 和管理信任度,所述动态目录包含 Mesh中认证成功的所有节点的用户身份信 息以及 AS认可的信任度、 签名和时间戳信息。  The method of claim 2, wherein the AS uses a dynamic directory to deliver and manage trust, and the dynamic directory includes user identity information of all nodes successfully authenticated in the Mesh and AS-approved trust. Degree, signature, and timestamp information.
11、 一种网状网网络系统, 其特征在于, 包括: 至少一个 AS及多个节点, 所述 AS用于根据接收到的请求认证的节点的信息对所述节点进行认证,以确 定节点的安全等级, 并在认证成功后产生信任度时戳, 签名后连同签名算法 标识下发给所述请求认证的节点;  A mesh network system, comprising: at least one AS and a plurality of nodes, wherein the AS is configured to authenticate the node according to the information of the node that is requested to be authenticated to determine the node. a security level, and a trust time stamp is generated after the authentication succeeds, and the signature is sent to the node requesting the authentication together with the signature algorithm identifier;
所述 Mesh中的节点,基于所述 AS下发的信任度选择关联节点进行认证, 并根据所述关联节点反馈的信任度签名对所述关联节点身份进行验证。  The node in the Mesh selects an association node for authentication based on the trust degree sent by the AS, and verifies the identity of the associated node according to the trust degree signature fed back by the associated node.
12、 如权利要求 11所述的系统, 其特征在于, 所述 AS进一步包括: 信任度分发模块, 用于根据接收到的请求认证的节点信息确定所述节点 的安全等级, 并在认证成功后产生信任度时戳, 签名后连同签名算法标识下 发给所述请求认证的节点;  The system according to claim 11, wherein the AS further comprises: a trust distribution module, configured to determine a security level of the node according to the received node information of the request authentication, and after the authentication succeeds Generating a trust time stamp, which is sent to the node requesting the authentication together with the signature algorithm identifier;
信任度管理模块,用于存储 Mesh中所有认证成功的节点的用户身份信息 以及 AS认可的信任度、 签名和时间戳信息。  The trust management module is configured to store user identity information of all successfully authenticated nodes in the Mesh, and AS-approved trust, signature, and timestamp information.
13、 如权利要求 11所述的系统, 其特征在于, 所述 Mesh中的节点上设 置有:  The system according to claim 11, wherein the nodes in the Mesh are provided with:
认证者身份验证模块, 用于根据所述关联节点反馈的信任度签名对所述 关联节点身份进行验证。  The authenticator authentication module is configured to verify the identity of the associated node according to the trust signature returned by the associated node.
14、 一种认证服务器, 其特征在于, 包括:  14. An authentication server, comprising:
信任度分发模块, 用于根据接收到的请求认证的节点信息确定所述节点 的安全等级, 并在认证成功后产生信任度时戳, 签名后连同签名算法标识下 发给所述请求认证的节点;  a trust distribution module, configured to determine a security level of the node according to the received node information of the request authentication, and generate a trust time stamp after the authentication succeeds, and send the signature to the node requesting the authentication together with the signature algorithm identifier ;
信任度管理模块,用于存储 Mesh中所有认证成功的节点的用户身份信息 以及认证服务器认可的信任度、 签名和时间戳信息。  The trust management module is configured to store user identity information of all successfully authenticated nodes in the mesh and the trust degree, signature, and timestamp information recognized by the authentication server.
15、 如权利要求 14所述的认证服务器, 其特征在于, 还包括:  The authentication server according to claim 14, further comprising:
节点状态检测模块, 用于检测 Mesh中节点是否受到攻击; 和 /或,  a node state detecting module, configured to detect whether a node in the mesh is attacked; and/or,
3 信任度降低 /剥夺模块, 用于在接收到断开消息或检测到节点受到攻击后 降低 /剥夺节点的信任度。 3 The trust reduction/deprivation module is configured to reduce/deprive the node's trust after receiving the disconnection message or detecting that the node is attacked.
4  4
PCT/CN2008/070064 2007-01-09 2008-01-09 A authentication server and a method,a system,a device for bi-authenticating in a mesh network WO2008083628A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710063346.6 2007-01-09
CN200710063346 2007-01-09

