WO2012048554A1

WO2012048554A1 - Method and system for access control

Info

Publication number: WO2012048554A1
Application number: PCT/CN2011/072029
Authority: WO
Inventors: 王俊峰; 杜志强; 铁满霞; 黄振海; 曹军; 陶洪波; 刘晓勇
Original assignee: 天维讯达无线电设备检测（北京）有限责任公司; 西安西电捷通无线网络通信股份有限公司
Priority date: 2010-10-13
Filing date: 2011-03-22
Publication date: 2012-04-19
Also published as: CN102202065A

Abstract

A method and system for network access control on the basis of asymmetric cryptography mechanism are provided. After a visitor proposes an access request, an access controller in the destination network processes the access request, and the visitor initiates a request for authenticating the identity of the visitor to an authentication server. The access controller in the destination network accomplishes the authentication of the identity of the visitor on the basis of the releasable authentication result which is generated by the authentication server and forwarded by the visitor, and performs, according to the authorization policy, the authorization management of the visitor which has been successfully authenticated. The invention solves the problem that the access control can not be performed when the access controller can not directly use the authentication service provided by the authentication server, and satisfies the practical application requirement.

Description

The present invention claims the priority of the Chinese patent application entitled "An Access Control Method and System" by the Chinese Patent Office, the application number is 201010505950.1, which is filed on October 13, 2010. The citations are incorporated herein by reference. Technical field

The present invention belongs to the field of network security applications in information security technologies, and in particular, to an access control method and system. Background technique

In the existing network access control method, after the visitor initiates an access request to the destination network, the access controller in the destination network completes the authentication and authorization of the visitor, thereby implementing access control to the visitor. In an access control scenario where a third party, such as an authentication server, is involved in identity authentication, the access controller may not be directly connected to the authentication server because of access to the controller itself or the destination network, thereby preventing the access controller from directly using the access controller. The authentication service provided by the authentication server. In this case, the prior art access control method in which the access controller directly connects to the authentication server and uses the authentication server to provide the authentication service will not be able to meet the actual application requirements for access control of the visitor. Summary of the invention

In order to solve the above-mentioned technical problems existing in the background art, the present invention provides an access control method and system capable of satisfying application requirements for access control of a visitor.

The present invention provides an access control method, including:

Step 1), a visitor sends an access request message to an access controller of a destination network; the access request message includes the second identity authentication information and the access request of the visitor;

Step 2), after the access controller receives the access request message, construct an access authentication request Sending a message to the visitor; the access authentication request message includes a first digital signature and first identity authentication information of the access controller;

Step 3), after receiving the access authentication request message, the visitor constructs an identity authentication request message and sends the message to the authentication server. The identity authentication request message includes the first identity authentication information and the Describe the second identity authentication information;

Step 4), after receiving the identity authentication request message, the authentication server authenticates the first identity authentication information and the second identity authentication information, and generates a first publicly available to the access controller. And a second publicly identifiable result of the visitor; the authentication server constructing an identity authentication response message including the first publicly identifiable authentication result and the second publicly identifiable authentication result To the visitor;

Step 5), after receiving the identity authentication response message, the visitor verifies the first digital signature according to the first publicly available authentication result, and selects whether to construct an access authentication response according to the verification result. Sending a message to the access controller; the access authentication response message includes the second publicly available authentication result and a second digital signature of the visitor;

Step 6), after receiving the access authentication response message, the access controller verifies the second digital signature according to the second publicly available authentication result, and constructs an access response according to the verification result and an authorization policy. A message is sent to the visitor; the authorization policy is a policy for the access controller to authorize the access request.

The present invention provides an access device, including:

An access request interaction module, configured to send an access request message to an access controller of a destination network, where the access request message includes the second identity authentication information of the visitor; and receive the content that is sent by the access controller a first digital signature and an access authentication request message of the first identity authentication information of the access controller;

An authentication request interaction module, configured to send an identity authentication request message to an authentication server, where the identity authentication request message includes the first identity authentication information and the second identity authentication information; and receiving the identifier sent by the authentication server An identity authentication response message, where the identity authentication response message includes the identity authentication of the access controller according to the first identity authentication information a publicly discriminable authentication result and a second publicly identifiable authentication result after authenticating the visitor according to the second identity authentication information;

An authentication result interaction module, configured to verify the first digital signature according to the first publicly available authentication result, and select whether to construct the second publicly available authentication result and the visitor according to the verification result The second digitally signed access authentication response message is sent to the access controller, and receives an access response message sent by the accessor.

The invention provides an authentication server, comprising:

An authentication request receiving module, configured to receive an identity authentication request message sent by a visitor, where the identity authentication request message includes first identity authentication information of the destination network one access controller and second identity authentication information of the visitor;

An authentication execution module, configured to generate, according to the first identity authentication information, a first publicly available authentication result after performing identity authentication on the access controller, and generate, according to the second identity authentication information, the visitor a second publicly identifiable authentication result after identity authentication;

The authentication response sending module is configured to send an identity authentication response message to the visitor, where the identity authentication response message includes the first publicly available authentication result and the second publicly available authentication result.

The present invention provides an access controller, including:

An access request receiving module, configured to receive an access request message sent by a visitor, where the access request message carries the second identity authentication information of the visitor;

An access authentication request constructing module, configured to send an access authentication request message to the visitor, where the access authentication request message includes first identity authentication information and a first digital signature of the access controller;

An access authentication response receiving module, configured to receive an access authentication response message sent by the visitor, to obtain a second publicly available authentication result, and a second digital signature sent by the visitor; a first publicly identifiable authentication result and a verification of the first digital signature by a post-construction; the first publicly identifiable authentication result is the first identity authentication sent by the authentication server to the visitor After the information is authenticated, it is determined that the second authentication result is The authentication server determines the second identity authentication information sent by the visitor, and the access response sending module is configured to verify the second digital signature according to the obtained second publicly available authentication result, and According to the verification result and the authorization policy, an access response message is constructed and sent to the visitor.

The present invention provides an access control system including a visitor, an authentication server, and an access controller of a destination network, wherein

The visitor is configured to send an access request message to the access controller, where the access request message carries the second identity authentication information of the visitor; and receives an access authentication request message sent by the access controller. The access authentication request message includes first identity authentication information and a first digital signature of the access controller;

And sending an identity authentication request message including the first identity authentication information and the second identity authentication information to the authentication server, and receiving the first publicly available authentication result and the second publicly available authentication result returned by the authentication server Identity authentication response message;

And configured to send, according to the first publicly discriminable result, the first digital signature to the access controller, the access authentication response message is sent to the access controller, where the access authentication response message includes the second a publicly discriminable authentication result and a second digital signature generated by the visitor, and receiving an access response message sent by the access controller;

The access controller is configured to receive an access request message sent by the visitor, and construct the access authentication request message to be sent to the visitor;

Receiving, by the access identifier sent by the visitor, the second publicly available authentication result and the second digital signature, according to the obtained second publicly available authentication result, the second number The signature is verified, and the access response message is constructed and sent to the visitor according to the verification result and the authorization policy;

The authentication server is configured to receive an identity authentication request message that is sent by the visitor and includes the first identity authentication information and the second identity authentication information, and return the first publicly available authentication result and the second An identity authentication response message of the disclosed authentication result; wherein the first publicly available authentication result is that the first identity card sent by the accessor by the authentication server After the identification of the other information, it is determined that the second publicly available authentication result is determined by the authentication server to identify the second identity authentication information sent by the visitor.

The advantages of the invention are:

The network access control method and system proposed by the present invention completes a network access control method for authenticating a visitor identity in the case where an authentication server participates and the access controller of the destination network cannot directly utilize the authentication service provided by the authentication server. The invention is based on an asymmetric cryptosystem, and after the visitor makes an access request, the access controller in the destination network processes the access request, and the visitor initiates an authentication request for the identity of the visitor to the authentication server, in the destination network. The access controller completes the authentication of the identity of the visitor according to the publicly available authentication result of the authentication server forwarded by the visitor, and authorizes the successful authenticated visitor according to the authorization policy. The invention solves the problem that the access control cannot be implemented when the access controller cannot directly use the authentication service provided by the authentication server, and satisfies the practical application requirements. DRAWINGS

1 is a flow chart of an access control method provided by the present invention.

