WO2009052676A1 - Method and system for user authenticating - Google Patents

Info

Publication number
WO2009052676A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2007/003851
Other languages
French (fr)
Chinese (zh)
Inventor
Jinshu Lu
Qing Li
Yunpeng Xie
Huannan Ma
Original Assignee
Zte Corporation

Classifications

    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04L - TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 - Network architectures or network communication protocols for network security
    • H04L 63/08 - Network architectures or network communication protocols for network security for authentication of entities


Abstract

A method and a system for user authentication, used in a passive optical network, in which a memory card read/write apparatus is additionally provided in the user terminal. The method further comprises: the user terminal obtaining user terminal information and user information from a peripheral device connected to the memory card read/write apparatus; and performing, on the user terminal information and user information obtained by the user terminal, a dual authentication comprising user terminal authentication and user authentication.

Description

A user authentication method and system

TECHNICAL FIELD

The present invention relates to the field of optical communications, and in particular to a user authentication method and system.

BACKGROUND OF THE INVENTION

The authentication approach in common use today first stores device information in the device in advance; the user terminal then sends that device information to the optical line terminal (OLT) for authentication, and if authentication passes, the device is regarded as legitimate. Users are authenticated with a user name and password: the user typically enters them, they are verified in some manner, and if verification passes, the user is regarded as legitimate.

In the passive optical networks (PON) deployed today, user terminals such as optical network units (ONU) and optical network terminals (ONT) must be authenticated. This authentication is based on a unique identifier allocated in advance to each user terminal (each terminal stores its own unique identifier and initiates authentication with it). Consequently, when a user replaces the terminal, the user must register with the operator, and the operator will very likely have to perform cumbersome and unnecessary operations such as database changes. This inconveniences both users and operators, restricts the user's choice of terminal to some extent, and is unfavourable to the development of the whole industry.

Furthermore, the current schemes authenticate either the user terminal or the user. When only the terminal is authenticated, anyone who possesses the terminal (even an illegitimate user) can use the network normally; when only a user name and password are used for user authentication, anyone who obtains stolen credentials can use the network normally. The current schemes therefore expose users and operators to loss and offer low security.

In addition, when a user name and password are used for authentication, they usually have to be entered manually; but future services (such as telephony and IPTV) often do not involve a connected computer or similar device, so manual entry of a user name and password is impossible. The current schemes therefore cannot support future services.

It follows from the above that the authentication currently applied in PON requires every user terminal to store its own unique identifier; the authentication is too rigid and imposes unnecessary extra operations on users and operators; and it is not very secure and cannot support future services, which seriously lowers user satisfaction.

SUMMARY OF THE INVENTION

In view of this, the main object of the present invention is to provide a user authentication method and system that improve authentication flexibility and security and raise user satisfaction.

To this end, the technical solution of the present invention is implemented as follows.

A user authentication method, applied to a passive optical network, in which a memory card reader/writer is added to the user terminal, the method further comprising: the user terminal obtaining user terminal information and user information from a peripheral connected to the memory card reader/writer; and performing, on the user terminal information and user information obtained by the user terminal, a dual authentication comprising user terminal authentication and user authentication.

The dual authentication is performed as follows: the user terminal information and user information obtained by the user terminal are sent to the OLT/authentication server, which performs user terminal authentication and then user authentication according to the received user terminal information and user information.

The user terminal authentication method is: compare the user terminal information with pre-stored user terminal authentication information; if the two agree, determine that user terminal authentication passes; otherwise, determine that user terminal authentication fails.

The user authentication method is: perform a legitimacy check on the user information; if the check passes, determine that user authentication passes; otherwise, determine that user authentication fails.

After user terminal authentication passes, a user authentication channel carrying the communication of the user authentication process is further established.

The result of user terminal authentication and/or user authentication is further returned to the user terminal.

The method further comprises: when both user terminal authentication and user authentication pass, opening the network permissions used by the user terminal and allowing the user terminal to use the network; and when either user terminal authentication or user authentication fails, not allowing the user terminal to use the network.

The method further comprises: storing the user terminal information and user information in the peripheral in advance; the user terminal information and user information are confirmed when the user's service is provisioned.

The user terminal information is the media access control (MAC) address of the user terminal, or the serial number (SN) identifier of the user terminal; the user information is a user name and password.

The password may further be changed, by writing the new password back into the peripheral.

A user authentication system, comprising: a peripheral for storing user terminal information and user information; a memory card reader/writer for reading user terminal information and user information from the peripheral; a user terminal for obtaining user terminal information and user information from the memory card reader/writer and sending them over the passive optical network; and an optical line terminal for performing, on the user terminal information and user information obtained by the user terminal, a dual authentication comprising user terminal authentication and user authentication.

Preferably, the user authentication system further comprises an authentication server for performing user terminal authentication and then user authentication according to the user terminal information and user information received from the optical line terminal.

Preferably, the authentication server comprises: a first unit for comparing the user terminal information with pre-stored user terminal authentication information and determining that user terminal authentication passes if the two agree and fails otherwise; and a second unit for performing a legitimacy check on the user information and determining that user authentication passes if the check passes and fails otherwise.

Preferably, the user authentication system further comprises a channel module for establishing, after user terminal authentication passes, a user authentication channel carrying the communication of the user authentication process.

Preferably, the user authentication system further comprises a return module for returning the result of user terminal authentication and/or user authentication to the user terminal.

Preferably, the user authentication system further comprises a permission module for opening the network permissions used by the user terminal and allowing it to use the network when both user terminal authentication and user authentication pass, and for not allowing the user terminal to use the network when either authentication fails.

Preferably, the user terminal information is the MAC address of the user terminal, or the SN identifier of the user terminal; the user information is a user name and password.

Preferably, the user authentication system further comprises a password module for writing a new password back into the peripheral.

It can be seen that the user authentication method and system provided by the present invention separate the user terminal from the user terminal information and user information by adding a memory card reader/writer to the user terminal, so that this information no longer needs to be fixed in the user terminal. The user can buy any user terminal on the market and replace it at will, which can drive the development of the whole PON industry chain. Moreover, once the user terminal information and user information have been read from the peripheral through the memory card reader/writer, the dual authentication of user terminal and user is performed automatically. The flexibility and security of authentication are clearly improved, so user satisfaction can be effectively raised.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 is a flowchart of user authentication according to an embodiment of the present invention; Fig. 2 is a schematic diagram of the composition of a user authentication system according to an embodiment of the present invention.

DETAILED DESCRIPTION

The technique of the present invention is described in detail below with reference to the drawings.

Referring to Fig. 1, a flowchart of user authentication according to an embodiment of the present invention, the flow comprises the following steps.

Step 101: Obtain the user terminal information and user information from the peripheral.

To implement this step, the circuit of a memory card reader/writer is added to the printed circuit board (PCB) of the user terminal, and the read/write pins of the reader/writer are connected to the central processing unit (CPU) of the user terminal. When a peripheral is inserted into the memory card reader/writer on the user terminal, the reader/writer can read information from the peripheral and send it through its own read/write pins to the CPU of the user terminal for subsequent processing.

The memory card reader/writer must of course be provided with an interface reader/writer, so that the peripheral can be inserted into it and its information read. For example, the user terminal can be designed with an interface reader/writer supporting the Universal Serial Bus (USB), with its circuit designed according to the current USB standard; or with an interface reader/writer supporting Secure Digital (SD) memory cards, with its circuit designed according to the current SD memory card standard.

It should be noted that, when designing the memory card reader/writer of the user terminal, it is generally recommended to adopt currently common protocol standards (such as the USB, IC card, SD memory card and SIM card standards), so that products from different manufacturers interoperate and are compatible.

In practice, the operator can store the user terminal information and user information (which are usually confirmed when the user's service is provisioned) in a standard peripheral in advance. When the peripheral is inserted into the memory card reader/writer on the user terminal, the reader/writer can read the user terminal information and user information from it.

The user terminal may also be fitted with an additional device that eases insertion and removal of the peripheral, and with an indicator light showing the read/write status.

It can be seen that fitting the user terminal with a memory card reader/writer separates the user terminal from the user terminal information and user information, and that the user terminal can read both from the peripheral through the reader/writer. The information therefore no longer needs to be fixed in the user terminal, so the user can buy any user terminal on the market and replace it at will. This clearly drives the development of the whole PON industry chain.

Step 102: The user terminal parses the user terminal information obtained from the peripheral and sends the parsed user terminal information to the OLT, which performs user terminal authentication.

The specific user terminal authentication method is: the OLT compares the received user terminal information with the user terminal authentication information it holds; if the two agree, the OLT determines that authentication passes; otherwise, the OLT determines that authentication fails. Whether or not authentication passes, the OLT returns the result to the user terminal.

It should be noted that the information involved in user terminal authentication may differ between application environments. In an Ethernet passive optical network (EPON) system, it includes at least the MAC address of the user terminal, which is sent to the OLT through protocols such as the Multi-Point Control Protocol (MPCP) for user terminal authentication; in a Gigabit passive optical network (GPON) system, it includes at least the SN identifier of the user terminal, which is sent to the OLT in protocol messages such as Physical Layer Operations, Administration and Maintenance (PLOAM) messages for user terminal authentication.

In practice, the OLT may also forward the received user terminal information to a dedicated authentication server, which then performs the user terminal authentication and returns the result.

Step 103: Perform different subsequent operations according to whether user terminal authentication passed. If it passed, proceed to step 104; otherwise, proceed directly to step 107.

Specifically, when user terminal authentication passes, the OLT establishes a user authentication channel between itself and the user terminal. This channel may be realised by various transport channels, such as the Operations, Administration and Maintenance (OAM) channel in an EPON system or the ONT Management and Control Interface (OMCI) channel in a GPON system. The transport channel may also be replaced by communication messages (such as PLOAM messages in GPON). Only the necessary management information and the user authentication protocol packets used for the subsequent user authentication (such as Point-to-Point Protocol over Ethernet (PPPoE) packets, or the user name and password) are carried on the user authentication channel. All other network permissions of the user terminal are closed, and the user terminal is temporarily not allowed to use the network.

Step 104: The user terminal parses the user information obtained from the peripheral and sends the parsed user information to the OLT, which performs user authentication.

The specific user authentication method is: the user terminal assembles the user information it received (user name, password and the like) into a user authentication protocol packet (which may use a frame structure such as PPPoE) and sends the packet to the OLT over the user authentication channel. The user terminal may also send the received user information directly to the OLT.

After receiving the user information from the user terminal, the OLT performs a legitimacy check on the user name, password and other information it contains; the device information of the user terminal may also be taken into account in this check. If the check passes, the OLT determines that authentication passes; otherwise, the OLT determines that authentication fails. Whether or not authentication passes, the OLT returns the result to the user terminal. In practice, the OLT may also forward the received user information to a dedicated authentication server, which then performs the user authentication and returns the result.

Step 105: Perform different subsequent operations according to whether user authentication passed. If it passed, proceed to step 106; otherwise, proceed directly to step 107.

Step 106: The OLT or authentication server performing the authentication determines that authentication succeeded, opens the network permissions used by the user terminal, and allows the user terminal to use the network.

Step 107: The OLT or authentication server performing the authentication determines that authentication failed, and does not allow the user terminal to use the network.

The role of the aforementioned indicator light may be extended: besides the read/write status, it may indicate the sending status of the user terminal information and user information, and the pass/fail status of authentication. In this way, a device fault can be located, and after an authentication failure the cause of the failure is clear.

The above processing runs fully automatically once the peripheral has been inserted into the memory card reader/writer, without manual involvement. In addition, after authentication passes, the user is allowed to change the password (the change is considered successful only after the new password has been written back into the peripheral).

Fig. 2 is a schematic diagram of the composition of a user authentication system 100 according to an embodiment of the present invention, comprising: a peripheral 10 for storing user terminal information and user information; a memory card reader/writer 20 for reading user terminal information and user information from the peripheral; a user terminal 30 for obtaining user terminal information and user information from the memory card reader/writer and sending them over the passive optical network; and an optical line terminal 40 for performing, on the user terminal information and user information obtained by the user terminal, a dual authentication comprising user terminal authentication and user authentication.

By adding a memory card reader/writer to the user terminal, this user authentication system separates the user terminal from the user terminal information and user information, so that this information no longer needs to be fixed in the user terminal.

Preferably, the user authentication system further comprises an authentication server 50 for performing user terminal authentication and then user authentication according to the user terminal information and user information received from the optical line terminal.

Preferably, the authentication server 50 comprises a first unit for comparing the user terminal information with pre-stored user terminal authentication information and determining that authentication passes if the two agree and fails otherwise.

Preferably, the authentication server 50 comprises a second unit for performing a legitimacy check on the user information and determining that authentication passes if the check passes and fails otherwise.

Preferably, the user authentication system further comprises a channel module for establishing, after user terminal authentication passes, a user authentication channel carrying the communication of the user authentication process.

Preferably, the user authentication system further comprises a return module for returning the result of user terminal authentication and/or user authentication to the user terminal.

Preferably, the user authentication system further comprises a permission module for opening the network permissions used by the user terminal and allowing it to use the network when both user terminal authentication and user authentication pass, and for not allowing the user terminal to use the network when either authentication fails.

Preferably, the user terminal information is the MAC address of the user terminal, or the SN identifier of the user terminal; the user information is a user name and password.

Preferably, the user authentication system further comprises a password module for writing a new password back into the peripheral.

It can be seen from the above that the user authentication method and system provided by the present invention separate the user terminal from the user terminal information and user information by adding a memory card reader/writer to the user terminal, so that this information no longer needs to be fixed in the user terminal. The user can buy any user terminal on the market and replace it at will, which can drive the development of the whole PON industry chain. Moreover, once the user terminal information and user information have been read from the peripheral through the memory card reader/writer, the dual authentication of user terminal and user is performed automatically. The flexibility and security of authentication are clearly improved, so user satisfaction can be effectively raised.

The above are only preferred embodiments of the present invention and are not intended to limit it; those skilled in the art may make various changes and variations to the present invention. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
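The two-stage flow of steps 102 to 107 (terminal authentication gating an authentication-only channel, then user authentication, then opening or denying network permissions, then an optional password change written back to the card) as an added example, simulating the OLT/authentication server side in Python. This is not code from the patent or from ZTE. The class and function names, the salted PBKDF2 storage of passwords, the binding of a user's credentials to the terminal they were provisioned with (the description says only that the legitimacy check "may also take into account" the terminal's device information), and all MAC addresses and credentials are constructed assumptions of the example.

```python
"""Added example: simulation of the dual (terminal, then user) authentication of
steps 102-107, not code from the patent or from ZTE; names and data are assumed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    """Network permission state of the user terminal as seen by the OLT."""
    CLOSED = "closed"        # step 107: network use not allowed
    AUTH_ONLY = "auth-only"  # step 103: only the user authentication channel is open
    OPEN = "open"            # step 106: full network permissions


@dataclass
class Peripheral:
    """Constructed model of the memory card: terminal info plus user info."""
    terminal_id: str  # MAC address (EPON) or serial number (GPON)
    username: str
    password: str


def _derive(password: str, salt: bytes) -> bytes:
    # Assumption: the server keeps salted PBKDF2 hashes, not the password itself;
    # the patent only specifies a "legitimacy check" on the user information.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AuthServer:
    """OLT/authentication server: first unit (terminal), second unit (user)."""
    terminal_records: set = field(default_factory=set)
    user_records: dict = field(default_factory=dict)  # username -> (salt, hash, terminal_id)

    def provision(self, terminal_id: str, username: str, password: str) -> None:
        """Store what the operator confirms when the user's service is provisioned."""
        salt = hashlib.sha256(username.encode()).digest()[:16]  # deterministic for the demo
        self.terminal_records.add(terminal_id)
        self.user_records[username] = (salt, _derive(password, salt), terminal_id)

    def authenticate_terminal(self, terminal_id: str) -> bool:
        """First unit: compare the received terminal info with the stored records."""
        return terminal_id in self.terminal_records

    def authenticate_user(self, username: str, password: str, terminal_id: str) -> bool:
        """Second unit: legitimacy check, combined with the terminal's device info."""
        record = self.user_records.get(username)
        if record is None:
            return False
        salt, stored, bound_terminal = record
        if not hmac.compare_digest(_derive(password, salt), stored):
            return False
        return bound_terminal == terminal_id  # assumption: credentials bound to their terminal


def dual_authenticate(server: AuthServer, card: Peripheral):
    """Run steps 102-107; return the final Access state and an event trace."""
    trace = []
    # Steps 102/103: terminal authentication gates the user authentication channel.
    if not server.authenticate_terminal(card.terminal_id):
        trace.append("terminal-auth-failed")
        return Access.CLOSED, trace  # step 107
    trace.append("terminal-auth-passed")
    # The terminal is now in Access.AUTH_ONLY: only authentication protocol
    # packets (e.g. PPPoE) cross the channel; every other permission is closed.
    # Steps 104/105: user authentication carried over that channel.
    if not server.authenticate_user(card.username, card.password, card.terminal_id):
        trace.append("user-auth-failed")
        return Access.CLOSED, trace  # step 107: the auth-only channel is closed again
    trace.append("user-auth-passed")
    return Access.OPEN, trace  # step 106


def change_password(server: AuthServer, card: Peripheral, access: Access, new_pw: str) -> bool:
    """Allowed only after full authentication; the change counts as successful
    only once the new password has been written back to the peripheral."""
    if access is not Access.OPEN:
        return False
    salt, _, terminal_id = server.user_records[card.username]
    server.user_records[card.username] = (salt, _derive(new_pw, salt), terminal_id)
    card.password = new_pw  # write-back to the memory card
    return True


def demo() -> dict:
    """Constructed scenarios (all identifiers and credentials are made up)."""
    server = AuthServer()
    server.provision("00:11:22:33:44:55", "alice", "correct horse")
    server.provision("66:77:88:99:aa:bb", "bob", "battery staple")
    good = Peripheral("00:11:22:33:44:55", "alice", "correct horse")
    results = {
        "good": dual_authenticate(server, good),
        "unknown_terminal": dual_authenticate(server, Peripheral("de:ad:be:ef:00:01", "alice", "correct horse")),
        "wrong_password": dual_authenticate(server, Peripheral("00:11:22:33:44:55", "alice", "wrong")),
        # alice's stolen credentials presented from bob's (legitimately provisioned) terminal
        "stolen_on_other_terminal": dual_authenticate(server, Peripheral("66:77:88:99:aa:bb", "alice", "correct horse")),
    }
    results["password_changed"] = change_password(server, good, results["good"][0], "new secret")
    results["after_change"] = dual_authenticate(server, good)
    return results
```

Running `demo()` shows how the two stages address the two weaknesses named in the background: a terminal absent from the records never reaches the user authentication channel, and credentials presented from a terminal other than the one they were provisioned for fail the legitimacy check even though both the terminal and the credentials are individually known to the server. The password change succeeds only from the `OPEN` state and only after the card has been rewritten, matching the "written back into the peripheral" condition of the description.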

Claims

1. A user authentication method, applied to a passive optical network, characterized in that a memory card reader/writer is added to the user terminal, the method further comprising:
the user terminal acquiring user terminal information and user information from a peripheral device connected to the memory card reader/writer; and
performing, on the user terminal information and the user information acquired by the user terminal, dual authentication comprising user terminal authentication and user authentication.

2. The method according to claim 1, characterized in that the process of performing the dual authentication is: sending the user terminal information and the user information acquired by the user terminal to an optical line terminal (OLT)/authentication server, the OLT/authentication server performing user terminal authentication and then user authentication according to the received user terminal information and user information.

3. The method according to claim 2, characterized in that the user terminal authentication method is: comparing the user terminal information with pre-stored user terminal authentication information, and if the two are consistent, determining that the user terminal authentication passes; otherwise, determining that the user terminal authentication fails; and the user authentication method is: performing a legality judgment on the user information, and if the legality judgment passes, determining that the user authentication passes; otherwise, determining that the user authentication fails.

4. The method according to any one of claims 1 to 3, characterized in that the method further comprises: when both the user terminal authentication and the user authentication pass, opening the network permission used by the user terminal and allowing the user terminal to use the network; and when either the user terminal authentication or the user authentication fails, not allowing the user terminal to use the network.

5. The method according to claim 1, characterized in that the method further comprises: storing the user terminal information and the user information in the peripheral device in advance, the user terminal information and the user information being confirmed when the user's service is activated; wherein the user terminal information is media access control address information of the user terminal, or is serial code identifier information of the user terminal; and the user information is a user name and a password.

6. The method according to claim 5, characterized by further comprising a step of modifying the password, the modifying step being: writing the new password back into the peripheral device.

7. A user authentication system, characterized by comprising:
a peripheral device, configured to store user terminal information and user information;
a memory card reader/writer, configured to read the user terminal information and the user information from the peripheral device;
a user terminal, configured to acquire the user terminal information and the user information from the memory card reader/writer, and to send the user terminal information and the user information over the passive optical network; and
an optical line terminal, configured to perform, on the user terminal information and the user information acquired by the user terminal, dual authentication comprising user terminal authentication and user authentication.

8. The user authentication system according to claim 7, characterized by further comprising: an authentication server, configured to perform user terminal authentication and then user authentication according to the user terminal information and the user information from the optical line terminal.

9. The user authentication system according to claim 8, characterized in that the authentication server comprises:
a first unit, configured to compare the user terminal information with pre-stored user terminal authentication information, and if the two are consistent, determine that the user terminal authentication passes; otherwise, determine that the user terminal authentication fails; and
a second unit, configured to perform a legality judgment on the user information, and if the legality judgment passes, determine that the user authentication passes; otherwise, determine that the user authentication fails.

10. The user authentication system according to any one of claims 7 to 9, characterized by further comprising: a permission module, configured to open the network permission used by the user terminal and allow the user terminal to use the network when both the user terminal authentication and the user authentication pass, and not to allow the user terminal to use the network when either the user terminal authentication or the user authentication fails.

11. The user authentication system according to claim 7, characterized in that the user terminal information is media access control address information of the user terminal, or is serial code identifier information of the user terminal; and the user information is a user name and a password.
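The server side of the dual authentication claimed above, as an added Python example that is not ZTE's code: the record read from the memory card (terminal MAC or serial code plus user name and password) is checked terminal-first, then user, and network permission is granted only when both pass; the password change of claim 6 writes the new password back to the card. The terminal registry, the user records, the sample identifiers and the salted PBKDF2 storage of the password on the server side are constructed assumptions; the patent itself does not specify how the server stores the password.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data, not from the patent: terminal identifiers (MAC or
# serial code) confirmed when the subscriber's service was activated, and the
# user records the authentication server holds. The server keeps only a salted
# PBKDF2 hash of the password (a hardening assumption, not claimed by the patent).
REGISTERED_TERMINALS = {"00:1a:2b:3c:4d:5e", "SN-ONU-000123"}
_SALT = b"constructed-demo-salt"

def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USER_RECORDS = {"alice": _pw_hash("correct horse")}

@dataclass
class CardRecord:
    """What the user terminal reads from the memory card (claims 1 and 5)."""
    terminal_info: str   # MAC address or serial code identifier
    username: str
    password: str

def authenticate_terminal(terminal_info: str) -> bool:
    """Claim 3: compare terminal info with the pre-stored terminal records."""
    return terminal_info.lower() in {t.lower() for t in REGISTERED_TERMINALS}

def authenticate_user(username: str, password: str) -> bool:
    """Claim 3: legality judgment on the user name and password."""
    stored = USER_RECORDS.get(username)
    if stored is None:
        _pw_hash(password)  # hash anyway so unknown users take the same time
        return False
    return hmac.compare_digest(stored, _pw_hash(password))

def dual_authenticate(card: CardRecord) -> dict:
    """Claims 2 and 4: terminal authentication first, then user authentication;
    the network permission is opened only when both pass."""
    result = {"terminal": False, "user": False, "network_allowed": False}
    result["terminal"] = authenticate_terminal(card.terminal_info)
    if not result["terminal"]:
        return result  # no user authentication channel for an unknown terminal
    result["user"] = authenticate_user(card.username, card.password)
    result["network_allowed"] = result["user"]
    return result

def change_password(card: CardRecord, new_password: str) -> CardRecord:
    """Claim 6: update the server record and write the new password back to the card
    (modelled as returning a new immutable card record in place of the old one)."""
    if not dual_authenticate(card)["network_allowed"]:
        raise PermissionError("password change requires a passed dual authentication")
    USER_RECORDS[card.username] = _pw_hash(new_password)
    return CardRecord(card.terminal_info, card.username, new_password)
```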
PCT/CN2007/003851 2007-10-24 2007-12-27 Method and systme for user authenticating WO2009052676A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710176305.8 2007-10-24
CN2007101763058A CN101145903B (en) 2007-10-24 2007-10-24 User authentication method

Publications (1)

Publication Number Publication Date
WO2009052676A1 true WO2009052676A1 (en) 2009-04-30

Family

ID=39208220

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/003851 WO2009052676A1 (en) 2007-10-24 2007-12-27 Method and systme for user authenticating

Country Status (2)

Country Link
CN (1) CN101145903B (en)
WO (1) WO2009052676A1 (en)

Also Published As

Publication number Publication date
CN101145903A (en) 2008-03-19
CN101145903B (en) 2010-06-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07855852

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07855852

Country of ref document: EP

Kind code of ref document: A1