Safety access system and method for guaranteeing source address authenticity by using token mechanism

A technology of secure access and source address, which is applied in the field of network security and can solve problems such as source address forgery

Inactive Publication Date: 2010-06-09
BEIJING JIAOTONG UNIV

Problems solved by technology

[0012] The above authentication process has the following flaw: the access router stores the access addresses of terminals that have been successfully authenticated in its local user mapping table, and an attacker can pass off one of those addresses as its own source address. Because the address already exists in the local user mapping table, packets are forwarded after direct address mapping without triggering authentication, which creates the problem of source address forgery.


Embodiment 1

[0053] Embodiment 1: The hash value of the identity information is used to construct a 128-bit access address, and a 128-bit IPv6 address is used as the routing address, so that user identity and location are separated. Specifically:

[0054] (1) The access address structure is:

[0055] The access address is 128 bits; the home prefix is issued by the local network access server, and the hash value of the identity information is chosen by the user. The fields of the access address are defined as follows:

[0056] Home prefix: 24 bits, the home-domain prefix of the terminal. The access address home prefix of each domain is assigned according to the geographic location of the management domain, which improves access address lookup efficiency. When the terminal moves to a new access network, the home prefix lets the access router promptly notify the mapping server in the terminal's home domain to update the mapping between the terminal's access address and its routing address;

[...

Embodiment 2

[0060] Embodiment 2: To implement the secure access system of the present invention, an access server must be deployed in the access network of the "address separation mapping" network, the software of the access negotiation module and the data packet verification module must be installed on the access router, and the access client software must be installed on the terminal:

[0061] (1) Access server: saves a table entry for the terminal when the terminal first accesses; publishes its own public key for terminals to query; assigns tokens that mark the identity of the terminal; access servers can query each other; the access negotiation control module and the token distribution module are installed in the access server;

[0062] The access negotiation control module installed in the access server is responsible for receiving and processing terminal access requests. When verifying whether the terminal access address is requesting access for the first time or not, the corresponding relationship betwee...

Embodiment 3

[0066] Embodiment 3: The invented secure access method is implemented by defining a specific message format; that is, the payload of the secure access method is carried in specific messages, and the exchange of these messages among the components of the secure access system of Embodiment 2 realizes the secure access method.

[0067] The present invention deploys the access server in the access network, installs the software of the access negotiation module and the data packet verification module on the access router, installs the access client software on the terminal, and designs the access method for access security, which guarantees the authenticity of the source address in the address separation mapping network. As shown in Figure 3, terminal A in access network 1 communicates with terminal C in access network 2; in combination with Figure 2, the secure access method is as follows:

[0068] Step 1: The terminal A in the access net...


Abstract

The invention provides a safety access system and method for guaranteeing source address authenticity by using a token mechanism. An admission server is deployed in an access network of an address separation mapping network, an access consultation module and a data packet verification module are installed on the access router, an access client software module is installed on the terminal, and the safety access method used for access is designed so as to guarantee source address authenticity in the address separation mapping network. According to the method, the terminal securely acquires a unique token that is bound to its access address, so that access address and token correspond one to one; the access router creates a (terminal access address, token) table that it uses to verify the binding between the terminal access address and the token; the admission server creates a (terminal access address, terminal public key) table and sends a challenge when a terminal requests access, both of which greatly reduce the effect of DoS attacks on the admission server.
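As an added illustration (not code from the patent), the access address construction of Embodiment 1 and the access router's (access address, token) check described in the abstract, in Python. SHA-256 as the hash, filling the remaining 104 bits from that hash, and a 16-byte token are assumptions; the page only fixes the 128-bit address and the 24-bit home prefix.

```python
import hashlib
import secrets

HOME_PREFIX_BITS = 24          # home prefix width from Embodiment 1
SUFFIX_BITS = 128 - HOME_PREFIX_BITS


def make_access_address(home_prefix: int, identity: bytes) -> int:
    """Build a 128-bit access address: 24-bit home prefix followed by the
    low 104 bits of a SHA-256 hash of the identity information.
    (SHA-256 and the 104-bit fill are assumptions; the patent only says
    'hash value of identity information'.)"""
    assert 0 <= home_prefix < (1 << HOME_PREFIX_BITS), "prefix must fit 24 bits"
    digest = int.from_bytes(hashlib.sha256(identity).digest(), "big")
    suffix = digest & ((1 << SUFFIX_BITS) - 1)
    return (home_prefix << SUFFIX_BITS) | suffix


class AccessRouter:
    """Holds the (terminal access address, token) table and verifies packets."""

    def __init__(self) -> None:
        self.bindings: dict[int, bytes] = {}   # access address -> issued token

    def bind(self, access_addr: int, token: bytes) -> None:
        """Record the binding the access server established for this terminal."""
        self.bindings[access_addr] = token

    def verify_packet(self, src_addr: int, token: bytes) -> bool:
        """Forward only when the source address is bound AND the token matches.
        This closes the flaw in [0012]: an address already in the table is no
        longer enough on its own. Constant-time compare avoids timing leaks."""
        expected = self.bindings.get(src_addr)
        return expected is not None and secrets.compare_digest(expected, token)


def demo() -> dict:
    """Constructed scenario: one legitimate terminal, two rejected packets."""
    router = AccessRouter()
    addr_a = make_access_address(0x000001, b"terminal-A identity")  # sample identity
    tok_a = secrets.token_bytes(16)   # stands in for the access server's token grant
    router.bind(addr_a, tok_a)
    return {
        "legit": router.verify_packet(addr_a, tok_a),
        # address is in the table, but the sender lacks the bound token
        "known_addr_wrong_token": router.verify_packet(addr_a, b"\x00" * 16),
        # address never registered with the access server
        "unknown_addr": router.verify_packet(make_access_address(1, b"other"), tok_a),
    }
```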

Description

Technical field

[0001] The invention relates to a method for ensuring the authenticity of the source address in an address separation mapping network, and belongs to the technical field of network security.

Background technique

[0002] In the current Internet architecture, the dual role of the IP address as both identity and locator has long limited improvements in network performance, so the idea of separating identity and location has emerged, for example the LISP protocol of Farinacci et al. (see D. Farinacci, V. Fuller, D. Meyer and D. Lewis, Locator/ID Separation Protocol (LISP), draft-farinacci-lisp-12, March 2, 2009).

[0003] The address separation mapping mechanism is based on the idea of separating identity and location. It introduces two types of addresses: the access address and the routing address. The access address represents the public identity information of the terminal, and the routing address represents the location information of the terminal. In the address separation mapping m...


Application Information

Patent Type & Authority Applications(China)
IPC(8): H04L29/06, H04L29/12
Inventor 张宏科, 王凯, 周华春, 刘颖, 秦雅娟
Owner BEIJING JIAOTONG UNIV