WO2014117600A1 - DNS-based method and system for user authentication and domain name access control - Google Patents


Info

Publication number
WO2014117600A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
user
server
dns
resource record
Application number
PCT/CN2013/089836
Other languages
English (en)
Chinese (zh)
Inventor
延志伟
Original Assignee
中国科学院计算机网络信息中心
Application filed by 中国科学院计算机网络信息中心
Publication of WO2014117600A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Definitions

  • Technical field: the invention belongs to the field of network technology and the domain name system, and in particular relates to a DNS-based user authentication and domain name access control method and a system using it.
  • Background technique: DNS is the key link between a domain name and the actual IP address. By entering a friendly domain name, a user ultimately communicates over an IP address.
  • DNSSEC lets a domain operator sign its DNS data directly through a specific mechanism. The key used is bound between the parent domain and the child domain, so an intermediate entity can follow this chain to an acceptable final trust anchor.
  • The IETF established the DANE working group to use DNSSEC to bind a domain name securely to its keys, so that users can authenticate services securely.
  • This mechanism lacks server-side authentication of users and the ability to differentiate the service according to the user.
  • Summary of the invention: the present invention provides a DNS-based user authentication and domain name access control method and system.
  • The user is guided to perform authentication before the service is established, and the access address of the corresponding server and the security key information are obtained according to the authentication result; this authenticates the accessing user and assigns a server according to the user.
  • The present invention adopts the following technical solution: a DNS-based user authentication and domain name access control method whose steps are:
  • 1) The service provider establishes an authentication server for the service it provides and registers the IP address of the authentication server in the DNS server; the DNS server establishes the CA resource record according to that IP address and the type of authentication protocol supported by the authentication server.
  • 2) The user sends a domain name query to the DNS server, and the DNS server returns the CA resource record corresponding to the domain name.
  • 3) The user accesses the authentication server at the IP address obtained from the CA resource record, and the authentication server authenticates the user using the protocol type specified in the CA resource record.
  • 4) After successful authentication, the authentication server returns the key information required for the secure connection to the user and assigns an application server to the user.
  • 5) The user initiates a secure connection through the application server and accesses Internet resources.
  • The authentication protocol type may be RADIUS, Diameter, or the like.
  • The CA (Certificate Authority) resource record includes the IP address and the authentication protocol of the authentication server; preferably its format is Domain-name TTL CA Protocol IP (the form used by the example record in the detailed description), where:
  • Domain-name is the domain name;
  • TTL is the lifetime value (effective lifetime) of the resource record;
  • Protocol is the authentication protocol used;
  • IP is the address of the authentication server.
  • The meaning of the record is: the service identified by Domain-name is authenticated by the authentication server at address IP, the authentication protocol used is Protocol, and the record is valid for TTL.
  • The key information may be the key information used when accessing an HTTPS website, or the key information used when establishing a secure connection such as SSL.
  • A DNS-based user authentication system for implementing the above method comprises a DNS server, a client and, in addition, an authentication server. The DNS server stores the IP address of the authentication server and establishes a CA resource record from that IP address and the authentication protocol type the authentication server supports; it receives the user's domain name query and returns the CA resource record corresponding to the domain name to the user. The authentication server authenticates the user with the protocol type specified in the CA resource record and, after successful authentication, returns the key information required for a secure connection to the user and assigns an application server to the user.
  • The invention introduces a new resource record into the DNS system, guides the user to authenticate before the service is established, and obtains the access address and security key information of the corresponding server according to the authentication result, thereby authenticating the accessing user and assigning a server according to the user.
  • The invention supports authentication of the user by the service provider; separating the service from the authentication ensures the security and reliability of service provision, and different users can be directed to different servers of the same service, giving a differentiated service.
  • FIG. 1 is a flow chart of the DNS-based user authentication and domain name access control method of an embodiment, that is, of DNS-based user authentication and secure connection set-up using the system; FIG. 2 is a schematic diagram of the composition and workflow of the DNS-based user authentication system of the embodiment.
  • Detailed description: the system includes a DNS server, a client, an application server, and an authentication server.
  • The service provider deploys an authentication server for the service it provides and registers the IP address of the authentication server in the DNS server; the DNS server establishes a CA resource record from that IP address and the type of authentication protocol.
  • A domain name can have multiple resource records in the DNS: the A record holds the IPv4 address of the domain name's server, the AAAA record holds its IPv6 address, the TLSA record holds the domain name's public key information, and so on. The CA record introduced here holds the domain name's authentication server information.
  • When a user who is to be authenticated wants to initiate a secure connection to a domain name such as www.example.cn, the client first sends a query to the DNS server for the domain name's address information.
  • The DNS server returns the CA resource record corresponding to the domain name, which contains the authentication server's address and the type of security authentication protocol the authentication server supports, such as RADIUS or Diameter.
  • The authentication protocol is determined by the service provider that deploys the authentication server.
  • When the DNS server finds that the domain name has a CA resource record, it returns that record to the client. In this example the CA resource record carried in the response message is: www.example.com 100 CA Diameter 1.1.1.1
  • From this record the client learns that the application server it wants to reach has an authentication server deployed for it, that the authentication protocol is Diameter, that the authentication server's IP address is 1.1.1.1, and that the record is valid for 100 s.
  • The TTL is set according to how long the record remains valid. For example, if the authentication server's address or authentication protocol type is changed every 100 s, the TTL should be set to 100 s.
  • To establish the secure connection, the user initiates an authentication exchange with the authentication server, using the protocol returned by the DNS.
  • The client sends a Diameter authentication request to the authentication server at 1.1.1.1, carrying the domain name the client wants to access.
  • The authentication server and the client exchange Diameter signalling to authenticate the client's identity.
  • After successful authentication, the authentication server assigns the client an application server and the key information needed to establish a secure connection with that server.
  • The key information may be the key information used when accessing an HTTPS website, or the key information used when establishing a secure connection such as SSL.
  • The authentication server assigns the user an appropriate application server IP, for example different servers according to the user's identity, so that different users obtain content with different rights; that is, different users can be directed to different servers of the same service to differentiate the service.
  • For www.example.com, application server 1 is the server reachable by VIP users and application server 2 is the server reachable by ordinary users, as shown in FIG. 2.
  • The client then uses the key information to establish an SSL secure connection with the application server assigned by the authentication server (application server 2 for an ordinary user), thereby completing the secure connection set-up and accessing the content corresponding to the domain name.
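The record format and the five-step flow described above, as an added example that is not code from the patent or its applicant: a Python simulation that parses a CA record in the presentation form the description uses (www.example.com 100 CA Diameter 1.1.1.1), answers the client's query from a zone, and runs a toy authentication server that verifies a password and assigns the VIP or the ordinary application server. The zone contents, the user table and credentials, the application server addresses 10.0.0.1 and 10.0.0.2, and the direct function call that stands in for Diameter signalling are all assumptions made for this example.

```python
"""Added example (not the patent's code): simulation of the DNS-based user
authentication and server-assignment flow. Assumed here: a CA record written as
'owner TTL CA Protocol IP', a zone held in a dict, a toy authentication server
with a static user table, and a function call in place of Diameter signalling."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional

SUPPORTED_PROTOCOLS = {"RADIUS", "Diameter"}  # the protocol types the page names


@dataclass(frozen=True)
class CARecord:
    owner: str
    ttl: int          # seconds the client may cache this record
    protocol: str     # authentication protocol the authentication server speaks
    auth_server: str  # IP address of the authentication server


def parse_ca_record(line: str) -> CARecord:
    """Parse the presentation form used on the page: 'www.example.com 100 CA Diameter 1.1.1.1'."""
    fields = line.split()
    if len(fields) != 5 or fields[2].upper() != "CA":
        raise ValueError(f"not a CA record: {line!r}")
    owner, ttl, _, protocol, ip = fields
    if protocol not in SUPPORTED_PROTOCOLS:
        raise ValueError(f"unsupported authentication protocol: {protocol!r}")
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    ttl_value = int(ttl)
    if ttl_value < 0:
        raise ValueError("TTL must be non-negative")
    return CARecord(owner.rstrip(".").lower(), ttl_value, protocol, ip)


# Constructed sample zone; the record text follows the page's own example.
ZONE = {
    "www.example.com": ["www.example.com 100 CA Diameter 1.1.1.1"],
}


def lookup_ca(zone: dict, name: str) -> Optional[CARecord]:
    """Step 2: the DNS server returns the CA record for the name, or None if it has none."""
    lines = zone.get(name.rstrip(".").lower(), [])
    return parse_ca_record(lines[0]) if lines else None


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    """Toy authentication server: verifies the user, then assigns an application
    server by user tier (VIP or ordinary) and hands back per-session key material."""
    APP_SERVERS = {"vip": "10.0.0.1", "ordinary": "10.0.0.2"}  # assumed addresses

    def __init__(self, protocols):
        self.protocols = set(protocols)
        self._users = {}  # user -> (salt, password hash, tier)

    def add_user(self, user: str, password: str, tier: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _pw_hash(password, salt), tier)

    def authenticate(self, protocol: str, user: str, password: str, domain: str):
        """Steps 3 and 4: authenticate; on success return the assigned server and key."""
        if protocol not in self.protocols or user not in self._users:
            return None
        salt, expected, tier = self._users[user]
        if not hmac.compare_digest(_pw_hash(password, salt), expected):
            return None
        return {
            "domain": domain,
            "app_server": self.APP_SERVERS[tier],
            "session_key": secrets.token_hex(32),  # stands in for the TLS key material
        }


def client_connect(zone: dict, auth_servers: dict, name: str, user: str, password: str):
    """Steps 1 to 5 from the client's side; returns the auth server's answer or None."""
    rr = lookup_ca(zone, name)
    if rr is None:
        return None  # no CA record: the page's flow does not apply to this name
    server = auth_servers.get(rr.auth_server)
    if server is None:
        return None
    return server.authenticate(rr.protocol, user, password, name)


def demo() -> dict:
    """Constructed users: a VIP user, an ordinary user, and a failed login."""
    srv = AuthServer(protocols={"Diameter"})
    srv.add_user("alice", "vip-pass", "vip")
    srv.add_user("bob", "ordinary-pass", "ordinary")
    servers = {"1.1.1.1": srv}  # the authentication server address from the page
    return {
        "alice": client_connect(ZONE, servers, "www.example.com", "alice", "vip-pass"),
        "bob": client_connect(ZONE, servers, "www.example.com", "bob", "ordinary-pass"),
        "bad": client_connect(ZONE, servers, "www.example.com", "bob", "wrong"),
    }


if __name__ == "__main__":
    for who, result in demo().items():
        print(who, result)
```

Running the block prints the three outcomes: the VIP user is sent to 10.0.0.1, the ordinary user to 10.0.0.2, and the wrong password gets no server and no key. One check the description leaves implicit: the CA record redirects the client to an authentication endpoint, so, like the TLSA records the page mentions alongside it, it has to be served under DNSSEC and validated by the client; an unsigned answer lets anyone who can spoof the DNS response substitute their own authentication server.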

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a DNS-based method and system for user authentication and domain name access control. The method comprises the following steps: a service provider establishes an authentication server for a service it provides and registers an IP address of the authentication server in a DNS server, and the DNS server establishes a CA (client address) resource record according to the IP address and an authentication protocol type; a user sends a domain name query to the DNS server, and the DNS server returns to the user the CA resource record corresponding to the domain name; the user accesses the authentication server and performs authentication according to the CA resource record; after successful authentication, the authentication server returns to the user the key information required for a secure connection and assigns an application server to the user; and the user accesses an Internet resource via the application server. According to the present invention, a new resource record is introduced into the DNS system, the user is authenticated and an application server is assigned to the user, and the security and reliability of service provision are ensured because the service is separated from the authentication.
PCT/CN2013/089836 2013-01-31 2013-12-18 DNS-based method and system for user authentication and domain name access control WO2014117600A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310039730.8 2013-01-31
CN201310039730.8A CN103078877B (zh) 2013-01-31 2013-01-31 DNS-based user authentication and domain name access control method and system

Publications (1)

Publication Number Publication Date
WO2014117600A1 (fr) 2014-08-07

Family

ID=48155281

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/089836 WO2014117600A1 (fr) 2013-01-31 2013-12-18 DNS-based method and system for user authentication and domain name access control

Country Status (2)

Country Link
CN (1) CN103078877B (fr)
WO (1) WO2014117600A1 (fr)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103078877B (zh) * 2013-01-31 2015-09-16 中国科学院计算机网络信息中心 DNS-based user authentication and domain name access control method and system
CN103763133B (zh) * 2014-01-06 2017-02-22 上海聚力传媒技术有限公司 Method, device and system for implementing access control
CN104468859B (zh) * 2014-11-27 2018-01-30 中国科学院计算机网络信息中心 DANE extended query method and system supporting the carrying of service address information
CN105991597A (zh) * 2015-02-15 2016-10-05 中兴通讯股份有限公司 Authentication processing method and apparatus
CN105681047B (zh) * 2016-03-25 2019-01-04 中国互联网络信息中心 CA certificate issuing method and system
CN111049789B (zh) * 2018-10-15 2023-05-12 北京京东尚科信息技术有限公司 Domain name access method and apparatus
CN113765905B (zh) * 2021-08-27 2023-04-18 深圳市风云实业有限公司 Data communication method based on a trusted service proxy

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030079125A1 (en) * 2001-09-28 2003-04-24 Hope Brian A. System and method for electronic certificate revocation
CN1505345A (zh) * 2002-12-02 2004-06-16 深圳市中兴通讯股份有限公司上海第二 Method for forcing an access user to access an authentication server
CN101242426A (zh) * 2007-02-06 2008-08-13 华为技术有限公司 Method, system and apparatus for establishing a transport layer security connection
WO2010033126A1 (fr) * 2008-09-22 2010-03-25 Nokia Corporation Certificate-based DNS namespace control
CN103078877A (zh) * 2013-01-31 2013-05-01 中国科学院计算机网络信息中心 DNS-based user authentication and domain name access control method and system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1265579C (zh) * 2002-09-23 2006-07-19 华为技术有限公司 Method for authenticating network access users
CN101217575B (zh) * 2008-01-18 2010-07-28 杭州华三通信技术有限公司 Method and apparatus for allocating an IP address during user terminal authentication
US8484289B2 (en) * 2009-12-11 2013-07-09 At&T Intellectual Property I, L.P. Network based audience measurement
JP5437785B2 (ja) * 2009-12-21 2014-03-12 富士通株式会社 Authentication method, conversion device, relay device, and program
CN101924801B (zh) * 2010-05-21 2013-04-24 中国科学院计算机网络信息中心 IP address management method and system, and dynamic host configuration protocol server
CN102111406B (zh) * 2010-12-20 2014-02-05 杭州华三通信技术有限公司 Authentication method, system and DHCP proxy server

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9380053B1 (en) * 2015-07-01 2016-06-28 International Business Machines Corporation Using resource records for digital certificate validation
US9641516B2 (en) 2015-07-01 2017-05-02 International Business Machines Corporation Using resource records for digital certificate validation
CN114401143A (zh) * 2022-01-19 2022-04-26 欧瑞科斯科技产业(集团)有限公司 DNS-based certificate-strengthened authentication system and authentication method
CN116980233A (zh) * 2023-09-21 2023-10-31 宝略科技(浙江)有限公司 Authorization verification method, system and medium for high-frequency access to discrete data
CN116980233B (zh) * 2023-09-21 2024-01-30 宝略科技(浙江)有限公司 Authorization verification method and system for high-frequency access to discrete data

Also Published As

Publication number Publication date
CN103078877B (zh) 2015-09-16
CN103078877A (zh) 2013-05-01

Similar Documents

Publication Publication Date Title
WO2014117600A1 (fr) DNS-based method and system for user authentication and domain name access control
US10666608B2 (en) Transparent proxy authentication via DNS processing
JP5325974B2 (ja) Gateway device, authentication server, control method therefor, and computer program
US20120254386A1 (en) Transfer of DNSSEC Domains
JP5480265B2 (ja) Secure resource name resolution
US9813337B2 (en) Secure resource name resolution using a cache
JP4730118B2 (ja) Domain name system
WO2017036003A1 (fr) Trusted network identity management and authentication system and method
EP3291514A1 (fr) Integrated DNS service provider services using certificate-based authentication
WO2008116416A1 (fr) Method, device and system for dynamically updating a domain name system
WO2007068167A1 (fr) Method and network device for configuring the domain name in an IPv6 access network
US9973590B2 (en) User identity differentiated DNS resolution
WO2006068108A1 (fr) Portal, network configuration and method for controlling access to an Internet server
WO2013040957A1 (fr) Single sign-on method and system, and information processing method and system
WO2013056619A1 (fr) Method, IdP, SP and system for identity federation
WO2013013479A1 (fr) Entity identifier allocation system, tracing and authentication method, and server
US20180062856A1 (en) Integrated dns service provider services using certificate-based authentication
US20120106399A1 (en) Identity management system
WO2016202397A1 (fr) DNS-based PKI system
CN115580498B (zh) Cross-network communication method in a converged network, and converged network system
WO2011131002A1 (fr) Method and system for identity management
CN114006724B (zh) Method and system for encrypted DNS resolver discovery and authentication
WO2007095806A1 (fr) General authentication system and method for accessing the network application function of the system
JP2002183009A (ja) Apparatus and method for providing a communication service by personal identifier over the Internet
TWI255629B (en) Method for allocating certified network configuration parameters

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (ref document number: 13873389; country of ref document: EP; kind code of ref document: A1)
NENP Non-entry into the national phase (ref country code: DE)
122 Ep: PCT application non-entry in European phase (ref document number: 13873389; country of ref document: EP; kind code of ref document: A1)