1. No category

Peer-to-peer access control method of triple unit structure

USOO8495712B2
(12) United States Patent
(10) Patent N0.:
Lai et al.
(54)
(45) Date of Patent:
PEER-TO-PEER ACCESS CONTROL
METHOD OF TRIPLE UNIT STRUCTURE
(75) Inventors: Xiaolong Lai, Shaanxi (CN); Jun Cao,
Shaanxi (CN); Manxia Tie, Shaanxi
1399490 A
1426200 A
1539106
1567868
OTHER PUBLICATIONS
Hubert Zimmerman, OSI Reference ModeliThe ISO Model of
Architecture for Open System Interconnection. 1980*
U.S.C. 154(b) by 454 days.
(21)
(22)
(86)
Appl. No .:
12/519,955
PCT Filed:
Jun. 25, 2007
2/2003
6/2003
10/2004
1/2005
(Continued)
(73) Assignee: China IWNCOMM Co., Ltd. (CN)
Subject to any disclaimer, the term of this
patent is extended or adjusted under 35
Jul. 23, 2013
FOREIGN PATENT DOCUMENTS
CN
CN
CN
CN
(CN); Bianling Zhang, Shaanxi (CN)
( * ) Notice:
US 8,495,712 B2
(Continued)
Primary Examiner * KambiZ Zand
Assistant Examiner * Ghodrat Jamshidi
PCT No.:
PCT/CN2007/070171
§ 371 (0)0),
(2), (4) Date:
Jun. 18, 2009
(74) Attorney, Agent, or Firm * Cantor Colburn LLP
(57)
ABSTRACT
This invention relates to a peer-to-peer access control method
(87)
PCT Pub. No.: WO2008/074233
of a triple-unit structure for safely implementing bidirectional
PCT Pub. Date: Jun. 26, 2008
authentication between the terminal and the network. Accord
ing to the method, on the basis of the access control method of
(65)
the existing double-unit triple-entity structure, the authenti
Prior Publication Data
US 2010/0037302 A1
cator function is implemented in the access controller, and the
authentication protocol function is implemented in the termi
Feb. 11,2010
nal and the access controller, so that the terminal, the access
(30)
Foreign Application Priority Data
Dec. 18, 2006
(51)
(52)
Int. Cl.
H04L 29/00
US. Cl.
(2006.01)
and the extension of the number of the access controllers is
Field of Classi?cation Search
inconvenient, but also solves the technical problems of the
existing access control method of the double-unit triple-entity
USPC
structure that the process for establishing the trust relation
USPC
(58)
(CN) ........................ .. 2006 1 0105203
controller and the server all participate in the authentication,
and the trust relationship is established between the terminal
and the access controller directly, which renders security very
reliable. The invention not only solves the technical problems
of the access control method of the existing double-unit
double-entity structure that the access ?exibility is limited
............................................. .. 726/5; 713/155
............................................. .. 726/5; 713/155
See application ?le for complete search history.
ship is complicated and the security of the network may be
in?uenced, thus achieving advantages of high security per
(56)
References Cited
formance, no requirement of changing existing network
structures and relative independency of the authentication
U.S. PATENT DOCUMENTS
7,917,758 B2*
2004/0098612 A1
3/2011
protocol.
Palekar et a1. .............. .. 713/171
10 Claims, 3 Drawing Sheets
5/2004 Lee et al.
Terminal
‘
Access controller
401 Request
402 Response
403 Request
404 Response
A
405 Request
406 Response ‘
407 Success/failure
4. _ _ _ _ _ _ _ _ _ _
Server
US 8,495,712 B2
Page 2
FOREIGN PATENT DOCUMENTS
CN
1708018 A
tions on communications,vol. comi28,No. 4 Apr. 1980 pp. 425
12/2005
432*
Aboba, B., et al., “Extensible Authentication Protocol (EAP)”, Net
work Working Group, The Internet Society, 2004.
International Search Report PCT/CN2007/07017l; Dated Sep. 27,
CN
EP
WO
1765082
1708447
2004015958 A2
4/2006
10/2006
2/2004
WO
2004077742 Al
9/2004
2007‘
OTHER PUBLICATIONS
Hubert Zimerman,OSI Refecence ModeliThe ISO model of
Architecture for Open Systems Interconnection IEE Transac-
* Cited by examiner
US. Patent
Jul. 23, 2013
Sheet 1 013
Fig.1
Terminal
Access controller
Analglfgéifgie?