2 is a schematic diagram of the operation of the access control system provided by the present invention.

Figure 3 is a detailed block diagram of step S1 in Figure 2.

Figure 4 is a detailed block diagram of step S2 in Figure 2.

Figure 5 is a detailed block diagram of step S3 in Figure 2.

Figure 6 is a detailed block diagram of step S4 in Figure 2.

Figure 7 is a detailed block diagram of step S5 in Figure 2.

Figure 8 is a detailed block diagram of step S6 in Figure 2. detailed description

Referring to FIG. 2, the present invention provides an access control system 100. The access control system 100 includes a visitor REQ, an authentication server AS, and an access controller AC:. Prior to the operation of system 100, both the visitor REQ and the access controller AC have the public key of the authentication server AS. Referring to FIG. 1 to FIG. 8, the network access control system 100 completes the authentication and authorization of the visitor REQ through six steps of S1 S6.

Step S1: Referring to FIG. 3, the visitor REQ sends an access request message M1 to the access controller AC of the destination network. The access request message M1 contains the identity authentication information of the QREQ and the visitor REQ. The QREQ indicates the access request of the visitor EQ, and the identity authentication information 12 is used to prove the validity of the visitor REQ identity to the authentication server AS, the same below.

Step S2: Referring to FIG. 4, after the access controller AC receives the access request message M1, the constructive access authentication request message M2 is sent to the visitor REQ. The access authentication request message M2 contains the digital signature SIG1 of the access controller AC and the identity authentication information II. The digital signature SIG1 is used to prove the validity of the access controller AC identity to the visitor REQ, and the identity authentication information II is used to authenticate the server AS. Prove the legality of accessing the controller's AC identity.

Step S3: Referring to FIG. 5, after the visitor REQ receives the access authentication request message M2, the constructive identity authentication request message M3 is sent to the authentication server AS. The identity authentication request message M3 contains the identity authentication information II of the access controller AC and the identity authentication information 12 of the visitor REQ.

Step S4: Referring to FIG. 6, the authentication server AS verifies the identity authentication information II of the access controller AC and the identity authentication information 12 of the visitor REQ in the identity authentication request message M3, and generates an access controller AC respectively. The publicly available authentication result C1 and the publicly available authentication result C2 to the visitor REQ, the authentication server AS constructs the identity authentication response message M4 and sends it to the visitor REQ. The identity authentication response message M4 includes the publicly available authentication results C1 and C2.

Step S5: Referring to FIG. 7, after receiving the identity authentication response message M4, the visitor REQ verifies the digital signature SIG1 according to the publicly available authentication result C1, and selects whether to construct the access authentication response message M5 according to the verification result. Give the access controller AC to the destination network. If transmitted, the access authentication response message M5 contains the publicly available authentication result C2 and the digital signature SIG2 of the visitor REQ. Digital Signature SIG2 is used to prove to the access controller AC the legitimacy of the visitor's REQ identity.

Step S6: Referring to FIG. 8, after the access controller AC receives the access authentication response message M5, the root The digital signature SIG2 is verified according to the publicly available authentication result C2, and the access response message M6 is constructed and sent to the visitor REQ according to the verification result and the authorization policy. The access response message M6 includes information for authorizing the visitor REQ to access the destination network. . So far, the process of authenticating and authorizing the visitor REQ of the present invention has been completed. The authorization policy refers to a policy for the access controller AC to authorize the access request QREQ of the visitor REQ, and the authorization policy may be from a certain server, such as the authentication server AS, or may be from the access controller AC. The authorization policy has been previously built in the authentication server AS or the access controller AC, and the present invention only invokes the authorization policy.

By operating the system 100 in the manner shown in steps S1 to S6, the identification and authorization of the visitor REQ can be realized to meet the practical application requirements for access control of the visitor.

According to the above method provided by the present invention, the present invention provides an access device having a corresponding function, including:

An authentication request interaction module, configured to send an identity authentication request message to an authentication server, where the identity authentication request message includes the first identity authentication information and the second identity authentication information; and receiving the identifier sent by the authentication server An identity authentication response message, where the identity authentication response message includes a first publicly available authentication result after authenticating the access controller according to the first identity authentication information, and a second identity authentication information according to the second identity authentication information Depicting a second publicly identifiable authentication result after the visitor performs identity authentication;

The invention also provides an authentication server, comprising: An authentication request receiving module, configured to receive an identity authentication request message sent by a visitor, where the identity authentication request message includes first identity authentication information of the destination network one access controller and second identity authentication information of the visitor;

The invention also provides an access controller, comprising:

An access authentication response receiving module, configured to receive an access authentication response message sent by the visitor, to obtain a second publicly available authentication result, and a second digital signature sent by the visitor; a first publicly identifiable authentication result and a verification of the first digital signature by a post-construction; the first publicly identifiable authentication result is the first identity authentication sent by the authentication server to the visitor After the information is authenticated, it is determined that the second authentication result is determined by the authentication server to identify the second identity authentication information sent by the visitor;

The access response sending module is configured to verify the second digital signature according to the obtained second publicly available authentication result, and construct an access response message to be sent to the visitor according to the verification result and the authorization policy.

According to the above method of the present invention, an access control system having a corresponding function includes a visitor, an authentication server, and an access controller of the destination network, wherein:

The visitor, configured to send an access request message to the access controller, where the access request is The message carries the second identity authentication information of the visitor; and receives an access authentication request message sent by the access controller, where the access authentication request message includes the first identity authentication information of the access controller and First digital signature;

And receiving, by the access identifier sent by the visitor, the second publicly available authentication result and the second digital signature, according to the obtained second publicly available authentication result, to the second The digital signature is verified, and the access response message is constructed and sent to the visitor according to the verification result and the authorization policy;

The authentication server is configured to receive an identity authentication request message that is sent by the visitor and includes the first identity authentication information and the second identity authentication information, and return the first publicly available authentication result and the second An identity authentication response message of the public authentication result; wherein, the first publicly available authentication result is determined by the authentication server to identify the first identity authentication information sent by the visitor, where The second publicly discriminable result is determined by the authentication server identifying the second identity authentication information sent by the visitor.

A specific embodiment of the above step S1 is:

The NREQIIIREQIIQREQ is sent to the access controller AC. In this embodiment, the NREQIIIREQIIQREQ is the access request message M1. In other embodiments, the request message M1 may also be other messages and the other messages include at least NREQIIIREQI IQREQD.

Where IREQ represents the identity authentication information of the visitor REQ, that is, the identity authentication information 12, used to The validity of the visitor REQ identity is proved to the authentication server AS, NREQ represents the random number generated by the visitor REQ, and 1" indicates that the two messages are connected in series, the same below.

A specific embodiment of the above step S2 is:

After receiving the access request message M1, that is, NREQI |IREQ| IQREQ, the access controller AC constructs an access authentication request message Μ2, that is, NREQIINACIIIREQIIIACIISA^NREQIINACIIIREQ), and sends it to the visitor REQ. In other embodiments, the access authentication request message M2 is one. A message containing at least NREQIINACIIIREQIIIACIISA^NREQIINACIIIREQ).

The N _AC represents the random number generated by the access controller AC, and the I _AC represents the identity authentication information of the access controller AC, that is, the identity authentication information II, which is used to prove the validity of the access controller AC identity to the authentication server AS, SA^ NREQIINACIIIREQ) indicates the signature of the access controller AC to the NREQIINAC REQ, ie the digital signature SIG1.

A specific embodiment of the above step S3 is:

After receiving the access authentication request message M2, that is, NREQIINACIIIREQIIIACIISA^NREQIINACIIIREQ, the visitor REQ first determines whether the NREQ is a random number generated by the visitor REQ, and if not, discards the authentication request message M2; if yes, constructs the identity authentication request message M3 That is, N'REQ||N _AC ||IREQ||I _{ac is} sent to the authentication server AS. Where N'REQ is the random number generated by the visitor REQ, the same below.

In other embodiments, the identity authentication request message M3 is a message containing at least N'REQ||N _AC ||IREQ||I _AC .

A specific embodiment of the above step S4 is:

After the authentication server AS receives the identity authentication request message M3 of the visitor REQ, that is, N'REQIINACIIIREQII C, it verifies the IREQ and I _AC , and constructs an identity authentication response message M4.

