CN1394044A - IP-user ID authentication mechanism (method) for Internet - Google Patents

IP-user ID authentication mechanism (method) for Internet

Info

Publication number
CN1394044A
Authority
CN
China
Prior art keywords
user
internet
address
network
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN 01129583
Other languages
Chinese (zh)
Inventor
杨磊
黄辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Abstract

The invention discloses an IP-user identity authentication mechanism for the Internet, which is based on the TCP/IP protocol. Its goal is to bind a specific user identity to a specific IP address at a specific time over the Internet, so that the latter can be reliably converted into the former. Its main characteristics are that the check information is transferred over a dedicated IP connection and is verified periodically. With the IP address as the basis for authenticating the user's identity, the mechanism can be applied in any situation on the network where the user's identity needs to be known (such as e-commerce, network transaction management, and tracing illegal network activities). The invention is particularly suitable for use in broadband networks.

Description

Internet IP-based user identity authentication mechanism (method)
Field: the Internet, based on the TCP/IP protocol.
The Internet, built on the TCP/IP protocol, has now spread to every level of society. Today, user identity authentication on the Internet is becoming more and more important: in many situations a specific user's identity must be authenticated. On the one hand, the various commercial activities on the network require user authentication: the service provider provides a service to a specific user and requires that user to fulfil obligations (such as payment). On the other hand, network management also requires user authentication, because many particular tasks can only be performed by specific users (such as administrators).
When people use the network to carry out illegal activities, the state or the network administrator has an even greater need for a means of determining the identity of the person carrying them out.
The only identifier of a user's identity on the Internet is the IP address of the host the user is currently using. If user identity could be determined from the IP address, user authentication on the Internet would be very simple to implement, very easy to use, and very easy to promote. However, in many situations the IP address comes from a computer used by unspecified persons in a public computing place (particularly an Internet bar), and finding the particular user from such an IP address is extremely difficult. The purpose of the IP-based user identity authentication mechanism proposed here is to bind a specific user identity to a specific IP address at a specific moment over the Internet, so as to realize a reliable conversion from the latter to the former.

One. Current practice
In the traditional identity authentication methods used on the Internet today, there is always an authentication center (CA) that provides the authentication service. The authentication center determines the user's identity from the authentication information the user provides to it. A service provider (network administrator, state security department, etc.), acting as a third party, trusts and uses the user identity confirmed by the authentication center. The IP/MAC binding mechanism is currently common in local area networks (LANs); the authentication methods more widely used on the Internet include simple account/password mechanisms and digital signatures, as well as encrypted data channels.

1. IP/MAC binding
This method can only be used on Ethernet. It is based on the MAC address of the network interface card of the user's host, and the authentication is oriented toward the IP address rather than the user. TCP/IP communication inside an Ethernet depends on the MAC address of the user computer's network card; this address is burned into the card when it is manufactured, is globally unique, and cannot be changed arbitrarily. IP/MAC binding requires the user to register the MAC address of the network card with the authentication center (usually the gateway) before using the network. When the user accesses external Internet resources through the gateway, the gateway, which sits inside the same subnet, decides whether to allow the host to access the external network according to whether the IP address the host currently uses matches its registered MAC address. In this way the gateway can guarantee that this IP address is used only by this host. If the right to use this host belongs to a specific user, that user's identity can then be determined.
The IP/MAC binding mechanism has many limitations. First, the authentication center must be inside the same subnet as the user's host, so the IP/MAC binding mechanism can only be used in Ethernet-based LANs and cannot be generalized to the whole Internet. Second, IP/MAC binding is host-oriented: it can only determine that a certain host is using a certain IP address at a certain moment. If the host is shared by many people or is publicly used (as in an Internet bar), the user's identity cannot be determined. Third, the IP/MAC binding mechanism requires the user to register the MAC address with the authentication center every time before using the network, which seriously restricts the use of mobile hosts.
IP/MAC binding was once a popular management measure in Ethernets. But because some network card MAC addresses can be modified, and many operating systems provide a means of changing the card's logical MAC address, IP/MAC binding as an authentication measure in fact cannot guarantee this goal, and it is gradually being abandoned.
IP/MAC binding can be regarded as a hardware-based method. There are many other hardware-based methods, such as switch port monitoring, virtual LANs (VLANs), and layer-3 port switching. Because the hardware's range of action is limited, all hardware-implemented approaches can only be used in LANs. In addition, implementing them in hardware increases hardware cost and makes large-scale deployment very difficult.

2. Traditional account/password mechanisms, digital signatures and encrypted data channels
The use of these methods is not restricted by network range; they can be used in LANs and wide area networks, and they are all user-oriented. In the traditional account/password mechanism, the user first connects to the authentication center over TCP/IP and provides an account and password (login). If the password matches (login succeeds), the authentication center trusts this connection. Under this mechanism the third party using the identity information (such as the service provider) is often itself the authentication center, so the third party uses the same connection for normal communication with the user as for authentication. Because it is simple to implement, this is an authentication method often used on the Internet. For convenience, the user's account and password are usually transmitted in clear text over the network, so an attacker can easily obtain the account and password by network monitoring. Digital signature technology from data security theory can overcome this problem: the authentication center can still verify the user's identity without the user's password being transmitted directly over the network.
Both of these mechanisms are in fact connection-based. The authentication center does not care about the user's IP address; it trusts the TCP/IP connection that has currently been established. Therefore the user's identity must be verified again every time a connection is re-established, even if the user's IP address has not changed. And when there are several connections between the user and the authentication center, the authentication information of any one connection cannot be used by the others.
In addition, because the TCP/IP protocol itself contains no security mechanism, even a digital signature mechanism that does not transmit the user's password directly remains insecure. After the user logs in successfully, an attacker can easily hijack the TCP/IP connection between the user and the service side and impersonate the original user, and the authentication center cannot detect it.
The hidden danger of the digital signature approach is that the network connection can be forged and taken over. An encrypted virtual private network (VPN) can solve this problem. A VPN can in effect be regarded as an encrypted data channel. Under this approach, the user sends data to the authentication center in encrypted form, and the authentication center decrypts it. Unless the attacker can break the encryption algorithm used by the VPN, the original user's data cannot be forged for a long time, so this method can effectively protect the user's identity. The disadvantage of an encrypted VPN is that all data must be encrypted, which is a very large computational overhead. In addition, the third party can only obtain the data indirectly from the authentication center (a special case is that the authentication center is the third party itself). Therefore, since the development of broadband networks will cause a considerable increase in user traffic (the bandwidth explosion), promoting encrypted VPNs on a large scale will undoubtedly pose a huge challenge to the computing capacity of the authentication center.
Two. Purpose of the scheme
To overcome the shortcomings of the schemes above: to bind a specific user identity to a specific IP address at a specific moment over the Internet so as to realize a reliable conversion from the latter to the former, and thereby protect the user's identity effectively.

Three. Specific implementation
1. Before using the network, the user logs in to the authentication center, submits a user name, and completes the necessary identity verification process.
2. The authentication center binds the user to the IP address the user is currently using; that is, the authentication center establishes, at the specific moment, a correspondence from the bound IP address to the specific user identity.
3. The authentication center periodically sends identity check requests to the user, and the user side must reply within the specified time; alternatively, the user side actively reports its current state to the authentication center at regular intervals according to specific rules. This check process is completed over normal IP connections (including TCP and UDP).
4. If the user answers wrongly or times out, the authentication center kicks the user out. The user may also actively apply to the server to log out beforehand.
5. While the IP address is bound (after the user has logged in successfully using this IP address and before logging out successfully), a third party can look up the user's information from the authentication center by IP address, and may regard all network behavior of this IP address during this period as the behavior of the bound user, until the user logs out.
6. After the user logs out, the authentication center must notify all third parties that were using this authentication information to remove the binding of this IP address (and the trust relationship with the user of this IP address).
The principle of this scheme rests on the Internet's guarantee that at any moment no two computers with the same IP address can communicate normally with the outside world at the same time (the IP address is unique). By checking the communication between the client and the service side, it guarantees that the user holds the IP address he registered at all times. In the past, a successful attack meant that the original client was destroyed; under this authentication mechanism, the attacker must also ensure that the original user can still communicate normally with the authentication server, and the uniqueness guarantee of the IP address means such an attack cannot succeed. If the original user's host is destroyed, the authentication center can detect it within the reaction time and cancel its trust in the original user, so that the attacker cannot obtain illegal benefits or engage in illegal activities by impersonating the original user's identity.

Four. Characteristics of the scheme
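The six steps above, worked through as an added example that is not part of the patent or any implementation of it: an authentication center binds a user to the IP it logged in from, keeps the binding alive only while the user answers periodic keyed challenges within the timeout, lets a third party resolve "who holds this IP right now", and notifies subscribed third parties when a binding is dropped. The HMAC-based proof, the out-of-band key enrolment and the callback interface are assumptions chosen for the illustration, since the patent leaves the verification algorithm open.

```python
import hashlib
import hmac
import secrets


def keyed_answer(user_key: bytes, message: str) -> str:
    """Client-side proof: an HMAC over the message with the user's secret key (assumed scheme)."""
    return hmac.new(user_key, message.encode(), hashlib.sha256).hexdigest()


class AuthCenter:
    """Authentication center holding user-IP bindings that periodic checks keep alive."""

    def __init__(self, timeout: float):
        self.timeout = timeout   # seconds allowed between two valid check-ins
        self.keys = {}           # user -> secret key (enrolled out of band; assumed)
        self.bindings = {}       # ip -> {"user", "last_ok", "nonce"}
        self.subscribers = []    # third-party callbacks f(ip, user, reason)

    def enroll(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def login(self, user: str, ip: str, proof: str, now: float) -> bool:
        """Steps 1-2: verify the login proof, then bind the user to the source IP."""
        key = self.keys.get(user)
        if key is None or not hmac.compare_digest(proof, keyed_answer(key, f"login|{user}|{ip}")):
            return False
        if ip in self.bindings:  # an IP holds one live binding at a time
            self._revoke(ip, "replaced by new login")
        self.bindings[ip] = {"user": user, "last_ok": now, "nonce": None}
        return True

    def challenge(self, ip: str) -> str:
        """Step 3: check request sent to the client at the bound IP (fresh nonce each time)."""
        nonce = secrets.token_hex(16)
        self.bindings[ip]["nonce"] = nonce
        return nonce

    def respond(self, ip: str, answer: str, now: float) -> bool:
        """Steps 3-4: a valid keyed answer refreshes the binding; a wrong one kicks the user."""
        b = self.bindings.get(ip)
        if b is None or b["nonce"] is None:
            return False
        expected = keyed_answer(self.keys[b["user"]], f"check|{ip}|{b['nonce']}")
        if not hmac.compare_digest(answer, expected):
            self._revoke(ip, "bad answer")   # the scheme kicks the user out on a wrong reply
            return False
        b["last_ok"], b["nonce"] = now, None
        return True

    def sweep(self, now: float) -> list:
        """Step 4: drop every binding whose last valid answer is older than the timeout."""
        stale = [ip for ip, b in self.bindings.items() if now - b["last_ok"] > self.timeout]
        for ip in stale:
            self._revoke(ip, "timeout")
        return stale

    def logout(self, user: str, ip: str, proof: str) -> bool:
        """Steps 4 and 6: the user releases the IP early; third parties are notified."""
        b = self.bindings.get(ip)
        if b is None or b["user"] != user:
            return False
        if not hmac.compare_digest(proof, keyed_answer(self.keys[user], f"logout|{user}|{ip}")):
            return False
        self._revoke(ip, "logout")
        return True

    def lookup(self, ip: str, now: float):
        """Step 5: third-party query, which user holds this IP right now? (None if unbound)."""
        self.sweep(now)
        b = self.bindings.get(ip)
        return b["user"] if b else None

    def _revoke(self, ip: str, reason: str) -> None:
        """Step 6: remove the binding and tell every subscribed third party."""
        b = self.bindings.pop(ip)
        for notify in self.subscribers:
            notify(ip, b["user"], reason)
```

The timeout path is the scheme's core security argument: whoever else takes over the IP cannot produce keyed answers, the legitimate client can no longer be reached, and the binding lapses rather than transferring.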
1. Based on the IP address and user-oriented. The authentication center can convert the IP address behavior at a particular moment into the behavior of a specific user according to the authentication information. After the user logs in, the authentication center guarantees that the IP address the user is using becomes the unique identifier of that user's identity. At the same time, this approach does not require the user to use a particular IP address, only that the IP address not change between login and logout, so it combines well with DHCP (Dynamic Host Configuration Protocol), gives the user convenience, and lets mobile users achieve network "plug and play" in a public network environment to the greatest extent.
2. Not limited by network range. The authentication center can be placed anywhere that any user host can reach. As long as the user is logged in, any third party anywhere in the Internet can determine the user's identity from the IP address and the user-IP binding information provided by the authentication center.
3. Safe and reliable. When an attacker attempts to use the original user's IP address to use network resources, the normal verification communication between the user and the authentication center is necessarily interrupted, which forces the user to be logged out within the timeout period. After logout the user is no longer responsible for the former IP address, and the third party can stop serving it immediately; the attacker gains nothing, so the original user's interests are effectively protected. In addition, when the user's computer has an accident (such as a crash), the authentication center can very quickly take measures (such as kicking the user out) to protect the user's interests to the greatest extent.
4. This identity check mechanism does not depend on a specific verification algorithm. The authentication at login and the subsequent periodic verification can be completed by any existing authentication method, such as the digital signature mechanism and the simple account/password mechanism mentioned above. Where conditions permit, hardware means can be used to assist the authentication process.
5. According to current data security theory, this authentication system can be designed so that the client and server program source code can be disclosed, the communication data and verification mechanism between client and server can be disclosed, and the attacker can be allowed to monitor the network for a long time, while the service side determines the user's legitimacy only from the user's key. An attacker who does not hold the user's key cannot forge the communication data between the user and the service side. Therefore this mechanism can be realized with an open protocol and open source code, and a standard protocol can be established. Anyone can write a customized client for their own operating system. A client implemented in Java can in principle run on any operating platform.
6. The user side's work can be done by a specific client program. This program works in the pure application layer (on top of the TCP/IP protocol), so it does not interfere with the user's other network access and does not damage the user's operating system.
7. The verification process does not depend on the client program supervising the user computer's software and hardware (IP/MAC binding must assume that the user may maliciously change the network card's MAC address).
8. Hard real-time with a light load, it can effectively support a large number of users and is not limited by network data traffic, so it is particularly suitable for broadband networks.
9. This mechanism is very easy to promote in broadband wide area networks and can make maximum use of existing network resources. It is not restricted by specific network devices or by network topology. The only additional hardware needed is the authentication server. The only additional software required on the user side is a client program, which can even run in the user's browser as a Java Applet. The user needs no extra hardware.
10. If the above verification process is reversed, two-way authentication between the user and the authentication center can easily be realized.

Claims (3)

  1. The technical features for which the Internet IP-based user identity authentication mechanism (method) claims protection:
    1. The user transmits authentication information with the authentication center over a dedicated Internet network connection (including TCP connections and UDP connections) using a specific encryption mechanism. The authentication center protects the user's identity by protecting this connection.
    2. Periodic verification is adopted to monitor the user's status in real time, so as to achieve the purpose of protecting the user's identity.
    3. The IP address is used as the basis of Internet identity authentication; the authentication center realizes the binding of a specific user to a specific IP address at a specific moment, and the conversion from the latter to the former.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 01129583 CN1394044A (en) 2001-06-28 2001-06-28 IP-user ID authentication mechanism (method) for Internet

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 01129583 CN1394044A (en) 2001-06-28 2001-06-28 IP-user ID authentication mechanism (method) for Internet

Publications (1)

Publication Number Publication Date
CN1394044A true CN1394044A (en) 2003-01-29

Family

ID=4669289

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 01129583 Pending CN1394044A (en) 2001-06-28 2001-06-28 IP-user ID authentication mechanism (method) for Internet

Country Status (1)

Country Link
CN (1) CN1394044A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100396148C (en) * 2004-10-15 2008-06-18 华为技术有限公司 Method for implementing timing verification of calls between bureaus based on IP of packet
CN100478936C (en) * 2004-07-09 2009-04-15 株式会社知识潮 Unauthorized connection detection system and unauthorized connection detection method
CN101167079B (en) * 2006-03-29 2010-11-17 日本三菱东京日联银行股份有限公司 User affirming device and method
CN1893355B (en) * 2005-07-05 2012-10-10 淘宝控股有限公司 Method and system for identifying identity of network user end
CN103001845A (en) * 2011-09-08 2013-03-27 北京智慧风云科技有限公司 System for building cloud service
CN103400079A (en) * 2013-07-23 2013-11-20 苏州汉清计算机有限公司 Information confidentiality software
CN103731413A (en) * 2013-11-18 2014-04-16 广州多益网络科技有限公司 Abnormal login handling method
CN104184583A (en) * 2013-05-23 2014-12-03 中国电信股份有限公司 Method and system for distributing IP address

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100478936C (en) * 2004-07-09 2009-04-15 株式会社知识潮 Unauthorized connection detection system and unauthorized connection detection method
CN100396148C (en) * 2004-10-15 2008-06-18 华为技术有限公司 Method for implementing timing verification of calls between bureaus based on IP of packet
CN1893355B (en) * 2005-07-05 2012-10-10 淘宝控股有限公司 Method and system for identifying identity of network user end
CN101167079B (en) * 2006-03-29 2010-11-17 日本三菱东京日联银行股份有限公司 User affirming device and method
CN103001845A (en) * 2011-09-08 2013-03-27 北京智慧风云科技有限公司 System for building cloud service
CN104184583A (en) * 2013-05-23 2014-12-03 中国电信股份有限公司 Method and system for distributing IP address
CN104184583B (en) * 2013-05-23 2017-09-12 中国电信股份有限公司 Method and system for distributing IP address
CN103400079A (en) * 2013-07-23 2013-11-20 苏州汉清计算机有限公司 Information confidentiality software
CN103731413A (en) * 2013-11-18 2014-04-16 广州多益网络科技有限公司 Abnormal login handling method
CN103731413B (en) * 2013-11-18 2017-08-04 广州多益网络科技有限公司 A kind of method for handling abnormal login

Similar Documents

Publication Publication Date Title
Kaeo Designing network security
CN100496025C (en) Ternary equal identification based reliable network access control method
Canavan Fundamentals of network security
CN100534036C (en) A trusted network connection method based on three-element peer authentication
US20030037258A1 (en) Information security system and method
CN104767731A (en) Identity authentication protection method of Restful mobile transaction system
CN101741860A (en) Computer remote security control method
CN111770071A (en) Method and device for gateway authentication of trusted device in network stealth scene
CN114513339A (en) Security authentication method, system and device
CN106789524A (en) The high speed parsing of VPN encrypted tunnels and restoring method
CN101867588A (en) Access control system based on 802.1x
CN1394044A (en) IP-user ID authentication mechanism (method) for Internet
CN102315996B (en) Network admission control method and system
US20050066199A1 (en) Identification process of application of data storage and identification hardware with IC card
CN201846357U (en) Security network architecture for non-field industries
Pampori et al. Securely eradicating cellular dependency for e-banking applications
CN113794721A (en) Government organization, financial institution and enterprise security direct connection method
US20050066161A1 (en) Mail sever security login identification system and method with IC card identification hardware device
Savukynas Internet of Things information system security for smart devices identification and authentication
US20040010723A1 (en) Network security method
Reid Plugging the holes in host-based authentication
WO2021229749A1 (en) Authentication method and authentication system in ip communication
Li et al. OAuth 2.0 protocol optimization based on CPK technology
González Robles et al. Doubtless identification and privacy preserving of user in cloud systems
Krishnan et al. Man in the Middle Attack Prevention using Token Generation Technique

Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication