WO2017028807A1 - Procédé, dispositif et système d'authentification d'identité destinés à un réseau de transport optique - Google Patents

Procédé, dispositif et système d'authentification d'identité destinés à un réseau de transport optique Download PDF

Info

Publication number
WO2017028807A1
WO2017028807A1 PCT/CN2016/095962 CN2016095962W WO2017028807A1 WO 2017028807 A1 WO2017028807 A1 WO 2017028807A1 CN 2016095962 W CN2016095962 W CN 2016095962W WO 2017028807 A1 WO2017028807 A1 WO 2017028807A1
Authority
WO
WIPO (PCT)
Prior art keywords
identity
slave
information
identity verification
authentication
Prior art date
Application number
PCT/CN2016/095962
Other languages
English (en)
Chinese (zh)
Inventor
郑靖
王春光
杜凯
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2017028807A1 publication Critical patent/WO2017028807A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to an identity verification method, apparatus, and system for an optical transport network.
  • OTN Optical Transport Network
  • the implementation of identity verification is verified by means of a username and a password.
  • the solution has the following problems: First, the user name and password are easily stolen by others, and the security strength is not enough. Second, if the traditional authentication mechanism needs to increase security, it needs to add supporting basic settings, such as public key infrastructure, which will increase implementation costs and have low reliability.
  • the main purpose of the embodiments of the present invention is to provide an identity verification method, apparatus, and system for an optical transport network, which are intended to improve the security and reliability of identity verification.
  • an embodiment of the present invention provides an identity verification method for an optical transport network, including:
  • the obtaining the random number constructing the identity verification request message comprises:
  • acquiring the random number constructing the authentication request message, and sending the identity verification request message to the slave end includes:
  • the identity verification request message is resent to the slave end, and after the number of failed identity authentication requests reaches a preset number of times, The authentication request message is resent after the second preset time or the presence of the light input.
  • the method further comprises:
  • the two symmetric service boards determine the primary end and the secondary end according to the auto-negotiation algorithm or the receiving network management protocol configuration command, and the primary end and the secondary end respectively receive the authentication link configuration information delivered by the network management, and the identity verification link
  • the configuration information includes the password information of the primary end, the password information of the secondary end, the port information of the primary end, and the port information of the secondary end.
  • the parsing the identity authentication response message to obtain the first slave identity information, and determining whether the identity verification is successful according to the first slave identity information and the saved second slave identity information includes:
  • the second slave identity information is generated according to the password information of the slave end, the port information of the slave end, and the random number, and is saved.
  • the primary end and the secondary end receive or send a message by using a preset overhead byte.
  • an embodiment of the present invention further provides an identity verification apparatus for an optical transport network, where the identity verification apparatus of the optical transport network includes:
  • Obtaining a module configured to acquire a random number constructing an authentication request message when the authentication is started, and send the authentication request message to the slave end;
  • a receiving module configured to receive an identity authentication response message fed back by the slave end
  • the verification module is configured to parse the identity authentication response message to obtain the first slave identity information, and determine, according to the first slave identity information and the saved second slave identity information, whether the identity verification is successful.
  • the obtaining module comprises:
  • And generating a unit configured to generate a random number by using a hash algorithm and a random number algorithm according to the local time stamp information, and construct an identity verification request message according to the random number.
  • the identity verification device of the optical transport network further includes:
  • the processing module is configured to resend the identity verification request message to the slave end when the identity authentication response message fed back by the slave end for the identity verification request message is not received within the first preset time, and the number of failed authentication request reaches After the preset number of times, the identity verification request message is retransmitted after the second preset time or the presence of the light input.
  • the identity verification device of the optical transport network further includes:
  • the two symmetric service boards are configured to determine the primary end and the secondary end according to the auto-negotiation algorithm or the receiving network management protocol configuration command, and the primary end and the secondary end respectively receive the configuration information of the authentication link delivered by the network management system.
  • the authentication link configuration information includes password information of the primary end, password information of the secondary end, port information of the primary end, and port information of the secondary end.
  • the identity verification device of the optical transport network further includes:
  • the saving module is configured to save the second slave identity information according to the password information of the slave end, the port information of the slave end, and the random number.
  • the primary end and the secondary end receive or send a message by using a preset overhead byte.
  • an embodiment of the present invention further provides an identity verification system for an optical transport network, where the identity verification system of the optical transport network includes a primary end and a secondary end, where
  • the primary end is configured to acquire a random number constructing an authentication request message when the authentication is initiated, and send the authentication request message to the slave end;
  • the slave end is configured to receive the identity verification request message, and construct an identity authentication response message to be sent to the primary end;
  • the primary end is configured to parse the identity authentication response message to obtain the first slave identity information, and determine, according to the first slave identity information and the saved second slave identity information, whether the identity verification is successful.
  • the primary end is further configured to obtain local timestamp information
  • the primary end is further configured to resend the identity verification request message to the slave end when the identity authentication response message fed back by the terminal for the identity verification request message is not received within the first preset time, and After the number of failed authentication requests reaches the preset number of times, the authentication request message is resent after the second preset time or the presence of optical input.
  • the identity verification system of the optical transport network further includes:
  • the two symmetric service boards determine the primary end and the secondary end according to the auto-negotiation algorithm or the receiving network management protocol configuration command;
  • the primary end is further configured to receive the authentication link configuration information sent by the network management, where the authentication link configuration information includes password information of the primary end, password information of the secondary end, port information of the primary end, and port information of the secondary end.
  • the slave end is further configured to receive the authentication link configuration information sent by the network management, where the identity verification link configuration information includes password information of the primary end, password information of the secondary end, port information of the primary end, and port information of the secondary end.
  • the primary end is further configured to: according to password information of the slave end, port information of the slave end And the random number generates second slave identity information for saving.
  • the primary end and the secondary end receive or send a message by using a preset overhead byte.
  • a storage medium is also provided.
  • the storage medium is arranged to store program code for performing the following steps:
  • the primary end initiates the identity verification, and obtains the random number to construct the identity verification request message, and then sends the message to the slave end.
  • the constructive identity authentication response message is sent to the primary end.
  • the primary end resolves the identity authentication response message to obtain the first slave identity information, and compares the first slave identity information with the saved second slave identity information to determine whether the identity verification is successful.
  • the message is transmitted or received according to the primary end and the secondary end set in the optical transport network, and the identity information generated by the random number is verified, thereby improving the security and reliability of the identity verification in the optical transport network.
  • FIG. 1 is a schematic flow chart of a first embodiment of an identity verification method for an optical transport network according to the present invention
  • FIG. 2 is a schematic flow chart of a second embodiment of an identity verification method for an optical transport network according to the present invention
  • FIG. 3 is a schematic flowchart of a third embodiment of an identity verification method for an optical transport network according to the present invention.
  • FIG. 4 is a schematic flow chart of a fourth embodiment of an identity verification method for an optical transport network according to the present invention.
  • FIG. 5 is a schematic diagram of functional modules of a first embodiment of an identity verification apparatus for an optical transport network according to the present invention
  • FIG. 6 is a schematic diagram of functional modules of a second embodiment of an identity verification apparatus for an optical transport network according to the present invention.
  • FIG. 7 is a schematic diagram of functional modules of a third embodiment of an identity verification apparatus for an optical transport network according to the present invention.
  • FIG. 8 is a schematic diagram of functional modules of a fourth embodiment of an identity verification apparatus for an optical transport network according to the present invention.
  • FIG. 9 is a schematic diagram of functional modules of an embodiment of an identity verification system of an optical transport network according to the present invention.
  • the identity verification method of the optical transport network of this embodiment includes:
  • Step S10 When the authentication is started, acquiring a random number constructing an authentication request message, and sending the identity verification request message to the slave end;
