High availability network access authentication method and system based on multiple optical modules

By employing a multi-optical module redundancy structure and a shared secret seed generation method, the problems of easy optical module failure and easy key tampering are solved, achieving highly reliable network access authentication and improving security and fault tolerance.

CN121967085BActive Publication Date: 2026-07-10SUZHOU HONGCUNXINJIE TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
SUZHOU HONGCUNXINJIE TECH CO LTD
Filing Date
2026-03-26
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

In existing technologies, optical modules lack redundant backups, are prone to single points of failure, and authentication keys are easily attacked and tampered with, resulting in poor access security and reliability.

Method used

A multi-optical module redundancy structure is adopted, and the master module and slave module are randomly selected. A shared secret seed and digital certificate are written into the EEPROM. The terminal and the server generate a shared secret array through the shared secret seed, generate a one-time session key and sign it, and transmit it according to the 802.1X protocol. The server verifies the signature value to allow access.

Benefits of technology

It achieves highly available, tamper-proof, and attack-resistant secure network access, and improves the security and redundancy fault tolerance of optical module access authentication.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN121967085B_ABST
    Figure CN121967085B_ABST
Patent Text Reader

Abstract

This invention discloses a high-availability network access authentication method and system based on multiple optical modules, belonging to the field of network access authentication technology. The method includes: randomly selecting one SFP optical module as the master module and using the remaining SFP optical modules as multiple slave modules; generating a shared secret array by derivation of keys according to a first key derivation rule; randomly generating index tuples to obtain a one-time session key; signing the one-time session key to generate a signature value; extracting multiple identical secret values ​​to obtain a verification session key; and allowing the terminal to access the network when verification is successful. This invention solves the technical problems of existing technologies, such as lack of redundant backup of optical modules, susceptibility to single points of failure, vulnerability of authentication keys to attacks and tampering, and poor access security and reliability. It achieves high availability, tamper-proof, attack-resistant, and highly reliable secure network access, effectively improving the security and redundancy fault tolerance of optical module access authentication.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network access authentication technology, and specifically to a high-availability network access authentication method and system based on multiple optical modules. Background Technology

[0002] With the rapid development of fiber optic communication and industrial network access technologies, network access authentication based on SFP optical modules has been widely used. However, traditional single-optical-module architectures generally suffer from high single-point-of-failure risk and weak redundancy and fault tolerance. Once the optical module is damaged, the communication link is interrupted, or the stored data is abnormal, it is very easy for the terminal to fail to complete authentication and for network access to be interrupted. At the same time, most existing access authentication schemes use fixed keys for identity verification. The keys lack dynamic update mechanisms and secure backup mechanisms, making them vulnerable to attacks such as eavesdropping, tampering, and replay attacks. These schemes suffer from low authentication security, easy key leakage, and insufficient resistance to attacks.

[0003] Existing technologies suffer from technical problems such as lack of redundant backup for optical modules, susceptibility to single points of failure, vulnerability of authentication keys to attack and tampering, and poor access security and reliability. Summary of the Invention

[0004] This application provides a high-availability network access authentication method and system based on multiple optical modules, which is used to address the technical problems in the prior art, such as the lack of redundant backup of optical modules, susceptibility to single point of failure, vulnerability of authentication keys to attack and tampering, and poor access security and reliability.

[0005] In view of the above problems, this application provides a high-availability network access authentication method and system based on multiple optical modules.

[0006] A first aspect of this application provides a high-availability network access authentication method based on multiple optical modules, the method comprising:

[0007] In a multi-optical module redundancy structure, one SFP optical module is randomly selected as the master module, and the remaining SFP optical modules are designated as slave modules. The same shared secret seed is written into the EEPROM of both the master module and the slave modules. A digital certificate bound to the master module's serial number is written into the master module's EEPROM, and the master module's digital certificate is backed up in the EEPROMs of each slave module. The authentication terminal and the access authentication server perform key derivation according to the shared secret seed and a first key derivation rule to generate a shared secret array, which includes multiple secret values. The terminal responds to the access request. The authentication request involves randomly generating an index tuple containing multiple indices, extracting corresponding secret values ​​from the shared secret array based on the index tuple, performing a hash operation to obtain a one-time session key, signing the one-time session key with a signing key to generate a signature value, and transmitting the index tuple and signature value to the access authentication server via the 802.1X protocol. The access authentication server extracts multiple identical secret values ​​from its local shared secret array based on the index tuple, performs a hash operation to obtain a verification session key, verifies the signature value using the public key corresponding to the signing key, and allows the terminal to access the network when the verification is successful.