Peer layer
Autlhentication method layer
iAuthenticator layer
Encapsulationt
layer
'l
: Encapsulation layer
1
Bottom layersL
Bottom layer
US 8,495,712 B2
US. Patent
Jul. 23, 2013
Sheet 2 of3
Terminal
Access controller
US 8,495,712 B2
Server
Authentication
Authentication
method laverl
method layer
Peer layer 5
Authenticator'layer' 1|
Almigy‘gfamr
Encapsulation
Encapsulation layer I
Encapsulation
layer
:
:
Bottom layeiz‘
I
'
Bottoin layer
1
Transmission
layer ;
: Laver
Fig.3
Terminal
‘
Access controller
401 Request
402 Response ‘
V
403 Request
404 Response
‘
405 Request
406 Response
407 Success/failure
4. _ _ - - _ _ _ _ _ _
Fig.4
layer
Transmission
Server
US. Patent
Jul. 23, 2013
Sheet 3 0f3
US 8,495,712 B2
Terminal (corresponding
Access controller (corresponding to
Server (corresponding to
to subject)
authenticator)
authentication server)
Authentication
Authentication metnnd layer
Authentication
method layer:
:- """""""" ' ' 1
method layer
Peer layer I
Encapsulation
iAuthenticator layer 1
I Encapsulation layer I
Peer layer
Encapsulation
layer
;
'
i
Bottom layer
;
'
1
Transmission
Boittom layer
layer
Transmission
layer :
: Layer
Fig .5
ASU E
AE
ASE
601 Authentication
activation packet
602 Access authentication
requeSt paCket
n 603 Certi?cate authentication request
packet
m
V
_
_
605 Access authentication
response packet
604 Certi?cate authentication response
packet
4
A
Fig.6
US 8,495,712 B2
1
2
PEER-TO-PEER ACCESS CONTROL
METHOD OF TRIPLE UNIT STRUCTURE
cation. In this network structure, the terminal and the access
controller both have authentication functions, thus supporting
bidirectional authentication.
This application claims the priority of Chinese Patent
Application No. 2006101052032, ?led on Dec. 18, 2006
with the Chinese Patent Of?ce and titled “Peer-to-Peer
Access Control Method of Triple-unit Structure”, the con
tents of which are incorporated herein by reference in their
However, there is no authentication server in the double
unit double-entity structure, which leads to signi?cantly lim
ited ?exibility. In addition, there are typically a large number
of terminals, and if there is also a large number of access
controllers, the relationship between the terminals and the
access controllers may be many-to-many, and the manage
ment may be very di?icult. Therefore, the structure of this
type is typically used in the case that there is a limited number
of access controllers, and the implementation is very limited.
The network structure of the second type is the double-unit
triple-entity structure as shown in FIG. 3, which includes a
entirety.
FIELD OF THE INVENTION
The present invention relates to a network access control
method, and particularly to a peer-to-peer access control
method of a triple-unit structure.
terminal, an access controller and a server, respectively cor
responding to the ?rst entity, the second entity and the third
entity. Speci?cally, the terminal, corresponding to the ?rst
BACKGROUND OF THE INVENTION
The basic function of a network is to provide various types
of terminals with network services. Although a terminal may
be physically connected to a network, the terminal connected
to the network is not always an authorized legal terminal, and
the network connected by the terminal is not always its
required network. Thus, before the terminal communicates
with the network, the terminal and the network need authen
tication and authorization functions to mutually authenticate
the legality of the peer party therebetween, i.e. bidirectional
access control between the terminal and the network is
required, so as to ensure the security of the communication.
FIG. 1 is a diagram illustrating bidirectional access control
between a terminal and a network. A terminal 1 accesses a
network 4 via an access controller 3, and before the terminal
1 begins to use the resources of the network 4, it is required to
complete access control 2 between the terminal 1 and the
access controller 3, i.e.:
1. The access controller checks whether the terminal 1 has
20
25
authentication function, thus the structure of this type sup
ports bidirectional authentication by using the second entity
30
35
40
45
50
a unit if it does not have the authentication function.
Based on the different number of entities which participate
in the authentication, there are two types of network structure
the trust relationship B. Hence, it is required to relay the trust
relationships three times to complete the establishment of the
trust relationship between the terminal and the access con
troller. However, to relay the trust relationships multiple
for implementing the bi-directional authentication between
55
times may not only lead to complicated authentication but
also in?uence the security of the network, thus should be
avoided.