  • the authentication method is a module in the OTN encryption transmission system.
  • the primary state machine when the primary end initiates identity information verification, the primary state machine enters the verification request state, and the primary state machine is mainly used to control the timing of the primary end.
  • the primary end generates a random number constructing the authentication request message by using a hash algorithm and a random number algorithm, specifically,
  • the primary end reads the local timestamp information generated by the corresponding chip of the primary service card, and imports the local timestamp information into a function consisting of a hash algorithm and a random number algorithm to generate a random number, according to The random number constructs identity information.
  • the hash algorithm can be flexibly set according to a specific situation.
  • 10 bytes of local time stamp information can be obtained by using hash 256 to generate a 32-byte binary number, and then a 32-byte binary number can be passed.
  • the random number algorithm generates a 32-byte binary random number. It should be noted that the local time stamp information is incremented to ensure that the time stamp information obtained each time is different.
  • the hash algorithm and the random number algorithm are used to calculate the random number and construct the identity information, which has high security.
  • the primary end and the secondary end receive or send a message through a preset overhead byte
  • the preset overhead byte can be dynamically configured according to actual requirements, that is, the preset overhead can be implemented according to different interface addresses configured. Dynamic configuration of bytes.
  • the dynamic configuration of overhead bytes makes it difficult for the thief to track the overhead bytes for actual transmission, further increasing the security of authentication.
  • the primary end sends an identity verification request message to the slave end by using the first preset overhead byte, and the master state machine enters a sending state, and starts a counter built in the master end to start timing, so as to detect that the slave end obtains the identity verification. The time at which the request message feeds back the authentication response message.
  • the primary end uses the scheduling ODUk overhead byte 4 rows and 13 columns to send information, that is, the first preset overhead byte can be set to 4 rows and 13 columns. It should be noted that the first preset overhead byte can be dynamically configured according to actual needs.
  • Step S20 Receive an identity authentication response message fed back by the slave end.
  • the slave Since the receiving message is passive, the slave needs to detect whether it can send a message to receive the message in time. After the primary end completes the sending of the authentication request message, the slave polls the message sent by the detecting terminal in a predefined period.
  • the predefined period can be set to 1 second, or can be set according to actual needs.
  • the slave receives the information by using the scheduling ODUk overhead byte 4 rows and 13 columns by default, that is, the second preset overhead byte can be set to 4 rows and 13 columns. Need It is noted that the second preset overhead byte can be dynamically configured according to actual needs.
  • the received identity verification request message is verified according to the verification mechanism, specifically, the first byte in the identity verification request message is extracted from the terminal to determine its type, and the second byte is extracted. Obtain the length, and then compare the length with the length returned from the master chip of the slave end. If they are consistent, the identity verification request message is valid; if it is inconsistent, it is invalid, and the slave end feeds back to the master end failure state information, so that the master end After receiving the failure status information fed back from the terminal, the authentication request message is resent to the slave.
  • the slave After verifying that the authentication request message is valid, the slave obtains the content of the identity verification request message, and obtains a random number by parsing the identity verification request message, where the random number is an identity verification request message constructed by the primary end according to the random number. Then, the slave end generates the first slave identity information by using a hash algorithm according to the password information of the slave end, the port information of the slave end, and the parsed random number, and the first slave identity information is a binary number.
  • the slave end constructs an identity authentication response message according to the first slave identity information, and sends the identity authentication response message to the master, and the master receives the identity authentication response message.
  • the identity authentication response message is configured by using the first slave identity information, for example, a 4-byte header and a 32-byte first slave identity.
  • the information is combined to obtain an identity authentication response message, and the first byte of the 4-byte header can indicate that the message type is an identity authentication response message.
  • the slave sends the identity authentication response message to the master through the third preset overhead byte.
  • the slave uses the scheduling ODUk overhead byte 4 rows and 14 columns to send information by default, that is, the third preset overhead byte can be set to 4 rows and 14 columns. It should be noted that the third preset overhead byte can be dynamically configured.
  • the slave state machine is modified to the sending state.
  • Step S30 Parse the identity authentication response message to obtain the first slave identity information, and determine whether the identity verification is successful according to the first slave identity information and the saved second slave identity information.
  • the primary end polls and detects the message sent from the secondary end within a preset period.
  • the preset period can be set to 1 second, or can be set according to actual needs.
  • the primary end uses the scheduling ODUk overhead byte 4 rows and 14 columns to receive information, that is, the fourth preset overhead byte can be set to 4 rows and 14 columns.
  • the fourth preset overhead byte can be dynamically configured according to actual needs. If the master has not received the identity authentication response message after the counter built in the master terminal exceeds the preset time, the master resends the identity verification request message to the slave.
  • the primary end verifies the received identity authentication response message according to the verification mechanism. Specifically, the primary end extracts the first byte in the identity authentication response message to determine its type, and extracts the second byte. The length is obtained, and then the length is compared with the length returned by the master chip of the master. If they are consistent, the identity verification request message is valid, and the master state machine enters the response state; if not, it is invalid.
  • the primary end After verifying that the identity authentication response message is valid, the primary end obtains the content of the identity authentication response message, and extracts the first slave identity information by parsing the identity authentication response message, where the first slave identity information is the password information of the slave end according to the slave end. The first slave identity information generated by the port information of the slave end and the random number. Then, the primary end compares the first slave identity information obtained by the parsing with the second slave identity information stored locally, that is, determines the second slave identity information saved locally and the first identity obtained by parsing the identity authentication response message. Whether the binary number of the slave identity information is consistent. If the inconsistency, the primary state machine continues to maintain the verification request state, and the identity verification is unsuccessful, the primary end restarts a new round of identity verification process.
  • the primary state machine enters the verification success state, the authentication is successful, that is, the authentication process is completed, and then the primary state machine enters the other modules such as the secret key delivery module and the lossless switching module in the OTN encrypted transmission system.
  • the primary end and the secondary end detect the alarm status of the OTN encrypted transmission system in real time: if it detects that the encrypted path is from invalid to normal, restarts the authentication process, so that the identity verification is performed after the link is restored to normal, and the authentication is improved. reliability. If it is detected that the encryption path is normal to invalid, the link is disconnected and the authentication process needs to be restarted.
  • the primary end actively initiates the identity verification, obtains the random number and constructs the identity verification request message, and sends the message to the slave end.
  • the resolving the authentication request message acquires a random number, and generates the first slave identity information according to the password information of the slave end, the port information of the slave end, and the random number.
  • the slave then constructs an identity authentication response message based on the slave identity information and sends it to the master.
  • the primary end After receiving the identity authentication response message and verifying the validity, the primary end resolves the identity authentication response message to obtain the first slave identity information, and compares the locally stored second slave identity information with the parsed first slave identity information to determine Whether the authentication was successful.
  • the method further comprises: transmitting and receiving messages according to the dynamically configured configurable overhead bytes according to the primary end and the slave end set in the optical transport network, and verifying the identity information generated by the hash algorithm and the random number algorithm, thereby greatly Increased security and reliability of identity verification.
  • the foregoing step S10 may include:
  • Step S40 When the identity authentication response message fed back by the slave end to the identity verification request message is not received within the first preset time, the identity verification request message is resent to the slave end, and the number of failed authentication request reaches the preset. After the number of times, the identity verification request message is retransmitted after the second preset time or the presence of the light input.
  • the built-in counter of the primary end starts counting, and the primary end determines, according to the timing of the counter, whether the identity authentication response message received by the secondary end for the authentication request message exceeds the first pre-predicted.
  • Set the time if the identity authentication response message is not collected within the first preset time, it indicates that the current authentication request fails, and the current counter value of the counter is cleared, and the current failure number is accumulated, and the identity verification is continued.
  • Request message can be flexibly set according to specific situations.