REQ.

The Res (I _AC ) is a publicly available authentication result C1, which includes the authentication result of the authentication server AS to the I _AC and the public key of the access controller AC; Res (lREQ) is the publicly available authentication result C2, where Contains the authentication result of the authentication server AS for the IREQ and the public key of the visitor REQ; S _AS (N, REQ||R _ES (I _AC )) and S _AS (N _AC ||R _eS (lREQ) respectively represent the authentication server AS Correct N, RE _Q ||Res(;i _AC ;) and N _AC ||Res(lREQ:) digital signature.

In other embodiments, the identity authentication response message M4 is one containing at least Res(lREQ)| |Res(I _AC )| IS _A S(N'REQ| |Res(I _AC ))|| S _AS (N _AC | |Res (lREQ) message.

A specific embodiment of the above step S5 is:

The visitor REQ receives the identity authentication response message of the authentication server AS, M4

After Re^lRE llRe^lACA^N'REQllRe^lAc IISA^NAcllRe^lREQ)), first verify the validity of the signature S _AS (N, REQ||: Res(I _AC 》) by using the public key of the authentication server AS If it is valid, it is determined whether the N'REQ in the signature S _AS (N, RE _Q ||Res (I _AC )) is consistent with the random number N'REQ sent by the visitor REQ to the authentication server AS in step S3. If they are consistent, the visitor REQ can determine whether the identity of the access controller AC is legal according to the authentication result C1 that can be publicized according to the authentication result Res(I _AC ). If it is legal, the access controller is obtained from Res (I _AC ). The public key of the AC, and using the public key to verify the validity of the digital signature SIG1 (SA^NREQIINACIIIREQ) sent by the access controller AC to the visitor REQ in step S2, if valid, the visitor REQ constructs an access authentication response message M5 is ResGw^llSAsCNAcllResGREo IISREQCNREQllNAcl llAc) is sent to the access controller AC, the message contains the publicly identifiable authentication result C2 (Res lREQ), and the SREQ NREQIINACII C) in the message indicates the visitor REQ to NREQ| |N _AC | The signature of I _ac , the digital signature SIG2.

The following circumstances, the visitor REQ will terminate the access:

1), verify that the signature S _AS (N'RE _Q ||Res(I _AC )) is invalid;

2), although the verification signature S _AS (N'REQ||Res(I _AC )) is valid, but the judgment random number N'REQ is inconsistent; 3), although the verification signature S _AS (N, REQ||Res(I _AC ) ) is valid, and the random number N'REQ is judged, but the access controller AC identity is illegal;

4), although the verification signature S _AS (N, REQ||Res (I _AC )) is valid, and the random number N'REQ is determined, and the access controller AC identity is determined to be valid, but the verification signature SA^NREQIINACIIIREQ) is invalid.

In other embodiments, the access authentication response message M5 is at least one of

llAc) message.

A specific embodiment of the above step S6 is:

The access controller AC receives the access authentication response message M5 of the visitor REQ. After Res lRj^llSAs NAcllRes lREQ^ISREQCNREQllNAclllAc), the validity of the signature S _AS (N _AC ||Res(lREQ)) is first verified by the public key of the authentication server AS, and if valid, according to Res(lRE _Q ) C2 may be disclosed authentication result determines whether legitimate visitors REQ, if valid, it is determined that the signature _{_{S AS (N AC || Res (}} lRE Q)) N AC in the access controller AC whether the random number transmitted in step S2 N _AC . If, in agreement, the access controller AC obtains the public key of the visitor REQ from Res (lREQ), and uses the public key to verify that the signature SREQ (NREQ||N _AC ||I _ac ) is valid. If yes, the access controller AC determines whether the I _AC included in the signature SRK^NREQIINACIIIAC) is consistent with the I _AC sent by the access controller AC in step S2, and if yes, determines the signature SREC^NREQIINACIIIAC) Whether the N _AC is consistent with the random number N _AC sent by the access controller AC in step S2, if the agreement is the same, the access controller AC determines, according to the authorization policy, whether the access request QREQ sent by the visitor REQ in step S1 is Legal, if legal, construct response data based on QREQ And configured to send access response visitors REQ message M6, M6 access response message comprising the response data to the visitors REQ, whether the response data for visitors REQ notifies the network has access to the destination. Based on this, the access behavior of the visitor REQ to the destination network is controlled.

