WO2013013481A1 - Access authentication method, device, server and system - Google Patents

Access authentication method, device, server and system

Info

Publication number
WO2013013481A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
authentication
network
access control
network access
Prior art date
Application number
PCT/CN2011/083703
Other languages
English (en)
Chinese (zh)
Inventor
马迪
王利明
田野
沈烁
王伟
Original Assignee
中国科学院计算机网络信息中心 (Computer Network Information Center, Chinese Academy of Sciences)
Priority date
2011-07-26
Filing date
2011-12-08
Publication date
2013-01-31
Application filed by 中国科学院计算机网络信息中心
Publication of WO2013013481A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • The present invention relates to the field of communications technologies, and in particular to an access authentication method, device, server and system. Background
  • Existing authentication methods fall into two categories. The first authenticates the physical information of the network access device; for example, the MAC address is used as the physical identity information and bound to the assigned IP address.
  • The second authenticates the account information of the network access device, and then performs IP address allocation and binding of related information after the authentication passes.
  • The first type of authentication method is tied to the specific access environment: once the network access device changes its access location, the representation of its identity information changes.
  • The second type of authentication method is tied to the application layer protocol, and differs between access networks.
  • The embodiments of the invention provide an access authentication method, device, server and system that avoid the problem of existing authentication methods, in which source auditing of the network access device is difficult because the representation of the device's identity information changes.
  • An embodiment of the present invention further provides an access authentication method, including:
  • An embodiment of the present invention provides a network access device, including:
  • An authentication requesting module, configured to send an access authentication request to the access authentication server, where the source IP address of the access authentication request includes an entity identifier (EI) of the network access device;
  • A first receiving module, configured to receive an authentication response message returned by the access authentication server.
  • An embodiment of the present invention provides an access authentication server, including:
  • A second receiving module, configured to receive an access authentication request sent by the network access device, where the source IP address of the access authentication request includes an entity identifier (EI) of the network access device;
  • An authentication module, configured to authenticate the network access device according to the EI in the source IP address.
  • An embodiment of the present invention provides an access control device, including:
  • A third receiving module, configured to receive registration information sent by the access authentication server, where the registration information includes an entity identifier (EI) of the network access device;
  • An embodiment of the present invention provides an access authentication system, including a network access device, an access control device and an access authentication server as described above, connected in sequence.
  • The invention authenticates the network access device and controls its access by using the entity identifier (EI), which uniquely identifies the network access device and is included in its IP address. Regardless of how the access environment and location change, the EI contained in the IP address does not change, thereby avoiding the problem of existing authentication methods, in which the representation of the network access device's identity information changes and source auditing of the device is difficult.
  • FIG. 1 is a schematic flowchart of Embodiment 1 of an access authentication method according to an embodiment of the present disclosure.
  • FIG. 2 is a schematic flowchart of Embodiment 2 of an access authentication method according to an embodiment of the present disclosure.
  • FIG. 3 is a schematic flowchart of Embodiment 3 of an access authentication method according to an embodiment of the present disclosure.
  • FIG. 4 is a schematic flowchart of Embodiment 4 of an access authentication method according to an embodiment of the present disclosure.
  • FIG. 5 is a signaling flowchart of Embodiment 5 of an access authentication method according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic structural diagram of an embodiment of a network access device according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of an embodiment of an access authentication server according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of an embodiment of an access control device according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of an embodiment of an access authentication system according to an embodiment of the present invention.
  • The main idea of the present invention is to provide an access authentication method based on an entity identifier (Entity Identifier, hereinafter referred to as EI) carried in the IP address of the network access entity.
  • An IPv6 address is the address type used by the IPv6 Internet protocol and is 128 bits long.
  • The first 64 bits of the IPv6 address identify the subnet and are called the network prefix; a router selects the forwarding path according to the network prefix.
  • The characteristics of the EI include: 1) global uniqueness: the EI uniquely identifies the network access entity and does not change with access location or time; 2) verifiability of the EI binding information: the EI assigner is responsible for providing query and verification of the identity information bound to the EI.
  • The EI of the network access entity is carried in the last 64 bits of the IPv6 address (the interface identifier), so that the network access entity using an IP address can be identified from the IP address itself.
  • By verifying the EI in the IP address, the embodiment of the present invention solves the problem of existing authentication methods, in which the representation of the identity information of the network access entity changes and source auditing of the entity is difficult, and it also provides support for source IP address verification.
  • FIG. 1 is a schematic flow chart of Embodiment 1 of an access authentication method according to an embodiment of the present invention. As shown in Figure 1, the method includes:
  • Step 101: The network access device sends an access authentication request to the access authentication server, where the source IP address of the access authentication request includes the EI of the network access device.
  • The source IP address of the access authentication request is the IP address of the network access device.
  • The EI may be obtained by the network access device through an out-of-band mechanism before it accesses the network, and when the EI is assigned it may be bound to the identity information of the network access device and/or of its user. This embodiment does not limit this.
  • The IP address of the network access device usually includes a subnet prefix. Requesting access parameters such as the subnet prefix is a necessary step for the network access device to access the Internet; the network access device can obtain the subnet prefix from a router advertisement or through a Dynamic Host Configuration Protocol (DHCP) request.
  • Step 102: The network access device receives the authentication response message returned by the access authentication server. If the authentication response message indicates that authentication passed, the network access device may access the network; if it indicates that authentication failed, the network access device cannot access the network.
  • This embodiment authenticates the network access device and controls its access by using the EI, which uniquely identifies the network access device and is included in its IP address. Regardless of how the access environment and location change, the EI included in the IP address does not change, thereby avoiding the problem of existing authentication methods, in which the representation of the network access device's identity information changes and source auditing of the device is difficult.
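The address construction that Step 101 relies on, as an added Go example that is not part of the patent: the subnet prefix (assumed to have been learned from a router advertisement or DHCP, and constructed here as a literal) fills the high 64 bits of the source address and the EI fills the low 64 bits, and the server-side inverse reads the EI back out of any source address. The EI value, the prefixes and the function names are assumptions made for this example.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"net/netip"
)

// EI is the 64-bit entity identifier. It is assigned out of band and bound to the device's
// identity by the EI assigner; in this example it is a constructed constant.
type EI [8]byte

func (e EI) String() string { return hex.EncodeToString(e[:]) }

// AddrFromPrefixAndEI forms the device's IPv6 source address: the /64 subnet prefix obtained
// from a router advertisement or DHCP in the high 64 bits, the EI in the low 64 bits.
func AddrFromPrefixAndEI(prefix netip.Prefix, ei EI) (netip.Addr, error) {
	a := prefix.Addr()
	if !a.Is6() || a.Is4In6() || prefix.Bits() != 64 {
		return netip.Addr{}, errors.New("subnet prefix must be an IPv6 /64")
	}
	b := prefix.Masked().Addr().As16()
	copy(b[8:], ei[:])
	return netip.AddrFrom16(b), nil
}

// EIFromAddr is the server-side inverse: read the EI out of the low 64 bits of a source address.
func EIFromAddr(addr netip.Addr) (EI, error) {
	if !addr.Is6() || addr.Is4In6() {
		return EI{}, errors.New("not an IPv6 address")
	}
	b := addr.As16()
	var ei EI
	copy(ei[:], b[8:])
	return ei, nil
}

func main() {
	ei := EI{0x0a, 0x1b, 0x2c, 0x3d, 0x4e, 0x5f, 0x60, 0x71}
	// The device attaches at two locations and learns a different prefix at each (constructed prefixes).
	for _, p := range []string{"2001:db8:1::/64", "2001:db8:2::/64"} {
		addr, err := AddrFromPrefixAndEI(netip.MustParsePrefix(p), ei)
		if err != nil {
			panic(err)
		}
		got, _ := EIFromAddr(addr)
		fmt.Printf("prefix %s -> source %s -> EI %s\n", p, addr, got)
	}
}
```

Changing the prefix changes the address but not the EI extracted from it, which is the property the authentication server and access control device rely on. The page does not say how an EI coexists with SLAAC-generated or privacy interface identifiers on the same link; telling a registered EI from an arbitrary 64-bit value is the job of the EI assigner's binding query, which is not modelled here.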
  • The registration information in step 408 may include, in addition to the EI, any one or more of the access validity time, the access key, and the Media Access Control (MAC) address and port number of the network access device.
  • If the registration information in step 408 includes an access validity time, an access key, a MAC address or a port number, the access control record in step 410 and the authentication response message in step 412 also contain the access validity time, access key, MAC address or port number accordingly.
  • After receiving a data packet, the access control device determines whether the access control list includes an access control record for the EI in the packet's source IP address; if so, it processes the data packet according to the access control record, and if not, it discards the data packet.
  • Processing the data packet according to the access control record may include further verification of the data packet.
  • If the access control record includes an access key, the corresponding authentication response message also includes the access key, and the network access device signs each data packet with the access key before sending it.
  • After receiving the data packet, the access control device can verify the signature of the data packet using the access key in the access control record. If the signature verifies, the data packet is sent on; the signature may be removed first, or the signed data packet may be sent on as-is.
  • The access control device may verify the signature of the data packet using a keyed-hash message authentication code (HMAC).
  • If the access control record includes a MAC address or port number, the access control device may, after receiving the data packet, obtain the packet's source MAC address or port number and compare it with the MAC address or port number in the access control record. If the access control record includes an access validity time, the access control device may further determine, from the receiving time, the access validity time in the record and the generation time of the record, whether the access time of the network access device has expired; the data packet is discarded if it has expired and released if it has not.
  • The access key is generated by the access authentication server and shared by the network access device and the access control device, which improves the security of the communication data between them.
  • The access time of the network access device can be controlled through the access validity time: after the access validity time expires, the network access device needs to re-request access from the access authentication server.
  • The ways of re-requesting access include, but are not limited to, the following two:
  • The network access device may sign the access authentication request with the access key and send the signed request to the access authentication server.
  • Once the device is re-authenticated, its access authority can be updated.
  • The access authentication server can regenerate the access key and distribute it to the access control device and the network access device through the registration information of step 408 and the authentication response message of step 412, respectively.
  • The access authentication server may also cancel the access of the network access device.
  • The access authentication server may determine whether the network access device re-authenticates before the access validity time expires and, if it does not, send a rights expiration message including the EI to the access control device, to indicate that the access control device should deny the network access device access to the network. Correspondingly, the access control device receives the rights expiration message sent by the access authentication server, where the message includes the EI, and deletes the access control record containing the EI according to the rights expiration message.
  • This embodiment authenticates the network access device and controls its access by using the EI, which uniquely identifies the network access device and is included in its IP address. Regardless of how the access environment and location change, the EI included in the IP address does not change, thereby avoiding the problem of existing authentication methods, in which the representation of the network access device's identity information changes and source auditing of the device is difficult.
  • Moreover, the access control device can not only determine the identity of the network access entity but also associate each data packet with its sending source, which effectively prevents forgery of the data packet's source address.
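The access control device's per-packet processing described above (access control list lookup by EI, HMAC signature check, MAC and port comparison, validity-time check, and deletion of the record on a rights expiration message), as an added Go example that is not from the patent. The text says only that an HMAC is used; HMAC-SHA256 over the source address and payload, the record and packet field layouts, and the sample key, MAC address, port and payload are all assumptions constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net/netip"
	"time"
)

// EI is the 64-bit entity identifier carried in the low 64 bits of the IPv6 source address.
type EI [8]byte

// AccessControlRecord is what the access authentication server registers with the access control
// device: the optional access key, MAC address, port number and validity time bound to one EI.
type AccessControlRecord struct {
	AccessKey  []byte    // nil when packets are not signed
	MAC        string    // "" when there is no MAC binding
	Port       int       // 0 when there is no port binding
	ValidUntil time.Time // zero when there is no validity time
}

// Packet is the part of a received data packet the access control device examines.
type Packet struct {
	Src     netip.Addr
	SrcMAC  string
	Port    int
	Payload []byte
	Sig     []byte // present only when the device holds an access key
}

// SignPacket is the network access device side. HMAC-SHA256 over source address and payload
// is an assumption: the text only says an HMAC is used.
func SignPacket(accessKey []byte, src netip.Addr, payload []byte) []byte {
	m := hmac.New(sha256.New, accessKey)
	b := src.As16()
	m.Write(b[:])
	m.Write(payload)
	return m.Sum(nil)
}

// AccessControlDevice holds the access control list keyed by EI.
type AccessControlDevice struct {
	ACL map[EI]AccessControlRecord
}

// Process applies the checks described for the access control device. It returns the payload to
// forward (signature stripped) with "forwarded", or nil and the reason the packet was discarded.
func (d *AccessControlDevice) Process(p Packet, now time.Time) ([]byte, string) {
	if !p.Src.Is6() || p.Src.Is4In6() {
		return nil, "source is not an IPv6 address"
	}
	b := p.Src.As16()
	var ei EI
	copy(ei[:], b[8:])
	rec, found := d.ACL[ei]
	if !found {
		return nil, "no access control record for EI"
	}
	if rec.AccessKey != nil && !hmac.Equal(SignPacket(rec.AccessKey, p.Src, p.Payload), p.Sig) {
		return nil, "bad packet signature"
	}
	if rec.MAC != "" && rec.MAC != p.SrcMAC {
		return nil, "source MAC does not match record"
	}
	if rec.Port != 0 && rec.Port != p.Port {
		return nil, "port does not match record"
	}
	if !rec.ValidUntil.IsZero() && now.After(rec.ValidUntil) {
		return nil, "access validity time expired"
	}
	return p.Payload, "forwarded"
}

// Revoke handles the rights expiration message: delete the record for the EI.
func (d *AccessControlDevice) Revoke(ei EI) { delete(d.ACL, ei) }

func main() {
	ei := EI{0x0a, 0x1b, 0x2c, 0x3d, 0x4e, 0x5f, 0x60, 0x71}
	key := []byte("constructed access key")
	start := time.Date(2011, 12, 8, 12, 0, 0, 0, time.UTC)
	dev := &AccessControlDevice{ACL: map[EI]AccessControlRecord{
		ei: {AccessKey: key, MAC: "00:11:22:33:44:55", Port: 7, ValidUntil: start.Add(time.Hour)},
	}}
	src := netip.MustParseAddr("2001:db8:1:0:a1b:2c3d:4e5f:6071")
	payload := []byte("constructed payload")
	genuine := Packet{Src: src, SrcMAC: "00:11:22:33:44:55", Port: 7, Payload: payload, Sig: SignPacket(key, src, payload)}
	_, why := dev.Process(genuine, start)
	fmt.Println(why) // forwarded

	// Forged source: the attacker copies the victim's EI into its own address but has no access key.
	forged := genuine
	forged.Src = netip.MustParseAddr("2001:db8:9:0:a1b:2c3d:4e5f:6071")
	_, why = dev.Process(forged, start)
	fmt.Println(why) // bad packet signature
}
```

Covering the source address in the HMAC is what makes the forged packet in main fail: a sender that copies the victim's EI into its own address cannot sign for that address without the access key, which is the anti-forgery property claimed above. The page does not specify replay protection; a sequence number or timestamp inside the signed data would be the usual addition.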
  • Step 501: The network access device receives the access control information advertisement sent by the first-hop router.
  • The network access device here may be, for example, a host accessing the network.
  • The access control information advertisement contains the IP address of the access authentication server.
  • Step 502: The network access device sends an access authentication request to the access authentication server.
  • The access authentication request includes the EI and a signature over the request made with the private key of the network access device.
  • The access parameters here may include an access validity time, an access key, and the like.
  • Step 504: The access authentication server registers the network access device with the access control device, that is, it sends registration information for the network access device to the access control device, where the registration information includes the EI of the network access device and, optionally, the access parameters selected by the access authentication server.
  • The authentication response message here includes the EI and, optionally, the access validity time, the access key, and the like.
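The request, verify and register exchange of Steps 502 to 504 and the resulting authentication response, as an added Go example that is not the patent's own code. The page says the request is signed with the private key corresponding to the EI and that the EI assigner answers binding queries; Ed25519 as the signature scheme, a local map standing in for the binding query, a callback standing in for the access control device's registration response, the Issued timestamp and skew window (added so a captured request cannot be replayed later), and the all-zero key seed are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/netip"
	"time"
)

// EI is the 64-bit entity identifier carried in the low 64 bits of the IPv6 address.
type EI [8]byte

// AccessAuthRequest is the message of Step 502. The EI is not a separate field: the server reads it
// from the low 64 bits of Src. Issued is an assumption added for replay protection.
type AccessAuthRequest struct {
	Src    netip.Addr
	Issued time.Time
	Sig    []byte // signature over Src and Issued with the private key corresponding to the EI
}

func (r AccessAuthRequest) signedBytes() []byte {
	b := r.Src.As16()
	return append(b[:], []byte(r.Issued.UTC().Format(time.RFC3339))...)
}

// NewRequest is the network access device side: sign the request with the private key bound to its EI.
func NewRequest(src netip.Addr, issued time.Time, priv ed25519.PrivateKey) AccessAuthRequest {
	r := AccessAuthRequest{Src: src, Issued: issued}
	r.Sig = ed25519.Sign(priv, r.signedBytes())
	return r
}

// RegistrationInfo is sent to the access control device in Step 504 and echoed in the authentication response.
type RegistrationInfo struct {
	EI         EI
	AccessKey  []byte
	ValidUntil time.Time
}

// AuthServer is the access authentication server. Bindings stands in for the EI assigner's binding
// query (assumption: a local map from EI to the public key bound to it). Register stands in for the
// registration exchange with the access control device and returns its registration response.
type AuthServer struct {
	Bindings map[EI]ed25519.PublicKey
	Validity time.Duration
	MaxSkew  time.Duration
	Register func(RegistrationInfo) bool
}

var ErrAuthFailed = errors.New("authentication failed")

// Authenticate reads the EI from the request's source address, verifies the signature with the public
// key bound to that EI, and on success registers the device and returns the authentication response contents.
func (s *AuthServer) Authenticate(r AccessAuthRequest, now time.Time) (*RegistrationInfo, error) {
	if !r.Src.Is6() || r.Src.Is4In6() {
		return nil, ErrAuthFailed
	}
	b := r.Src.As16()
	var ei EI
	copy(ei[:], b[8:])
	pub, bound := s.Bindings[ei]
	if !bound {
		return nil, ErrAuthFailed // unknown EI: nothing to verify against
	}
	if d := now.Sub(r.Issued); d < -s.MaxSkew || d > s.MaxSkew {
		return nil, ErrAuthFailed // stale or future-dated request
	}
	if !ed25519.Verify(pub, r.signedBytes(), r.Sig) {
		return nil, ErrAuthFailed
	}
	key := make([]byte, 32) // fresh access key shared with the access control device
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	info := RegistrationInfo{EI: ei, AccessKey: key, ValidUntil: now.Add(s.Validity)}
	if !s.Register(info) {
		return nil, ErrAuthFailed // registration failed: the response carries no registration information
	}
	return &info, nil
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed all-zero seed; example only
	ei := EI{0x0a, 0x1b, 0x2c, 0x3d, 0x4e, 0x5f, 0x60, 0x71}
	srv := &AuthServer{
		Bindings: map[EI]ed25519.PublicKey{ei: priv.Public().(ed25519.PublicKey)},
		Validity: time.Hour, MaxSkew: time.Minute,
		Register: func(RegistrationInfo) bool { return true },
	}
	now := time.Date(2011, 12, 8, 12, 0, 0, 0, time.UTC)
	req := NewRequest(netip.MustParseAddr("2001:db8:1:0:a1b:2c3d:4e5f:6071"), now, priv)
	info, err := srv.Authenticate(req, now)
	fmt.Println(info != nil, err) // true <nil>
	req.Sig[0] ^= 0xff
	_, err = srv.Authenticate(req, now)
	fmt.Println(err) // authentication failed
}
```

The signature covers the source address, so a device that moves to a new prefix signs a new request for its new address, while a request captured from the victim cannot be reused from another address. Lookup by EI before signature verification is deliberate: a request with an unbound EI is rejected without any cryptographic work.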
  • This embodiment authenticates the network access device and controls its access by using the EI, which uniquely identifies the network access device and is included in its IP address. Regardless of how the access environment and location change, the EI included in the IP address does not change, thereby avoiding the problem of existing authentication methods, in which the representation of the network access device's identity information changes and source auditing of the device is difficult.
  • FIG. 6 is a schematic structural diagram of an embodiment of a network access device according to an embodiment of the present invention. As shown in Figure 6, the device includes:
  • the authentication requesting module 61 is configured to send an access authentication request to the access authentication server, where the source IP address of the access authentication request includes an EI of the network access device;
  • the first receiving module 62 is configured to receive an authentication response returned by the access authentication server.
  • the first sending module 64 is configured to send the signed data packet.
  • the device may further include:
  • the prefix obtaining module 65 is configured to obtain a subnet prefix from a router advertisement or through a DHCP request.
  • the address generating module 66 is configured to generate the source IP address according to the subnet prefix and the EI.
  • the specific implementation of this embodiment refers to the first, fourth or fifth embodiment of the access authentication method provided by the embodiment of the present invention.
  • This embodiment authenticates the network access device and controls its access by using the EI, which uniquely identifies the network access device and is included in its IP address. Regardless of how the access environment and location change, the EI included in the IP address does not change, thereby avoiding the problem of existing authentication methods, in which the representation of the network access device's identity information changes and source auditing of the device is difficult.
  • FIG. 7 is a schematic structural diagram of an embodiment of an access authentication server according to an embodiment of the present invention. As shown in Figure 7, the server includes:
  • the second receiving module 71 is configured to receive an access authentication request sent by the network access device, where the source IP address of the access authentication request includes an EI of the network access device;
  • the authentication module 72 is configured to authenticate the network access device according to the EI in the source IP address.
  • The registration module 73 is configured to generate registration information for the network access device after authentication passes, where the registration information includes the EI.
  • The second sending module 74 is configured to send the registration information to the access control device, to indicate that the access control device should allow the network access device to access the network.
  • The second receiving module 71 is further configured to receive the registration response message returned by the access control device.
  • The second sending module 74 is further configured to send an authentication response message to the network access device, where the authentication response message includes the registration information.
  • If the registration response message indicates that registration succeeded, the authentication response message indicates that authentication passed.
  • If the registration response message indicates that registration failed, the authentication response message sent by the second sending module 74 to the network access device indicates that authentication failed and, accordingly, does not include the registration information.
  • If the access authentication request includes a signature over the access authentication request made with the private key corresponding to the EI, the authentication module 72 is specifically configured to:
  • If the registration information further includes an access validity time, the server further includes:
  • The authority update module 75, configured to determine whether the network access device re-authenticates before the access validity time expires and, if it does not, to send a rights expiration message including the EI to the access control device, to indicate that the access control device should deny the network access device access to the network.
  • the specific implementation of this embodiment refers to the second, fourth or fifth embodiment of the access authentication method provided by the embodiment of the present invention.
  • This embodiment authenticates the network access device and controls its access by using the EI, which uniquely identifies the network access device and is included in its IP address. Regardless of how the access environment and location change, the EI included in the IP address does not change, thereby avoiding the problem of existing authentication methods, in which the representation of the network access device's identity information changes and source auditing of the device is difficult.
  • FIG. 8 is a schematic structural diagram of an embodiment of an access control device according to an embodiment of the present invention. As shown in Figure 8, the device includes:
  • The third receiving module 81 is configured to receive registration information sent by the access authentication server, where the registration information includes the EI of the network access device.
  • The third sending module 83 is configured to send a registration response message to the access authentication server.
  • The third receiving module 81 is further configured to receive a data packet sent by the network access device, where the source IP address of the data packet includes the EI; the device further includes:
  • The message processing module 84, configured to search the access control list for an access control record that includes the EI and, if one is found, process the data packet according to the access control record, and if not, discard the data packet.
  • The third receiving module 81 is further configured to receive a rights expiration message, sent by the access authentication server, that includes the EI.
  • The access control module 82 is further configured to delete, according to the rights expiration message, the access control record that includes the EI and the access validity time.
  • The third sending module 83 is further configured to send the access authentication request to the authentication server.
  • the specific implementation of this embodiment refers to the third, fourth or fifth embodiment of the access authentication method provided by the embodiment of the present invention.
  • This embodiment authenticates the network access device and controls its access by using the EI, which uniquely identifies the network access device and is included in its IP address. Regardless of how the access environment and location change, the EI included in the IP address does not change, thereby avoiding the problem of existing authentication methods, in which the representation of the network access device's identity information changes and source auditing of the device is difficult.
  • The specific implementation of the access authentication system embodiment refers to Embodiments 1 to 5 of the access authentication method provided by the embodiment of the present invention. The system likewise authenticates the network access device and controls its access by using the EI, which uniquely identifies the network access device and is included in its IP address; regardless of how the access environment and location change, the EI included in the IP address does not change, thereby avoiding the problem of existing authentication methods, in which the representation of the network access device's identity information changes and source auditing of the device is difficult.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present invention relate to an access authentication method, device, server and system. The method includes the following operations: a network access device sends an access authentication request to an access authentication server, where the source IP address of the access authentication request includes an EI of the network access device; and it receives an authentication response message returned by the access authentication server. According to the embodiment of the present invention, the EI, which uniquely identifies the identity of the network access device within the IP address of the network access device, is used for authentication and access control of the network access device. The EI in the IP address of the network access device remains unchanged regardless of how the access environment and location change, which avoids the problem that, in the existing authentication method, source auditing cannot be carried out when the representation of the identity information of the network access device changes.
PCT/CN2011/083703 2011-07-26 2011-12-08 Access authentication method, device, server and system WO2013013481A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110210884.X 2011-07-26
CN201110210884XA CN102255916A (zh) 2011-07-26 2011-07-26 Access authentication method, device, server and system

Publications (1)

Publication Number Publication Date
WO2013013481A1 true WO2013013481A1 (fr) 2013-01-31

Family

ID=44982912

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/083703 WO2013013481A1 (fr) 2011-07-26 2011-12-08 Access authentication method, device, server and system

Country Status (2)

Country Link
CN (1) CN102255916A (fr)
WO (1) WO2013013481A1 (fr)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102255916A (zh) * 2011-07-26 2011-11-23 中国科学院计算机网络信息中心 Access authentication method, device, server and system
CN103986769B (zh) * 2014-05-20 2015-01-21 东南大学 Service access control method for an identifier network
CN104378457A (zh) * 2014-11-26 2015-02-25 中国联合网络通信集团有限公司 Method, apparatus and system for allocating IP addresses
CN106330836B (zh) * 2015-07-01 2020-09-01 北京京东尚科信息技术有限公司 Method for server-side access control of clients
CN106936685A (zh) * 2015-12-30 2017-07-07 航天信息股份有限公司 Communication method and system based on real-time interaction
CN105610841B (zh) * 2015-12-31 2020-10-23 国网智能电网研究院 Traceability-based user information authentication method
CN107104872B (zh) 2016-02-23 2020-11-03 华为技术有限公司 Access control method, apparatus and system
CN109257343B (zh) * 2018-09-05 2020-11-10 沈阳理工大学 Composite-dimension reverse access authentication method based on matrix mapping
CN109525403B (zh) * 2018-12-29 2021-11-02 广州市溢信科技股份有限公司 Leakage-resistant public cloud auditing method supporting fully dynamic parallel user operations
CN110611890B (zh) * 2019-09-17 2021-07-06 Oppo广东移动通信有限公司 Notification message control method and related apparatus

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101119206A (zh) * 2007-09-13 2008-02-06 北京交通大学 Identifier-based unified access control method for terminals in an integrated network
CN102065423A (zh) * 2010-12-13 2011-05-18 中国联合网络通信集团有限公司 Node access authentication method, access authentication node, access node and communication system
CN102255916A (zh) * 2011-07-26 2011-11-23 中国科学院计算机网络信息中心 Access authentication method, device, server and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100591011C (zh) * 2006-08-31 2010-02-17 华为技术有限公司 Authentication method and system
CN101145907B (zh) * 2006-09-11 2010-05-12 华为技术有限公司 Method and system for user authentication based on DHCP


Also Published As

Publication number Publication date
CN102255916A (zh) 2011-11-23


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 11870073; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 11870073; Country of ref document: EP; Kind code of ref document: A1)