  • the random number is recalculated by the hash algorithm and the random algorithm according to the reacquisition of the local time stamp information, and the new authentication request message is reconstructed by the new random number. Therefore, the random number contained in the authentication request message sent each time is different.
  • the primary end may accumulate the authentication request failure. After the preset number of times has elapsed, the sent authentication request message is stopped and the number of failures is cleared. The preset number of times can be set to 5 times, or can be set according to actual needs. After the second preset time, the primary end sends an identity verification request message to the secondary end, or after the service is restored, that is, after the optical input exists, the primary end resends the identity verification request message to the secondary end.
  • the second preset time can be flexibly set according to specific situations.
  • the method may include:
  • Step S50 The two symmetric service boards determine the primary end and the secondary end according to the auto-negotiation algorithm or the receiving network management protocol configuration command, where the primary end and the secondary end respectively receive the authentication link configuration information delivered by the network management, where the identity
  • the verification link configuration information includes the password information of the primary end, the password information of the secondary end, the port information of the primary end, and the port information of the secondary end.
  • the primary and secondary ends of the two symmetric service boards forming the link need to be determined before the identity verification is performed.
  • one of the two service boards is set to be the master and the other is set as the slave. Then, the master actively initiates an authentication request to the slave to verify the validity of the identity information.
  • the development is extended on the basis of the existing hardware, and the central controller is not required to be erected, thereby greatly saving the cost.
  • the master and the slave are set to verify the identity information, and the identity information is verified by the central controller in the traditional identity verification mechanism with respect to the symmetry, thereby improving the security of the identity verification.
  • the method for confirming the primary end and the secondary end may include: mode 1, the two symmetric service boards determine the primary end and the secondary end by using a self-negotiating algorithm, that is, in the process of sending and receiving messages between the two symmetric service boards, The negotiation algorithm calculates the size of the two symmetric service boards based on the parameters such as the IP address, the slot number, and the port number. The large one is designated as the primary end and the small one is designated as the secondary end.
  • the master and the slave are configured by the network management protocol, that is, the network management device sends the protocol packet, and the protocol packet includes the information of the two symmetric service boards as the master end and which is the slave end, thereby reporting according to the protocol.
  • Text Specify the primary and secondary.
  • the NMS sends the authentication link configuration information to the primary end and the secondary end, so that both the primary end and the secondary end receive the authentication link configuration information and store the information.
  • the authentication link information is mainly used to generate the identity information of the master or the slave, and the identity information is the key to the success of the subsequent identity verification.
  • the authentication link configuration information may include: password information of the primary end, password information of the secondary end, port information of the primary end, port information of the secondary end, a key material update period of the primary end, and an update mode.
  • the port information can be the IP address of the NE, the slot number, and so on.
  • the password information and port information can be numbers or characters, etc., and will be converted to binary numbers when generating random numbers through the hash algorithm.
  • both the primary state machine and the secondary state machine are initialized to the initial value state. It can be understood that, in order to perform the corresponding function when the role is switched between the master and the slave, the master and the slave simultaneously receive the identity verification link configuration information including the information of the two ends. After the authentication link configuration is completed, the master can send an authentication request message to the slave.
  • a fourth embodiment of the method for authenticating the optical transport network of the present invention is proposed.
  • the foregoing step S30 may include:
  • Step S60 The second slave identity information is generated according to the password information of the slave end, the port information of the slave end, and the random number, and is saved.
  • the primary end can compare the first slave identity information obtained by the identity authentication response message sent from the terminal with the second slave identity information generated by itself, in this embodiment, the master The terminal generates the second slave identity information according to the hash algorithm according to the obtained random number, the password information of the slave end, and the port information of the slave end, and saves the generated second slave identity information locally, in the process of identity verification.
  • the primary end verifies the saved second slave identity information and the first slave identity information fed back from the terminal.
  • the hash algorithm is consistent with the hash algorithm utilized by the slave end to generate the first slave identity information. Password information and port information can be flexibly set according to the specific situation.
  • the primary end constructs an identity verification request message according to the 32-byte binary random number obtained above, for example, 4 bytes can be eliminated.
  • the header is combined with a 32-byte random number to obtain an authentication request message, and the first byte of the 4-byte header can indicate that its message type is an authentication request message.
  • the identity verification device of the optical transport network of this embodiment includes:
  • the obtaining module 100 is configured to: when the authentication is initiated, acquire a random number constructing an authentication request message, and send the identity verification request message to the slave end;
  • the authentication method is a module in the OTN encryption transmission system.
  • the primary state machine enters the verification request state, and the primary state machine is mainly used for the primary end. Timing is controlled.
  • the main body call obtaining module 100 generates a random number to construct an identity verification request message by using a hash algorithm and a random number algorithm.
  • the obtaining module 100 may include:
  • And generating a unit configured to generate a random number by using a hash algorithm and a random number algorithm according to the local time stamp information, and construct an identity verification request message according to the random number.
  • the calling end acquires the local time stamp information generated by the corresponding chip of the service card of the primary end, and the generating unit imports the local time stamp information into a function composed of a hash algorithm and a random number algorithm.
  • a random number is generated to construct identity information based on the random number.
  • the hash algorithm can be flexibly set according to a specific situation.
  • 10 bytes of local time stamp information can be obtained by using hash 256 to generate a 32-byte binary number, and then a 32-byte binary number can be passed.
  • the random number algorithm generates a 32-byte binary random number. It should be noted that the local time stamp information is incremented to ensure that the time stamp information obtained each time is different.
  • the hash algorithm and the random number algorithm are used to calculate the random number and construct the identity information, which has high security.
  • the primary end and the secondary end receive or send a message through a preset overhead byte
  • the preset overhead byte can be dynamically configured according to actual requirements, that is, the preset overhead can be implemented according to different interface addresses configured.
  • Dynamic configuration of bytes The dynamic configuration of overhead bytes makes it difficult for the thief to track the overhead bytes for actual transmission, further increasing the security of authentication.
  • the primary end sends an identity verification request message to the slave end through the first preset overhead byte, and the master state machine enters the sending state, and starts the counter built in by the master end to start timing, so as to detect that the slave end obtains feedback for the identity verification request message. The time when the identity authentication response message.
  • the primary end uses the scheduling ODUk overhead byte 4 rows and 13 columns to send information, that is, the first preset overhead byte can be set to 4 rows and 13 columns. It should be noted that the first preset overhead byte can be dynamically configured according to actual needs.
  • the receiving module 200 is configured to receive an identity authentication response message fed back by the slave end;
  • the slave Since the receiving message is passive, the slave needs to detect whether it can send a message to receive the message in time. After the primary end completes the sending of the authentication request message, the slave polls the message sent by the detecting terminal in a predefined period.
  • the predefined period can be set to 1 second, or can be set according to actual needs.
  • the slave receives the information by using the scheduling ODUk overhead byte 4 rows and 13 columns by default, that is, the second preset overhead byte can be set to 4 rows and 13 columns. It should be noted that the second preset overhead byte can be dynamically configured according to actual needs.
  • the received identity verification request message is verified according to the verification mechanism, specifically, the first byte in the identity verification request message is extracted from the terminal to determine its type, and the second byte is extracted. Obtain the length, and then compare the length with the length returned from the master chip of the slave end. If they are consistent, the identity verification request message is valid; if it is inconsistent, it is invalid, and the slave end feeds back to the master end failure state information, so that the master end After receiving the failure status information fed back from the terminal, the authentication request message is resent to the slave.
  • the slave After verifying that the authentication request message is valid, the slave obtains the content of the identity verification request message, and obtains a random number by parsing the identity verification request message, where the random number is an identity verification request message constructed by the primary end according to the random number. Then, the slave end generates the first slave identity information by using a hash algorithm according to the password information of the slave end, the port information of the slave end, and the parsed random number, and the first slave identity information is a binary number.
