CN103685272A - Authentication method and system - Google Patents

Authentication method and system

Info

Publication number: CN103685272A
Application number: CN201310683030.2A
Authority: CN (China)
Prior art keywords: dhcp, information, dynamic host, host configuration, configuration protocol
Legal status: Granted (status as assumed by Google, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN103685272B (en)
Inventors: 陈佳佳, 王江胜, 毕晓宇, 熊莺
Current assignee: Huawei Technologies Co Ltd; Shanghai Huawei Technologies Co Ltd
Original assignee: Shanghai Huawei Technologies Co Ltd
Priority: CN201310683030.2A; published as CN103685272A, granted as CN103685272B

Classifications

    • H04L61/50 Network arrangements, protocols or services for addressing or naming: address allocation
    • H04L61/5014 IP addresses allocated using the Dynamic Host Configuration Protocol (DHCP) or the Bootstrap Protocol (BOOTP)
    • H04L63/0823 Network security: authentication of entities using certificates
    • H04W12/069 Wireless networks, security: authentication using certificates or pre-shared keys

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the invention provide an authentication method and system for DHCP. A DHCP server receives a DHCP DISCOVER message from a DHCP client; the message contains first information encrypted with the DHCP client's private key. The DHCP server obtains the digital certificate corresponding to the DHCP client from an authentication server, decrypts and verifies the encrypted first information with the public key of that certificate and, if verification succeeds, treats the DHCP client as authenticated. The DHCP server then sends a DHCP OFFER message to the DHCP client that contains encrypted second information; the DHCP client decrypts and verifies it and, if verification succeeds, treats the DHCP server as authenticated. With these embodiments DoS attacks are avoided and no preset shared key is needed for authentication, which further secures DHCP.

Description

Authentication method and system
Technical field
The present invention relates to the Dynamic Host Configuration Protocol (DHCP), and in particular to a DHCP-based authentication method and system.
Background technology
The Dynamic Host Configuration Protocol (DHCP) is a local area network protocol that runs over the User Datagram Protocol (UDP) and automatically assigns IP addresses to hosts joining a TCP/IP network. DHCP is an application on top of UDP: the server uses UDP port 67 and the client uses UDP port 68.
DHCP carries an options field, which includes a vendor-specific area in which manufacturers may define their own options so that further configuration information (network mask, gateway, DNS server addresses and so on) can be provided. The field is variable-length and can carry several options at once; the first byte of each option is its option code (for example 43, 60 or 90), the next byte is the length of the data, and the remainder is the content.
Take a base station as an example of a DHCP client. Base station equipment should need only hardware installers at deployment, with no technical staff configuring it on site, or should be plug-and-play once the customer has bought it. The equipment therefore has to discover and configure itself automatically, for example by obtaining its own IP address, the address of the network management system and the addresses of key devices on the service path, and DHCP is commonly used for this as an efficient way of assigning IP addresses. DHCP, however, was not designed with security in mind; it is easily attacked and poses serious security risks.
The current security solution protects DHCP with delayed authentication. It defines DHCP Option 90 to provide two functions: authentication of the DHCP peer and verification of DHCP messages. In delayed authentication the client and the DHCP server hold a shared key.
Fig. 1 is the flow chart of the existing delayed-authentication method for DHCP. In this example a base station (BS) acts as the DHCP client and the figure shows how it connects to the DHCP server.
Step 1: the DHCP client broadcasts a DHCP Discover message carrying the authentication option Option 90, which tells the server that authentication is required, together with a client identity. This identity must be unique from the point of view of the DHCP server or the authentication server, or must form, together with other fields, a unique identifier of the DHCP client. The message is broadcast on the local subnet.
Option 90 is defined as follows: the option code for authentication information is 90; the option further contains a length field, a protocol field, an algorithm field, a replay detection field and an authentication information field. The protocol field defines the authentication technique used in the option. The algorithm field defines the specific algorithm, such as RDM (Remote Deployment Manager), which is a system management facility; the replay detection field is specific to each RDM, and the authentication information is likewise specific to each protocol. If the protocol field is 0, the authentication information holds a simple configuration token, used to carry a plaintext configuration token or to provide very weak authentication. The receiving end authenticates by matching and decides whether to accept the message.
Step 2: after receiving this message, a DHCP server on the network (there may be more than one) decides whether it can serve the client. If so, it computes a session key K from the client identity and the shared key, computes the authentication code of the message with K, fills in Option 90 and constructs a DHCP OFFER (DHCPOFFER) message, which it sends to the DHCP client. Here K = MAC(MK, unique-id), where MAC is a message authentication code, MK is the master key, i.e. the key shared by server and client, and unique-id is the unique identity.
Step 3: on receiving the DHCPOFFER the DHCP client uses its locally stored session key K to check whether the authentication information in Option 90 is correct; on failure it acts according to its local security policy. If it receives several DHCPOFFER messages it selects one DHCP server according to some policy. It then constructs a DHCP REQUEST (DHCPREQUEST) message, computes its authentication code with K, fills in Option 90 and sends the DHCPREQUEST to the chosen DHCP server to request service.
Step 4: on receiving the DHCPREQUEST the DHCP server verifies it with K. If verification fails it discards the message and replies with a DHCP negative acknowledgement (DHCPNAK); otherwise it constructs a DHCP acknowledgement (DHCPACK). Both DHCPNAK and DHCPACK must carry Option 90, filled in as the standard requires. The DHCP server sends the DHCPNAK/DHCPACK to the DHCP client, which verifies it as in step 3.
Although the delayed-authentication method above does authenticate the DHCP client and the DHCP server, it still has at least the following problems:
1. It does not support authentication of the DHCP DISCOVER message, so DoS attacks are easy.
2. Pre-shared-key authentication is easily stolen by an attacker, and in real deployments pre-shared keys greatly burden the factory provisioning process and network management.
A more complete security mechanism is therefore needed to protect the interactions between DHCP entities. Certificates are a widely used authentication method with a higher security level, and the prior art includes certificate-based authentication methods, but they are difficult to apply to DHCP. The main reason is that the largest packet Ethernet can carry is 1500 bytes, whereas a certificate is typically 1 to 2 KB, and broadcast messages cannot be fragmented, so carrying the certificate in a DHCP message is infeasible.
Summary of the invention
Embodiments of the invention provide an authentication method and system that authenticate the DHCP client and the DHCP server by certificate, which avoids DoS attacks and also avoids authentication with a preset shared key.
An embodiment provides an authentication method applied to DHCP, comprising:
a DHCP server receives a DHCP DISCOVER message from a DHCP client; the DHCP DISCOVER message contains first information encrypted with the DHCP client's private key;
the DHCP server obtains the digital certificate corresponding to the DHCP client from an authentication server, decrypts and verifies the encrypted first information with the public key of the digital certificate, and if verification succeeds authentication of the DHCP client is complete;
the DHCP server sends a DHCP OFFER message to the DHCP client containing encrypted second information, so that the DHCP client decrypts and verifies the encrypted second information and, if verification succeeds, authentication of the DHCP server is complete.
An embodiment also provides an authentication system applied between a DHCP server and a DHCP client that use DHCP. The system comprises the DHCP server, which communicates with an authentication server and with the DHCP client, wherein:
the authentication server stores the digital certificate corresponding to each DHCP client;
the DHCP server receives a DHCP DISCOVER message from the DHCP client, the message containing first information encrypted with the DHCP client's private key; obtains from the authentication server the digital certificate corresponding to the DHCP client, decrypts and verifies the encrypted first information with the public key of the digital certificate and, if verification succeeds, completes authentication of the DHCP client; and sends the DHCP client a DHCP OFFER message containing encrypted second information;
the DHCP client decrypts and verifies the encrypted second information and, if verification succeeds, authentication of the DHCP server is complete.
With the authentication method and system of these embodiments the DHCP client and server are authenticated by certificate, so DoS attacks are avoided and no preset shared key is used for authentication.
Accompanying drawing explanation
To explain the embodiments of the invention and the prior art more clearly, the drawings needed for their description are briefly introduced below. The drawings show only some embodiments of the invention; a person of ordinary skill in the art can derive further drawings from them without inventive effort.
Fig. 1 is the flow chart of the existing delayed-authentication method for DHCP;
Fig. 2 is a flow chart of an authentication method according to an embodiment of the invention;
Fig. 3 is a schematic flow diagram of one specific embodiment of the invention;
Fig. 4 is a schematic flow diagram of another specific embodiment of the invention;
Fig. 5 is a schematic flow diagram of a further specific embodiment of the invention;
Fig. 6 is a schematic structural diagram of an authentication system according to an embodiment of the invention.
Embodiment
The technical solutions of the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments that a person of ordinary skill in the art obtains from them without inventive effort fall within the scope of protection of the invention.
The technical solution of the invention can be applied to various communication systems, for example the Global System for Mobile communications (GSM), Code Division Multiple Access (CDMA) systems, Wideband Code Division Multiple Access (WCDMA), the General Packet Radio Service (GPRS) and Long Term Evolution (LTE).
In addition, various aspects are described here in connection with user equipment (UE) and/or base stations. User equipment is a device that provides voice and/or data connectivity to a user. It may be connected to a computing device such as a laptop or desktop computer, or may be a self-contained device such as a personal digital assistant (PDA). A wireless terminal may also be called a system, subscriber unit, subscriber station, mobile station, mobile, remote station, access point, remote terminal, access terminal, user terminal, user agent, user device or user equipment. User equipment may be a subscriber station, a wireless device, a cellular phone, a Personal Communications Service (PCS) phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless connectivity, or another processing device connected to a wireless modem.
A base station (for example an access point) is a device in the access network that communicates with wireless terminals over the air interface through one or more sectors. It converts between received air frames and IP packets and acts as a router between the wireless terminal and the rest of the access network, which may include an Internet Protocol (IP) network; it may also coordinate the management of air-interface attributes. It may be a base transceiver station (BTS) in GSM or CDMA, a NodeB in WCDMA, or an evolved NodeB (eNB or e-NodeB) in LTE; the invention is not limited in this respect.
Various aspects are described in terms of systems that may comprise one or more devices, components, modules or units. It should be understood that such systems may comprise additional devices, components, modules and/or units, and/or may not comprise all of the devices, components, modules and units discussed with reference to the drawings. In another aspect of the invention combinations of these approaches may also be used.
The term "and/or" here describes only an association between objects and expresses three possible relations: "A and/or B" may mean A alone, A and B together, or B alone. The symbol "/" generally denotes an "or" relation between the objects before and after it.
Fig. 2 is a flow chart of an authentication method according to an embodiment of the invention. The embodiment is applied to DHCP and proceeds as follows.
201: The DHCP server receives a DHCP DISCOVER message from a DHCP client; the DHCP DISCOVER message contains first information encrypted with the DHCP client's private key.
202: The DHCP server obtains the digital certificate corresponding to the DHCP client from an authentication server, decrypts and verifies the encrypted first information with the public key of the digital certificate and, if verification succeeds, authentication of the DHCP client is complete.
Here, obtaining the digital certificate from the authentication server may comprise:
the DHCP server, using a pre-configured authentication server address, obtains the digital certificate from the authentication server over a secure channel established between the DHCP server and the authentication server;
the secure channel between the DHCP server and the authentication server may be established before or after the DHCP server receives the DHCP DISCOVER message from the DHCP client.
The pre-configured authentication server address is either a fixed address set at the factory or a uniform resource locator (URL) carried in the DHCP DISCOVER message.
Obtaining the digital certificate from the authentication server over the established secure channel comprises:
the DHCP server sends the device identifier of the DHCP client to the authentication server over the secure channel; after checking from the device identifier that the DHCP client is legitimate, the authentication server returns the client's digital certificate to the DHCP server over the secure channel;
the DHCP server extracts the digital certificate of the DHCP client from the received information.
203: The DHCP server sends a DHCP OFFER message to the DHCP client containing encrypted second information, so that the DHCP client decrypts and verifies the encrypted second information and, if verification succeeds, authentication of the DHCP server is complete.
In step 203 the encrypted second information may be information signed with the public key of the client's digital certificate, in which case the DHCP client decrypts and verifies it with its own private key; or it may be information signed with the private key of the DHCP server, in which case the DHCP client decrypts and verifies it with the public key of the DHCP server.
Mutual authentication between the DHCP client and the DHCP server is thus achieved by certificate: the DHCP DISCOVER message is protected, which avoids DoS attacks, and because public and private keys are used no preset shared key is needed, which further secures DHCP. Moreover, because the DHCP server obtains the client's digital certificate from the authentication server, the certificate never has to be carried in a DHCP message, which is what makes the use of certificates between DHCP server and client possible.
Note that, to complete automatic IP address assignment with DHCP, the public/private key pair can also integrity-protect the subsequent messages; in one embodiment the flow of Fig. 1 therefore further comprises:
the DHCP server receives a DHCP REQUEST message from the DHCP client; the DHCP REQUEST message contains third information encrypted with the DHCP client's private key;
the DHCP server decrypts the encrypted third information with the public key and, after successful verification, performs the operations requested in the DHCP REQUEST message; it then sends a DHCP ACK message to the DHCP client containing encrypted fourth information, so that the DHCP client decrypts and verifies the encrypted fourth information and, if verification succeeds, completes its processing according to the DHCP ACK message.
The encrypted fourth information is either information signed with the public key of the client's digital certificate, in which case the DHCP client decrypts and verifies it with its own private key, or information signed with the private key of the DHCP server, in which case the DHCP client decrypts and verifies it with the public key of the DHCP server.
In this way the subsequent confirmation exchange between the DHCP client and the DHCP server also uses public and private keys, avoiding a preset shared key and further securing the information exchanged between client and server.
Note also that, to complete automatic IP address assignment with DHCP, a jointly negotiated first shared key may instead integrity-protect the subsequent messages; in another embodiment the flow of Fig. 1 therefore further comprises:
the DHCP DISCOVER message received by the DHCP server also contains a first public value;
the DHCP OFFER message sent by the DHCP server to the DHCP client also contains a second public value; the DHCP server and the DHCP client each compute the first shared key from the first public value and the second public value;
the DHCP server receives a DHCP REQUEST message from the DHCP client containing third information encrypted with the first shared key;
the DHCP server decrypts the encrypted third information with the first shared key and, after successful verification, performs the operations requested in the DHCP REQUEST message; it then sends a DHCP ACK message to the DHCP client containing fourth information encrypted with the first shared key, so that the DHCP client decrypts and verifies the encrypted fourth information and, if verification succeeds, completes its processing according to the DHCP ACK message.
In all of the embodiments above, the first information may be the unique identifier of the DHCP client or the DHCP DISCOVER message itself, and the encrypted first information is placed in the Option 90 field of the DHCP DISCOVER; the second information may be the DHCP OFFER message itself, and the encrypted second information is placed in the Option 90 field of the DHCP OFFER; the third information is the DHCP REQUEST message itself, and the encrypted third information is placed in the Option 90 field of the DHCP REQUEST; the fourth information is the DHCP ACK message itself, and the encrypted fourth information is placed in the Option 90 field of the DHCP ACK.
In this way the DHCP client and the DHCP server not only complete mutual authentication with public and private keys but also use the negotiated first shared key in the subsequent confirmation exchange, avoiding a preset shared key and further securing the information exchanged between client and server.
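The DISCOVER/OFFER exchange of steps 201 to 203, with the signed first and second information carried in Option 90 as described above, as an added Go example that is not part of the patent and not Huawei's code. It assumes Ed25519 signatures, a monotonically increasing counter as the replay-detection value, placeholder protocol and algorithm numbers, an in-memory map standing in for the certificate server reached over its secure channel, and a client that already holds the server's public key (the page's server-private-key variant of the second information).

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// Option 90 layout as the page describes it: code, length, protocol, algorithm, RDM,
// 8-byte replay-detection value, authentication information. The protocol and
// algorithm numbers are placeholders constructed for this example, not assigned values.
const (
	optAuth      = 90
	protoCertSig = 250 // placeholder: signature checked against a fetched certificate
	algEd25519   = 1   // placeholder
	rdmCounter   = 0   // replay value is a monotonically increasing counter
)

func buildOption90(replay uint64, authInfo []byte) []byte {
	body := binary.BigEndian.AppendUint64([]byte{protoCertSig, algEd25519, rdmCounter}, replay)
	body = append(body, authInfo...)
	if len(body) > 255 { // the option length field is a single byte
		return nil
	}
	return append([]byte{optAuth, byte(len(body))}, body...)
}

func parseOption90(opt []byte) (replay uint64, authInfo []byte, err error) {
	if len(opt) < 13 || opt[0] != optAuth || int(opt[1]) != len(opt)-2 ||
		opt[2] != protoCertSig || opt[3] != algEd25519 || opt[4] != rdmCounter {
		return 0, nil, errors.New("malformed or unsupported option 90")
	}
	return binary.BigEndian.Uint64(opt[5:13]), opt[13:], nil
}

// dhcpMsg is a constructed stand-in for a DHCP message: esn models the Option 60
// content, body the remaining fields. Signatures cover esn, body and the replay
// value, never option 90 itself.
type dhcpMsg struct {
	esn   string
	body  []byte
	opt90 []byte
}

func toSign(m dhcpMsg, replay uint64) []byte {
	return binary.BigEndian.AppendUint64(append([]byte(m.esn+"|"), m.body...), replay)
}

type dhcpServer struct {
	priv ed25519.PrivateKey
	// certs models the certificate server, reached over a pre-established secure
	// channel: device ESN -> public key taken from that device's certificate.
	certs      map[string]ed25519.PublicKey
	lastReplay map[string]uint64 // highest replay value accepted per ESN
}

// clientDiscover builds a DISCOVER whose Option 90 carries the client's signature
// (the "first information", produced with the client's private key).
func clientDiscover(esn string, priv ed25519.PrivateKey, replay uint64) dhcpMsg {
	m := dhcpMsg{esn: esn, body: []byte("DHCPDISCOVER")}
	m.opt90 = buildOption90(replay, ed25519.Sign(priv, toSign(m, replay)))
	return m
}

// handleDiscover authenticates the client (steps 201-202) and answers with an OFFER
// signed by the server's private key (step 203, the "second information").
func (s *dhcpServer) handleDiscover(m dhcpMsg) (dhcpMsg, error) {
	replay, sig, err := parseOption90(m.opt90)
	if err != nil {
		return dhcpMsg{}, err
	}
	if replay <= s.lastReplay[m.esn] {
		return dhcpMsg{}, errors.New("replayed DISCOVER")
	}
	pub, ok := s.certs[m.esn] // the certificate is fetched here, never carried in DHCP
	if !ok {
		return dhcpMsg{}, errors.New("no certificate for ESN")
	}
	if !ed25519.Verify(pub, toSign(m, replay), sig) {
		return dhcpMsg{}, errors.New("client signature invalid")
	}
	s.lastReplay[m.esn] = replay
	offer := dhcpMsg{esn: m.esn, body: []byte("DHCPOFFER yiaddr=192.0.2.10")}
	offer.opt90 = buildOption90(replay, ed25519.Sign(s.priv, toSign(offer, replay)))
	return offer, nil
}

// clientVerifyOffer completes mutual authentication using the server's public key
// (the page's variant in which the OFFER is signed with the server's private key).
func clientVerifyOffer(serverPub ed25519.PublicKey, offer dhcpMsg, replay uint64) error {
	got, sig, err := parseOption90(offer.opt90)
	if err != nil {
		return err
	}
	if got != replay || !ed25519.Verify(serverPub, toSign(offer, replay), sig) {
		return errors.New("server signature invalid")
	}
	return nil
}
```

buildOption90 returns nil when the payload would not fit the one-byte option length, the same size constraint that keeps the certificate itself out of the DHCP message and makes the out-of-band fetch necessary.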
The invention is now described in more detail with specific embodiments. In the following embodiments the DHCP client, the DHCP server and the authentication server have all been provisioned at the factory. The DHCP client's factory configuration consists of its device identifier (ID), the DHCP client certificate, the manufacturer's root certificate or certificate chain, and the private key matching the public key in the certificate. The DHCP server's factory configuration consists of the server certificate and the manufacturer's root certificate. The authentication server is provisioned with its own certificate, the manufacturer's CA certificate and the list of certificates corresponding to each DHCP client ID, and it maintains an allow list and a deny list of DHCP clients. The authentication server may be chosen according to local policy, for example an FTP server. In the following embodiments a base station is the DHCP client.
Fig. 3 is the schematic flow diagram of one specific embodiment. In this embodiment the address of the authentication server with which the DHCP server interacts is preset in the DHCP server's default configuration. The flow is as follows.
1. The base station sends a DHCP Discover message to the DHCP server. Option 60 carries the base station's Electronic Serial Number (ESN), and Option 90 carries a digest of the ESN computed with the base station's private key, together with an algorithm identifier in Option 90 naming the digest algorithm used.
Here the base station's ESN is the first information referred to above.
2. After receiving the DHCP Discover message the DHCP server can read the base station ID, i.e. the ESN, from Option 60. The DHCP server and the authentication server authenticate each other and set up a secure channel, such as an SSL connection, so that the DHCP server can securely give the authentication server the base station's ESN and securely download the base station certificate.
The secure channel between the DHCP server and the authentication server may be set up before the DHCP server receives the DHCP DISCOVER message from the base station (step 0) or afterwards (step 2).
Note that once the secure channel between the DHCP server and the authentication server has been established, the DHCP server has been authenticated as a legitimate DHCP server. Specifically, the verification between the DHCP server and the authentication server may use one of the factory-preset manufacturer CA certificate, DHCP server certificate or authentication server certificate.
Note that the detailed procedure for establishing the secure channel between the DHCP server and the authentication server is the same as in existing solutions and is not repeated here.
Note that this embodiment does not restrict the transport protocol of the secure channel: it may be an SSL connection or a connection based on another security protocol.
3. Over the established secure channel, for example the SSL connection, the DHCP server obtains the base station certificate from the authentication server. Specifically:
the DHCP server sends the DHCP client's device identifier, namely the ESN, to the authentication server over the established secure channel; the authentication server checks the ESN against the allow and deny lists it holds and, if the ESN is legitimate, looks up the base station's digital certificate in the certificate list for that base station ID and returns it to the DHCP server over the established secure channel;
the DHCP server extracts the DHCP client's digital certificate from the received information.
The base station's digital certificate is thus obtained from the authentication server under the protection of the secure channel.
4. The DHCP server verifies the received base station certificate and, after verification succeeds, obtains the public key of the base station certificate.
Here, can verify by the manufacturer's CA certificate that dispatches from the factory default in Dynamic Host Configuration Protocol server and certificate server.
5, Dynamic Host Configuration Protocol server is used the public key verifications private key signature of base station, deciphers digest value in Option90, with contrasting for No. ESN of the base station comprising in Option60, if coupling illustrates that base station has the private key with this credentials match really;
So far, Dynamic Host Configuration Protocol server has completed the authentication to base station by digital certificate.
6. The DHCP server digitally signs the DHCP OFFER message and sends the base station a DHCP OFFER message that contains the content of Option43 or of other options together with the digital signature of the DHCP OFFER message.
The DHCP OFFER message corresponds to the aforementioned second information, and the result of digitally signing the DHCP OFFER message is placed in the Option90 field of the DHCP OFFER message.
The DHCP server can digitally sign the DHCP OFFER message in several ways:
Mode one: sign the DHCP OFFER message using the public key of the base station;
Mode two: sign the DHCP OFFER message using the private key of the DHCP server.
Mode two can be further divided into the following cases:
A. In addition to the signature of the DHCP OFFER message, the DHCP OFFER message sent also contains the digital certificate of the DHCP server;
B. In addition to the signature of the DHCP OFFER message, the DHCP OFFER message sent also contains the public key of the DHCP server and the URL of the digital certificate corresponding to the DHCP server;
C. In addition to the signature of the DHCP OFFER message, the DHCP OFFER message sent also contains the URL of the digital certificate corresponding to the DHCP server and the identifier (ID) of the DHCP server.
Note that, in general, case A of mode two is suitable for sending the DHCP OFFER message by unicast, while the other cases are suitable for sending it by broadcast or multicast.
7. After receiving the DHCP OFFER message, the base station verifies the signature of the DHCP OFFER message.
Because the DHCP OFFER message may be signed in different ways in step 6, the verification here differs accordingly:
If mode one was used in step 6, the base station uses its own private key to verify the DHCP OFFER message in this step. If verification succeeds, this shows that the DHCP server is a legitimate DHCP server that has been verified by the certificate server and has obtained the base station's certificate; the base station has now authenticated the DHCP server.
If case A of mode two was used in step 6, the base station obtains the digital certificate of the DHCP server from the received DHCP OFFER message and then uses that certificate to verify the signature. If verification succeeds, this shows that the DHCP server is a legitimate DHCP server verified by the certificate server, and the base station has obtained the DHCP server's digital certificate; the base station has now authenticated the DHCP server.
Note that after the base station obtains the DHCP server's digital certificate from the received DHCP OFFER message, it may first verify the authenticity and legitimacy of that certificate and only after that verification succeeds use the certificate to verify the signature. The procedure for verifying the digital certificate is not limited here; any method capable of verifying a digital certificate can be applied in the embodiments of the present invention.
If case B of mode two was used in step 6, the base station provisionally trusts that the DHCP server is legitimate: it first takes the DHCP server's public key from the received DHCP OFFER message to verify the received DHCP OFFER message and thereby obtains the IP address allocated by the DHCP server; then the base station takes the URL of the digital certificate corresponding to the DHCP server from the received message and, using the IP address allocated by the DHCP server, fetches the digital certificate at that URL; finally it compares the public key obtained from the message with the corresponding public key in the digital certificate fetched via the URL, and if the two are consistent the server has passed verification. The base station has now obtained the DHCP server's digital certificate and authenticated the DHCP server.
If case C of mode two was used in step 6, the base station assumes by default that the received DHCP OFFER message passes verification and thereby obtains the IP address allocated by the DHCP server; then the base station takes the URL of the digital certificate corresponding to the DHCP server from the received message and, using the IP address allocated by the DHCP server, fetches the DHCP server's digital certificate via that URL; or the base station takes the DHCP server ID from the received message and fetches the DHCP server's digital certificate from the locally pre-configured certificate server address. The base station verifies the obtained DHCP server digital certificate and, after that verification succeeds, uses the certificate to verify the signature of the DHCP OFFER message. The base station has now obtained the DHCP server's digital certificate and authenticated the DHCP server. The procedure for verifying the digital certificate is not limited here; any method capable of verifying a digital certificate can be applied in the embodiments of the present invention.
At this point the base station and the DHCP server have completed mutual certificate-based authentication.
Subsequently the base station sends a DHCP Request message to the certificate server. The message carries Option43 and, in Option90, the signature of the DHCP Request message computed with the base station's own private key, for confirmation to the DHCP server.
Here the DHCP Request message corresponds to the aforementioned third information, and the encrypted third information is placed in the Option90 field of the DHCP Request message.
8. After receiving the DHCP Request message, the DHCP server verifies the integrity of the message using the base station's public key. If verification passes, it sends a DHCP ACK message. The base station verifies the ACK message by the same method as in step 7.
Here the DHCP ACK message corresponds to the aforementioned fourth information, and the encrypted fourth information is placed in the Option90 field of the DHCP ACK message.
At this point the automatic allocation of the IP address has been completed through the DHCP protocol.
Note that in the above embodiment the key identifier field in Option90 may be set to 0 to indicate that the DHCP Request and DHCP ACK messages are authenticated with the public/private key pair rather than with an existing preset shared key.
By applying the above embodiment, the base station acting as DHCP client and the DHCP server complete mutual authentication using public and private keys, which prevents DoS attacks; moreover, in this embodiment the public/private key pair also protects the subsequent operations, avoiding authentication with a preset shared key and further securing the information exchanged between the DHCP client and the server.
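The Fig. 3 exchange above, steps 1 to 7 with the OFFER signed in mode two, case A, as an added Go example; this is not code from the patent, and its Option90 layout, ECDSA over P-256 as the signature algorithm, the in-memory certificate server with its blacklist, and the ESN values are assumptions made for the example:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Option90 is a constructed, simplified model of the DHCP authentication option as the
// embodiment uses it (not the RFC 3118 wire layout): algorithm identifier, key ID
// (0 = public/private key authentication) and the signature.
type Option90 struct {
	Algorithm string
	KeyID     byte
	Signature []byte
}

// Message is a simplified DHCP message: type, Option60 (base station ESN),
// Option43 (vendor data carried by OFFER) and Option90.
type Message struct {
	Type     string
	Option60 string
	Option43 []byte
	Option90 Option90
}

// digest is the hash the Option90 signature covers: every field except Option90.
func (m Message) digest() []byte {
	h := sha256.New()
	h.Write([]byte(m.Type + "|" + m.Option60 + "|"))
	h.Write(m.Option43)
	return h.Sum(nil)
}

// CertServer stands in for the certificate server: a blacklist of ESNs and the
// base station certificate (reduced here to its public key) for each known ESN.
type CertServer struct {
	Blacklist map[string]bool
	Certs     map[string]*ecdsa.PublicKey
}

// Lookup is the certificate server's part of step 3: refuse blacklisted or unknown ESNs.
func (cs *CertServer) Lookup(esn string) (*ecdsa.PublicKey, error) {
	if cs.Blacklist[esn] {
		return nil, errors.New("ESN is blacklisted")
	}
	if pub, ok := cs.Certs[esn]; ok {
		return pub, nil
	}
	return nil, errors.New("no certificate for ESN")
}

// sign fills Option90 with an ECDSA signature over the message digest.
func sign(m Message, priv *ecdsa.PrivateKey) (Message, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, m.digest())
	if err != nil {
		return Message{}, err
	}
	m.Option90 = Option90{Algorithm: "ECDSA-SHA256", KeyID: 0, Signature: sig}
	return m, nil
}

// BuildDiscover is step 1: the base station puts its ESN in Option60 and a
// signature computed with its private key in Option90.
func BuildDiscover(esn string, clientPriv *ecdsa.PrivateKey) (Message, error) {
	return sign(Message{Type: "DISCOVER", Option60: esn}, clientPriv)
}

// ServerVerifyDiscover is steps 2 to 5: fetch the certificate for the ESN from the
// certificate server and check the Option90 signature against its public key.
func ServerVerifyDiscover(cs *CertServer, m Message) error {
	pub, err := cs.Lookup(m.Option60)
	if err != nil {
		return err
	}
	if !ecdsa.VerifyASN1(pub, m.digest(), m.Option90.Signature) {
		return errors.New("sender does not hold the private key of the certificate")
	}
	return nil
}

// BuildOffer is step 6, mode two: the DHCP server signs the OFFER with its private key.
func BuildOffer(esn string, opt43 []byte, serverPriv *ecdsa.PrivateKey) (Message, error) {
	return sign(Message{Type: "OFFER", Option60: esn, Option43: opt43}, serverPriv)
}

// ClientVerifyOffer is step 7 (mode two, case A): the base station checks the OFFER
// signature with the public key of the DHCP server certificate it received.
func ClientVerifyOffer(m Message, serverPub *ecdsa.PublicKey) bool {
	return ecdsa.VerifyASN1(serverPub, m.digest(), m.Option90.Signature)
}

// NewKey generates a P-256 key pair standing in for a factory-provisioned certificate key.
func NewKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail in practice
	return k
}
```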
Referring to Fig. 4, which is a flow diagram of another specific embodiment of the present invention. In this embodiment the address of the authentication server with which the DHCP server interacts is obtained from a URL rather than being preset in the DHCP server's default configuration. The flow specifically comprises:
1. The base station sends a DHCP Discover message to the DHCP server carrying Option60 with the base station ESN, Option98 with the URL of the certificate server, and Option90 with the DHCP message signature computed with the base station's private key; the algorithm field in Option90 identifies the algorithm used for the digest computation. Option98 lets the DHCP server locate the certificate server; this differs from embodiment one, where the address of the certificate server is fixed in the configuration.
2. After receiving the DHCP Discover message, the DHCP server obtains the URL from Option98, the encrypted ESN from Option90 and the ESN from Option60. The DHCP server obtains the address of the certificate server from the URL, after which the DHCP server and the certificate server authenticate each other and establish an SSL connection, so that the base station ESN can be supplied to the certificate server and the base station certificate downloaded securely.
The secure channel between the DHCP server and the certificate server may be established either before the DHCP server receives the DHCP DISCOVER message from the base station (as in step 0) or afterwards (as in step 2).
Note that once the secure channel between the DHCP server and the certificate server has been established, the DHCP server has been shown to be a legitimate DHCP server. Specifically, the verification between the DHCP server and the certificate server can use any of the factory-provisioned manufacturer CA certificate, DHCP server certificate or certificate server certificate.
Note that the detailed procedure for establishing the secure channel between the DHCP server and the certificate server is the same as in existing technical solutions and is not repeated here.
Note that this embodiment does not restrict the transport protocol of the secure channel: it may be an SSL connection or a connection based on another security protocol.
3-8. Identical to the corresponding steps of the embodiment shown in Fig. 3; not repeated here.
By applying the above embodiment, the base station acting as DHCP client and the DHCP server complete mutual authentication using public and private keys, which prevents DoS attacks; moreover, in this embodiment the public/private key pair also protects the subsequent operations, avoiding authentication with a preset shared key and further securing the information exchanged between the DHCP client and the server.
Referring to Fig. 5, which is a flow diagram of another specific embodiment of the present invention. In this embodiment the address of the authentication server with which the DHCP server interacts is preset in the DHCP server's default configuration; in addition, the base station and the DHCP server use their public and private keys to negotiate a first shared key, and the subsequent operations, namely the DHCP Request and DHCP ACK messages, are encrypted with this negotiated first shared key. The flow specifically comprises:
1. The base station sends a DHCP Discover message to the DHCP server carrying Option60 with the base station ESN and Option90 with the digest value of the base station ESN computed with the base station's private key; the algorithm field in Option90 identifies the algorithm used for the digest computation. The key ID in Option90 carries the first public value used for the Diffie-Hellman (DH) exchange, or the first public value is carried in an extension of Option90.
Here the base station ESN is the aforementioned first information. Alternatively, the base station's private key can be applied to the DHCP Discover message itself beforehand, in the same way as the digest value is computed over the ESN; this is not described again.
2-5. Identical to the embodiment shown in Fig. 3; not repeated.
6. The DHCP server digitally signs the DHCP OFFER message, which contains the content of Option43 or of other options, and Option90 likewise carries the second public value for the DH exchange, in either of the two ways described in step 1.
The DHCP OFFER message corresponds to the aforementioned second information, and the result of digitally signing the DHCP OFFER message is placed in the Option90 field of the DHCP OFFER message.
7. After receiving the DHCP OFFER message, the base station uses its own private key to verify the DHCP OFFER message. If verification succeeds, this shows that the DHCP server is a legitimate DHCP server verified by the certificate server and has obtained the base station's certificate; the base station has now authenticated the DHCP server. At this point the base station and the DHCP server have completed mutual certificate-based authentication.
The base station then computes the first shared key between the DHCP client and the DHCP server from the first public value it generated itself and the second public value obtained from the DHCP server.
Subsequently the base station sends a DHCP Request message to the certificate server. The message carries the content of Option43 or of other options and, in Option90, the signature of the DHCP Request message computed with the above first shared key, for confirmation to the DHCP server.
Note that in this embodiment the key ID in Option90 may be set to all ones, indicating that protection uses the first shared key produced by the DH exchange.
Here the DHCP Request message corresponds to the aforementioned third information, and the encrypted third information is placed in the Option90 field of the DHCP Request message.
8. After receiving the DHCP Request message, the DHCP server verifies the integrity of the message using the first shared key. If verification passes, it sends a DHCP ACK message. The base station verifies the ACK message by the same method as in step 7.
Here the DHCP ACK message corresponds to the aforementioned fourth information, and the encrypted fourth information is placed in the Option90 field of the DHCP ACK message.
At this point the automatic allocation of the IP address has been completed through the DHCP protocol.
Note that in the embodiment shown in Fig. 5 the address of the authentication server with which the DHCP server interacts may also be obtained from a URL; the way in which the authentication server address is obtained is not limited here.
By applying the above embodiment, the base station acting as DHCP client and the DHCP server complete mutual authentication using public and private keys, which prevents DoS attacks; moreover, in this embodiment the negotiated first shared key can also be used to protect the subsequent operations, avoiding authentication with a preset shared key and further securing the information exchanged between the DHCP client and the server.
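The key negotiation and the shared-key protection of the DHCP Request and ACK messages from the Fig. 5 flow (steps 1, 6, 7 and 8), as an added Go example that is not part of the patent; ECDH over P-256 stands in for the DH group the text does not specify, and the key derivation, the HMAC-SHA256 tag, the one-byte key ID field and the Option90 layout are assumptions made for the example, while the certificate-based signatures of steps 2 to 7 are left out:

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Key ID values of the Option90 key identifier field as the embodiments use them:
// 0 selects public/private key authentication, all ones selects the first shared
// key produced by the DH exchange. The one-byte width is a constructed simplification.
const (
	KeyIDPublicKey byte = 0x00
	KeyIDSharedKey byte = 0xFF
)

// AuthOption is a constructed, simplified model of Option90 for the Fig. 5 flow
// (not the RFC 3118 wire layout): key ID, the DH public value carried by
// DISCOVER (first value) or OFFER (second value), and the tag over the message.
type AuthOption struct {
	KeyID   byte
	DHValue []byte
	Tag     []byte
}

// Message is a simplified DHCP message: type, Option43 payload and Option90.
type Message struct {
	Type     string
	Option43 []byte
	Option90 AuthOption
}

// Party is one side (base station or DHCP server) holding an ephemeral DH key
// and, once step 7 has run, the first shared key.
type Party struct {
	priv      *ecdh.PrivateKey
	SharedKey []byte
}

func NewParty() (*Party, error) {
	k, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: k}, nil
}

// PublicValue is the DH public value this side places in Option90 (step 1 or step 6).
func (p *Party) PublicValue() []byte { return p.priv.PublicKey().Bytes() }

// DeriveSharedKey is step 7: combine the peer's public value with the own
// private value and hash the shared secret into the first shared key.
func (p *Party) DeriveSharedKey(peerValue []byte) error {
	peer, err := ecdh.P256().NewPublicKey(peerValue)
	if err != nil {
		return err
	}
	secret, err := p.priv.ECDH(peer)
	if err != nil {
		return err
	}
	sum := sha256.Sum256(append([]byte("dhcp-first-shared-key|"), secret...))
	p.SharedKey = sum[:]
	return nil
}

// tag computes HMAC-SHA256 over everything in the message except the tag itself.
func tag(key []byte, m Message) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(m.Type + "|"))
	h.Write(m.Option43)
	h.Write([]byte{m.Option90.KeyID})
	h.Write(m.Option90.DHValue)
	return h.Sum(nil)
}

// Protect builds the REQUEST (base station) or ACK (DHCP server) of step 8:
// key ID all ones and a tag under the first shared key go into Option90.
func (p *Party) Protect(msgType string, opt43 []byte) (Message, error) {
	if p.SharedKey == nil {
		return Message{}, errors.New("first shared key not derived yet")
	}
	m := Message{Type: msgType, Option43: opt43, Option90: AuthOption{KeyID: KeyIDSharedKey}}
	m.Option90.Tag = tag(p.SharedKey, m)
	return m, nil
}

// Verify checks the integrity of a received REQUEST or ACK. A message that does
// not announce the shared-key mode in its key ID is refused rather than being
// checked against a preset shared key.
func (p *Party) Verify(m Message) error {
	if p.SharedKey == nil || m.Option90.KeyID != KeyIDSharedKey {
		return errors.New("message is not protected by the first shared key")
	}
	if !hmac.Equal(m.Option90.Tag, tag(p.SharedKey, m)) {
		return errors.New("integrity check failed")
	}
	return nil
}
```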
An embodiment of the present invention also provides an authentication system, applied between a DHCP server and a DHCP client that use the Dynamic Host Configuration Protocol (DHCP). Referring to Fig. 6, the system may comprise a DHCP server 602, which communicates with a certificate server 601 and a DHCP client 603 respectively. Wherein,
The certificate server 601 is used to store the digital certificate corresponding to each DHCP client;
The DHCP server 602 is used to receive a DHCP DISCOVER message from the DHCP client, the DHCP DISCOVER message containing first information encrypted with the private key of the DHCP client; to obtain the digital certificate corresponding to the DHCP client from the certificate server, decrypt and verify the encrypted first information with the public key of the digital certificate and, if verification succeeds, complete authentication of the DHCP client; and to send a DHCP OFFER message to the DHCP client, the DHCP OFFER message containing encrypted second information;
The DHCP client 603 is used to decrypt and verify the encrypted second information and, if verification succeeds, complete authentication of the DHCP server.
The DHCP server 602 is also used to receive a DHCP REQUEST message from the DHCP client, the DHCP REQUEST message containing third information encrypted with the private key of the DHCP client; to decrypt the encrypted third information with the public key and, after verification succeeds, carry out the operational processing according to the information in the DHCP REQUEST message; and then to send a DHCP ACK message to the DHCP client, the DHCP ACK message containing encrypted fourth information;
The DHCP client 603 is also used to decrypt and verify the encrypted fourth information and, if verification succeeds, complete the operational processing according to the information in the DHCP ACK message.
The DHCP DISCOVER message received by the DHCP server 602 may also contain a first public value; the DHCP OFFER message sent by the DHCP server to the DHCP client may also contain a second public value; and the DHCP server and the DHCP client each compute a first shared key from the first public value and the second public value;
The DHCP server 602 is then also used to receive a DHCP REQUEST message from the DHCP client, the DHCP REQUEST message containing third information encrypted with the first shared key; to decrypt the encrypted third information with the first shared key and, after verification succeeds, carry out the operational processing according to the information in the DHCP REQUEST message; and then to send a DHCP ACK message to the DHCP client, the DHCP ACK message containing fourth information encrypted with the first shared key;
The DHCP client 603 is also used to decrypt and verify the encrypted fourth information and, if verification succeeds, complete the operational processing according to the information in the DHCP ACK message.
The first information is the unique identifier of the DHCP client or the DHCP DISCOVER message itself, and the encrypted first information is placed in the Option90 field of the DHCP DISCOVER message; the second information is the DHCP OFFER message itself, and the encrypted second information is placed in the Option90 field of the DHCP OFFER message; the third information is the DHCP REQUEST message itself, and the encrypted third information is placed in the Option90 field of the DHCP REQUEST message; the fourth information is the DHCP ACK message itself, and the encrypted fourth information is placed in the Option90 field of the DHCP ACK message.
The authentication system provided by the embodiment of the present invention achieves mutual authentication between the DHCP client and the DHCP server by means of certificates. This both secures the DHCP DISCOVER message, preventing DoS attacks, and, because public and private keys are used, avoids authentication with a preset shared key, thereby further securing DHCP. Furthermore, the DHCP server in the embodiment obtains the digital certificate of the DHCP client from the certificate server, so the DHCP messages need not carry certificates, which makes the use of certificates between the DHCP server and the client feasible.
The subsequent mutual confirmation operations between the DHCP client and the DHCP server are completed using the public and private keys or the negotiated first shared key, avoiding authentication with a preset shared key and further securing the information exchanged between the DHCP client and the server.
Since the system embodiment is substantially similar to the method embodiment, its description is relatively brief; for the relevant parts refer to the description of the method embodiment.
Note that in this document relational terms such as first and second are used only to distinguish one entity or operation from another and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "comprising" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises that element.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above can be found by reference to the corresponding processes in the foregoing method embodiments and are not repeated here.
It should be understood that the systems, devices and methods disclosed in the several embodiments provided in this application may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a logical functional division, and other divisions are possible in actual implementation; for example several units or components may be combined or integrated into another system, or some features may be omitted or not carried out. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, may exist physically as separate units, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, which includes instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to carry out all or part of the steps of the methods described in the embodiments of the present invention. The storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention is included in the scope of protection of the present invention.

Claims (33)

1. DynamicHost arranges a protocol DHCP server, is applied to DynamicHost and arranges in protocol DHCP, it is characterized in that, described Dynamic Host Configuration Protocol server comprises:
For receiving the unit of finding DHCP DISCOVER message from the DHCP of dhcp client, in described DHCP DISCOVER message, comprise the first information of applying described dhcp client encrypted private key;
For obtaining the digital certificate corresponding with described dhcp client from certificate server, Applied Digital certificate PKI is decrypted and verifies the first information of described encryption, if be proved to be successful, described dhcp client is completed the unit of authentication;
For sending DHCP to dhcp client, provide the DHCP OFFER unit of message, the second information that comprises encryption in described DHCP OFFER message, so that described dhcp client is decrypted and verifies the second information of described encryption, if be proved to be successful, described Dynamic Host Configuration Protocol server is completed to authentication;
Wherein, the second information of described encryption is for being used the information of the digital certificate public key signature that described dhcp client is corresponding; Or the second information of described encryption is for being used the information of the private key signature of described Dynamic Host Configuration Protocol server.
2. Dynamic Host Configuration Protocol server according to claim 1, is characterized in that, described Dynamic Host Configuration Protocol server also comprises:
For according to pre-configured address of the authentication server, by the Dynamic Host Configuration Protocol server set up and the escape way between certificate server, from described certificate server, obtain the unit of described digital certificate.
3. Dynamic Host Configuration Protocol server according to claim 2, it is characterized in that, described pre-configured address of the authentication server is the fixed address of setting while dispatching from the factory, or described pre-configured address of the authentication server is the corresponding uniform resource position mark URL of certificate server of carrying in DHCP DISCOVER message.
4. Dynamic Host Configuration Protocol server according to claim 2, is characterized in that, described Dynamic Host Configuration Protocol server also comprises:
For the device identification of dhcp client being sent to the unit of certificate server by the escape way of having set up, wherein, described certificate server is handed down to Dynamic Host Configuration Protocol server by the escape way of having set up by the digital certificate of described dhcp client after verifying that according to described device identification described dhcp client is legal;
For obtain the unit of the digital certificate of described dhcp client from the information receiving.
5. The DHCP server according to claim 1, characterized in that,
when the encrypted second information is information signed using the public key of the digital certificate corresponding to the DHCP client, the DHCP client is configured to decrypt and verify the encrypted second information using its own private key.
6. The DHCP server according to claim 1, characterized in that,
when the encrypted second information is information signed using the private key of the DHCP server, the DHCP client is configured to decrypt and verify the encrypted second information using the public key of the DHCP server.
7. The DHCP server according to claim 1, characterized in that the DHCP server further comprises:
a unit configured to receive a DHCP request (DHCP REQUEST) message from the DHCP client, the DHCP REQUEST message comprising third information encrypted with the private key of the DHCP client;
a unit configured to decrypt the encrypted third information using the public key and, after the verification succeeds, to perform operation processing according to the information in the DHCP REQUEST message;
a unit configured to send a DHCP acknowledgement (DHCP ACK) message to the DHCP client, the DHCP ACK message comprising encrypted fourth information, so that the DHCP client decrypts and verifies the encrypted fourth information and, if the verification succeeds, completes the operation processing according to the information in the DHCP ACK message.
8. The DHCP server according to claim 7, characterized in that,
the encrypted fourth information is information signed using the public key of the digital certificate corresponding to the client;
the DHCP client is configured to decrypt and verify the encrypted fourth information using its own private key;
or,
the encrypted fourth information is information signed using the private key of the DHCP server;
the DHCP client is configured to decrypt and verify the encrypted fourth information using the public key of the DHCP server.
9. The DHCP server according to claim 1, characterized in that the DHCP DISCOVER message further comprises a first common value, the DHCP OFFER message sent to the DHCP client further comprises a second common value, and the DHCP client is configured to calculate a first shared key from the first common value and the second common value;
the DHCP server further comprises:
a unit configured to calculate the first shared key from the first common value and the second common value;
a unit configured to receive a DHCP request (DHCP REQUEST) message from the DHCP client, the DHCP REQUEST message comprising third information encrypted with the first shared key;
a unit configured to decrypt the encrypted third information using the first shared key and, after the verification succeeds, to perform operation processing according to the information in the DHCP REQUEST message;
a unit configured to send a DHCP acknowledgement (DHCP ACK) message to the DHCP client, the DHCP ACK message comprising fourth information encrypted with the first shared key, so that the DHCP client decrypts and verifies the encrypted fourth information and, if the verification succeeds, completes the operation processing according to the information in the DHCP ACK message.
10. The DHCP server according to claim 1, characterized in that,
the first information is a unique identifier of the DHCP client or the DHCP DISCOVER message itself;
the second information is the DHCP OFFER message itself.
11. The DHCP server according to claim 8 or claim 9, characterized in that,
the third information is the DHCP REQUEST message itself;
the fourth information is the DHCP ACK message itself.
12. An authentication method, applied to the Dynamic Host Configuration Protocol (DHCP), characterized in that:
a DHCP client sends a DHCP discover (DHCP DISCOVER) message to a DHCP server, the DHCP DISCOVER message comprising first information encrypted with the private key of the DHCP client; wherein the DHCP server obtains the digital certificate corresponding to the DHCP client from an authentication server, decrypts and verifies the encrypted first information using the public key of the digital certificate and, if the verification succeeds, completes authentication of the DHCP client;
the DHCP client receives a DHCP offer (DHCP OFFER) message sent by the DHCP server, the DHCP OFFER message comprising encrypted second information;
the DHCP client decrypts and verifies the second information and, if the verification succeeds, completes authentication of the DHCP server;
wherein the encrypted second information is information signed using the public key of the digital certificate corresponding to the DHCP client, or the encrypted second information is information signed using the private key of the DHCP server.
13. The method according to claim 12, characterized in that the step of the DHCP server obtaining the digital certificate corresponding to the DHCP client from the authentication server comprises:
the DHCP server obtains the digital certificate from the authentication server, according to a pre-configured address of the authentication server, over a secure channel established between the DHCP server and the authentication server.
14. The method according to claim 13, characterized in that the pre-configured address of the authentication server is a fixed address set at the factory, or the pre-configured address of the authentication server is the uniform resource locator (URL) of the authentication server carried in the DHCP DISCOVER message.
15. The method according to claim 13, characterized in that the step of obtaining the digital certificate from the authentication server over the secure channel established between the DHCP server and the authentication server comprises:
the DHCP server sends the device identifier of the DHCP client to the authentication server over the established secure channel, and the authentication server, after verifying from the device identifier that the DHCP client is legitimate, delivers the digital certificate of the DHCP client to the DHCP server over the established secure channel;
the DHCP server obtains the digital certificate of the DHCP client from the received information.
16. The method according to claim 12, characterized in that the method further comprises:
when the encrypted second information is information signed using the public key of the digital certificate corresponding to the DHCP client, the DHCP client decrypts and verifies the encrypted second information using its own private key.
17. The method according to claim 12, characterized in that the method further comprises:
when the encrypted second information is information signed using the private key of the DHCP server, the DHCP client decrypts and verifies the encrypted second information using the public key of the DHCP server.
18. The method according to claim 12, characterized in that the method further comprises:
the DHCP client sends a DHCP request (DHCP REQUEST) message to the DHCP server, the DHCP REQUEST message comprising third information encrypted with the private key of the DHCP client, wherein the DHCP server decrypts the encrypted third information using the public key and, after the verification succeeds, performs operation processing according to the information in the DHCP REQUEST message;
the DHCP client receives a DHCP acknowledgement (DHCP ACK) message sent by the DHCP server, the DHCP ACK message comprising encrypted fourth information;
the DHCP client decrypts and verifies the encrypted fourth information and, if the verification succeeds, completes the operation processing according to the information in the DHCP ACK message.
19. The method according to claim 18, characterized in that,
the encrypted fourth information is information signed using the public key of the digital certificate corresponding to the client;
the DHCP client decrypts and verifies the encrypted fourth information using its own private key;
or,
the encrypted fourth information is information signed using the private key of the DHCP server;
the DHCP client decrypts and verifies the encrypted fourth information using the public key of the DHCP server.
20. The method according to claim 12, characterized in that,
the DHCP DISCOVER message further comprises a first common value, the DHCP OFFER message further comprises a second common value, and the DHCP client and the DHCP server each calculate a first shared key from the first common value and the second common value;
the DHCP client sends a DHCP request (DHCP REQUEST) message to the DHCP server, the DHCP REQUEST message comprising third information encrypted with the first shared key, wherein the DHCP server decrypts the encrypted third information using the first shared key and, after the verification succeeds, performs operation processing according to the information in the DHCP REQUEST message;
the DHCP client receives a DHCP acknowledgement (DHCP ACK) message sent by the DHCP server, the DHCP ACK message comprising fourth information encrypted with the first shared key;
the DHCP client decrypts and verifies the encrypted fourth information and, if the verification succeeds, completes the operation processing according to the information in the DHCP ACK message.
21. The method according to claim 12, characterized in that,
the first information is a unique identifier of the DHCP client or the DHCP DISCOVER message itself;
the second information is the DHCP OFFER message itself.
22. The method according to claim 19 or claim 20, characterized in that,
the third information is the DHCP REQUEST message itself;
the fourth information is the DHCP ACK message itself.
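The certificate-based exchange of claims 12 to 19 (and the matching server and client claims), as an added Go example that is not part of the patent: the client signs DISCOVER with its private key, the DHCP server obtains the client's certificate by device identifier from an authentication server that releases it only for legitimate devices, and the server answers with an OFFER signed with its own private key, which the client checks with the server's public key (the claim 17 variant); REQUEST and ACK repeat the same sign-then-verify step. ECDSA P-256 as the signature scheme, the message bodies, the device identifier, the in-process map standing in for the authentication server and its secure channel, and the client's out-of-band copy of the server public key are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Msg is one DHCP message; Sig (over Kind, DevID and Body) must verify before Body is acted on.
type Msg struct {
	Kind, DevID string // message kind; device identifier sent to the auth server
	Body, Sig   []byte
}

// digest binds kind and device identifier into what is signed (no cross-kind replay).
func digest(m Msg) []byte {
	h := sha256.Sum256(append([]byte(m.Kind+"|"+m.DevID+"|"), m.Body...))
	return h[:]
}

func sign(priv *ecdsa.PrivateKey, m *Msg) (err error) {
	m.Sig, err = ecdsa.SignASN1(rand.Reader, priv, digest(*m))
	return err
}

func verify(pub *ecdsa.PublicKey, m Msg) error {
	if ecdsa.VerifyASN1(pub, digest(m), m.Sig) {
		return nil
	}
	return errors.New(m.Kind + ": signature verification failed")
}

// Server is the DHCP server. auth stands in for the authentication server of claims
// 13-15: certificates (bare public keys here) for legitimate device identifiers only.
type Server struct {
	key  *ecdsa.PrivateKey
	auth map[string]*ecdsa.PublicKey
}

// HandleDiscover (claim 12) obtains the client's certificate by device identifier,
// verifies DISCOVER, and only then answers with an OFFER signed by the server (claim 17).
func (s *Server) HandleDiscover(d Msg) (Msg, error) {
	pub, ok := s.auth[d.DevID]
	if !ok {
		return Msg{}, errors.New("auth server: device not legitimate: " + d.DevID)
	}
	if err := verify(pub, d); err != nil {
		return Msg{}, err
	}
	offer := Msg{Kind: "OFFER", DevID: d.DevID, Body: []byte("yiaddr=192.0.2.10")}
	return offer, sign(s.key, &offer)
}

// Exchange is the client side: sign DISCOVER, then accept the OFFER only if it
// verifies under the server's public key (claim 17), assumed provisioned out of band.
func Exchange(devID string, key *ecdsa.PrivateKey, s *Server) (string, error) {
	disc := Msg{Kind: "DISCOVER", DevID: devID, Body: []byte("discover")}
	if err := sign(key, &disc); err != nil {
		return "", err
	}
	offer, err := s.HandleDiscover(disc)
	if err == nil {
		err = verify(&s.key.PublicKey, offer)
	}
	if err != nil {
		return "", err
	}
	return string(offer.Body), nil
}

// NewFixture: a server whose auth server knows one legitimate device, "dev-0001",
// plus that device's private key. Panics on key-generation failure (demo only).
func NewFixture() (*Server, *ecdsa.PrivateKey) {
	ck, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sk, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil || err2 != nil {
		panic("key generation failed")
	}
	return &Server{key: sk, auth: map[string]*ecdsa.PublicKey{"dev-0001": &ck.PublicKey}}, ck
}

func main() {
	s, ck := NewFixture()
	fmt.Println(Exchange("dev-0001", ck, s))
}
```

In the claims 16 and 19 variant, where the second information is protected with the client's own public key, the client's check shows only that the sender held the client's certificate, so the access control the authentication server applies to that certificate carries the server-authentication guarantee; the server-private-key variant used here binds the OFFER to a key only the server holds.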
23. A Dynamic Host Configuration Protocol (DHCP) client, applied to DHCP, characterized in that the DHCP client comprises:
a unit configured to send a DHCP discover (DHCP DISCOVER) message to a DHCP server, the DHCP DISCOVER message comprising first information encrypted with the private key of the DHCP client; wherein the DHCP server obtains the digital certificate corresponding to the DHCP client from an authentication server, decrypts and verifies the encrypted first information using the public key of the digital certificate and, if the verification succeeds, completes authentication of the DHCP client;
a unit configured to receive a DHCP offer (DHCP OFFER) message sent by the DHCP server, the DHCP OFFER message comprising encrypted second information;
a unit configured to decrypt and verify the second information and, if the verification succeeds, to complete authentication of the DHCP server;
wherein the encrypted second information is information signed using the public key of the digital certificate corresponding to the DHCP client, or the encrypted second information is information signed using the private key of the DHCP server.
24. The DHCP client according to claim 23, characterized in that the DHCP server is further configured to obtain the digital certificate from the authentication server, according to a pre-configured address of the authentication server, over a secure channel established between the DHCP server and the authentication server.
25. The DHCP client according to claim 24, characterized in that the pre-configured address of the authentication server is a fixed address set at the factory, or the pre-configured address of the authentication server is the uniform resource locator (URL) of the authentication server carried in the DHCP DISCOVER message.
26. The DHCP client according to claim 24, characterized in that,
the DHCP server is further configured to send the device identifier of the DHCP client to the authentication server over the established secure channel;
the authentication server is further configured, after verifying from the device identifier that the DHCP client is legitimate, to deliver the digital certificate of the DHCP client to the DHCP server over the established secure channel;
the DHCP server is further configured to obtain the digital certificate of the DHCP client from the received information.
27. The DHCP client according to claim 23, characterized in that,
when the encrypted second information is information signed using the public key of the digital certificate corresponding to the DHCP client, the DHCP client further comprises:
a unit configured to decrypt and verify the encrypted second information using its own private key.
28. The DHCP client according to claim 23, characterized in that,
when the encrypted second information is information signed using the private key of the DHCP server, the DHCP client further comprises:
a unit configured to decrypt and verify the encrypted second information using the public key of the DHCP server.
29. The DHCP client according to claim 23, characterized in that the DHCP client further comprises:
a unit configured to send a DHCP request (DHCP REQUEST) message to the DHCP server, the DHCP REQUEST message comprising third information encrypted with the private key of the DHCP client, wherein the DHCP server decrypts the encrypted third information using the public key and, after the verification succeeds, performs operation processing according to the information in the DHCP REQUEST message;
a unit configured to receive a DHCP acknowledgement (DHCP ACK) message sent by the DHCP server, the DHCP ACK message comprising encrypted fourth information;
a unit configured to decrypt and verify the encrypted fourth information and, if the verification succeeds, to complete the operation processing according to the information in the DHCP ACK message.
30. The DHCP client according to claim 29, characterized in that,
the encrypted fourth information is information signed using the public key of the digital certificate corresponding to the client;
the DHCP client further comprises: a unit configured to decrypt and verify the encrypted fourth information using its own private key;
or,
the encrypted fourth information is information signed using the private key of the DHCP server;
the DHCP client further comprises: a unit configured to decrypt and verify the encrypted fourth information using the public key of the DHCP server.
31. The DHCP client according to claim 23, characterized in that,
the DHCP DISCOVER message further comprises a first common value, the DHCP OFFER message further comprises a second common value, and the DHCP server is configured to calculate a first shared key from the first common value and the second common value;
the DHCP client further comprises:
a unit configured to calculate the first shared key from the first common value and the second common value;
a unit configured to send a DHCP request (DHCP REQUEST) message to the DHCP server, the DHCP REQUEST message comprising third information encrypted with the first shared key, wherein the DHCP server is further configured to decrypt the encrypted third information using the first shared key and, after the verification succeeds, to perform operation processing according to the information in the DHCP REQUEST message;
a unit configured to receive a DHCP acknowledgement (DHCP ACK) message sent by the DHCP server, the DHCP ACK message comprising fourth information encrypted with the first shared key;
a unit configured to decrypt and verify the encrypted fourth information and, if the verification succeeds, to complete the operation processing according to the information in the DHCP ACK message.
32. The DHCP client according to claim 23, characterized in that,
the first information is a unique identifier of the DHCP client or the DHCP DISCOVER message itself;
the second information is the DHCP OFFER message itself.
33. The DHCP client according to claim 30 or claim 31, characterized in that,
the third information is the DHCP REQUEST message itself;
the fourth information is the DHCP ACK message itself.
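The shared-key variant of claims 9, 20 and 31, as an added Go example that is not part of the patent: the first and second common values are modelled as ECDH P-256 public keys carried in DISCOVER and OFFER, each side derives the first shared key from them, and REQUEST and ACK then travel as AES-GCM ciphertexts that the receiver must decrypt and verify before acting on them. The curve, the SHA-256 key derivation, AES-GCM with the message kind as associated data, and the message bodies are all assumptions, since the claims fix none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must aborts on errors a demo cannot recover from (key generation, randomness).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Peer is one side of the claim 20 variant: its common value is an ECDH public key sent
// in DISCOVER (client) or OFFER (server); aead is AES-GCM under the first shared key.
type Peer struct {
	priv *ecdh.PrivateKey
	aead cipher.AEAD
}

func NewPeer() *Peer { return &Peer{priv: must(ecdh.P256().GenerateKey(rand.Reader))} }

// CommonValue is what this side contributes to the exchange.
func (p *Peer) CommonValue() []byte { return p.priv.PublicKey().Bytes() }

// DeriveSharedKey computes the first shared key from the other side's common value
// (claim 20: each side computes it from both values). The KDF is a constructed one,
// SHA-256 over a label and the ECDH secret; NewPublicKey rejects an invalid curve point.
func (p *Peer) DeriveSharedKey(other []byte) error {
	pub, err := ecdh.P256().NewPublicKey(other)
	if err != nil {
		return err
	}
	secret, err := p.priv.ECDH(pub)
	if err != nil {
		return err
	}
	key := sha256.Sum256(append([]byte("dhcp-first-shared-key"), secret...))
	block, err := aes.NewCipher(key[:]) // 32-byte digest used as an AES-256 key
	if err != nil {
		return err
	}
	p.aead, err = cipher.NewGCM(block)
	return err
}

// Seal encrypts a REQUEST or ACK payload (the third/fourth information) under the
// first shared key, binding the message kind as associated data.
func (p *Peer) Seal(kind string, body []byte) []byte {
	nonce := make([]byte, p.aead.NonceSize())
	must(rand.Read(nonce))
	return append(nonce, p.aead.Seal(nil, nonce, body, []byte(kind))...)
}

// Open decrypts and verifies; on any error the receiver must not act on the message.
func (p *Peer) Open(kind string, msg []byte) ([]byte, error) {
	if p.aead == nil || len(msg) < p.aead.NonceSize() {
		return nil, errors.New(kind + ": no shared key or message too short")
	}
	n := p.aead.NonceSize()
	return p.aead.Open(nil, msg[:n], msg[n:], []byte(kind))
}

// Run drives DISCOVER/OFFER (common values) then REQUEST/ACK (encrypted) and
// returns the ACK body the client accepted after decryption and verification.
func Run(client, server *Peer) (string, error) {
	// DISCOVER carries the client's common value, OFFER the server's.
	if err := server.DeriveSharedKey(client.CommonValue()); err != nil {
		return "", err
	}
	if err := client.DeriveSharedKey(server.CommonValue()); err != nil {
		return "", err
	}
	req := client.Seal("REQUEST", []byte("request yiaddr=192.0.2.10"))
	body, err := server.Open("REQUEST", req) // the server acts only after this succeeds
	if err != nil {
		return "", err
	}
	out, err := client.Open("ACK", server.Seal("ACK", append([]byte("ack "), body...)))
	return string(out), err
}

func main() {
	fmt.Println(Run(NewPeer(), NewPeer()))
}
```

A listener who saw only the two common values cannot derive the key, but nothing in this variant by itself proves who contributed a common value; claim 20 depends on claim 12, whose signed DISCOVER and OFFER supply that authentication.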
CN201310683030.2A 2011-03-03 2011-03-23 Authentication method and system Active CN103685272B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310683030.2A CN103685272B (en) 2011-03-03 2011-03-23 Authentication method and system

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
CN201110051348.X 2011-03-03
CN2011100705653A CN102123157B (en) 2011-03-03 2011-03-23 Authentication method and system
CN201310683030.2A CN103685272B (en) 2011-03-03 2011-03-23 Authentication method and system

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN2011100705653A Division CN102123157B (en) 2011-03-03 2011-03-23 Authentication method and system

Publications (2)

Publication Number Publication Date
CN103685272A true CN103685272A (en) 2014-03-26
CN103685272B CN103685272B (en) 2017-02-22

Family

ID=44251609

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201310683030.2A Active CN103685272B (en) 2011-03-03 2011-03-23 Authentication method and system
CN2011100705653A Active CN102123157B (en) 2011-03-03 2011-03-23 Authentication method and system

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN2011100705653A Active CN102123157B (en) 2011-03-03 2011-03-23 Authentication method and system

Country Status (2)

Country Link
CN (2) CN103685272B (en)
WO (1) WO2012116590A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105049546A (en) * 2015-06-25 2015-11-11 瑞斯康达科技发展股份有限公司 Client terminal IP address allocation method through DHCP server and device thereof
CN105450401A (en) * 2014-06-27 2016-03-30 奇点新源国际技术开发(北京)有限公司 Data communication method and device
CN105721496A (en) * 2016-03-31 2016-06-29 中国人民解放军国防科学技术大学 Security authentication method for automatic distribution protocol of lightweight address
CN109495445A (en) * 2018-09-30 2019-03-19 青岛海尔科技有限公司 Identity identifying method, device, terminal, server and medium based on Internet of Things
CN111737124A (en) * 2020-06-17 2020-10-02 特艺(中国)科技有限公司 Method for activating background debugging environment
CN113114610A (en) * 2020-01-13 2021-07-13 杭州萤石软件有限公司 Stream taking method, device and equipment

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103685272B (en) * 2011-03-03 2017-02-22 上海华为技术有限公司 Authentication method and system
CN103067333B (en) 2011-10-18 2016-03-30 华为终端有限公司 The method of proof machine top box access identity and certificate server
CN103634266B (en) * 2012-08-21 2017-05-24 上海凌攀信息科技有限公司 A bidirectional authentication method for a server and a terminal
CN102970301B (en) * 2012-11-29 2015-04-29 无锡华御信息技术有限公司 Server and terminal admission control method and system based on dynamic host configuration protocol (DHCP)
TWI565277B (en) 2014-03-25 2017-01-01 鴻海精密工業股份有限公司 Method,server and client of configuring network parameters
WO2016065647A1 (en) 2014-10-31 2016-05-06 西安酷派软件科技有限公司 Mic verification method in d2d communications and d2d communications system
CN106411928A (en) * 2016-10-28 2017-02-15 上海斐讯数据通信技术有限公司 Authentication method and device of client access server and VDI system
CN107493294B (en) * 2017-09-04 2020-08-21 上海润欣科技股份有限公司 Safe access and management control method of OCF (optical clock and frequency conversion) equipment based on asymmetric encryption algorithm
CN109120738B (en) * 2018-08-17 2021-11-02 瑞斯康达科技发展股份有限公司 DHCP server and method for managing network internal equipment
CN109359977A (en) * 2018-09-10 2019-02-19 平安科技(深圳)有限公司 Network communication method, device, computer equipment and storage medium
CN111314269B (en) * 2018-12-11 2023-09-12 中兴通讯股份有限公司 Address automatic allocation protocol security authentication method and equipment
CN111654728B (en) * 2020-04-17 2023-10-20 视联动力信息技术股份有限公司 Certificate updating method and device

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100591013C (en) * 2006-09-05 2010-02-17 华为技术有限公司 Implementing authentication method and system
CN101083660A (en) * 2007-05-30 2007-12-05 北京润汇科技有限公司 Session control based IP network authentication method of dynamic address distribution protocol
CN101350809A (en) * 2007-07-19 2009-01-21 华为技术有限公司 Method and system for implementing authentication
US8239549B2 (en) * 2007-09-12 2012-08-07 Microsoft Corporation Dynamic host configuration protocol
CN101183932B (en) * 2007-12-03 2011-02-16 宇龙计算机通信科技(深圳)有限公司 Security identification system of wireless application service and login and entry method thereof
CN103685272B (en) * 2011-03-03 2017-02-22 上海华为技术有限公司 Authentication method and system

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105450401A (en) * 2014-06-27 2016-03-30 奇点新源国际技术开发(北京)有限公司 Data communication method and device
CN105049546A (en) * 2015-06-25 2015-11-11 瑞斯康达科技发展股份有限公司 Client terminal IP address allocation method through DHCP server and device thereof
CN105049546B (en) * 2015-06-25 2018-12-21 瑞斯康达科技发展股份有限公司 A kind of Dynamic Host Configuration Protocol server is the method and device of client distribution IP address
CN105721496A (en) * 2016-03-31 2016-06-29 中国人民解放军国防科学技术大学 Security authentication method for automatic distribution protocol of lightweight address
CN109495445A (en) * 2018-09-30 2019-03-19 青岛海尔科技有限公司 Identity identifying method, device, terminal, server and medium based on Internet of Things
CN113114610A (en) * 2020-01-13 2021-07-13 杭州萤石软件有限公司 Stream taking method, device and equipment
CN113114610B (en) * 2020-01-13 2022-11-01 杭州萤石软件有限公司 Stream taking method, device and equipment
CN111737124A (en) * 2020-06-17 2020-10-02 特艺(中国)科技有限公司 Method for activating background debugging environment

Also Published As

Publication number Publication date
CN103685272B (en) 2017-02-22
WO2012116590A1 (en) 2012-09-07
CN102123157B (en) 2013-12-04
CN102123157A (en) 2011-07-13


Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant