WO2011035514A1 - Tunneling-technique-based tri-element authentication extensible method and system thereof - Google Patents

Info

Publication number
WO2011035514A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
access controller
ternary
requester
packet
Application number
PCT/CN2009/075647
Other languages
French (fr)
Chinese (zh)
Inventor
肖跃雷
曹军
黄振海
葛莉
Original Assignee
西安西电捷通无线网络通信有限公司

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/08  Network architectures or network communication protocols for network security for authentication of entities
    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/02  Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/029  Firewall traversal, e.g. tunnelling or creating pinholes

Definitions

  • The invention belongs to the technical field of network security, and in particular relates to a ternary authentication scalable method based on tunnel technology and a system thereof.
  • The Extensible Authentication Protocol (EAP) is an authentication framework used for point-to-point authentication that supports multiple authentication mechanisms. EAP does not specify the authentication method during the link control phase but defers that decision to the authentication phase, so that the authenticator can request more information before deciding which authentication method to use. This mechanism allows a "back-end" authentication server to actually carry out the authentication mechanism, while the authenticator simply relays the authentication exchange.
  • Since EAP is only an authentication framework suited to point-to-point authentication protocols, it is not suitable for implementing three-party authentication protocols such as the Tri-element Peer Authentication protocol, in which the two authenticating parties achieve mutual authentication on the basis of a trusted third party. To meet the needs of three-party authentication protocols, an authentication framework suited to them, the Tri-element Authentication Extensible Protocol (TAEP), has been proposed; the TAEP packet format is similar to the EAP packet format, but the TAEP layered model differs from that of EAP.
  • FIG. 1 is a schematic diagram of the format of a TAEP packet in the prior art. A TAEP packet consists of the following fields:
  • Code field: 1 octet, indicating the type of TAEP packet: 1 Request, 2 Response, 3 Success, 4 Failure.
  • Identifier field: 1 octet, used to match a Request packet with its Response packet.
  • Length field: 2 octets, giving the number of octets in the whole TAEP packet, i.e. the sum of the lengths of the Code, Identifier, Length and Data fields.
  • Data field: variable length, 0 or more octets; its format is determined by the value of the Code field. If Code is Request or Response, the Data field contains a Type field and a Type-Data field, where Type may be, for example, Identity or TP Authentication (third-party authentication). If Code is Success or Failure, the Data field is absent.
  • FIG. 2 is a schematic structural diagram of the TAEP multiplexing model in the prior art. The TAEP message exchange proceeds as follows:
  • Step a: The authentication access controller sends a Request packet to the requester to start authentication. The Request carries a Type field indicating the type of request; here Type is Identity, requesting the identity.
  • Step b: The requester sends a Response packet to the authentication access controller in response to a valid Request. The Response packet contains a Type field corresponding to the Type field of the Request packet, and its Type-Data contains the identity of the peer.
  • Step c: The authentication access controller sends a Request packet to the authentication server. The Request carries a Type field indicating the type of request; here Type is TP Authentication, used to request the authentication method type from the authentication server.
  • Step d: The authentication server sends a Response packet to the authentication access controller; the Response packet contains a Type field corresponding to the Type field of the Request packet.
  • Step e: The authentication access controller selects an authentication method according to the authentication method type returned by the authentication server and starts the authentication process. It sends a Request packet to the requester, the requester answers with a Response packet, and this Request/Response sequence continues as long as needed. Likewise, the authentication access controller sends Request packets to the authentication server, which answers with Response packets, for as long as needed. The authentication access controller is responsible for retransmitting Request packets.
  • Step f: The conversation continues until the authentication access controller cannot authenticate the requester, in which case it sends a Failure packet to the requester, or until the authentication access controller determines that authentication has completed successfully, in which case it either stops sending Request packets, ending the exchange, or sends a Success packet to the requester.
  • Steps c and d above are optional: when the authentication method is already fixed, or is otherwise determined by the authentication method and identity, steps c and d may be omitted.
  • EAP supports tunnel-based EAP authentication methods; for example, the Trusted Network Connect (TNC) architecture of the Trusted Computing Group (TCG) uses tunnelled EAP to implement the TNC platform authentication protocol. The authentication process that establishes the secure tunnel can be called the external authentication process, and the authentication process carried out inside the secure tunnel can be called the internal authentication process.
  • TAEP likewise needs a TAEP authentication method that supports tunnelling, in order to strengthen the security of the ternary authentication mechanism or to fit particular application scenarios. For example, a trusted network connection architecture based on ternary peer authentication needs tunnelling support, because a TAEP authentication method is used there to implement platform authentication. It is therefore necessary to provide a ternary authentication scalable method based on tunnel technology.
  • The present invention provides a tunnel-based ternary authentication scalable method and system that increase the applicability of tunnelled TAEP and strengthen the security of the internal authentication process.
  • The ternary authentication scalable method based on tunnel technology comprises the following steps:
  • Step 1: The requester, the authentication access controller and the authentication server perform an external authentication process and establish a secure tunnel between the requester and the authentication access controller.
  • Step 2: The requester, the authentication access controller and the internal authentication server perform an internal authentication process, in which the inner TAEP packets exchanged between the requester and the authentication access controller are protected by the secure tunnel established in step 1.
  • Step 3: The authentication access controller ends the authentication process with a TAEP Success packet or Failure packet.
  • Step 1 above is implemented as follows:
  • Step 1.1: The authentication access controller uses TAEP Request and Response packets to obtain the external authentication identity of the requester.
  • Step 1.2: The authentication access controller uses TAEP Request and Response packets to obtain the authentication method type from the authentication server.
  • Step 1.3: The authentication access controller selects an authentication method, performs the external authentication process with the requester and the authentication server, and establishes a secure tunnel between the requester and the authentication access controller.
  • Step 1.1 above is implemented as follows:
  • Step 1.1.1: The authentication access controller sends a TAEP Request packet to the requester in which the value of the Type field is Identity.
  • Step 1.1.2: The requester sends a TAEP Response packet to the authentication access controller in which the Type field corresponds to the Type field of the TAEP Request packet of step 1.1.1, and the Type-Data contains the external authentication identity of the requester.
  • Step 1.2 above is implemented as follows:
  • Step 1.2.1: The authentication access controller sends a TAEP Request packet to the authentication server in which the value of the Type field is TP Authentication, and the Type-Data contains the external authentication identities of the requester and of the authentication access controller.
  • Step 1.2.2: The authentication server sends a TAEP Response packet to the authentication access controller in which the Type field corresponds to the Type field of the TAEP Request packet of step 1.2.1, and the Type-Data contains the authentication method type.
  • Step 1.3 above is implemented as follows: a series of TAEP Request and Response packets is exchanged between the authentication access controller and the requester, and between the authentication access controller and the authentication server, until the secure tunnel between the requester and the authentication access controller is established. In these packets the value of the Type field is the authentication method selected by the authentication access controller in step 1.3, and the Type-Data contains the authentication protocol message corresponding to the value of the Type field.
  • Step 2 above is implemented as follows:
  • Step 2.1: The authentication access controller uses TAEP Request and Response packets to obtain the internal authentication identity of the requester.
  • Step 2.2: The authentication access controller uses TAEP Request and Response packets to obtain the authentication method type from the internal authentication server.
  • Step 2.3: The authentication access controller selects an authentication method and performs the internal authentication process with the requester and the internal authentication server.
  • Step 2.1 above is implemented as follows:
  • Step 2.1.1: The authentication access controller sends a TAEP Request packet to the requester in which the value of the Type field is the authentication method selected by the authentication access controller in step 1.3, and the value of the Type-Data field is an inner TAEP packet. In the inner TAEP packet, the value of the Code field is Request and the value of the Type field is Identity.
  • Step 2.1.2: The requester sends a TAEP Response packet to the authentication access controller in which the Type field corresponds to the Type field of the TAEP Request packet of step 2.1.1, and the value of the Type-Data field is an inner TAEP packet. In the inner TAEP packet, the value of the Code field is Response, the Type field corresponds to the Type field of the inner TAEP Request packet of step 2.1.1, and the Type-Data field contains the internal authentication identity of the requester.
  • Step 2.2 above is implemented as follows:
  • Step 2.2.1: The authentication access controller sends a TAEP Request packet to the internal authentication server in which the value of the Type field is TP Authentication, and the Type-Data contains the internal authentication identities of the requester and of the authentication access controller.
  • Step 2.2.2: The internal authentication server sends a TAEP Response packet to the authentication access controller in which the Type field corresponds to the Type field of the TAEP Request packet of step 2.2.1, and the Type-Data contains the authentication method type.
  • Step 2.3 above is implemented as follows: a series of TAEP Request and Response packets is exchanged between the authentication access controller and the requester, and between the authentication access controller and the internal authentication server, until the internal authentication process is completed. In the TAEP packets exchanged between the authentication access controller and the requester, the value of the Type field is the authentication method selected by the authentication access controller in step 1.3, and the value of the Type-Data field is an inner TAEP packet; in the inner TAEP packet, the value of the Type field is the authentication method selected by the authentication access controller in step 2.3, and the Type-Data field contains the authentication protocol message corresponding to that Type value. In the TAEP packets exchanged between the authentication access controller and the internal authentication server, the value of the Type field is the authentication method selected in step 2.3, and the Type-Data field contains the authentication protocol message corresponding to that Type value.
  • Step 3 above is implemented as follows:
  • Step 3.1: If the authentication access controller successfully authenticates the requester in the internal authentication process of step 2.3, it sends a TAEP Success packet to the requester.
  • Step 3.2: If the authentication access controller fails to authenticate the requester in the internal authentication process of step 2.3, it sends a TAEP Failure packet to the requester.
  • The present invention also provides a tunnel-based ternary authentication scalable system comprising a requester, an authentication access controller, an authentication server and an internal authentication server. The authentication server and the internal authentication server are each connected to the authentication access controller through TAEP. The requester, the authentication access controller and the authentication server perform an external authentication process that establishes a secure tunnel between the requester and the authentication access controller, and the authentication access controller and the internal authentication server perform an internal authentication process.
  • The invention has the following advantages. The data transmitted in the secure tunnel is an inner TAEP packet, which can support multiple internal authentication mechanisms and so increases the applicability of tunnelled TAEP. The inner TAEP packets between the requester and the authentication access controller are protected by the secure tunnel established in the external authentication process, which protects the internal authentication identity and so strengthens the security of the internal authentication process. Finally, the requester and the authentication access controller can carry out multiple TAEP authentication methods within one TAEP authentication session, which can be applied to access control methods based on ternary peer authentication.
  • FIG. 1 is a schematic diagram of the format of a TAEP packet in the prior art.
  • FIG. 2 is a schematic structural diagram of the TAEP multiplexing model in the prior art.
  • FIG. 3 is a schematic structural diagram of the tunneling-based ternary authentication scalable method of the present invention.
  • The specific steps of the ternary authentication scalable method based on tunnel technology are as follows:
  • Step 1: The requester, the authentication access controller and the authentication server perform an external authentication process and establish a secure tunnel between the requester and the authentication access controller; for example, they perform a user authentication process and establish a session key between the requester and the authentication access controller.
  • Step 1.1: The authentication access controller uses TAEP Request and Response packets to obtain the external authentication identity of the requester:
  • Step 1.1.1: The authentication access controller sends a TAEP Request packet to the requester in which the value of the Type field is Identity.
  • Step 1.1.2: The requester sends a TAEP Response packet to the authentication access controller in which the Type field corresponds to the Type field of the TAEP Request packet of step 1.1.1, and the Type-Data contains the external authentication identity of the requester.
  • Step 1.1 is optional: if the authentication access controller already knows the external authentication identity of the requester, step 1.1 is not required.
  • Step 1.2: The authentication access controller uses TAEP Request and Response packets to obtain the authentication method type from the authentication server, for example the certificate-based WAI protocol of the Chinese WLAN standard or the WAI protocol based on a pre-shared key:
  • Step 1.2.1: The authentication access controller sends a TAEP Request packet to the authentication server in which the value of the Type field is TP Authentication, and the Type-Data contains the external authentication identities of the requester and of the authentication access controller.
  • Step 1.2.2: The authentication server sends a TAEP Response packet to the authentication access controller in which the Type field corresponds to the Type field of the TAEP Request packet of step 1.2.1, and the Type-Data contains the authentication method type.
  • Step 1.2 is optional: if the authentication access controller has been configured with a specific authentication method, step 1.2 is not required.
  • Step 1.3: The authentication access controller selects an authentication method, performs the external authentication process with the requester and the authentication server, and establishes a secure tunnel between the requester and the authentication access controller, for example by running the certificate-based WAI protocol of the Chinese WLAN standard or the WAI protocol based on a pre-shared key:
  • Step 1.3.1: A series of TAEP Request and Response packets is exchanged between the authentication access controller and the requester, and between the authentication access controller and the authentication server, until the secure tunnel between the requester and the authentication access controller is established. In these packets the Type field is the authentication method selected by the authentication access controller in step 1.3, and the Type-Data contains the authentication protocol message corresponding to the value of the Type field.
  • Step 2: The requester, the authentication access controller and the internal authentication server perform an internal authentication process, for example a platform authentication protocol, in which the inner TAEP packets between the requester and the authentication access controller are protected by the secure tunnel established in step 1:
  • Step 2.1: The authentication access controller uses TAEP Request and Response packets to obtain the internal authentication identity of the requester:
  • Step 2.1.1: The authentication access controller sends a TAEP Request packet to the requester in which the value of the Type field is the authentication method selected by the authentication access controller in step 1.3, and the value of the Type-Data field is an inner TAEP packet. In the inner TAEP packet, the value of the Code field is Request and the value of the Type field is Identity.
  • Step 2.1.2: The requester sends a TAEP Response packet to the authentication access controller in which the Type field corresponds to the Type field of the TAEP Request packet of step 2.1.1, and the value of the Type-Data field is an inner TAEP packet. In the inner TAEP packet, the value of the Code field is Response, the Type field corresponds to the Type field of the inner TAEP Request packet of step 2.1.1, and the Type-Data field contains the internal authentication identity of the requester.
  • Step 2.1 is optional.
  • Step 2.2: The authentication access controller uses TAEP Request and Response packets to obtain the authentication method type from the internal authentication server:
  • Step 2.2.1: The authentication access controller sends a TAEP Request packet to the internal authentication server in which the value of the Type field is TP Authentication, and the Type-Data contains the internal authentication identities of the requester and of the authentication access controller.
  • Step 2.2.2: The internal authentication server sends a TAEP Response packet to the authentication access controller in which the Type field corresponds to the Type field of the TAEP Request packet of step 2.2.1, and the Type-Data contains the authentication method type.
  • The Type-Data of step 2.2.2 may additionally carry an authentication policy for the authentication method; for example, the internal authentication server includes a platform authentication policy in the Type-Data of this step in order to deliver the platform authentication policy to the authentication access controller.
  • Step 2.2 is optional: if the authentication access controller has been configured with a specific authentication method and authentication policy for the internal authentication process, step 2.2 is not required.
  • Step 2.3: The authentication access controller selects an authentication method and performs the internal authentication process with the requester and the internal authentication server, for example a platform authentication protocol:
  • Step 2.3.1: A series of TAEP Request and Response packets is exchanged between the authentication access controller and the requester, and between the authentication access controller and the internal authentication server, until the internal authentication process is completed. In the TAEP Request and Response packets exchanged between the authentication access controller and the requester, the value of the Type field is the authentication method selected by the authentication access controller in step 1.3, and the value of the Type-Data field is an inner TAEP packet; in the inner TAEP packet, the value of the Type field is the authentication method selected by the authentication access controller in step 2.3, and the Type-Data field contains the authentication protocol message corresponding to that Type value. In the TAEP Request and Response packets exchanged between the authentication access controller and the internal authentication server, the value of the Type field is the authentication method selected in step 2.3, and the Type-Data field contains the authentication protocol message corresponding to that Type value.
  • Step 3: The authentication access controller ends the authentication process with a TAEP Success packet or Failure packet:
  • Step 3.1: If the authentication access controller successfully authenticates the requester in the internal authentication process of step 2.3, it sends a TAEP Success packet to the requester.
  • Step 3.2: If the authentication access controller fails to authenticate the requester in the internal authentication process of step 2.3, it sends a TAEP Failure packet to the requester.
  • The present invention also provides a tunnel-based ternary authentication scalable system comprising a requester, an authentication access controller, an authentication server and an internal authentication server. The requester, the authentication server and the internal authentication server are each connected to the authentication access controller through TAEP. The requester, the authentication access controller and the authentication server perform an external authentication process and establish a secure tunnel between the requester and the authentication access controller; the requester, the authentication access controller and the internal authentication server perform an internal authentication process.
  • In this system, the requester, the authentication access controller and the authentication server perform the external authentication process that establishes the secure tunnel between the requester and the authentication access controller; for example, they perform a user authentication process and establish a session key between the requester and the authentication access controller. The authentication server need not take part in the external authentication process.
  • The requester, the authentication access controller and the internal authentication server perform the internal authentication process, for example a platform authentication protocol. In the TAEP packets transmitted between the authentication access controller and the internal authentication server, the value of the Type field is the internal authentication process method and the value of the Type-Data field is an internal authentication process message. In the TAEP packets transmitted between the requester and the authentication access controller, the value of the Type field is the external authentication process method and the Type-Data field is an inner TAEP packet; in the inner TAEP packet, the value of the Type field is the internal authentication process method and the value of the Type-Data field is the internal authentication process message.
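The packet layout described above (Code, Identifier, Length, Data with Type and Type-Data) and the nesting of an inner TAEP packet in the Type-Data of an outer packet in steps 2.1.1 and 2.1.2, as an added Python example that is not part of the patent. The numeric Type values and the method code are assumed placeholders; the secure tunnel of step 1 that would protect the outer octets is outside the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Code field values, as listed on the page.
CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
# Type values: Identity is named on the page; both numbers are assumed
# placeholders, and TYPE_OUTER_METHOD stands for the method chosen in step 1.3.
TYPE_IDENTITY = 1
TYPE_OUTER_METHOD = 20
# Code (1 octet), Identifier (1 octet), Length (2 octets), network byte order.
HEADER = struct.Struct("!BBH")


class TAEPError(ValueError):
    """Any packet that violates the format described on the page."""


@dataclass
class TAEPPacket:
    code: int
    identifier: int
    type_: Optional[int] = None  # present only in Request/Response packets
    type_data: bytes = b""

    def encode(self) -> bytes:
        if self.code in (CODE_SUCCESS, CODE_FAILURE):
            if self.type_ is not None or self.type_data:
                raise TAEPError("Success/Failure packets carry no Data field")
            data = b""
        elif self.code in (CODE_REQUEST, CODE_RESPONSE):
            if self.type_ is None:
                raise TAEPError("Request/Response packets need a Type field")
            data = bytes([self.type_]) + self.type_data
        else:
            raise TAEPError(f"unknown Code {self.code}")
        length = HEADER.size + len(data)  # Length covers all four fields
        if length > 0xFFFF:
            raise TAEPError("packet does not fit the 2-octet Length field")
        return HEADER.pack(self.code, self.identifier, length) + data

    @classmethod
    def decode(cls, buf: bytes) -> "TAEPPacket":
        if len(buf) < HEADER.size:
            raise TAEPError("truncated TAEP header")
        code, ident, length = HEADER.unpack_from(buf)
        if length < HEADER.size or length > len(buf):  # check before touching Data
            raise TAEPError(f"Length {length} inconsistent with {len(buf)} octets")
        data = bytes(buf[HEADER.size:length])
        if code in (CODE_SUCCESS, CODE_FAILURE):
            if data:
                raise TAEPError("Success/Failure packets must not carry Data")
            return cls(code, ident)
        if code in (CODE_REQUEST, CODE_RESPONSE):
            if not data:
                raise TAEPError("Request/Response packets must carry a Type")
            return cls(code, ident, data[0], data[1:])
        raise TAEPError(f"unknown Code {code}")


def wrap_inner(code: int, identifier: int, outer_type: int, inner: TAEPPacket) -> TAEPPacket:
    # Outer Type is the step-1.3 tunnel method; outer Type-Data is the whole inner packet.
    return TAEPPacket(code, identifier, outer_type, inner.encode())


def unwrap_inner(outer: TAEPPacket, expected_outer_type: int) -> TAEPPacket:
    # Refuse outer packets of the wrong Code or of a Type other than the tunnel method.
    if outer.code not in (CODE_REQUEST, CODE_RESPONSE):
        raise TAEPError("only Request/Response packets carry an inner packet")
    if outer.type_ != expected_outer_type:
        raise TAEPError("outer Type is not the tunnel method selected in step 1.3")
    return TAEPPacket.decode(outer.type_data)


def check_response(request: TAEPPacket, response: TAEPPacket) -> None:
    # Identifier matches the Request with its Response; Type must correspond.
    if request.code != CODE_REQUEST or response.code != CODE_RESPONSE:
        raise TAEPError("expected a Request/Response pair")
    if response.identifier != request.identifier:
        raise TAEPError("Response Identifier does not match the Request")
    if response.type_ != request.type_:
        raise TAEPError("Response Type does not correspond to the Request Type")


def step_2_1_exchange(internal_identity: bytes, outer_id: int = 7, inner_id: int = 1) -> bytes:
    """Run steps 2.1.1 and 2.1.2 end to end; return the identity the controller learns."""
    # Step 2.1.1, controller side: inner Identity Request inside the outer method packet.
    inner_req = TAEPPacket(CODE_REQUEST, inner_id, TYPE_IDENTITY)
    outer_req = wrap_inner(CODE_REQUEST, outer_id, TYPE_OUTER_METHOD, inner_req)
    wire = outer_req.encode()  # these octets are what the step-1 secure tunnel protects
    # Requester side: unwrap, verify it is an inner Identity Request, answer it.
    rx_req = TAEPPacket.decode(wire)
    inner = unwrap_inner(rx_req, TYPE_OUTER_METHOD)
    if inner.code != CODE_REQUEST or inner.type_ != TYPE_IDENTITY:
        raise TAEPError("inner packet is not an Identity Request")
    inner_resp = TAEPPacket(CODE_RESPONSE, inner.identifier, TYPE_IDENTITY, internal_identity)
    wire = wrap_inner(CODE_RESPONSE, rx_req.identifier, rx_req.type_, inner_resp).encode()
    # Step 2.1.2, controller side: both the outer and the inner pair must match.
    rx_resp = TAEPPacket.decode(wire)
    check_response(outer_req, rx_resp)
    inner_answer = unwrap_inner(rx_resp, TYPE_OUTER_METHOD)
    check_response(inner_req, inner_answer)
    return inner_answer.type_data
```

Because Length is validated before Data is read, a packet whose Length exceeds the received octets is rejected at either layer, and the inner identity is only accepted once both the outer and the inner Identifier/Type pairs match.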

Abstract

A tunneling-technique-based tri-element authentication extensible method and system thereof are provided by the invention. The method comprises steps as follows: 1) an outer authentication process is executed by an applicant, an authentication access controller and an authentication server, and a safe tunnel between the applicant and the authentication access controller is established; 2) an inner authentication process is executed by the applicant, the authentication access controller and an inner authentication server, wherein the inner tri-element authentication extensible protocol (TAEP) packet between the applicant and the authentication access controller is protected via the safe tunnel established in step 1); 3) the authentication process is ended by the authentication access controller with a success packet or a failure packet of TAEP. The invention provides a tunneling-technique-based tri-element authentication extensible method and system thereof that can increase the applicability of the tunnel TAEP, and enhance the security of the inner authentication process.

Description

一种基于隧道技术的三元鉴别可扩展方法及其系统 技术领域  Three-dimensional authentication scalable method based on tunnel technology and system thereof
本发明属于网络安全技术领域, 尤其涉及一种基于隧道技术的三元鉴别 可扩展方法及其系统。 背景技术  The invention belongs to the technical field of network security, and in particular relates to a ternary authentication scalable method based on tunnel technology and a system thereof. Background technique
可扩展鉴别协议 ( Extensible Authentication Protocol, EAP )是一个鉴别 框架, 它用于点到点的鉴别, 可支持多种鉴别机制。 EAP并不在链路控制阶 段指定鉴别方法, 而是把这个过程推迟到鉴别阶段。 这样鉴别器就可以要求 更多的信息以后再决定使用什么鉴别方法。 这种机制允许使用一台 "后端" 鉴别服务器来真正执行鉴别机制, 而鉴别器只是传递鉴别交换信息。  The Extensible Authentication Protocol (EAP) is an authentication framework that is used for point-to-point authentication and supports multiple authentication mechanisms. EAP does not specify the authentication method during the link control phase, but defers the process to the authentication phase. This way the discriminator can ask for more information and decide what authentication method to use later. This mechanism allows a "back-end" authentication server to be used to actually perform the authentication mechanism, while the discriminator simply passes the authentication exchange information.
由于 EAP仅仅是一个适合点到点鉴别协议的鉴别框架, 所以 EAP不适合 实现三方鉴别协议, 如: 三元对等鉴别协议——鉴别双方基于可信第三方来 实现双向鉴别。 为了满足三方鉴别协议的需要, 一种适合三方鉴别协议的鉴 别才 11架构 三元鉴别可扩展协议 ( Tri-element Authentication Extensible Since EAP is only an authentication framework suitable for point-to-point authentication protocols, EAP is not suitable for implementing three-party authentication protocols, such as: Ternary Peer-to-Peer Authentication Protocol—Identify both parties to implement two-way authentication based on trusted third parties. In order to meet the needs of the three-party authentication protocol, a suitable authentication for the three-party authentication protocol is 11 architecture. Tri-element Authentication Extensible
Protocol, TAEP )被提出, 其中 TAEP包的格式与 EAP包的格式类同, 但 TAEP 的层次模型与 EAP不相同。 图 1为现有技术中 TAEP包的格式结构示意图, TAEP包的格式如图 1所示, 其中: Protocol, TAEP) is proposed, where the format of the TAEP packet is the same as that of the EAP packet, but the hierarchical model of TAEP is different from EAP. FIG. 1 is a schematic diagram of a format structure of a TAEP packet in the prior art. The format of a TAEP packet is as shown in FIG. 1 , where:
代码(Code ) 字段: Code字段长度为 1个八位位组, 表示 TAEP分组的类 型:  Code field: The Code field is 1 octet in length, indicating the type of TAEP packet:
1、 请求(Request )分组  1, request (Request) grouping
2、 应答 ( Response )分组  2, response (Response) grouping
3、 成功 ( Success )分组  3. Success group
4、 失败(Failure )分组  4, failure (Failure) grouping
标识( Identifier )字段: Identifier字段长度为 1个八位位组,用于匹配 Request 和 Response分组。 Identifier field: The Identifier field is 1 octet long and is used to match the Request. Grouped with Response.
长度(Length )字段: Length字段的长度为 2个八位位组, 表示整个 TAEP 分组的八位位组数, 即指包括 Code、 Identifier, Length和 Data所有字段的长度 总和。  Length field: The Length field has a length of 2 octets, which indicates the number of octets of the entire TAEP group, that is, the sum of the lengths of all fields including Code, Identifier, Length, and Data.
数据(Data ) 字段: Data字段的长度可变, 分组含 0个或多个八位位组, 其格式由 Code字段的值决定。 若 Code字段的值为 Request或 Response, 则 Data 字段包含类型 (Type )字段和类型数据(Type-Data ) 字段, 其中 Type字段可 为身份(Identity )和第三方鉴别 ( TP Authentication )等。 若 Code字段的值为 Success或 Failure, 则 Data字段不存在。  Data field: The length of the Data field is variable. The group contains 0 or more octets. The format is determined by the value of the Code field. If the value of the Code field is Request or Response, the Data field contains a Type field and a Type-Data field, and the Type field may be an Identity and a TP Authentication. If the value of the Code field is Success or Failure, the Data field does not exist.
FIG. 2 is a schematic diagram of the TAEP multiplexing model in the prior art. The TAEP multiplexing model is as shown in FIG. 2, and the TAEP message exchange proceeds as follows:
Step a: the authentication access controller sends a Request packet to the requester to ask it to begin authentication. The Request has a Type field indicating the type of request; here the Type field is Identity, requesting an identity.
Step b: the requester sends a Response packet to the authentication access controller in reply to a valid Request. The Response packet contains a Type field corresponding to the Type field of the Request packet, and the Type-Data contains the identity of the peer.
Step c: the authentication access controller sends a Request packet to the authentication server. The Request has a Type field indicating the type of request; here the Type is TP Authentication, used to request the authentication method type from the authentication server.
Step d: the authentication server sends a Response packet to the authentication access controller. The Response packet contains a Type field corresponding to the Type field of the Request packet.
Step e: based on the authentication method type returned by the authentication server, the authentication access controller selects an authentication method and begins the authentication process. It sends a Request packet to the requester, and the requester replies with a Response packet to the authentication access controller; this sequence of Requests and Responses continues as needed. The authentication access controller likewise sends Request packets to the authentication server, and the authentication server replies to the authentication access controller with Response packets; this sequence of Requests and Responses also continues for as long as needed. The authentication access controller is responsible for retransmitting Request packets.
Step f: the dialogue continues until either the authentication access controller cannot authenticate the requester, in which case it sends a Failure packet to the requester, or the authentication access controller determines that authentication has completed successfully, in which case it either stops sending Request packets, ending the message exchange, or sends a Success packet to the requester.
Steps c and d above are optional. When the authentication method is fixed, or the authentication method and identity are determined by other means, steps c and d may be performed selectively.
To strengthen the security of the authentication mechanism, or to suit particular application scenarios, EAP supports tunnel-based EAP authentication methods. For example, the Trusted Network Connect (TNC) architecture defined by the Trusted Computing Group (TCG) uses tunneled EAP to implement the platform authentication protocol of the TNC architecture. The authentication process that establishes the secure tunnel may be called the outer authentication process, and the authentication process carried inside the secure tunnel may be called the inner authentication process. Similarly, TAEP also needs a tunnel-based TAEP authentication method to strengthen the security of the tri-element authentication mechanism or to suit particular application scenarios; for example, a trusted network connect architecture based on tri-element peer authentication needs a tunnel-based TAEP authentication method to implement platform authentication. Therefore a tunneling-technique-based tri-element authentication extensible method needs to be established.
Summary of the invention
To solve the above technical problems in the prior art, the present invention provides a tunneling-technique-based tri-element authentication extensible method, and a system thereof, that increase the applicability of tunneled TAEP and strengthen the security of the inner authentication process.
The present invention provides a tunneling-technique-based tri-element authentication extensible method comprising the following steps:
Step 1: the requester, the authentication access controller and the authentication server perform the outer authentication process and establish a secure tunnel between the requester and the authentication access controller;
Step 2: the requester, the authentication access controller and the inner authentication server perform the inner authentication process, in which the inner TAEP packets exchanged between the requester and the authentication access controller are protected by the secure tunnel established in step 1;
Step 3: the authentication access controller ends the authentication process with a TAEP Success packet or Failure packet.
Step 1 above is implemented as follows:
Step 1.1: the authentication access controller uses TAEP Request and Response packets to obtain the outer authentication identity of the requester;
Step 1.2: the authentication access controller uses TAEP Request and Response packets to obtain the authentication method type from the authentication server;
Step 1.3: the authentication access controller selects an authentication method, performs the outer authentication process with the requester and the authentication server, and establishes a secure tunnel between the requester and the authentication access controller.
Step 1.1 above is implemented as follows:
Step 1.1.1: the authentication access controller sends a TAEP Request packet to the requester, in which the value of the Type field is Identity;
Step 1.1.2: the requester sends a TAEP Response packet to the authentication access controller, in which the Type field corresponds to the Type field of the TAEP Request packet of step 1.1.1 and the Type-Data contains the outer authentication identity of the requester.
Step 1.2 above is implemented as follows:
Step 1.2.1: the authentication access controller sends a TAEP Request packet to the authentication server, in which the value of the Type field is TP Authentication and the Type-Data contains the outer authentication identities of the requester and the authentication access controller;
Step 1.2.2: the authentication server sends a TAEP Response packet to the authentication access controller, in which the Type field corresponds to the Type field of the TAEP Request packet of step 1.2.1 and the Type-Data contains the authentication method type.
Step 1.3 above is implemented as follows: the authentication access controller exchanges a series of TAEP Request and Response packets with the requester, and with the authentication server, until the secure tunnel between the requester and the authentication access controller is established; in these packets the Type field is the authentication method selected by the authentication access controller in step 1.3, and the Type-Data contains the authentication protocol message corresponding to the value of the Type field.
Step 2 above is implemented as follows:
Step 2.1: the authentication access controller uses TAEP Request and Response packets to obtain the inner authentication identity of the requester;
Step 2.2: the authentication access controller uses TAEP Request and Response packets to obtain the authentication method type from the inner authentication server;
Step 2.3: the authentication access controller selects an authentication method and performs the inner authentication process with the requester and the inner authentication server.
Step 2.1 above is implemented as follows:
Step 2.1.1: the authentication access controller sends a TAEP Request packet to the requester, in which the value of the Type field is the authentication method selected by the authentication access controller in step 1.3 and the value of the Type-Data field is an inner TAEP packet; the value of the Code field of the inner TAEP packet is Request and the value of its Type field is Identity;
Step 2.1.2: the requester sends a TAEP Response packet to the authentication access controller, in which the Type field corresponds to the Type field of the TAEP Request packet of step 2.1.1 and the value of the Type-Data field is an inner TAEP packet; the value of the Code field of the inner TAEP packet is Response, its Type field corresponds to the Type field of the inner TAEP Request packet of step 2.1.1, and its Type-Data field contains the inner authentication identity of the requester.
Step 2.2 above is implemented as follows:
Step 2.2.1: the authentication access controller sends a TAEP Request packet to the inner authentication server, in which the value of the Type field is TP Authentication and the Type-Data contains the inner authentication identities of the requester and the authentication access controller;
Step 2.2.2: the inner authentication server sends a TAEP Response packet to the authentication access controller, in which the Type field corresponds to the Type field of the TAEP Request packet of step 2.2.1 and the Type-Data contains the authentication method type.
Step 2.3 above is implemented as follows: the authentication access controller exchanges a series of TAEP Request and Response packets with the requester, and with the inner authentication server, until the inner authentication process is complete. In the series of TAEP Request and Response packets exchanged between the authentication access controller and the requester, the value of the Type field is the authentication method selected by the authentication access controller in step 1.3 and the value of the Type-Data field is an inner TAEP packet; the value of the Type field of the inner TAEP packet is the authentication method selected by the authentication access controller in step 2.3, and its Type-Data field contains the authentication protocol message corresponding to the value of the Type field. In the series of TAEP Request and Response packets exchanged between the authentication access controller and the inner authentication server, the value of the Type field is the authentication method selected by the authentication access controller in step 2.3, and the Type-Data field contains the authentication protocol message corresponding to the value of the Type field.
Step 3 above is implemented as follows:
Step 3.1: if the authentication access controller successfully authenticates the requester in the inner authentication process of step 2.3, it sends a TAEP Success packet to the requester;
Step 3.2: if the authentication access controller cannot successfully authenticate the requester in the inner authentication process of step 2.3, it sends a TAEP Failure packet to the requester.
The present invention also provides a tunneling-technique-based tri-element authentication extensible system. The system comprises a requester, an authentication access controller, an authentication server and an inner authentication server; the requester, the authentication server and the inner authentication server each communicate with the authentication access controller via TAEP; the requester, the authentication access controller and the authentication server perform the outer authentication process and establish a secure tunnel between the requester and the authentication access controller; and the requester, the authentication access controller and the inner authentication server perform the inner authentication process.
The advantages of the present invention are:
1. The applicability of tunneled TAEP is increased. In the present invention the data carried in the secure tunnel is an inner TAEP packet, which can support multiple inner authentication mechanisms and so increases the applicability of tunneled TAEP;
2. The security of the inner authentication process is strengthened. In the present invention the inner TAEP packets between the requester and the authentication access controller are protected by the secure tunnel established by the outer authentication process, which provides protection of the inner authentication identity and so strengthens the security of the inner authentication process;
3. The present invention allows the requester and the authentication access controller to carry out multiple TAEP authentication methods within one TAEP authentication session, and can be applied to access control methods based on tri-element peer authentication.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art could derive other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of the format of a TAEP packet in the prior art;
FIG. 2 is a schematic diagram of the TAEP multiplexing model in the prior art;
FIG. 3 is a schematic diagram of the tunneling-technique-based tri-element authentication extensible method of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without inventive effort fall within the scope of protection of the present invention.
FIG. 3 is a schematic diagram of the tunneling-technique-based tri-element authentication extensible method of the present invention. Referring to FIG. 3, the present invention provides a tunneling-technique-based tri-element authentication extensible method whose specific steps are as follows:
Step 1: the requester, the authentication access controller and the authentication server perform the outer authentication process and establish a secure tunnel between the requester and the authentication access controller; for example, they perform a user authentication process and establish a session key between the requester and the authentication access controller.
Step 1.1: the authentication access controller uses TAEP Request and Response packets to obtain the outer authentication identity of the requester, for example a user identity;
Step 1.1.1: the authentication access controller sends a TAEP Request packet to the requester, in which the value of the Type field is Identity;
Step 1.1.2: the requester sends a TAEP Response packet to the authentication access controller, in which the Type field corresponds to the Type field of the TAEP Request packet of step 1.1.1 and the Type-Data contains the outer authentication identity of the requester.
Step 1.1 above is optional. If the authentication access controller already knows the outer authentication identity of the requester, step 1.1 need not be performed.
Step 1.2: the authentication access controller uses TAEP Request and Response packets to obtain the authentication method type from the authentication server, for example the certificate-based WAI protocol or the pre-shared-key-based WAI protocol of the Chinese WLAN standard;
Step 1.2.1: the authentication access controller sends a TAEP Request packet to the authentication server, in which the value of the Type field is TP Authentication and the Type-Data contains the outer authentication identities of the requester and the authentication access controller;
Step 1.2.2: the authentication server sends a TAEP Response packet to the authentication access controller, in which the Type field corresponds to the Type field of the TAEP Request packet of step 1.2.1 and the Type-Data contains the authentication method type.
Step 1.2 above is optional. If the authentication access controller has already been configured with a specific authentication method, step 1.2 need not be performed.
Step 1.3: the authentication access controller selects an authentication method, performs the outer authentication process with the requester and the authentication server, and establishes a secure tunnel between the requester and the authentication access controller; for example, they run the certificate-based WAI protocol or the pre-shared-key-based WAI protocol of the Chinese WLAN standard.
Step 1.3.1: the authentication access controller exchanges a series of TAEP Request and Response packets with the requester, and with the authentication server, until the secure tunnel between the requester and the authentication access controller is established; in these packets the Type field is the authentication method selected by the authentication access controller in step 1.3, and the Type-Data contains the authentication protocol message corresponding to the value of the Type field.
Step 2: the requester, the authentication access controller and the inner authentication server perform the inner authentication process, for example a platform authentication protocol, in which the inner TAEP packets between the requester and the authentication access controller are protected by the secure tunnel established in step 1.
Step 2.1: the authentication access controller uses TAEP Request and Response packets to obtain the inner authentication identity of the requester;
Step 2.1.1: the authentication access controller sends a TAEP Request packet to the requester, in which the value of the Type field is the authentication method selected by the authentication access controller in step 1.3 and the value of the Type-Data field is an inner TAEP packet. The value of the Code field of the inner TAEP packet is Request and the value of its Type field is Identity;
Step 2.1.2: the requester sends a TAEP Response packet to the authentication access controller, in which the Type field corresponds to the Type field of the TAEP Request packet of step 2.1.1 and the value of the Type-Data field is an inner TAEP packet. The value of the Code field of the inner TAEP packet is Response, its Type field corresponds to the Type field of the inner TAEP Request packet of step 2.1.1, and its Type-Data field contains the inner authentication identity of the requester.
Step 2.1 above is optional.
Step 2.2: the authentication access controller uses TAEP Request and Response packets to obtain the authentication method type from the inner authentication server;
Step 2.2.1: the authentication access controller sends a TAEP Request packet to the inner authentication server, in which the value of the Type field is TP Authentication and the Type-Data contains the inner authentication identities of the requester and the authentication access controller;
Step 2.2.2: the inner authentication server sends a TAEP Response packet to the authentication access controller, in which the Type field corresponds to the Type field of the TAEP Request packet of step 2.2.1 and the Type-Data contains the authentication method type.
The Type-Data of step 2.2.2 above may also contain an authentication policy for the authentication method; for example, the inner authentication server includes a platform authentication policy in the Type-Data of this step in order to deliver the platform authentication policy to the authentication access controller.
Step 2.2 above is optional. If the authentication access controller has already been configured with a specific authentication method and authentication policy for the inner authentication process, step 2.2 need not be performed.
Step 2.3: the authentication access controller selects an authentication method and performs the inner authentication process with the requester and the inner authentication server; for example, they run a platform authentication protocol.
Step 2.3.1: the authentication access controller exchanges a series of TAEP Request and Response packets with the requester, and with the inner authentication server, until the inner authentication process is complete. In the series of TAEP Request and Response packets exchanged between the authentication access controller and the requester, the value of the Type field is the authentication method selected by the authentication access controller in step 1.3 and the value of the Type-Data field is an inner TAEP packet; the value of the Type field of the inner TAEP packet is the authentication method selected by the authentication access controller in step 2.3, and its Type-Data field contains the authentication protocol message corresponding to the value of the Type field. In the series of TAEP Request and Response packets exchanged between the authentication access controller and the inner authentication server, the value of the Type field is the authentication method selected by the authentication access controller in step 2.3, and the Type-Data field contains the authentication protocol message corresponding to the value of the Type field.
Step 3: the authentication access controller ends the authentication process with a TAEP Success packet or Failure packet;
Step 3.1: if the authentication access controller successfully authenticates the requester in the inner authentication process of step 2.3, it sends a TAEP Success packet to the requester;
Step 3.2: if the authentication access controller cannot successfully authenticate the requester in the inner authentication process of step 2.3, it sends a TAEP Failure packet to the requester.
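The following is an added example, not code from the patent or its applicant, showing the TAEP packet layout described with FIG. 1 (Code, Identifier, Length, and a Type/Type-Data body only for Request and Response) together with the inner-packet encapsulation of steps 2.1.1 and 2.1.2, where the outer Type is the step-1.3 method and the outer Type-Data carries a protected inner TAEP packet. The numeric Type codes and the HMAC used to stand in for the tunnel's protection are assumptions; the page names the Types but gives no codes and does not specify the tunnel mechanism.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Code values as numbered in the page's TAEP packet description.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4

# The page names these Type values but gives no numeric codes; the codes below are assumed.
TYPE_IDENTITY = 1            # "Identity"
TYPE_TP_AUTHENTICATION = 2   # "TP Authentication"
TYPE_OUTER_METHOD = 0x10     # hypothetical code for the outer (tunnel) method chosen in step 1.3
TYPE_INNER_METHOD = 0x20     # hypothetical code for the inner (platform) method chosen in step 2.3

# Fixed header: Code (1 octet), Identifier (1 octet), Length (2 octets, counts the whole packet).
HEADER = struct.Struct("!BBH")

@dataclass
class TAEPPacket:
    code: int
    identifier: int
    type_: Optional[int] = None   # Type field, present only in Request/Response
    type_data: bytes = b""        # Type-Data field

    def encode(self) -> bytes:
        if self.code in (REQUEST, RESPONSE):
            if self.type_ is None:
                raise ValueError("Request/Response packets carry a Type field")
            data = bytes([self.type_]) + self.type_data
        elif self.code in (SUCCESS, FAILURE):
            if self.type_ is not None or self.type_data:
                raise ValueError("Success/Failure packets have no Data field")
            data = b""
        else:
            raise ValueError(f"unknown Code {self.code}")
        length = HEADER.size + len(data)
        if length > 0xFFFF:
            raise ValueError("packet exceeds the 2-octet Length field")
        return HEADER.pack(self.code, self.identifier, length) + data

def decode(buf: bytes) -> TAEPPacket:
    """Parse one TAEP packet, rejecting any whose Length disagrees with the octets present."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated TAEP header")
    code, identifier, length = HEADER.unpack_from(buf)
    if length < HEADER.size or length > len(buf):
        raise ValueError("Length field inconsistent with the received octets")
    data = buf[HEADER.size:length]
    if code in (REQUEST, RESPONSE):
        if not data:
            raise ValueError("Request/Response packet lacks its Type octet")
        return TAEPPacket(code, identifier, data[0], bytes(data[1:]))
    if code in (SUCCESS, FAILURE):
        if data:
            raise ValueError("Success/Failure packet must carry no Data")
        return TAEPPacket(code, identifier)
    raise ValueError(f"unknown Code {code}")

# Stand-in for the protection the step-1 tunnel gives inner packets. The page does not specify the
# mechanism, so this only appends an HMAC-SHA256 tag under the step-1 session key (integrity only).
def tunnel_protect(session_key: bytes, inner: bytes) -> bytes:
    return inner + hmac.new(session_key, inner, hashlib.sha256).digest()

def tunnel_unprotect(session_key: bytes, protected: bytes) -> bytes:
    inner, tag = protected[:-32], protected[-32:]
    if not hmac.compare_digest(tag, hmac.new(session_key, inner, hashlib.sha256).digest()):
        raise ValueError("inner TAEP packet failed the tunnel integrity check")
    return inner

def wrap(inner: TAEPPacket, outer_identifier: int, session_key: bytes) -> bytes:
    """Steps 2.1.1/2.1.2: outer Type = step-1.3 method, outer Type-Data = protected inner packet."""
    outer = TAEPPacket(inner.code, outer_identifier, TYPE_OUTER_METHOD,
                       tunnel_protect(session_key, inner.encode()))
    return outer.encode()

def unwrap(buf: bytes, session_key: bytes) -> TAEPPacket:
    """Reverse of wrap, checking the outer Type and that inner and outer Code agree."""
    outer = decode(buf)
    if outer.type_ != TYPE_OUTER_METHOD:
        raise ValueError("outer Type is not the tunnel method chosen in step 1.3")
    inner = decode(tunnel_unprotect(session_key, outer.type_data))
    if inner.code != outer.code:
        raise ValueError("inner Code must match outer Code (Request in Request, Response in Response)")
    return inner

def inner_identity_exchange(session_key: bytes, requester_identity: bytes) -> bytes:
    """Step 2.1 end to end: the controller asks for the inner identity and the requester answers."""
    req = unwrap(wrap(TAEPPacket(REQUEST, 7, TYPE_IDENTITY), 7, session_key), session_key)  # 2.1.1
    resp = TAEPPacket(RESPONSE, req.identifier, req.type_, requester_identity)                # 2.1.2
    got = unwrap(wrap(resp, 7, session_key), session_key)
    if got.identifier != req.identifier or got.type_ != req.type_:
        raise ValueError("Response does not match the outstanding Request")
    return got.type_data

if __name__ == "__main__":
    # Constructed sample values: the session key stands for the key set up by the step-1 tunnel.
    print(inner_identity_exchange(b"constructed-session-key", b"platform-identity-42"))
```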
本发明在提供一种基于隧道技术的三元鉴别可扩展方法的同时, 还提供 了一种基于隧道技术的三元鉴别可扩展系统, 该系统包括请求者、 鉴别访问 控制器、 鉴别服务器以及内鉴别服务器; 请求者、 鉴别服务器以及内鉴别服 务器分别和鉴别访问控制器通过 TAEP连通; 请求者、 鉴别访问控制器和鉴别 服务器执行外鉴别过程, 建立请求者和鉴别访问控制器之间的安全隧道; 请 求者、 鉴别访问控制器和内鉴别服务器执行内鉴别过程。 请求者、 鉴别访问 控制器和鉴别服务器执行外鉴别过程, 建立请求者和鉴别访问控制器之间的 安全隧道, 如: 它们执行用户鉴别过程并建立请求者和鉴别访问控制器之间 的会话密钥, 其中鉴别服务器可以不参与该外鉴别过程。 请求者、 鉴别访问 控制器和内鉴别服务器执行内鉴别过程, 如: 它们执行平台鉴别协议, 其中 鉴别访问控制器和内鉴别服务器之间传输的 TAEP包的 Type字段的值为内鉴 别过程方法, Type-Data字段的值为内鉴别过程消息, 而请求者和鉴别访问控 制器之间传输 TAEP包的 Type字段为外鉴别过程方法, Type-Data字段为内 TAEP包, 内 TAEP包的 Type字段的值为内鉴别过程方法, Type-Data字段的值 为内鉴别过程消息。 The present invention provides a ternary authentication scalable method based on tunnel technology, and provides a ternary authentication scalable system based on tunnel technology, the system includes a requester, an authentication access controller, an authentication server, and an internal The authentication server; the requester, the authentication server, and the internal authentication server are respectively connected to the authentication access controller through the TAEP; the requester, the authentication access controller, and the authentication server perform an external authentication process, and establish a secure tunnel between the requester and the authentication access controller. The requester, the authentication access controller, and the internal authentication server perform an internal authentication process. The requester, the authentication access controller, and the authentication server perform an external authentication process, establishing a relationship between the requester and the authentication access controller Secure tunnels, such as: They perform a user authentication process and establish a session key between the requester and the authentication access controller, wherein the authentication server may not participate in the external authentication process. 
The requester, the authentication access controller, and the internal authentication server perform an internal authentication process, such as: they execute a platform authentication protocol, wherein the value of the Type field of the TAEP packet transmitted between the access controller and the internal authentication server is identified as an internal authentication process method, The value of the Type-Data field is an intra-authentication process message, and the Type field of the TAEP packet transmitted between the requester and the authentication access controller is an external authentication process method, the Type-Data field is an inner TAEP packet, and the Type field of the inner TAEP packet is The value is the internal authentication process method, and the value of the Type-Data field is the internal authentication process message.
Finally, it should be noted that the above embodiments serve only to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

Claims
1. A tunneling-technique-based tri-element authentication extensible method, characterized in that the method comprises the following steps:
Step 1: the requester, the authentication access controller and the authentication server perform an outer authentication process and establish a secure tunnel between the requester and the authentication access controller;
Step 2: the requester, the authentication access controller and the inner authentication server perform an inner authentication process, in which the inner tri-element authentication extensible protocol packets exchanged between the requester and the authentication access controller are protected by the secure tunnel established in step 1;
Step 3: the authentication access controller ends the authentication process with a success packet or a failure packet of the tri-element authentication extensible protocol.
2. The tunneling-technique-based tri-element authentication extensible method according to claim 1, characterized in that step 1 is implemented as follows:
Step 1.1: the authentication access controller obtains the requester's outer authentication identity using a request packet and a response packet of the tri-element authentication extensible protocol;
Step 1.2: the authentication access controller obtains the authentication method type from the authentication server using a request packet and a response packet of the tri-element authentication extensible protocol;
Step 1.3: the authentication access controller selects an authentication method, performs the outer authentication process with the requester and the authentication server, and establishes a secure tunnel between the requester and the authentication access controller.
3. The tunneling-technique-based tri-element authentication extensible method according to claim 2, characterized in that step 1.1 is implemented as follows:
Step 1.1.1: the authentication access controller sends a request packet of the tri-element authentication extensible protocol to the requester, in which the value of the Type field is Identity;
Step 1.1.2: the requester sends a response packet of the tri-element authentication extensible protocol to the authentication access controller, in which the Type field corresponds to the Type field of the request packet in step 1.1.1 and the Type-Data field contains the requester's outer authentication identity.
4. The tunneling-technique-based tri-element authentication extensible method according to claim 3, characterized in that step 1.2 is implemented as follows:
Step 1.2.1: the authentication access controller sends a request packet of the tri-element authentication extensible protocol to the authentication server, in which the value of the Type field is Third-Party Authentication and the Type-Data field contains the outer authentication identities of the requester and the authentication access controller;
Step 1.2.2: the authentication server sends a response packet of the tri-element authentication extensible protocol to the authentication access controller, in which the Type field corresponds to the Type field of the request packet in step 1.2.1 and the Type-Data field contains the authentication method type.
5. The tunneling-technique-based tri-element authentication extensible method according to claim 4, characterized in that step 1.3 is implemented as follows: the authentication access controller and the requester, and the authentication access controller and the authentication server, exchange a series of request packets and response packets of the tri-element authentication extensible protocol until the secure tunnel between the requester and the authentication access controller is established; in these packets the Type field is the authentication method selected by the authentication access controller in step 1.3, and the Type-Data field contains the authentication protocol message corresponding to the value of the Type field.
6. The tunneling-technique-based tri-element authentication extensible method according to claim 1, 2, 3, 4 or 5, characterized in that step 2 is implemented as follows:
Step 2.1: the authentication access controller obtains the requester's inner authentication identity using a request packet and a response packet of the tri-element authentication extensible protocol;
Step 2.2: the authentication access controller obtains the authentication method type from the inner authentication server using a request packet and a response packet of the tri-element authentication extensible protocol;
Step 2.3: the authentication access controller selects an authentication method and performs the inner authentication process with the requester and the inner authentication server.
7. The tunneling-technique-based tri-element authentication extensible method according to claim 6, characterized in that step 2.1 is implemented as follows:
Step 2.1.1: the authentication access controller sends a request packet of the tri-element authentication extensible protocol to the requester, in which the value of the Type field is the authentication method selected by the authentication access controller in step 1.3 and the value of the Type-Data field is an inner tri-element authentication extensible protocol packet; the value of the Code field of the inner packet is Request and the value of its Type field is Identity;
Step 2.1.2: the requester sends a response packet of the tri-element authentication extensible protocol to the authentication access controller, in which the Type field corresponds to the Type field of the request packet in step 2.1.1 and the value of the Type-Data field is an inner tri-element authentication extensible protocol packet; the value of the Code field of the inner packet is Response, its Type field corresponds to the Type field of the inner request packet in step 2.1.1, and its Type-Data field contains the requester's inner authentication identity.
8. The tunneling-technique-based tri-element authentication extensible method according to claim 7, characterized in that step 2.2 is implemented as follows:
Step 2.2.1: the authentication access controller sends a request packet of the tri-element authentication extensible protocol to the inner authentication server, in which the value of the Type field is Third-Party Authentication and the Type-Data field contains the inner authentication identities of the requester and the authentication access controller;
Step 2.2.2: the inner authentication server sends a response packet of the tri-element authentication extensible protocol to the authentication access controller, in which the Type field corresponds to the Type field of the request packet in step 2.2.1 and the Type-Data field contains the authentication method type.
9. The tunneling-technique-based tri-element authentication extensible method according to claim 8, characterized in that step 2.3 is implemented as follows: the authentication access controller and the requester, and the authentication access controller and the inner authentication server, exchange a series of request packets and response packets of the tri-element authentication extensible protocol until the inner authentication process completes. In the series of request packets and response packets exchanged between the authentication access controller and the requester, the value of the Type field is the authentication method selected by the authentication access controller in step 1.3 and the value of the Type-Data field is an inner tri-element authentication extensible protocol packet; the value of the Type field of the inner packet is the authentication method selected by the authentication access controller in step 2.3, and the Type-Data field of the inner packet contains the authentication protocol message corresponding to the value of its Type field. In the series of request packets and response packets exchanged between the authentication access controller and the inner authentication server, the value of the Type field is the authentication method selected by the authentication access controller in step 2.3 and the Type-Data field contains the authentication protocol message corresponding to the value of the Type field.
10. The tunneling-technique-based tri-element authentication extensible method according to claim 9, characterized in that step 3 is implemented as follows:
Step 3.1: if the authentication access controller successfully authenticates the requester in the inner authentication process of step 2.3, it sends a success packet of the tri-element authentication extensible protocol to the requester;
Step 3.2: if the authentication access controller cannot successfully authenticate the requester in the inner authentication process of step 2.3, it sends a failure packet of the tri-element authentication extensible protocol to the requester.
11. A tunneling-technique-based tri-element authentication extensible system, characterized in that the tunneling-technique-based tri-element authentication extensible system comprises a requester, an authentication access controller, an authentication server and an inner authentication server; the requester, the authentication server and the inner authentication server are each connected to the authentication access controller through the tri-element authentication extensible protocol; the requester, the authentication access controller and the authentication server perform an outer authentication process and establish a secure tunnel between the requester and the authentication access controller; the requester, the authentication access controller and the inner authentication server perform an inner authentication process.
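As an added example (not code from the patent or its applicant), the packet nesting behind the inner authentication, in which an inner TAEP packet rides in the Type-Data field of an outer packet whose Type is the outer method and is protected by the tunnel from step 1 (claim 7 and the summary above). The byte layout, the numeric Code and Type values, the names `TAEP`, `Tunnel` and `step_2_1`, and the HMAC-based stand-in for the tunnel cipher are all assumptions, since the patent fixes neither a wire format nor a cipher.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# Values named in the claims; the numbers are assumed, the patent fixes none.
REQUEST, RESPONSE, TYPE_IDENTITY = 1, 2, 1
OUTER_METHOD = 10  # assumed number of the outer method chosen in step 1.3


@dataclass(frozen=True)
class TAEP:
    code: int
    type: int
    data: bytes = b""

    def encode(self) -> bytes:
        # Assumed layout: Code(1) Type(1) Length(2, whole packet) Type-Data
        return struct.pack("!BBH", self.code, self.type, 4 + len(self.data)) + self.data

    @staticmethod
    def decode(buf: bytes) -> "TAEP":
        code, typ, length = struct.unpack("!BBH", buf[:4])
        if length != len(buf):
            raise ValueError("TAEP Length does not match the packet size")
        return TAEP(code, typ, buf[4:])


class Tunnel:
    """Protection of inner packets with the session key from the outer authentication (step 1).
    Encrypt-then-MAC over an HMAC-SHA256 keystream stands in for the negotiated cipher."""

    def __init__(self, session_key: bytes):
        self.enc_key = hmac.new(session_key, b"taep-enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(session_key, b"taep-mac", hashlib.sha256).digest()

    def _xor(self, nonce: bytes, buf: bytes) -> bytes:
        blocks = (hmac.new(self.enc_key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
                  for i in range((len(buf) + 31) // 32))
        return bytes(a ^ b for a, b in zip(buf, b"".join(blocks)))

    def wrap(self, inner: TAEP) -> TAEP:
        # Outer packet: same Code, Type = outer method, Type-Data = nonce || ciphertext || tag
        nonce = os.urandom(12)
        body = nonce + self._xor(nonce, inner.encode())
        tag = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        return TAEP(inner.code, OUTER_METHOD, body + tag)

    def unwrap(self, outer: TAEP) -> TAEP:
        # Check the tunnel's Type and integrity tag before parsing the inner packet.
        if outer.type != OUTER_METHOD:
            raise ValueError("outer Type is not the negotiated outer method")
        body, tag = outer.data[:-32], outer.data[-32:]
        if not hmac.compare_digest(hmac.new(self.mac_key, body, hashlib.sha256).digest(), tag):
            raise ValueError("tunnel integrity check failed")
        return TAEP.decode(self._xor(body[:12], body[12:]))


def step_2_1(aac: Tunnel, requester: Tunnel, inner_identity: bytes) -> bytes:
    """Claim 7: the AAC learns the requester's inner identity; both Tunnel objects hold the step-1 key."""
    # 2.1.1  AAC -> requester: outer Request carrying inner Request{Type=Identity}
    inner_req = requester.unwrap(aac.wrap(TAEP(REQUEST, TYPE_IDENTITY)))
    # 2.1.2  requester -> AAC: outer Response carrying inner Response{Type as in request, data=identity}
    inner_resp = aac.unwrap(requester.wrap(TAEP(RESPONSE, inner_req.type, inner_identity)))
    if inner_resp.code != RESPONSE or inner_resp.type != inner_req.type:
        raise ValueError("inner response does not match the inner request")
    return inner_resp.data
```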
PCT/CN2009/075647 2009-09-22 2009-12-16 Tunneling-technique-based tri-element authentication extensible method and system thereof WO2011035514A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910307462.7 2009-09-22
CN2009103074627A CN101662410B (en) 2009-09-22 2009-09-22 Tri-element authentification expandable method based on tunneling technique and system thereof

Publications (1)

Publication Number Publication Date
WO2011035514A1 true WO2011035514A1 (en) 2011-03-31

Family

ID=41790215

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/075647 WO2011035514A1 (en) 2009-09-22 2009-12-16 Tunneling-technique-based tri-element authentication extensible method and system thereof

Country Status (2)

Country Link
CN (1) CN101662410B (en)
WO (1) WO2011035514A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101707621B (en) * 2009-12-11 2012-05-09 西安西电捷通无线网络通信股份有限公司 Network transmission method suitable for ternary peer authentication of trusted network connection architecture
CN102006291A (en) * 2010-11-10 2011-04-06 西安西电捷通无线网络通信股份有限公司 Network transmission method and system suitable for trusted connection framework

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101527718A (en) * 2009-04-16 2009-09-09 西安西电捷通无线网络通信有限公司 Method for building ternary-equally recognizing credible network connecting architecture
CN101527717A (en) * 2009-04-16 2009-09-09 西安西电捷通无线网络通信有限公司 Implementation method of ternary-equally recognizing credible network connecting architecture
CN101572704A (en) * 2009-06-08 2009-11-04 西安西电捷通无线网络通信有限公司 Access control method suitable for tri-element peer authentication trusted network connect architecture

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"GB 15629.11-2003 Information technology-Telecommunications and information exchange between systems-Local and metropolitan area networks-Specific requirements-Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer(PHY) Specifications.", GENERAL ADMINISTRATION OF QUALITY SUPERVISION, INSPECTION AND QUARANTINE OF THE PEOPLE'S REPUBLIC OF CHINA., 12 March 2003 (2003-03-12), pages 49 - 54 *
HUANG, ZHENHAI. ET AL.: "Summarization of WLAN Authentication and Privacy Infrastructure WAPI.", MOBILE COMMUNICATION., 25 May 2006 (2006-05-25), pages 31 - 36 *

Also Published As

Publication number Publication date
CN101662410B (en) 2012-07-04
CN101662410A (en) 2010-03-03

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09849700

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09849700

Country of ref document: EP

Kind code of ref document: A1