  • the slave end constructs an identity authentication response message according to the first slave identity information, and the identity authentication should be The answer message is sent to the primary end, and the primary end calls the receiving module 200 to receive the identity authentication response message.
  • the identity authentication response message is configured by using the first slave identity information, for example, a 4-byte header and a 32-byte first slave identity. The information is combined to obtain an identity authentication response message, and the first byte of the 4-byte header can indicate that the message type is an identity authentication response message. Then, the slave sends the identity authentication response message to the master through the third preset overhead byte.
  • the slave uses the scheduling ODUk overhead byte 4 rows and 14 columns to send information by default, that is, the third preset overhead byte can be set to 4 rows and 14 columns. It should be noted that the third preset overhead byte can be dynamically configured.
  • the slave state machine is modified to the sending state.
  • the verification module 300 is configured to parse the identity authentication response message to obtain the first slave identity information, and determine whether the identity verification is successful according to the first slave identity information and the saved second slave identity information.
  • the primary end polls and detects the message sent from the secondary end within a preset period.
  • the preset period can be set to 1 second, or can be set according to actual needs.
  • the primary end uses the scheduling ODUk overhead byte 4 rows and 14 columns to receive information, that is, the fourth preset overhead byte can be set to 4 rows and 14 columns.
  • the fourth preset overhead byte can be dynamically configured according to actual needs. If the master has not received the identity authentication response message after the counter built in the master terminal exceeds the preset time, the master resends the identity verification request message to the slave.
  • the primary end calling verification module 300 verifies the received identity authentication response message according to the verification mechanism. Specifically, the primary end extracts the first byte in the identity authentication response message to determine its type, and The two bytes acquire the length, and then compare the length with the length returned by the master chip of the master. If they are consistent, the identity verification request message is valid, and the master state machine enters the response state; if not, it is invalid.
  • the primary end After the primary end authenticates the identity authentication response message, the primary end obtains the identity authentication response message.
  • the first slave identity information is extracted by parsing the identity authentication response message, and the first slave identity information is the first slave identity information generated by the slave according to the password information of the slave, the port information of the slave, and the random number.
  • the primary end compares the first slave identity information obtained by the parsing with the second slave identity information stored locally, that is, determines the second slave identity information saved locally and the first identity obtained by parsing the identity authentication response message. Whether the binary number of the slave identity information is consistent. If the inconsistency, the primary state machine continues to maintain the verification request state, and the identity verification is unsuccessful, the primary end restarts a new round of identity verification process.
  • the primary state machine enters the verification success state, the authentication is successful, that is, the authentication process is completed, and then the primary state machine enters the other modules such as the secret key delivery module and the lossless switching module in the OTN encrypted transmission system.
  • the primary end and the secondary end detect the alarm status of the OTN encrypted transmission system in real time: if it detects that the encrypted path is from invalid to normal, restarts the authentication process, so that the identity verification is performed after the link is restored to normal, and the authentication is improved. reliability. If it is detected that the encryption path is normal to invalid, the link is disconnected and the authentication process needs to be restarted.
  • the primary end actively initiates the identity verification, obtains the random number and constructs the identity verification request message, and sends the message to the slave end.
  • the resolving the authentication request message acquires the random number, and generates the first slave identity information according to the password information of the slave end, the port information of the slave end, and the random number.
  • the slave then constructs an identity authentication response message based on the slave identity information and sends it to the master.
  • the primary end After receiving the identity authentication response message and verifying the validity, the primary end resolves the identity authentication response message to obtain the first slave identity information, and compares the locally stored second slave identity information with the parsed first slave identity information to determine Whether the authentication was successful.
  • the method further comprises: transmitting and receiving messages according to the dynamically configured configurable overhead bytes according to the primary end and the slave end set in the optical transport network, and verifying the identity information generated by the hash algorithm and the random number algorithm, thereby greatly Increased security and reliability of identity verification.
  • the identity verification apparatus of the optical transport network in the embodiment further includes:
  • the processing module 400 is configured to resend the identity verification request message to the slave end when the identity authentication response message fed back by the slave end for the identity verification request message is not received within the first preset time, and the number of authentication request failures After the preset number of times is reached, the identity verification request message is retransmitted after the second preset time or the presence of the light input.
  • the primary end When the primary end sends an authentication request message to the secondary end, the counter built in the primary end starts counting, and the primary calling processing module 400 determines, according to the timing of the counter, whether the identity authentication response message fed back by the secondary end for the identity verification request message is received. If the first authentication time is not received, the current authentication request fails, and the current counter value is cleared, and the current failure number is accumulated. Continue to send an authentication request message.
  • the first preset time can be flexibly set according to specific situations. It can be understood that, due to the retransmitted authentication request message, the random number is recalculated by the hash algorithm and the random algorithm according to the reacquisition of the local time stamp information, and the new authentication request message is reconstructed by the new random number. Therefore, the random number contained in the authentication request message sent each time is different.
  • the primary end callable processing module 400 may fail to accumulate the number of authentication requests. After the number of times, the sending of the authentication request message is stopped and the number of failures is cleared.
  • the preset number of times can be set to 5 times, or can be set according to actual needs.
  • the primary end sends an identity verification request message to the secondary end, or after the service is restored, that is, after the optical input exists, the primary end resends the identity verification request message to the secondary end.
  • the second preset time can be flexibly set according to specific situations.
  • a third embodiment of the identity verification apparatus of the optical transport network of the present invention is proposed.
  • the identity verification apparatus of the optical transport network in the embodiment further includes:
  • the determining module 500 is configured to determine the primary end and the secondary end according to the auto-negotiation algorithm or the receiving network management protocol configuration command, where the primary end and the secondary end respectively receive the network management
  • the authentication link configuration information includes password information of the primary end, password information of the secondary end, port information of the primary end, and port information of the secondary end.
  • the determining module 500 needs to determine the primary end and the secondary end of the two symmetric service boards forming the link.
  • one of the two service boards is set to be the master and the other is set as the slave.
  • the master actively initiates an authentication request to the slave to verify the validity of the identity information.
  • the development is extended on the basis of the existing hardware, and the central controller is not required to be erected, thereby greatly saving the cost.
  • the master and the slave are set to verify the identity information, and the identity information is verified by the central controller in the traditional identity verification mechanism with respect to the symmetry, thereby improving the security of the identity verification.
  • the method for confirming the primary end and the secondary end may include: mode 1, the two symmetric service boards determine the primary end and the secondary end by using a self-negotiating algorithm, that is, in the process of sending and receiving messages between the two symmetric service boards,
  • the negotiation algorithm calculates the size of the two symmetric service boards based on the parameters such as the IP address, the slot number, and the port number. The large one is designated as the primary end and the small one is designated as the secondary end.
  • the master and the slave are configured by the network management protocol, that is, the network management device sends the protocol packet, and the protocol packet includes the information of the two symmetric service boards as the master end and which is the slave end, thereby reporting according to the protocol.
  • the text specifies the primary and secondary.
  • the NMS sends the authentication link configuration information to the primary end and the secondary end, so that both the primary end and the secondary end receive the authentication link configuration information and store the information.
  • the authentication link information is mainly used to generate the identity information of the master or the slave, and the identity information is the key to the success of the subsequent identity verification.
  • the authentication link configuration information may include: password information of the primary end, password information of the secondary end, port information of the primary end, port information of the secondary end, a key material update period of the primary end, and an update mode.
  • the port information can be the IP address of the NE, the slot number, and so on.
  • the password information and port information can be numbers or characters, etc., and will be converted to binary numbers when generating random numbers through the hash algorithm.
  • both the primary state machine and the secondary state machine are initialized to the initial value state. It can be understood that, in order to perform the corresponding function when the role is switched between the master and the slave, the master and the slave simultaneously receive the identity verification link configuration information including the information of the two ends. After the authentication link configuration is completed, the master can send an identity to the slave. Certificate request message.
  • a fourth embodiment of the identity verification apparatus of the optical transport network of the present invention is proposed.
  • the identity verification apparatus of the optical transport network in the embodiment further includes:
  • the saving module 600 is configured to save the second slave identity information according to the password information of the slave end, the port information of the slave end, and the random number.
  • the primary end can compare the first slave identity information obtained by the identity authentication response message sent from the terminal with the second slave identity information generated by itself, in this embodiment, the master The end calling save module 600 generates the second slave identity information according to the hash algorithm by using the acquired random number, the password information of the slave end, and the port information of the slave end, and saves the generated second slave identity information locally to During the verification process, the primary end authenticates the saved second slave identity information and the first slave identity information fed back from the slave.
  • the hash algorithm is consistent with the hash algorithm utilized by the slave end to generate the first slave identity information. Password information and port information can be flexibly set according to the specific situation.
  • the primary end constructs an identity verification request message according to the 32-byte binary random number obtained above.
  • a 4-byte header can be combined with a 32-byte random number to obtain an authentication request message.
  • the first byte of a byte header can indicate that its message type is an authentication request message.
  • the identity verification system of the optical transport network includes a primary end 10 and a secondary end 20, wherein
  • the primary end 10 is configured to acquire a random number constructing an authentication request message when the authentication is initiated, and send the authentication request message to the slave end;
  • the authentication method is a module in the OTN encryption transmission system.
  • the primary state machine enters the verification request state, and the primary state machine is mainly used for the timing of the primary terminal 10. Take control.
  • Master 10 passes the hash algorithm and random number The algorithm generates a random number to construct an authentication request message.
  • the master 10 is further configured to
  • the primary end 10 reads local timestamp information generated by the chip corresponding to the service board of the primary end 10, and imports the local timestamp information into a function composed of a hash algorithm and a random number algorithm to generate a random number.
  • the hash algorithm can be flexibly set according to a specific situation.
  • 10 bytes of local time stamp information can be obtained by using hash 256 to generate a 32-byte binary number, and then a 32-byte binary number can be passed.
  • the random number algorithm generates a 32-byte binary random number. It should be noted that the local time stamp information is incremented to ensure that the time stamp information obtained each time is different.
  • the hash algorithm and the random number algorithm are used to calculate the random number and construct the identity information, which has high security.
  • the primary end 10 and the secondary end 20 receive or send a message through a preset overhead byte
  • the preset overhead byte can be dynamically configured according to actual needs, that is, the interface address can be implemented according to different configuration interfaces.
  • the dynamic configuration of overhead bytes makes it difficult for the thief to track the overhead bytes for actual transmission, further increasing the security of authentication.
  • the primary end 10 sends an identity verification request message to the secondary end through the first preset overhead byte, and the primary state machine enters the sending state, and starts the counter built in the primary terminal 10 to start timing, so as to detect that the obtained secondary end is targeted to the The time when the authentication request message feeds back the identity authentication response message.
  • the primary end 10 uses the scheduling ODUk overhead byte 4 rows and 13 columns to send information by default, that is, the first preset overhead byte can be set to 4 rows and 13 columns. It should be noted that the first preset overhead byte can be dynamically configured according to actual needs.
  • the slave 20 Since the message received from the terminal 20 is passive, the slave 20 needs to detect to know if a message has been sent to receive the message in time.
  • the secondary terminal 20 polls the message sent by the detecting primary end 10 within a predefined period.
  • the predefined period can be set to 1 second, or it can be set according to actual needs.
  • the slave terminal 20 uses the scheduling ODUk overhead byte 4 rows and 13 columns to receive information by default, that is, the second preset overhead byte can be set to 4 rows and 13 columns. It should be noted that the second preset overhead byte can be dynamically configured according to actual needs.
  • the received authentication request message from the terminal 20 is verified according to the verification mechanism. Specifically, the first byte in the identity verification request message is extracted from the terminal 20 to determine its type, and the second is extracted. The byte is obtained by length, and then the length is compared with the length returned from the master chip of the terminal 20. If they are consistent, the identity verification request message is valid; if not, the invalidity is invalid, and the slave terminal 20 feeds back to the master 10 for failure. The information is such that the primary end 10 resends the authentication request message to the secondary 20 after receiving the failure status information fed back from the terminal 20.
  • the terminal 20 After verifying that the authentication request message is valid, the terminal 20 obtains the content of the authentication request message, and obtains a random number by parsing the identity verification request message, where the random number is an identity verification request message constructed by the primary terminal 10 according to the random number. . Then, the slave terminal 20 generates the first slave identity information by using a hash algorithm according to the password information of the slave terminal 20, the port information of the slave terminal 20, and the parsed random number, and the first slave identity information is a binary number.
  • the slave 20 constructs an identity authentication response message according to the first slave identity information, and sends the identity authentication response message to the master 10, and the master 10 receives the identity authentication response message.
  • the identity authentication response message is constructed by using the first slave identity information, for example, a 4-byte header and a 32-byte first slave can be configured.
  • the identity information is combined to obtain an identity authentication response message, and the first byte of the 4-byte header can indicate that the message type is an identity authentication response message.
  • the identity authentication response message is sent from the terminal 20 to the master terminal 10 through the third preset overhead byte.
  • the slave terminal uses the scheduling ODUk overhead byte 4 rows and 14 columns to send information by default, that is, the third preset overhead byte can be used. Set to 4 rows and 14 columns. It should be noted that the third preset overhead byte can be dynamically configured. After the identity authentication response message is sent from the terminal 20, the slave state machine is modified to the transmission state.
  • the primary end 10 is configured to parse the identity authentication response message to obtain the first slave identity information, and determine whether the identity verification is successful according to the first slave identity information and the saved second slave identity information.
  • the primary end 10 polls and detects the message sent from the secondary end within a preset period.
  • the preset period may be set to 1 second, or may be set according to actual needs.
  • the primary end 10 uses the scheduling ODUk overhead byte 4 rows and 14 columns to receive information by default, that is, the fourth preset overhead byte can be set to 4 rows and 14 columns.
  • the fourth preset overhead byte can be dynamically configured according to actual needs. If the master 10 has not received the identity authentication response message after the counter built in the master 10 exceeds the preset time, the master 10 resends the identity verification request message to the slave 20.
  • the primary end 10 verifies the received identity authentication response message according to the verification mechanism. Specifically, the primary end 10 extracts the first byte in the identity authentication response message to determine its type, and extracts the second The byte is obtained by length, and then the length is compared with the length returned by the master chip of the master 10. If they are consistent, the identity verification request message is valid, and the master state machine enters the response state; if not, it is invalid.
  • the master terminal 10 After verifying that the identity authentication response message is valid, the master terminal 10 obtains the content of the identity authentication response message, and extracts the first slave identity information by parsing the identity authentication response message, where the first slave identity information is the slave terminal according to the slave terminal 20 The password information, the port information of the terminal 20, and the first slave identity information generated by the random number. Then, the primary end 10 compares the parsed first slave identity information with the second slave identity information stored locally, that is, determines the second slave identity information saved locally and the identifier obtained by parsing the identity authentication response message. Whether the binary number of a slave identity information is consistent. If the inconsistency, the primary state machine continues to maintain the verification request state, and the identity verification is unsuccessful, the primary terminal 10 restarts a new round of identity verification process.
  • the primary state machine enters the verification success state, the authentication is successful, that is, the authentication process is completed, and then the primary state machine enters the other modules such as the secret key delivery module and the lossless switching module in the OTN encrypted transmission system.
  • the primary end 10 and the secondary end 20 detect the alarm status of the OTN encrypted transmission system in real time: If the encryption path is detected from failure to normal, the authentication process is restarted, so that the identity verification is performed after the link is restored to improve the reliability of the authentication. If the encrypted path is detected from normal to invalid, the link is disconnected and the restart authentication process needs to be restarted.
  • the primary end 10 after determining the primary end 10 and the secondary end 20 of the two symmetric service boards, the primary end 10 actively initiates identity verification, obtains a random number configuration identity verification request message, and sends the message to the secondary end 20.
