WO2014117600A1 - Dns-based method and system for user authentication and domain name access control - Google Patents


Info

Publication number: WO2014117600A1
Authority: WO (WIPO, PCT)
Prior art keywords: authentication, user, server, dns, resource record
Application number: PCT/CN2013/089836
Other languages: French (fr), Chinese (zh)
Inventor: 延志伟
Original assignee: 中国科学院计算机网络信息中心 (Computer Network Information Center, Chinese Academy of Sciences)
Priority date: 2013-01-31
Filing date: 2013-12-18
Publication date: 2014-08-07

Classifications

    • H: ELECTRICITY
        • H04: ELECTRIC COMMUNICATION TECHNIQUE
            • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00: Network architectures or network communication protocols for network security
                    • H04L 63/08: ... for authentication of entities
                • H04L 61/00: Network arrangements, protocols or services for addressing or naming
                    • H04L 61/45: Network directories; name-to-address mapping
                        • H04L 61/4505: ... using standardised directories; using standardised directory access protocols
                            • H04L 61/4511: ... using the domain name system [DNS]


Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed are a DNS-based method and system for user authentication and domain name access control. The method comprises: a service provider establishing an authentication server for a service provided by the service provider, and registering an IP address of the authentication server in a DNS server, and the DNS server establishing a CA resource record according to the IP address and an authentication protocol type; a user initiating a domain name query request to the DNS server, and the DNS server returning a CA resource record corresponding to the domain name to the user; the user accessing the authentication server and performing authentication according to the CA resource record; after the authentication succeeds, the authentication server returning, to the user, key information required by secure connection, and assigning an application server; and the user having access to an Internet resource by using the application server. In the present invention, a new resource record is introduced to the DNS system, the user is authenticated and the application server is assigned to the user, and the security and reliability of service providing are ensured by using separation of the service from the authentication.

Description

DNS-based user authentication and domain name access control method and system

Technical field

The invention belongs to the technical field of network technology and the domain name system, and in particular relates to a DNS-based user authentication and domain name access control method and a system using the method.

Background art

Internet entities are usually identified by domain names, and DNS is the key link between a domain name and the actual IP address. Through DNS, a user who enters an easy-to-remember domain name ultimately communicates over IP addresses.

To ensure the trustworthiness of the binding between an IP address and a domain name, the IETF introduced the DNSSEC series of standards. DNSSEC allows the operator of a domain to sign the DNS data directly through a specific mechanism; the key used is bound to the parent domain, and an intermediate entity can follow this chain to an acceptable final trust anchor. Building on DNSSEC, the IETF established the DANE working group to use DNSSEC for securely binding a user's domain name to its keys, so that users can securely authenticate services. However, this mechanism lacks server-side authentication of users and the ability to differentiate services according to different users.

Summary of the invention

The present invention provides a DNS-based user authentication and domain name access control method and system. By introducing a new resource record into the DNS system, the user is guided to authenticate before the service is established, and the access address of the corresponding server and the security key information are obtained according to the authentication result, thereby authenticating the accessing user and assigning a server according to the user.

To achieve the above object, the present invention adopts the following technical solutions:

A DNS-based user authentication and domain name access control method, the steps of which include:

1) The service provider establishes an authentication server for the service it provides and registers the IP address of the authentication server in the DNS server; the DNS server establishes a CA resource record according to that IP address and the authentication protocol type supported by the authentication server;

2) The user initiates a domain name query request to the DNS server, and the DNS server returns the CA resource record corresponding to the domain name to the user;

3) The user accesses the corresponding authentication server according to the IP address in the obtained CA resource record, and the authentication server authenticates the user using the protocol type specified by the CA resource record;

4) After successful authentication, the authentication server returns to the user the key information required for the secure connection and assigns an application server to the user;

5) The user initiates a secure connection through the application server and accesses Internet resources.

In the above method, the authentication protocol type may be RADIUS, Diameter or the like.

In the above method, the CA (Certificate Authority) resource record contains the IP address and the authentication protocol of the authentication server; preferably, its format is:

Domain-name TTL CA Protocol® IP

where Domain-name is the domain name, TTL is the lifetime (effective time to live) of the resource record, Protocol is the authentication protocol used, and IP is the address of the authentication server. The meaning of the record is: the service identified by Domain-name is securely authenticated by the authentication server at address IP, the authentication protocol used is Protocol, and the effective time to live of the record is TTL.
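As an added illustration (not code from the patent or its assignee), the following Python parses a CA resource record in the format given above into its four fields and validates each one: the TTL must be a non-negative integer within the range a DNS TTL field allows, Protocol must be one of the types the patent names (RADIUS, Diameter), and IP must be a syntactically valid IPv4 or IPv6 address. The page prints the separator between Protocol and IP as "®"; the parser assumes this renders a single separator glyph and accepts either "®" or "@", with or without surrounding spaces. The protocol set, the error class and the helper names are this example's own.

```python
"""Parser and validator for the CA resource record format described above:

    Domain-name TTL CA Protocol<sep>IP

Added example, not code from the patent.  The separator between Protocol and
IP is printed as '®' on the page; it is assumed to stand for a single separator
glyph, so both '®' and '@' are accepted here.
"""
import ipaddress
import re
from dataclasses import dataclass

# Authentication protocol types the patent names (claim 2).
KNOWN_PROTOCOLS = frozenset({"RADIUS", "Diameter"})

# Accepted Protocol/IP separators (assumption: '®' renders the intended '@').
_SEP_RE = re.compile("[®@]")

# Largest TTL a DNS resource record may carry (31-bit, RFC 2181 section 8).
MAX_TTL = 2**31 - 1


@dataclass(frozen=True)
class CARecord:
    name: str       # Domain-name the record belongs to, normalised to lower case
    ttl: int        # effective lifetime of the record, in seconds
    protocol: str   # authentication protocol the authentication server speaks
    ip: str         # authentication server address, normalised


class CARecordError(ValueError):
    """Raised when a line is not a well-formed CA resource record."""


def parse_ca_record(line: str) -> CARecord:
    """Parse one presentation-format line into a validated CARecord."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[2].upper() != "CA":
        raise CARecordError(f"not a CA resource record: {line!r}")
    name, ttl_text = tokens[0], tokens[1]

    # Rejoin everything after the type so 'Diameter® 1.1.1.1', 'Diameter @ 1.1.1.1'
    # and 'Diameter@1.1.1.1' all reduce to Protocol<sep>IP before splitting.
    rdata = "".join(tokens[3:])
    parts = _SEP_RE.split(rdata)
    if len(parts) != 2 or not all(parts):
        raise CARecordError(f"rdata must be Protocol<sep>IP, got {rdata!r}")
    protocol, ip_text = parts

    if not ttl_text.isdigit() or int(ttl_text) > MAX_TTL:
        raise CARecordError(f"TTL must be an integer in 0..{MAX_TTL}: {ttl_text!r}")
    if protocol not in KNOWN_PROTOCOLS:
        raise CARecordError(f"unsupported authentication protocol: {protocol!r}")
    try:
        ip = str(ipaddress.ip_address(ip_text))
    except ValueError as exc:
        raise CARecordError(f"invalid authentication server address: {ip_text!r}") from exc

    return CARecord(name=name.lower().rstrip("."), ttl=int(ttl_text), protocol=protocol, ip=ip)


def is_valid_ca_record(line: str) -> bool:
    """True if the line parses as a CA record, False if it is rejected for any reason."""
    try:
        parse_ca_record(line)
    except CARecordError:
        return False
    return True


def describe(record: CARecord) -> str:
    """Render the record's meaning the way the description above phrases it."""
    return (f"the service {record.name} is authenticated by the {record.protocol} "
            f"authentication server at {record.ip}; the record is valid for {record.ttl} s")


if __name__ == "__main__":
    # The record from the embodiment, exactly as the page prints it.
    print(describe(parse_ca_record("www.example.com 100 CA Diameter® 1.1.1.1")))
    print(is_valid_ca_record("www.example.com 100 CA Kerberos@1.1.1.1"))  # protocol not named in the patent
```

Rejecting unknown protocol names at parse time matters for the client: the record tells it which authentication protocol to speak to an address it has never seen before, so a record it cannot interpret should stop the flow rather than fall through to a guess.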
In the above method, the key information may be the key information used when accessing an https website, or the key information needed when establishing a secure connection such as SSL.

A DNS-based user authentication system implementing the above method comprises a DNS server and a client and is characterized in that it further comprises an authentication server; the DNS server stores the IP address of the authentication server and establishes a CA resource record according to that IP address and the authentication protocol type supported by the authentication server; the DNS server receives a user's domain name query request and returns the CA resource record corresponding to the domain name to the user; the authentication server authenticates the user using the protocol type specified by the CA resource record, returns the key information required for the secure connection to the user after successful authentication, and assigns an application server to the user.

By introducing a new resource record into the DNS system, the invention guides the user to authenticate before the service is established and obtains the access address of the corresponding server and the security key information according to the authentication result, thereby authenticating the accessing user and assigning a server according to the user. The invention supports authentication of users by the service provider; separating the service from the authentication ensures the security and reliability of service provision; and different users can be directed to different servers of the same service, providing differentiated service.

Brief description of the drawings

Figure 1 is a flow chart of the DNS-based user authentication and domain name access control method of an embodiment.

Figure 2 is a schematic diagram of the composition and workflow of the DNS-based user authentication system of an embodiment.

Detailed description

The present invention is described in detail below through specific embodiments and with reference to the accompanying drawings.

Figure 1 is a flow chart of DNS-based user authentication and establishment of a secure connection using this system. Figure 2 is a schematic diagram of the composition and workflow of the DNS-based user authentication system of this embodiment. The system includes a DNS server, a client, an application server and an authentication server.

The implementation process of this embodiment is described below with reference to Figures 1 and 2:

1) The service provider deploys and establishes an authentication server for the service it provides and registers the IP address of the authentication server in the DNS server; the DNS server establishes a CA resource record according to that IP address and the authentication protocol type.

A domain name can have multiple resource records in DNS: for example, the A record stores the IPv4 server address of the domain name, the AAAA record stores its IPv6 server address, and the TLSA record stores its public key information. The CA resource record of the present invention stores the authentication server information of the domain name.

2) A user to be authenticated wishes to initiate a secure connection to a domain name such as www.example.cn, first sends a query request to the DNS server, and queries the address information of the domain name via DNS.

3) The DNS server returns the CA resource record corresponding to the domain name, which contains the authentication server address and the type of security authentication protocol supported by the authentication server, such as RADIUS or Diameter. The authentication protocol is decided by the service provider that deploys the authentication server.

Specifically, if the DNS server finds that a CA resource record exists for the domain name, it responds to the client with that CA resource record; the CA resource record contained in the response message is:

www.example.com 100 CA Diameter® 1.1.1.1

From this CA resource record the client learns that the application server it wishes to access has been deployed together with an authentication server, that the authentication protocol used is Diameter, that the IP address of the authentication server is 1.1.1.1, and that the effective time to live of the record is 100 s.

The main factor considered when setting the time to live is the period for which this resource record remains valid. For example, if when deploying the authentication server the server address or authentication protocol type is expected to change every 100 s, the TTL should be set to 100 s.

4) To establish a secure connection, the user initiates an authentication process with the authentication server, using the protocol (Protocol) returned from DNS.

Specifically, the client initiates a Diameter authentication request to the authentication server at 1.1.1.1, carrying the domain name the client wishes to access. The authentication server and the client exchange Diameter signaling to authenticate the identity of the client.

This authentication process follows the standard procedures of the existing IETF protocols.

5) After successful authentication, the authentication server assigns the client an application server and the key information needed to establish a secure connection with that server.

The key information may be the key information used when accessing an https website, or the key information needed when establishing a secure connection such as SSL.

The authentication server assigns the user an appropriate application server IP, for example assigning different servers according to the user's identity so that content with different permissions is obtained; that is, different users can be directed to different servers of the same service, providing differentiated service.

In this example, application server 1 corresponding to www.example.com is the one that only VIP users may access, while application server 2 is the one accessed by ordinary users, as shown in Figure 2.

6) The client uses the key information to establish an SSL secure connection with application server 2 assigned by the authentication server, thereby initiating the secure connection process and accessing the content corresponding to the domain name.

The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it; those of ordinary skill in the art may modify the technical solution of the present invention or make equivalent substitutions without departing from the spirit and scope of the present invention, and the scope of protection of the present invention shall be defined by the claims.
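To make the six steps of the embodiment concrete, here is an added end-to-end simulation in Python of the flow described above; it is not code from the patent. The DNS server, authentication server and the two application servers are in-memory stand-ins, the user accounts, passwords, tiers and the 10.0.0.x application server addresses are constructed for the example, and the Diameter/RADIUS exchange is replaced by a password check. The client caches the CA record for its TTL (step 3), the authentication server hands back a per-session key together with an application server chosen by the user's tier (steps 4 and 5), and the application server admits the connection only when the client proves possession of that key against a server-chosen challenge (step 6).

```python
"""End-to-end simulation of the DNS-guided authentication flow (steps 1-6 above).
Added example, not code from the patent: every server is an in-memory stand-in,
the accounts, passwords, tiers and 10.0.0.x addresses are constructed, and the
Diameter/RADIUS exchange is replaced by a salted password check."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class CARecord:
    name: str       # domain name
    ttl: int        # cache lifetime in seconds (100 s in the embodiment)
    protocol: str   # RADIUS or Diameter
    ip: str         # authentication server address


def pw_hash(password: str) -> bytes:
    # Constructed: fixed salt for reproducibility; real deployments use per-user salts.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"example-salt", 10_000)


class DnsServer:
    """Step 1: the provider registers the CA record; step 3: DNS hands it out."""
    def __init__(self, zone: dict):
        self._zone = zone                     # name -> CARecord

    def query_ca(self, name: str):
        return self._zone.get(name.lower())


class AuthServer:
    """Steps 4-5: verify the user, then assign an application server and a key."""
    def __init__(self, ip: str, users: dict, servers_by_tier: dict, key_table: dict):
        self.ip = ip
        self._users = users                   # username -> (password hash, tier)
        self._servers = servers_by_tier       # tier -> application server address
        self._keys = key_table                # shared with the provider's app servers

    def authenticate(self, protocol: str, username: str, password: str):
        if protocol not in ("RADIUS", "Diameter"):
            return None                       # the record names a protocol we do not speak
        entry = self._users.get(username)
        if entry is None or not hmac.compare_digest(entry[0], pw_hash(password)):
            return None                       # unknown user or wrong password
        app_ip = self._servers[entry[1]]      # the user's tier decides which server is assigned
        key = secrets.token_bytes(32)         # fresh per-session key for the secure connection
        self._keys[(app_ip, username)] = key
        return app_ip, key


class AppServer:
    """Step 6: admit a client only if it holds the key the auth server issued for it."""
    def __init__(self, ip: str, key_table: dict):
        self.ip = ip
        self._keys = key_table

    def open_secure(self, username: str, prove) -> bool:
        key = self._keys.get((self.ip, username))
        if key is None:
            return False                      # never authenticated for this server
        challenge = secrets.token_bytes(16)   # server-chosen nonce, so a proof cannot be replayed
        expected = hmac.new(key, challenge, "sha256").digest()
        return hmac.compare_digest(expected, prove(challenge))


class Client:
    """Step 2: query DNS (honouring the TTL), then authenticate and connect."""
    def __init__(self, dns: DnsServer, auth_servers: dict, app_servers: dict):
        self._dns, self._auth, self._apps = dns, auth_servers, app_servers
        self._cache = {}                      # name -> (record, time fetched)

    def lookup(self, name: str, now: float):
        """Return (record, served_from_cache); refetch once the TTL has elapsed."""
        hit = self._cache.get(name)
        if hit and now - hit[1] < hit[0].ttl:
            return hit[0], True
        rec = self._dns.query_ca(name)
        if rec is not None:
            self._cache[name] = (rec, now)
        return rec, False

    def connect(self, domain: str, username: str, password: str, now: float = 0.0):
        """Run steps 2-6; return the application server address reached, or None."""
        rec, _ = self.lookup(domain, now)
        if rec is None or rec.ip not in self._auth:
            return None                       # no CA record, or its auth server is unknown
        result = self._auth[rec.ip].authenticate(rec.protocol, username, password)
        if result is None:
            return None                       # authentication failed
        app_ip, key = result
        proved = self._apps[app_ip].open_secure(
            username, lambda challenge: hmac.new(key, challenge, "sha256").digest())
        return app_ip if proved else None


def build_demo() -> Client:
    """Wire up the embodiment: auth server at 1.1.1.1, application server 1 for
    VIP users and application server 2 for ordinary users (addresses constructed)."""
    key_table = {}
    dns = DnsServer({"www.example.com": CARecord("www.example.com", 100, "Diameter", "1.1.1.1")})
    users = {"alice": (pw_hash("vip-pass"), "vip"), "bob": (pw_hash("user-pass"), "ordinary")}
    servers = {"vip": "10.0.0.1", "ordinary": "10.0.0.2"}
    auth = AuthServer("1.1.1.1", users, servers, key_table)
    apps = {ip: AppServer(ip, key_table) for ip in servers.values()}
    return Client(dns, {auth.ip: auth}, apps)


if __name__ == "__main__":
    print(build_demo().connect("www.example.com", "alice", "vip-pass"))  # 10.0.0.1
```

The separation the description claims as a security property is visible in the code: the application servers hold no user credentials and make no access decision of their own; they only check that the key presented was issued for this user and this server by the authentication server, so an ordinary user who authenticated for application server 2 cannot reuse that key at application server 1.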

Claims

1. A DNS-based user authentication and domain name access control method, the steps of which include:
1) the service provider establishes an authentication server for the service it provides and registers the IP address of the authentication server in a DNS server, and the DNS server establishes a CA resource record according to the IP address and the authentication protocol type supported by the authentication server;
2) the user initiates a domain name query request to the DNS server, and the DNS server returns the CA resource record corresponding to the domain name to the user;
3) the user accesses the corresponding authentication server according to the IP address in the obtained CA resource record, and the authentication server authenticates the user using the protocol type specified by the CA resource record;
4) after successful authentication, the authentication server returns to the user the key information required for the secure connection and assigns an application server to the user;
5) the user initiates a secure connection through the application server and accesses Internet resources.
2. The method according to claim 1, characterized in that the authentication protocol type is RADIUS or Diameter.
3. The method according to claim 1, characterized in that the format of the CA resource record is Domain-name TTL CA Protocol® IP, where Domain-name is the domain name, TTL is the time to live of the resource record, Protocol is the authentication protocol used, and IP is the address of the authentication server.
4. The method according to claim 3, characterized in that the time to live is 100 s.
5. The method according to claim 1, characterized in that the key information is the key information used when accessing an https website, or the key information needed when establishing a secure connection such as SSL.
6. The method according to claim 1, characterized in that the authentication server directs different users to different servers of the same service according to user identity.
7. A DNS-based user authentication system comprising a DNS server and a client, characterized in that it further comprises an authentication server; the DNS server stores the IP address of the authentication server and establishes a CA resource record according to that IP address and the authentication protocol type supported by the authentication server; the DNS server receives a user's domain name query request and returns the CA resource record corresponding to the domain name to the user; the authentication server authenticates the user using the protocol type specified by the CA resource record, returns the key information required for the secure connection to the user after successful authentication, and assigns an application server to the user.
8. The system according to claim 7, characterized in that the format of the CA resource record is Domain-name TTL CA Protocol® IP, where Domain-name is the domain name, TTL is the time to live of the resource record, Protocol is the authentication protocol used, and IP is the address of the authentication server.
9. The system according to claim 7, characterized in that the key information is the key information used when accessing an https website, or the key information needed when establishing a secure connection such as SSL.
10. The system according to claim 7, characterized in that the authentication server directs different users to different servers of the same service according to user identity.
PCT/CN2013/089836 2013-01-31 2013-12-18 Dns-based method and system for user authentication and domain name access control WO2014117600A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310039730.8A CN103078877B (en) 2013-01-31 2013-01-31 Based on the user authentication of DNS and domain name access control method and system
CN201310039730.8 2013-01-31

Publications (1)

Publication Number Publication Date
WO2014117600A1 (en) 2014-08-07

Family

ID=48155281

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/089836 WO2014117600A1 (en) 2013-01-31 2013-12-18 Dns-based method and system for user authentication and domain name access control

Country Status (2)

Country Link
CN (1) CN103078877B (en)
WO (1) WO2014117600A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103078877B (en) * 2013-01-31 2015-09-16 中国科学院计算机网络信息中心 DNS-based user authentication and domain name access control method and system
CN103763133B (en) * 2014-01-06 2017-02-22 上海聚力传媒技术有限公司 Method, equipment and system for realizing access control
CN104468859B (en) * 2014-11-27 2018-01-30 中国科学院计算机网络信息中心 Support the DANE expanding query method and systems of carrying address of service information
CN105991597A (en) * 2015-02-15 2016-10-05 中兴通讯股份有限公司 Authentication processing method and device
CN105681047B (en) * 2016-03-25 2019-01-04 中国互联网络信息中心 A kind of CA certificate signs and issues method and system
CN111049789B (en) * 2018-10-15 2023-05-12 北京京东尚科信息技术有限公司 Domain name access method and device
CN113765905B (en) * 2021-08-27 2023-04-18 深圳市风云实业有限公司 Data communication method based on trusted service agent

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030079125A1 (en) * 2001-09-28 2003-04-24 Hope Brian A. System and method for electronic certificate revocation
CN1505345A (en) * 2002-12-02 2004-06-16 深圳市中兴通讯股份有限公司上海第二 A method for accessing user forced access identification server
CN101242426A (en) * 2007-02-06 2008-08-13 华为技术有限公司 Method, system and device for establishing secure connection at transmission layer
WO2010033126A1 (en) * 2008-09-22 2010-03-25 Nokia Corporation Certificate based dns name space control
CN103078877A (en) * 2013-01-31 2013-05-01 中国科学院计算机网络信息中心 User authentication and domain name access control method and system based on DNS (domain name system)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1265579C (en) * 2002-09-23 2006-07-19 华为技术有限公司 Method for network access user authentication
CN101217575B (en) * 2008-01-18 2010-07-28 杭州华三通信技术有限公司 An IP address allocation and device in user end certification process
US8484289B2 (en) * 2009-12-11 2013-07-09 At&T Intellectual Property I, L.P. Network based audience measurement
JP5437785B2 (en) * 2009-12-21 2014-03-12 富士通株式会社 Authentication method, conversion device, relay device, and program
CN101924801B (en) * 2010-05-21 2013-04-24 中国科学院计算机网络信息中心 IP (Internet Protocol) address management method and system as well as DHCP (Dynamic Host Configuration Protocol) server
CN102111406B (en) * 2010-12-20 2014-02-05 杭州华三通信技术有限公司 Authentication method, system and DHCP proxy server

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9380053B1 (en) * 2015-07-01 2016-06-28 International Business Machines Corporation Using resource records for digital certificate validation
US9641516B2 (en) 2015-07-01 2017-05-02 International Business Machines Corporation Using resource records for digital certificate validation
CN114401143A (en) * 2022-01-19 2022-04-26 欧瑞科斯科技产业(集团)有限公司 Certificate strengthening authentication system and method based on DNS (Domain name System)
CN116980233A (en) * 2023-09-21 2023-10-31 宝略科技(浙江)有限公司 Authorization verification method, system and medium for discrete data high-frequency access
CN116980233B (en) * 2023-09-21 2024-01-30 宝略科技(浙江)有限公司 Authorization verification method and system for discrete data during high-frequency access

Also Published As

Publication number Publication date
CN103078877A (en) 2013-05-01
CN103078877B (en) 2015-09-16

Similar Documents

Publication Publication Date Title
WO2014117600A1 (en) Dns-based method and system for user authentication and domain name access control
US10666608B2 (en) Transparent proxy authentication via DNS processing
JP5325974B2 (en) Gateway device, authentication server, control method thereof, and computer program
US20120254386A1 (en) Transfer of DNSSEC Domains
JP5480265B2 (en) Secure resource name resolution
JP4730118B2 (en) Domain name system
WO2017036003A1 (en) Trusted network identity management and authentication system and method
EP3291514A1 (en) Integrated dns service provider services using certificate-based authentication
WO2008116416A1 (en) Method, device and system for domain name system to update dynamically
WO2007068167A1 (en) A method and network device for configuring the domain name in ipv6 access network
US9973590B2 (en) User identity differentiated DNS resolution
WO2006068108A1 (en) GATEWAY, NETWORK CONFIGURATION, AND METHOD FOR CONTROLLING ACCESS TO Web SERVER
WO2013040957A1 (en) Single sign-on method and system, and information processing method and system
WO2013013479A1 (en) Entity identifier allocation system, tracing and authentication method and server
US20180062856A1 (en) Integrated dns service provider services using certificate-based authentication
JP2007310781A (en) Fake website prevention method and intermediate node
US20120106399A1 (en) Identity management system
WO2016202397A1 (en) Dns based pki system
CN115580498B (en) Cross-network communication method in converged network and converged network system
WO2011131002A1 (en) Method and system for identity management
CN114006724B (en) Method and system for discovering and authenticating encryption DNS resolver
WO2007095806A1 (en) A general authentication system and a method for accessing the network application facility of the system
JP2002183009A (en) Device and method for providing communication service by individual identifier through internet
TWI255629B (en) Method for allocating certified network configuration parameters
Rafiee et al. Challenges and Solutions for DNS Security in IPv6

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13873389

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13873389

Country of ref document: EP

Kind code of ref document: A1