CN101764693A - Authentication method, system, client and network equipment - Google Patents


Info

Publication number: CN101764693A
Authority: CN (China)
Prior art keywords: client, key, message, data, authentication
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN200910259730A
Other languages: Chinese (zh)
Other versions: CN101764693B (en)
Inventor: 孙伟
Current Assignee: Ruijie Networks Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Fujian Star Net Communication Co Ltd
Application filed by: Fujian Star Net Communication Co Ltd
Priority to: CN2009102597302A
Publication of CN101764693A; application granted; publication of CN101764693B
Current legal status: Expired - Fee Related
Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract

The invention discloses an authentication method, a system, a client and a network device. The authentication method comprises: when it is determined that a re-authentication message generated and sent by the client has been received within a set valid time, decrypting the encrypted data carried in that message according to a pre-generated first shared peer key corresponding to the client, obtaining decrypted data, where the encrypted data was generated by the client by encrypting authentication data according to a pre-generated second shared peer key that is identical to the first shared peer key; and determining whether the decrypted data matches comparison data, re-authentication succeeding if it does. In the technical solution of the embodiments the authentication server is not needed during re-authentication of the client, which reduces the load on the authentication server.

Description

Authentication method, system, client and network device
Technical field
The embodiments of the invention relate to the field of authentication techniques, and in particular to an authentication method, system, client and network device.
Background art
At present, broadband access networks usually control client network access according to the 802.1x protocol. An 802.1x-based authentication system comprises a client, a network device and an authentication server. The client acts as the supplicant in the authentication process and may be installed on the user's PC; the authentication server may reside at the operator's accounting and authentication/authorization centre; the network device acts as the authenticator. Between the client and the network device runs the Extensible Authentication Protocol over LAN (EAPOL) defined by 802.1x; between the network device and the authentication server runs the Remote Authentication Dial In User Service (RADIUS) protocol. When a client accesses the network, the network device authenticates it through the authentication server; if authentication succeeds the client is allowed onto the network and can then access network resources. Under the client re-authentication mechanism specified in 802.1x, the network device may also re-authenticate the client after it has joined the network, in order to learn whether the client is still online.
To avoid the situation in which the network device cannot detect in time that a client has gone offline after an abnormal disconnection, the prior art usually re-authenticates the client periodically: the network device periodically sends a re-authentication request to the client, the client returns a response after receiving it, and the network device authenticates the client through the authentication server, which completes the re-authentication.
However, in the prior art every re-authentication of a client requires the participation of the authentication server, which places an excessive load on that server.
Summary of the invention
The embodiments of the invention provide an authentication method, system, client and network device in order to reduce the load on the authentication server.
An embodiment of the invention provides an authentication method comprising:
when it is determined that a re-authentication message generated and sent by the client has been received within the set valid time, decrypting the encrypted data carried in that message according to a pre-generated first shared peer key corresponding to the client, obtaining decrypted data; the encrypted data was generated by the client by encrypting authentication data according to a pre-generated second shared peer key, and the first shared peer key and the second shared peer key are identical;
determining whether the decrypted data matches comparison data; if so, re-authentication succeeds.
An embodiment of the invention provides a network device comprising:
a first receiving module, used to receive the re-authentication message generated and sent by the client, the message carrying encrypted data that the client generated by encrypting authentication data according to a pre-generated second shared peer key;
a first judging module, used to determine whether the first receiving module received the re-authentication message within the set valid time;
a decryption module, used, when the first judging module determines that the re-authentication message was received within the set valid time, to decrypt the encrypted data according to a pre-generated first shared peer key corresponding to the client, obtaining decrypted data, the first shared peer key being identical to the second shared peer key;
a second judging module, used to determine whether the decrypted data matches comparison data, re-authentication succeeding when it does.
An embodiment of the invention provides a client comprising:
a fourth generating module, used to encrypt authentication data according to a pre-generated second shared peer key to produce encrypted data, and to generate a re-authentication message carrying that encrypted data;
a second sending module, used to send the re-authentication message to the network device, so that
the network device, on receiving the re-authentication message within the set valid time, decrypts the encrypted data according to a pre-generated first shared peer key corresponding to the client, obtains decrypted data, determines whether the decrypted data matches comparison data, and treats re-authentication as successful when it does; the first shared peer key is identical to the second shared peer key.
An embodiment of the invention provides an authentication system comprising a client and a network device:
the client is used to encrypt authentication data according to a pre-generated second shared peer key to produce encrypted data, and to generate and send to the network device a re-authentication message carrying that encrypted data;
the network device is used to determine that the re-authentication message generated and sent by the client has been received within the set valid time, to decrypt the encrypted data according to a pre-generated first shared peer key corresponding to the client to obtain decrypted data, to determine whether the decrypted data matches comparison data, and to treat re-authentication as successful when it does; the first shared peer key is identical to the second shared peer key.
In the technical solution of the embodiments, the network device receives within the valid time a re-authentication message sent by the client that carries encrypted data, which the client generated by encrypting authentication data according to the second shared peer key; the network device decrypts the encrypted data according to the first shared peer key, which is identical to the second, to obtain decrypted data, and when the decrypted data matches the comparison data re-authentication succeeds and the re-authentication of the client is complete. The authentication server does not take part in re-authentication, so its load is reduced.
Description of drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. The drawings described below evidently show only some embodiments of the invention; persons of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an authentication method provided by embodiment one of the invention;
Fig. 2a is a flow chart of an authentication method provided by embodiment two of the invention;
Fig. 2b is a flow chart of the process in which the network device authenticates the client through the authentication server in an embodiment of the invention;
Fig. 3 is a flow chart of an authentication method provided by embodiment three of the invention;
Fig. 4 is a flow chart of an authentication method provided by embodiment four of the invention;
Fig. 5 is a structural diagram of a network device provided by embodiment five of the invention;
Fig. 6 is a structural diagram of a network device provided by embodiment six of the invention;
Fig. 7 is a structural diagram of a client provided by embodiment seven of the invention;
Fig. 8 is a structural diagram of a client provided by embodiment eight of the invention;
Fig. 9 is a structural diagram of an authentication system provided by embodiment nine of the invention.
Embodiment
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described below clearly and completely with reference to the drawings. The described embodiments are evidently only some of the embodiments of the invention, not all of them. All other embodiments that persons of ordinary skill in the art obtain from these without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flow chart of an authentication method provided by embodiment one of the invention. As shown in Fig. 1, the method comprises:
Step 101: when it is determined that a re-authentication message generated and sent by the client has been received within the set valid time, decrypt the encrypted data carried in that message according to the pre-generated first shared peer key corresponding to the client, obtaining decrypted data. The encrypted data was generated by the client by encrypting authentication data according to the second shared peer key the client generated in advance; the first shared peer key and the second shared peer key are identical.
In this embodiment the re-authentication message may be an active hello message and the authentication data may include a motherboard serial number digest; in that case the client generates the encrypted data by encrypting the motherboard serial number digest according to the pre-generated second shared peer key.
Further, the authentication data may also include a timestamp, in which case the client generates the encrypted data by encrypting the motherboard serial number digest together with the timestamp according to the pre-generated second shared peer key.
In this embodiment, when the steps are carried out by the network device, the first shared peer key corresponding to the client is generated in advance by the network device, and it is identical to the second shared peer key that the client generated in advance in step 101.
In this embodiment, when the authentication data includes the motherboard serial number digest, the decrypted data includes the motherboard serial number digest recovered by decryption; when the authentication data includes the motherboard serial number digest and a timestamp, the decrypted data includes the recovered digest and the recovered timestamp.
Step 102: determine whether the decrypted data matches the comparison data; if so, re-authentication succeeds.
In this embodiment, when the decrypted data matches the comparison data, re-authentication of the client has succeeded and the re-authentication process for the client is complete.
In this embodiment, when the authentication data includes the motherboard serial number digest, the comparison data may include a motherboard serial number digest obtained in advance; for example, the digest may be obtained from the Key-Exchange Request message the client used while generating the shared peer key during its authentication through the authentication server.
In this embodiment, when the authentication data also includes a timestamp, the comparison data also includes the timestamp carried in the re-authentication message, the re-authentication message being an active hello message.
In the technical solution of this embodiment, a re-authentication message carrying encrypted data is received from the client within the valid time; the client generated the encrypted data by encrypting authentication data according to the second shared peer key; the encrypted data is decrypted according to the first shared peer key, which is identical to the second, to obtain decrypted data; and when the decrypted data matches the comparison data, re-authentication succeeds and the re-authentication of the client is complete. The authentication server does not take part in re-authentication, so its load is reduced.
Fig. 2a is a flow chart of an authentication method provided by embodiment two of the invention. As shown in Fig. 2a, the method comprises:
Step 201: the network device authenticates the client through the authentication server; during this authentication the network device generates the first shared peer key and the client generates the second shared peer key.
Fig. 2b is a flow chart of the process in which the network device authenticates the client through the authentication server in this embodiment. As shown in Fig. 2b, step 201 specifically comprises:
Step 2011: the client sends an EAPOL-Start message to the network device.
The client sends EAPOL-Start to request authentication and thereby initiate the authentication process.
Step 2012: after receiving EAPOL-Start, the network device sends an Extensible Authentication Protocol (EAP) Request (EAP-Request) message to the client, asking for the client's user name.
The user name may also be called the user ID.
Step 2013: the client sends an EAP-Response message to the network device; the EAP-Response carries the client's user name.
After receiving the EAP-Request, the client encapsulates its user name in the EAP-Response message and sends that message to the network device.
Step 2014: the network device sends a RADIUS Access-Request message to the authentication server; the Access-Request carries the EAP-Response message.
After receiving the EAP-Response, the network device encapsulates it in the RADIUS Access-Request. The network device may also encapsulate information such as the Network Access Server IP address (NAS IP) and Network Access Server port (NAS Port) in the Access-Request, in which case the Access-Request sent in this step also carries NAS IP, NAS Port and similar information.
Step 2015: the authentication server extracts the user name from the EAP-Response carried in the RADIUS Access-Request. If the user name is found in the database, the server extracts the user password corresponding to that user name and uses it to encrypt a randomly generated challenge, producing a first ciphertext.
In this embodiment the randomly generated challenge may be a Message-Digest Algorithm 5 (MD5) value.
In this embodiment, if the user name is not found in the database, the RADIUS Access-Request is simply discarded and the process ends.
Step 2016: the authentication server sends a RADIUS Access-Challenge message to the network device; the Access-Challenge carries an EAP-Challenge Request message, which carries the randomly generated challenge.
In this step the authentication server first encapsulates the random challenge in the EAP-Challenge Request, then encapsulates the EAP-Challenge Request in the EAP-Message attribute of the RADIUS Access-Challenge.
Step 2017: the network device extracts the EAP-Challenge Request from the RADIUS Access-Challenge and sends it to the client.
Step 2018: the client extracts the random challenge from the EAP-Challenge Request, encrypts it with the user password to produce a second ciphertext, and encapsulates the second ciphertext in an EAP-Challenge Response message.
Step 2019: the client turns on a configured authentication-search switch, generates a group ID (Group-ID) and a safe prime (Safe-Prime), and generates a first public key (Exchange-Key-C) from Group-ID and Safe-Prime; it also reads the motherboard serial ID (Motherboard serial ID) and generates a motherboard serial number digest (Motherboard serial ID MD5) from it.
In this embodiment an authentication-search switch may be configured; when the switch is on, the client begins the process of step 2019.
Motherboard serial ID MD5 may be generated from Motherboard serial ID by running the MD5 algorithm over Motherboard serial ID.
Step 2020: the client encapsulates Group-ID, Safe-Prime, Exchange-Key-C and Motherboard serial ID MD5 in a Key-Exchange Request message.
Step 2021: the client encapsulates the Key-Exchange Request in the EAP-Challenge Response message.
Specifically, the client may append the Key-Exchange Request to the tail of the EAP-Challenge Response.
In this embodiment the EAP-Challenge Response carrying the Key-Exchange Request is laid out as follows:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                            Src MAC                            |
    +                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                               |                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
    |                            Dst MAC                            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Type (0x888e)         |   Ver (0x01)  |  Type (0x00)  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |            Length             |  Code (0x02)  |      ID       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |            Length             |     Type      |  Value-Size   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    -                                                               -
    -                             Value                             -
    -                                                               -
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    -                                                               -
    -                          Extra Data                           -
    -                                                               -
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    -                                                               -
    -                           Group-ID                            -
    -                                                               -
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    |                          Safe-Prime                           |
    |                                                               |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    |                        Exchange-Key-C                         |
    |                                                               |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    |                   Motherboard serial ID MD5                   |
    |                                                               |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
In this embodiment, Group-ID is a large integer declared by the client; it can serve as a global variable of the D-H key exchange announced to the network device, it is a primitive root of Safe-Prime, and it may be set to 16 bytes. Safe-Prime is a prime declared by the client; it can serve as a global variable of the D-H key exchange announced to the network device and may be set to 16 bytes. The generated Motherboard serial ID MD5 may be set to 16 bytes.
In this embodiment, generating Exchange-Key-C from Group-ID and Safe-Prime specifically means: generate a first private random number Key_C (0 <= Key_C <= Safe-Prime) at random, then compute Exchange-Key-C = Group-ID^Key_C mod Safe-Prime from Key_C, Group-ID and Safe-Prime.
Step 2022: the client sends the EAP-Challenge Response, carrying the second ciphertext and the Key-Exchange Request, to the network device.
Step 2023: the network device extracts the Key-Exchange Request from the EAP-Challenge Response and sends the EAP-Challenge Response carrying the second ciphertext to the authentication server.
Step 2024: the authentication server extracts the second ciphertext from the EAP-Challenge Response; when it determines that the second ciphertext matches the first ciphertext generated in step 2015, it encapsulates an EAP-Success message in a RADIUS Access-Accept message.
In this embodiment, a match between the second ciphertext and the first ciphertext generated in step 2015 means that authentication has succeeded; specifically, the EAP-Success message may be encapsulated in an attribute of the RADIUS Access-Accept.
Further, when the second ciphertext does not match the first ciphertext generated in step 2015, authentication has failed: the server returns a RADIUS Access-Reject message to the network device, and on receiving it the network device keeps its port in the blocked state, refusing the client access to network resources through that port, and the process ends.
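The challenge/response of steps 2015, 2018 and 2024 in working code. This is an added example, not the patent's or the assignee's code. The page says the server and the client each "encrypt" the random challenge with the user's password and the server compares the two results, but it does not name the function; this example assumes the standard EAP-MD5 response of RFC 3748, MD5(Identifier || password || challenge), and compares the two values in constant time. The user database, password and EAP identifier are constructed sample data.

```python
"""EAP-MD5 style challenge/response for steps 2015, 2018 and 2024 (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample user database: step 2015 looks the user name up here.
USER_DB = {"alice": b"correct horse battery staple"}


def make_challenge(nbytes=16):
    """Step 2015: the randomly generated challenge (the page notes it may be an MD5-sized value)."""
    return secrets.token_bytes(nbytes)


def md5_challenge_response(eap_id, password, challenge):
    """Assumed form of 'encrypting the challenge with the password': RFC 3748 EAP-MD5,
    MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()


def server_first_ciphertext(user_name, eap_id, challenge):
    """Step 2015. Returns None when the user name is not in the database; the page says the
    Access-Request is then simply discarded."""
    password = USER_DB.get(user_name)
    if password is None:
        return None
    return md5_challenge_response(eap_id, password, challenge)


def client_second_ciphertext(eap_id, password, challenge):
    """Step 2018: the client applies its password to the challenge taken from EAP-Challenge Request."""
    return md5_challenge_response(eap_id, password, challenge)


def server_verify(first_ciphertext, second_ciphertext):
    """Step 2024: EAP-Success when the two ciphertexts agree, otherwise RADIUS Access-Reject.
    compare_digest avoids leaking how many leading bytes matched through timing."""
    if first_ciphertext is None:
        return "Access-Reject"
    if hmac.compare_digest(first_ciphertext, second_ciphertext):
        return "EAP-Success"
    return "Access-Reject"


if __name__ == "__main__":
    challenge = make_challenge()
    first = server_first_ciphertext("alice", 7, challenge)
    second = client_second_ciphertext(7, USER_DB["alice"], challenge)
    print(server_verify(first, second))
```

The server never sends the password or the first ciphertext to the client; only the challenge travels in the EAP-Challenge Request and only the second ciphertext comes back, as in steps 2016 to 2024.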
Step 2025: the authentication server sends the RADIUS Access-Accept, carrying the EAP-Success message, to the network device.
Step 2026: according to the received RADIUS Access-Accept, the network device sets the state of the port to authorized and extracts the EAP-Success message from the Access-Accept. It generates a second public key (Exchange-Key-S) from the Group-ID and Safe-Prime in the Key-Exchange Request extracted in step 2023, encapsulates Exchange-Key-S in a Key-Exchange Response message, and encapsulates the Key-Exchange Response in the EAP-Success message.
In this embodiment, generating Exchange-Key-S from the Group-ID and Safe-Prime in the Key-Exchange Request extracted in step 2023 specifically means: generate a second random number Key_S (0 <= Key_S <= Safe-Prime) at random, then compute Exchange-Key-S = Group-ID^Key_S mod Safe-Prime from Key_S, Group-ID and Safe-Prime.
In this embodiment the EAP-Success message carrying the Key-Exchange Response is laid out as follows:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                            Src MAC                            |
    +                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                               |                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
    |                            Dst MAC                            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Type (0x888e)         |   Ver (0x01)  |  Type (0x00)  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |            Length             |  Code (0x03)  |      ID       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |            Length             |                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
    -                                                               -
    -                             Data                              -
    -                                                               -
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    |                        Exchange-Key-S                         |
    |                                                               |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Encapsulating the Key-Exchange Response in the EAP-Success message may specifically mean appending the Key-Exchange Response to the tail of the EAP-Success message.
Step 2027: the network device generates the first shared peer key corresponding to the client from the second public key, the Exchange-Key-C in the Key-Exchange Request extracted in step 2023, and Safe-Prime.
Specifically, the network device may compute Key = Exchange-Key-S^Exchange-Key-C mod Safe-Prime from Exchange-Key-S, Exchange-Key-C and Safe-Prime to generate the first shared peer key (Key).
Step 2028: the network device sends the EAP-Success message, carrying the Key-Exchange Response, to the client.
Step 2029: the client extracts the Key-Exchange Response from the EAP-Success message and generates the second shared peer key (Key) from Exchange-Key-C, Safe-Prime and the Exchange-Key-S in the Key-Exchange Response.
Specifically, the client may compute Key = Exchange-Key-C^Exchange-Key-S mod Safe-Prime from Exchange-Key-C, Exchange-Key-S and Safe-Prime to generate the second shared peer key.
Because the network device generates the first shared peer key from Exchange-Key-C, Exchange-Key-S and Safe-Prime, the client generates the second shared peer key from Exchange-Key-C, Exchange-Key-S and Safe-Prime, and Exchange-Key-S^Exchange-Key-C mod Safe-Prime = Exchange-Key-C^Exchange-Key-S mod Safe-Prime, the first shared peer key generated by the network device in step 2027 is identical to the second shared peer key generated by the client in step 2029.
In this embodiment, after step 2019 has been executed the initial authentication process is complete, and during that initial authentication the client and the network device have generated the shared peer key.
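The key exchange of steps 2019 to 2029 carried at the tail of the EAP messages, as an added example; it is not the patent's or the assignee's code. Assumptions: every trailer field (Group-ID, Safe-Prime, Exchange-Key-C, Exchange-Key-S, Motherboard serial ID MD5) is 16 bytes big-endian, the EAP Length field covers only the EAP packet proper, so the receiver uses it to find where the appended Key-Exchange trailer starts, and the private exponents are drawn from [2, Safe-Prime - 2] (the page states 0 <= Key_C <= Safe-Prime). The page's rendering of the final formula reads as raising one exchanged public value to the other; this example uses the standard Diffie-Hellman form, in which each side raises the peer's public value to its own private exponent (Key_C or Key_S), which is what makes the keys of steps 2027 and 2029 agree. It also adds the check a receiver would want for the page's requirement that Group-ID is a primitive root of Safe-Prime. The Safe-Prime, Group-ID, EAP body and motherboard serial used in the test are constructed sample values.

```python
"""Diffie-Hellman key exchange appended to EAP messages, steps 2019 to 2029 (added example)."""
import hashlib
import secrets
import struct

FIELD = 16                      # assumed width in bytes of each trailer field
EAP_RESPONSE, EAP_SUCCESS = 0x02, 0x03


def is_primitive_root_of_safe_prime(g, p):
    """Page requirement: Group-ID is a primitive root of Safe-Prime. For a safe prime
    p = 2q + 1 the order of g divides 2q, so g generates the whole group iff
    g^2 != 1 and g^q != 1 (mod p). Assumes p really is a safe prime."""
    q = (p - 1) // 2
    return 1 < g < p and pow(g, 2, p) != 1 and pow(g, q, p) != 1


def i2b(n):
    return n.to_bytes(FIELD, "big")       # integer -> fixed-width big-endian field


def b2i(b):
    return int.from_bytes(b, "big")


def eap_with_trailer(code, ident, body, trailer):
    """EAP header (Code, ID, Length) + body, with the private trailer appended after Length bytes."""
    return struct.pack(">BBH", code, ident, 4 + len(body)) + body + trailer


def split_trailer(packet):
    """Steps 2023 and 2029: separate the EAP packet from the trailer via the EAP Length field."""
    _code, _ident, length = struct.unpack(">BBH", packet[:4])
    return packet[:length], packet[length:]


def client_key_exchange_request(group_id, safe_prime, key_c, motherboard_serial, eap_body):
    """Steps 2019 to 2021: build EAP-Challenge Response with the Key-Exchange Request at its tail."""
    mb_md5 = hashlib.md5(motherboard_serial).digest()          # Motherboard serial ID MD5
    exchange_key_c = pow(group_id, key_c, safe_prime)          # Exchange-Key-C = Group-ID^Key_C mod Safe-Prime
    trailer = i2b(group_id) + i2b(safe_prime) + i2b(exchange_key_c) + mb_md5
    return eap_with_trailer(EAP_RESPONSE, 1, eap_body, trailer), exchange_key_c


def device_handle_request(packet, key_s):
    """Steps 2023, 2026, 2027 on the network device."""
    eap_response, trailer = split_trailer(packet)
    group_id, safe_prime, exchange_key_c = (b2i(trailer[i * FIELD:(i + 1) * FIELD]) for i in range(3))
    mb_md5 = trailer[3 * FIELD:4 * FIELD]                       # kept as comparison data for later
    if not is_primitive_root_of_safe_prime(group_id, safe_prime):
        raise ValueError("Group-ID is not a primitive root of Safe-Prime")
    exchange_key_s = pow(group_id, key_s, safe_prime)          # Exchange-Key-S = Group-ID^Key_S mod Safe-Prime
    first_key = pow(exchange_key_c, key_s, safe_prime)         # first shared peer key (standard DH form)
    success = eap_with_trailer(EAP_SUCCESS, 1, b"", i2b(exchange_key_s))  # Key-Exchange Response at tail
    return eap_response, success, first_key, mb_md5


def client_handle_success(packet, key_c, safe_prime):
    """Step 2029 on the client: second shared peer key from Exchange-Key-S and Key_C."""
    _, trailer = split_trailer(packet)
    exchange_key_s = b2i(trailer[:FIELD])
    return pow(exchange_key_s, key_c, safe_prime)


def run_exchange(group_id, safe_prime, key_c=None, key_s=None, serial=b"CONSTRUCTED-SERIAL-0001"):
    """Whole exchange; returns (first_key, second_key, stored_md5). Exponents are random unless given."""
    key_c = key_c or 2 + secrets.randbelow(safe_prime - 3)
    key_s = key_s or 2 + secrets.randbelow(safe_prime - 3)
    # Constructed EAP-MD5 body (Type 4, Value-Size 16, zero Value) standing in for the second ciphertext.
    request, _ = client_key_exchange_request(group_id, safe_prime, key_c, serial, b"\x04\x10" + bytes(16))
    _, success, first_key, stored_md5 = device_handle_request(request, key_s)
    second_key = client_handle_success(success, key_c, safe_prime)
    return first_key, second_key, stored_md5


if __name__ == "__main__":
    print(run_exchange(5, 23))     # small constructed group (Safe-Prime 23, Group-ID 5) for illustration
```

The authentication server only ever sees the EAP-Challenge Response with the trailer removed (the first value returned by device_handle_request), which is why the server can stay out of the later re-authentication: the shared peer key exists only on the client and the network device.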
Step 202: the network device determines whether an active hello message generated and sent by the client has been received within the set valid time. The active hello carries a timestamp (Timestamp) and encrypted data, the encrypted data having been generated by the client by encrypting Motherboard serial ID MD5 and Timestamp according to the second shared peer key. If so, step 203 is executed; otherwise step 207 is executed.
In this embodiment, determining whether the message is received within the set valid time may specifically be done with a timer that indicates whether the valid time has been reached.
In this embodiment the client may generate an active hello at a configured interval and send it to the network device; the generated active hello may be laid out as follows:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |      Ver      |     Type      |            Length             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           Timestamp                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    +                                                               +
    |                                                               |
    +                          Ciphertext                           +
    |                                                               |
    +                                                               +
    |                                                               |
    +                                                               +
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    -                                                               -
    -                           User Name                           -
    -                                                               -
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The active hello message may be a privately defined message built on the EAPOL message format; its fields are: version (Ver), type (Type), length (Length), timestamp (Timestamp), encrypted data (Ciphertext) and user name (User Name).
Ver may be set to 0x01, the 802.1x authentication protocol version number.
Type may be set to the private type 0xc2, indicating that the message is an active hello message.
Length is the length of the message payload, that is, the length in bytes from the Ver field through the User Name field.
Timestamp is the timestamp; its length may be set to 4 bytes.
Ciphertext is the encrypted data; its length may be set to 20 bytes. In this embodiment the client generates this encrypted data by encrypting the Motherboard serial ID MD5 and the Timestamp with the second shared reciprocal key; specifically, the client may perform that encryption with the RC4 algorithm, keyed with the second shared reciprocal key.
User Name is the user name that identifies the client's user.
In this embodiment, because the timestamp differs each time an active hello message is generated, the encrypted data generated from the timestamp also differs each time.
Step 203: the network device decrypts the encrypted data in the hello message with the first shared reciprocal key corresponding to this client and obtains the Motherboard serial ID MD5 and the Timestamp;
Specifically, the network device may decrypt the encrypted data in the hello message with the RC4 algorithm, keyed with the first shared reciprocal key, to obtain the Motherboard serial ID MD5 and the Timestamp.
The network device may generate shared reciprocal keys corresponding to different clients. In this embodiment, the network device looks up the shared reciprocal key corresponding to this client among the shared reciprocal keys of the different clients. Specifically, the network device may use the user name carried in the active hello message to find the first shared reciprocal key corresponding to that user name among the shared reciprocal keys of the different clients; the first shared reciprocal key corresponding to that user name is the first shared reciprocal key corresponding to this client.
Step 204: the network device judges whether the Motherboard serial ID MD5 obtained by decryption matches the Motherboard serial ID MD5 in the key exchange request message extracted in step 2023, and whether the Timestamp obtained by decryption matches the Timestamp in the hello message. If both match, re-authentication succeeds and step 205 is executed; otherwise re-authentication fails and step 206 is executed;
That is, if the Motherboard serial ID MD5 obtained by decryption matches the Motherboard serial ID MD5 in the key exchange request message extracted in step 2023 and the Timestamp obtained by decryption matches the Timestamp in the hello message, step 205 is executed; if the Motherboard serial ID MD5 obtained by decryption does not match the Motherboard serial ID MD5 in the key exchange request message extracted in step 2023, and/or the Timestamp obtained by decryption does not match the Timestamp in the hello message, step 206 is executed;
Step 205: the network device resets the timer and continues with step 202;
In this embodiment, when the network device judges that the Motherboard serial ID MD5 obtained by decryption matches the Motherboard serial ID MD5 in the key exchange request message extracted in step 2023 and that the Timestamp obtained by decryption matches the Timestamp in the hello message, this re-authentication of the client has succeeded, and the timer is reset.
In this embodiment, resetting the timer means zeroing the timer and restarting the count.
Step 206: the network device discards this active hello message and continues with step 202;
Step 207: the network device deletes this client and the first shared reciprocal key corresponding to this client;
Further, in this embodiment, when the client goes offline on its own initiative it may send a logoff (Logoff) message to the network device, whereupon the network device deletes this client and the first shared reciprocal key corresponding to it.
In this embodiment, when the network device judges that no active hello message generated and sent by the client has been received within the configured effective time, the client is taken to have gone offline, and the network device deletes this client and the first shared reciprocal key corresponding to it.
In the technical solution of this embodiment, while the network device performs the authentication process of the client through the authentication server, the client generates the second shared reciprocal key from the second public key obtained from the network device, and the network device generates the first shared reciprocal key from the first public key obtained from the client; the first shared reciprocal key and the second shared reciprocal key are identical. During re-authentication of the client, the client encrypts the motherboard serial number digest and a timestamp with the second shared reciprocal key to generate encrypted data. When the network device receives, within the effective time, the active hello message containing the encrypted data sent by the client, it decrypts the encrypted data with the first shared reciprocal key to obtain the motherboard serial number digest and the timestamp, and judges whether the decrypted motherboard serial number digest matches the one in the key exchange request message and whether the decrypted timestamp matches the timestamp in the active hello message, thereby completing re-authentication of the client. Because the authentication server does not take part in re-authentication, its load is reduced. In this embodiment, because the timestamp differs each time the client generates an active hello message and the encrypted data generated from it therefore also differs, the re-authentication message the client sends to the network device differs each time; this effectively prevents the problem of another user impersonating an authenticated user, after that user has gone offline, by logging in on the client to access network resources, avoids loss to the authenticated user, and ensures the security of the network.
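The exchange described in this embodiment, as an added example that is not part of the patent: a toy Diffie-Hellman agreement giving both sides the same shared reciprocal key, the client's RC4 encryption of Motherboard serial ID MD5 plus Timestamp into the 20-byte Ciphertext field, and the network device's decrypt-and-compare check of steps 203 and 204. The safe prime 1019, generator 2, random numbers, serial number and user name are constructed; computing each shared key as the peer's public key raised to the own random number modulo Safe-Prime is the standard Diffie-Hellman construction and is assumed here, since the page states only that the two keys come out identical.

```python
import hashlib
import struct

# Message constants from the page: 802.1x version and the EAPOL private hello type.
EAPOL_VERSION = 0x01
TYPE_ACTIVE_HELLO = 0xC2
CIPHERTEXT_LEN = 20          # 16-byte MD5 + 4-byte Timestamp, RC4-encrypted
HEADER_LEN = 4 + 4           # Ver, Type, Length(2) + Timestamp(4)

# Toy Diffie-Hellman parameters, constructed for illustration only:
# 1019 = 2*509 + 1 is a safe prime; a deployment would use a large one.
SAFE_PRIME = 1019
GROUP_ID = 2                 # the generator the page calls "group ID"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (KSA + PRGA). One call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def public_key(random_number: int) -> int:
    """Exchange-Key = GROUP_ID ^ random_number mod SAFE_PRIME (client or device side)."""
    return pow(GROUP_ID, random_number, SAFE_PRIME)


def shared_key(peer_public: int, own_random: int) -> bytes:
    """Standard DH (assumption, see lead-in): peer_public ^ own_random mod SAFE_PRIME,
    serialised big-endian so it can key RC4."""
    k = pow(peer_public, own_random, SAFE_PRIME)
    return k.to_bytes(max(1, (k.bit_length() + 7) // 8), "big")


def motherboard_serial_md5(serial: str) -> bytes:
    """Motherboard serial ID MD5: the 16-byte digest carried in the key exchange request."""
    return hashlib.md5(serial.encode()).digest()


def build_active_hello(key: bytes, serial_md5: bytes, timestamp: int, user_name: str) -> bytes:
    """Client side (step 202): Ciphertext = RC4(second shared key, MD5 || Timestamp)."""
    ts = struct.pack("!I", timestamp)
    ciphertext = rc4(key, serial_md5 + ts)
    body = ts + ciphertext + user_name.encode()
    length = 4 + len(body)                      # Length covers Ver through User Name
    return struct.pack("!BBH", EAPOL_VERSION, TYPE_ACTIVE_HELLO, length) + body


def parse_active_hello(packet: bytes):
    """Split an active hello into (timestamp, ciphertext, user_name); None if malformed."""
    if len(packet) < HEADER_LEN + CIPHERTEXT_LEN:
        return None
    ver, typ, length = struct.unpack("!BBH", packet[:4])
    if ver != EAPOL_VERSION or typ != TYPE_ACTIVE_HELLO or length != len(packet):
        return None
    timestamp = struct.unpack("!I", packet[4:8])[0]
    ciphertext = packet[8:8 + CIPHERTEXT_LEN]
    try:
        user_name = packet[8 + CIPHERTEXT_LEN:].decode("utf-8")
    except UnicodeDecodeError:
        return None
    return timestamp, ciphertext, user_name


def verify_active_hello(packet: bytes, keys_by_user: dict, md5_by_user: dict) -> bool:
    """Network-device side (steps 203-204): find the first shared key by User Name,
    decrypt, and require both the MD5 and the Timestamp to match."""
    parsed = parse_active_hello(packet)
    if parsed is None:
        return False
    timestamp, ciphertext, user_name = parsed
    key = keys_by_user.get(user_name)
    if key is None or user_name not in md5_by_user:
        return False
    plain = rc4(key, ciphertext)
    md5_ok = plain[:16] == md5_by_user[user_name]
    ts_ok = struct.unpack("!I", plain[16:20])[0] == timestamp
    return md5_ok and ts_ok


def demo() -> bool:
    """Constructed end-to-end run: key agreement during authentication, then one hello."""
    client_rand, device_rand = 123, 456              # first and second random numbers
    exchange_key_c = public_key(client_rand)         # sent in the key exchange request
    exchange_key_s = public_key(device_rand)         # sent in the key exchange response
    second_key = shared_key(exchange_key_s, client_rand)   # client: second shared key
    first_key = shared_key(exchange_key_c, device_rand)    # device: first shared key
    assert first_key == second_key
    serial_md5 = motherboard_serial_md5("SN-CONSTRUCTED-0001")
    hello = build_active_hello(second_key, serial_md5, 1_700_000_000, "alice")
    return verify_active_hello(hello, {"alice": first_key}, {"alice": serial_md5})
```

The Timestamp check is what ties each hello to a fresh message: a replayed or edited Timestamp field no longer agrees with the one recovered from the ciphertext, so the device discards it under step 206.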
Fig. 3 is a flow chart of an authentication method provided by embodiment three of the invention. As shown in Fig. 3, the method comprises:
Step 301: the network device performs the authentication process of the client through the authentication server; during this authentication process the network device generates the first shared reciprocal key and the client generates the second shared reciprocal key;
For a detailed description of step 301, see the description of step 201 in Fig. 2b and embodiment two.
Step 302: the network device generates and sends an active probe (Detect) message to the client;
In this embodiment, when an anomalous event occurs on the network device, for example a MAC address conflict, the network device may on its own initiative generate and send an active probe message to the client.
In this embodiment, the generated active probe message may be laid out as follows:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Ver      |     Type      |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-                                                               -
-                           User Name                           -
-                                                               -
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The active probe message may be a privately defined message built on the EAPOL message format; its fields are: version (Ver), type (Type), length (Length) and user name (User Name).
Ver may be set to 0x01, the 802.1x authentication protocol version number.
Type may be set to the private type 0xc3, indicating that the message is an active probe message.
Length is the length of the message payload, in bytes.
User Name is the user name that identifies the authenticated user on the client.
Step 303: the network device judges whether, within the configured effective time, it has received an active hello message generated and sent by the client. The active hello message carries a timestamp (Timestamp) and encrypted data, where the encrypted data is generated by the client by encrypting the Motherboard serial ID MD5 and the Timestamp with the second shared reciprocal key. If so, step 304 is executed; otherwise step 308 is executed;
For a description of step 303, see step 202 in embodiment two.
Step 304: the network device decrypts the encrypted data in the hello message with the first shared reciprocal key corresponding to this client and obtains the Motherboard serial ID MD5 and the Timestamp;
For a description of step 304, see step 203 in embodiment two.
Step 305: the network device judges whether the Motherboard serial ID MD5 obtained by decryption matches the Motherboard serial ID MD5 in the key exchange request message extracted in step 2023, and whether the Timestamp obtained by decryption matches the Timestamp in the hello message. If both match, re-authentication succeeds and step 306 is executed; otherwise re-authentication fails and step 307 is executed;
For a description of step 305, see step 204 in embodiment two.
Step 306: the network device resets the timer and continues with step 303;
For a description of step 306, see step 205 in embodiment two.
Step 307: the network device discards this active hello message and continues with step 303;
Step 308: the network device deletes this client and the first shared reciprocal key corresponding to this client;
For a description of step 308, see step 207 in embodiment two.
In the technical solution of this embodiment, while the network device performs the authentication process of the client through the authentication server, the client generates the second shared reciprocal key from the second public key obtained from the network device, and the network device generates the first shared reciprocal key from the first public key obtained from the client; the first shared reciprocal key and the second shared reciprocal key are identical. During re-authentication of the client, when the client receives the active probe message sent by the network device, it encrypts the motherboard serial number digest and a timestamp with the second shared reciprocal key to generate encrypted data. When the network device receives, within the effective time, the active hello message containing the encrypted data sent by the client, it decrypts the encrypted data with the first shared reciprocal key to obtain the motherboard serial number digest and the timestamp, and judges whether the decrypted motherboard serial number digest matches the one in the key exchange request message and whether the decrypted timestamp matches the timestamp in the active hello message, thereby completing re-authentication of the client. Because the authentication server does not take part in re-authentication, its load is reduced. In this embodiment, because the timestamp differs each time the client generates an active hello message and the encrypted data generated from it therefore also differs, the re-authentication message the client sends to the network device differs each time; this effectively prevents the problem of another user impersonating an authenticated user, after that user has gone offline, by logging in on the client to access network resources, avoids loss to the authenticated user, and ensures the security of the network.
Fig. 4 is a flow chart of an authentication method provided by embodiment four of the invention. As shown in Fig. 4, the method comprises:
Step 401: the network device performs the authentication process of the client through the authentication server; during this authentication process the network device generates the first shared reciprocal key and the client generates the second shared reciprocal key;
For a detailed description of step 401, see the description of step 201 in Fig. 2b and embodiment two.
Step 402: the network device generates and sends an active probe (Detect) message to the client;
For a description of step 402, see step 302 in embodiment three.
Step 403: the network device judges whether, within the configured effective time, it has received an active hello message generated and sent by the client. The active hello message carries a timestamp (Timestamp) and encrypted data, where the encrypted data is generated by the client by encrypting the Motherboard serial ID MD5 and the Timestamp with the second shared reciprocal key. If so, step 404 is executed; otherwise step 408 is executed;
For a description of step 403, see step 303 in embodiment three.
Step 404: the network device decrypts the encrypted data in the hello message with the first shared reciprocal key corresponding to this client and obtains the Motherboard serial ID MD5 and the Timestamp;
Step 405: the network device judges whether the Motherboard serial ID MD5 obtained by decryption matches the Motherboard serial ID MD5 in the key exchange request message extracted in step 2023, and whether the Timestamp obtained by decryption matches the Timestamp in the hello message. If both match, re-authentication succeeds and step 406 is executed; otherwise re-authentication fails and step 407 is executed;
For a description of step 405, see step 404 in embodiment three.
Step 406: the network device resets the timer and continues with step 403;
For a description of step 406, see step 306 in embodiment three.
Step 407: the network device discards this active hello message and continues with step 403;
Step 408: the network device judges whether the number of times it has sent the active probe message to the client has reached the configured threshold; if not, it continues with step 402; if so, step 409 is executed;
For example, in this embodiment the configured threshold may be 3.
Step 409: the network device deletes this client and the first shared reciprocal key corresponding to this client;
For a description of step 409, see step 308 in embodiment three.
The difference between the technical solution of this embodiment and embodiment three above is that in this embodiment a threshold may be configured, and the network device deletes the client and its corresponding first shared reciprocal key only after it judges that the number of times the active probe message has been sent to the client has reached the configured threshold.
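The network device's timer handling across embodiments two, three and four (effective-time timer reset on a verified hello, active probe on an anomaly, probe-count threshold before the key is deleted, and Logoff), as an added example that is not part of the patent. The ReauthSession class, its event names and the injected clock are constructed for illustration; with probe_threshold set to 0 it behaves as embodiment two (step 207), with 3 as embodiment four.

```python
import time

PROBE_THRESHOLD = 3   # the example threshold given for embodiment four


class ReauthSession:
    """Per-client re-authentication state held by the network device (constructed example).

    The clock is injected so the effective-time timer can be driven deterministically;
    the default is the monotonic clock."""

    def __init__(self, first_shared_key: bytes, effective_time: float,
                 probe_threshold: int = PROBE_THRESHOLD, clock=time.monotonic):
        self.first_shared_key = first_shared_key   # None once the client is deleted
        self.effective_time = effective_time
        self.probe_threshold = probe_threshold
        self.clock = clock
        self.probes_sent = 0
        self.timer_start = clock()                 # initial authentication just finished

    def reset_timer(self) -> None:
        """Step 205/306/406: zero the timer and restart the count."""
        self.timer_start = self.clock()
        self.probes_sent = 0

    def on_active_hello(self, verified: bool) -> str:
        """Steps 204-206: a hello that passed the decrypt-and-compare check resets
        the timer; any other hello is discarded."""
        if self.first_shared_key is None:
            return "no-session"
        if verified:
            self.reset_timer()
            return "reset"
        return "discard"

    def on_anomaly(self) -> str:
        """Step 302: an anomalous event such as a MAC address conflict makes the
        device send an active probe and wait one effective time for the hello."""
        self.timer_start = self.clock()
        return "probe"

    def on_timer(self) -> str:
        """Steps 403/408/409, called periodically. Inside the effective time nothing
        happens; once it expires the device probes up to probe_threshold times,
        then deletes the client and its first shared key."""
        if self.first_shared_key is None:
            return "deleted"
        if self.clock() - self.timer_start < self.effective_time:
            return "waiting"
        if self.probes_sent < self.probe_threshold:
            self.probes_sent += 1
            self.timer_start = self.clock()        # give the client another effective time
            return "probe"
        self.first_shared_key = None               # step 409 (or 207 / 308)
        return "deleted"

    def on_logoff(self) -> str:
        """Client-initiated Logoff: delete the client and its first shared key at once."""
        self.first_shared_key = None
        return "deleted"
```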
Fig. 5 is a schematic structural diagram of a network device provided by embodiment five of the invention. As shown in Fig. 5, the network device comprises: a first receiving module 11, a first judging module 12, a decryption module 13 and a second judging module 14;
The first receiving module 11 is configured to receive a re-authentication message generated and sent by the client; the re-authentication message comprises encrypted data, generated by the client by encrypting authentication data with a pre-generated second shared reciprocal key. The first judging module 12 is configured to judge whether the first receiving module 11 has received the re-authentication message generated and sent by the client within the configured effective time. The decryption module 13 is configured to, when the first judging module 12 judges that the re-authentication message generated and sent by the client has been received within the configured effective time, decrypt the encrypted data with the pre-generated first shared reciprocal key corresponding to the client to obtain decrypted data; the first shared reciprocal key is identical to the second shared reciprocal key. The second judging module 14 is configured to judge whether the decrypted data matches comparison data, re-authentication succeeding when the decrypted data is judged to match the comparison data.
Fig. 6 is a schematic structural diagram of a network device provided by embodiment six of the invention. As shown in Fig. 6, on the basis of embodiment five above, this network device further comprises a first sending module 15 and a first generation module 16. The first generation module 16 is configured to generate an active probe message, and the first sending module 15 is configured to send the active probe message generated by the first generation module 16 to the client.
Further, the network device may also comprise a discard module 17, configured to discard the re-authentication message when the second judging module 14 judges that the decrypted data does not match the comparison data.
Further, the network device may also comprise a first extraction module 18, a second generation module 19, an encapsulation module 20 and a third generation module 21.
The first receiving module 11 is further configured to receive an EAP challenge response message sent by the client; the EAP challenge response message encapsulates a key exchange request message, which in turn encapsulates a group ID, a safe prime, a first public key and a motherboard serial number digest, the first public key being generated from a randomly generated first random number, the group ID and the safe prime, and the motherboard serial number digest being generated from the motherboard serial number read on the client. The first extraction module 18 is configured to extract the key exchange request message from the EAP challenge response message received by the first receiving module 11. The second generation module 19 is configured to generate a second public key from a randomly generated second random number and the group ID and safe prime in the key exchange request message extracted by the first extraction module 18. The encapsulation module 20 is configured to encapsulate the second public key generated by the second generation module 19 in a key exchange response message, and to encapsulate the key exchange response message in an EAP success message. The third generation module 21 is configured to generate the first shared reciprocal key from the second public key generated by the second generation module 19 and the first public key and safe prime in the key exchange request message extracted by the first extraction module 18. The first sending module 15 is configured to send the EAP success message to the client.
The network device of embodiments five and six above receives, within the effective time, a re-authentication message containing encrypted data sent by the client, the encrypted data having been generated by the client by encrypting authentication data with the first shared reciprocal key; it decrypts the encrypted data with the second shared reciprocal key, which is identical to the first shared reciprocal key, to obtain decrypted data, and judges whether the decrypted data matches the comparison data, thereby completing re-authentication of the client. The authentication server does not take part in re-authentication, so its load is reduced.
Fig. 7 is a schematic structural diagram of a client provided by embodiment seven of the invention. As shown in Fig. 7, the client comprises: a fourth generation module 22 and a second sending module 23.
The fourth generation module 22 is configured to encrypt authentication data with the pre-generated second shared reciprocal key to generate encrypted data, and to generate a re-authentication message comprising the encrypted data. The second sending module 23 is configured to send the re-authentication message to the network device, so that the network device, on receiving the re-authentication message generated and sent by the client within the configured effective time, decrypts the encrypted data with the pre-generated first shared reciprocal key corresponding to the client to obtain decrypted data, judges whether the decrypted data matches comparison data, and treats re-authentication as successful when the decrypted data is judged to match the comparison data; the first shared reciprocal key is identical to the second shared reciprocal key.
Fig. 8 is a schematic structural diagram of a client provided by embodiment eight of the invention. As shown in Fig. 8, on the basis of embodiment seven above, the client of this embodiment further comprises: a second receiving module 24, a fifth generation module 25, a second extraction module 26 and a sixth generation module 27;
The fifth generation module 25 is configured to generate a first public key from a randomly generated first random number and a generated group ID and safe prime, and to generate a motherboard serial number digest from the motherboard serial number read. The second receiving module 24 is configured to receive an EAP success message sent by the network device; the EAP success message encapsulates a key exchange response message, which encapsulates a second public key. The second extraction module 26 is configured to extract the key exchange response message from the EAP success message. The sixth generation module 27 is configured to generate the second shared reciprocal key from the first public key and safe prime generated by the fifth generation module 25 and the second public key in the key exchange response message extracted by the second extraction module 26.
The client of embodiments seven and eight above encrypts authentication data with the second shared reciprocal key to generate encrypted data and sends a re-authentication message containing the encrypted data to the network device, so that the network device decrypts the encrypted data with the first shared reciprocal key, which is identical to the second shared reciprocal key, to obtain decrypted data and judges whether the decrypted data matches comparison data, thereby completing re-authentication of the client. The authentication server does not take part in re-authentication, so its load is reduced.
Fig. 9 is a schematic structural diagram of an authentication system provided by embodiment nine of the invention. As shown in Fig. 9, the system comprises a network device 1 and a client 2.
The client 2 is configured to encrypt authentication data with a pre-generated second shared reciprocal key to generate encrypted data, and to generate and send a re-authentication message comprising the encrypted data to the network device 1. The network device 1 is configured to judge that the re-authentication message generated and sent by the client has been received within the configured effective time, decrypt the encrypted data with the pre-generated first shared reciprocal key corresponding to the client 2 to obtain decrypted data, and judge whether the decrypted data matches comparison data, re-authentication succeeding when the decrypted data is judged to match the comparison data; the first shared reciprocal key is identical to the second shared reciprocal key.
In the authentication system of this embodiment, the network device receives, within the effective time, a re-authentication message containing encrypted data sent by the client, the encrypted data having been generated by the client by encrypting authentication data with the second shared reciprocal key; it decrypts the encrypted data with the first shared reciprocal key, which is identical to the second shared reciprocal key, to obtain decrypted data, and judges whether the decrypted data matches the comparison data, thereby completing re-authentication of the client. The network device does not need the authentication server to take part in re-authentication of the client, so the load of the authentication server is reduced.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments serve only to illustrate the technical solutions of the invention and are not intended to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in each embodiment may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (14)

1. an authentication method is characterized in that, comprising:
Receive the re-authentication message that client generates and sends when judging in the effective time that is being provided with, described re-authentication message comprises enciphered data, described enciphered data be described client according to generate in advance second when sharing reciprocity key verify data being carried out encryption and generated, share reciprocity key according to first of the described client correspondence that generates in advance described enciphered data is decrypted processing acquisition data decryption, it is identical that the described first shared reciprocity key and described second is shared reciprocity key;
Judge whether described data decryption conforms to correction data, if then re-authentication success.
2. method according to claim 1 is characterized in that, described judging also comprises receive the re-authentication message that client generates and sends in the effective time that is provided with before:
Generate and send the active probe message to described client.
3. method according to claim 1 is characterized in that, when judging when not receiving the re-authentication message that client generates and sends in the effective time that is provided with, deletes described client.
4. method according to claim 1 is characterized in that, when judging described data decryption and do not conform to correction data, then re-authentication failure abandons described re-authentication message.
5. according to the arbitrary described method of claim 1 to 4, it is characterized in that, also comprise:, in described verification process, generate described first and share the reciprocity key and the described second shared reciprocity key by the verification process of certificate server execution to described client;
Describedly in described verification process, generate described first and share reciprocity key and described second and share reciprocity key and comprise:
Receive the Extensible Authentication Protocol EAP challenge response message that described client sends, described EAP challenge response message is packaged with the cipher key change request message, described cipher key change request message is packaged with group ID, safe prime, first public-key cryptography and mainboard sequence number summary info, described first public-key cryptography is for generating according to first random number, described group of ID and the described safe prime that generate at random, and described mainboard sequence number summary info is for generating according to the mainboard sequence number that reads;
From described EAP challenge response message, extract the cipher key change request message;
When receiving that message is accepted in remote authentication dial in radius access that certificate server returns, generate second public-key cryptography according to group ID and safe prime in second random number that generates at random, the cipher key change request message that extracts;
Described second public-key cryptography is encapsulated in the cipher key change response message, described cipher key change response message is encapsulated in the EAP success message;
According to first public-key cryptography and the safe prime in described second public-key cryptography, the cipher key change request message that extracts, generate first and share reciprocity key;
Send described EAP success message to client, from described EAP success message, extract described cipher key change response message for described client, according to second public-key cryptography in first public-key cryptography, safe prime and the described cipher key change response message, generate second and share reciprocity key.
6. method according to claim 5, it is characterized in that, described re-authentication message comprises initiatively hello packet, described verify data comprises mainboard sequence number summary info, described data decryption comprises the mainboard sequence number summary info that decryption processing obtains, and described correction data comprises the mainboard sequence number summary info in the cipher key change request message that extracts;
Then describedly judge described data decryption and conform to correction data and comprise: judge mainboard sequence number summary info that described decryption processing obtains and conform to mainboard sequence number summary info in the described cipher key change request message that extracts.
7. The method according to claim 6, characterized in that the active hello message further comprises a timestamp, the authentication data further comprises the timestamp, the decrypted data further comprises the timestamp obtained by the decryption, and the comparison data further comprises the timestamp in the active hello message;
the judging whether the decrypted data matches the comparison data then further comprises: judging whether the timestamp obtained by the decryption matches the timestamp in the active hello message.
8. A network device, characterized by comprising:
a first receiving module, configured to receive a re-authentication message generated and sent by a client, the re-authentication message comprising encrypted data, the encrypted data being generated by the client by encrypting authentication data with a pre-generated second shared peer key;
a first judging module, configured to judge whether the first receiving module received the re-authentication message generated and sent by the client within a set effective time;
a decryption module, configured to, when the first judging module judges that the re-authentication message generated and sent by the client was received within the set effective time, decrypt the encrypted data with a pre-generated first shared peer key corresponding to the client to obtain decrypted data, the first shared peer key being identical to the second shared peer key;
a second judging module, configured to judge whether the decrypted data matches comparison data, the re-authentication succeeding when the decrypted data is judged to match the comparison data.
9. The network device according to claim 8, characterized by further comprising:
a first generating module, configured to generate an active probe message;
a first sending module, configured to send the active probe message generated by the first generating module to the client.
10. The network device according to claim 8, characterized by further comprising:
a discard module, configured to discard the re-authentication message when the second judging module judges that the decrypted data does not match the comparison data.
11. The network device according to claim 8, characterized by further comprising: a first extraction module, a second generating module, an encapsulation module, a third generating module and a first sending module;
the first receiving module being further configured to receive an EAP challenge response message sent by the client, the EAP challenge response message encapsulating a key exchange request message, the key exchange request message encapsulating a group ID, a safe prime, a first public key and a motherboard serial number digest, the first public key being generated from a randomly generated first random number, the group ID and the safe prime, and the motherboard serial number digest being generated from a read motherboard serial number;
the first extraction module, configured to extract the key exchange request message from the EAP challenge response message received by the first receiving module;
the second generating module, configured to generate a second public key from a randomly generated second random number and the group ID and safe prime in the key exchange request message extracted by the first extraction module;
the encapsulation module, configured to encapsulate the second public key generated by the second generating module in a key exchange response message, and to encapsulate the key exchange response message in an EAP-Success message;
the third generating module, configured to generate the first shared peer key from the second public key generated by the second generating module and the first public key and safe prime in the key exchange request message extracted by the first extraction module;
the first sending module, configured to send the EAP-Success message to the client.
12. A client, characterized by comprising:
a fourth generating module, configured to encrypt authentication data with a pre-generated second shared peer key to generate encrypted data, and to generate a re-authentication message comprising the encrypted data;
a second sending module, configured to send the re-authentication message to a network device, so that the network device, when it receives the re-authentication message generated and sent by the client within a set effective time, decrypts the encrypted data with a pre-generated first shared peer key corresponding to the client to obtain decrypted data and judges whether the decrypted data matches comparison data, the re-authentication succeeding when the decrypted data is judged to match the comparison data, the first shared peer key being identical to the second shared peer key.
13. The client according to claim 12, characterized by further comprising: a second receiving module, a second extraction module, a fifth generating module and a sixth generating module;
the fifth generating module, configured to generate a first public key from a randomly generated first random number and a generated group number and safe prime, and to generate a motherboard serial number digest from a read motherboard serial number;
the second receiving module, configured to receive an EAP-Success message sent by the network device, the EAP-Success message encapsulating a key exchange response message, the key exchange response message encapsulating a second public key;
the second extraction module, configured to extract the key exchange response message from the EAP-Success message;
the sixth generating module, configured to generate the second shared peer key from the first public key and safe prime generated by the fifth generating module and the second public key in the key exchange response message extracted by the second extraction module.
14. An authentication system, characterized by comprising: a client and a network device;
the client being configured to encrypt authentication data with a pre-generated second shared peer key to generate encrypted data, and to generate and send a re-authentication message comprising the encrypted data to the network device;
the network device being configured to, when it judges that the re-authentication message generated and sent by the client was received within a set effective time, decrypt the encrypted data with a pre-generated first shared peer key corresponding to the client to obtain decrypted data, and to judge whether the decrypted data matches comparison data, the re-authentication succeeding when the decrypted data is judged to match the comparison data, the first shared peer key being identical to the second shared peer key.
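The exchange the claims describe, as an added worked example that is not part of the patent and not code from Ruijie or Fujian Star-net: the client's key exchange request (group ID, safe prime, first public key, motherboard serial number digest) rides in the EAP challenge response; once the RADIUS Access-Accept arrives, the network device answers with an EAP-Success carrying the key exchange response; both sides derive the same shared peer key; and a later active hello carries a plaintext timestamp plus the encrypted digest and timestamp, which the device accepts only inside the effective time opened by its active probe. Everything the claims leave open is an assumption here: the group (RFC 3526 group 14 with generator 2), the digest (SHA-256), the key derivation, the cipher (an HMAC-SHA256 keystream with encrypt-then-MAC), and all message field names. Two checks go beyond the claims and are marked as added in the code: the device refuses a key exchange request whose prime is not the known group, and it compares the decrypted timestamp with its own clock.

```python
# Added example, not the patent's code: DH key exchange at EAP success, then client re-authentication.
import hashlib
import hmac
import os

P = int(  # RFC 3526 group 14 (2048-bit MODP) safe prime; assumption, the claims only say "safe prime"
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G, GROUP_ID = 2, 14

def derive_key(shared: int) -> bytes:  # shared peer key = SHA-256 of the DH value (assumption: no KDF is claimed)
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def encrypt(key: bytes, pt: bytes) -> bytes:  # encrypt-then-MAC on an HMAC keystream (assumption: no cipher is claimed)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):  # plaintext, or None when the tag does not verify
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Client:
    def __init__(self, mainboard_serial: bytes):
        self.a = int.from_bytes(os.urandom(32), "big")       # first random number (kept private)
        self.pub = pow(G, self.a, P)                          # first public key
        self.digest = hashlib.sha256(mainboard_serial).digest()  # motherboard serial number digest
        self.k2 = None                                        # second shared peer key, set on EAP-Success

    def key_exchange_request(self) -> dict:                   # carried in the EAP challenge response
        return {"group_id": GROUP_ID, "prime": P, "pub": self.pub, "digest": self.digest}

    def on_eap_success(self, eap_success: dict) -> None:
        self.k2 = derive_key(pow(eap_success["key_exchange_response"]["pub"], self.a, P))

    def re_auth_message(self, now: int) -> dict:              # active hello (claims 6 and 7)
        return {"timestamp": now,
                "encrypted": encrypt(self.k2, self.digest + now.to_bytes(8, "big"))}

class NetworkDevice:
    def __init__(self, effective_time: int = 10, max_skew: int = 5):
        self.effective_time, self.max_skew, self.sessions = effective_time, max_skew, {}

    def on_eap_challenge_response(self, cid: str, req: dict, radius_accept: bool):
        """Runs when the RADIUS Access-Accept arrives (claim 5); returns the EAP-Success."""
        # Added check, not in the claims: use only the known group and a public key in range.
        if not radius_accept or req["group_id"] != GROUP_ID or req["prime"] != P \
                or not 2 <= req["pub"] <= P - 2:
            return None
        b = int.from_bytes(os.urandom(32), "big")             # second random number
        self.sessions[cid] = {"digest": req["digest"], "deadline": None,
                              "k1": derive_key(pow(req["pub"], b, P))}   # first shared peer key
        return {"eap": "success", "key_exchange_response": {"pub": pow(G, b, P)}}

    def active_probe(self, cid: str, now: int) -> dict:       # claim 9: opens the set effective time
        self.sessions[cid]["deadline"] = now + self.effective_time
        return {"type": "active-probe"}

    def on_re_auth(self, cid: str, msg: dict, now: int) -> bool:
        s = self.sessions.get(cid)
        if s is None or s["deadline"] is None or now > s["deadline"]:
            return False                                      # not within the set effective time
        s["deadline"] = None                                  # one answer per probe
        pt = decrypt(s["k1"], msg["encrypted"])
        if pt is None or len(pt) != 40:
            return False                                      # discard (claim 10)
        dec_digest, dec_ts = pt[:32], int.from_bytes(pt[32:], "big")
        return (hmac.compare_digest(dec_digest, s["digest"])  # claim 6
                and dec_ts == msg["timestamp"]                # claim 7
                and abs(now - dec_ts) <= self.max_skew)       # added freshness check, not claimed

def run_exchange(serial: bytes = b"MB-SN-0001", now: int = 1_700_000_000) -> dict:
    """Constructed walk-through: a good hello, a late one, a replayed one and a forged one."""
    client, device = Client(serial), NetworkDevice()
    client.on_eap_success(device.on_eap_challenge_response("c1", client.key_exchange_request(), True))
    device.active_probe("c1", now)
    hello = client.re_auth_message(now + 1)
    fresh = device.on_re_auth("c1", hello, now + 1)
    device.active_probe("c1", now + 100)
    late = device.on_re_auth("c1", client.re_auth_message(now + 111), now + 111)
    device.active_probe("c1", now + 200)
    replayed = device.on_re_auth("c1", hello, now + 201)      # old hello inside a new window
    device.active_probe("c1", now + 300)
    forged = device.on_re_auth("c1", dict(hello, timestamp=now + 301), now + 301)
    return {"same_key": client.k2 == device.sessions["c1"]["k1"],
            "fresh": fresh, "late": late, "replayed": replayed, "forged": forged}
```

`run_exchange()` returns the outcome of each hello. The replayed case is the one to look at: because both the plaintext and the encrypted timestamp are the original ones, it passes the digest comparison of claim 6 and the timestamp-equality comparison of claim 7 and is rejected only by the added clock check; as written, the claims rely on the effective time opened by the active probe to bound such replays. The pinned group matters for the same reason a practitioner pins it in any DH exchange: the client supplies the safe prime in the key exchange request, and a device that exponentiates with whatever modulus arrives lets a tampered request dictate that modulus.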
CN2009102597302A 2009-12-24 2009-12-24 Authentication method, system, client and network equipment Expired - Fee Related CN101764693B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009102597302A CN101764693B (en) 2009-12-24 2009-12-24 Authentication method, system, client and network equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009102597302A CN101764693B (en) 2009-12-24 2009-12-24 Authentication method, system, client and network equipment

Publications (2)

Publication Number Publication Date
CN101764693A true CN101764693A (en) 2010-06-30
CN101764693B CN101764693B (en) 2013-01-30

Family

ID=42495690

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009102597302A Expired - Fee Related CN101764693B (en) 2009-12-24 2009-12-24 Authentication method, system, client and network equipment

Country Status (1)

Country Link
CN (1) CN101764693B (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102833746A (en) * 2012-09-14 2012-12-19 福建星网锐捷网络有限公司 User re-authentication method and AC (Access Controller)
CN103384249A (en) * 2013-07-08 2013-11-06 北京星网锐捷网络技术有限公司 Network access authentication method, device and system and authentication server
WO2014153718A1 (en) * 2013-03-26 2014-10-02 西门子公司 Method and apparatus for protection command of transmission relay protection
CN104184580A (en) * 2013-05-21 2014-12-03 北京神州泰岳软件股份有限公司 Network operating method and network operating system
CN104683296A (en) * 2013-11-28 2015-06-03 中国电信股份有限公司 Safe authentication method and safe authentication system
CN104901946A (en) * 2015-04-10 2015-09-09 中国民航大学 Civil aviation SWIM user authentication method based on improved Diameter/EAP-MD5 protocol
CN104932794A (en) * 2015-07-09 2015-09-23 科大讯飞股份有限公司 Mobile terminal customer service rapid replying method and system
CN105471861A (en) * 2015-11-19 2016-04-06 上海应用技术学院 Dynamic message packaging method and dynamic tunnel construction method
CN106603740A (en) * 2016-12-07 2017-04-26 广东欧珀移动通信有限公司 Network connection abnormality processing method and terminal equipment
CN106714156A (en) * 2015-07-13 2017-05-24 中兴通讯股份有限公司 Wireless access point and management platform authentication method and device
CN110089073A (en) * 2016-12-15 2019-08-02 萨罗尼科斯贸易与服务一人有限公司 Equipment, system and method for the control actuator of system by wireless communication
CN111614692A (en) * 2020-05-28 2020-09-01 广东纬德信息科技股份有限公司 Inbound message processing method and device based on power gateway
CN114599033A (en) * 2022-05-10 2022-06-07 中移(上海)信息通信科技有限公司 Communication authentication processing method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1277396C (en) * 2003-03-06 2006-09-27 华为技术有限公司 Re-auditting method in 802.1X audit system
CN101232372B (en) * 2007-01-26 2011-02-02 华为技术有限公司 Authentication method, authentication system and authentication device

Also Published As

Publication number Publication date
CN101764693B (en) 2013-01-30

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
    Address after: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden State Industrial Park 19 floor
    Patentee after: RUIJIE NETWORKS Co.,Ltd.
    Address before: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden State Industrial Park 19 floor
    Patentee before: Fujian Star-net Ruijie Network Co.,Ltd.
CF01 Termination of patent right due to non-payment of annual fee
    Granted publication date: 20130130