  • the resolving the authentication request message After receiving the authentication request message from the terminal 20 and verifying the validity, the resolving the authentication request message acquires the random number, and generates the first slave identity information according to the password information of the slave terminal 20, the port information of the slave terminal 20, and the random number.
  • the slave 20 then sends an identity authentication response message based on the slave identity information and sends it to the master 10.
  • the resolving the identity authentication response message acquires the first slave identity information, and compares the locally stored second slave identity information with the parsed first slave identity information. Determine if the authentication is successful. It is implemented that the primary end 10 and the secondary end 20 are configured to send or receive messages according to dynamically configured configurable overhead bytes in the optical transport network, and the identity information is constructed by using a hash algorithm and a random number algorithm to construct identity information. This greatly increases the security and reliability of identity verification.
  • the primary end 10 is further configured to: when the identity authentication response message fed back by the terminal 20 for the identity verification request message is not received within the first preset time, The authentication request message is resent to the slave 20, and after the number of failed authentication requests reaches a preset number of times, the identity verification request message is retransmitted after the second preset time or the presence of the optical input.
  • the master terminal 10 When the master terminal 10 sends an identity verification request message to the slave terminal 20, the counter built in the master terminal 10 starts counting, and the master terminal 10 determines that the slave terminal 20 receives the identity authentication response message fed back by the terminal 20 for the identity verification request message according to the timer time of the counter. If the first preset time is exceeded, if the identity authentication response message is not received within the first preset time, it indicates that the current authentication request fails, and the current counter value of the counter is cleared, and the current failure number is accumulated. , continue to send an authentication request message.
  • the first preset time can be flexibly set according to specific situations. It can be understood that the re-acquisition of the local timestamp information is based on the re-acquisition of the authentication request message.
  • the random number is recalculated by the hash algorithm and the random algorithm, and the new authentication request message is reconstructed by the new random number. Therefore, the random number included in the identity verification request message sent each time is different.
  • the primary terminal 10 may reach the pre-acquisition number of failed authentication requests. After the number of times, the sending of the authentication request message is stopped and the number of failures is cleared.
  • the preset number of times can be set to 5 times, or can be set according to actual needs.
  • the primary terminal 10 sends an identity verification request message to the secondary terminal 20 again, or after the service is restored, that is, after the optical input exists, the primary terminal 10 resends the identity verification request message to the secondary terminal 20.
  • the second preset time can be flexibly set according to specific situations.
  • the identity verification system of the optical transport network further includes: the two symmetric service boards determine the primary end 10 and the secondary end 20 according to the auto-negotiation algorithm or the receiving network management protocol configuration instruction;
  • the primary end 10 is further configured to receive the authentication link configuration information delivered by the network management, where the authentication link configuration information includes the password information of the primary end 10, the password information of the secondary end 20, and the port information of the primary end 10. And port information from the terminal 20;
  • the slave terminal 20 is further configured to receive the authentication link configuration information sent by the network management, where the identity verification link configuration information includes password information of the master terminal 10, password information of the slave terminal 20, and port information of the master terminal 10. And the port information from the terminal 20.
  • the primary end 10 and the secondary end 20 need to be determined for the two symmetric service boards forming the link before the identity verification is performed.
  • the two service boards are set to be the primary end 10 and the other service boards are set to the secondary end 20.
  • the master 10 then actively initiates an authentication request to the slave 20 to verify the validity of the identity information.
  • the development is extended on the basis of the existing hardware, and the central controller is not required to be erected, thereby greatly saving the cost.
  • the master terminal 10 and the slave terminal 20 are configured to verify the identity information, and the identity information is verified by each controller in the traditional identity verification mechanism with respect to the symmetry, thereby improving the security of the identity verification.
  • the manner of confirming the primary end 10 and the secondary end 20 may include: mode 1, the two symmetric service boards determine the primary end 10 and the secondary end 20 by using a self-negotiation algorithm, that is, the two symmetric service boards send and receive messages to each other. In the process, the size of the two symmetric service boards is calculated based on the parameters such as the IP address, the slot number, and the port number. The large one is designated as the primary end 10 and the small one is designated as the secondary end 20.
  • the master end 10 and the slave end 20 are configured by the network management protocol, that is, the protocol packet is sent by the network management system, and the protocol packet includes one of the two symmetric service boards as the master end 10 and which is the slave end 20 information.
  • the primary end 10 and the secondary end 20 are specified according to the protocol message.
  • the network management sends the authentication link configuration information to the primary end 10 and the secondary end 20, so that both the primary end 10 and the secondary end 20 receive the authentication link configuration information and store the information.
  • the authentication link information is mainly used to generate the identity information of the primary terminal 10 or the secondary terminal 20.
  • the identity information is the key to the success of subsequent authentication.
  • the authentication link configuration information may include: password information of the primary terminal 10, password information of the secondary terminal 20, port information of the primary terminal 10, port information of the secondary terminal 20, a key material update period of the primary terminal 10, and an update mode.
  • the port information can be the IP address of the NE, the slot number, and so on.
  • the password information and port information can be numbers or characters, etc., and will be converted to binary numbers when generating random numbers through the hash algorithm.
  • both the primary state machine and the secondary state machine are initialized to the initial value state. It can be understood that, in order to complete the corresponding function when the role is switched between the master 10 and the slave 20, the master 10 and the slave 20 simultaneously receive the authentication link configuration information including the information of the two ends. . After completing the authentication link configuration, the master 10 can send an authentication request message to the slave 20.
  • the primary end 10 is further configured to save the second slave identity information according to the password information of the slave terminal 20, the port information of the slave terminal 20, and the random number. .
  • the primary end 10 can compare the first secondary identity information obtained by the identity authentication response message sent from the terminal 20 with the second secondary identity information generated by itself.
  • the master 10 generates the first slave identity letter according to the hash algorithm by using the acquired random number, the password information of the slave 20, and the port information of the slave 20 according to the hash algorithm. And storing the generated first slave identity information locally, so that in the process of the identity verification, the master 10 verifies the saved first slave identity information and the second slave identity information fed back from the slave. Password information and port information can be flexibly set according to the specific situation.
  • the primary end 10 constructs an identity verification request message according to the 32-byte binary random number obtained above. For example, a 4-byte header can be combined with a 32-byte random number to obtain an authentication request message. The first byte of the 4-byte header can indicate that its message type is an authentication request message.
  • Embodiments of the present invention also provide a storage medium.
  • the foregoing storage medium may be configured to store program code for performing the following steps:
  • S3 Parsing the identity authentication response message to obtain the first slave identity information, and determining whether the identity verification is successful according to the first slave identity information and the saved second slave identity information.
  • the foregoing storage medium may include, but not limited to, a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a mobile hard disk, and a magnetic memory.
  • ROM Read-Only Memory
  • RAM Random Access Memory
  • a mobile hard disk e.g., a hard disk
  • magnetic memory e.g., a hard disk
  • modules or steps of the present invention described above can be implemented by a general-purpose computing device that can be centralized on a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented by program code executable by the computing device such that they may be stored in the storage device by the computing device and, in some cases, may be different from the order herein. Execution shown or described The steps are either made into individual integrated circuit modules, or a plurality of modules or steps are made into a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.
  • the primary end initiates the identity verification, and obtains the random number to construct the identity verification request message, and then sends the message to the slave end.
  • the constructive identity authentication response message is sent to the primary end.
  • the primary end resolves the identity authentication response message to obtain the first slave identity information, and compares the first slave identity information with the saved second slave identity information to determine whether the identity verification is successful.
  • the message is transmitted or received according to the primary end and the secondary end set in the optical transport network, and the identity information generated by the random number is verified, thereby improving the security and reliability of the identity verification in the optical transport network.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