Publications (1)

Publication Number Publication Date
WO2008083628A1 true WO2008083628A1 (en) 2008-07-17

Family

ID=39608378

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070064 WO2008083628A1 (en) 2007-01-09 2008-01-09 A authentication server and a method,a system,a device for bi-authenticating in a mesh network

Country Status (2)

Country Link
CN (1) CN101222331B (en)
WO (1) WO2008083628A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110831005A (en) * 2019-11-11 2020-02-21 深圳创维数字技术有限公司 Device adding method of Mesh network, gateway device and storage medium
CN112839015A (en) * 2019-11-25 2021-05-25 杭州萤石软件有限公司 Method, device and system for detecting attack Mesh node
CN113949586A (en) * 2020-12-22 2022-01-18 技象科技(浙江)有限公司 Distributed efficient Internet of things equipment access system

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101394270B (en) * 2008-09-27 2011-01-19 上海交通大学 Wireless mesh network link layer ciphering method based on modularized routing
CN101447899B (en) * 2008-11-14 2011-07-20 北京工业大学 Method for detecting end-to-end-based wormhole attack in wireless Mesh network
CN101453733B (en) * 2008-11-28 2010-12-22 北京工业大学 Wormhole attack detection method based on monitor node in wireless Mesh network
CN101784085B (en) * 2009-01-20 2013-03-20 华为技术有限公司 Wireless mesh network gateway leaving method and device
CN102263787B (en) * 2011-07-08 2014-04-16 西安电子科技大学 Dynamic distributed certification authority (CA) configuration method
CN102421095B (en) * 2011-11-30 2014-04-02 广州杰赛科技股份有限公司 Access authentication method for wireless mesh network
US9391781B2 (en) * 2013-06-04 2016-07-12 Altera Corporation Systems and methods for intermediate message authentication in a switched-path network
CN104426874B (en) * 2013-08-30 2019-01-29 中兴通讯股份有限公司 A kind of authentication method and device for ubiquitous terminal network
CN103795728A (en) * 2014-02-24 2014-05-14 哈尔滨工程大学 EAP authentication method capable of hiding identities and suitable for resource-constrained terminal
CN105323754B (en) * 2014-07-29 2019-02-22 北京信威通信技术股份有限公司 A kind of distributed method for authenticating based on wildcard
CN105188065B (en) * 2015-08-11 2018-10-23 福建师范大学 A kind of wireless Mesh netword trust metrics system based on multiple criteria decision making (MCDM)
CN105577699B (en) * 2016-03-03 2018-08-24 山东航天电子技术研究所 A kind of secure access authentication method of two-way dynamic non-stop layer authentication
CN108933757B (en) * 2017-05-22 2021-09-17 北京君泊网络科技有限责任公司 Safe and reliable networking access method of hardware equipment
CN108234503B (en) * 2018-01-11 2020-12-11 中国电子科技集团公司第三十研究所 Automatic discovery method for safety neighbors of network nodes
CN109495892A (en) * 2018-12-06 2019-03-19 中国民航大学 Method is determined based on the wireless Mesh netword secure routing path of dynamic prestige
EP3667534B1 (en) * 2018-12-13 2021-09-29 Schneider Electric Industries SAS Time stamping of data in an offline node
CN109495889B (en) * 2018-12-20 2022-01-04 中山大学新华学院 Heterogeneous mobile network access control method based on mutual trust mechanism
CN112738907B (en) * 2019-10-28 2023-02-28 杭州萤石软件有限公司 Wireless network system
CN111147256B (en) * 2019-12-26 2021-07-09 荣耀终端有限公司 Authentication method and device
CN111865592A (en) * 2020-09-21 2020-10-30 四川科锐得电力通信技术有限公司 Internet of things equipment fast access method and device, Internet of things platform and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1558584A (en) * 2004-02-01 2004-12-29 中兴通讯股份有限公司 Safety proxy method
CN1630269A (en) * 2003-12-17 2005-06-22 微软公司 Mesh networks with end device recognition
CN1691603A (en) * 2004-04-28 2005-11-02 联想(北京)有限公司 A method for implementing equipment group and intercommunication between grouped equipments
WO2006119169A2 (en) * 2005-05-03 2006-11-09 Interdigital Technology Corporation Mesh network with digital rights management interoperability
CN1863090A (en) * 2006-01-13 2006-11-15 华为技术有限公司 Method of controlling coordinate network and its node