[0008] A second aspect of this application provides a high-availability network access authentication system based on multiple optical modules, the system comprising:

[0009] A shared secret seed writing module is used to randomly select one SFP optical module as the master module in a multi-optical module redundancy structure, and use the remaining SFP optical modules as multiple slave modules. The same shared secret seed is written into the EEPROMs of the master module and the multiple slave modules respectively. A digital certificate bound to the master module's serial number is written into the master module's EEPROM, and the master module's digital certificate is backed up in the EEPROMs of the multiple slave modules respectively. A shared secret array generation module is used for the authentication terminal and the access authentication server to perform key derivation according to the shared secret seed and a first key derivation rule to generate a shared secret array, wherein the shared secret array includes multiple secret values. A one-time session key acquisition module is also included. The system includes a terminal response mechanism for responding to access authentication requests, a random index tuple containing multiple indices, an index tuple for extracting corresponding secret values ​​from the shared secret array based on the index tuple, a hash operation for performing a hash operation, and a signature value generation module for signing the one-time session key using a signature key to generate a signature value, and transmitting the index tuple and signature value to the access authentication server via the 802.1X protocol. A verification session key acquisition module is used by the access authentication server to extract multiple identical secret values ​​from the local shared secret array based on the index tuple, perform a hash operation to obtain a verification session key, verify the signature value using a public key corresponding to the signature key, and allow the terminal to access the network when the verification is successful.

[0010] One or more technical solutions provided in this application have at least the following technical effects or advantages:

[0011] In a multi-optical module redundancy structure, one SFP optical module is randomly selected as the master module, and the remaining SFP optical modules are used as multiple slave modules. The authentication terminal and the access authentication server perform key derivation according to the shared secret seed and the first key derivation rule to generate a shared secret array. The terminal responds to the access authentication request, randomly generates an index tuple containing multiple indices, extracts multiple corresponding secret values ​​from the shared secret array based on the index tuple, performs a hash operation, and obtains a one-time session key. The one-time session key is signed using a signing key to generate a signature value, and the index tuple and signature value are transmitted to the access authentication server via the 802.1X protocol. The access authentication server extracts multiple identical secret values ​​from its local shared secret array based on the index tuple, performs a hash operation to obtain a verification session key, and verifies the signature value using the public key corresponding to the signing key. When the verification is successful, the terminal is allowed to access the network. This achieves highly available, tamper-proof, attack-resistant, and highly reliable secure network access, effectively improving the security and redundancy fault tolerance of optical module access authentication. Attached Figure Description

[0012] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0013] Figure 1 A schematic diagram of the high-availability network access authentication method based on multiple optical modules provided in this application embodiment;

[0014] Figure 2 This is a schematic diagram of the structure of a high-availability network access authentication system based on multiple optical modules provided in an embodiment of this application.

[0015] Explanation of reference numerals in the attached diagram: Shared secret seed writing module 10, shared secret array generation module 20, one-time session key acquisition module 30, signature value generation module 40, and verification session key acquisition module 50. Detailed Implementation

[0016] This application provides a highly available network access authentication method and system based on multiple optical modules, which addresses the technical problems in the prior art, such as the lack of redundant backup of optical modules, susceptibility to single points of failure, vulnerability of authentication keys to attack and tampering, and poor access security and reliability.

[0017] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of this application, and not all of them. All other embodiments obtained by those skilled in the art based on the embodiments of this application without creative effort are within the scope of protection of this application.

[0018] Example 1, as Figure 1 As shown, this application provides a high-availability network access authentication method based on multiple optical modules, the method comprising:

[0019] Step S100: In the multi-optical module redundancy structure, randomly select one SFP optical module as the master module, and use the remaining SFP optical modules as multiple slave modules. Write the same shared secret seed into the EEPROM of the master module and the multiple slave modules respectively. Write a digital certificate bound to the master module serial number into the EEPROM of the master module, and back up the digital certificate of the master module into the EEPROM of the multiple slave modules respectively.

[0020] Specifically, at the physical hardware level of this multi-optical module redundancy structure, any one SFP optical module is randomly selected as the master module, and the remaining SFP optical modules not selected as master modules are uniformly configured as slave modules, realizing the physical layering of master and backup nodes based on the redundancy architecture. Furthermore, to build a secure foundation for subsequent identity authentication and key negotiation, utilizing the non-volatile storage characteristics of the electrically erasable programmable read-only memory (EEPROM) built into each SFP optical module, the same shared secret seed is written into the EEPROM of the master module and all slave modules. This shared secret seed is written synchronously in plaintext to the protected secure storage area of ​​the master module's EEPROM and the EEPROMs of all slave modules. The seed is a tuple consisting of a 256-bit forward seed and a 256-bit reverse seed, both of which are generated by hardware-generated true random numbers. The key is generated independently and mathematically unrelated, using a binary bit string as its physical form. Its 256-bit length can withstand brute-force attacks using the quantum Grover algorithm, achieving an effective security strength of 128 bits. This binary tuple is fixed once generated and only changes when the key update process is triggered. The shared secret seed in the master module's EEPROM is configured as read-only and non-exportable. Slave modules write identical copies of this seed to the master module, and this seed is synchronously stored in the authentication server's hardware security module (HSM), never leaving the HSM's physical boundaries, forming a three-way synchronous storage mechanism involving the master module, multiple slave modules, and the authentication server. Simultaneously, a digital certificate strongly bound to the master module's globally unique serial number is written to the master module's EEPROM. The uniqueness of the serial number ensures the digital certificate's traceability and unforgeability. Furthermore, the master module's digital certificate is backed up in each slave module's EEPROM, forming a redundant certificate storage mechanism with one master and multiple backups. Through the above configuration, this step not only utilizes the redundant structure of the multi-optical modules to ensure the high availability and fault tolerance of the key materials and identity certificates required for authentication, avoiding the interruption of the authentication process due to the data corruption of a single module, but also provides the core technical basis for certificate validity verification, prevention of certificate cloning attacks, and vendor identity verification in the subsequent access authentication stage through the binding relationship between the certificate and the main module serial number, thus forming the pre-trust foundation for the subsequent network access authentication security mechanism.

