WO2015174823A1 - System and method for accessing a network - Google Patents


Info

Publication number
WO2015174823A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
network
server
access
information
Application number
PCT/MY2015/050028
Other languages
French (fr)
Inventor
Swee Leong @ Low Kwang Hao LOW
Hoey Yew OOI
Putri Shahnim Khalid
Original Assignee
Mimos Berhad

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/50Address allocation
    • H04L61/5007Internet protocol [IP] addresses
    • H04L61/5014Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption


Abstract

The present invention discloses a system (1) and method (2) for accessing a network that is capable of controlling and securing user access into the network. The system (1) and method (2) disclose that the user (11) provides secured information to the server (12) in a message in order for the server (12) to identify and decrypt the secured information based on the access information, and thereafter provides access into the network to the user (11) when the secured information is decrypted.

Description

SYSTEM AND METHOD FOR ACCESSING A NETWORK
TECHNICAL FIELD OF THE INVENTION
The invention relates to network communications and in particular providing a system and method for accessing a network.
BACKGROUND OF THE INVENTION
The Dynamic Host Client Protocol (DHCP) is used to automatically assign network configuration parameters, such as Internet Protocol (IP) addresses, to devices connecting to a network. In a conventional DHCP system, once a device is plugged into a local network, the Media Access Control (MAC) address of the device is sent over the network within the DHCP protocol. However, sending the MAC address within the DHCP protocol is not a spoof-proof method: one can easily change the MAC address and gain access to the local network. This breach of security therefore poses a threat to high-security organizations, as any user can sneak into the server with a spoofed MAC address and gain access to the network.
Current DHCP systems are not equipped to handle authentication, especially when the first message is sent to the server by an uninitialized device. Hence, unauthorized personnel inside or outside the network can easily abuse the network. Virus creation kits, hostile software, logic bombs and remote access tools are examples of the compromises network security faces, and these are seldom detected by computer anti-virus software.
In view of the above-mentioned security threats, several methods have been developed to provide secured network access, including firewalls, which have been an integral part of network protection. US patent application number 20010047484 A1 discloses a system which integrates Kerberos Security with a dynamic address assignment scheme, i.e. DHCP. The method discloses an uninitialized client obtaining credentials from a server, which are then used to provide an authenticated exchange for network configuration parameter assignment. However, the method can only be used in systems that integrate Kerberos Security. US patent number 7,983,418 B2 discloses a method to provide improved support of DHCP service for a DHCP client. The method disclosed provides a robust solution for authentication as well as authorization for DHCP services. This method is performed by implementing an Authentication, Authorization and Accounting (AAA) infrastructure to assign the appropriate DHCP server to a DHCP user. This method only identifies the user; without further identification, the DHCP protocol remains susceptible to a spoofed user identification entering the network.
A research paper entitled "The Secure DHCP System With User Authentication" addresses the security threat mentioned above by introducing user authentication and a session between the sending of messages from a DHCP server and a DHCP client. This method prevents unauthenticated users from obtaining an IP address from the DHCP server. However, no part of the paper discloses the use of a session to authenticate both the user identity and the device identity.
In terms of security protection, the existing methods have their limitations. Therefore, it is an aim of the present invention to provide a system and method capable of securing and controlling network access.
SUMMARY OF THE PRESENT INVENTION
The present invention relates to a system and method for accessing a network. The system comprises at least a user that requires access into a network, at least a server that allows the user to access the network based on access information of the server and a secured information provided by the user, and at least a storage database for receiving and storing the access information and the secured information, characterized in that the user provides the secured information to the server in a message in order for the server to identify and decrypt the secured information based on the access information, and provides access into the network to the user when the secured information is decrypted. The method for accessing a network comprises the steps of sending a message to a server by a user to request access into a network, determining whether there is a secured information in the message provided by the user, obtaining access information from the storage database when the server determines that the secured information is in the message, decrypting the secured information using the access information obtained from the storage database, and providing access into the network to the user when the secured information is decrypted by the server.
It is an object of the present invention to provide a system and method for accessing a network that is capable of controlling user access into the network.
It is another object of the present invention to provide a system and method for accessing a network that is capable of securing user access into the network. It is further an object of the present invention to provide a system and method that decrypts secured information provided by a user based on the access information of the server prior to the provision of access to the user into the network. It is still further an object of the present invention to provide a system and method that decrypts secured information comprising user identification and device identification prior to the provision of access to the user into the network.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 illustrates the system for accessing a network, as described in the present invention. Figure 2 illustrates the flow diagram of the method for accessing a network, as described in the present invention.
DETAILED DESCRIPTION OF THE PRESENT INVENTION
The above-mentioned and other features and objects of this invention will become more apparent and better understood by reference to the following detailed description. It should be understood that the detailed description made known below is not intended to be exhaustive or to limit the invention to the precise form disclosed, as the invention may assume various alternative forms. On the contrary, the detailed description covers all the relevant modifications and alterations made to the present invention, unless the claims expressly state otherwise.
The present invention discloses a system (1) and method (2) for accessing a network. The system (1), as illustrated in Figure 1, comprises at least a user (11) that requires access into a network, at least a server (12) that allows the user (11) to access the network based on access information of the server (12) and a secured information provided by the user (11), and at least a storage database (13) for receiving and storing the access information and the secured information, characterized in that the user (11) provides the secured information to the server (12) in a message in order for the server (12) to identify and decrypt the secured information based on the access information, and provides access into the network to the user (11) when the secured information is decrypted. One embodiment of the present invention discloses that the user (11) is a Dynamic Host Client Protocol (DHCP) client user, where the user (11) may be a device that has a custom DHCP client installed within it. In order to access the network, the user (11) first sends a message to the server (12). The server (12) mentioned herein is a Dynamic Host Client Protocol (DHCP) server. The message that the user (11) sends to the server (12) is a Dynamic Host Client Protocol (DHCP) message, which contains the secured information. The secured information is a configuration parameter obtained from the user (11) and the user's device, where the configuration parameter comprises one or a combination of user identification and device identification. The user identification is obtained by prompting the user (11) to enter a key configuration, in other words a password. The device identification is one or a combination of the serial number or the international mobile subscriber identity (IMSI) of the device. The serial number may also be a hard disk serial number.
Thereafter, the custom DHCP client in the user's (11) device calculates a value by encrypting the device identification with a key generated by a hash message algorithm of the user identification. The value is a 64-byte message embedded within a DHCP vendor extension message field with a code of 231, which forms the secured information.
Upon receiving the DHCP message from the user (11), the server (12) first determines whether the message contains the secured information. If so, the server (12) extracts the Media Access Control (MAC) address of the device and uses the address as a key to locate the access information. The access information is used as a decryption key to decrypt the secured information provided by the user (11). Upon decrypting the secured information, the server (12) parses the decrypted secured information and conducts a check in the storage database (13) to determine whether the decrypted secured information matches the access information. If so, the server (12) responds to the user (11) by providing access into the network to the user (11). The method (2), as illustrated in Figure 2, for accessing a network comprises a first step of sending a message to the server (12) by the user (11) (21) to request access into a network. Prior to the sending of the message, the custom DHCP client in the user's device calculates a value by encrypting the device identification with a key generated by a hash message algorithm of the user identification. The value is a 64-byte message embedded within a DHCP vendor extension message field with a code of 231, which forms the secured information. As mentioned earlier, the secured information is a configuration parameter obtained from the user (11) and the user's device, where the configuration parameter comprises one or a combination of user identification and device identification. The user identification is obtained by prompting the user (11) to enter a key configuration, in other words a password. The device identification is one or a combination of the serial number or the IMSI of the device. The serial number may also be a hard disk serial number.
Upon receiving the message from the user (11), the server (12) determines whether the secured information is in the message (22). If so, the server (12) extracts the Media Access Control (MAC) address of the device and uses the address as a key to locate the access information. The access information is obtained from the storage database (13) (23), and is used as a decryption key to decrypt the secured information (24) provided by the user (11). Upon decrypting the secured information, the server (12) parses the decrypted secured information and conducts a check in the storage database (13) to determine whether the decrypted secured information matches the access information. If so, the server (12) responds to the user (11) by providing access into the network to the user (11) (25).
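The client-side computation (the value embedded in option 231) and the server-side steps 22 to 25 above, as one added worked example. This is not code from the patent or from Mimos Berhad; it fills in what the description leaves open and every such choice is an assumption: SHA-256 stands in for "a hash message algorithm of the user identification", AES-256-GCM is the cipher, the 64-byte value is laid out as a 12-byte nonce, 36 bytes of zero-padded device identification and a 16-byte authentication tag, the storage database is an in-memory map keyed by MAC address holding the access information (the same derived key) and the enrolled device identification, and option 231 is carried in the RFC 2132 code/length/data layout. The MAC address, password and IMSI-style identifier used in the test are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// From the page: option 231 with a 64-byte value; the nonce/padded-id/tag layout below is this example's choice.
const (
	optSecuredInfo = 231
	securedInfoLen = 64
	nonceLen       = 12
	plainLen       = securedInfoLen - nonceLen - 16 // 36 bytes of zero-padded device identification
)

// deriveKey: the page says only "a hash message algorithm"; SHA-256 of the password is assumed.
func deriveKey(userID string) []byte {
	sum := sha256.Sum256([]byte(userID))
	return sum[:]
}

// mustGCM builds AES-GCM; NewCipher fails only on a bad key length, which a SHA-256 key rules out.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// buildSecuredInfo is the client side: device identification encrypted under the user-derived key.
func buildSecuredInfo(deviceID, userID string) ([]byte, error) {
	if len(deviceID) > plainLen {
		return nil, errors.New("device identification too long for the 64-byte field")
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain := make([]byte, plainLen) // zero padding keeps the ciphertext length fixed
	copy(plain, deviceID)
	return mustGCM(deriveKey(userID)).Seal(nonce, nonce, plain, nil), nil // nonce||ct||tag
}

// encodeOption formats one DHCP option as code, length, data (RFC 2132 layout).
func encodeOption(code byte, data []byte) []byte {
	return append([]byte{code, byte(len(data))}, data...)
}

// parseOptions walks an options field up to the end code (255), skipping pad bytes (0).
func parseOptions(raw []byte) (map[byte][]byte, error) {
	opts := map[byte][]byte{}
	for i := 0; i < len(raw) && raw[i] != 255; {
		if raw[i] == 0 {
			i++
			continue
		}
		if i+1 >= len(raw) || i+2+int(raw[i+1]) > len(raw) {
			return nil, errors.New("option length runs past the message")
		}
		opts[raw[i]] = raw[i+2 : i+2+int(raw[i+1])]
		i += 2 + int(raw[i+1])
	}
	return opts, nil
}

type Record struct {
	AccessKey []byte // access information, used as the decryption key
	DeviceID  string // enrolled device identification the plaintext must match
}

// authorize follows steps 22 to 25 on the page: find the option, look up by MAC, decrypt, compare.
func authorize(db map[string]Record, mac string, options []byte) (bool, error) {
	opts, err := parseOptions(options)
	if err != nil {
		return false, err
	}
	sec, ok := opts[optSecuredInfo]
	if !ok || len(sec) != securedInfoLen {
		return false, errors.New("no secured information in message") // step 22 fails
	}
	rec, ok := db[mac]
	if !ok {
		return false, errors.New("no access information for this MAC") // step 23 fails
	}
	plain, err := mustGCM(rec.AccessKey).Open(nil, sec[:nonceLen], sec[nonceLen:], nil) // step 24
	if err != nil {
		return false, errors.New("secured information does not decrypt under the access information")
	}
	if string(bytes.TrimRight(plain, "\x00")) != rec.DeviceID {
		return false, errors.New("decrypted device identification does not match the database")
	}
	return true, nil // step 25: grant access
}
```

A call such as `authorize(db, mac, append(encodeOption(231, sec), 255))` with `sec` from `buildSecuredInfo` returns `true` only when the MAC is enrolled, the password-derived key opens the value, and the recovered device identification equals the stored one. The authenticated cipher is what makes the page's criterion, that the secured information "is decrypted", a meaningful test: with an unauthenticated mode every key yields some plaintext and the decision would rest entirely on the later comparison. Two points a deployment would settle beyond what the page specifies: the key is derived from a user-chosen password, so a slow password hash belongs in place of plain SHA-256, and the value as described depends only on static inputs, so binding a server-issued nonce or timestamp into the plaintext would let the server tell a fresh request from a repeated one.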
The invention described herein is susceptible to variations, modifications and/or additions other than those specifically described and it is to be understood that the invention includes all such variations, modifications and/or additions which fall within the scope of the following claims.

Claims

1. A system (1) for accessing a network comprising:
at least a user (11) that requires access into a network;
at least a server (12) that allows the user (11) to access the network based on access information of the server (12) and a secured information provided by the user (11);
at least a storage database (13) for receiving and storing the access information and the secured information;
characterized in that the user (11) provides the secured information to the server (12) in a message in order for the server (12) to identify and decrypt the secured information based on the access information and provides access into the network to the user (11) when the secured information is decrypted.
2. A system (1) according to claim 1, wherein the user (11) is a Dynamic Host Client Protocol (DHCP) client user.
3. A system (1) according to claim 1, wherein the server (12) is a Dynamic Host Client Protocol (DHCP) server.
4. A system (1) according to claim 1, wherein the message is a Dynamic Host Client Protocol (DHCP) message.
5. A system (1) according to claim 1, wherein the secured information is a configuration parameter obtained from the user (11) and the user's device.
6. A method (2) for accessing a network comprising the steps of:
sending a message to a server (12) by a user (11) to request access into a network (21);
determining whether there is a secured information in the message provided by the user (11) (22);
obtaining access information from the storage database (13) when the server (12) determines that the secured information is in the message (23);
decrypting the secured information using the access information obtained from the storage database (13) (24); and
providing access into the network to the user (11) when the secured information is decrypted by the server (12) (25).
7. A method (2) according to claim 6, wherein the user (11) is a Dynamic Host Client Protocol (DHCP) client user.
8. A method (2) according to claim 6, wherein the server (12) is a Dynamic Host Client Protocol (DHCP) server.
9. A method (2) according to claim 6, wherein the message is a Dynamic Host Client Protocol (DHCP) message.
10. A method (2) according to claim 6, wherein the secured information is a configuration parameter obtained from the user (11) and the user's device.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2014701263A MY187634A (en) 2014-05-16 2014-05-16 System and method for accessing a network
MYPI2014701263 2014-05-16

Publications (1)

Publication Number Publication Date
WO2015174823A1 true WO2015174823A1 (en) 2015-11-19

Family

ID=54480282

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2015/050028 WO2015174823A1 (en) 2014-05-16 2015-05-06 System and method for accessing a network

Country Status (2)

Country Link
MY (1) MY187634A (en)
WO (1) WO2015174823A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH10242957A (en) * 1997-02-26 1998-09-11 Hitachi Software Eng Co Ltd User authentication method, system therefor and storage medium for user authentication
JP2001326696A (en) * 2000-05-18 2001-11-22 Nec Corp Method for controlling access

Also Published As

Publication number Publication date
MY187634A (en) 2021-10-05

Similar Documents

Publication Publication Date Title
US10142297B2 (en) Secure communication method and apparatus
US11233790B2 (en) Network-based NT LAN manager (NTLM) relay attack detection and prevention
US10454887B2 (en) Allocation of local MAC addresses to client devices
US9948675B2 (en) Identity-based internet protocol networking
US7853783B2 (en) Method and apparatus for secure communication between user equipment and private network
US10136322B2 (en) Anonymous authentication system
WO2016141856A1 (en) Verification method, apparatus and system for network application access
US9596097B2 (en) Apparatus and method for transferring network access information of smart household appliances
US11451959B2 (en) Authenticating client devices in a wireless communication network with client-specific pre-shared keys
US20100250921A1 (en) Authorizing a Login Request of a Remote Device
US11714914B2 (en) Secure storage of passwords
US20150052350A1 (en) System and method for authenticating a user
CA2939169A1 (en) Authentication system and method
CN106506295B (en) Method and device for accessing virtual machine to network
JP6079394B2 (en) Certificate generation method, certificate generation apparatus, information processing apparatus, communication device, and program
CN111512608A (en) Trusted execution environment based authentication protocol
CN108712364B (en) Security defense system and method for SDN (software defined network)
WO2005088892A1 (en) A method of virtual challenge response authentication
EP2706717A1 (en) Method and devices for registering a client to a server
US20190052623A1 (en) Authenticating Applications to a Network Service
US20140237627A1 (en) Protecting data in a mobile environment
CN116015928A (en) Single-packet authentication method, apparatus and computer-readable storage medium
US20150312222A1 (en) Digital encryption shredder and document cube rebuilder
US20180176774A1 (en) System and Method for Ensuring Secure Connections
EP3580885B1 (en) Private key updating

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15792444

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15792444

Country of ref document: EP

Kind code of ref document: A1