CN116506168A - User authentication method and device - Google Patents
- Publication number: CN116506168A (application CN202310432061.4A)
- Authority: CN (China)
- Prior art keywords: information table, node information, table item, user name, authentication
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
          - G06F21/45—Structures or tools for the administration of authentication
      - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
          - G06F2221/2135—Metering
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Power Engineering (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer And Data Communications (AREA)
Abstract
The specification provides a user authentication method and device in the technical field of communication. The user authentication method is applied to an authentication server and comprises the following steps: receiving an authentication request sent by network equipment; if the received user name and password do not match the user name and password stored by the authentication server, generating a node information table entry marked as a to-be-authenticated state; if the unmatched times in one node information table entry exceed a preset value, marking the node information table entry as an untrusted state, recording an enabling anti-attack mark in the node information table entry, and sending the node information table entry to the network equipment, so that the network equipment terminates the authentication session corresponding to an authentication request matching a user name or MAC address in the node information table entry, or discards the authentication request matching the user name or MAC address in the node information table entry. By this method, the reliability of network authentication can be improved.
Description
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a user authentication method and apparatus.
Background
With the development of network technology, users' demands for network security are also increasing. In PPPoE (Point-to-Point Protocol over Ethernet) networking, authentication of a client is achieved through authentication interaction among the client, a network device (which may also be referred to as a PPPoE server) and an authentication server; after authentication, the client can access an intranet.
However, in current deployments an attacker can disguise itself as a client, initiate authentication towards the network device and attempt brute-force cracking through frequent authentication interactions. This process occupies a large amount of resources between the authentication server and the network device and affects the online time of normal users, and once the authentication information is cracked, the attacker can access the enterprise internal network and cause an information security incident. How to quickly identify attacks and intercept brute-force traffic is therefore a problem that technicians in the field urgently need to solve.
Disclosure of Invention
In order to overcome the problems in the related art, the present specification provides a user authentication method and apparatus.
With reference to the first aspect of the embodiments of the present specification, the present application provides a user authentication method, applied to an authentication server, including:
receiving an authentication request sent by network equipment, wherein the authentication request carries at least a user name, a password and the Media Access Control (MAC) address of the user equipment;
if the received user name and password do not match the user name and password stored by the authentication server, generating a node information table entry marked as a to-be-authenticated state, wherein the node information table entry records the received user name, the MAC address, the unmatched times and state information;
if the unmatched times in one node information table entry exceed a preset value, marking the node information table entry as an untrusted state, recording an enabling anti-attack mark in the node information table entry, and sending the node information table entry to the network equipment, so that the network equipment terminates the authentication session corresponding to an authentication request matching a user name or MAC address in the node information table entry, or discards the authentication request matching the user name or MAC address in the node information table entry.
Optionally, after receiving the authentication request sent by the network device based on the authentication session, the method further includes:
if the received user name and password match the user name and password stored by the authentication server, generating a node information table entry marked as a trust state, and sending the generated node information table entry to the network equipment, so that the network equipment forwards the data messages sent by the user equipment based on the node information table entry.
Optionally, after generating the node information table entry marked as the to-be-authenticated state and while the unmatched times have not yet exceeded the preset value, the method further includes:
if the received user name and password match the user name and password stored by the authentication server, marking the node information table entry as a trust state, clearing the unmatched times, and sending the node information table entry to the network equipment.
Optionally, an aging time is also recorded in the node information table entry;
the method further comprises the following step:
if a node information table entry marked as the trust state or as the untrusted state reaches its aging time, marking the node information table entry as a to-be-authenticated state and enabling the anti-attack mark.
With reference to the second aspect of the embodiments of the present specification, the present application provides a user authentication method, applied to a network device, including:
receiving an authentication request sent by user equipment based on an authentication session, wherein the authentication request carries at least a user name, a password and the MAC address of the user equipment;
sending the authentication request to an authentication server, so that the authentication server authenticates the user equipment based on the user name and the password, generates a node information table entry comprising at least the user name, the password, the unmatched times and the MAC address, and marks the node information table entry as an untrusted state when the unmatched times of the node information table entry exceed a preset value;
receiving and recording the node information table entries sent by the authentication server and marked as an untrusted state;
if a subsequently received authentication request contains the user name or the MAC address recorded in a node information table entry marked as the untrusted state, terminating the authentication session with the user equipment that corresponds to the subsequent authentication request, or discarding the authentication request matching the user name or the MAC address in the node information table entry marked as the untrusted state.
Optionally, after sending the authentication request to the authentication server, the method further includes:
receiving and recording the node information table entries sent by the authentication server and marked as a trust state;
and if a received data message contains the user name and the MAC address recorded in a node information table entry marked as the trust state, forwarding the data message.
With reference to a third aspect of embodiments of the present specification, there is provided a user authentication apparatus, applied to an authentication server, including:
a receiving unit, configured to receive an authentication request sent by the network equipment, wherein the authentication request carries at least a user name, a password and the MAC address of the user equipment;
a generating unit, configured to generate a node information table entry marked as a to-be-authenticated state if the received user name and password do not match the user name and password stored by the authentication server, wherein the received user name, the MAC address, the unmatched times and state information are recorded in the node information table entry;
and an anti-attack unit, configured to mark a node information table entry as an untrusted state if the unmatched times in that entry exceed a preset value, record an enabling anti-attack mark in the node information table entry, and send the node information table entry to the network equipment, so that the network equipment terminates the authentication session corresponding to an authentication request matching a user name or MAC address in the node information table entry, or discards the authentication request matching the user name or MAC address in the node information table entry.
Optionally, the device further includes:
and an authentication unit, configured to generate a node information table entry marked as a trust state if the received user name and password match the user name and password stored by the authentication server, and to send the generated node information table entry to the network equipment, so that the network equipment forwards the data messages sent by the user equipment based on the node information table entry.
Optionally, the device further includes:
and a clearing unit, configured to mark the node information table entry as a trust state if the received user name and password match the user name and password stored by the authentication server, clear the unmatched times and send the node information table entry to the network equipment.
Optionally, an aging time is also recorded in the node information table entry;
the apparatus further comprises:
and an aging unit, configured to mark a node information table entry as a to-be-authenticated state and enable the anti-attack mark if that entry, marked as a trust state or as an untrusted state, reaches its aging time.
With reference to the fourth aspect of the embodiments of the present specification, the present application provides a user authentication apparatus, applied to a network device, including:
a receiving unit, configured to receive an authentication request sent by the user equipment based on the authentication session, wherein the authentication request carries at least a user name, a password and the MAC address of the user equipment;
a sending unit, configured to send the authentication request to the authentication server, so that the authentication server authenticates the user equipment based on the user name and the password, generates a node information table entry comprising at least the user name, the password, the unmatched times and the MAC address, and marks the node information table entry as an untrusted state when the unmatched times of the node information table entry exceed a preset value;
the receiving unit being further configured to receive and record the node information table entries sent by the authentication server and marked as an untrusted state;
and an anti-attack unit, configured to terminate the authentication session with the user equipment that corresponds to a subsequent authentication request, or to discard the authentication request matching the user name or the MAC address in a node information table entry marked as the untrusted state, if the subsequently received authentication request contains the user name or the MAC address recorded in that entry.
Optionally, the receiving unit is further configured to receive and record the node information table entries sent by the authentication server and marked as a trust state;
and the sending unit is configured to forward a received data message if it contains the user name and the MAC address recorded in a node information table entry marked as the trust state.
In connection with a fifth aspect of the embodiments of the present specification, there is provided an authentication server comprising a transceiver, a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the machine-executable instructions causing the processor to implement any of the above method steps.
In connection with a sixth aspect of the embodiments herein, there is provided a network device comprising a transceiver, a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the machine-executable instructions causing the processor to implement any of the above method steps.
In connection with a seventh aspect of the embodiments herein, there is provided a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the method steps of any of the preceding claims.
The technical scheme provided by the embodiment of the specification can comprise the following beneficial effects:
In the embodiments of the specification, the authentication server matches the user name and MAC address carried in the authentication request against the information it stores and generates a node information table entry. When the unmatched times recorded in one node information table entry exceed a preset value, it marks the entry as an untrusted state and informs the network equipment. Based on the issued entry marked as untrusted, the network equipment directly terminates the authentication session matching the user name or MAC address, applying anti-attack processing to subsequent authentication requests, or discards the authentication requests containing that user name or MAC address. The attacker's attack messages are thus intercepted on the network equipment side, which prevents brute-force cracking of the authentication server and improves the reliability of network authentication.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the specification and together with the description, serve to explain the principles of the specification.
Fig. 1 is a flowchart of a user authentication method according to the present application, applied to an authentication server;
Fig. 2 is a networking diagram to which a user authentication method according to the present application is applicable;
Fig. 3 is a schematic diagram illustrating a processing of a node information table entry in a user authentication method according to an embodiment of the present application;
Fig. 4 is a schematic diagram illustrating another processing of a node information table entry in a user authentication method according to an embodiment of the present application;
Fig. 5 is a schematic diagram illustrating another processing of a node information table entry in a user authentication method according to an embodiment of the present application;
Fig. 6 is a flowchart of a user authentication method according to the present application, applied to a network device;
Fig. 7 is a schematic structural diagram of a user authentication apparatus according to the present application, applied to an authentication server;
Fig. 8 is a schematic structural diagram of a user authentication apparatus according to the present application, applied to a network device;
Fig. 9 is a schematic structural diagram of an authentication server according to the present application;
Fig. 10 is a schematic structural diagram of a network device according to the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification.
The application provides a user authentication method, applied to an authentication server, which, as shown in Fig. 1, comprises the following steps:
S100: receiving an authentication request sent by the network equipment.
As shown in Fig. 2, the networking includes user equipment, network equipment and an authentication server. The user equipment may include normal user equipment and an attacker disguised as user equipment; the network equipment is typically gateway equipment. When user equipment needs to be authenticated, it establishes an authentication session with the network equipment based on the PPPoE protocol and sends an authentication request to the authentication server through the network equipment over that session. The authentication request carries at least a user name, a password and the MAC (Media Access Control) address of the user equipment.
The authentication server receives and parses the authentication request and obtains the various pieces of information it carries.
It should be noted that, in the PPPoE protocol, the user equipment may be referred to as a PPPoE client and the network equipment as a PPPoE server.
A PPP (Point-to-Point Protocol) session is established between user equipment and network equipment as follows:
The user equipment broadcasts a PADI (PPPoE Active Discovery Initiation) message containing the service type information it wants to obtain.
Every network device that receives the PADI message compares the requested service with the services it can provide and, if it can provide the requested service, replies with a unicast PADO (PPPoE Active Discovery Offer) message.
Depending on the network topology, the user equipment may receive PADO messages from several network devices; it selects the network device whose PADO message arrived first as its own network device and unicasts a PADR (PPPoE Active Discovery Request) message to it.
The network device generates a unique session identifier for identifying the session with the user equipment and sends it to the user equipment in a PADS (PPPoE Active Discovery Session-confirmation) message; once the session is established, both sides enter the PPPoE session stage (that is, the authentication session of the authentication process).
At this point both parties know the PPPoE session identifier and the MAC address of the other party, which together identify the unique authentication session.
After the authentication session is established, PPP negotiation can be performed and subsequent PPP data transmission takes place.
An attacker can steal the user name of a normal user and, with randomly generated passwords, initiate authentication towards the authentication server. Because the user names and passwords permitted to access the network are stored in the authentication server in advance, and the authentication server must authenticate the user equipment that initiates each authentication request, the network equipment can only forward the received authentication requests to the authentication server. While the attacker randomly generates passwords and frequently initiates authentication requests, it therefore occupies excessive network resources between the network equipment and the authentication server; the authentication requests of normal users cannot reach the authentication server for authentication in time, and the reliability of the network is reduced.
S101: if the received user name and password do not match the user name and password stored by the authentication server, generating a node information table entry marked as a to-be-authenticated state.
The authentication server stores a plurality of user names and passwords that are permitted to access the network. After receiving an authentication request, it looks up the received user name and password among the user names and passwords it stores. If a match is found, the user equipment using that user name and password may be admitted to the network; if no match is found, the user equipment has used a wrong user name or password.
After each authentication, the authentication server generates a node information table entry, in which the received user name, the MAC address, the unmatched times and the state information are recorded.
If the user name and password match, the state information in the generated node information table entry is marked as a trust state and the unmatched times are set to 0.
If the user name and password do not match, the state information in the generated node information table entry is marked as a to-be-authenticated state, and authentication requests from the user equipment (or the attacker) continue to be received. Because a legitimate user may mistype the user name or password, a single mismatch cannot be taken as proof of an attacker; rather than identifying the user as an attacker on one error, the unmatched times in the node information table entry are increased.
Optionally, after receiving the authentication request sent by the network equipment based on the authentication session in step S100, the method further includes:
S103: if the received user name and password match the user name and password stored by the authentication server, generating a node information table entry marked as a trust state, and sending the generated node information table entry to the network equipment, so that the network equipment forwards the data messages sent by the user equipment based on the node information table entry.
As shown in Fig. 3, when the authentication server determines that user equipment 1 is normal user equipment, it generates a node information table entry from the user name, password, MAC address and other information, marks the unmatched times in the entry as 0 (indicating a correct match) and marks the generated entry as a trust state (denoted node information table entry 1). The trust state indicates that the user name and password have passed authentication and that the network equipment can pass the subsequent data messages.
The authentication server may then issue node information table entry 1 to the network equipment, which receives and records it. The network equipment issues a confirmation to user equipment 1 to complete the authentication process. User equipment 1 may then send data messages to the network equipment; when the network equipment determines that the MAC address of user equipment 1 is the MAC address recorded in node information table entry 1, the data messages may be forwarded.
Optionally, after generating the node information table entry marked as the to-be-authenticated state in step S101 and while the unmatched times in step S102 have not yet exceeded the preset value, the method further includes:
S104: if the received user name and password match the user name and password stored by the authentication server, marking the node information table entry as a trust state, clearing the unmatched times, and sending the node information table entry to the network equipment.
As shown in Fig. 4, after normal user equipment (user equipment 1) initiates an authentication request in which the user has entered the user name or password incorrectly, the authentication server determines that user equipment 1 has failed authentication, generates node information table entry 2, records the user name and the MAC address, marks entry 2 as a to-be-authenticated state and increases the unmatched times to 1. At this point, because the authentication process is not complete and has not been identified as an attack, the authentication server may temporarily issue node information table entry 2. The to-be-authenticated state indicates that the user equipment failed authentication this time but that the number of failures has not exceeded the preset value, so the authentication server must continue to authenticate subsequent authentication requests.
The network equipment may then issue a notification that authentication failed, and the user may re-enter the user name and password for a second authentication, with the user equipment sending an authentication request carrying the new user name and password. The authentication server determines that the new user name and password match and passes the authentication. It updates the state information in node information table entry 2 to the trust state and clears the unmatched times to indicate that user equipment 1 has passed authentication. What follows is similar to step S103 and is not repeated here.
S102: if the unmatched times in one node information table entry exceed a preset value, marking the node information table entry as an untrusted state, recording an enabling anti-attack mark in the node information table entry, and sending the node information table entry to the network equipment, so that the network equipment terminates the authentication session corresponding to an authentication request matching a user name or MAC address in the node information table entry, or discards the authentication request matching the user name or MAC address in the node information table entry.
As shown in Fig. 5, if the user equipment 2 initiating authentication is an attacker, user equipment 2 most likely knows a user name and tries random passwords in the hope of hitting the correct one. When the first authentication fails, the authentication server generates node information table entry 3 with its state information marked as a to-be-authenticated state and its unmatched times set to 1. The attacker continues to send authentication requests, all of which fail authentication, and the authentication server, after matching either the user name or the MAC address to node information table entry 3, continues to accumulate its unmatched times.
When the unmatched times in node information table entry 3 accumulate to a preset value (for example, 5), the authentication server regards user equipment 2 as an attacker, marks the state information in entry 3 as an untrusted state and enables the anti-attack strategy in entry 3, that is, records an anti-attack mark in it. Node information table entry 3 is then sent to the network equipment, which records it.
From then on, whenever the network equipment receives an authentication request from the attacker again, it checks the request against the recorded node information table entry 3 and terminates the authentication session or discards the authentication request.
For example, after the network equipment receives node information table entry 3, the authentication session between the network equipment and user equipment 2 is still maintained; to prevent the attacker from continuing to occupy session resources of the network equipment, the network equipment may send a PADT (PPPoE Active Discovery Terminate) message to user equipment 2 to terminate the authentication session between them, ending the current attacker's authentication attack on the authentication server as soon as possible.
If user equipment 2 subsequently seeks to re-establish an authentication session, the network equipment, on receiving the PADI message, can look up node information table entry 3 based on the MAC address in the PADI message. If the attacker continues to initiate authentication using the user name or MAC address recorded there, the network equipment can directly discard the PADI message, so that re-establishing an authentication session no longer consumes the communication or session resources of the network equipment, further improving its reliability.
Optionally, an aging time is also recorded in the node information table item;
the method further comprises the following steps:
S105, if a node information table item marked as the trust state or a node information table item marked as the untrusted state reaches the aging time, marking the node information table item as the to-be-authenticated state, and enabling the anti-attack mark.
The authentication server may also set an aging time after generating a node information table entry marked as trusted or untrusted, and start a timer once the aging time is set.
If the timer reaches the aging time, the node information table entry has existed for a period of time and the network situation may have changed: for example, the attacker's attack may have stopped, or the normal user equipment may have stopped sending data messages.
At this time, the authentication server may mark the node information table entry as the to-be-authenticated state, requiring authentication to be performed again, and clear the anti-attack mark. If the entry was marked as the trust state, no anti-attack mark was set, so clearing it may be performed or skipped without affecting the entry.
Thereafter, the authentication server may issue a notification to the network device to delete the node information entry, so that the network device deletes the copy it currently stores; for example, the notification may carry the user name and/or MAC address so that the network device can match and delete the corresponding entry it holds.
For a node information table item marked as the trust state, if the network device keeps receiving data messages, for example when the number of received data messages exceeds a preset number, it may send a keep-alive message carrying the MAC address to the authentication server, so that the server clears the timer of the node information table item matching that MAC address and starts counting again.
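As an added illustration, not code from the patent, the following Python model walks through the authentication-server side described above (steps S101 to S105, the keep-alive handling, and the fig. 4 and fig. 5 scenarios). The class and field names, the in-memory credential store, the tick-based aging timer and the reading of "exceeds a preset value" as reaching the example value 5 are this example's own assumptions.

```python
from dataclasses import dataclass

# State values of a node information table item (names are this example's own).
PENDING = "to_be_authenticated"
TRUSTED = "trusted"
UNTRUSTED = "untrusted"


@dataclass
class NodeEntry:
    """One node information table item: user name, MAC address, unmatched times,
    state information, anti-attack mark and an age counter for the aging time."""
    username: str
    mac: str
    mismatches: int = 0
    state: str = PENDING
    anti_attack: bool = False
    age: int = 0


class AuthServer:
    def __init__(self, credentials, preset_value=5, aging_time=10):
        self.credentials = credentials      # {username: password}, assumed store
        self.preset_value = preset_value    # "for example, 5" in the description
        self.aging_time = aging_time        # assumed unit: calls to tick()
        self.table = []                     # the node information table
        self.outbox = []                    # (kind, username, mac) sent to the network device

    def _lookup(self, username, mac):
        # The description matches an entry on *either* the user name or the MAC
        # address, so an attacker rotating one of them still shares a counter.
        for e in self.table:
            if e.username == username or e.mac == mac:
                return e
        return None

    def handle_request(self, username, password, mac):
        """S101-S104: process one authentication request, returning 'pass' or 'fail'."""
        entry = self._lookup(username, mac)
        if entry is not None and entry.state == UNTRUSTED:
            # Assumption: an untrusted entry stays untrusted until it ages out; the
            # network device is expected to have dropped this request anyway.
            entry.mismatches += 1
            return "fail"
        if self.credentials.get(username) == password:
            if entry is None:
                entry = NodeEntry(username, mac)
                self.table.append(entry)
            # S103 (new entry) / S104 (pending entry): trusted, unmatched times cleared
            entry.state, entry.mismatches, entry.age = TRUSTED, 0, 0
            self.outbox.append(("trusted", entry.username, entry.mac))
            return "pass"
        if entry is None:
            entry = NodeEntry(username, mac, mismatches=1)   # S101: pending, count 1
            self.table.append(entry)
        else:
            entry.mismatches += 1
        if entry.mismatches >= self.preset_value:
            # S102: reaching the preset value marks the entry untrusted, sets the
            # anti-attack mark and pushes the entry to the network device.
            entry.state, entry.anti_attack, entry.age = UNTRUSTED, True, 0
            self.outbox.append(("untrusted", entry.username, entry.mac))
        return "fail"

    def keepalive(self, mac):
        """Keep-alive from the network device: restart the timer of the trusted
        entry matching this MAC address."""
        for e in self.table:
            if e.mac == mac and e.state == TRUSTED:
                e.age = 0

    def tick(self):
        """S105: advance the timer of every trusted/untrusted entry; an entry that
        reaches the aging time returns to the to-be-authenticated state, its
        anti-attack mark is cleared and the network device is told to delete it."""
        for e in self.table:
            if e.state == PENDING:
                continue
            e.age += 1
            if e.age >= self.aging_time:
                e.state, e.anti_attack, e.age = PENDING, False, 0
                e.mismatches = 0   # assumption: re-authentication starts from a clean count
                self.outbox.append(("delete", e.username, e.mac))
```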
Correspondingly, the application also provides a user authentication method applied to the network equipment, as shown in fig. 6, comprising the following steps:
S600, receiving an authentication request sent by the user equipment based on an authentication session.
The authentication request carries at least a user name, a password and the MAC address of the user equipment.
S601, sending the authentication request to an authentication server, so that the authentication server authenticates the user equipment based on the user name and password, generates a node information table item comprising at least the user name, the password, the unmatched times and the MAC address, and marks the node information table item as an untrusted state when the unmatched times of the node information table item exceed a preset value.
S602, receiving and recording a node information table item sent by the authentication server and marked as an untrusted state.
S603, if a subsequently received authentication request includes the user name or MAC address recorded in a node information table item marked as the untrusted state, terminating the authentication session with the user equipment that corresponds to that subsequent authentication request, or discarding the authentication request matching the user name or MAC address in the node information table item marked as the untrusted state.
Optionally, after sending the authentication request to the authentication server in step S601, the method further includes:
S604, receiving and recording node information table items sent by the authentication server and marked as trust states.
S605, if a received data message contains the user name and the MAC address recorded in a node information table item marked as the trust state, forwarding the data message.
The explanation on the network device side corresponds to the explanation on the authentication server side and is not repeated here.
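As an added example (not code from the patent), the following Python model covers the network-device side of steps S600 to S605 together with the PADT and PADI handling of the fig. 5 walkthrough and the keep-alive sent after a preset number of data messages. The entry format, the message names recorded in `sent`, and the keep-alive threshold are this example's assumptions; entries are constructed inline rather than received from a real authentication server.

```python
from dataclasses import dataclass


@dataclass
class DeviceEntry:
    """Node information table item as recorded on the network device after the
    authentication server pushes it (S602 for untrusted, S604 for trusted)."""
    username: str
    mac: str
    state: str            # "trusted" or "untrusted"
    anti_attack: bool


class NetworkDevice:
    def __init__(self, keepalive_after=3):
        self.entries = []                          # recorded node information table items
        self.sessions = set()                      # MACs with a live PPPoE authentication session
        self.data_seen = {}                        # MAC -> data messages since last keep-alive
        self.keepalive_after = keepalive_after     # assumed "preset number" of data messages
        self.sent = []                             # messages emitted, kept for inspection

    def record_entry(self, entry):
        """S602/S604: store an entry pushed by the authentication server."""
        self.entries = [e for e in self.entries
                        if not (e.username == entry.username and e.mac == entry.mac)]
        self.entries.append(entry)
        if entry.state == "untrusted" and entry.anti_attack and entry.mac in self.sessions:
            # fig. 5: the attacker's session is still up, so release it with a PADT
            self.sessions.discard(entry.mac)
            self.sent.append(("PADT", entry.mac))

    def delete_entry(self, username, mac):
        """Aging notification from the server (S105): forget the matching entry."""
        self.entries = [e for e in self.entries
                        if not (e.username == username and e.mac == mac)]

    def _untrusted_match(self, username=None, mac=None):
        # S603: the user name *or* the MAC address of an untrusted entry is enough
        return any(e.state == "untrusted" and e.anti_attack and
                   (e.mac == mac or (username is not None and e.username == username))
                   for e in self.entries)

    def on_padi(self, mac):
        """A PADI carries only the MAC address; it is dropped if an untrusted entry
        matches, so the attacker cannot re-establish a session (fig. 5)."""
        if self._untrusted_match(mac=mac):
            self.sent.append(("DROP_PADI", mac))
            return "dropped"
        self.sessions.add(mac)
        return "session_opened"

    def on_auth_request(self, username, password, mac):
        """S600/S601/S603: relay the request (user name, password, MAC) to the
        server unless the user name or MAC matches an untrusted entry."""
        if self._untrusted_match(username=username, mac=mac):
            if mac in self.sessions:
                self.sessions.discard(mac)
                self.sent.append(("PADT", mac))
                return "terminated"
            self.sent.append(("DROP_AUTH", mac))
            return "dropped"
        self.sent.append(("TO_SERVER", username, mac))   # password relayed, not logged
        return "forwarded"

    def on_data(self, username, mac, payload):
        """S605: forward only when a trusted entry matches both user name and MAC;
        after keepalive_after forwarded messages, send a keep-alive with the MAC."""
        trusted = any(e.state == "trusted" and e.username == username and e.mac == mac
                      for e in self.entries)
        if not trusted:
            self.sent.append(("DROP_DATA", mac))
            return "dropped"
        self.sent.append(("FORWARD", mac, payload))
        n = self.data_seen.get(mac, 0) + 1
        if n >= self.keepalive_after:
            self.sent.append(("KEEPALIVE", mac))   # server restarts the entry's timer
            n = 0
        self.data_seen[mac] = n
        return "forwarded"
```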
Correspondingly, the application also provides a user authentication device applied to the authentication server, as shown in fig. 7, comprising:
a receiving unit, configured to receive an authentication request sent by the network equipment, wherein the authentication request carries at least a user name, a password and a Media Access Control (MAC) address of the user equipment;
a generating unit, configured to generate a node information table item marked as a to-be-authenticated state if the received user name and password do not match the user name and password stored by the authentication server, wherein the received user name, the MAC address, the unmatched times and the state information are recorded in the node information table item;
and an anti-attack unit, configured to mark the node information table item as an untrusted state if the unmatched times in a node information table item exceed a preset value, record an enabled anti-attack mark in the node information table item, and send the node information table item to the network equipment, so that the network equipment terminates the authentication session corresponding to an authentication request matching the user name or MAC address in the node information table item, or discards the authentication request matching the user name or MAC address in the node information table item.
Optionally, the device further includes:
an authentication unit, configured to generate a node information table item marked as a trust state if the received user name and password match the user name and password stored by the authentication server, and to send the generated node information table item to the network equipment so that the network equipment forwards the data messages sent by the user equipment based on the node information table item.
Optionally, the device further includes:
a clearing unit, configured to mark the node information table item as a trust state if the received user name and password match the user name and password stored by the authentication server, clear the unmatched times, and send the node information table item to the network equipment.
Optionally, an aging time is also recorded in the node information table item;
the device further comprises:
an aging unit, configured to mark the node information table item as a to-be-authenticated state and enable the anti-attack mark if a node information table item marked as a trust state or a node information table item marked as an untrusted state reaches the aging time.
Correspondingly, the application also provides a user authentication device applied to the network equipment, as shown in fig. 8, comprising:
a receiving unit, configured to receive an authentication request sent by the user equipment based on an authentication session, wherein the authentication request carries at least a user name, a password and the MAC address of the user equipment;
a sending unit, configured to send the authentication request to the authentication server, so that the authentication server authenticates the user equipment based on the user name and password, generates a node information table item comprising at least the user name, the password, the unmatched times and the MAC address, and marks the node information table item as an untrusted state when the unmatched times of the node information table item exceed a preset value;
a recording unit, configured to receive and record the node information table item sent by the authentication server and marked as an untrusted state;
and an anti-attack unit, configured to terminate the authentication session with the user equipment that corresponds to a subsequent authentication request, or discard the authentication request matching the user name or MAC address in the node information table item marked as the untrusted state, if the subsequently received authentication request contains the user name or MAC address recorded in the node information table item marked as the untrusted state.
Optionally, the receiving unit is further configured to receive and record node information table items sent by the authentication server and marked as trust states;
and the sending unit is further configured to forward a received data message if it contains the user name and the MAC address recorded in a node information table item marked as the trust state.
Correspondingly, the application also provides an authentication server, as shown in fig. 9, comprising a transceiver, a processor and a machine-readable storage medium, wherein the machine-readable storage medium stores machine-executable instructions executable by the processor, and the machine-executable instructions cause the processor to implement the method steps of any of the above.
Correspondingly, the application also provides a network device, as shown in fig. 10, comprising a transceiver, a processor and a machine-readable storage medium, wherein the machine-readable storage medium stores machine-executable instructions executable by the processor, and the machine-executable instructions cause the processor to implement the method steps of any of the above.
Correspondingly, the application also provides a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the method steps of any of the authentication servers or any of the network devices described above.
The technical solution provided by the embodiments of the specification can have the following beneficial effects:
in the embodiments of the specification, the authentication server matches the user name and MAC address in an authentication request against those it stores and generates a node information table entry; when the unmatched times recorded in one entry exceed a preset value, it marks the entry as untrusted and notifies the network equipment. Based on the issued untrusted entry, the network equipment directly terminates the authentication session matching the user name or MAC address, or discards authentication requests containing that user name or MAC address, so that the attacker's subsequent attack messages are intercepted on the network equipment side. This prevents brute-force cracking of the authentication server by the attacker and improves the reliability of network authentication.
It is to be understood that the present description is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be made without departing from the scope thereof.
The foregoing description of the preferred embodiments is provided for the purpose of illustration only, and is not intended to limit the scope of the disclosure, since any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the disclosure are intended to be included within the scope of the disclosure.
Claims (15)
1. A user authentication method, applied to an authentication server, comprising:
receiving an authentication request sent by network equipment, wherein the authentication request carries at least a user name, a password and a Media Access Control (MAC) address of the user equipment;
if the received user name and password do not match the user name and password stored by the authentication server, generating a node information table item marked as a to-be-authenticated state, wherein the node information table item records the received user name, the MAC address, the unmatched times and the state information;
if the unmatched times in a node information table item exceed a preset value, marking the node information table item as an untrusted state, recording an enabled anti-attack mark in the node information table item, and sending the node information table item to the network equipment, so that the network equipment terminates the authentication session corresponding to an authentication request matching the user name or MAC address in the node information table item, or discards the authentication request matching the user name or MAC address in the node information table item.
2. The method of claim 1, further comprising, after receiving the authentication request sent by the network equipment based on the authentication session:
if the received user name and password match the user name and password stored by the authentication server, generating a node information table item marked as a trust state, and sending the generated node information table item to the network equipment so that the network equipment forwards the data messages sent by the user equipment based on the node information table item.
3. The method according to claim 1, further comprising, after generating the node information table item marked as the to-be-authenticated state and while the unmatched times do not exceed the preset value:
if the received user name and password match the user name and password stored by the authentication server, marking the node information table item as a trust state, clearing the unmatched times, and sending the node information table item to the network equipment.
4. The method according to any one of claims 1-3, wherein an aging time is also recorded in the node information table item;
the method further comprises the steps of:
if a node information table item marked as the trust state or a node information table item marked as the untrusted state reaches the aging time, marking the node information table item as a to-be-authenticated state, and enabling the anti-attack mark.
5. A user authentication method, applied to a network device, comprising:
receiving an authentication request sent by user equipment based on an authentication session, wherein the authentication request carries at least a user name, a password and the MAC address of the user equipment;
sending the authentication request to an authentication server, so that the authentication server authenticates the user equipment based on the user name and password, generates a node information table item comprising at least the user name, the password, the unmatched times and the MAC address, and marks the node information table item as an untrusted state when the unmatched times of the node information table item exceed a preset value;
receiving and recording node information table items sent by the authentication server and marked as an untrusted state;
if a subsequently received authentication request contains the user name or MAC address recorded in a node information table item marked as the untrusted state, terminating the authentication session with the user equipment that corresponds to the subsequent authentication request, or discarding the authentication request matching the user name or MAC address in the node information table item marked as the untrusted state.
6. The method of claim 5, further comprising, after sending the authentication request to the authentication server:
receiving and recording node information table items sent by the authentication server and marked as trust states;
and if a received data message contains the user name and the MAC address recorded in a node information table item marked as the trust state, forwarding the data message.
7. A user authentication apparatus, applied to an authentication server, comprising:
a receiving unit, configured to receive an authentication request sent by the network equipment, wherein the authentication request carries at least a user name, a password and a MAC address of the user equipment;
a generating unit, configured to generate a node information table item marked as a to-be-authenticated state if the received user name and password do not match the user name and password stored by the authentication server, wherein the received user name, the MAC address, the unmatched times and the state information are recorded in the node information table item;
and an anti-attack unit, configured to mark the node information table item as an untrusted state if the unmatched times in a node information table item exceed a preset value, record an enabled anti-attack mark in the node information table item, and send the node information table item to the network equipment, so that the network equipment terminates the authentication session corresponding to an authentication request matching the user name or MAC address in the node information table item, or discards the authentication request matching the user name or MAC address in the node information table item.
8. The apparatus as recited in claim 7, further comprising:
an authentication unit, configured to generate a node information table item marked as a trust state if the received user name and password match the user name and password stored by the authentication server, and to send the generated node information table item to the network equipment so that the network equipment forwards the data messages sent by the user equipment based on the node information table item.
9. The apparatus as recited in claim 7, further comprising:
a clearing unit, configured to mark the node information table item as a trust state if the received user name and password match the user name and password stored by the authentication server, clear the unmatched times, and send the node information table item to the network equipment.
10. The apparatus according to any one of claims 7-9, wherein an aging time is also recorded in the node information table item;
the apparatus further comprises:
an aging unit, configured to mark the node information table item as a to-be-authenticated state and enable the anti-attack mark if a node information table item marked as the trust state or a node information table item marked as the untrusted state reaches the aging time.
11. A user authentication apparatus, applied to a network device, comprising:
a receiving unit, configured to receive an authentication request sent by user equipment based on an authentication session, wherein the authentication request carries at least a user name, a password and the MAC address of the user equipment;
a sending unit, configured to send the authentication request to the authentication server, so that the authentication server authenticates the user equipment based on the user name and password, generates a node information table item comprising at least the user name, the password, the unmatched times and the MAC address, and marks the node information table item as an untrusted state when the unmatched times of the node information table item exceed a preset value;
the receiving unit being further configured to receive and record the node information table item sent by the authentication server and marked as an untrusted state;
and an anti-attack unit, configured to terminate the authentication session with the user equipment that corresponds to a subsequent authentication request, or discard the authentication request matching the user name or MAC address in the node information table item marked as the untrusted state, if the subsequently received authentication request contains the user name or MAC address recorded in the node information table item marked as the untrusted state.
12. The apparatus of claim 11, wherein:
the receiving unit is further configured to receive and record node information table items sent by the authentication server and marked as trust states;
and the sending unit is further configured to forward a received data message if it contains the user name and the MAC address recorded in a node information table item marked as the trust state.
13. An authentication server comprising a transceiver, a processor, and a machine-readable storage medium storing machine-executable instructions executable by the processor, the machine-executable instructions causing the processor to implement the method steps of any one of claims 1-4.
14. A network device comprising a transceiver, a processor, and a machine-readable storage medium storing machine-executable instructions executable by the processor, the machine-executable instructions causing the processor to implement the method steps of claim 5 or 6.
15. A machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the method steps of any one of claims 1-4 or of claim 5 or 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310432061.4A CN116506168A (en) | 2023-04-19 | 2023-04-19 | User authentication method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116506168A (en) | 2023-07-28 |
Family
ID=87316031
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||