[0021] Step S200: The authentication terminal and the access authentication server perform key derivation according to the first key derivation rule based on the shared secret seed to generate a shared secret array, wherein the shared secret array includes multiple secret values.

[0022] Specifically, the authentication terminal and the access authentication server first synchronize their key materials. The access authentication server pre-configures and holds seed materials and derived materials corresponding to the shared secret seed in the master-slave module's EEPROM, ensuring that the underlying data for key derivation from both parties is from the same source. Subsequently, based on the same shared secret seed, both parties collaboratively execute key derivation operations, strictly following the first key derivation rule consistent with the master-slave module's encryption process. This rule specifically involves performing a forward iterative hash calculation on the first seed in the shared secret seed to generate a forward hash value sequence, performing a reverse iterative hash calculation on the second seed to generate a reverse hash value sequence, and then performing an XOR operation on the hash values ​​at corresponding positions in the two sequences. This composite operation generates a shared secret array composed of multiple independent secret values. This process relies on the same source seed and the same derivation rule between the terminal and the server to ensure that the shared secret array generated by both parties is completely consistent, constructing a unified basic key pool for subsequent one-time session key generation and authentication verification. At the same time, the combination of forward and reverse iterative hashing and XOR encryption logic improves the randomness and anti-cracking resistance of secret value generation, ensuring the security and consistency of network access authentication from the key derivation level.

[0023] Step S300: The terminal responds to the access authentication request, randomly generates an index tuple containing multiple indices, extracts multiple corresponding secret values ​​from the shared secret array based on the index tuple, performs a hash operation, and obtains a one-time session key.

[0024] Specifically, upon receiving an 802.1X network access authentication request from the access authentication server, the terminal immediately initiates a key generation process. First, a preset number of random integers are generated using a random number generator. The values ​​of all random integers are limited to the total number of secret values ​​in the shared secret array. These random integers are then combined in the order of generation into an index tuple containing multiple indices, ensuring the randomness and unpredictability of index selection. Subsequently, based on this index tuple, the terminal precisely extracts multiple secret values ​​at corresponding positions from the generated shared secret array. These extracted secret values ​​are then combined and hashed to generate a one-time session key using a one-way hash encryption method. In this process, the one-time session key is dynamically derived based on random indices and is valid only for this access authentication. This aligns with the security design of dynamically generated session keys and incorporates the high-availability authentication logic of the SFP module, avoiding the security risk of fixed keys being cracked. Furthermore, the multi-secret-value design of the shared secret array further enhances the randomness and anti-attack capability of the session key, establishing a secure one-time session foundation for subsequent identity authentication under the 802.1X protocol.

[0025] Step S400: Sign the one-time session key using the signing key to generate a signature value, and transmit the index tuple and signature value to the access authentication server via the 802.1X protocol.

[0026] Specifically, after generating a one-time session key, the terminal performs a digital signature operation on the one-time session key based on a preset signature key, which is the signature private key in the terminal's signature key pair. Specifically, the one-time session key is used as the input for the signature message, and the signature function of the FAEST signature algorithm that generated the signature private key is called to complete the signature calculation and generate the corresponding signature value. After the signature is completed, the terminal follows the transmission specifications of the 802.1X network access control protocol, integrates the randomly generated index tuple with the generated signature value as core authentication data, and transmits it to the access authentication server. This provides a complete verification basis for the server's subsequent session key verification and signature legality verification. By combining asymmetric signature with standard protocol transmission, the integrity and immutability of the authentication data during transmission are ensured. At the same time, relying on the FAEST quantum-resistant signature algorithm, the cryptographic security strength of the signature process is improved, which meets the security design requirements of high-availability network access authentication.

[0027] Step S500: The access authentication server extracts multiple identical secret values ​​from the local shared secret array based on the index tuple, performs a hash operation to obtain the verification session key, verifies the signature value using the public key corresponding to the signature key, and allows the terminal to access the network when the verification is successful.

[0028] Specifically, after receiving the index tuple and signature value transmitted by the terminal via the 802.1X protocol, the access authentication server first extracts multiple secret values ​​at corresponding positions from the shared secret array generated locally and from the same source as the terminal, based on the index tuple. It then calculates the extracted secret values ​​according to hash operation rules completely consistent with the terminal's, generating a verification session key to achieve consistency verification of the terminal's one-time session key. Subsequently, it calls a pre-set verification public key, asymmetrically corresponding to the terminal's signature private key, to perform a legality verification operation on the signature value sent by the terminal. This verification public key is authenticated by the vendor's root key against the private key, and its validity has been pre-verified on the server side. When the server completes the consistency matching between the verification session key and the terminal's one-time session key, and the public key verification operation result of the signature value is passed, it confirms the terminal's legitimate identity and that the authentication data has not been tampered with. It then executes the network access authorization operation, allowing the terminal to access the corresponding network. The entire verification process relies on a dual verification mechanism of same-source key derivation, same-rule hash operation, and asymmetric signature verification, ensuring the security and accuracy of network access authentication and meeting the core design requirements of high-availability network access authentication.

