WO2015174823A1 - System and method for accessing a network - Google Patents
- Publication number
- WO2015174823A1 (PCT/MY2015/050028)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- user
- network
- server
- access
- information
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5007—Internet protocol [IP] addresses
- H04L61/5014—Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Abstract
The present invention discloses a system (1) and method (2) for accessing a network that is capable of controlling and securing user access into the network. The system (1) and method (2) discloses that the user (11) provides secured information to the server (12) in a message in order for the server (12) to identify and decrypt the secured information based on the access information and thereafter provides access into the network to the user (11) when the secured information is decrypted.
Description
SYSTEM AND METHOD FOR ACCESSING A NETWORK
TECHNICAL FIELD OF THE INVENTION
The invention relates to network communications and in particular providing a system and method for accessing a network.
BACKGROUND OF THE INVENTION
The Dynamic Host Client Protocol (DHCP) is used to automatically assign network configuration parameters such as Internet Protocol (IP) addresses to devices for connecting to a network. In a conventional DHCP system, once a device is plugged into a local network, the Media Access Control (MAC) address of the device is sent over the network within the DHCP protocol. However, sending the MAC address within the DHCP protocol is not a spoof-proof method: one can easily change the MAC address and gain access to the local network. This breach of security therefore poses a threat to high-security organizations, as any user can sneak into the server with a spoofed MAC address and gain access to the network.
The current DHCP systems are not equipped to handle authentication, especially when the first message is sent to the server by an uninitialized device. Hence, unauthorized personnel inside or outside the network can easily abuse the network. Virus creation kits, hostile software, logic bombs and remote access tools are examples of the compromises that network security faces, and these are seldom detected by antivirus software.
In view of the abovementioned security threats, several methods have been developed to provide secured network access, including firewalls, which have been an integral part of network protection. US patent application number 20010047484 A1 discloses a system which integrates Kerberos Security with a dynamic address assignment scheme, i.e. DHCP. The method discloses an uninitialized client obtaining credentials from a server, which are then used to provide an authenticated exchange for network configuration parameter assignment. However, the method can only be used in systems that integrate Kerberos Security. US patent number 7,983,418 B2 discloses a method to provide improved support of DHCP service for a DHCP client. The method disclosed provides a robust solution for authentication as well as authorization for DHCP services. This method is performed by implementing an Authentication, Authorization and Accounting (AAA) infrastructure to assign the appropriate DHCP server to a DHCP user. This method only identifies the user, and without further identification the DHCP protocol can be susceptible to a spoofed user identification entering the network.
A research paper entitled "The Secure DHCP System With User Authentication" addresses the security threat mentioned above by introducing user authentication and a session between the sending of messages from a DHCP server and DHCP client. This method prevents unauthenticated users from obtaining an IP address from the DHCP server. However, no part of the paper discloses the use of a session to authenticate both the user identity and the device identity.
In terms of security protection, the existing methods have their limitations. Therefore, it is an aim of this present invention to provide a system and method that is capable of securing and controlling network access.
SUMMARY OF THE PRESENT INVENTION
The present invention relates to a system and method for accessing a network. The system comprises at least a user that requires access into a network, at least a server that allows the user to access the network based on access information of the server and a secured information provided by the user, and at least a storage database for receiving and storing the access information and the secured information, characterized in that the user provides the secured information to the server in a message in order for the server to identify and decrypt the secured information based on the access information and provides access into the network to the user when the secured information is decrypted. The method for accessing a network comprises the steps of sending a message to a server by a user to request access into a network, determining whether there is a secured information in the message provided by the user, obtaining access information from the storage database when the server determines that the secured information is in the message, decrypting the secured information using the access information obtained from the storage database, and providing access into the network to the user when the secured information is decrypted by the server.
It is an object of the present invention to provide a system and method for accessing a network that is capable of controlling user access into the network.
It is another object of the present invention to provide a system and method for accessing a network that is capable of securing user access into the network. It is further an object of the present invention to provide a system and method that decrypts secured information provided by a user based on the access information of the server prior to the provision of access to the user into the network. It is still further an object of the present invention to provide a system and method that decrypts secured information comprising user identification and device identification prior to the provision of access to the user into the network.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 illustrates the system for accessing a network, as described in the present invention.
Figure 2 illustrates the flow diagram of the method for accessing a network, as described in the present invention.
DETAILED DESCRIPTION OF THE PRESENT INVENTION
The above mentioned and other features and objects of this invention will become more apparent and better understood by reference to the following detailed description. It should be understood that the detailed description made known below is not intended to be exhaustive or limit the invention to the precise form disclosed as the invention may assume various alternative forms. On the contrary, the detailed description covers all the relevant modifications and alterations made to the present invention, unless the claims expressly state otherwise.
The present invention discloses a system (1) and method (2) for accessing a network. The system (1), as illustrated in Figure 1, comprises at least a user (11) that requires access into a network, at least a server (12) that allows the user (11) to access the network based on access information of the server (12) and a secured information provided by the user (11), and at least a storage database (13) for receiving and storing the access information and the secured information, characterized in that the user (11) provides the secured information to the server (12) in a message in order for the server (12) to identify and decrypt the secured information based on the access information and provides access into the network to the user (11) when the secured information is decrypted. One embodiment of the present invention discloses that the user (11) is a Dynamic Host Client Protocol (DHCP) client user, where the user (11) may be a device that has a custom DHCP client installed within it. In order to access the network, the user (11) first sends a message to the server (12). The server (12) mentioned herein is a Dynamic Host Client Protocol (DHCP) server. The message that the user (11) sends to the server (12) is a Dynamic Host Client Protocol (DHCP) message, and it contains the secured information. The secured information is a configuration parameter obtained from the user (11) and the user's device, where the configuration parameter comprises one or a combination of user identification and device identification. The user identification is obtained by prompting the user (11) for the insertion of a key configuration, or in other words, a password. The device identification is one or a combination of the serial number or international mobile subscriber identity (IMSI) of the device. The serial number may also be a hard disk serial number.
Thereafter, the custom DHCP client in the user's (11) device calculates a value by encrypting the device identification with a key generated by a hash message algorithm of the user identification. The value is a 64-byte message embedded within a DHCP vendor extension message field with a code of 231, which forms the secured information.
Upon receiving the DHCP message from the user (11), the server (12) first determines whether the message contains the secured information. If so, the server (12) extracts the Media Access Control (MAC) address of the device and uses the address as a key to locate the access information. The access information is used as a decryption key to decrypt the secured information provided by the user (11). Upon decrypting the secured information, the server (12) parses the decrypted secured information and conducts a check in the storage database (13) to determine whether the decrypted secured information matches the access information. If so, the server (12) will respond to the user (11) by providing access into the network to the user (11).
The method (2), as illustrated in Figure 2, for accessing a network comprises a first step in which the user (11) sends a message to the server (12) to request access into a network (21). Prior to the sending of the message, the custom DHCP client in the user's device calculates a value by encrypting the device identification with a key generated by a hash message algorithm of the user identification. The value is a 64-byte message embedded within a DHCP vendor extension message field with a code of 231, which forms the secured information. As mentioned earlier, the secured information is a configuration parameter obtained from the user (11) and the user's device, where the configuration parameter comprises one or a combination of user identification and device identification. The user identification is obtained by prompting the user (11) for the insertion of a key configuration, or in other words, a password. The device identification is one or a combination of the serial number or international mobile subscriber identity (IMSI) of the device. The serial number may also be a hard disk serial number.
Upon receiving the message from the user (11), the server (12) determines whether the secured information is in the message (22). If so, the server (12) extracts the Media Access Control (MAC) address of the device and uses the address as a key to locate the access information. The access information is obtained from the storage database (13) (23), and the access information is used as a decryption key to decrypt the secured information (24) provided by the user (11). Upon decrypting the secured information, the server (12) parses the decrypted secured information and conducts a check in the storage database (13) to determine whether the decrypted secured information matches the access information. If so, the server (12) will respond to the user (11) by providing access into the network to the user (11) (25).
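The option-231 exchange described in the preceding paragraphs, as an added example that is not part of the patent: the client encrypts its device identification under a key hashed from the password and embeds the 64-byte result in a DHCP message; the server locates the record by MAC address, decrypts, and compares. SHA-256 as the hash, an HMAC-SHA256 counter keystream as the cipher, and every MAC, password and identity value are my assumptions, since the description names none of them.

```python
import hashlib
import hmac
import struct

OPTION_CODE = 231   # DHCP vendor-extension option code named in the description
SECURED_LEN = 64    # the description fixes the secured information at 64 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_DISCOVER = bytes([53, 1, 1])  # option 53, length 1, message type DISCOVER

def password_key(password: str) -> bytes:
    """Key from the user identification; SHA-256 is an assumed choice."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def _keystream(key: bytes, length: int) -> bytes:
    """Assumed cipher: HMAC-SHA256 over a block counter, used as an XOR keystream."""
    blocks = (hmac.new(key, struct.pack(">I", n), hashlib.sha256).digest()
              for n in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_device_id(key: bytes, device_id: bytes) -> bytes:
    """Client side: zero-pad the device identification to 64 bytes and encrypt it."""
    if len(device_id) >= SECURED_LEN:
        raise ValueError("device identification does not fit the 64-byte field")
    padded = device_id.ljust(SECURED_LEN, b"\x00")
    return bytes(p ^ k for p, k in zip(padded, _keystream(key, SECURED_LEN)))

def decrypt_device_id(key: bytes, secured: bytes) -> bytes:
    """Server side: undo the encryption and strip the zero padding."""
    plain = bytes(c ^ k for c, k in zip(secured, _keystream(key, SECURED_LEN)))
    return plain.rstrip(b"\x00")

def client_request(mac: bytes, password: str, device_id: bytes, with_231=True) -> bytes:
    """Minimal BOOTREQUEST (236-byte header, cookie, options, END) as the client sends it."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, len(mac), 0, 0x3903F326,
                         0, 0x8000, b"", b"", b"", b"", mac, b"", b"")
    options = DHCP_DISCOVER
    if with_231:
        options += bytes([OPTION_CODE, SECURED_LEN]) + encrypt_device_id(password_key(password), device_id)
    return header + MAGIC_COOKIE + options + b"\xff"

def parse_dhcp_message(msg: bytes):
    """Return (client hardware address, {option code: value}); raise on malformed input."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(msg) and msg[i] != 255:            # 255 = END
        if msg[i] == 0:                               # 0 = PAD
            i += 1
            continue
        if i + 1 >= len(msg) or i + 2 + msg[i + 1] > len(msg):
            raise ValueError("truncated option")
        options[msg[i]] = msg[i + 2:i + 2 + msg[i + 1]]
        i += 2 + msg[i + 1]
    return msg[28:28 + msg[2]], options

def server_decide(msg: bytes, storage_db: dict) -> bool:
    """Server side, steps (22)-(25): grant access only if the decrypted device
    identification matches the record found under the client's MAC address."""
    mac, options = parse_dhcp_message(msg)
    secured = options.get(OPTION_CODE)
    if secured is None or len(secured) != SECURED_LEN:
        return False                                  # (22) no secured information
    record = storage_db.get(mac)                      # (23) MAC is only the lookup key
    if record is None:
        return False
    device_id = decrypt_device_id(record["key"], secured)          # (24)
    return hmac.compare_digest(device_id, record["device_id"])     # (25)

def demo() -> dict:
    """Constructed storage database (13) and four requests; returns each decision."""
    mac = bytes.fromhex("001122334455")                     # constructed MAC
    password = "user-passphrase-demo"                        # constructed user identification
    device_id = b"SN:HD9Z7Q3K|IMSI:502130123456789"          # constructed serial + IMSI
    storage_db = {mac: {"key": password_key(password), "device_id": device_id}}
    other_mac = bytes.fromhex("66778899aabb")               # constructed, not enrolled
    return {
        "valid": server_decide(client_request(mac, password, device_id), storage_db),
        "wrong_password": server_decide(client_request(mac, "guess", device_id), storage_db),
        "unknown_mac": server_decide(client_request(other_mac, password, device_id), storage_db),
        "no_option_231": server_decide(client_request(mac, password, device_id, False), storage_db),
    }

if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'access granted' if granted else 'rejected'}")
```

Only the first request is granted; a message without option 231, a wrong password, or a MAC with no record in the storage database is rejected, since the MAC alone never authenticates.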
The invention described herein is susceptible to variations, modifications and/or additions other than those specifically described and it is to be understood that the invention includes all such variations, modifications and/or additions which fall within the scope of the following claims.
Claims
1. A system (1) for accessing a network comprising:
at least a user (11) that requires access into a network;
at least a server (12) that allows the user (11) to access the network based on access information of the server (12) and a secured information provided by the user (11);
at least a storage database (13) for receiving and storing the access information and the secured information;
characterized in that the user (11) provides the secured information to the server (12) in a message in order for the server (12) to identify and decrypt the secured information based on the access information and provides access into the network to the user (11) when the secured information is decrypted.
2. A system (1) according to claim 1, wherein the user (11) is a Dynamic Host Client Protocol (DHCP) client user.
3. A system (1) according to claim 1, wherein the server (12) is a Dynamic Host Client Protocol (DHCP) server.
4. A system (1) according to claim 1, wherein the message is a Dynamic Host Client Protocol (DHCP) message.
5. A system (1) according to claim 1, wherein the secured information is a configuration parameter obtained from the user (11) and the user's device.
6. A method (2) for accessing a network comprising the steps of:
sending a message to a server (12) by a user (11) to request access into a network (21);
determining whether there is a secured information in the message provided by the user (11) (22);
obtaining access information from the storage database (13) when the server (12) determines that the secured information is in the message (23);
decrypting the secured information using the access information obtained from the storage database (13) (24); and
providing access into the network to the user (11) when the secured information is decrypted by the server (12) (25).
7. A method (2) according to claim 6, wherein the user (11) is a Dynamic Host Client Protocol (DHCP) client user.
8. A method (2) according to claim 6, wherein the server (12) is a Dynamic Host Client Protocol (DHCP) server.
9. A method (2) according to claim 6, wherein the message is a Dynamic Host Client Protocol (DHCP) message.
10. A method (2) according to claim 6, wherein the secured information is a configuration parameter obtained from the user (11) and the user's device.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
MYPI2014701263A MY187634A (en) | 2014-05-16 | 2014-05-16 | System and method for accessing a network |
MYPI2014701263 | 2014-05-16 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015174823A1 true WO2015174823A1 (en) | 2015-11-19 |
Family
ID=54480282
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/MY2015/050028 WO2015174823A1 (en) | 2014-05-16 | 2015-05-06 | System and method for accessing a network |
Country Status (2)
Country | Link |
---|---|
MY (1) | MY187634A (en) |
WO (1) | WO2015174823A1 (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH10242957A (en) * | 1997-02-26 | 1998-09-11 | Hitachi Software Eng Co Ltd | User authentication method, system therefor and storage medium for user authentication |
JP2001326696A (en) * | 2000-05-18 | 2001-11-22 | Nec Corp | Method for controlling access |
- 2014-05-16 MY MYPI2014701263A patent/MY187634A/en unknown
- 2015-05-06 WO PCT/MY2015/050028 patent/WO2015174823A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
MY187634A (en) | 2021-10-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15792444; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 15792444; Country of ref document: EP; Kind code of ref document: A1 |