WO2012048551A1 - Method and system for network access control - Google Patents


Info

Publication number
WO2012048551A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
req
visitor
identity
access
Prior art date
Application number
PCT/CN2011/071770
Other languages
English (en)
Chinese (zh)
Inventor
李剑雄
杜志强
铁满霞
曹军
周吉阳
王俊峰
张莎
Original Assignee
天维讯达无线电设备检测(北京)有限责任公司
西安西电捷通无线网络通信股份有限公司
Application filed by 天维讯达无线电设备检测(北京)有限责任公司 and 西安西电捷通无线网络通信股份有限公司
Publication of WO2012048551A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority

Definitions

  • The present invention belongs to the field of network security applications in information security technologies, and in particular to a network access control method and system.
  • Background technique
  • The access controller in the destination network completes the authentication and authorization of the visitor, thereby implementing access control of the visitor.
  • The access controller may not be directly connected to the authentication server, for reasons relating to the access controller itself or to the destination network, which prevents the access controller from directly using the authentication service provided by the authentication server.
  • The prior-art access control method, in which the access controller directly connects to and uses the authentication server to obtain the authentication service, therefore cannot meet the practical application requirements for access control of the visitor.
  • Summary of the invention
  • The present invention provides a network access control method and system capable of satisfying the application requirements for access control of a visitor.
  • The present invention provides a network access control method, including:
  • Step 1) a visitor sends an access request message to an access controller in a destination network, where the access request message includes a random number N_REQ;
  • Step 2) after receiving the access request message, the access controller constructs an access authentication request message containing first identity authentication information and sends it to the visitor; the first identity authentication information is the result of a symmetric cryptographic operation performed on N_REQ by using the shared key K_AS,AC between the access controller and an authentication server;
  • Step 3) after receiving the access authentication request message, the visitor constructs an identity authentication request message and sends it to the authentication server; the identity authentication request message includes the first identity authentication information and second identity authentication information, where the second identity authentication information is the result of a symmetric cryptographic operation performed by the visitor on N_REQ by using the shared key K_AS,REQ between the visitor and the authentication server;
  • Step 4) after receiving the identity authentication request message, the authentication server authenticates the first identity authentication information by using K_AS,AC to obtain a first authentication result, and encrypts the first authentication result with K_AS,REQ to form a first publicly identifiable authentication result for the access controller; it authenticates the second identity authentication information by using K_AS,REQ to obtain a second authentication result, and encrypts the second authentication result with K_AS,AC to form a second publicly identifiable authentication result for the visitor; the authentication server then constructs an identity authentication response message and sends it to the visitor, the identity authentication response message including the first publicly identifiable authentication result and the second publicly identifiable authentication result;
  • Step 5) after receiving the identity authentication response message, the visitor decrypts the first publicly identifiable authentication result to obtain the first authentication result and, according to the first authentication result, constructs an access authentication response message and sends it to the access controller; the access authentication response message includes the second publicly identifiable authentication result;
  • Step 6) after receiving the access authentication response message, the access controller decrypts the second publicly identifiable authentication result to obtain the second authentication result, and constructs an access response message according to an authorization policy.
  • The authorization policy refers to the policy by which the access controller authorizes the access request.
  • The present invention provides an access device, including:
  • an access request interaction module, configured to send an access request message to an access controller of a destination network, where the access request message includes a random number N_REQ, and to receive the access authentication request message sent by the access controller, which includes first identity authentication information; the first identity authentication information is the result of a symmetric cryptographic operation performed on N_REQ by using the shared key K_AS,AC between the access controller and an authentication server;
  • an authentication request interaction module, configured to send an identity authentication request message to an authentication server, where the identity authentication request message includes the first identity authentication information and second identity authentication information, the second identity authentication information being the result of a symmetric cryptographic operation performed by the visitor on N_REQ by using the shared key K_AS,REQ between the visitor and the authentication server, and to receive an identity authentication response message sent by the authentication server; the identity authentication response message includes a first publicly identifiable authentication result and a second publicly identifiable authentication result, where the first publicly identifiable authentication result is the first authentication result, obtained after identity authentication of the access controller according to the first identity authentication information, further encrypted by using K_AS,REQ, and the second publicly identifiable authentication result is the second authentication result, obtained after identity authentication of the visitor according to the second identity authentication information, further encrypted by using K_AS,AC;
  • an authentication result interaction module, configured to send, according to the first authentication result, an access authentication response message that includes the second publicly identifiable authentication result to the access controller, and to receive the access response message sent by the access controller.
  • The invention also provides an authentication server, comprising:
  • an authentication request receiving module, configured to receive an identity authentication request message sent by a visitor, where the identity authentication request message includes first identity authentication information of the access controller of the destination network and second identity authentication information of the visitor; the first identity authentication information is the result of a symmetric cryptographic operation performed by the access controller, by using the shared key K_AS,AC between itself and the authentication server, on the random number N_REQ included in the access request message sent by the visitor; the second identity authentication information is the result of a symmetric cryptographic operation performed by the visitor on N_REQ by using the shared key K_AS,REQ between the visitor and the authentication server;
  • an authentication execution module, configured to generate, according to the first identity authentication information, a first authentication result after performing identity authentication on the access controller, and to encrypt the first authentication result by using K_AS,REQ to form a first publicly identifiable authentication result for the access controller; and to generate, according to the second identity authentication information, a second authentication result after performing identity authentication on the visitor, and to encrypt the second authentication result by using K_AS,AC to form a second publicly identifiable authentication result for the visitor;
  • an authentication response sending module, configured to send an identity authentication response message to the visitor, where the identity authentication response message includes the first publicly identifiable authentication result and the second publicly identifiable authentication result.
  • The invention also provides an access controller, comprising:
  • an access request receiving module, configured to receive an access request message sent by a visitor, where the access request message carries a random number N_REQ;
  • an access authentication request constructing module, configured to send an access authentication request message including first identity authentication information to the visitor, where the first identity authentication information is the result of a symmetric cryptographic operation performed on N_REQ by using the shared key K_AS,AC between the access controller and the authentication server;
  • an access authentication response receiving module, configured to receive an access authentication response message sent by the visitor and to decrypt the second authentication result; the access authentication response message is constructed by the visitor according to the first authentication result included in the identity authentication response message sent by the authentication server, and includes the second authentication result; the first authentication result is determined by the authentication server, by using K_AS,AC, from the first identity authentication information included in the identity authentication request message sent by the visitor, and the second authentication result is determined by the authentication server, by using the shared key K_AS,REQ between itself and the visitor, from the second identity authentication information sent by the visitor; the second identity authentication information is the result of the symmetric cryptographic operation performed by the visitor on N_REQ with K_AS,REQ;
  • an access request response module, configured to send an access response message to the visitor according to the obtained second authentication result and the authorization policy.
  • The present invention also provides a network access control system, including a visitor, an access controller of a destination network, and an authentication server, where:
  • the visitor is configured to send an access request message to the access controller, where the access request message carries a random number N_REQ, and to receive an access authentication request message returned by the access controller, where the access authentication request message includes first identity authentication information;
  • the access authentication response message being constructed according to the first authentication result and including the second publicly identifiable authentication result;
  • the access controller is configured to receive the access request message sent by the visitor and to send an access authentication request message that includes the first identity authentication information to the visitor; the first identity authentication information is the result of a symmetric cryptographic operation performed on N_REQ by using the shared key K_AS,AC between the access controller and the authentication server;
  • the authentication server is configured to receive the identity authentication request message sent by the visitor; to generate a first authentication result after performing identity authentication on the access controller according to the first identity authentication information, and to encrypt the first authentication result by using K_AS,REQ to form a first publicly identifiable authentication result for the access controller; to generate a second authentication result after performing identity authentication on the visitor according to the second identity authentication information, and to encrypt the second authentication result by using K_AS,AC to form a second publicly identifiable authentication result for the visitor; and to return to the visitor an identity authentication response message including the first publicly identifiable authentication result and the second publicly identifiable authentication result.
  • The network access control method and system provided by the present invention complete the identity authentication of a visitor in the case where an authentication server participates but the access controller of the destination network cannot directly use the authentication service provided by the authentication server.
  • The invention is based on a symmetric cryptographic mechanism. After the visitor makes an access request, the access controller in the destination network processes the access request; the visitor initiates an identity authentication request to the authentication server; the access controller in the destination network completes the authentication of the visitor's identity according to the publicly identifiable authentication result of the authentication server, which the visitor forwards, and authorizes the successfully authenticated visitor according to the authorization policy.
  • The present invention thus solves the problem that access control cannot be implemented when the access controller cannot directly use the authentication service provided by the authentication server, and satisfies the practical application requirements.
  • FIG. 1 is a flow chart of the network access control method provided by the present invention.
  • FIG. 2 is a schematic diagram of the operation of the network access control system provided by the present invention.
  • FIG. 3 is a detailed block diagram of step S1 in FIG. 2.
  • FIG. 4 is a detailed block diagram of step S2 in FIG. 2.
  • FIG. 5 is a detailed block diagram of step S3 in FIG. 2.
  • FIG. 6 is a detailed block diagram of step S4 in FIG. 2.
  • FIG. 7 is a detailed block diagram of step S5 in FIG. 2.
  • FIG. 8 is a detailed block diagram of step S6 in FIG. 2.
  • Detailed description
  • The present invention provides a network access control system 100.
  • The access control system 100 includes a visitor REQ, an authentication server AS, and an access controller AC.
  • The shared key K_AS,REQ is shared between the visitor REQ and the authentication server AS, and the shared key K_AS,AC is shared between the access controller AC and the authentication server AS.
  • The network access control system 100 completes the authentication and authorization of the visitor REQ through six steps, S1 to S6.
  • Step S1) Referring to FIG. 3, the visitor REQ sends an access request message M1 to the access controller AC in the destination network. The access request message M1 contains N_REQ || Q_REQ, where N_REQ represents the random number generated by the visitor REQ and Q_REQ represents the access request of the visitor REQ, the same below.
  • Step S2) Referring to FIG. 4, after receiving the access request message M1, the access controller AC constructs an access authentication request message M2 and sends it to the visitor REQ. The access authentication request message M2 contains the identity authentication information I1 of the access controller AC. The identity authentication information I1 is used to prove the validity of the identity of the access controller AC to the authentication server AS, and is the result of performing a symmetric cryptographic operation on N_REQ by using the shared key K_AS,AC.
  • Step S3) Referring to FIG. 5, after receiving the access authentication request message M2, the visitor REQ constructs an identity authentication request message M3 and sends it to the authentication server AS. The identity authentication request message M3 includes the identity authentication information I1 and the identity authentication information I2 of the visitor REQ. The identity authentication information I2 is used to prove the validity of the identity of the visitor REQ to the authentication server AS, and is the result of performing a symmetric cryptographic operation on N_REQ by using the shared key K_AS,REQ.
  • Step S4) Referring to FIG. 6, the authentication server AS provides the authentication service according to the identity authentication request message M3 and generates the authentication results. The authentication server AS authenticates the identity authentication information I1 in the identity authentication request message M3 by using the shared key K_AS,AC and obtains the first authentication result, for the access controller AC; it authenticates the identity authentication information I2 in the message M3 by using the shared key K_AS,REQ and obtains the second authentication result, for the visitor REQ. The authentication server AS then encrypts the first authentication result by using the shared key K_AS,REQ to form the publicly identifiable authentication result C1 for the access controller AC, encrypts the second authentication result by using the shared key K_AS,AC to form the publicly identifiable authentication result C2 for the visitor REQ, and constructs the identity authentication response message M4 to be sent to the visitor REQ. The identity authentication response message M4 includes the publicly identifiable authentication results C1 and C2.
  • Step S5) Referring to FIG. 7, after receiving the identity authentication response message M4, the visitor REQ decrypts the publicly identifiable authentication result C1 to obtain the first authentication result, and constructs an access authentication response message M5 according to the first authentication result. The access authentication response message M5 includes the publicly identifiable authentication result C2.
  • Step S6) Referring to FIG. 8, after receiving the access authentication response message M5, the access controller AC decrypts the publicly identifiable authentication result C2 in M5, obtains the second authentication result, and constructs an access response message M6 according to the authorization policy. The message M6 is sent to the visitor REQ, and the access response message M6 contains information as to whether the visitor REQ is authorized to access the destination network.
  • The authorization policy refers to the policy by which the access controller AC authorizes the access request Q_REQ of the visitor REQ. The authorization policy may come from a server, such as the authentication server AS, or may be local to the access controller AC. The authorization policy has been built into the authentication server AS or the access controller AC beforehand, and the present invention only invokes it.
  • In this way the authentication and authorization of the visitor REQ are realized, meeting the practical application requirements for access control of the visitor REQ.
  • The present invention provides an access device, including: an access request interaction module, configured to send an access request message to an access controller of a destination network, where the access request message includes a random number N_REQ, and to receive the access authentication request message sent by the access controller, which includes first identity authentication information; the first identity authentication information is the result of a symmetric cryptographic operation performed on N_REQ by using the shared key K_AS,AC between the access controller and an authentication server;
  • an authentication request interaction module, configured to send an identity authentication request message to an authentication server, where the identity authentication request message includes the first identity authentication information and second identity authentication information, the second identity authentication information being the result of a symmetric cryptographic operation performed by the visitor on N_REQ by using the shared key K_AS,REQ between the visitor and the authentication server, and to receive an identity authentication response message sent by the authentication server; the identity authentication response message includes a first publicly identifiable authentication result and a second publicly identifiable authentication result, where the first publicly identifiable authentication result is formed by encrypting with K_AS,REQ the first authentication result obtained after identity authentication of the access controller according to the first identity authentication information, and the second publicly identifiable authentication result is formed by encrypting with K_AS,AC the second authentication result obtained after identity authentication of the visitor according to the second identity authentication information;
  • an authentication result interaction module, configured to construct, according to the first authentication result, an access authentication response message carrying the second publicly identifiable authentication result, to send it to the access controller, and to receive the access response message sent by the access controller.
  • The invention also provides a corresponding authentication server, comprising:
  • an authentication request receiving module, configured to receive an identity authentication request message sent by a visitor, where the identity authentication request message includes first identity authentication information of the access controller of the destination network and second identity authentication information of the visitor; the first identity authentication information is the result of a symmetric cryptographic operation performed by the access controller, by using the shared key K_AS,AC between itself and the authentication server, on the random number N_REQ included in the access request message sent by the visitor; the second identity authentication information is the result of a symmetric cryptographic operation performed by the visitor on N_REQ by using the shared key K_AS,REQ between the visitor and the authentication server;
  • an authentication execution module, configured to generate, according to the first identity authentication information, a first authentication result after performing identity authentication on the access controller, and to encrypt the first authentication result by using K_AS,REQ to form a first publicly identifiable authentication result for the access controller; and to generate, according to the second identity authentication information, a second authentication result after identity authentication of the visitor, and to encrypt the second authentication result by using K_AS,AC to form a second publicly identifiable authentication result for the visitor;
  • an authentication response sending module, configured to send an identity authentication response message to the visitor, where the identity authentication response message includes the first publicly identifiable authentication result and the second publicly identifiable authentication result.
  • An access controller, including:
  • an access request receiving module, configured to receive an access request message sent by a visitor, where the access request message carries a random number N_REQ;
  • an access authentication request constructing module, configured to send an access authentication request message including first identity authentication information to the visitor, where the first identity authentication information is the result of a symmetric cryptographic operation performed on N_REQ by using the shared key K_AS,AC between the access controller and the authentication server;
  • an access authentication response receiving module, configured to receive an access authentication response message sent by the visitor and to decrypt the second authentication result; the access authentication response message is constructed by the visitor according to the first authentication result included in the identity authentication response message sent by the authentication server, and includes the second authentication result; the first authentication result is determined by the authentication server, by using K_AS,AC, from the first identity authentication information included in the identity authentication request message sent by the visitor, and the second authentication result is determined by the authentication server, by using the shared key K_AS,REQ between itself and the visitor, from the second identity authentication information sent by the visitor, the second identity authentication information being the result of the symmetric cryptographic operation performed by the visitor on N_REQ with K_AS,REQ;
  • an access request response module, configured to send an access response message to the visitor according to the obtained second authentication result and the authorization policy.
  • A network access control system with corresponding functions includes a visitor, an access controller of a destination network, and an authentication server, wherein:
  • the visitor is configured to send an access request message to the access controller, where the access request message carries a random number N_REQ;
  • the access authentication response message being constructed according to the first authentication result and including the second publicly identifiable authentication result;
  • the access controller is configured to receive the access request message sent by the visitor and to send an access authentication request message that includes the first identity authentication information to the visitor; the first identity authentication information is the result of a symmetric cryptographic operation performed on N_REQ by using the shared key K_AS,AC between the access controller and the authentication server; and
  • the authentication server is configured to receive the identity authentication request message sent by the visitor; to generate a first authentication result after performing identity authentication on the access controller according to the first identity authentication information, and to encrypt the first authentication result by using K_AS,REQ to form a first publicly identifiable authentication result for the access controller; to generate a second authentication result after performing identity authentication on the visitor according to the second identity authentication information, and to encrypt the second authentication result by using K_AS,AC to form a second publicly identifiable authentication result for the visitor; and to return to the visitor an identity authentication response message including the first publicly identifiable authentication result and the second publicly identifiable authentication result.
  • the visitor REQ constructs the N REQ
  • Q REQ is the access request message M1.
  • the request message M1 may also be other messages.
  • the other message includes at least N REQ
  • means that the two messages before and after are connected in series, the same below.
  • the access controller AC After receiving the access request message M1, that is, N REQ
  • the access authentication request message M2 is a message including at least N REQ
  • N AC represents a random number generated by the access controller AC
  • 6 (1 ⁇ , ⁇ represents the result of encrypting N REQ by using the shared key K AS , Ae , that is, the identity authentication information II of the access controller AC
  • E is A symmetric encryption algorithm; the same below.
  • Step S3 After receiving the access authentication request message M2, that is, N REQ
  • the ID AC is the identity of the access controller AC, the same below.
  • the identity authentication request message M3 is a message containing at least ID AC
  • the authentication server AS determines, according to the ID Ae, whether the access controller AC has shared the key K AS , AC with the authentication server AS , and if the key K AS , AC is not shared, executes 4. 2. 1 ); If the key K AS , AC is shared, go to step 4. 2. 2 ).
  • the authentication server AS decrypts E (K AS; AC , N REQ ), that is, the identity authentication information 11 by using the shared key K AS , Ae , and determines whether the N REQ obtained after decryption is in the step with the visitor REQ S 3 is transmitted to the authentication server AS identity authentication request message is equal to N REQ message M3 is, if the decrypted N visitors REQ REQ and authentication transmitted to the authentication server AS in step S3 in the request information message M3 If N REQ is not equal, then 4. 2. 2. 1 ) is executed; if the N REQ obtained after decryption is equal to the information N REQ in the identity authentication request message M3 sent by the visitor REQ to the authentication server AS in step S3, then Execute 4. 2. 2. 2).
  • the authentication server AS constructs an identity authentication response message M4 ie ID AC
  • MIC 2 is sent to the visitor REQ.
  • Res (AC) is the publicly discriminable result CI
  • Res (REQ) is the publicly discriminable result C 2
  • Res (AC) E (K AS; REQ , R (AC) )
  • Res (REQ E (K AS; AC , R (REQ) )
  • R (AC) is the first discrimination result
  • R (REQ) is the
  • MIC 2 H (K AS;REQ , ID AC
  • the authentication server AS decrypts E (K AS; REQ , N REQ ) by using the shared key K AS , REQ , and determines whether the N REQ obtained after decryption and the identity of the visitor REQ are sent to the authentication server AS in step S3.
  • the information N REQ in the authentication request message M3 is equal. If the N REQ obtained after decryption is not equal to the information N REQ in the identity authentication request message M3 sent by the visitor REQ to the authentication server AS in step S3, then 4.3.1 is performed.
  • the authentication server AS decrypts E (K AS , REQ , the obtained N REQ and the visitor REQ in the identity authentication request message M 3 sent to the authentication server AS in step S 3 by using the shared key K AS , REQ If the information N REQ is equal, then 4.3.2).
  • the authentication server AS determines, according to ID_AC, whether the access controller AC shares the key K_AS,AC with the authentication server AS; if the key K_AS,AC is not shared, 4.3.1.1) is executed; if the key K_AS,AC is shared, 4.3.1.2) is executed.
  • the authentication server AS terminates the authentication.
  • the authentication server AS decrypts E(K_AS,AC, N_REQ) using the shared key K_AS,AC, and determines whether the N_REQ obtained after decryption equals the N_REQ in the identity authentication request message M3 sent by the visitor REQ to the authentication server AS in step S3. If they are not equal, 4.3.1.2.1) is executed; if they are equal, 4.3.1.2.2) is executed.
  • the authentication server AS terminates the authentication.
  • the authentication server AS constructs the identity authentication response message M4
  • MIC2 is sent to the visitor REQ.
  • R(AC) = True, indicating that the authentication server AS successfully authenticated the access controller AC;
  • R(REQ) = Failure, indicating that the authentication server AS failed to authenticate the visitor REQ;
  • MIC2 = H(K_AS,REQ, ID_AC
  • H is a one-way hash algorithm, the same below.
  • the authentication server AS determines, according to ID_AC, whether the access controller AC shares the key K_AS,AC with the authentication server AS; if the key K_AS,AC is not shared, 4.3.2.1) is executed; if the key K_AS,AC is shared, 4.3.2.2) is executed;
  • the authentication server AS constructs the identity authentication response message M4
  • the authentication server AS determines, using the shared key K_AS,AC, whether the N_REQ obtained by decrypting E(K_AS,AC, N_REQ)
  • the authentication server AS generates a session key K_AC,REQ between the visitor REQ and the access controller AC, and then uses the shared keys K_AS,AC and K_AS,REQ and the session key K_AC,REQ to calculate E(K_AS,AC, ID_REQ
  • the authentication server AS further constructs an identity authentication response message M4 at this time, that is, ID_AC
  • MIC2 is sent to the visitor REQ.
  • the message integrity authentication code MIC2 = H(K_AS,REQ, ID_AC
  • the identity authentication response message M4 is ID_AC
  • the identity authentication response message M4 is a message containing at least ID_AC
  • the identity authentication response message M4 is ID_AC
  • the identity authentication response message M4 contains at least ID_AC
  • the visitor REQ receives the identity authentication response message M4
  • Step 5.2 the visitor REQ discards the identity authentication response message M4.
  • Step 5.3 the visitor REQ checks the integrity of the message according to MIC2; if it is not intact, 5.3.1) is executed; if it is intact, 5.3.2) is executed.
  • the visitor REQ uses K_AS,REQ to decrypt the publishable result C1, i.e. Res(AC), to determine the legitimacy of the access controller AC; if Res(AC) is decrypted, R is obtained.
  • the visitor REQ decrypts E(K_AS,REQ, K_AC,REQ) in the identity authentication response message M4 to obtain the session key K_AC,REQ, generates the random number N'_REQ, and calculates the message integrity
  • authentication code MIC3 = H(K_AC,REQ, N_AC
  • the message integrity authentication code MIC3 is used to verify the integrity of the message N_AC
  • the access authentication response message M5 contains at least
  • the access controller AC receives the access authentication response message M5, i.e. N_AC
  • the access controller AC receives the access authentication response message M5, i.e. N_AC
  • the access controller AC denies access to the visitor REQ.
  • the access controller AC denies access to the visitor REQ.
  • the access controller AC decrypts E(K_AS,AC, ID_REQ
  • the access controller AC denies access to the visitor REQ.
  • the access controller AC confirms ID_REQ by decrypting E(K_AS,AC, ID_REQ
  • the access controller AC denies access to the visitor REQ.
  • the access controller AC determines, according to the authorization policy, whether the access request Q_REQ sent by the visitor REQ in step S1 is legal; if not, 6.3.2.2.2.1) is performed; if legal, 6.3.2.2.2.2) is performed.
  • the access controller AC denies access to the visitor REQ.
  • MIC4, is sent to the visitor REQ.
  • R_AC is used by the access controller AC to notify the visitor REQ whether it has access to the destination network.
  • the message integrity authentication code MIC4 is used to verify the integrity of the message N'_REQ
  • the AC locally, or may also be provided by another server such as the authentication server AS.
  • the identity authentication response message M4 in step S4 is required to be ID_AC
  • E(K_AS,AC, ID_REQ in MIC2
  • K_AC,REQ) is modified to E(K_AS,AC, ID_REQ
  • the access controller AC authenticates and authorizes the visitor REQ, and access control at the access controller AC is realized.
  • the visitor REQ checks the message N'_REQ
  • the visitor REQ discards the access response message M6.
  • the visitor REQ decrypts E(K_AC,REQ, R_AC) to obtain the response data R_AC, judges according to R_AC whether the access controller AC authorizes access to the destination network, and then accesses the destination network accordingly.
  • the access response message M6 is a message containing at least N'_REQ
  • the access controller AC, after receiving the access request message M1, that is, N_REQ
  • REQ. In other embodiments, the access authentication request message M2 is a message containing at least N_REQ
  • N_REQ) represents the result of hashing K_AS,AC
  • the visitor REQ, after receiving the access authentication request message M2, that is, N_REQ
  • N_REQ), the visitor REQ first determines whether N_REQ is the random number it generated; if not, the access authentication request message M2 is discarded; if so, the visitor REQ calculates the message integrity authentication code MIC5 = H(K_AS,REQ, ID_AC
  • the message integrity authentication code MIC5 is used to verify the integrity of ID_AC
  • the identity authentication request message M3 contains at least
  • after the authentication server AS receives the identity authentication request message M3, i.e. ID_AC
  • the authentication server AS judges according to ID_AC whether the access controller AC shares the key K_AS,AC with the authentication server AS; if the key K_AS,AC is not shared, 4.2. ) is performed; if the key K_AS,AC is shared, 4.2. V ) is performed.
  • the authentication server AS terminates the authentication.
  • the authentication server AS constructs an identity authentication response message M4, i.e. ID_AC
  • MIC2 is sent to the visitor REQ.
  • Res(AC) is the publishable authentication result C1
  • Res(REQ) is the publishable authentication result C2
  • Res(AC) = E(K_AS,REQ, R(AC))
  • Res(REQ) = E(K_AS,AC, R(REQ))
  • R(AC) is the first authentication result
  • R(REQ) is the second authentication result
  • MIC2 is the message integrity authentication code.
  • the AC was authenticated successfully.
  • MIC2 = H(K_AS,REQ, ID_AC
  • the authentication server AS judges according to MIC5 in the identity authentication request message M3
  • the authentication server AS discards the identity authentication request message M3.
  • the authentication server AS uses ID_AC to determine whether the access controller AC has been authenticated with the server.
  • the authentication server AS verifies the integrity of H(K_AS,AC
  • the authentication server AS constructs an identity authentication response message M4, i.e. ID_AC
  • R(AC) = Failure, indicating that the authentication server AS failed to authenticate the access controller AC;
  • R(REQ) = True, indicating that the authentication server AS successfully authenticated the visitor REQ.
  • MIC2 = H(K_AS,REQ, ID_AC
  • the authentication server AS generates a session key K_AC,REQ between the visitor REQ and the access controller AC, and then uses the shared keys K_AS,AC and K_AS,REQ and the session key K_AC,REQ to calculate E(K_AS,AC, ID_REQ
  • K_AC,REQ) and E(K_AS,REQ, K_AC,REQ), and then calculates the message integrity authentication code MIC2 = H(K_AS,REQ, ID_AC) at this time.
  • the message integrity authentication code MIC2 = H(K_AS,REQ, ID_AC
  • the identity authentication response message M4 is ID_AC
  • the identity authentication response message M4 is a message including at least ID_AC
  • the identity authentication response message M4 is a message including at least ID_AC
  • the invention is based on a symmetric cryptographic mechanism and provides two specific implementations of authentication between the access controller AC and the visitor REQ when the authentication server AS provides the authentication service: one method is based on a symmetric encryption operation,
  • and the other is based on a hash operation; the latter embodiment can implement authentication between the visitor REQ and the authentication server AS even when the access controller AC cannot directly use the authentication service provided by the authentication server AS.
  • the access control process of authorizing the visitor REQ is completed by the access controller AC.
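The six-message exchange described in the steps above (M1 to M6, with the AS checking both encrypted copies of N_REQ, the publishable results Res(AC) and Res(REQ) each encrypted for one party only, and the session key K_AC,REQ delivered to both sides), as an added example that is not part of the patent or of any product implementing it. The cipher E and the hash H are modelled with HMAC-SHA256 stand-ins; the message field names, the policy representation as a set of (ID_REQ, Q_REQ) pairs, the outcome labels returned by run(), and all keys, identities and nonces are constructed assumptions.

```python
# Added example, not from the patent: a runnable model of its AS-mediated symmetric-key
# exchange between visitor REQ, access controller AC and authentication server AS. E()/H()
# are HMAC-SHA256 stand-ins for the patent's cipher and one-way hash; every key, ID and
# nonce below is constructed for the demonstration.
import hashlib, hmac, os

TRUE, FALSE = b"\x01", b"\x00"  # encodings of the R(AC), R(REQ) and R_AC results
def H(key, *parts):  # keyed one-way hash for the MICs, over length-prefixed parts
    return hmac.new(key, b"".join(len(p).to_bytes(4, "big") + p for p in parts), hashlib.sha256).digest()

def _stream(key, iv, n):  # HMAC-derived keystream (toy cipher core, not for production use)
    return b"".join(H(key, b"ks", iv, i.to_bytes(4, "big")) for i in range((n + 31) // 32))[:n]

def E(key, data):  # stand-in for E(K, data): random IV, keystream XOR, integrity tag
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, iv, len(data))))
    return iv + ct + H(key, b"tag", iv, ct)

def D(key, blob):  # inverse of E; returns None if the blob is absent or its tag fails
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, H(key, b"tag", iv, ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, iv, len(ct))))

def mic_ok(key, msg, name):  # recompute the MIC over every other field, in send order
    return hmac.compare_digest(msg[name], H(key, *[v for n, v in msg.items() if n != name]))

class AuthServer:
    def __init__(self, keys):  # entity ID -> key shared with the AS
        self.keys = keys
    def handle_m3(self, m3):  # step S4: both encrypted N_REQ copies must match M3's N_REQ
        k_req, k_ac = self.keys.get(m3["ID_REQ"]), self.keys.get(m3["ID_AC"])
        if k_req is None or k_ac is None:
            return None  # no shared key: the AS terminates the authentication
        r_ac, r_req = D(k_ac, m3["E_AC_N"]) == m3["N_REQ"], D(k_req, m3["E_REQ_N"]) == m3["N_REQ"]
        k_sess = os.urandom(32) if r_ac and r_req else None  # K_AC,REQ only if both verified
        m4 = {"ID_AC": m3["ID_AC"], "ID_REQ": m3["ID_REQ"],
              "Res_AC": E(k_req, TRUE if r_ac else FALSE),   # R(AC), readable by REQ only
              "Res_REQ": E(k_ac, TRUE if r_req else FALSE),  # R(REQ), readable by AC only
              "E_AC": E(k_ac, bytes([len(m3["ID_REQ"])]) + m3["ID_REQ"] + k_sess) if k_sess else b"",
              "E_REQ": E(k_req, k_sess) if k_sess else b""}
        m4["MIC2"] = H(k_req, *m4.values())
        return m4

class AccessController:
    def __init__(self, id_, k_as_ac, allowed):  # allowed: set of (ID_REQ, Q_REQ) pairs
        self.id, self.k, self.allowed = id_, k_as_ac, allowed
    def m2(self, m1):  # step S2: bind the visitor's N_REQ under K_AS,AC and add our N_AC
        self.q, self.n_ac = m1["Q_REQ"], os.urandom(16)
        return {"N_REQ": m1["N_REQ"], "ID_AC": self.id, "N_AC": self.n_ac,
                "E_N": E(self.k, m1["N_REQ"])}
    def m6(self, m5):  # step S6: trust only the AS's Res(REQ), then apply the local policy
        blob = D(self.k, m5["E_AC"])  # ID_REQ || K_AC,REQ, sealed by the AS for the AC
        if m5["N_AC"] != self.n_ac or D(self.k, m5["Res_REQ"]) != TRUE or blob is None:
            return None  # stale N_AC, REQ not authenticated by the AS, or no key: deny
        id_req, k_sess = blob[1:1 + blob[0]], blob[1 + blob[0]:]
        if not mic_ok(k_sess, m5, "MIC3"):
            return None
        r_ac = TRUE if (id_req, self.q) in self.allowed else FALSE  # step 6.3.2.2.2
        m6 = {"N_REQ2": m5["N_REQ2"], "E_RAC": E(k_sess, r_ac)}
        m6["MIC4"] = H(k_sess, *m6.values())
        return m6

class Visitor:
    def __init__(self, id_, k_as_req, q_req):
        self.id, self.k, self.q = id_, k_as_req, q_req
    def m1(self):  # step S1: access request Q_REQ with a fresh nonce N_REQ
        self.n_req = os.urandom(16)
        return {"N_REQ": self.n_req, "Q_REQ": self.q}
    def m3(self, m2):  # step S3: relay the AC's proof to the AS together with our own
        if m2["N_REQ"] != self.n_req:
            return None  # not the nonce we generated: discard M2
        self.n_ac = m2["N_AC"]
        return {"ID_AC": m2["ID_AC"], "ID_REQ": self.id, "N_REQ": self.n_req,
                "E_AC_N": m2["E_N"], "E_REQ_N": E(self.k, self.n_req)}
    def m5(self, m4):  # step S5: check MIC2 and R(AC), take the session key, build M5
        if not mic_ok(self.k, m4, "MIC2"):
            return None  # step 5.3.1: integrity failure, discard M4
        self.k_sess = D(self.k, m4["E_REQ"])  # None when the AS issued no key
        if D(self.k, m4["Res_AC"]) != TRUE or self.k_sess is None:
            return None  # the AS did not vouch for this access controller
        self.n_req2 = os.urandom(16)  # N'_REQ
        m5 = {"N_AC": self.n_ac, "N_REQ2": self.n_req2, "Res_REQ": m4["Res_REQ"], "E_AC": m4["E_AC"]}
        m5["MIC3"] = H(self.k_sess, *m5.values())
        return m5
    def finish(self, m6):  # step S7: verify N'_REQ and MIC4, then read the AC's decision R_AC
        return m6["N_REQ2"] == self.n_req2 and mic_ok(self.k_sess, m6, "MIC4") and D(self.k_sess, m6["E_RAC"]) == TRUE

def run(visitor, ac, as_, tamper_m3=None):  # one access attempt; tamper_m3 models an on-path change to M3
    m3 = visitor.m3(ac.m2(visitor.m1()))
    m4 = as_.handle_m3(tamper_m3(m3) if tamper_m3 else m3)
    m5 = visitor.m5(m4) if m4 else None
    m6 = ac.m6(m5) if m5 else None
    if m6 is None:
        return "terminated_at_as" if m4 is None else "stopped_by_visitor" if m5 is None else "denied_by_ac"
    return "allow" if visitor.finish(m6) else "deny"

def make_parties(allowed):  # constructed keys and IDs for one demo run
    k_ac, k_req = os.urandom(32), os.urandom(32)
    return (Visitor(b"req-1", k_req, b"wlan:corp"), AccessController(b"ac-1", k_ac, allowed),
            AuthServer({b"req-1": k_req, b"ac-1": k_ac}))
```

Calling run(*make_parties({(b"req-1", b"wlan:corp")})) walks one successful authorization; passing an empty policy set yields a deny, an AuthServer that lacks the AC's key terminates at step S4, and a tamper_m3 hook that swaps in a ciphertext of a different nonce makes R(AC) fail so the visitor refuses the access controller. Three properties of the design are visible in the model: the AS only accepts a proof whose decrypted nonce equals the plaintext N_REQ in the same M3, so a captured E(K_AS,AC, N_REQ) from an earlier run is rejected; Res(REQ) is encrypted under K_AS,AC, so the visitor that relays it cannot forge its own result; and ID_REQ travels inside E(K_AS,AC, ID_REQ || K_AC,REQ), so the AC binds the session key to the identity the AS authenticated rather than to a claim in the clear. The toy keystream cipher is there only to keep the example dependency-free; a deployment would use an authenticated cipher such as AES-GCM in its place.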
  • embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or a combination of software and hardware. Moreover, the invention can be embodied in the form of one or more computer program products embodied on a computer-usable storage medium (including but not limited to disk storage, CD-ROM, optical storage, etc.) in which computer usable program code is embodied.
  • a computer-usable storage medium including but not limited to disk storage, CD-ROM, optical storage, etc.
  • the present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (system), and computer program products according to embodiments of the invention.
  • each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions.
  • These computer program instructions can be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing device to produce a machine for the execution of instructions for execution by a processor of a computer or other programmable data processing device.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device.
  • the instruction device implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on a computer or other programmable device to produce computer-implemented processing for execution on a computer or other programmable device.
  • the instructions provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention relates to a network access control method and system. After a visitor makes an access request, an access controller in the destination network processes the access request and, via the visitor, initiates an identity authentication request for the visitor to an authentication server; the access controller in the destination network completes the identity authentication of the visitor according to the authentication server's publishable authentication results forwarded by the visitor, and performs authorization management, according to authorization policies, for a visitor whose authentication succeeded. This solves the prior-art problem that access control cannot be implemented when an access controller cannot directly use the authentication services provided by an authentication server, and meets the requirements of practical application.
PCT/CN2011/071770 2010-10-13 2011-03-14 Network access control method and system WO2012048551A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010504262.3 2010-10-13
CN201010504262 2010-10-13

Publications (1)

Publication Number Publication Date
WO2012048551A1 true WO2012048551A1 (fr) 2012-04-19

Family

ID=44844269

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/071770 WO2012048551A1 (fr) 2010-10-13 2011-03-14 Network access control method and system

Country Status (2)

Country Link
CN (1) CN102231736B (fr)
WO (1) WO2012048551A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104113551B (zh) * 2014-07-28 2017-06-23 百度在线网络技术(北京)有限公司 Platform authorization method, platform server, application client and system
CN104113549B (zh) * 2014-07-28 2017-07-18 百度在线网络技术(北京)有限公司 Platform authorization method, platform server, application client and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101159660A (zh) * 2007-11-16 2008-04-09 西安西电捷通无线网络通信有限公司 Trusted network access control method based on tri-element peer authentication
CN101364875A (zh) * 2008-09-12 2009-02-11 西安西电捷通无线网络通信有限公司 Method for realizing public key acquisition, certificate verification and bidirectional authentication of an entity
CN101958908A (zh) * 2010-10-13 2011-01-26 西安西电捷通无线网络通信股份有限公司 Network access control method and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2851104A1 (fr) * 2003-02-10 2004-08-13 France Telecom Method and system for authenticating a user at an access network when the user connects to the Internet
CN101431517B (zh) * 2008-12-08 2011-04-27 西安西电捷通无线网络通信股份有限公司 Trusted network connection handshake method based on tri-element peer authentication
CN101635624B (zh) * 2009-09-02 2011-06-01 西安西电捷通无线网络通信股份有限公司 Entity authentication method introducing an online trusted third party

Also Published As

Publication number Publication date
CN102231736A (zh) 2011-11-02
CN102231736B (zh) 2014-07-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11831948

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11831948

Country of ref document: EP

Kind code of ref document: A1