[0029] In one possible implementation, step S200 further includes:

[0030] Step S210: Perform a forward iterative hash calculation on the first seed in the shared secret seed to obtain a forward hash value sequence.

[0031] Step S220: Perform reverse iterative hash calculation on the second seed in the shared secret seed to obtain a reverse hash value sequence.

[0032] Step S230: Perform an XOR operation on the corresponding hash values ​​in the forward hash value sequence and the reverse hash value sequence to obtain multiple secret values ​​in the shared secret array.

[0033] Specifically, the authentication terminal and the access authentication server first uniformly call the SHA-256 hash algorithm and load a pre-agreed number of iterations N (N≥1024) and an initial salt value to share the first seed in the secret seed, denoted as Seed1, as the initial input value. The first round of forward hash calculation is then performed: Seed1 is concatenated with the initial salt value and input into the SHA-256 algorithm to obtain the first hash value H1. Subsequently, H1 is used as the input value for the next round of calculation, the initial salt value is removed, and the SHA-256 algorithm is used to perform the second round of hash calculation to obtain the hash value H2. This process continues to iterate, with each round using the hash result of the previous round as the input value for the current round, until N forward iterations are completed. Finally, H1, H2...HN generated during the iteration process are stored sequentially according to the order of operation, forming an ordered forward hash value sequence of length N. The entire process ensures that the forward hash value sequences generated by the terminal and the server are completely consistent through a fixed algorithm, a unified number of iterations, and standardized operation logic. At the same time, the high number of iterations significantly improves the sequence's resistance to collisions and cracking.

[0034] The authentication terminal and the access authentication server synchronously adopt the SHA-256 hash algorithm consistent with step S210, loading the same preset iteration number N, N≥1024, and a unique reverse initial salt value, sharing the second seed in the secret seed, denoted as Seed2, as the core input value to perform reverse iterative hash calculation: First, Seed2 is concatenated with the reverse initial salt value and input into the SHA-256 algorithm to complete the Nth round of hash operation, obtaining the last hash value HN; then, HN is used as the input value for the (N-1)th round of operation, the reverse initial salt value is removed, and the SHA-256 hash operation is continued to obtain the hash value. HN-1; Following this rule, iterate backwards from back to front, using the hash result of the current round as the input value of the previous round, until the first round of hashing is completed and the hash value H1 is obtained; Finally, store H1, H2...HN generated by the reverse iteration in forward order from the first round to the Nth round, forming a reverse hash value sequence with the same length as the forward hash value sequence. This reverse iteration method maintains the consistency of the algorithm with the forward iteration, and further improves the randomness of the hash value sequence through the reverse operation logic. At the same time, the synchronous operation between the terminal and the server ensures that the reverse hash value sequences generated by both parties are completely from the same source.

[0035] The authentication terminal and the access authentication server synchronously perform XOR operations on the generated forward hash value sequence and the generated reverse hash value sequence. First, they confirm that the lengths of the two hash value sequences are exactly the same, ensuring that the positions of the hash values ​​in the sequences correspond one-to-one. Then, starting from the first position of the sequence, they sequentially perform bitwise XOR operations on the hash values ​​at the same index positions in the two sequences. The result of the operation on each corresponding position hash value is used as an independent secret value. Finally, the secret values ​​obtained from the XOR operations on all positions are integrated in the order of the operations to generate a shared secret array containing multiple secret values. By combining the characteristics of forward and reverse iterative hashing through XOR operations, the randomness and anti-cracking resistance of the secret values ​​are improved. At the same time, the terminal and the server use completely consistent operation logic to ensure that the shared secret arrays generated by both parties are completely from the same source, laying a unified foundation for key verification in subsequent access authentication.

[0036] In one possible implementation, step S300 further includes:

[0037] Step S310: Obtain a preset number of random integers from the random number generator, wherein the values ​​of the random integers range from 1 to N, where N is the total number of secret values ​​in the shared secret array and N is a positive integer.

[0038] Step S320: Combine the plurality of random integers into the index tuple according to the generation order.

[0039] Specifically, during the process of generating an index tuple in response to an access authentication request, the terminal first invokes the device's built-in cryptographically secure random number generator. This generator has the characteristics of high randomness and unpredictability, which can avoid the security risks brought by pseudo-random numbers. The terminal generates a number of random integers through this generator according to a preset number agreed upon with the access authentication server. At the same time, the generated random integers are strictly limited to a range of values. All random integers are positive integers in the range of 1 to N, where N is the total number of secret values ​​in the shared secret array jointly generated by the terminal and the server. This ensures that each generated random integer can serve as a valid index, accurately matching the secret value at the corresponding position in the shared secret array, and providing a legitimate and random index basis for subsequent extraction of secret values ​​and generation of one-time session keys.

[0040] After obtaining a preset number of random integers, the terminal strictly follows the order in which these random integers are output from the cryptographically secure random number generator, concatenating and combining them sequentially without any sorting or adjustment to form an ordered index tuple. The number of elements in the index tuple is exactly the same as the preset number of random integers, and the order of the elements is completely synchronized with the generation order of the random integers, thus ensuring the randomness and originality of the index tuple. At the same time, this ordered index tuple can serve as the sole basis for accurately extracting the secret value at the corresponding position from the shared secret array, ensuring that the terminal can extract the secret value in a fixed order.

[0041] In one possible implementation, step S400 further includes:

[0042] Step S410: Generate the vendor root key pair and the terminal signature key pair.

[0043] Step S420: Use the private key in the manufacturer's root key pair to sign the verification public key in the terminal signature key pair.

[0044] Step S430: Pre-install the public key in the vendor root key pair to the access authentication server, so that the access authentication server can verify the validity of the verification public key in the terminal signature key pair.

[0045] Step S440: The terminal uses the signing private key in the terminal signing key pair to sign the one-time session key to obtain a signature value.

[0046] Specifically, a two-layer key pair is generated using a quantum-resistant cryptographic algorithm. First, the SFP optical module manufacturer generates a manufacturer root key pair as the foundation of root trust. This key pair is asymmetric and includes the manufacturer's root private key and root public key, serving as the underlying trusted basis for the entire authentication system. Simultaneously, on the terminal side that needs to perform network access authentication, a dedicated terminal signature key pair is generated. This key pair is also asymmetric and includes the terminal signature private key and the terminal verification public key, specifically used for signing and verifying the signature for this network access authentication. Both types of key pairs follow high-security generation specifications to ensure the randomness, uniqueness, and resistance to cracking of the keys.

[0047] After generating the vendor root key pair and the terminal signature key pair, the vendor performs a signature endorsement operation on the public key. Using the vendor root private key in the vendor root key pair, the terminal verification public key in the terminal signature key pair is used as the original signature data. A preset quantum-resistant signature algorithm is used to digitally sign the public key, generating the corresponding public key signature information. This operation completes the authentication of the legitimacy and ownership of the terminal verification public key, proving that the terminal verification public key was issued by a legitimate vendor and has not been tampered with. It also establishes a trusted association between the vendor root key pair and the terminal signature key pair, providing a traceable signature basis for subsequent access to the authentication server to verify the validity of the terminal verification public key, thus strengthening the trust link of the entire authentication system.

[0048] During the device manufacturing or system initialization phase, the vendor's root public key in the vendor's root key pair is embedded in plaintext in a secure and trusted format and pre-installed in the secure storage area of ​​the access authentication server, and added to the server's trusted certificate trust chain. This pre-installed vendor root public key serves as the server's unique and trusted public key verification benchmark. When the access authentication server receives the signature information and corresponding terminal verification public key uploaded by the terminal, it can use the pre-embedded vendor root public key to perform a signature verification operation on the terminal verification public key signed by the vendor's root private key. By verifying the legality of the signature, it determines whether the terminal verification public key was issued by a legitimate vendor and whether it has been tampered with during transmission or storage, thereby completing the trusted authentication of the validity of the terminal verification public key.

[0049] The authentication terminal first performs a hash operation on the generated one-time session key to obtain the corresponding session key digest information. Then, it calls the signature private key from the terminal signature key pair stored locally on the terminal and uses a pre-set asymmetric cryptographic algorithm to perform a signature operation with the session key digest as the signature object. The digest information is encrypted using the signature private key to finally obtain a signature value uniquely bound to the one-time session key, which is used to prove that the source of the session key is legitimate and that the data is intact and has not been tampered with.

[0050] In one possible implementation, step S440 further includes:

[0051] Step S441: Input the one-time session key as a signature message.

[0052] Step S442: Call the signature function of the FAEST signature algorithm that generates the signature private key to sign the message and obtain the signature value.

[0053] Specifically, the authentication terminal uses the one-time session key generated by its own hash operation as the original, unauthenticated signature message. Under the premise of ensuring data integrity and that it has not been tampered with, the one-time session key is directly passed as an input parameter to the signature operation module corresponding to the FAEST quantum-resistant signature algorithm, providing the raw message data to be processed for subsequent signature calculation using the signature private key.

[0054] The authentication terminal calls the standard signature function of the FAEST quantum-resistant signature algorithm that matches the terminal's signature private key. It uses the input one-time session key as the signature message and the locally stored terminal signature private key as the signature key. Following the operation process specified by the FAEST algorithm, the terminal performs a private key signature operation on the signature message. After nonlinear transformation, encoding and encryption processing within the algorithm, a unique signature value is finally generated. This signature value is used by the subsequent access authentication server to verify the integrity of the message and the identity of the terminal.

[0055] In one possible implementation, step S500 further includes:

[0056] When the main module fails, the terminal reads the backed-up shared secret seed and digital certificate from the EEPROM of multiple slave modules, regenerates the shared secret array and one-time session key according to the first key derivation rule, and re-initiates access authentication with the digital identity of the main module.

