Authentication system and authentication method based on central node
Technical Field
The present invention relates to the field of secure communications technologies, and in particular, to an authentication system and an authentication method based on a central node.
Background
An access authentication device is the device closest to the access terminal; it typically exchanges messages with an authentication server, forwarding access requests from the access terminal to the authentication server so that the server can perform network access authentication.
The traditional authentication mode is mostly unidirectional: the external device sends a request to the access authentication device, the access authentication device verifies the request after receiving it, and the external device is granted access once verification passes. This has several drawbacks. The security of information in transit is not guaranteed while authentication is completed; the external device can only authenticate with its designated access authentication device and cannot authenticate and communicate with multiple terminal devices at the same time; and, under ordinary authentication conditions, if the terminal device moves, it cannot authenticate with other devices because it holds no authentication information for them.
Disclosure of Invention
The invention aims to provide an authentication system and an authentication method based on a central node, in order to solve the technical defects of the prior art that an external device can only authenticate with its designated access authentication device, that the security of information transmission cannot be ensured, and that the external device cannot simultaneously authenticate and communicate with multiple terminal devices.
The technical scheme of the invention is realized as follows:
The authentication system based on the central node comprises a local verification authentication unit and a remote verification authentication unit. The local verification authentication unit comprises a local authentication device provided with a local proxy authentication module. The remote verification authentication unit comprises an authentication center device provided with a remote proxy authentication module, which can be connected to a plurality of local proxy authentication modules. The remote proxy authentication module and the plurality of local proxy authentication modules are each also connected to a key relay device, and the local verification authentication unit is connected to the corresponding external device.
Preferably, a key relay device is connected between the external device and the remote verification authentication unit.
Preferably, the key relay device is a quantum key relay device.
The invention also provides a central node-based authentication method, which comprises the following steps:
local verification authentication
1) The external device sends an authentication request message to the local verification authentication unit, and the local authentication device verifies the authentication request message; if verification passes, the authentication key of the local authentication device is returned to the external device, and if verification fails, the local authentication device enters remote verification authentication;
2) The external device receives the authentication key returned by the local authentication device and verifies whether that key is correct; if it is incorrect, authentication failure is returned, and if it is correct, a session link is created and authentication success is returned;
3) After receiving the authentication success message, the local authentication device creates the corresponding session link; if it receives the authentication failure message, it takes no action.
remote verification authentication
1) The external device sends an authentication request message to the local verification authentication unit, and the local authentication device verifies the authentication request message; if verification fails, the authentication request message is passed to the local proxy authentication module;
2) After receiving the authentication request message, the local proxy authentication module creates an encrypted information packet based on the request, adds the authentication request message to the encrypted information packet, and sends it to the remote proxy authentication module;
3) After receiving the information packet, the remote proxy authentication module decrypts it and passes the authentication request message to the authentication module of the remote verification authentication unit;
4) After receiving the authentication request message, the authentication module decrypts it, verifies the authentication information, and encrypts the authentication result data to be returned to the external device with the key shared between the external device and the remote verification authentication unit;
5) The authentication module sends the authentication result data and the authentication information to the remote proxy authentication module, which packages the authentication result and the authentication information and encrypts the package with the key shared with the local proxy authentication module;
6) The remote proxy authentication module sends the encrypted packet to the local proxy authentication module, which decrypts it to obtain the authentication information and the encrypted authentication result data;
7) The authentication module of the local authentication device records the authentication information and the encrypted authentication result data and sends both to the external device;
8) The external device receives the authentication information and the encrypted authentication result data and verifies whether the authentication key is correct; if it is incorrect, failure is returned, and if it is correct and the session link is established, authentication success is returned;
9) After receiving the authentication success message, the authentication module of the local authentication device creates the corresponding session link; if it receives the authentication failure message, it takes no action.
Preferably, in step 1) of local verification authentication, the key_id of the encrypted message is first looked up in the local database of the local verification authentication unit, and the corresponding authentication information is then retrieved from the local database, the authentication information including an authentication user and an authentication key.
Preferably, in step 2) of remote verification authentication, a custom message type is added on the basis of the request message, an agent_id is randomly generated and added as a header to the message header of the information packet, the packet is sent directly to the remote proxy authentication module over an established Session, and the mapping between the agent_id and the TCP connection of the accessing external device is stored in a data structure.
Preferably, in step 4) of remote verification authentication, the authentication module of the authentication center device decrypts the request message after receiving it, looks up the user information, the authentication key and the authentication key information of the authentication center device in the central database, verifies the user information and the authentication key, encrypts the authentication result with the key known to the external device, and passes the encrypted authentication result and the verification state to the remote proxy authentication module.
Preferably, the data passed to the remote proxy authentication module further comprises the authentication key information of the authentication center device and the generated Session key.
Compared with the prior art, the invention has the following beneficial effects:
According to the authentication system and authentication method based on the central node, an external device authenticates either locally or, when local verification fails, remotely through the authentication center; because the local verification authentication unit communicates with the authentication center, a communication connection can be established between the external device and every device connected to the authentication center. This overcomes the defect that the external device can only authenticate with its designated device and facilitates multi-point authenticated communication. In addition, the method encrypts the authentication information at multiple stages of its transmission during the authentication process, ensuring the security of the authentication information in transit, and it favours central management: when every device must pass through the central node for device authentication on accessing the network, all access devices can be recorded at the center for management.
Drawings
FIG. 1 is a schematic block diagram of a central node-based authentication system of the present invention;
FIG. 2 is a flow chart of the authentication method based on the central node of the present invention.
In the figure: the authentication system comprises a local verification authentication unit 100, a local authentication device 110, a local proxy authentication module 111, a remote verification authentication unit 200, an authentication center device 210, a remote proxy authentication module 211, a key relay device 300 and an external device 400.
Detailed Description
The present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which embodiments of the invention are shown.
The access authentication of the present invention is divided into two cases: first, authentication information is stored in an accessed local verification authentication unit; second, authentication information is stored in a remote verification authentication unit. The first case only requires local verification at the access local verification authentication unit, while the second case requires transmission of authentication information to the remote verification authentication unit for proxy access authentication verification. The specific authentication system and the authentication method are as follows:
As shown in FIG. 1, the authentication system based on the central node comprises a local verification authentication unit 100 and a remote verification authentication unit 200. The local verification authentication unit 100 comprises a local authentication device 110 provided with a local proxy authentication module 111. The remote verification authentication unit 200 comprises an authentication center device 210 provided with a remote proxy authentication module 211, which can be connected to a plurality of local proxy authentication modules 111. The remote proxy authentication module 211 and the plurality of local proxy authentication modules 111 are each connected to a key relay device 300, and the local verification authentication unit 100 is connected to the corresponding external device 400. A key relay device 300 is connected between the external device 400 and the remote verification authentication unit 200.
The key relay device 300 is a quantum key relay device. Existing authentication modes mostly verify with certificates, whereas the present invention uses a quantum key generated by quantum communication as the authentication key for access authentication, which is superior in security to an authentication certificate generated by an algorithm. A plurality of local authentication devices 110 can share one key relay device 300, so that the key relay device 300 relays keys between the plurality of local authentication devices 110 and the authentication center device 210. For example, when an external device A initiates access authentication to a local authentication device A, the accessed local authentication device A first searches locally for the key_id carried in the received message header; if a corresponding key_value is found, verification can be performed locally. If not, the local proxy module is called to package the encrypted message, which is encrypted with the key shared by local authentication device A and the authentication center device and forwarded to the remote verification authentication unit 200, where authentication is completed by the authentication center device 210.
As shown in FIG. 2, the invention further provides a central node-based authentication method, which comprises the following steps:
local verification authentication
1) The external device sends an authentication request message to the local verification authentication unit, and the local authentication device verifies the authentication request message; if verification passes, the authentication key of the local authentication device is returned to the external device, and if verification fails, the local authentication device enters remote verification authentication;
2) The external device receives the authentication key returned by the local authentication device and verifies whether that key is correct; if it is incorrect, authentication failure is returned, and if it is correct, a session link is created and authentication success is returned;
3) After receiving the authentication success message, the local authentication device creates the corresponding session link; if it receives the authentication failure message, it takes no action.
remote verification authentication
1) The external device sends an authentication request message to the local verification authentication unit, and the local authentication device verifies the authentication request message; if verification fails, the authentication request message is passed to the local proxy authentication module;
2) After receiving the authentication request message, the local proxy authentication module creates an encrypted information packet based on the request, adds the authentication request message to the encrypted information packet, and sends it to the remote proxy authentication module;
3) After receiving the information packet, the remote proxy authentication module decrypts it and passes the authentication request message to the authentication module of the remote verification authentication unit;
4) After receiving the authentication request message, the authentication module decrypts it, verifies the authentication information, and encrypts the authentication result data to be returned to the external device with the key shared between the external device and the remote verification authentication unit;
5) The authentication module sends the authentication result data and the authentication information to the remote proxy authentication module, which packages the authentication result and the authentication information and encrypts the package with the key shared with the local proxy authentication module;
6) The remote proxy authentication module sends the encrypted packet to the local proxy authentication module, which decrypts it to obtain the authentication information and the encrypted authentication result data;
7) The authentication module of the local authentication device records the authentication information and the encrypted authentication result data and sends both to the external device;
8) The external device receives the authentication information and the encrypted authentication result data and verifies whether the authentication key is correct; if it is incorrect, failure is returned, and if it is correct and the session link is established, authentication success is returned;
9) After receiving the authentication success message, the authentication module of the local authentication device creates the corresponding session link; if it receives the authentication failure message, it takes no action.
Preferably, in step 1) of local verification authentication, the key_id of the encrypted message is first looked up in the local database of the local verification authentication unit, and the corresponding authentication information is then retrieved from the local database, the authentication information including an authentication user and an authentication key.
Preferably, in step 2) of remote verification authentication, a custom message type is added on the basis of the request message, an agent_id is randomly generated and added as a header to the message header of the information packet, the packet is sent directly to the remote proxy authentication module over an established Session, and the mapping between the agent_id and the TCP connection of the accessing external device is stored in a data structure.
Preferably, in step 4) of remote verification authentication, the authentication module of the authentication center device decrypts the request message after receiving it, looks up the user information, the authentication key and the authentication key information of the authentication center device in the central database, verifies the user information and the authentication key, encrypts the authentication result with the key known to the external device, and passes the encrypted authentication result and the verification state to the remote proxy authentication module.
Preferably, the data passed to the remote proxy authentication module further comprises the authentication key information of the authentication center device and the generated Session key.
The authentication process is bidirectional: the initiating end and the receiving end must each transmit authentication information known to both sides, and the parties can establish a normal communication connection only when both pass authentication. The authentication information sent by the initiator must be encrypted. A preset shared key pair (key_id, key_value) is used for encryption and decryption: during transmission the key_id is assembled into the message in plaintext and placed in the message header, while the authentication information is encrypted with the key_value corresponding to that key_id and placed in the message body. The message is then transmitted to the device to which access is requested.
Besides the authentication information, the access request message REQ from the external device also carries a randomly generated Session key id and the Session key value corresponding to it; the message is encrypted with the preset shared key. If the access authentication device cannot parse the message, it is forwarded to the remote verification authentication unit. After decryption and authentication, the remote verification authentication unit 200 encrypts the Session information, together with the authentication result encrypted under the shared key from the external device's request message, using the key shared between the authentication center device and the local authentication device, and returns it to the local verification authentication unit in the message ACK; the local verification authentication unit stores the Session key information. If authentication fails, a failure state is returned directly. In the message CONF, the key used to encrypt the message is the exclusive OR of the two Session key ids and Session key values; that is, the key of the last frame is not preset, and the authentication center does not need to parse this message. Authentication adopts a three-way handshake similar to a TCP connection, with the relevant authentication information carried in the three frames REQ (request), ACK (response) and CONF (confirmation), which better realizes bidirectional authentication. Moreover, within a single authentication process, different keys are used to encrypt and decrypt the messages, so the security of information transmission is ensured while authentication is completed.
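The three-frame REQ/ACK/CONF exchange just described, together with the local key_id lookup from the FIG. 1 discussion (verify locally if key_value is found, otherwise hand off to the remote unit), as an added illustration that is not the patent's own code. It assumes a hypothetical message layout (plaintext key_id header, encrypted body with fields device, auth_key, sid, skey), a stdlib-only toy cipher standing in for whatever the real devices use, and it does not model the proxy relay to the authentication center.

```python
import hashlib, hmac, json, os

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode) so the sample runs on the stdlib alone.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, payload: dict) -> str:
    # Encrypt-then-MAC the JSON payload; hex so it can sit in a message body.
    nonce = os.urandom(12)
    pt = json.dumps(payload, sort_keys=True).encode()
    ct = _xor(pt, _keystream(key, nonce, len(pt)))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]).hex()

def unseal(key: bytes, body: str) -> dict:
    blob = bytes.fromhex(body)
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("tag mismatch: wrong key_value or tampered body")
    return json.loads(_xor(ct, _keystream(key, nonce, len(ct))))

def frame(msg_type: str, key_id: str, key: bytes, payload: dict) -> dict:
    # Header carries key_id in plaintext; only the body is encrypted under key_value.
    return {"type": msg_type, "key_id": key_id, "body": seal(key, payload)}

class Peer:
    # One end of the handshake: own credential, preset (key_id -> key_value) pairs and the
    # auth keys it expects from peers. Field names (device, sid, skey) are hypothetical.
    def __init__(self, name, auth_key, preset, trusted):
        self.name, self.auth_key, self.preset, self.trusted = name, auth_key, preset, trusted
    def _fresh(self):  # random Session key id / value for this handshake
        self.sid, self.skey = os.urandom(4).hex(), os.urandom(32)
        return {"sid": self.sid, "skey": self.skey.hex()}
    def _derive(self, sid, skey):
        # CONF key = XOR of both sides' Session keys: never preset, never seen by the center.
        self.conf_id = _xor(bytes.fromhex(sid), bytes.fromhex(self.sid)).hex()
        self.conf_key = _xor(bytes.fromhex(skey), self.skey)
    def req(self, key_id):
        body = {"device": self.name, "auth_key": self.auth_key, **self._fresh()}
        return frame("REQ", key_id, self.preset[key_id], body)
    def ack(self, req):
        key = self.preset.get(req["key_id"])
        if key is None:
            return None  # key_id absent from local DB: hand off to the remote unit (not modelled)
        p = unseal(key, req["body"])
        if self.trusted.get(p["device"]) != p["auth_key"]:
            return frame("ACK", req["key_id"], key, {"status": "fail"})
        body = {"status": "ok", "device": self.name, "auth_key": self.auth_key, **self._fresh()}
        self._derive(p["sid"], p["skey"])
        return frame("ACK", req["key_id"], key, body)
    def conf(self, ack):
        p = unseal(self.preset[ack["key_id"]], ack["body"])
        if p.get("status") != "ok" or self.trusted.get(p["device"]) != p["auth_key"]:
            return None  # rejected, or the responder failed to prove itself (bidirectional check)
        self._derive(p["sid"], p["skey"])
        return frame("CONF", self.conf_id, self.conf_key, {"status": "ok"})
    def finish(self, conf):
        return conf["key_id"] == self.conf_id and unseal(self.conf_key, conf["body"])["status"] == "ok"

def handshake(initiator, responder, key_id):
    ack = responder.ack(initiator.req(key_id))
    if ack is None:
        return "forward-to-remote"  # local unit lacks key_id: remote verification path
    conf = initiator.conf(ack)
    return "ok" if conf is not None and responder.finish(conf) else "fail"
```

Each frame is encrypted under a different key (preset key_value for REQ and ACK, the XOR-derived session key for CONF), and a responder that cannot present the auth key the initiator expects is rejected even though it accepted the initiator.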
As can be seen from the system structure and the authentication method provided by the invention, the authentication system and method based on the central node let an external device authenticate either locally or, when local verification fails, remotely through the authentication center; because the local verification authentication unit communicates with the authentication center, a communication connection can be established between the external device and every device connected to the authentication center. This eliminates the defect that the external device can only authenticate with its designated device and facilitates multi-point authenticated communication. In addition, the authentication information is encrypted at multiple stages of its transmission during the authentication process, ensuring the security of the authentication information in transit.