WO2012048552A1 - Network access control method and system - Google Patents
Network access control method and system
- Publication number
- WO2012048552A1 (PCT/CN2011/071821)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- authentication
- visitor
- access
- identity
- req
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Definitions
- The present invention belongs to the field of network security applications in information security technology, and in particular to a network access control method and system.
Background technique
- the access controller in the destination network completes the authentication and authorization of the visitor, thereby implementing access control to the visitor.
- However, the access controller may not be directly connected to the authentication server, because of limitations of the access controller itself or of the destination network, so that it cannot directly use the authentication service of the authentication server.
- In that case, the prior-art access control method, in which the access controller connects directly to the authentication server and uses the authentication service it provides, cannot satisfy the practical application requirements for access control of the visitor.
Summary of the invention
- the present invention provides an access control method and system capable of satisfying application requirements for access control of a visitor.
- the present invention provides a network access control method, including:
- Step 1) the visitor sends an access request message to an access controller of the destination network, where the access request message includes an access request of the visitor;
- Step 2) after receiving the access request message, the access controller constructs an access authentication request message including the first identity authentication information, and sends the access authentication request message to the visitor;
- the first identity authentication information is the identity authentication information of the access controller;
- Step 3) after the visitor receives the access authentication request message, it constructs an identity authentication request message and sends it to an authentication server of the destination network, where the identity authentication request message includes the first identity authentication information and second identity authentication information; the second identity authentication information is the identity authentication information of the visitor;
- Step 4) after receiving the identity authentication request message, the authentication server generates a first authentication result by authenticating the access controller according to the first identity authentication information, and generates a second authentication result by authenticating the visitor according to the second identity authentication information; the authentication server then constructs an identity authentication response message and sends it to the visitor, where the identity authentication response message includes the first authentication result and the second authentication result;
- Step 5) after receiving the identity authentication response message, the visitor constructs an access authentication response message according to the first authentication result and sends it to the access controller, where the access authentication response message includes the second authentication result;
- Step 6) after receiving the access authentication response message, the access controller constructs an access response message according to the second authentication result and an authorization policy and sends it to the visitor, where the authorization policy is the policy by which the access controller authorizes the access request.
- the invention also provides an access device, comprising:
- An access request interaction module, configured to send an access request message to an access controller of a destination network, and to receive an access authentication request message sent by the access controller that includes first identity authentication information; the first identity authentication information is the identity authentication information of the access controller;
- An authentication request interaction module, configured to send an identity authentication request message to an authentication server of the destination network, where the identity authentication request message includes the first identity authentication information and second identity authentication information, the second identity authentication information being the identity authentication information of the visitor; and to receive an identity authentication response message sent by the authentication server, where the identity authentication response message includes a first authentication result obtained by authenticating the access controller according to the first identity authentication information and a second authentication result obtained by authenticating the visitor according to the second identity authentication information; and an authentication result interaction module, configured to send, according to the first authentication result, an access authentication response message that includes the second authentication result to the access controller, and to receive an access response message sent by the access controller.
- the invention also provides an authentication server, comprising:
- An authentication request receiving module, configured to receive an identity authentication request message sent by a visitor, where the identity authentication request message includes first identity authentication information of an access controller of the destination network and second identity authentication information of the visitor;
- An authentication execution module, configured to generate a first authentication result by authenticating the access controller according to the first identity authentication information, and a second authentication result by authenticating the visitor according to the second identity authentication information;
- the authentication response sending module is configured to send an identity authentication response message to the visitor, where the identity authentication response message includes the first authentication result and the second authentication result.
- the invention also provides an access controller, comprising:
- An access request receiving module, configured to receive an access request message sent by a visitor;
- an access authentication request constructing module configured to send an access authentication request message including the first identity authentication information to the visitor;
- the first identity authentication information is identity authentication information of the access controller;
- An access authentication response receiving module, configured to receive an access authentication response message sent by the visitor and obtain a second authentication result from it, where the access authentication response message is constructed by the visitor according to the first authentication result; the first authentication result and the second authentication result are sent by the authentication server to the visitor in an identity authentication response message; the first authentication result is generated by the authentication server after performing identity authentication on the access controller according to the first identity authentication information included in the identity authentication request message sent by the visitor, and the second authentication result is generated by the authentication server after performing identity authentication on the visitor according to the second identity authentication information included in the identity authentication request message;
- the access response sending module is configured to send an access response message to the visitor according to the obtained second authentication result and the authorization policy.
- the invention also provides a network access control system, comprising: a visitor, an access controller of the destination network, and an authentication server; wherein:
- the visitor is configured to send an access request message to the access controller, and to receive an access authentication request message that is sent by the access controller and includes first identity authentication information, the first identity authentication information being the identity authentication information of the access controller; to send to the authentication server an identity authentication request message including the first identity authentication information and second identity authentication information, where the second identity authentication information is the identity authentication information of the visitor; and to receive an identity authentication response message sent by the authentication server that includes a first authentication result and a second authentication result;
- the access controller is configured to receive the access request message, and send the access authentication request message;
- the authentication server is configured to perform identity authentication on the access controller according to the first identity authentication information sent by the visitor to obtain a first authentication result; to perform identity authentication on the visitor according to the second identity authentication information sent by the visitor to obtain a second authentication result; and to send an identity authentication response message including the first authentication result and the second authentication result to the visitor.
- The network access control method and system proposed by the present invention authenticate the identity of a visitor with the participation of an authentication server even when the access controller of the destination network cannot directly use the authentication service provided by the authentication server.
- The invention is based on a cryptographic mechanism: after the visitor makes an access request, the access controller of the destination network processes the access request, the visitor initiates an identity authentication request for its own identity to the authentication server, and the access controller of the destination network completes the authentication of the visitor's identity according to the publicly identifiable authentication result of the authentication server, which is forwarded by the visitor, and then authorizes the successfully authenticated visitor according to the authorization policy.
- the present invention solves the problem that the access control cannot be implemented when the access controller cannot directly use the authentication service provided by the authentication server, and the present invention can fully satisfy the practical application requirements for access control of the visitor.
- FIG. 1 is a flow chart of a network access control method provided by the present invention.
- FIG. 2 is a schematic diagram of the operation of the network access control system provided by the present invention.
- FIG. 3 is a detailed block diagram of step S1 in Figure 2.
- FIG. 4 is a detailed block diagram of step S2 in Figure 2.
- FIG. 5 is a detailed block diagram of step S3 in Figure 2.
- FIG. 6 is a detailed block diagram of step S4 in Figure 2.
- FIG. 7 is a detailed block diagram of step S5 in Figure 2.
- FIG. 8 is a detailed block diagram of step S6 in Figure 2.
Detailed description
- the present invention provides a network access control system 100.
- the access control system 100 includes a visitor REQ, an authentication server AS, and an access controller AC. Prior to the operation of the system 100, authentication information for verifying mutual identities has been shared between the visitor REQ and the authentication server AS, between the access controller AC and the authentication server AS, respectively.
- the network access control system 100 completes the authentication and authorization of the visitor REQ through six steps S1 to S6.
- Step S1 Referring to FIG. 3, the visitor REQ sends an access request message M1 to the access controller AC of the destination network.
- The access request message M1 contains Q_REQ.
- Q_REQ represents the access request of the visitor REQ, the same below.
- Step S2 Referring to FIG. 4, after receiving the access request message M1, the access controller AC of the destination network sends an access authentication request message M2 to the visitor REQ.
- The access authentication request message M2 contains the identity authentication information I1 of the access controller AC; the identity authentication information I1 is used to prove the validity of the identity of the access controller AC to the authentication server AS.
- Step S3 Referring to FIG. 5, after the visitor REQ receives the access authentication request message M2, it constructs an identity authentication request message M3 and sends it to the authentication server AS.
- The identity authentication request message M3 includes the identity authentication information I1 and the identity authentication information I2 of the visitor REQ.
- The identity authentication information I2 is used to prove the legitimacy of the identity of the visitor REQ to the authentication server AS.
- Step S4 Referring to FIG. 6, the authentication server AS provides the authentication service according to the identity authentication request message M3 and generates publicly identifiable authentication results; that is, according to the identity authentication information I1 and I2 in the identity authentication request message M3 it generates the publicly identifiable authentication result C1 of the access controller AC and the publicly identifiable authentication result C2 of the visitor REQ. Based on C1 and C2, the authentication server AS constructs an identity authentication response message M4 and sends it to the visitor REQ.
- The identity authentication response message M4 includes the publicly identifiable authentication results C1 and C2.
- Step S5 Referring to FIG. 7, after the visitor REQ receives the identity authentication response message M4, it constructs an access authentication response message M5 according to the publicly identifiable authentication result C1 and sends it to the access controller AC of the destination network.
- The access authentication response message M5 includes the publicly identifiable authentication result C2.
- Step S6 Referring to FIG. 8, the access controller AC constructs an access response message M6 according to the publicly identifiable authentication result C2 of the authentication server AS and the authorization policy, and sends it to the visitor REQ. At this point the process of authenticating and authorizing the visitor REQ has been completed.
- The authorization policy refers to the policy by which the access controller AC authorizes the access request Q_REQ of the visitor REQ; the authorization policy may come from some server, such as the authentication server AS, or may be local to the access controller AC.
- the authorization policy has been previously built in the authentication server AS or the access controller AC, and the present invention only invokes the authorization policy.
- The present invention further provides an access device, including: an access request interaction module, configured to send an access request message to an access controller of a destination network, and to receive an access authentication request message sent by the access controller that includes first identity authentication information; the first identity authentication information is the identity authentication information of the access controller;
- An authentication request interaction module, configured to send an identity authentication request message to an authentication server of the destination network, where the identity authentication request message includes the first identity authentication information and second identity authentication information, the second identity authentication information being the identity authentication information of the visitor; and to receive an identity authentication response message sent by the authentication server, where the identity authentication response message includes a first authentication result obtained by authenticating the access controller according to the first identity authentication information and a second authentication result obtained by authenticating the visitor according to the second identity authentication information; and an authentication result interaction module, configured to send, according to the first authentication result, an access authentication response message that includes the second authentication result to the access controller, and to receive an access response message sent by the access controller.
- an authentication server including:
- An authentication request receiving module, configured to receive an identity authentication request message sent by a visitor, where the identity authentication request message includes first identity authentication information of an access controller of the destination network and second identity authentication information of the visitor;
- An authentication execution module, configured to generate a first authentication result by authenticating the access controller according to the first identity authentication information, and a second authentication result by authenticating the visitor according to the second identity authentication information;
- the authentication response sending module is configured to send an identity authentication response message to the visitor, where the identity authentication response message includes the first authentication result and the second authentication result.
- an access controller including:
- An access request receiving module, configured to receive an access request message sent by a visitor;
- an access authentication request constructing module configured to send an access authentication request message including the first identity authentication information to the visitor;
- the first identity authentication information is identity authentication information of the access controller;
- An access authentication response receiving module, configured to receive an access authentication response message sent by the visitor and obtain a second authentication result from it; the access authentication response message is constructed by the visitor according to the first authentication result; the first authentication result and the second authentication result are sent by the authentication server to the visitor in an identity authentication response message;
- the first authentication result is generated by the authentication server after performing identity authentication on the access controller according to the first identity authentication information included in the identity authentication request message sent by the visitor;
- the second authentication result is generated by the authentication server according to the second identity authentication information included in the identity authentication request message, after the identity authentication is performed on the visitor;
- the access response sending module is configured to send an access response message to the visitor according to the obtained second authentication result and the authorization policy.
- a network access control system with corresponding functions includes: a visitor, an access controller of a destination network, and an authentication server; wherein:
- the visitor is configured to send an access request message to the access controller, and to receive an access authentication request message that is sent by the access controller and includes first identity authentication information, the first identity authentication information being the identity authentication information of the access controller; to send to the authentication server an identity authentication request message including the first identity authentication information and second identity authentication information, where the second identity authentication information is the identity authentication information of the visitor; and to receive an identity authentication response message sent by the authentication server that includes a first authentication result and a second authentication result;
- the access controller is configured to receive the access request message, and send the access authentication request message;
- the authentication server is configured to perform identity authentication on the access controller according to the first identity authentication information sent by the visitor to obtain a first authentication result; to perform identity authentication on the visitor according to the second identity authentication information sent by the visitor to obtain a second authentication result; and to send an identity authentication response message including the first authentication result and the second authentication result to the visitor.
- step S1 is:
- The visitor REQ constructs N_REQ||Q_REQ and sends it to the access controller AC.
- N_REQ||Q_REQ is the access request message M1.
- The access request message M1 may also be another message, and that other message includes at least N_REQ
- N_REQ represents the random number generated by the visitor REQ, and "
- step S2 is:
- After receiving the access request message M1 of the visitor REQ, that is, N_REQ||Q_REQ, the access controller AC constructs an access authentication request message M2, that is, N_REQ
- The access authentication request message M2 is a message containing at least N_REQ
- N_AC represents the random number generated by the access controller AC
- IA_AC represents the identity authentication information of the access controller AC, that is, the identity authentication information I1, which is either the result of a cryptographic operation on the authentication information shared by the access controller AC and the authentication server AS, or identity authentication information that can be sent directly to the authentication server AS without a cryptographic operation; it is used to prove the validity of the identity of the access controller AC to the authentication server AS.
- step S3 is:
- After receiving the access authentication request message M2 of the access controller AC, that is, N_REQ
- ID_AC is the identity of the access controller AC, the same below.
- The identity authentication request message M3 is a message containing at least ID_AC||N_REQ||IA_REQ||IA_AC.
- step S4 is:
- The authentication server AS first authenticates the identity of the access controller AC according to IA_AC; if the identity of the access controller AC is illegal, 4.2) is performed; if the identity of the access controller AC is legal, 4.3) is performed.
- The authentication server AS constructs an identity authentication response message M4, i.e. ID_AC
- Res(AC) is the publicly identifiable authentication result C1;
- Res(REQ) is the publicly identifiable authentication result C2, the same below;
- Res(AC) is the authentication result of the authentication server AS for the access controller AC, or that authentication result after a cryptographic operation using the authentication information shared with the visitor REQ, the same below;
- Res(REQ) is the authentication result of the authentication server AS for the visitor REQ, or that authentication result after a cryptographic operation using the authentication information shared with the access controller AC, the same below; at this time the authentication result of the authentication server AS for the access controller AC is "Failure", indicating that the authentication server AS failed to authenticate the access controller AC, that is, the access controller AC is illegal, and the authentication
- The authentication server AS authenticates the identity of the visitor REQ. If the identity of the visitor REQ is illegal, 4.3.1) is performed; if the identity of the visitor REQ is legal, 4.3.2) is performed.
- The authentication server AS constructs an identity authentication response message M4, i.e. ID_AC
- The authentication result of the authentication server AS for the access controller AC is "True", indicating that the access controller AC is legal; the authentication result of the authentication server AS for the visitor REQ is "Failure", indicating that the identity of the visitor REQ is illegal.
- The authentication server AS constructs an identity authentication response message M4, i.e. ID_AC
- Res(REQ) is sent to the visitor REQ.
- The authentication result of the authentication server AS for the access controller AC is "True", indicating that the access controller AC is legal; the authentication result of the authentication server AS for the visitor REQ is "True", indicating that the identity of the visitor REQ is legal.
- The identity authentication response message M4 is a message containing at least ID_AC
- step S5 is:
- After the visitor REQ receives the identity authentication response message M4 of the authentication server AS, that is, ID_AC
- If Res(AC) is the result of a cryptographic operation, the visitor REQ applies to Res(AC), using the authentication information shared with the authentication server AS, the inverse of the cryptographic operation that was used when generating Res(AC), and thereby obtains the authentication result of the authentication server AS for the access controller AC.
- If Res(AC) is not the result of a cryptographic operation, the authentication result of the authentication server AS for the access controller AC is obtained directly. If the authentication result is "Failure", indicating that the access controller AC is illegal, 5.3.1) is performed; if it is "True", indicating that the access controller AC is legal, 5.3.2) is performed.
- The visitor REQ generates a new random number N'_REQ and constructs an access authentication response message M5, i.e. N_AC
- The access authentication response message M5 is a message containing at least N_AC
- step S6 is:
- After receiving the access authentication response message M5 of the visitor REQ, that is, N_AC
- The access controller AC denies access to the visitor REQ.
- If Res(REQ) is the result of a cryptographic operation, the access controller AC applies to Res(REQ), using the authentication information shared with the authentication server AS, the inverse of the cryptographic operation that was used when generating Res(REQ), and thereby obtains the authentication result of the authentication server AS for the visitor REQ.
- If Res(REQ) is not the result of a cryptographic operation, the authentication result of the authentication server AS for the visitor REQ is obtained directly. If the authentication result is "Failure", indicating that the visitor REQ is illegal, 6.3.1) is performed; if it is "True", indicating that the visitor REQ is legal, 6.3.2) is performed.
- The access controller AC determines, according to the authorization policy, whether the access request Q_REQ sent by the visitor REQ in step S1 is legal. If the access request Q_REQ is determined to be illegal, 6.3.2.1) is performed; if it is determined to be legal, 6.3.2.2) is performed.
- The access controller AC denies access to the visitor REQ.
- The access controller AC constructs the response data R_AC according to Q_REQ, and constructs and sends an access response message M6, i.e. N'_REQ
- The response data R_AC is used by the access controller AC to notify the visitor REQ that it has the right to access the destination network.
- the authorization policy of the access controller AC to the visitor REQ may be local or provided by another server.
- the identity authentication response message M4 in step S4 needs to be modified to ID_AC
- The access controller AC has now authenticated and authorized the visitor REQ, and access control by the access controller AC is realized.
- After receiving the access response message M6, the visitor REQ first determines whether the random number N'_REQ in it is the random number N'_REQ that the visitor REQ generated; if not, it discards the access response message M6; if so, it judges from the response data R_AC whether the access controller AC has authorized access to the destination network, and accesses the destination network accordingly.
- The access response message M6 is a message containing at least N'_REQ
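The six steps S1 to S6 above, instantiated with the symmetric-key form that the embodiment below gives them (IA_AC = E(K_AS,AC, N_REQ), Res(AC) = E(K_AS,REQ, R(AC)), Res(REQ) = E(K_AS,AC, R(REQ)), MIC2 = H(K_AS,REQ, ...)), as an added Python illustration that is not code from the patent. It assumes a stand-in E/D built from HMAC-SHA256 (the patent leaves the symmetric algorithm E unspecified), HMAC-SHA256 for H with an assumed MIC2 input, that M2 also carries ID_AC and M3 also carries ID_REQ so each party can select its pre-shared key, and an allow-list as the authorization policy.

```python
"""Added illustration of the S1-S6 exchange (Figures 3-8); not code from the patent.
Assumptions: E/D stand in for the unspecified symmetric algorithm E (HMAC-SHA256
keystream, encrypt-then-MAC); H is HMAC-SHA256; M2 also carries ID_AC and M3 also
carries ID_REQ so each party can pick its pre-shared key; the authorization policy
is an allow-list of request names.  All keys and nonces below are constructed."""
import hashlib
import hmac
import os

TRUE, FAILURE = b"True", b"Failure"

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def E(key, pt):  # stand-in for the patent's E: nonce || (pt XOR keystream) || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def D(key, blob):  # inverse of E; None when the tag fails (wrong key, forgery or damage)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def mic2(k_as_req, m4):  # MIC2 = H(K_AS,REQ, ID_AC || Res(AC) || Res(REQ)); the page truncates the exact input
    return hmac.new(k_as_req, m4["ID_AC"] + m4["Res_AC"] + m4["Res_REQ"], hashlib.sha256).digest()

class Visitor:  # REQ: shares K_AS,REQ with AS and relays between AC and AS
    def __init__(self, id_req, k_as_req):
        self.id, self.k = id_req, k_as_req

    def step_s1(self, q_req):  # M1 = N_REQ || Q_REQ
        self.n_req = os.urandom(16)
        return {"N_REQ": self.n_req, "Q_REQ": q_req}

    def step_s3(self, m2):  # M3 = ID_AC || N_REQ || IA_REQ || IA_AC, with IA_REQ = E(K_AS,REQ, N_REQ)
        if m2["N_REQ"] != self.n_req:
            return None
        self.n_ac = m2["N_AC"]
        return {"ID_AC": m2["ID_AC"], "ID_REQ": self.id, "N_REQ": self.n_req,
                "IA_REQ": E(self.k, self.n_req), "IA_AC": m2["IA_AC"]}

    def step_s5(self, m4):  # read Res(AC) = C1; only for a legal AC is Res(REQ) relayed in M5
        if not hmac.compare_digest(mic2(self.k, m4), m4["MIC2"]) or D(self.k, m4["Res_AC"]) != TRUE:
            return None  # 5.3.1: AS says the AC is illegal (or M4 was altered in transit)
        self.n_req2 = os.urandom(16)  # fresh N'_REQ binds M6 to this round
        return {"N_AC": self.n_ac, "N'_REQ": self.n_req2, "Res_REQ": m4["Res_REQ"]}

    def check_m6(self, m6):  # discard M6 unless it echoes our N'_REQ
        return m6["R_AC"].decode() if m6["N'_REQ"] == self.n_req2 else "discarded"

class AccessController:  # AC: shares K_AS,AC with AS but never talks to AS here
    def __init__(self, id_ac, k_as_ac, policy):
        self.id, self.k, self.policy, self.reason = id_ac, k_as_ac, policy, None

    def step_s2(self, m1):  # M2 = N_REQ || N_AC || IA_AC, with IA_AC = E(K_AS,AC, N_REQ)
        self.n_req, self.q_req, self.n_ac = m1["N_REQ"], m1["Q_REQ"], os.urandom(16)
        return {"ID_AC": self.id, "N_REQ": self.n_req, "N_AC": self.n_ac, "IA_AC": E(self.k, self.n_req)}

    def step_s6(self, m5):  # read Res(REQ) = C2, then apply the authorization policy to Q_REQ
        if m5["N_AC"] != self.n_ac:
            self.reason = "stale"  # M5 does not answer our M2
        elif D(self.k, m5["Res_REQ"]) != TRUE:
            self.reason = "identity"  # 6.3.1: visitor identity illegal
        elif self.q_req not in self.policy:
            self.reason = "policy"  # 6.3.2.1: request not authorized
        else:
            return {"N'_REQ": m5["N'_REQ"], "R_AC": b"granted"}  # 6.3.2.2: M6 = N'_REQ || R_AC
        return None

class AuthServer:  # AS: holds the keys pre-shared with every AC and every visitor
    def __init__(self, ac_keys, req_keys):
        self.ac_keys, self.req_keys = ac_keys, req_keys

    def step_s4(self, m3):  # verify both proofs against the N_REQ carried in M3, then build M4
        k_ac, k_req = self.ac_keys.get(m3["ID_AC"]), self.req_keys.get(m3["ID_REQ"])
        if k_ac is None or k_req is None or D(k_ac, m3["IA_AC"]) != m3["N_REQ"]:
            return None  # 4.2.1 / 4.2.2.1: no key for this AC, or its proof fails: terminate
        r_req = TRUE if D(k_req, m3["IA_REQ"]) == m3["N_REQ"] else FAILURE
        m4 = {"ID_AC": m3["ID_AC"], "Res_AC": E(k_req, TRUE),  # C1: readable only by REQ
              "Res_REQ": E(k_ac, r_req)}  # C2: readable only by AC
        m4["MIC2"] = mic2(k_req, m4)
        return m4

def run(q_req, policy=(b"intranet",), ac_key_ok=True, bad_ia_req=False):  # one S1..S6 round
    k_ac, k_req = os.urandom(32), os.urandom(32)
    req, ac = Visitor(b"REQ-1", k_req), AccessController(b"AC-1", k_ac, set(policy))
    srv = AuthServer({b"AC-1": k_ac if ac_key_ok else os.urandom(32)}, {b"REQ-1": k_req})  # wrong key: AC proof fails
    m3 = req.step_s3(ac.step_s2(req.step_s1(q_req)))
    if bad_ia_req and m3:  # constructed failure: a visitor proof made under a key AS does not hold
        m3["IA_REQ"] = E(os.urandom(32), m3["N_REQ"])
    m4 = srv.step_s4(m3) if m3 else None
    m5 = req.step_s5(m4) if m4 else None
    if m5 is None:
        return "as_terminated" if m4 is None else "req_rejected_ac"
    m6 = ac.step_s6(m5)
    return req.check_m6(m6) if m6 else "denied_" + ac.reason
```

run() reports the outcome of one full round; its keyword arguments construct the failure cases the page branches on (no usable key for the AC at the AS, a visitor proof that does not verify, a request the policy rejects).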
- Step S1:
- The visitor REQ constructs N_REQ||Q_REQ and sends it to the access controller AC; N_REQ||Q_REQ is the access request message M1.
- The access request message M1 may also be another message, which includes at least N_REQ
- After receiving the access request message M1, that is, N_REQ
- The access authentication request message M2 is a message including at least N_REQ
- N_AC represents the random number generated by the access controller AC
- E(K_AS,AC, N_REQ) represents the result of encrypting N_REQ with the shared key K_AS,AC, that is, the identity authentication information I1 of the access controller AC; K_AS,AC is the key shared between the access controller AC and the authentication server AS; E is a symmetric encryption algorithm, the same below.
- After receiving the access authentication request message M2, that is, N_REQ
- ID_AC is the identity of the access controller AC, the same below.
- The identity authentication request message M3 is a message containing at least ID_AC
- The authentication server AS receives the identity authentication request message M3
- The authentication server AS determines, according to ID_AC, whether the access controller AC shares the key K_AS,AC with the authentication server AS; if the key K_AS,AC is not shared, 4.2.1) is performed; if the key K_AS,AC is shared, 4.2.2) is performed. 4.2.1) The authentication server AS terminates the authentication.
- The authentication server AS decrypts E(K_AS,AC, N_REQ), i.e. the identity authentication information I1, using the shared key K_AS,AC, and determines whether the N_REQ obtained after decryption is equal to the N_REQ in the identity authentication request message M3 sent by the visitor REQ to the authentication server AS in step S3. If they are not equal, 4.2.2.1) is performed; if the N_REQ obtained after decryption is equal to the N_REQ in the identity authentication request message M3 sent by the visitor REQ to the authentication server AS in step S3, 4.2.2.2) is performed.
- the authentication server AS terminates the authentication.
- The authentication server AS constructs an identity authentication response message M4, i.e. ID_AC
- MIC2, and sends it to the visitor REQ.
- Res(AC) is the publicly identifiable result C1, and Res(REQ) is the publicly identifiable result C2;
- Res(AC) = E(K_AS,REQ, R(AC)), and Res(REQ) = E(K_AS,AC, R(REQ));
- R(AC) is the first authentication result, and R(REQ) is the second authentication result;
- MIC2 is the message integrity authentication code.
- The authentication server AS decrypts E(K_AS,REQ, N_REQ) using the shared key K_AS,REQ, and determines whether the N_REQ obtained after decryption is equal to the N_REQ in the identity authentication request message M3 sent by the visitor REQ to the authentication server AS in step S3. If the N_REQ obtained after decryption is not equal to the N_REQ in the identity authentication request message M3 sent by the visitor REQ to the authentication server AS in step S3, then 4.3.
- the authentication server AS determines whether the access controller AC has shared the key K_{AS,AC} with the authentication server AS; if the key K_{AS,AC} is not shared, it executes 4.3.1.1); if the key K_{AS,AC} is shared, it executes 4.3.1.2).
- the authentication server AS terminates the authentication.
- 4.3.1.2) the authentication server AS decrypts E(K_{AS,AC}, N_REQ) using the shared key K_{AS,AC}, and determines whether the N_REQ obtained after decryption is equal to the information N_REQ in the identity authentication request message M3 that the visitor REQ sent to the authentication server AS in step S3. If the N_REQ obtained after decryption is not equal to the information N_REQ in the identity authentication request message M3 sent by the visitor REQ to the authentication server AS in step S3, 4.3.1.2.1) is performed; if the N_REQ obtained after decryption is equal to the information N_REQ in the identity authentication request message M3 sent by the visitor REQ to the authentication server AS in step S3, 4.3.1.2.2) is performed.
- the authentication server terminates the authentication.
- the authentication server AS constructs the identity authentication response message M4, i.e. ... || MIC_2, and sends it to the visitor REQ.
- R(AC) = True, indicating that the authentication server AS successfully authenticates the access controller AC;
- R(REQ) = Failure, indicating that the authentication server AS fails to authenticate the visitor REQ;
- MIC_2 = H(K_{AS,REQ}, ID_AC || ...
- H is a one-way hash algorithm, the same below.
- the authentication server AS determines, according to ID_AC, whether the access controller AC has shared the key K_{AS,AC} with the authentication server AS; if the key K_{AS,AC} is not shared, it executes 4.3.2.1); if the key K_{AS,AC} is shared, it executes 4.3.2.2);
- ... || MIC_2 is sent to the visitor REQ.
- R(AC) = Failure, indicating that the authentication server AS fails to authenticate the access controller AC;
- R(REQ) = True, indicating that the authentication server AS successfully authenticates the visitor REQ.
- MIC_2 = H(K_{AS,REQ}, ID_AC || ...
- the authentication server AS determines whether the N_REQ obtained by decrypting E(K_{AS,AC}, N_REQ) with the shared key K_{AS,AC} is equal to the information N_REQ in the identity authentication request message M3 that the visitor REQ sent to the authentication server AS in step S3; if not, it executes step 4.3.2.1); if yes, it executes 4.3.2.3).
- the authentication server AS generates a session key K_{AC,REQ} between the visitor REQ and the access controller AC, then uses the shared keys K_{AS,AC} and K_{AS,REQ} and the session key K_{AC,REQ} to calculate E(K_{AS,AC}, ID_REQ || K_{AC,REQ}) and E(K_{AS,REQ}, K_{AC,REQ}), and then calculates the message integrity authentication code at this time, MIC_2 = H(K_{AS,REQ}, ID_AC || ...
- ID_REQ is the identity of the visitor REQ, the same below.
- the message integrity authentication code MIC_2 at this time is used to verify the integrity of the message ID_AC || ...
- R(AC) True, indicating that the authentication server AS successfully authenticates the access controller AC;
- R(REQ) True, indicating that the authentication server AS successfully authenticates the visitor REQ.
- the authentication server AS further constructs the identity authentication response message M4 at this time, i.e. ID_AC || ... || MIC_2, and sends it to the visitor REQ.
- the message integrity authentication code MIC_2 = H(K_{AS,REQ}, ID_AC || ...
- the identity authentication response message M4 is ID_AC || ...
- the identity authentication response message M4 is a message containing at least ID_AC || ...
- the visitor REQ receives the identity authentication response message M4
- Step 5.2 the visitor REQ discards the identity authentication response message M4.
- Step 5.3) the visitor REQ judges the integrity of the corresponding message according to MIC_2; if it is not complete, it executes 5.3.1); if it is complete, it executes 5.3.2). 5.3.1) the visitor REQ discards the identity authentication response message M4.
- the visitor REQ uses K_{AS,REQ} to decrypt the publicly discriminable result C1, i.e. Res(AC), to determine the legitimacy of the access controller AC; when Res(AC) is decrypted, R(AC) is obtained ...
- the visitor REQ decrypts E(K_{AS,REQ}, K_{AC,REQ}) in the identity authentication response message M4 to obtain the session key K_{AC,REQ}, generates the random number N'_REQ, and calculates the message integrity authentication code MIC_3 = H(K_{AC,REQ}, N_AC || ...
- ... || MIC_3 is sent to the access controller AC.
- the message integrity authentication code MIC_3 is used to verify the integrity of the message N_AC || ...
- the access authentication response message M5 is a message containing at least ...
- the access controller AC receives the access authentication response message M5, i.e. N_AC || ...
- the access controller AC denies access to the visitor REQ.
- the access controller AC denies access to the visitor REQ.
- the access controller AC decrypts E(K_{AS,AC}, ID_REQ || ...
- the access controller AC denies access to the visitor REQ. 6.3.2.2) the access controller AC confirms whether the result of decrypting E(K_{AS,AC}, ID_REQ || ...
- the access controller AC denies access to the visitor REQ.
- the access controller AC determines, according to the authorization policy, whether the access request Q_REQ sent by the visitor REQ in step S1 is legal; if not, it performs 6.3.2.2.2.1); if so, it performs 6.3.2.2.2.2).
- the access controller AC denies access to the visitor REQ.
- the message integrity authentication code MIC_4 is used to verify the integrity of the message N'_REQ || ...
- the authorization policy of the access controller AC for the visitor REQ may be local, or may be provided by another server, such as the authentication server AS.
- the identity authentication response message M4 in step S4 needs to be ID_AC || ...
- E(K_{AS,AC}, ID_REQ || ...
- E(K_{AS,REQ}, K_{AC,REQ}) ...
- ... || K_{AC,REQ}) is modified to E(K_{AS,AC}, ID_REQ || ...
- the access controller AC authenticates and authorizes the visitor REQ, and access control by the access controller AC is realized.
- the visitor REQ discards the access response message M6.
- the visitor REQ decrypts E(K_{AC,REQ}, R_AC) to obtain the response data R_AC, determines according to the response data R_AC whether the access controller AC has authorized it to access the destination network, and accesses the destination network accordingly.
- the access response message M6 is a message containing at least N'_REQ || ...
- steps S2 to S4 in the above second embodiment are:
- the access controller AC, after receiving the access request message M1, i.e. N_REQ || ...
- ... REQ. In other embodiments, the access authentication request message M2 is a message containing at least N_REQ || ...
- N represents the result of hashing K_{AS,AC} || ...
- the visitor REQ, after receiving the access authentication request message M2, i.e. N_REQ || ... || N_REQ), first determines whether N_REQ is the random number generated by the visitor REQ; if not, it discards the access authentication request message M2; if yes, the visitor REQ calculates the message integrity authentication code MIC_5 = H(K_{AS,REQ}, ID_AC || ...
- the message integrity authentication code MIC_5 is used to verify the integrity of ID_AC || ...
- the identity authentication request message M3 is a message containing at least ...
- the authentication server AS receives the identity authentication request message M3
- the authentication server AS judges, according to ID_AC, whether the access controller AC has shared the key K_{AS,AC} with the authentication server AS; if the key K_{AS,AC} is not shared, it executes 4.2.1'); if the key K_{AS,AC} is shared, it executes 4.2.2').
- the authentication server AS terminates the authentication.
- the authentication server AS constructs an identity authentication response message M4, i.e. ID_AC || ... || MIC_2, and sends it to the visitor REQ.
- Res(AC) is the publicly discriminable result C1
- Res(REQ) is the publicly discriminable result C2
- Res(AC) = E(K_{AS,REQ}, R(AC))
- Res(REQ) = E(K_{AS,AC}, R(REQ))
- R(AC) is the first verification result
- R(REQ) is the second verification result
- MIC_2 is the message integrity authentication code.
- MIC_2 = H(K_{AS,REQ}, ID_AC || ...
- the authentication server AS judges, according to MIC_5 in the identity authentication request message M3, ...
- the authentication server AS discards the identity authentication request message M3.
- the authentication server AS uses ID_AC to determine whether the access controller AC has shared the key K_{AS,AC} with the authentication server AS; if the key K_{AS,AC} is not shared, it executes 4.3.2.1'); if the key K_{AS,AC} is shared, it executes 4.3.2.2').
- the authentication server AS constructs the identity authentication response message M4, i.e. ... || MIC_2, and sends it to the visitor REQ.
- R(AC) = Failure, indicating that the authentication server AS fails to authenticate the access controller AC;
- R(REQ) = True, indicating that the authentication server AS successfully authenticates the visitor REQ.
- MIC_2 = H(K_{AS,REQ}, ID_AC || ...
- the authentication server AS verifies the integrity of H(K_{AS,AC} || ...
- the authentication server AS constructs the identity authentication response message M4, i.e. ... || MIC_2, and sends it to the visitor REQ.
- R(AC) = Failure, indicating that the authentication server AS fails to authenticate the access controller AC;
- R(REQ) = True, indicating that the authentication server AS successfully authenticates the visitor REQ.
- MIC_2 = H(K_{AS,REQ}, ID_AC || ...
- the authentication server AS generates a session key K_{AC,REQ} between the visitor REQ and the access controller AC, then uses the shared keys K_{AS,AC} and K_{AS,REQ} and the session key K_{AC,REQ} to calculate E(K_{AS,AC}, ID_REQ || K_{AC,REQ}) and E(K_{AS,REQ}, K_{AC,REQ}), and then calculates the message integrity authentication code MIC_2 = H(K_{AS,REQ}, ID_AC || ...
- R(AC) = True, indicating that the authentication server AS successfully authenticates the access controller AC;
- R(REQ) = True, indicating that the authentication server AS successfully authenticates the visitor REQ.
- the identity authentication response message M4 constructed by the authentication server AS at this time is ID_AC || ... || MIC_2, and it is sent to the visitor REQ.
- the message integrity authentication code MIC_2 = H(K_{AS,REQ}, ID_AC || ...
- the identity authentication response message M4 is ID_AC || ...
- the identity authentication response message M4 is a message containing at least ID_AC || ...
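The shared-key handshake of steps S1 to S6 above, and the variant of steps S2 to S4 that follows it, is modelled below as an added, constructed Python example; it is not the patent's code nor any implementer's. The exact field layout of M3, M4 and M5, the identities, the keys, HMAC-SHA256 standing in for H and a toy HMAC-keystream cipher standing in for E are all assumptions, since the text fixes none of them. What the model makes visible is where the protocol's protection comes from: the authentication server AS accepts I1 and I2 only if both decrypt to the very N_REQ carried in M3, and it releases the session key K_{AC,REQ} only when R(AC) and R(REQ) are both True, so an access controller that does not hold K_{AS,AC}, or an access request that the authorization policy rejects, ends in a denial at step 6.

```python
import hashlib
import hmac
import os

# Stand-in primitives. Assumption: the patent fixes neither E nor H, so a toy
# HMAC-keystream cipher and HMAC-SHA256 are used here purely for illustration.
def H(key, *parts):
    """Message integrity code H(K, ...) as HMAC-SHA256 over the joined parts."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def _keystream(key, nonce, n):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def E(key, plaintext):
    """E(K, m) -> nonce || (m XOR keystream). Demo only, not a real cipher."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, ks))

def D(key, ciphertext):
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))

ID_AC, ID_REQ = b"AC-1", b"REQ-1"            # constructed identities
K_AS = {ID_AC: hashlib.sha256(b"constructed K_AS,AC").digest(),    # shared AS<->AC
        ID_REQ: hashlib.sha256(b"constructed K_AS,REQ").digest()}  # shared AS<->REQ

def _m4_fields(m4):
    return (m4["id_ac"], m4["id_req"], m4["res_ac"], m4["res_req"],
            m4.get("e_ac", b""), m4.get("e_req", b""))

def as_step4(m3):
    """Step 4 at AS. Assumed M3 = ID_AC, ID_REQ, N_REQ, I1 = E(K_AS,AC, N_REQ),
    I2 = E(K_AS,REQ, N_REQ). Returns M4, or None when AS terminates (no key for ID_AC)."""
    k_ac, k_req = K_AS.get(m3["id_ac"]), K_AS[m3["id_req"]]
    if k_ac is None:
        return None                                    # 4.2.1): no shared key with this AC
    r_ac = D(k_ac, m3["i1"]) == m3["n_req"]            # R(AC): AC proved K_AS,AC on this N_REQ
    r_req = D(k_req, m3["i2"]) == m3["n_req"]          # R(REQ): REQ proved K_AS,REQ on this N_REQ
    m4 = {"id_ac": m3["id_ac"], "id_req": m3["id_req"],
          "res_ac": E(k_req, b"True" if r_ac else b"Failure"),   # Res(AC), readable by REQ
          "res_req": E(k_ac, b"True" if r_req else b"Failure")}  # Res(REQ), readable by AC
    if r_ac and r_req:                                 # 4.3.2.3): only now issue K_AC,REQ
        k_ac_req = os.urandom(32)
        m4["e_ac"] = E(k_ac, m3["id_req"] + b"|" + k_ac_req)
        m4["e_req"] = E(k_req, k_ac_req)
    m4["mic2"] = H(k_req, *_m4_fields(m4))
    return m4

def req_step5(m4, k_req, n_ac):
    """Step 5 at REQ: check MIC2, read Res(AC), recover K_AC,REQ, build M5 with MIC3."""
    if m4 is None or not hmac.compare_digest(H(k_req, *_m4_fields(m4)), m4["mic2"]):
        return None                                    # 5.2) / 5.3.1): discard M4
    if D(k_req, m4["res_ac"]) != b"True" or "e_req" not in m4:
        return None                                    # AS did not vouch for AC, or for REQ
    k_ac_req = D(k_req, m4["e_req"])
    m5 = {"n_ac": n_ac, "n2_req": os.urandom(16), "res_req": m4["res_req"], "e_ac": m4["e_ac"]}
    m5["mic3"] = H(k_ac_req, m5["n_ac"], m5["n2_req"], m5["res_req"], m5["e_ac"])
    return m5

def ac_step6(m5, k_ac, n_ac, q_req, policy):
    """Step 6 at AC: recover K_AC,REQ, verify MIC3 and Res(REQ), apply the authorization policy."""
    if m5 is None or m5["n_ac"] != n_ac:
        return "deny"                                  # not a reply to the N_AC we issued
    parts = D(k_ac, m5["e_ac"]).split(b"|", 1)
    if len(parts) != 2:
        return "deny"                                  # E(K_AS,AC, ID_REQ || K_AC,REQ) did not parse
    id_req, k_ac_req = parts
    expected = H(k_ac_req, m5["n_ac"], m5["n2_req"], m5["res_req"], m5["e_ac"])
    if not hmac.compare_digest(expected, m5["mic3"]):
        return "deny"                                  # 6.3.1): MIC3 failed
    if D(k_ac, m5["res_req"]) != b"True":
        return "deny"                                  # 6.3.2.1): AS did not authenticate REQ
    return "grant" if policy(id_req, q_req) else "deny"   # 6.3.2.2.2.x): authorization policy

def run_handshake(q_req=b"GET /intranet", ac_key=K_AS[ID_AC],
                  policy=lambda id_req, q: id_req == ID_REQ and q == b"GET /intranet"):
    """Drive S1..S6 with an AC that holds ac_key; returns the AC's decision."""
    n_req = os.urandom(16)                             # S1: REQ -> AC : N_REQ, Q_REQ
    n_ac = os.urandom(16)                              # S2: AC -> REQ : N_REQ, N_AC, I1, ID_AC
    i1 = E(ac_key, n_req)
    m3 = {"id_ac": ID_AC, "id_req": ID_REQ, "n_req": n_req,     # S3: REQ -> AS
          "i1": i1, "i2": E(K_AS[ID_REQ], n_req)}
    m4 = as_step4(m3)                                  # S4: AS -> REQ
    m5 = req_step5(m4, K_AS[ID_REQ], n_ac)             # S5: REQ -> AC
    return ac_step6(m5, K_AS[ID_AC], n_ac, q_req, policy)   # S6: AC decides
```

Running `run_handshake()` yields "grant"; the same call with an access controller key AS does not know, or with a request the policy rejects, yields "deny" without any session key ever reaching the visitor. The nonce check at AS is what prevents a stale I1 from being replayed for a fresh visitor: both proofs must bind the N_REQ of this very run.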
- Embodiment 3, Step S1:
- the visitor REQ constructs N_REQ || I_REQ || Q_REQ and sends it to the access controller AC.
- N_REQ || I_REQ || Q_REQ is the access request message M1.
- the access request message M1 may also be another message, and that other message includes at least N_REQ || ...
- I_REQ represents the identity authentication information of the visitor REQ, i.e. the identity authentication information I2, which is used to prove the validity of the identity of the visitor REQ to the authentication server AS
- N_REQ represents the random number generated by the visitor REQ
- "||" represents the concatenation of the information before and after it, the same below.
- after the access controller AC receives the access request message M1, i.e. N_REQ || I_REQ || Q_REQ, the access authentication request message M2, i.e. N_REQ || N_AC || I_REQ || I_AC || S_AC(N_REQ || N_AC || I_REQ), is sent to the visitor REQ.
- the access authentication request message M2 is a message containing at least N_REQ || N_AC || I_REQ || I_AC || S_AC(N_REQ || N_AC || I_REQ).
- N_AC represents the random number generated by the access controller AC
- I_AC represents the identity authentication information of the access controller AC, i.e. the identity authentication information I1, which is used to prove the validity of the identity of the access controller AC to the authentication server AS
- S_AC(N_REQ || N_AC || I_REQ) indicates the signature of the access controller AC over N_REQ || N_AC || I_REQ, i.e. the digital signature SIG_K ...
- after receiving the access authentication request message M2, i.e. N_REQ || N_AC || I_REQ || I_AC || S_AC(N_REQ || N_AC || I_REQ), the visitor REQ first determines whether N_REQ is the random number generated by the visitor REQ; if not, it discards the access authentication request message M2; if yes, it constructs the identity authentication request message M3, i.e. N'_REQ || N_AC || I_REQ || I_AC, and sends it to the authentication server AS. Here N'_REQ is a random number generated by the visitor REQ, the same below.
- the identity authentication request message M3 is a message containing at least N'_REQ || N_AC || I_REQ || I_AC.
- the authentication server receives the identity authentication request message M3 of the visitor REQ.
- Res(I_AC) is the publicly discriminable authentication result C1, which includes the authentication result of the authentication server AS for I_AC and the public key of the access controller AC;
- Res(I_REQ) is the publicly discriminable authentication result C2, which includes the authentication result of the authentication server AS for I_REQ and the public key of the visitor REQ;
- ... Res(I_REQ)) respectively represent the authentication server AS's ...
- the identity authentication response message M4 is a message containing at least ...
- the visitor REQ receives the identity authentication response message M4 from the authentication server AS and first verifies the validity of the signature S_AS(N'_REQ || ...
- the access authentication response message M5 is a message containing at least ...
- the access controller AC receives the access authentication response message M5 from the visitor REQ, i.e. Res(I_REQ) || ...
- the access controller AC checks the signature S_REQ(...
- the response data is constructed according to Q_REQ, and the access response message M6 is constructed and sent to the visitor REQ.
- the access response message M6 includes the response data sent to the visitor REQ; the response data is used to notify the visitor REQ whether it is allowed to access the destination network, whereby the access behaviour of the visitor REQ to the destination network is controlled.
- the authorization policy of the access controller AC for the visitor REQ may be local, or may be provided by another server, such as the authentication server AS.
- the identity authentication response message M4 of step S4 needs to be Res(I_REQ) || ...
- the access authentication response message M5 in step S5 is Res(I_REQ) || ...
- ... || I_AC) needs to be modified to Res(I_REQ) || ...
- the verification of the signature S_AS(N_AC || ...
- the random number N_AC is identical, but the access request Q_REQ sent by the visitor REQ in step S1 is judged to be invalid.
- embodiments of the present invention can be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the invention can be embodied in the form of one or more computer program products embodied on a computer-usable storage medium (including but not limited to disk storage, CD-ROM, optical storage, etc.) in which computer-usable program code is embodied.
- the computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising the instruction device.
- the instruction device implements the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
- these computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2013533072A JP5624219B2 (ja) | 2010-10-13 | 2011-03-15 | ネットワークアクセス制御方法およびシステム |
US13/879,136 US9038143B2 (en) | 2010-10-13 | 2011-03-15 | Method and system for network access control |
KR1020137012247A KR101515312B1 (ko) | 2010-10-13 | 2011-03-15 | 네트워크 액세스의 제어 방법 및 시스템 |
Applications Claiming Priority (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010505950 | 2010-10-13 | ||
CN201010504262 | 2010-10-13 | ||
CN201010504262.3 | 2010-10-13 | ||
CN201010505950.1 | 2010-10-13 | ||
CN201010506041.X | 2010-10-13 | ||
CN201010506041XA CN101958908B (zh) | 2010-10-13 | 2010-10-13 | 网络访问控制方法及系统 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2012048552A1 true WO2012048552A1 (zh) | 2012-04-19 |
Family
ID=45937855
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2011/071821 WO2012048552A1 (zh) | 2010-10-13 | 2011-03-15 | 网络访问控制方法及系统 |
Country Status (4)
Country | Link |
---|---|
US (1) | US9038143B2 (zh) |
JP (1) | JP5624219B2 (zh) |
KR (1) | KR101515312B1 (zh) |
WO (1) | WO2012048552A1 (zh) |
2011
- 2011-03-15 JP JP2013533072A patent/JP5624219B2/ja active Active
- 2011-03-15 US US13/879,136 patent/US9038143B2/en active Active
- 2011-03-15 WO PCT/CN2011/071821 patent/WO2012048552A1/zh active Application Filing
- 2011-03-15 KR KR1020137012247A patent/KR101515312B1/ko active IP Right Grant
Also Published As
Publication number | Publication date |
---|---|
KR20130103752A (ko) | 2013-09-24 |
JP5624219B2 (ja) | 2014-11-12 |
JP2013542521A (ja) | 2013-11-21 |
KR101515312B1 (ko) | 2015-04-24 |
US9038143B2 (en) | 2015-05-19 |
US20130205374A1 (en) | 2013-08-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 11831949; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2013533072; Country of ref document: JP; Kind code of ref document: A |
| WWE | Wipo information: entry into national phase | Ref document number: 13879136; Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 20137012247; Country of ref document: KR; Kind code of ref document: A |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 11831949; Country of ref document: EP; Kind code of ref document: A1 |