L'invention concerne un procédé d'authentification d'identité pour un réseau de transport optique. Le procédé consiste : lorsqu'une authentification d'identité est démarrée, à acquérir un nombre aléatoire pour construire un message de requête d'authentification d'identité, et à envoyer le message de requête d'authentification d'identité à un côté esclave ; à recevoir un message de réponse d'authentification d'identité renvoyé par le côté esclave ; et à analyser le message de réponse d'authentification d'identité, à acquérir des premières informations d'identité de côté esclave, et à déterminer si l'authentification d'identité réussit ou non selon les premières informations d'identité de côté esclave et des secondes informations d'identité de côté esclave sauvegardées. L'invention concerne également un dispositif et un système d'authentification d'identité pour le réseau de transport optique. La présente invention augmente la sécurité et la fiabilité de l'authentification d'identité dans le réseau de transport optique.
PCT/CN2016/095962 2015-08-20 2016-08-19 Procédé, dispositif et système d'authentification d'identité destinés à un réseau de transport optique WO2017028807A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510516255.8 2015-08-20
CN201510516255.8A CN106470198B (zh) 2015-08-20 2015-08-20 光传送网的身份验证方法、装置及系统

Publications (1)

Publication Number Publication Date
WO2017028807A1 true WO2017028807A1 (fr) 2017-02-23