The authorization policy of the access controller AC to the visitor REQ may be local, or may be provided by another server, such as the authentication server AS. When provided by the authentication server AS, the identity authentication response message M4 of step S4 needs to be Res ( lRE _Q )| |Res(I _AC )| IS _AS (N'REQ| |Res(I _AC ))|| S _AS (N _AC | |Res(lRE _Q )) Modified to Res(lRE _Q )| |Res (I _AC )| IS _AS (N'REQ| |Res(I _AC ))|| S _AS (N _AC | |Res(lREQ)| | AP _AS ), where AP _AS represents the authorization policy, and the step The access authentication response message M5 in S5 is Res(lRE _Q )| IS _AS (NAC| |Res(lRE _Q ))| I SREQ(NREQ| |N _AC | |IAC) needs to be modified to Res(I _REQ ) ||SA _S (N _A c||Res(I _REQ )||AP _AS )||S _RE Q(N _REQ ||N _A c||I _A c)o

Access to the controller AC will deny access to the visitor REQ in the following cases:

1), the verification signature S _AS (N _AC ||Res (lREQ)) is invalid;

2), although the verification signature S _AS (N _AC ||Res(lRE _Q )) is valid, it is determined that the visitor REQ is illegal;

3), although the verification signature S _AS (N _AC ||Res (lREQ)) is valid, and it is determined that the visitor REQ is legal, but the random number N _{AC is} determined to be inconsistent; 4), although the verification signature S _AS (N _AC ||Res(lREQ)) is valid, and it is judged that the visitor REQ is legal, and the random number N _{AC is} determined, but the verification signature SRK^NREQIINACIIIAC) is invalid;

5), although the verification signature S _AS (N _AC ||Res(lREQ)) is valid, and it is judged that the visitor REQ is legal, and the random number N _{AC is} judged, and the signature SREQ is verified (NREQ||N _AC ||I _ac ) is valid, but it is determined that the I _AC in the signature SREQ( REQ||N _AC | |I _ac ) is inconsistent with the identity information of the access controller AC;

6), although the verification signature S _AS (N _AC ||Res(lREQ)) is valid, and it is judged that the visitor REQ is legal, and the random number N _{AC is} judged, and the verification signature SREC^NREQIINACII C) is valid, and the signature SREQCNREQIINACI is judged. The I _{AC in} IIAC) is consistent with the identity information of the access controller AC, but it is determined that the random number N _AC in the signature SREQ (NREQ||N _AC | |I _ac ) is inconsistent;

7), although the verification signature S _AS (N _AC ||Res(lREQ)) is valid, and it is judged that the visitor REQ is legal, and the random number N _{AC is} judged, and the signature SREQ is verified (NREQ||N _AC ||I _ac Valid, and determine that the I _AC in the signature SREQ( REQ||N _AC | |I _ac ) is consistent with the identity information of the access controller AC, and determines the random number in the signature SREQ(NREQ| |N _AC | |IAC) N _{AC is} consistent, but it is judged that the access request QREQ sent by the visitor REQ in step S1 is invalid.

In summary, the present invention is based on a digital signature and verification mechanism in asymmetric cryptography, and is implemented between the visitor REQ and the authentication server AS when the access controller AC cannot directly use the authentication service provided by the authentication server AS. The access control process that authorizes and authorizes the visitor REQ is authenticated by the access controller AC.

Those skilled in the art will appreciate that embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.

The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (system), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or FIG. These computer program instructions can be provided to a general purpose computer, a special purpose computer, An embedded processor or processor of another programmable data processing device to generate a machine such that instructions executed by a processor of a computer or other programmable data processing device are generated for implementation in a flow or a flow of flowcharts and/or Or a block diagram of a device in a box or a function specified in a plurality of boxes.

The computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device. The apparatus implements the functions specified in one or more blocks of a flow or a flow and/or block diagram of the flowchart.

These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on a computer or other programmable device to produce computer-implemented processing for execution on a computer or other programmable device. The instructions provide steps for implementing the functions specified in one or more of the flow or in a block or blocks of a flow diagram.

