
CN108092988A - Unaware Certificate Authority network system and method based on dynamic creation temporary password - Google Patents

Info

Publication number
CN108092988A
Authority
CN
China
Prior art keywords
server
authentication
user
aaa server
unaware
Legal status
Granted
Application number
CN201711462151.9A
Other languages
Chinese (zh)
Other versions
CN108092988B (en)
Inventor
王君妍
王道佳
翁源
杨呈飞
丛群
Current Assignee
BEIJING WRD TECHNOLOGY Co Ltd
Original Assignee
BEIJING WRD TECHNOLOGY Co Ltd
Application filed by BEIJING WRD TECHNOLOGY Co Ltd
Priority to CN201711462151.9A
Publication of CN108092988A
Application granted
Publication of CN108092988B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068 Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0846 Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An unaware (transparent) authentication and authorization network system based on dynamically created temporary passwords, and its working method ("Certificate Authority" in the title is the machine rendering of the same term). The system comprises two kinds of IP accounting network, one equipped with a proxy AAA server and one without, whose network elements include: an authentication client, a DHCP server, a NAS server and the external Internet, Portal server, AAA server and proxy AAA server connected via it; and, added to both, an unaware authentication device for binding the authentication client or intelligent terminal. The unaware authentication device dynamically creates a one-time temporary password (OTP) corresponding to the user account and thereby realizes unaware authentication and authorization, sparing the user the trouble of manually entering a password on every non-first access. Because authentication uses the dynamically generated one-time temporary password, the user's original password is not used; and because the authentication process interacts only with trusted nodes, leakage of user account information is avoided and communication security is ensured.

Description

Unaware Certificate Authority network system and method based on dynamic creation temporary password
Technical field
The present invention relates to an unaware authentication and authorization network system based on dynamically created temporary passwords and to its working method, and belongs to the technical field of computer network management and control.
Background technology
AAA is the abbreviation of the three English words Authentication, Authorization and Accounting. It denotes a mechanism or system of network security management that handles users' requests to access the network and provides authentication, authorization, accounting and account services for them; its main function is to manage user access to the network and to give users who hold access rights the appropriate level of service. AAA uses a client/server model: the client runs on the network access server NAS (Network Access Server), and client information is managed centrally by the AAA server. The AAA server usually cooperates with network element devices such as the network access control, the gateway server and the database that holds user information and directories.
In existing IP accounting networks (networks of different types that charge by traffic volume or by online time), the common solution at present is to use the Portal protocol in cooperation with an AAA server to perform authentication, authorization and accounting control and management of the client. Referring to Fig. 1, its typical networking mode and structure are introduced:
In a system of this networking architecture, the network elements are: an authentication client, a NAS server, a Dynamic Host Configuration Protocol (DHCP) server, a Portal server, an AAA server and the external Internet reached via the NAS. The authentication client is a user terminal computer or an intelligent terminal such as a smartphone or set-top box. The DHCP server allocates an IP address to the authentication client when it accesses the network. The NAS server is the collective name for gateway devices such as routers and accounting gateways; its role is to control and manage the authentication client's network access: before the client completes authentication, all of its HTTP requests are redirected to the Portal server; during client authentication it interacts with the Portal server and the AAA server to complete the client's identity authentication, authorization and accounting functions; after the client has been authenticated (including identity authentication and authorization), it allows the client to access the authorized network resources. The Portal server is the server system that receives the authentication client's authentication request and provides the web portal and authentication interface; it passes the client's authentication information to the NAS server, which interacts with the AAA server to complete authentication, authorization and accounting for the client.
The interaction among the above authentication client, NAS server, Portal server and AAA server is the traditional Portal authentication flow of current network systems, and its process is:
(1) The authentication client sends an IP address request to the DHCP server, and the DHCP server issues an IP address to the authentication client.
(2) While still unauthenticated, the authentication client enters a URL (Uniform Resource Locator) in the browser to make an HTTP access request; when the request passes through the NAS server it is redirected to the web authentication page of the Portal server.
(3) The authentication information entered by the authentication client in the browser is submitted to the Portal server; after receiving the user's authentication information, the Portal server sends it to the NAS server.
(4) The NAS server communicates with the AAA server and sends the client's authentication information to it, so that the AAA server performs the authentication and authorization operations for the client.
(5) After authentication and authorization succeed, the NAS server opens the authentication client's access to the Internet, allowing the client's IP address to reach the Internet; at the same time the NAS server sends accounting (i.e. charging) information to the AAA server.
(6) When the authentication client ends its Internet access, it visits the logout page of the Portal server and submits a request to terminate access; the Portal server notifies the NAS server to disconnect the client from the Internet and to forbid the client's IP address from accessing the Internet. The NAS server notifies the AAA server to end accounting for the client.
In addition, if the authentication client does not log out of the Internet connection actively (for example, it directly disconnects the network connection, shuts down the operating system, or a mobile client turns off its Wi-Fi), the NAS server disconnects the client's IP address from the Internet after the configured idle timeout and notifies the AAA server to stop accounting for the client.
Based on the above analysis, the current accounting management of authentication clients has the following disadvantages:
Every time the authentication client accesses the network it must enter the web authentication page and manually enter its account and password for identity authentication before it can access the network. Some terminal devices without a graphical operating interface (such as printers and special-purpose servers) cannot be authenticated through the Portal server at all. How to improve the identity verification and accounting flow when a client requests access to the network system has therefore become a new problem of concern to technical personnel in the industry.
The content of the invention
In view of this, the object of the present invention is to provide an unaware authentication and authorization network system based on dynamically created temporary passwords and its working method. The system and method of the invention are applicable to both networking modes: a network system equipped with a proxy AAA server and one without a proxy AAA server. The system adds an unaware authentication device, which binds the authentication client or intelligent terminal and dynamically creates a one-time temporary password corresponding to its user account, thereby realizing unaware authentication and authorization and sparing the user the trouble of manually entering the account and password on every non-first access to the network. At the same time, because the authentication process uses a dynamically generated one-time temporary password, the user's original password need not be used; and since interaction takes place only with trusted nodes (the DHCP server, NAS server, Portal server, unaware authentication device and AAA server), the invention also avoids the risk of leaking the user's account or password information and ensures communication security.
To achieve the above object, the present invention provides an unaware authentication and authorization network system based on dynamically created temporary passwords. The system comprises two kinds of IP accounting network system, one equipped with a proxy AAA server and one without, and both include the following network elements: an authentication client, a Dynamic Host Configuration Protocol (DHCP) server, a network access server NAS (Network Access Server) and the external Internet, Portal server, AAA server and proxy AAA server connected via it. It is characterized in that:
Both IP accounting network systems of the unaware authentication and authorization system add an unaware authentication device for binding the authentication client or intelligent terminal. The unaware authentication device dynamically creates a one-time temporary password OTP (One-time Password) corresponding to the user account, realizing unaware authentication and authorization and sparing the user the trouble of manually entering a password every time they go online; because authentication uses the dynamically generated one-time temporary password, the user's original password is not used; and during authentication only trusted nodes are involved, which avoids leakage of user account information and ensures communication security. Wherein:
The authentication client is a user terminal computer or an intelligent terminal such as a smartphone or set-top box;
The DHCP server allocates an IP address to the authentication client when it accesses the network;
The NAS server and the external Internet connected via it: NAS is the collective name for gateway devices including routers and accounting gateways, and it controls and manages the authentication client's network access. Before the client completes authentication, it redirects all of the client's HTTP requests to the Portal server; during the client's authentication it interacts with the unaware authentication device, the Portal server, the proxy AAA server and/or the AAA server to complete the client's identity authentication, security authentication, authorization and accounting functions; after the client completes authentication and authorization, it allows the client to access the authorized network resources;
The unaware authentication device interacts with the Portal server, the DHCP server, the NAS server and the proxy AAA server or AAA server, performs the binding of the authentication client or intelligent terminal, and dynamically creates the corresponding one-time temporary password OTP to realize unaware authentication;
The Portal server is the access server that receives the authentication client's authentication request and provides the web portal and authentication interface;
The AAA server coordinates with the above network elements to perform the complete identity authentication, security authentication, authorization and accounting functions for the authentication client, and forces the user offline when needed;
The proxy AAA server is present only in the network system equipped with a proxy AAA server; it is responsible for verifying the authentication client's one-time temporary password OTP and, after processing, forwards the AAA messages other than OTP authentication to the AAA server.
To achieve the above object, the present invention also provides a working method of the unaware authentication and authorization network system based on dynamically created temporary passwords, characterized in that: when the authentication client accesses the network for the first time, the user manually enters the user account and original password to perform identity authentication and authorization; on each subsequent access by that authentication client, the DHCP server, while issuing an IP address to the client, also interacts with the unaware authentication device, which looks up the user's Internet account according to the client's characteristic information and dynamically generates one corresponding one-time temporary password OTP for that account; the unaware authentication device then initiates a login request and identity authentication to the NAS server with the user account and the corresponding OTP, so that the user no longer needs to manually enter the account and password each time they go online, realizing unaware authentication while avoiding leakage of the user's password information and ensuring communication security.
The innovative advantages and technical features of the unaware authentication and authorization network system based on dynamically created temporary passwords and of its working method are:
The key technology of the invention is to add an unaware authentication device to the system, to bind the authentication client or intelligent terminal at that device, and to dynamically create a one-time temporary password corresponding to its user account, thereby realizing unaware authentication and authorization.
Other key technologies of the invention include: the unaware authentication device can dynamically create, for an authentication client or intelligent terminal whose account has been bound, a one-time temporary password with a set validity period. The dynamically generated one-time temporary password is produced randomly, is valid for exactly one authentication within the set validity period, and becomes invalid once it has been used for authentication; a temporary password that has not yet been used for authentication likewise becomes invalid once the set time limit is exceeded. In addition, the AAA service in the system can complete the verification of the user's identity according to the one-time temporary password, while the remaining authorization and accounting process steps are still carried out according to the original flow.
The invention solves the current technical deficiency that unaware authentication cannot be carried out safely and effectively under the Portal authentication mode. With the system and method of the invention, once a user has completed binding of the terminal, the user can access the network directly and automatically on subsequent accesses, without, as previously, having to manually enter the account and password for Portal authentication on every non-first access. Furthermore, the authentication process does not involve operations on the user account and original password but uses a dynamically generated one-time temporary password, and communication takes place only with trusted network elements such as the DHCP server, NAS server, Portal server, unaware authentication device and AAA server; even if the user changes the account password after the first binding has been completed, no further operating steps are required, so leakage of the user's account or password is avoided and communication security is ensured.
The system and its working method can cooperate with NAS devices from multiple commercial vendors (multiple gateway network elements including routers and gateways), and are applicable both to network systems with a proxy AAA server and to those without one. The invention changes only a small part of the AAA server's identity authentication flow: in a network system with a proxy AAA server, the identity authentication function of the AAA server is handed over to the proxy AAA server; in a network system without a proxy AAA server, the AAA server's identity authentication operation needs one additional verification step for the one-time temporary password. The subsequent authorization and accounting processes are unchanged and do not affect the user's charging policy (including the situation in which identity authentication succeeds but access authorization is refused). The invention is also compatible with the standard control flow, i.e. it still supports Portal authentication; because it does not change the interface flow or business processing logic of any NAS server or AAA server, its compatibility is very strong and it is easy to implement and extend.
In short, the system and its working method have good prospects for popularization and application.
Description of the drawings
Fig. 1 is a schematic diagram of the structure of the IP accounting network system used at present.
Fig. 2 is a schematic diagram of the structure of one unaware authentication and authorization network system based on dynamically created temporary passwords according to the invention: the system equipped with a proxy AAA server.
Fig. 3 is a schematic diagram of the structure of another unaware authentication and authorization network system based on dynamically created temporary passwords according to the invention: the system without a proxy AAA server.
Fig. 4 is a flow chart of the operating steps of the working method of the unaware authentication and authorization network system based on dynamically created temporary passwords according to the invention.
Fig. 5 is a flow chart of operating step 1 of the working method of the unaware authentication and authorization network system of the invention.
Fig. 6 is a flow chart of operating step 2 of the working method of the unaware authentication and authorization network system of the invention.
Specific embodiment
To make the object, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings.
Referring to Fig. 2 and Fig. 3, the structure of the unaware authentication and authorization network system based on dynamically created temporary passwords according to the invention comprises two kinds of IP accounting network system: one equipped with a proxy AAA server (as shown in Fig. 2) and one without a proxy AAA server (as shown in Fig. 3).
Both network systems include the following network elements: an authentication client, a Dynamic Host Configuration Protocol (DHCP) server, a network access server NAS and the external Internet, Portal server, AAA server and proxy AAA server connected via it, together with the key device added by the invention: the unaware authentication device for binding the authentication client or intelligent terminal. The unaware authentication device dynamically creates a one-time temporary password OTP corresponding to the user account, realizing unaware authentication and authorization and sparing the user the trouble of manually entering a password every time they go online; because authentication uses the dynamically generated one-time temporary password, the user's original password is not used; and during authentication interaction takes place only with trusted nodes (the DHCP server, NAS server, Portal server, unaware authentication device, AAA server and proxy AAA server), which avoids leakage of user account information and ensures communication security. Wherein:
The authentication client is a user terminal computer or an intelligent terminal such as a smartphone or set-top box.
The DHCP server allocates an IP address to the authentication client when it accesses the network.
The NAS server and the external Internet connected via it: NAS is the collective name for gateway devices including routers and accounting gateways, and it controls and manages the authentication client's network access. Before the client completes authentication, it redirects all of the client's HTTP requests to the Portal server; during the client's authentication it interacts with the unaware authentication device, the Portal server, the proxy AAA server and/or the AAA server to complete the client's identity authentication, security authentication, authorization and accounting functions; after the client completes authentication and authorization, it allows the client to access the authorized network resources.
The unaware authentication device interacts with the Portal server, the DHCP server, the NAS server and the proxy AAA server or AAA server, performs the binding of the authentication client or intelligent terminal, and dynamically creates the corresponding one-time temporary password OTP to realize unaware authentication.
The Portal server is the access server that receives the authentication client's authentication request and provides the web portal and authentication interface.
The AAA server coordinates with the above network elements to perform the complete identity authentication, security authentication, authorization and accounting functions for the authentication client, and forces the user offline when needed.
The proxy AAA server is present only in the network system equipped with a proxy AAA server; it is responsible for verifying the authentication client's one-time temporary password OTP and, after processing, forwards the AAA messages other than OTP authentication to the AAA server.
The invention also provides a working method of the unaware authentication and authorization network system based on dynamically created temporary passwords: when the authentication client accesses the network for the first time, the user manually enters the user account and original password to perform identity authentication and authorization; on each subsequent access by that authentication client, the DHCP server, while issuing an IP address to the client, also interacts with the unaware authentication device, which finds the user's Internet account according to the client's characteristic information (including at least its MAC address, i.e. hardware address) and dynamically generates one corresponding one-time temporary password OTP for that account; the unaware authentication device then initiates a login request and identity authentication to the NAS server with the user account and the corresponding OTP, so that the user no longer needs to manually enter the account and password each time they go online, realizing unaware authentication; leakage of the user's password information is avoided and communication security is ensured.
Referring to Fig. 4, the concrete operating steps of the working method of the invention are introduced:
Step 1: when the authentication client accesses the network for the first time, the user manually enters the user account and original password to perform identity authentication and authorization.
Step 2: on a non-first access by the authentication client, the DHCP server, while issuing an IP address to the client, interacts with the unaware authentication device using the client's characteristic information, which includes at least its media access control (MAC) address. The unaware authentication device looks up the Internet account bound to the client and, once it has dynamically generated a one-time temporary password OTP for that account, initiates a login request and identity authentication to the NAS server with the user account and its corresponding OTP. This realizes unaware authentication and authorization, so that the user need not repeat the troublesome operation of manually entering the original password for identity authentication each time they go online, and communication is secure.
Referring to Fig. 5, the concrete operating steps of step 1 of the working method of the invention are introduced:
Step 11: the authentication client initiates an IP address request to the DHCP server.
Step 12: the DHCP server issues an IP address to the authentication client.
Step 13: the authentication client initiates an HTTP access request, which the NAS server redirects to the web portal and authentication interface of the Portal server.
Step 14: the user enters identity authentication information, including the user account and original password, in the web portal and authentication interface; the Portal server sends this authentication information to the NAS server.
Step 15: the NAS server sends the identity authentication information to the proxy AAA server or to the AAA server; the proxy AAA server forwards the identity authentication request to the upstream AAA server for verification of the authentication information, or the AAA server performs the verification directly.
If verification fails, the verification result is returned to the NAS server, the NAS server forbids the authentication client from accessing any network resources other than the web portal and authentication interface, and the flow ends.
If verification passes, the verification result is returned to the NAS server, the NAS server returns it to the Portal server, and step 16 is executed.
Step 16: the NAS server lets the authentication client through, allowing it to access network resources, and sends an accounting message to the proxy AAA server, or sends the accounting message directly to the AAA server.
The unaware authentication device receives from the Portal server the verification result information of the authentication client that has passed verification, including the Internet account and its associated IP address, obtains from the DHCP server the identity characteristic information of that client, including its MAC address, and then automatically performs and completes the binding of the authentication client to the user account.
Step 17: the proxy AAA server forwards the accounting message to the upstream AAA server, so that the AAA server uses the accounting message to trigger detection of the user going online and of the charging policy, and performs the accounting operation.
Or the NAS server sends the accounting message directly to the AAA server, which uses the accounting message to trigger detection of the user going online and of the charging policy, and performs the accounting operation.
When the user's Internet charges are in arrears and the user must be forced offline, the AAA server uses a CoA (Change of Authorization) message to force the authentication client offline.
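The three mechanisms described above, the OTP validity rules under "Other key technologies" (random, valid exactly once within the validity period, invalid after use or after the time limit), the binding performed in step 16 (joining the Portal's verified account and IP address with the DHCP server's MAC and IP address) and the step 2 login in which the device presents account plus OTP to the NAS, are modelled together below. This Python is an added illustration, not code from the patent or its assignee; the 30-second validity period, the 16-byte OTP, the in-memory binding table, the one-outstanding-OTP-per-account rule and the sample account, MAC and IP values are constructed assumptions, and the proxy AAA check also stands in for the AAA server of the network without a proxy.

```python
import hmac
import secrets
from dataclasses import dataclass


class Clock:
    """Controllable time source so the expiry rule can be exercised offline."""

    def __init__(self, now=0.0):
        self.now = now

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


@dataclass
class OtpRecord:
    otp: str
    issued_at: float
    used: bool = False


class ProxyAaaServer:
    """Holds the one outstanding OTP per account and applies the validity rules.

    In the network without a proxy, the AAA server itself performs this check.
    """

    def __init__(self, clock, lifetime_sec):
        self.clock = clock
        self.lifetime_sec = lifetime_sec  # the validity period; 30 s is an assumption
        self.outstanding = {}  # account -> OtpRecord

    def register(self, account, otp):
        # A fresh OTP replaces any earlier one issued for the same account.
        self.outstanding[account] = OtpRecord(otp, self.clock())

    def verify(self, account, otp):
        rec = self.outstanding.get(account)
        if rec is None or rec.used:
            return False  # nothing issued, or already consumed once
        if self.clock() - rec.issued_at > self.lifetime_sec:
            del self.outstanding[account]  # expired even though never used
            return False
        if not hmac.compare_digest(rec.otp, otp):
            return False  # wrong value; the stored OTP remains outstanding
        rec.used = True  # valid exactly once within the window
        return True


class UnawareAuthDevice:
    """Binds a terminal's MAC address to an Internet account and mints OTPs."""

    def __init__(self, proxy_aaa):
        self.proxy_aaa = proxy_aaa
        self.bindings = {}  # MAC -> account (assumed in-memory table)

    def bind(self, portal_result, dhcp_info):
        """Step 16: join the Portal's verified (account, IP) with DHCP's (MAC, IP)."""
        if portal_result["ip"] != dhcp_info["ip"]:
            return False  # the two records do not describe the same terminal
        self.bindings[dhcp_info["mac"].lower()] = portal_result["account"]
        return True

    def on_dhcp_lease(self, mac):
        """Step 2: DHCP reports a lease; look up the bound account and mint an OTP."""
        account = self.bindings.get(mac.lower())
        if account is None:
            return None  # unbound terminal: the Portal flow of step 1 applies
        otp = secrets.token_hex(16)  # random one-time value
        self.proxy_aaa.register(account, otp)
        return account, otp


def nas_login(proxy_aaa, account, otp):
    """The NAS forwards the (account, OTP) login; True means the client is let through."""
    return proxy_aaa.verify(account, otp)


def demo():
    """First login with a fresh OTP succeeds; a replay of the same OTP is refused."""
    clock = Clock()
    proxy = ProxyAaaServer(clock, lifetime_sec=30)
    device = UnawareAuthDevice(proxy)
    # Constructed sample data standing in for the Portal and DHCP records.
    device.bind({"account": "user01", "ip": "10.0.0.23"},
                {"mac": "AA:BB:CC:DD:EE:01", "ip": "10.0.0.23"})
    account, otp = device.on_dhcp_lease("aa:bb:cc:dd:ee:01")
    first = nas_login(proxy, account, otp)
    replay = nas_login(proxy, account, otp)
    return first, replay  # (True, False)
```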
It should be noted that in step 1, if the authentication client is an intelligent terminal that cannot use a browser to access the WEB portal, such as a set-top box, the following two steps are performed instead:
Step 13a, the user accesses the WEB portal and authentication interface from another client.
Step 14a, the user manually selects, in the authentication interface, the IP address of the authentication client to be bound; the Portal server sends the authentication information and the selected client information to the NAS server.
The other operations in steps 11 to 17 are unchanged.
It should also be noted that steps 14 and 15 of the above method of the present invention have an alternative: instead of having the NAS server check whether the user identity is legitimate, the unaware authentication device obtains the user account, original password and IP address of the authentication client directly from the Portal server and performs the check itself; the specific operations are as follows:
Step 14b, the user enters the authentication information, including the user account and original password, in the WEB portal and authentication interface; the Portal server sends the authentication information directly to the unaware authentication device.
Step 15b, the unaware authentication device sends the identity authentication information (the client's user account, original password and IP address) to the proxy AAA server or to the AAA server; the proxy AAA server forwards the request to the upstream AAA server for verification, or the AAA server performs the verification directly.
The handling of whether verification passes is identical to step 15 above and is not repeated here.
Referring to Fig. 6, the concrete operation steps of step 2 of the method of the present invention are introduced:
Step 21, the authentication client sends an IP address request to the DHCP server.
Step 22, the DHCP server issues an IP address to the authentication client and sends the client's online information to the unaware authentication device; the unaware authentication device finds the internet account bound to the user according to the client's characteristic information, and dynamically generates a one-time temporary password (OTP) for that account.
In this step, the one-time temporary password OTP that the unaware authentication device generates for the bound internet account carries a single-use working time limit: within the set time limit it is valid for exactly one authentication and becomes invalid once used; if the set time limit is exceeded, the password likewise becomes invalid even if it has not yet been used for authentication.
Step 23, the unaware authentication device initiates a login request to the NAS server with the internet account, sending the account and the one-time temporary password created in step 22 to the NAS server for identity authentication.
Step 24, after the NAS server receives the login request with the user account and the corresponding one-time temporary password, it sends these data to the proxy AAA server or to the AAA server for verification.
Step 25, the proxy AAA server or the AAA server receives the user account and temporary password and first compares it against the account's actual original password; if that verification fails, it then verifies the correctness of the temporary password with the unaware authentication device.
If verification fails, the failure result is returned to the NAS server, which forbids the authentication client from accessing any network resource other than the WEB portal and the authentication interface, and the flow ends; or the user continues with the Portal server's conventional authentication process by manually entering the user account and original password.
If verification passes, the result is sent to the NAS server, which releases the authentication client and sends an accounting message to the proxy AAA server or to the AAA server, after which step 26 is executed.
Step 26, the proxy AAA server forwards the accounting message and user account to the upstream AAA server, which uses the accounting message to trigger detection of the user coming online and of the charging policy, and performs the billing operation.
Or, after the AAA server receives the accounting message from the NAS server, it directly uses the accounting message and user account to trigger detection of the user coming online and of the charging policy, and performs the billing operation.
Step 27, when the user's internet balance is insufficient and the user must be forced offline, the AAA server sends a Change of Authorization (CoA) message to the proxy AAA server, which forwards it to the NAS server; the NAS server forces the unaware user offline and returns an accounting message.
Or the AAA server sends the CoA message directly to the NAS server, which forces the unaware user offline and returns an accounting message.
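As an added illustration, not the patent's own code, the following Python models the device-side logic of step 16 (binding after a passed portal login) and steps 22 to 25 (OTP issued on a DHCP lease, the AAA server's password-then-OTP check, single use and time limit); the class and function names, the 30-second lifetime and the sample account and MAC address are assumptions.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed "working time limit" of a disposable password; the patent leaves the value open.
OTP_LIFETIME_SECONDS = 30.0


@dataclass
class OtpRecord:
    mac: str
    otp: str
    issued_at: float
    used: bool = False


class UnawareAuthDevice:
    """Hypothetical model of the unaware authentication device: holds MAC-to-account
    bindings (step 16) and issues / checks single-use temporary passwords (steps 22, 25)."""

    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable so expiry can be tested
        self._bindings: dict[str, str] = {}      # MAC address -> internet account
        self._otps: dict[str, OtpRecord] = {}    # internet account -> current OTP

    def bind_after_portal_auth(self, account: str, mac: str) -> None:
        # Step 16: called once the Portal server has reported a passed verification for
        # `account` and the DHCP server has supplied the client's MAC address.
        self._bindings[mac] = account

    def on_dhcp_lease(self, mac: str) -> tuple[str, str] | None:
        # Step 22: the DHCP server reports a client coming online. A bound MAC gets a
        # fresh OTP; an unbound MAC gets None and must go through the portal (step 1).
        account = self._bindings.get(mac)
        if account is None:
            return None
        otp = secrets.token_urlsafe(16)          # 128 bits from the OS CSPRNG
        self._otps[account] = OtpRecord(mac=mac, otp=otp, issued_at=self._clock())
        return account, otp

    def verify_otp(self, account: str, candidate: str) -> bool:
        # Step 25, second check: the OTP is valid once, and only inside its time limit.
        rec = self._otps.get(account)
        if rec is None or rec.used:
            return False
        if self._clock() - rec.issued_at > OTP_LIFETIME_SECONDS:
            del self._otps[account]              # expired while unused: discard it
            return False
        if not hmac.compare_digest(rec.otp.encode(), candidate.encode()):
            return False
        rec.used = True                          # consumed by this authentication
        return True


class AaaServer:
    """Hypothetical AAA (or proxy AAA) server for step 25: the submitted secret is checked
    against the account's original password first, then as an OTP via the device."""

    def __init__(self, original_passwords: dict[str, str], device: UnawareAuthDevice):
        # Plaintext passwords mirror the patent's wording; a real AAA store holds hashes.
        self._passwords = original_passwords
        self._device = device

    def authenticate(self, account: str, secret: str) -> str:
        stored = self._passwords.get(account)
        if stored is not None and hmac.compare_digest(stored.encode(), secret.encode()):
            return "accept-original"             # manual portal login (step 15)
        if self._device.verify_otp(account, secret):
            return "accept-otp"                  # unaware login (step 25)
        return "reject"                          # NAS keeps the client on the portal only


def run_scenario() -> list[str]:
    """Walks the flows of steps 15-16 and 22-25 on constructed data and returns the
    AAA decisions in order so that they can be checked."""
    now = [1_700_000_000.0]                      # fake clock, advanced by hand
    device = UnawareAuthDevice(clock=lambda: now[0])
    aaa = AaaServer({"alice": "orig-Passw0rd"}, device)     # constructed account
    mac = "aa:bb:cc:dd:ee:ff"                                 # constructed client MAC
    results = []
    # First access: the user types the original password at the portal, then the device binds.
    results.append(aaa.authenticate("alice", "orig-Passw0rd"))
    device.bind_after_portal_auth("alice", mac)
    # Later access: DHCP lease -> OTP issued -> NAS logs in with it on the user's behalf.
    account, otp = device.on_dhcp_lease(mac)
    results.append(aaa.authenticate(account, otp))
    # Presenting the same OTP again is refused: single use.
    results.append(aaa.authenticate(account, otp))
    # An OTP left unused beyond the working time limit is refused: time limit.
    account, otp2 = device.on_dhcp_lease(mac)
    now[0] += OTP_LIFETIME_SECONDS + 1
    results.append(aaa.authenticate(account, otp2))
    # An unknown MAC gets no OTP and is sent through the portal login instead.
    results.append("portal" if device.on_dhcp_lease("11:22:33:44:55:66") is None else "otp")
    return results


if __name__ == "__main__":
    print(run_scenario())
```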
The invention has undergone multiple implementation experiments. One simulated implementation was carried out in the fifth-phase optimisation of the Beijing University of Posts and Telecommunications campus network: the structure and working method of the unaware authentication and authorisation system based on dynamically created temporary passwords were deployed in a network system without a proxy AAA server. Authentication clients connect through the campus network to the NAS server, DHCP server, Portal server, AAA server and unaware authentication device. For an authentication client accessing the network for the first time, the user manually enters the user account and original password for authentication, and the unaware authentication device binds the terminal device to the user account and creates the corresponding one-time temporary password. For a client that is not accessing the network for the first time, the unaware authentication device initiates the login request with the one-time temporary password corresponding to the user account of that terminal device, without manual authentication by the user.
Repeated tests of the embodiment of the present invention were successful and achieved the object of the invention.

Claims (8)

1. An unaware authentication and authorisation network system based on dynamically created temporary passwords, the system comprising two kinds of IP charging network system, one equipped with a proxy AAA server and one without, each of which comprises the following network elements: an authentication client, a Dynamic Host Configuration Protocol (DHCP) server, a Network Access Server (NAS) with the external Internet network connected through it, a Portal server, an AAA server and a proxy AAA server; characterised in that:
in both IP charging network systems of the unaware authentication and authorisation system, an unaware authentication device is added for binding authentication clients or intelligent terminals; the unaware authentication device dynamically creates a one-time temporary password (OTP) corresponding to the user account, realising unaware authentication and authorisation and sparing the user the inconvenience of entering a password manually at every login; at the same time, because the dynamically generated one-time temporary password is used for authentication, the user's original password is not used; and during the authentication process the device interacts only with trusted nodes, avoiding leakage of user account information and ensuring communication security; wherein:
the authentication client is a user terminal computer or an intelligent terminal such as a smart phone or set-top box;
the DHCP server allocates an IP address to the authentication client when it accesses the network;
the NAS server, with the external Internet network connected through it, NAS being a general term for gateway equipment including routers and charging gateways, controls and manages the network access of authentication clients: before an authentication client completes authentication, all of its Hypertext Transfer Protocol (HTTP) requests are redirected to the Portal server; during the authentication process it interacts with the unaware authentication device, the Portal server, the proxy AAA server and/or the AAA server to complete identity authentication, security authentication, authorisation and charging for the authentication client; after the authentication client completes authentication and authorisation, it is allowed to access the authorised network resources;
the unaware authentication device interacts with the Portal server, the DHCP server, the NAS server and the proxy AAA server or AAA server, performs the binding of the authentication client or intelligent terminal, and dynamically creates the corresponding one-time temporary password OTP, realising unaware authentication;
the Portal server is the access server that receives authentication requests from authentication clients and provides the WEB portal and authentication interface;
the AAA server coordinates with the above network elements to perform complete identity authentication, security authentication, authorisation and charging for the authentication client, and forces the user offline when required;
the proxy AAA server is present only in the network system equipped with a proxy AAA server; it authenticates the one-time temporary password OTP of the authentication client, and forwards AAA messages other than OTP authentication to the AAA server after processing them.
2. The system according to claim 1, characterised in that the trusted nodes include the DHCP server, the NAS server, the Portal server, the unaware authentication device, the AAA server and the proxy AAA server.
3. A working method of the unaware authentication and authorisation network system based on dynamically created temporary passwords according to claim 1, characterised in that: when an authentication client accesses the network for the first time, its user account and original password are entered manually for identity authentication and authorisation; on each subsequent access by the authentication client, the DHCP server, while issuing an IP address to the client, also interacts with the unaware authentication device, which finds the user's internet account according to the client's characteristic information and dynamically generates a corresponding one-time temporary password OTP for that account; the unaware authentication device then initiates a login request and identity authentication to the NAS server with the account and the corresponding one-time temporary password OTP, so that the user no longer needs to enter the account and password manually at every login, realising unaware authentication while avoiding leakage of the user's password and ensuring communication security.
4. The system according to claim 1, characterised in that the characteristic information of the client includes at least its Media Access Control (MAC) address, i.e. its hardware address.
5. The working method according to claim 3, characterised in that the method comprises the following operating steps:
Step 1, when the authentication client accesses the network for the first time, its user account and original password are entered manually for identity authentication and authorisation; step 1 comprises the following operations:
(11) the authentication client sends an IP address request to the DHCP server;
(12) the DHCP server issues an IP address to the authentication client;
(13) the authentication client initiates an HTTP access request, which the NAS server redirects to the WEB portal and authentication interface of the Portal server;
(14) the user enters the identity authentication information, including the user account and original password, in the WEB portal and authentication interface, and the Portal server sends the authentication information to the NAS server;
(15) the NAS server sends the authentication information to the proxy AAA server or to the AAA server; the proxy AAA server forwards the identity authentication request to the upstream AAA server, which verifies the authentication information; or the AAA server performs the verification directly;
if verification fails, the verification result is returned to the NAS server, which forbids the authentication client from accessing any network resource other than the WEB portal and the authentication interface, and the flow ends;
if verification passes, the verification result is returned to the NAS server, which returns it to the Portal server, and step (16) is executed;
(16) the NAS server releases the authentication client, allowing it to access network resources, and sends an accounting message to the proxy AAA server; or the NAS server sends the accounting message directly to the AAA server;
the unaware authentication device receives from the Portal server the verified result for the authentication client, including the internet account and its associated IP address, and obtains from the DHCP server the client's identity characteristic information, including its MAC address; it then automatically binds the authentication client to the user account;
(17) the proxy AAA server forwards the accounting message to the upstream AAA server, which uses the accounting message to trigger detection of the user coming online and of the charging policy, and performs the billing operation;
or the NAS server sends the accounting message directly to the AAA server, which uses it to trigger detection of the user coming online and of the charging policy, and performs the billing operation;
when the user's internet balance is insufficient and the user must be forced offline, the AAA server uses a Change of Authorization (CoA) message to force the authentication client offline;
Step 2, when the authentication client accesses the network other than for the first time, the DHCP server, while issuing an IP address to the client, interacts with the unaware authentication device according to the client's characteristic information, which includes at least its Media Access Control (MAC) address; the unaware authentication device looks up the internet account bound to the authentication client, dynamically generates a one-time temporary password OTP for that account, and then initiates a login request and identity authentication to the NAS server with the account and its corresponding one-time temporary password OTP, realising unaware authentication and authorisation so that the user need not repeat the troublesome operation of manually entering the original password at every login, while communication security is maintained;
step 2 comprises the following operations:
(21) the authentication client sends an IP address request to the DHCP server;
(22) the DHCP server issues an IP address to the authentication client and sends the client's online information to the unaware authentication device; the unaware authentication device finds the internet account bound to the user according to the client's characteristic information, and dynamically generates a one-time temporary password OTP for that account;
(23) the unaware authentication device initiates a login request to the NAS server with the internet account, sending the account and the one-time temporary password created in step (22) to the NAS server for identity authentication;
(24) after the NAS server receives the login request with the user account and the corresponding one-time temporary password, it sends these data to the proxy AAA server or to the AAA server for verification;
(25) the proxy AAA server or the AAA server receives the user account and temporary password and first compares it against the account's actual original password; if that verification fails, it then verifies the correctness of the temporary password with the unaware authentication device;
if verification fails, the failure result is returned to the NAS server, which forbids the authentication client from accessing any network resource other than the WEB portal and the authentication interface, and the flow ends; or the user continues with the Portal server's conventional authentication process by manually entering the user account and original password;
if verification passes, the result is sent to the NAS server, which releases the authentication client and sends an accounting message to the proxy AAA server or to the AAA server, after which step (26) is executed;
(26) the proxy AAA server forwards the accounting message and user account to the upstream AAA server, which uses the accounting message to trigger detection of the user coming online and of the charging policy, and performs the billing operation;
or, after the AAA server receives the accounting message from the NAS server, it directly uses the accounting message and user account to trigger detection of the user coming online and of the charging policy, and performs the billing operation;
(27) when the user's internet balance is insufficient and the user must be forced offline, the AAA server sends a Change of Authorization (CoA) message to the proxy AAA server, which forwards it to the NAS server; the NAS server forces the unaware user offline and returns an accounting message;
or the AAA server sends the CoA message directly to the NAS server, which forces the unaware user offline and returns an accounting message.
6. The working method according to claim 5, characterised in that in step 1 of the method, if the authentication client is an intelligent terminal that cannot use a browser to access the WEB portal, such as a set-top box, the following two steps are performed instead:
(13) the user accesses the WEB portal and authentication interface from another client;
(14) the user manually selects, in the authentication interface, the IP address of the authentication client to be bound, and the Portal server sends the authentication information and the selected client information to the NAS server;
the other operations of steps (11) to (17) are unchanged.
7. The working method according to claim 5 or 6, characterised in that an alternative for steps (14) and (15) of the method is: the unaware authentication device does not have the NAS server check whether the user identity is legitimate, but obtains the user account, original password and IP address of the authentication client directly from the Portal server and performs the check itself; comprising the following operations:
(14a) the user enters the identity authentication information, including the user account and original password, in the WEB portal and authentication interface, and the Portal server sends the authentication information directly to the unaware authentication device;
(15a) the unaware authentication device sends the identity authentication information (the client's user account, original password and IP address) to the proxy AAA server or to the AAA server; the proxy AAA server forwards the identity authentication request to the upstream AAA server, which verifies the authentication information; or the AAA server performs the verification directly;
the handling of whether verification passes is identical to step (15).
8. The working method according to claim 5, characterised in that in step (22), the one-time temporary password OTP that the unaware authentication device dynamically generates for the internet account bound to the authentication client carries a single-use working time limit: within the set time limit it is valid for exactly one authentication and becomes invalid once used; if the set time limit is exceeded, the password likewise becomes invalid even if it has not yet been used for authentication.
CN201711462151.9A 2017-12-28 2017-12-28 Non-perception authentication and authorization network system and method based on dynamic temporary password creation Active CN108092988B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711462151.9A CN108092988B (en) 2017-12-28 2017-12-28 Non-perception authentication and authorization network system and method based on dynamic temporary password creation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711462151.9A CN108092988B (en) 2017-12-28 2017-12-28 Non-perception authentication and authorization network system and method based on dynamic temporary password creation

Publications (2)

Publication Number Publication Date
CN108092988A true CN108092988A (en) 2018-05-29
CN108092988B CN108092988B (en) 2021-06-22

Family

ID=62180952

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711462151.9A Active CN108092988B (en) 2017-12-28 2017-12-28 Non-perception authentication and authorization network system and method based on dynamic temporary password creation

Country Status (1)

Country Link
CN (1) CN108092988B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109040148A (en) * 2018-11-01 2018-12-18 四川长虹电器股份有限公司 A kind of mobile terminal sends the safety certifying method of logging request to server
CN109299617A (en) * 2018-09-19 2019-02-01 中国农业银行股份有限公司贵州省分行 A kind of file encryption and decryption system
CN110012032A (en) * 2019-04-28 2019-07-12 新华三技术有限公司 A kind of user authen method and device
CN110535696A (en) * 2019-08-21 2019-12-03 新华三技术有限公司合肥分公司 Method for configuring network equipment, controller and the network equipment
CN110719276A (en) * 2019-09-30 2020-01-21 北京网瑞达科技有限公司 Network equipment safety access system based on cache password and working method thereof
CN110856174A (en) * 2019-12-13 2020-02-28 上海兴容信息技术有限公司 Access authentication system, method, device, computer equipment and storage medium
CN113361723A (en) * 2021-05-12 2021-09-07 北京网瑞达科技有限公司 IT operation and maintenance management system and method based on rule tree automatic matching

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102932785A (en) * 2011-08-12 2013-02-13 中国移动通信集团浙江有限公司 Rapid authentication method, system and equipment of wireless local area network
US20130272290A1 (en) * 2010-12-09 2013-10-17 Huawei Technologies Co., Ltd. Method, apparatus, and system for centralized 802.1x authentication in wireless local area
CN103501495A (en) * 2013-10-16 2014-01-08 苏州汉明科技有限公司 Perception-free WLAN (Wireless Local Area Network) authentication method fusing Portal/Web authentication and MAC (Media Access Control) authentication
CN104954508A (en) * 2015-06-24 2015-09-30 北京网瑞达科技有限公司 System for DHCP (dynamic host configuration protocol) auxiliary accounting and auxiliary accounting method of system
CN106059802A (en) * 2016-05-25 2016-10-26 杭州华三通信技术有限公司 Terminal access authentication method and device

Also Published As

Publication number Publication date
CN108092988B (en) 2021-06-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CB03 Change of inventor or designer information
Inventor after: Deng Yuting; Zhang Yuming; Wang Junyan; Wang Daojia; Weng Yuan; Yang Chengfei; Cong Qun
Inventor before: Wang Junyan; Wang Daojia; Weng Yuan; Yang Chengfei; Cong Qun