[0057] Specifically, when an abnormal operation or failure is detected in the original master module, the authentication terminal reads the pre-backed-up shared secret seed and digital certificate from the EEPROM secure storage areas of multiple redundant slave modules. After obtaining the complete backup data, the terminal re-executes iterative hash and XOR operations according to the preset first key derivation rules to restore the shared secret array and recalculate the one-time session key based on the array. Subsequently, the terminal uses the legitimate digital identity of the original master module to re-initiate the access authentication process to the access authentication server, thereby ensuring that the entire authentication process is uninterrupted and data is not lost in the event of a master module failure, thus improving the system's reliability and fault tolerance.

[0058] In one possible implementation, step S500 further includes:

[0059] The terminal periodically reads the status register of the main module.

[0060] The main module is deemed faulty when the number of consecutive read failures exceeds a preset threshold and / or the main module is detected to be offline, the link is interrupted, or the EEPROM data is unreadable.

[0061] Specifically, during normal system operation, the terminal reads the status register of the main module periodically through the internal communication interface according to a pre-configured fixed time period, and obtains the working status, operating mode and data ready flag of the main module in real time, so as to realize periodic monitoring of the operating status of the main module and fault prediction.

[0062] The terminal maintains its own exception count register in real time. Each time it fails to read the main module status register, it increments the exception count by 1. When the exception count exceeds the pre-configured fault judgment threshold, and / or the hardware link detection mechanism identifies that the main module is offline, the communication link with the main module is broken, or a verification error occurs when performing a read operation on the main module's EEPROM, or the data cannot be read, the terminal immediately determines that the main module has failed and enters the redundancy backup process.

[0063] In one possible implementation, step S500 further includes:

[0064] The terminal establishes a secure channel with the access authentication server.

[0065] The terminal sends a key update request to the access authentication server through the secure channel according to the key update instruction.

[0066] The access authentication server generates a new shared secret seed, protects the new shared secret seed, and sends it to the terminal.

[0067] The terminal writes the received new shared secret seed into the EEPROM of the master module and multiple slave modules, thus updating the shared secret seed.

[0068] Specifically, the terminal and the access authentication server complete identity verification through two-way identity authentication and the FAEST quantum-resistant signature algorithm, and use the negotiated session key to encrypt and protect the integrity of the transmitted data, thereby establishing an end-to-end encrypted secure channel to ensure that sensitive data such as subsequent key updates and authentication messages are not eavesdropped on, tampered with or forged during transmission.

[0069] After receiving a key update command triggered locally or issued by the server, the terminal parses and verifies the validity of the command. After confirming that the key update conditions are met, the terminal assembles its own unique identifier, current certificate serial number, and update request information into plaintext request data. The terminal then encrypts the above data using the session encryption key of the established secure channel and attaches a message signature generated based on the FAEST quantum-resistant signature algorithm. The encrypted and signed key update request is then sent to the access authentication server through the encrypted secure channel.

[0070] After verifying the validity of the terminal's key update request, the access authentication server generates a new, highly secure shared secret seed using a cryptographically secure random number generator. It then uses the session encryption key negotiated through the secure channel to encrypt and protect this new shared secret seed. Simultaneously, the server uses its own private key to sign the ciphertext data using the FAEST quantum-resistant signature algorithm. The encrypted and signed new shared secret seed is then distributed to the terminal through the secure channel, ensuring the seed maintains confidentiality, integrity, and anti-counterfeiting capabilities during transmission.

[0071] After receiving the new shared secret seed ciphertext transmitted via the secure channel, the terminal decrypts it using the session key of the secure channel and verifies the corresponding FAEST signature to ensure that the data is intact and has not been tampered with. After successful verification, the terminal sequentially writes the new shared secret seed into the secure storage area of ​​the master module's EEPROM and writes it into the EEPROM of each slave module through the internal communication bus. After all modules have completed writing and verification, the old shared secret seed is overwritten, completing the secure update and redundant backup of the global shared secret seed.

[0072] In one possible implementation, step S500 further includes:

[0073] The system counts the cumulative number of authentication failures at the terminal. When the cumulative number of authentication failures is greater than or equal to a preset number, a key update command is triggered.

[0074] Specifically, the system records and counts the results of each terminal access authentication in real time, maintains and updates the cumulative authentication failure frequency of the terminal in the local security register, and increments the count by 1 for each authentication failure. When the cumulative authentication failure frequency is greater than or equal to the pre-configured security threshold, the system determines that the current key is at risk of leakage or attack, automatically generates and issues a key update instruction to initiate the subsequent key update process, thereby improving the security of terminal access authentication.

[0075] Example 2 is based on the same inventive concept as the high-availability network access authentication method based on multiple optical modules in the previous examples, such as... Figure 2 As shown, this application provides a high-availability network access authentication system based on multiple optical modules. The system and method embodiments in this application are based on the same inventive concept. The system includes:

[0076] The shared secret seed writing module 10 is used to randomly select one SFP optical module as the master module in a multi-optical module redundancy structure, and use the remaining SFP optical modules as multiple slave modules. The same shared secret seed is written into the EEPROM of the master module and the multiple slave modules respectively. A digital certificate bound to the serial number of the master module is written into the EEPROM of the master module, and the digital certificate of the master module is backed up in the EEPROM of the multiple slave modules respectively.

[0077] The shared secret array generation module 20 is used for the authentication terminal and the access authentication server to perform key derivation according to the first key derivation rule based on the shared secret seed to generate a shared secret array, wherein the shared secret array includes multiple secret values.

[0078] The one-time session key acquisition module 30 is used for the terminal to respond to the access authentication request, randomly generate an index tuple containing multiple indices, extract multiple corresponding secret values ​​from the shared secret array according to the index tuple, perform a hash operation, and obtain a one-time session key.

[0079] The signature value generation module 40 is used to sign the one-time session key with a signature key to generate a signature value, and transmit the index tuple and signature value to the access authentication server via the 802.1X protocol.

[0080] The verification session key acquisition module 50 is used to access the authentication server to extract multiple identical secret values ​​from the local shared secret array based on the index tuple, perform a hash operation to obtain the verification session key, verify the signature value using the public key corresponding to the signature key, and allow the terminal to access the network when the verification is successful.

[0081] Furthermore, the system is also used to implement the following functions:

[0082] A forward iterative hash calculation is performed on the first seed in the shared secret seed to obtain a forward hash value sequence; a reverse iterative hash calculation is performed on the second seed in the shared secret seed to obtain a reverse hash value sequence; and an XOR operation is performed between the hash values ​​at corresponding positions in the forward hash value sequence and the reverse hash value sequence to obtain multiple secret values ​​in the shared secret array.

[0083] Furthermore, the system is also used to implement the following functions:

[0084] Obtain a preset number of random integers from a random number generator, wherein the values ​​of the random integers range from 1 to N, where N is the total number of secret values ​​in the shared secret array and N is a positive integer; combine the random integers in the order of generation to form the index tuple.

[0085] Furthermore, the system is also used to implement the following functions:

[0086] Generate a vendor root key pair and a terminal signature key pair; use the private key in the vendor root key pair to sign the verification public key in the terminal signature key pair; pre-install the public key in the vendor root key pair to the access authentication server, so that the access authentication server can verify the validity of the verification public key in the terminal signature key pair; the terminal uses the signing private key in the terminal signature key pair to sign the one-time session key to obtain a signature value.

[0087] Furthermore, the system is also used to implement the following functions:

[0088] The one-time session key is used as the input for the signature message; the signature function of the FAEST signature algorithm, which generates the signature private key, is called to sign the signature message and obtain the signature value.

[0089] Furthermore, the system is also used to implement the following functions:

[0090] When the main module fails, the terminal reads the backed-up shared secret seed and digital certificate from the EEPROM of multiple slave modules, regenerates the shared secret array and one-time session key according to the first key derivation rule, and re-initiates access authentication with the digital identity of the main module.

[0091] Furthermore, the system is also used to implement the following functions:

[0092] The terminal periodically reads the status register of the main module; when the number of consecutive read failures exceeds a preset threshold and / or the main module is detected to be offline, the link is interrupted, or the EEPROM data is unreadable, the main module is determined to be faulty.

[0093] Furthermore, the system is also used to implement the following functions:

[0094] The terminal establishes a secure channel with the access authentication server; according to the key update instruction, the terminal sends a key update request to the access authentication server through the secure channel; the access authentication server generates a new shared secret seed, protects the new shared secret seed, and sends it to the terminal; the terminal writes the received new shared secret seed into the EEPROM of the main module and multiple slave modules, thus updating the shared secret seed.

[0095] Furthermore, the system is also used to implement the following functions:

[0096] The system counts the cumulative number of authentication failures at the terminal. When the cumulative number of authentication failures is greater than or equal to a preset number, a key update command is triggered.

[0097] It should be noted that the order of the embodiments described above is for descriptive purposes only and does not represent the superiority or inferiority of the embodiments. Specific embodiments of this specification have been described above. Furthermore, the processes depicted in the accompanying drawings do not necessarily require a specific or sequential order to achieve the desired results. In some embodiments, multitasking and parallel processing are possible or may be advantageous.

[0098] The above description is only a preferred embodiment of this application and is not intended to limit this application. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the protection scope of this application.

[0099] This specification and accompanying drawings are merely illustrative examples of this application and are intended to cover any and all modifications, variations, combinations, or equivalents within the scope of this application. Clearly, those skilled in the art can make various alterations and modifications to this application without departing from its scope. Therefore, if such modifications and variations fall within the scope of this application and its equivalents, this application intends to include such modifications and variations.

Claims

1. A high-availability network access authentication method based on multi-optical modules, characterized in that, The method includes: In a multi-optical module redundancy structure, one SFP optical module is randomly selected as the master module, and the remaining SFP optical modules are used as multiple slave modules. The same shared secret seed is written into the EEPROM of the master module and the multiple slave modules respectively. A digital certificate bound to the master module serial number is written into the EEPROM of the master module, and the digital certificate of the master module is backed up in the EEPROM of the multiple slave modules respectively. The authentication terminal and the access authentication server perform key derivation according to the first key derivation rule based on the shared secret seed to generate a shared secret array, wherein the shared secret array includes multiple secret values; The terminal responds to the access authentication request, randomly generates an index tuple containing multiple indices, extracts multiple corresponding secret values ​​from the shared secret array based on the index tuple, performs a hash operation, and obtains a one-time session key; The one-time session key is signed using a signing key to generate a signature value, and the index tuple and signature value are transmitted to the access authentication server via the 802.1X protocol; The access authentication server extracts multiple identical secret values ​​from the local shared secret array based on the index tuple, performs a hash operation to obtain the verification session key, and verifies the signature value using the public key corresponding to the signature key. When the verification is successful, the terminal is allowed to access the network.

2. The high-availability network access authentication method based on multiple optical modules as described in claim 1, characterized in that, The authentication terminal and the access authentication server perform key derivation according to the shared secret seed and the first key derivation rule to generate a shared secret array, wherein the shared secret array includes multiple secret values, including: Perform a forward iterative hash calculation on the first seed in the shared secret seed to obtain a sequence of forward hash values; Perform reverse iterative hash calculation on the second seed in the shared secret seed to obtain a reverse hash value sequence; The forward hash value sequence is XORed with the corresponding hash value in the reverse hash value sequence to obtain multiple secret values ​​in the shared secret array.

3. The high-availability network access authentication method based on multiple optical modules as described in claim 1, characterized in that, The terminal responds to the access authentication request by randomly generating an index tuple containing multiple indexes, including: Obtain a preset number of random integers from a random number generator, wherein the values ​​of the random integers range from 1 to N, where N is the total number of secret values ​​in the shared secret array and N is a positive integer; The plurality of random integers are combined into the index tuple according to the generation order.

4. The high-availability network access authentication method based on multiple optical modules as described in claim 1, characterized in that, The one-time session key is signed using a signing key to generate a signature value, including: Generate the vendor root key pair and the terminal signature key pair; The private key in the manufacturer's root key pair is used to sign the terminal signature key pair using the verification public key. The public key in the vendor root key pair is pre-installed in the access authentication server, so that the access authentication server can verify the validity of the verification public key in the terminal signature key pair; The terminal uses the signing private key in the terminal signing key pair to sign the one-time session key to obtain a signature value.

5. The high-availability network access authentication method based on multiple optical modules as described in claim 4, characterized in that, The terminal uses the signing private key from the terminal signing key pair to sign the one-time session key to obtain a signature value, including: Input the one-time session key as a signature message; Call the signature function of the FAEST signature algorithm that generates the signature private key to sign the message and obtain the signature value.

6. The high-availability network access authentication method based on multiple optical modules as described in claim 1, characterized in that, When the main module fails, the terminal reads the backed-up shared secret seed and digital certificate from the EEPROM of multiple slave modules, regenerates the shared secret array and one-time session key according to the first key derivation rule, and re-initiates access authentication with the digital identity of the main module.

7. The high-availability network access authentication method based on multiple optical modules as described in claim 6, characterized in that, When the main module fails, including: The terminal periodically reads the status register of the main module; The main module is deemed faulty when the number of consecutive read failures exceeds a preset threshold and / or the main module is detected to be offline, the link is interrupted, or the EEPROM data is unreadable.

8. The high-availability network access authentication method based on multiple optical modules as described in claim 1, characterized in that, Also includes: The terminal establishes a secure channel with the access authentication server; The terminal sends a key update request to the access authentication server through the secure channel according to the key update instruction; The access authentication server generates a new shared secret seed, protects the new shared secret seed, and sends it to the terminal. The terminal writes the received new shared secret seed into the EEPROM of the master module and multiple slave modules, thus updating the shared secret seed.

9. The high-availability network access authentication method based on multiple optical modules as described in claim 8, characterized in that, The system counts the cumulative number of authentication failures at the terminal. When the cumulative number of authentication failures is greater than or equal to a preset number, a key update command is triggered.

10. A high-availability network access authentication system based on multi-optical modules, characterized in that: The system is used to implement the high-availability network access authentication method based on multiple optical modules as described in any one of claims 1-9, and the system comprises: The shared secret seed writing module is used to randomly select one SFP optical module as the master module in a multi-optical module redundancy structure, and use the remaining SFP optical modules as multiple slave modules. The same shared secret seed is written into the EEPROM of the master module and the multiple slave modules respectively. A digital certificate bound to the master module serial number is written into the EEPROM of the master module, and the digital certificate of the master module is backed up in the EEPROM of the multiple slave modules respectively. A shared secret array generation module is used for authentication terminals and access authentication servers to perform key derivation according to the shared secret seed and the first key derivation rule to generate a shared secret array, wherein the shared secret array includes multiple secret values; The one-time session key acquisition module is used by the terminal to respond to the access authentication request, randomly generate an index tuple containing multiple indices, extract multiple corresponding secret values ​​from the shared secret array according to the index tuple, perform a hash operation, and obtain a one-time session key; The signature value generation module is used to sign the one-time session key with a signature key to generate a signature value, and transmit the index tuple and signature value to the access authentication server via the 802.1X protocol; The verification session key acquisition module is used to access the authentication server to extract multiple identical secret values ​​from the local shared secret array based on the index tuple, perform a hash operation to obtain the verification session key, verify the signature value using the public key corresponding to the signature key, and allow the terminal to access the network when the verification is successful.