WO2009052676A1 - Method and system for user authentication - Google Patents

Method and system for user authentication

Info

Publication number
WO2009052676A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
user terminal
information
authentication
terminal
Prior art date
Application number
PCT/CN2007/003851
Other languages
English (en)
Chinese (zh)
Inventor
Jinshu Lu
Qing Li
Yunpeng Xie
Huannan Ma
Original Assignee
Zte Corporation
Priority date
Filing date
Publication date
Application filed by ZTE Corporation
Publication of WO2009052676A1

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present invention relates to the field of optical communications, and in particular, to a user authentication method and system.
  • The current authentication method first stores device information in the device in advance; the user terminal then sends this device information to an optical line terminal (OLT) for authentication, and if authentication passes, the device is considered legitimate.
  • OLT optical line terminal
  • Alternatively, authentication uses a user name and password.
  • PON passive optical network
  • In a PON, a user terminal such as an optical network unit (ONU) or optical network terminal (ONT) must be authenticated, and the authentication is based on a unique identifier assigned to each user terminal in advance (each user terminal stores its own unique identifier);
  • authentication is initiated by presenting that unique identifier.
  • Consequently, when the user terminal is replaced, the user must re-register with the operator, and the operator is likely to need complicated operations such as database modifications. This is inconvenient for both users and operators, limits the user's choice of user terminal to some extent, and is not conducive to the development of the entire industry.
  • Second, the current authentication method performs either user terminal authentication or user authentication, but not both.
  • With user terminal authentication alone, any user who possesses the user terminal (even one who is not a legitimate user) can use the network normally.
  • With a user name and password alone, only the user is authenticated; if the user name and password are stolen, anyone who obtains them can use the network normally.
  • The current authentication method therefore puts the interests of users and operators at risk, and its security is low.
  • Third, the current authentication method cannot support future service applications such as telephone and Internet TV.
  • A user authentication method is applied to a passive optical network in which a memory card reader/writer is added to the user terminal. The method includes: the user terminal acquires user terminal information and user information from a peripheral device connected to the memory card reader/writer; and dual authentication, comprising user terminal authentication and user authentication, is performed on the user terminal information and user information acquired by the user terminal.
  • The dual authentication is performed by sending the user terminal information and user information acquired by the user terminal to the OLT or an authentication server, which performs user terminal authentication and then user authentication according to the received information.
  • User terminal authentication compares the user terminal information with pre-stored user terminal authentication information; if the two are consistent, the user terminal passes authentication, otherwise it fails.
  • User authentication performs a legality judgment on the user information; if the judgment passes, user authentication passes, otherwise it fails.
  • After the user terminal passes authentication, a user authentication channel is established to carry the communication of the user authentication process.
  • the authentication result of the user terminal authentication and/or the user authentication is further returned to the user terminal.
  • The method further includes: when both user terminal authentication and user authentication pass, opening the network permissions used by the user terminal and allowing it to use the network; when either of the two authentications fails, not allowing the user terminal to use the network.
  • The method further includes: the user terminal information and user information are pre-stored in the peripheral device and are confirmed when the user opens (subscribes to) a service.
  • The user terminal information is the media access control (MAC) address of the user terminal or the serial number identifier of the user terminal; the user information is a user name and a password.
  • The password can further be modified, by writing a new password to the peripheral device.
  • A user authentication system includes: a peripheral device for storing user terminal information and user information; a memory card reader/writer for reading the user terminal information and user information from the peripheral device; a user terminal for acquiring the user terminal information and user information from the memory card reader/writer and transmitting them through a passive optical network;
  • and an optical line terminal configured to perform dual authentication, comprising user terminal authentication and user authentication, on the user terminal information and user information acquired by the user terminal.
  • The user authentication system further includes an authentication server configured to perform user terminal authentication and then user authentication according to the user terminal information and user information received from the optical line terminal.
  • The authentication server includes: a first unit configured to compare the user terminal information with the pre-stored user terminal authentication information and to determine that the user terminal passes authentication if the two are consistent, otherwise that it fails; and a second unit configured to perform a legality judgment on the user information and to determine that user authentication passes if the judgment passes, otherwise that it fails.
  • the user authentication system further includes: a channel module, configured to: after the user terminal passes the authentication, establish a user authentication channel that supports the communication interaction in the user authentication process.
  • The user authentication system further includes a return module for returning the result of the user terminal authentication and/or the user authentication to the user terminal.
  • The user authentication system further includes a permission module configured to open the network permissions used by the user terminal and allow it to use the network when both user terminal authentication and user authentication pass, and not to allow the user terminal to use the network when either of the two fails.
  • the user terminal information is media access control address information of the user terminal; or is serial code identifier information of the user terminal; the user information is a user name and a password.
  • the user authentication system further comprises: a cryptographic module, configured to write the new password back to the peripheral device.
  • The user authentication method and system provided by the present invention separate the user terminal from the user terminal information and user information by adding a memory card reader/writer on the user terminal, so that the user terminal information and user information no longer need to be permanently stored in the user terminal.
  • This enables the user to purchase a user terminal from the market and replace it at will, which promotes the development of the entire industry chain.
  • Through the memory card reader/writer, the dual authentication of user terminal authentication and user authentication can be performed automatically.
  • The flexibility and security of authentication are clearly improved, so user satisfaction can be effectively improved.
  • FIG. 1 is a flowchart of user authentication according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of a composition of a user authentication system according to an embodiment of the present invention.
  • the present invention is described in detail below with reference to the accompanying drawings.
  • FIG. 1 is a flowchart of user authentication according to an embodiment of the present invention.
  • The process includes the following steps. Step 101: obtain user terminal information and user information from a peripheral device. To realize this step, the circuit of a memory card reader/writer is added to the printed circuit board (PCB) of the user terminal, and the read/write pins of the memory card reader/writer are connected to the user terminal's processor.
  • PCB printed circuit board
  • Because the read/write pins are connected to the central processing unit (CPU) of the user terminal, when a peripheral device is inserted into the memory card reader/writer the reader can read the information from the peripheral medium and send it through its read/write pins to the CPU for subsequent processing by the user terminal.
  • The memory card reader/writer may be implemented as an interface reader/writer, which reads information from the peripheral device through its interface.
  • For example, an interface reader/writer supporting Universal Serial Bus (USB) can be designed on the user terminal, with its circuit designed according to the current USB standard; a Secure Digital (SD) memory card interface reader/writer can also be designed on the user terminal.
  • USB Universal Serial Bus
  • SD Secure digital
  • The circuit of an SD card interface reader/writer is designed according to the current SD memory card standard. It should be noted that, when designing the memory card reader/writer on the user terminal, it is generally recommended to adopt common protocol standards (such as the USB, IC card, SD memory card and SIM card standards), so that products from different manufacturers are interoperable and compatible. In practical applications, the operator can pre-store the user terminal information and user information (usually confirmed when the user opens a service) in a standard peripheral device. When that peripheral device is inserted into the memory card reader/writer on the user terminal, the reader/writer can read the user terminal information and user information from it.
  • Step 102: the user terminal parses the user terminal information acquired from the peripheral device and sends it to the OLT, which performs user terminal authentication.
  • The specific user terminal authentication method is as follows: the OLT compares the received user terminal information with the user terminal authentication information it has saved; if the two are consistent, the OLT determines that authentication passes, otherwise that it fails. The OLT returns the authentication result to the user terminal regardless of whether authentication passes. It should be noted that the information involved in user terminal authentication may differ between application environments.
  • In one environment, the information involved in user terminal authentication includes at least the media access control (MAC) address of the user terminal, which is carried to the OLT by the Multipoint Control Protocol (MPCP).
  • MPCP Multipoint Control Protocol
  • The MPCP message carries the MAC address to the OLT for user terminal authentication; in a Gigabit Passive Optical Network (GPON) system, the information involved in user terminal authentication includes at least the serial number (SN) identifier of the user terminal, which is sent to the OLT through a protocol message such as physical layer operation management and maintenance (PLOAM).
  • PLOAM physical layer operation management and maintenance
  • The OLT can also forward the received user terminal information to a dedicated authentication server, which then performs the subsequent operations of user terminal authentication and feedback of the authentication result.
  • Step 103: proceed according to whether user terminal authentication passed. If it passed, proceed to step 104; otherwise proceed directly to step 107.
  • If it passed, the OLT establishes a user authentication channel between itself and the user terminal. This channel can be implemented over several kinds of transmission channel, such as the operation administration and maintenance (OAM) channel in an EPON system or the ONT Management Control Interface (OMCI) channel in a GPON system.
  • OAM operation management and maintenance
  • OMCI ONT Management Control Interface
  • The transmission channel can also be carried by a communication message (such as a PLOAM message in GPON).
  • The user authentication protocol packet used for the subsequent user authentication may be, for example, the Point-to-Point Protocol over Ethernet (PPPoE), or simply a user name and password, and the like.
  • While only the user authentication channel is open, all other network permissions of the user terminal remain closed, and the user terminal is temporarily not allowed to use the network.
  • Step 104: the user terminal parses the user information obtained from the peripheral device and sends it to the OLT, which performs user authentication.
  • Specifically, the user terminal assembles the received user information (such as a user name and password) into a user authentication protocol packet (which may include a frame structure) and sends that packet to the OLT through the user authentication channel.
  • The user terminal can also send the received user information directly to the OLT.
  • After receiving the user information from the user terminal, the OLT performs a legality judgment on the user name, password and other information it contains, and may further combine the device information of the user terminal in that judgment. If the judgment passes, the OLT determines that authentication passes; otherwise it determines that authentication fails. Regardless of the outcome, the OLT returns the authentication result to the user terminal. In practice, the OLT may forward the received user information to a dedicated authentication server, which performs user authentication and feedback of the result.
  • Step 105: proceed according to whether user authentication passed. If it passed, go to step 106; otherwise go directly to step 107.
  • Step 106: the OLT or the authentication server that performed the authentication determines that authentication succeeded, opens the network permissions used by the user terminal, and allows the user terminal to use the network.
  • Step 107: the OLT or the authentication server that performed the authentication determines that authentication failed and does not allow the user terminal to use the network.
  • The function of the aforementioned indicator light can be extended: in addition to indicating read/write status, it can indicate the status of sending the user terminal information and user information and whether authentication passed or failed. In this way, a device failure can be located, and the cause of an authentication failure can be clearly known.
  • The above process is completely automatic once the peripheral device is inserted into the memory card reader/writer, without manual intervention.
  • FIG. 2 is a schematic diagram of the composition of a user authentication system 100 according to an embodiment of the present invention, including: a peripheral device 10 for storing user terminal information and user information; and a memory card reader/writer 20 for reading the user terminal information and user information from the peripheral device.
  • The user terminal 30 is configured to acquire the user terminal information and user information from the memory card reader/writer and to send them through the passive optical network.
  • The optical line terminal 40 is configured to perform dual authentication, comprising user terminal authentication and user authentication, on the user terminal information and user information acquired by the user terminal.
  • The user authentication system separates the user terminal from the user terminal information and user information by adding a memory card reader/writer on the user terminal, so it is no longer necessary to store the user terminal information and user information in the user terminal itself.
  • the user authentication system further includes: an authentication server 50, configured to perform user terminal authentication and user authentication according to user terminal information and user information from the optical line terminal.
  • The authentication server 50 includes a first unit for comparing the user terminal information with the pre-stored user terminal authentication information; if the two are consistent, it determines that user terminal authentication passes, otherwise that it fails.
  • the authentication server 50 includes: a second unit, configured to perform legality judgment on the user information, and if the legality judgment passes, determine that the authentication passes; otherwise, determine that the authentication fails.
  • the user authentication system further includes: a channel module, configured to establish a user authentication channel that supports communication interaction in the user authentication process after the user terminal passes the authentication.
  • the user authentication system further includes: a returning module, configured to return an authentication result of the user terminal authentication and/or the user authentication to the user terminal.
  • The user authentication system further includes a permission module, configured to open the network permissions used by the user terminal and allow it to use the network when both user terminal authentication and user authentication pass, and not to allow the user terminal to use the network when either of the two fails.
  • the user terminal information is media access control address information of the user terminal; or is serial code identifier information of the user terminal; the user information is a user name and a password.
  • the user authentication system further comprises: a cryptographic module, configured to write the new password back to the peripheral device.
  • The user authentication method and system provided by the present invention separate the user terminal from the user terminal information and user information by adding a memory card reader/writer on the user terminal, so that the user terminal information and user information no longer need to be fixedly stored in the user terminal;
  • this enables the user to purchase a user terminal from the market and replace it at will, thereby promoting the development of the entire PON industry chain.
  • Through the memory card reader/writer, user terminal authentication and user authentication can be performed automatically. The flexibility and security of authentication are thus significantly improved, and user satisfaction can be effectively improved.
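The two-stage flow of steps 101 to 107 (terminal check first, user check only over the authentication channel, network opened only when both pass) as an added Python model; this is example code written for this page, not code from the patent or from ZTE. The server-side password storage (salted PBKDF2) and the binding of each user name to the terminal identifier it was provisioned with are assumptions of this example, since the description only says the legality judgment "may further combine the device information of the user terminal"; all MAC addresses, serial numbers and credentials are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PeripheralRecord:
    """What the memory card reader/writer returns in step 101 (constructed data)."""
    terminal_id: str   # user terminal information: MAC address (MPCP) or SN (PLOAM)
    username: str      # user information
    password: str


@dataclass
class Session:
    """Authentication state the OLT keeps for one user terminal."""
    terminal_authenticated: bool = False
    auth_channel_open: bool = False   # OAM/OMCI-style channel, opened only in step 103
    user_authenticated: bool = False
    network_open: bool = False        # opened only in step 106


class AuthServer:
    """OLT / authentication server: first unit (terminal) and second unit (user)."""

    def __init__(self, terminal_ids: List[str], users: List[Tuple[str, str, str]]):
        # pre-stored user terminal authentication information (MAC or SN)
        self.terminal_ids = {t.lower() for t in terminal_ids}
        # username -> (salt, PBKDF2 digest, terminal id the subscription is bound to)
        self.users: Dict[str, Tuple[bytes, bytes, str]] = {}
        for username, password, bound_terminal in users:
            salt = os.urandom(16)
            self.users[username] = (salt, self._digest(salt, password),
                                    bound_terminal.lower())

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        # assumption: the server keeps a salted hash, not the plaintext password
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def authenticate_terminal(self, terminal_id: str) -> bool:
        """First unit (step 102): compare terminal info with the pre-stored list."""
        return terminal_id.lower() in self.terminal_ids

    def authenticate_user(self, terminal_id: str, username: str, password: str) -> bool:
        """Second unit (step 104): legality judgment that also combines the device info."""
        record = self.users.get(username)
        if record is None:
            return False
        salt, stored, bound_terminal = record
        if not hmac.compare_digest(stored, self._digest(salt, password)):
            return False
        return bound_terminal == terminal_id.lower()


def run_dual_authentication(server: AuthServer, card: Optional[PeripheralRecord]) -> Session:
    """Steps 101-107: terminal authentication first, then user authentication."""
    session = Session()
    if card is None:                         # step 101 read nothing; nothing is sent
        return session
    session.terminal_authenticated = server.authenticate_terminal(card.terminal_id)
    if not session.terminal_authenticated:   # step 103 -> step 107: network stays closed
        return session
    session.auth_channel_open = True         # step 103: only this channel is opened
    session.user_authenticated = server.authenticate_user(  # step 104 over that channel
        card.terminal_id, card.username, card.password)
    if not session.user_authenticated:       # step 105 -> step 107: network stays closed
        return session
    session.network_open = True              # step 106: network permissions opened
    return session


def demo() -> Dict[str, Session]:
    """Constructed scenarios showing that both checks must pass."""
    server = AuthServer(
        terminal_ids=["00:1A:2B:3C:4D:5E", "ZTEG12345678"],   # constructed MAC and SN
        users=[("alice", "correct horse", "00:1a:2b:3c:4d:5e"),
               ("bob", "battery staple", "ZTEG12345678")])
    cases = {
        "legit": PeripheralRecord("00:1a:2b:3c:4d:5e", "alice", "correct horse"),
        "stolen_creds_unknown_terminal": PeripheralRecord("DE:AD:BE:EF:00:01", "alice", "correct horse"),
        "known_terminal_wrong_password": PeripheralRecord("ZTEG12345678", "bob", "wrong"),
        "creds_on_other_subscribers_terminal": PeripheralRecord("ZTEG12345678", "alice", "correct horse"),
        "no_card": None,
    }
    return {name: run_dual_authentication(server, card) for name, card in cases.items()}
```

The scenarios in `demo()` show the property the description claims: a stolen user name and password on an unknown terminal never even reach the user authentication channel, and a known terminal with the wrong (or another subscriber's) credentials never gets the network opened.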

Abstract

The present invention relates to a method and a system for authenticating a user. The method and system are used in a passive optical network and add a memory card reader/writer to the user terminal. The method further comprises a user terminal that: obtains user terminal information and user information from the peripheral equipment connected to the memory card reader/writer; and performs dual authentication, comprising user terminal authentication and user authentication, on the user terminal information and user information obtained by the user terminal.
PCT/CN2007/003851 2007-10-24 2007-12-27 Method and system for user authentication WO2009052676A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710176305.8 2007-10-24
CN2007101763058A CN101145903B (zh) 2007-10-24 2007-10-24 A user authentication method

Publications (1)

Publication Number Publication Date
WO2009052676A1 true WO2009052676A1 (fr) 2009-04-30

Family

ID=39208220

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/003851 WO2009052676A1 (fr) 2007-10-24 2007-12-27 Method and system for user authentication

Country Status (2)

Country Link
CN (1) CN101145903B (fr)
WO (1) WO2009052676A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2330755A1 (fr) * 2009-12-07 2011-06-08 Nokia Siemens Networks Oy Method and device for processing data in an optical network
CN102439899A (zh) * 2011-10-27 2012-05-02 华为技术有限公司 Authentication method for an optical network system, optical network terminal and optical network system
CN103618751A (zh) * 2013-12-12 2014-03-05 绵阳芯联芯网络科技有限公司 Passive optical network service protection method based on a separation mapping mechanism

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101083589B (zh) 2007-07-13 2010-08-11 华为技术有限公司 Terminal detection and authentication method, apparatus and operation management system in a passive optical network
CN103107884B (zh) * 2013-01-07 2016-09-28 广州广电运通金融电子股份有限公司 Authentication method and apparatus based on a financial self-service device
CN103716366A (zh) * 2013-09-13 2014-04-09 汉柏科技有限公司 Cloud computing server access system and access method
SG11201605622UA (en) * 2014-01-31 2016-08-30 Ricoh Co Ltd Access control device, communication system, program, and method for controlling access
US20170332236A1 (en) * 2014-11-29 2017-11-16 Huawei Technologies Co., Ltd. Identity authentication method and wearable device
CN104852925B (zh) * 2015-05-28 2018-08-28 江南大学 Leak-proof secure storage and backup method for mobile intelligent terminal data
CN107979571B (zh) * 2016-10-25 2021-10-26 中国移动通信有限公司研究院 File usage processing method, terminal and server
CN106713270A (zh) * 2016-11-24 2017-05-24 北京康易联技术有限公司 Method and device for information verification
CN107124422A (zh) * 2017-05-12 2017-09-01 北京明朝万达科技股份有限公司 Terminal access control method and system
CN107342998A (zh) * 2017-07-04 2017-11-10 四川云物益邦科技有限公司 Personal information extraction method implemented through a mobile storage device
CN107332667A (zh) * 2017-07-04 2017-11-07 四川云物益邦科技有限公司 Query system using digital certificates
CN113422879A (zh) * 2020-03-03 2021-09-21 富士施乐实业发展(中国)有限公司 Multifunction peripheral and control method therefor, and user terminal and control method therefor

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060078809A (ko) * 2004-12-31 2006-07-05 삼성전자주식회사 Method and apparatus for delivering an encryption key after subscriber authentication in a passive optical subscriber network system
CN1968089A (zh) * 2006-09-29 2007-05-23 华为技术有限公司 User authentication method for a passive optical network

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7187678B2 (en) * 2001-08-13 2007-03-06 At&T Labs, Inc. Authentication for use of high speed network resources
CN2587116Y (zh) * 2002-11-13 2003-11-19 上海宽讯时代科技有限公司 Wireless local area network security firewall system device
KR100594024B1 (ko) * 2003-03-10 2006-07-03 삼성전자주식회사 Authentication method and authentication apparatus in EPON, and computer-readable recording medium storing a program for implementing the method
CN100544252C (zh) * 2003-12-09 2009-09-23 联想(北京)有限公司 Network computer user security management method and system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060078809A (ko) * 2004-12-31 2006-07-05 삼성전자주식회사 Method and apparatus for delivering an encryption key after subscriber authentication in a passive optical subscriber network system
CN1968089A (zh) * 2006-09-29 2007-05-23 华为技术有限公司 User authentication method for a passive optical network

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2330755A1 (fr) * 2009-12-07 2011-06-08 Nokia Siemens Networks Oy Method and device for processing data in an optical network
CN102439899A (zh) * 2011-10-27 2012-05-02 华为技术有限公司 Authentication method for an optical network system, optical network terminal and optical network system
WO2012163022A1 (fr) * 2011-10-27 2012-12-06 华为技术有限公司 Optical network termination, optical network system and authentication method for an optical network system
CN102439899B (zh) * 2011-10-27 2013-12-18 华为技术有限公司 Authentication method for an optical network system, optical network terminal and optical network system
CN103618751A (zh) * 2013-12-12 2014-03-05 绵阳芯联芯网络科技有限公司 Passive optical network service protection method based on a separation mapping mechanism
CN103618751B (zh) * 2013-12-12 2016-08-31 绵阳芯联芯网络科技有限公司 Passive optical network service protection method based on a separation mapping mechanism

Also Published As

Publication number Publication date
CN101145903A (zh) 2008-03-19
CN101145903B (zh) 2010-06-16

Similar Documents

Publication Publication Date Title
WO2009052676A1 (fr) Method and system for user authentication
JP3844762B2 (ja) Authentication method and authentication device in EPON
EP2073444B1 (fr) Method, device and system for operational management of terminal detection authentication in a passive optical network
US8719915B2 (en) Method for improving network application security and the system thereof
WO2010135936A1 (fr) Method and apparatus for authentication in a passive optical network, and associated passive optical network
US20110265151A1 (en) Method of adding a client device or service to a wireless network
CN103795545A (zh) Secure communication method and system
US10819708B2 (en) Method for authenticating optical network unit, optical line terminal, and optical network unit
EP3007384B1 (fr) Method, apparatus and system for terminal authentication in a passive optical network
CN102571353B (zh) Method for verifying the legitimacy of a home gateway in a passive optical network
CN101795263A (zh) Broadband secure access method, authentication method and apparatus, and system
CN102271133A (zh) Authentication method, apparatus and system
CN112491829B (zh) MEC platform identity authentication method and apparatus based on a 5G core network and blockchain
WO2017005163A1 (fr) Security authentication device based on wireless communication
JP4812339B2 (ja) Access control method, access authentication device and computer program for access authentication in a subscriber communication network
CN102170421A (zh) Method and system for implementing hybrid authentication
CN101600169A (zh) Authentication method and apparatus for accessing a mail server device
CN106878280A (zh) User authentication method and apparatus, and method and apparatus for obtaining user number information
JP2007208759A (ja) Authentication security system combining MAC address and user authentication
CN108123918A (zh) Account authentication login method and apparatus
JP2017092556A (ja) Station-side device, information management device, terminal authentication method and information management method
CN109495481A (zh) Mutual authentication method between an OLT device and an ONU device, and control end
CN101478554A (zh) 802.1x authentication method, apparatus, system, client and network device
WO2010109871A1 (fr) Method for authenticating and connecting an optical communication device in an optical communication network
WO2012163022A1 (fr) Optical network termination, optical network system and authentication method for an optical network system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07855852

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07855852

Country of ref document: EP

Kind code of ref document: A1