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1630269A (en) * 2003-12-17 2005-06-22 微软公司 Mesh networks with end device recognition
CN1558584A (en) * 2004-02-01 2004-12-29 中兴通讯股份有限公司 Safety proxy method
CN1691603A (en) * 2004-04-28 2005-11-02 联想(北京)有限公司 A method for implementing equipment group and intercommunication between grouped equipments
WO2006119169A2 (en) * 2005-05-03 2006-11-09 Interdigital Technology Corporation Mesh network with digital rights management interoperability
CN1863090A (en) * 2006-01-13 2006-11-15 华为技术有限公司 Method of controlling coordinate network and its node

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110831005A (en) * 2019-11-11 2020-02-21 深圳创维数字技术有限公司 Device adding method of Mesh network, gateway device and storage medium
CN112839015A (en) * 2019-11-25 2021-05-25 杭州萤石软件有限公司 Method, device and system for detecting attack Mesh node
CN113949586A (en) * 2020-12-22 2022-01-18 技象科技(浙江)有限公司 Distributed efficient Internet of things equipment access system

Also Published As

Publication number Publication date
CN101222331B (en) 2013-04-24
CN101222331A (en) 2008-07-16

Similar Documents

Publication Publication Date Title
WO2008083628A1 (en) A authentication server and a method,a system,a device for bi-authenticating in a mesh network
KR102134302B1 (en) Wireless network access method and apparatus, and storage medium
US8656153B2 (en) Authentication access method and authentication access system for wireless multi-hop network
Pirzada et al. Kerberos assisted authentication in mobile ad-hoc networks
US8561200B2 (en) Method and system for controlling access to communication networks, related network and computer program therefor
US7587598B2 (en) Interlayer fast authentication or re-authentication for network communication
US20090240941A1 (en) Method and apparatus for authenticating device in multi domain home network environment
KR101505590B1 (en) Security access control method and system for wired local area network
US20100293378A1 (en) Method, device and system of id based wireless multi-hop network authentication access
WO2006086932A1 (en) An access authentication method suitable for the wire-line and wireless network
CN107181597B (en) PMIPv6 authentication system and method based on identity agent group signature
Xu et al. BE-RAN: Blockchain-enabled open RAN with decentralized identity management and privacy-preserving communication
WO2009103214A1 (en) A network authentication communication method and a mesh network system
WO2011009268A1 (en) Wapi (wlan authentication and privacy infrastructure) -based authentication system and method
CN112351019A (en) Identity authentication system and method
WO2008002081A1 (en) Method and apparatus for authenticating device in multi domain home network environment
CN114884698A (en) Kerberos and IBC security domain cross-domain authentication method based on alliance chain
KR20090002328A (en) Method for joining new device in wireless sensor network
CN110752934B (en) Method for network identity interactive authentication under topological structure
JP5472977B2 (en) Wireless communication device
KR100972743B1 (en) Mutual Authentication Scheme between Mobile Routers using Authentication Token in MANET of MANEMO
Bansal et al. Threshold based Authorization model for Authentication of a node in Wireless Mesh Networks
WO2022135387A1 (en) Identity authentication method and apparatus
WO2022135386A1 (en) Method and device for identity authentication
Verma et al. Progressive authentication in ad hoc networks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08700088

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08700088

Country of ref document: EP

Kind code of ref document: A1