Although the preferred embodiment of the invention has been described, it will be apparent to those skilled in the < Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and the modifications and modifications

It is apparent that those skilled in the art can make various modifications and variations to the invention without departing from the spirit and scope of the invention. Thus, it is intended that the present invention cover the modifications and variations of the inventions

Claims

Rights request

An access control method, comprising:

Step 2), after receiving the access request message, the access controller constructs an access authentication request message and sends the message to the visitor; the access authentication request message includes a first digital signature and the access control First identity authentication information of the device;

2. The method according to claim 1, wherein the access authentication request message further includes a random number N _AC generated by the access controller;

The identity authentication request message sent by the visitor further includes the N _AC ; The access authentication response message further includes a digital signature returned by the authentication server.

S _AS (N _AC ||Res(lREQ)), where Res(lRE _Q ) represents the second authentication result, "" indicates that the two pieces of information are in series, S _AS (N _AC ||Res(lREQ)) Represents the digital signature of the authentication server for N _AC ||Res(lREQ).

The method according to claim 2, wherein after the access controller receives the access authentication response message, if the public key of the authentication server is used to verify the digital signature S _AS (N _AC | If |Res(lREQ) is invalid, the visitor is denied access.

The method according to claim 2, wherein after the access controller receives the access authentication response message, if the public key of the authentication server is used to verify the digital signature S _AS (N _AC | |Res(lREQ)) is valid, and judges that the identity of the visitor is illegal according to the second publicly available authentication result, and denies access to the visitor.

The method according to claim 2, wherein after the access controller receives the access authentication response message, if the public key of the authentication server is used to verify the digital signature S _AS (N _AC | |Res(1⁄2Q)) is valid, and

The discrimination result of the second determining said visitor identity disclosed method, and the digital signature is determined in S _AS N _AC _{(N AC || Res (lREQ)} ) with the access authentication request message includes N _{If the AC is} inconsistent, the visitor is denied access.

The method according to claim 2, wherein the access request message further includes a random number NRE _Q generated by the visitor;

The second publicly available authentication result includes a verification result of the second identity authentication information by the authentication server and a public key of the visitor;

The second number INACII C), wherein the I _AC is the first identity authentication information of the access controller,

AC) indicates the visitor's digital signature for NREQ||N _AC ||I _ac .

7. The method according to claim 6, wherein the access controller, after receiving the access authentication response message, verifies the digital signature S _AS (N _AC | if the public key of the authentication server is used. |R _eS (lREQ)) is valid, and Determining the identity of a legitimate visitors, and the judgment of the digital signature _{_{_{S AS N AC (N AC ||}}} Res (lREQ " in the access authentication request message containing said second discrimination result according to the disclosed N _AC To, and

Obtaining the public key of the visitor from the second publicly available authentication result and verifying that the second digital signature SREQ (NREQ||N _AC ||I _ac ) is invalid by using the public key of the visitor, The visitor is denied access.

8. The method according to claim 6, wherein the access controller, after receiving the access authentication response message, verifies the digital signature S _AS (N _AC | if the public key of the authentication server is used. |Res(lREQ)) is valid, and

Determining the identity of a legitimate visitors, and the judgment of the digital signature _{_{S AS (N AC || Res N}} AC (lRE Q " in the access authentication request message containing the results of discrimination based on said second disclosed N _AC , and

Obtaining the public key of the visitor from the second publicly available authentication result and verifying that the second digital signature SREQ (NREQ||N _AC ||I _ac ) is valid by using the public key of the visitor, and

Determining the second digital signature

The I _AC in the INACIIIAC) is inconsistent with the first identity authentication information in the access authentication request message, and the visitor access is denied.

The method according to claim 6, wherein the access controller, after receiving the access authentication response message, verifies the digital signature S _AS (N _AC | if the public key of the authentication server is used. |Res(lREQ)) is valid, and

Determining the identity of a legitimate visitors, and the judgment of the digital signature _{_{_{S AS N AC (N AC ||}}} Res (lREQ " in the access authentication request message containing said second discrimination result according to the disclosed N _AC To, and

Obtaining the public key of the visitor from the second publicly available authentication result and verifying that the second digital signature SREC^NREQIINACIIIAC) is valid by using the public key of the visitor, and

Determining the second digital signature

INACIIIAC) in I _AC is consistent with the access authentication information in the authentication request message to the first identity and the second digital signature is determined _{SREQ (NREQ || N AC | |} I ac N AC) and in the The N _AC included in the access authentication request message is inconsistent. The visitor is denied access.