Family

ID=58051995

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/095962 WO2017028807A1 (fr) 2015-08-20 2016-08-19 Procédé, dispositif et système d'authentification d'identité destinés à un réseau de transport optique

Country Status (2)

Country Link
CN (1) CN106470198B (fr)
WO (1) WO2017028807A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103210606A (zh) * 2010-04-22 2013-07-17 华为技术有限公司 用于验证光网络单元的无线备份系统的方法
CN103475475A (zh) * 2003-11-21 2013-12-25 菲尼萨公司 具认证控制器的收发器
CN104219222A (zh) * 2013-06-04 2014-12-17 阿尔特拉公司 交换路径网络中用于中间消息认证的系统和方法

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005057447A1 (fr) * 2003-12-09 2005-06-23 Matsushita Electric Industrial Co., Ltd. Systeme d'authentification, dispositif d'authentification et support d'enregistrement
CN103905437B (zh) * 2014-03-22 2017-02-22 哈尔滨工程大学 一种基于口令的远程认证协议方法

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103475475A (zh) * 2003-11-21 2013-12-25 菲尼萨公司 具认证控制器的收发器
CN103210606A (zh) * 2010-04-22 2013-07-17 华为技术有限公司 用于验证光网络单元的无线备份系统的方法
CN104219222A (zh) * 2013-06-04 2014-12-17 阿尔特拉公司 交换路径网络中用于中间消息认证的系统和方法

Also Published As

Publication number Publication date
CN106470198B (zh) 2021-02-23
CN106470198A (zh) 2017-03-01

Similar Documents

Publication Publication Date Title
US11177967B2 (en) Template based credential provisioning
KR101243073B1 (ko) 단말기 구성 및 관리를 위한 방법 및 단말기 장치
US11101978B2 (en) Establishing and managing identities for constrained devices
US20160105410A1 (en) OMA DM Based Terminal Authentication Method, Terminal and Server
CN113099443B (zh) 设备认证方法、装置、设备和系统
US20140298037A1 (en) Method, apparatus, and system for securely transmitting data
CN108134713B (zh) 一种通信方法及装置
US9154503B2 (en) Authorization method and terminal device
JP2011504261A (ja) 認証方法、システム、サーバ、およびクライアント
WO2010135936A1 (fr) Procédé et appareil d'authentification dans un réseau optique passif et réseau optique passif associé
CN112105021B (zh) 一种认证方法、装置及系统
CN104836784A (zh) 一种信息处理方法、客户端和服务器
WO2011127731A1 (fr) Procédé et système d'activation de référencement pour une unité de réseau optique
WO2012024851A1 (fr) Procédé et système de traitement pour démarrage par liaison radio
Pratas et al. Massive machine-type communication (mMTC) access with integrated authentication
CN114205139A (zh) 算力资源管理方法、节点、系统和存储介质
WO2017005163A1 (fr) Dispositif d'authentification de sécurité en fonction d'une communication sans fil
CN111831974A (zh) 接口保护方法、装置、电子设备及存储介质
CN105407102B (zh) http请求数据可靠性验证方法
US20140044260A1 (en) Communication apparatus, communication method, computer-readable medium, and communication system
US9065692B2 (en) Information notification apparatus, method, and program product
CN107750470B (zh) 替换用于认证安全元件的至少一个认证参数的方法和相应的安全元件
CN109962781A (zh) 一种数字证书分发装置
CN110545253B (zh) 一种信息处理方法、装置、设备及计算机可读存储介质
WO2016086356A1 (fr) Procédé d'authentification dans un réseau de communication sans fil, appareil associé et système

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16836671

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16836671

Country of ref document: EP

Kind code of ref document: A1