10. The method according to claim 6, wherein the access controller, after receiving the access authentication response message, verifies the digital signature S _AS (N _AC | if the public key of the authentication server is used. |Res(lREQ)) is valid, and

Determining the second digital signature

INACIIIAC) in I _AC is consistent with the access authentication of the first authentication information request message, N _AC determines the second digital signature _{SREQ (NREQ || N AC || I} AC) in contact with the The N _AC included in the authentication request message is determined, and according to the authorization policy, it is determined that the access request included in the access request message sent by the visitor is invalid, and the visitor is denied access.

The method according to claim 6, wherein after the access controller receives the access authentication response message, if the public key of the authentication server is used to verify the digital signature S _AS (N _AC | |Res(lREQ)) is valid, and

Determining the second digital signature

The I _AC in the INACIIIAC) is consistent with the first identity authentication information in the access authentication request message, and determines the second digital signature

And the N _AC in the access authentication request message is consistent with the N _AC included in the access authentication request message, and determines, according to the authorization policy, that the access request included in the access request message sent by the visitor is legal, and the access response message is passed. Notifying the visitor that the visitor has access to the destination network.

The method according to claim 1, wherein the first publicly available authentication result comprises a verification result of the first identity authentication information by the authentication server and a public key of the access controller;

And the access authentication response message is configured according to the first publicly available authentication result and the first digital signature is verified, and specifically includes:

Determining, by the visitor, whether the identity of the access controller is legal according to the first publicly available authentication result, and determining, when determining that the access controller is legal, obtaining the first publicly available authentication result. And accessing the public key of the controller, and verifying the first digital signature by using a public key of the access controller, and constructing the access authentication response message after the verification is passed.

Terminating the access when the visitor determines that the identity of the access controller is illegal according to the first publicly available authentication result; or

When the visitor determines that the access controller is legal according to the first publicly available authentication result, the first digital signature is verified by using the public key of the access controller, when the verification fails , terminate the access.

14. An access device, comprising:

An authentication request interaction module, configured to send an identity authentication request message to an authentication server, where the identity authentication request message includes the first identity authentication information and the second identity authentication information; and receiving the identifier sent by the authentication server An identity authentication response message, where the identity authentication response message includes a first publicly available authentication result after authenticating the access controller according to the first identity authentication information, and a second identity authentication information according to the second identity authentication information Visitors a second publicly identifiable result;

15. An authentication server, comprising:

16. An access controller, comprising:

An access authentication response receiving module, configured to receive an access authentication response message sent by the visitor, to obtain a second publicly available authentication result, and a second digital signature sent by the visitor; a first publicly identifiable authentication result and a verification of the first digital signature by a post-construction; the first publicly identifiable authentication result is the first identity authentication sent by the authentication server to the visitor After the information is authenticated, it is determined that the second authentication result is determined by the authentication server to identify the second identity authentication information sent by the visitor; The access response sending module is configured to verify the second digital signature according to the obtained second publicly available authentication result, and construct an access response message to be sent to the visitor according to the verification result and the authorization policy.

An access control system, comprising: an access controller including an accessor, an authentication server, and a destination network, wherein:

And the constructing an access authentication response message is sent to the access controller after the first digital signature is verified according to the first publicly discriminable result, where the access authentication response message includes the second And the public identification result and the second digital signature generated by the visitor, and receiving an access response message sent by the access controller;

The authentication server is configured to receive an identity authentication request message that is sent by the visitor and includes the first identity authentication information and the second identity authentication information, and return the first publicly available authentication result and the second An identity authentication response message of the public authentication result; wherein, the first publicly available authentication result is determined by the authentication server to identify the first identity authentication information sent by the visitor, where The second publicly available authentication result is determined by the authentication server The second authentication information transmitted by said visitor identification after determining _t