SUMMARY OF THE INVENTION
The present invention provides a peer-to-peer access con
terminal and an access controller, where the terminal corre
sponds to the ?rst entity and the access controller corresponds
order to avoid this problem, a trust relationship C and a safe
channel have to be established between the access controller
and the server. Upon reception of the key by the access con
troller, the terminal and the access controller have to con?rm
a functional body which may have an authentication function
in the network access authentication. In the network, the
the terminal and the network. RFC3748 Extensible Authen
tication Protocol (EAP) contains description as follows:
The network structure of the ?rst type is the double-unit
double-entity structure as shown in FIG. 2, which includes a
establish a trust relationship B between the terminal and the
access controller, thus a transfer of the trust relationships, i.e.
to transfer from the trust relationship A to the trust relation
ship B, must be carried out safely. The transfer of the trust
relationships is completed by sending a key from the server to
the access controller. However, if the key leaks, the security of
the network may be signi?cantly in?uenced. Therefore, in
cates the network 4.
entity is a unit if it has the authentication function; and it is not
troller is virtual. The authentication is only carried out
between the terminal and the server, and the relationship with
multiple terminals being corresponding to multiple access
controllers is evolved into a relationship with multiple termi
is established between them. But ?nally, it is required to
a legal device to avoid data being intercepted, i.e. authenti
In the authentication, it is required to use the concepts of
entity and unit. Speci?cally, an entity refers to a functional
body which may accomplish a particular function in the net
work structure and can exist independently, and is typically
implemented using an independent device; and a unit refers to
as an intermediate of the third entity.
In the double-unit triple-entity structure, the access con
nals being corresponding to a server, i.e. a trust relationship A
the right of accessing the network 4, i.e. authenticates the
terminal 1; and
2. The terminal 1 checks whether the access controller 3 is
unit, has an authentication credential, an authentication func
tion, and a function for controlling whether to access the
network; the access controller has a function for controlling
the access of the terminal according to the result of the
authentication, and has no authentication function; and the
server, corresponding to the second unit, has an authentica
tion credential and an authentication function. The double
unit triple-entity structure is also called a Pass-through mode.
In this network structure, the terminal and the server both
have authentication functions, but the access controller has no
60
trol method of a triple-unit structure for safely implementing
to the second entity. Speci?cally, the terminal, corresponding
bidirectional authentication between the terminal and the net
to the ?rst unit, has an authentication credential, an authenti
cation function, and a function for controlling whether to
access the network; and the access controller, corresponding
to the second unit, has an authentication credential, an
work, which not only solves the technical problems of the
authentication function, and a function for controlling the
access of the terminal according to the result of the authenti
65
access control method of the existing double-unit double
entity structure that the access ?exibility is limited and the
extension of the number of the access controllers is inconve
nient, but also solves the technical problems of the existing
access control method of the double-unit triple-entity struc
US 8,495,712 B2
3
4
ture that the process for establishing the trust relationship is
complicated and the security of the network may be in?u
enced.
A technical solution of the present invention may include:
the request message and terminating the message interaction,
and notifying, by the authentication method layer of the
authenticator, the bottom layer of the authenticator that the
subject is permitted to access the authenticator; or sending, by
A peer-to-peer access control method of a triple-unit struc
the authentication method layer of the authenticator, a suc
cess message to the authentication method layer of the sub
ture, Which includes:
ing, in an authenticator, an authenticator function; and imple
ject, and notifying, by the authentication method layer of the
subject, the bottom layer of the subject that the subject is
menting, in an authentication server, an authentication server
permitted to access the authenticator.
function:
The request message sent by the authentication method
layer of the authenticator to the authentication method layer
of the subject contains a type ?eld, Which type ?eld is a ?eld
used for indicating a type of the request message; and the
response message sent by the authentication method layer of
the subject to the authentication method layer of the authen
ticator contains a type ?eld, Which type ?eld corresponds to
the type ?eld contained in the request message.
The above method may further includes the folloWing step:
maintaining, as required, the interaction of sending the
request message by the authentication method layer of the
authenticator and responding to the request message by the
authentication method layer of the subject.
implementing, in a subject, a subject function; implement
setting, in the subject, an authentication method layer of
the subject, a peer layer of the subject, an encapsulation layer
of the subject and a bottom layer of the subject; setting, in the
authenticator, an authentication method layer of the authen
ticator, an authenticator layer of the authenticator, an encap
sulation layer of the authenticator, a bottom layer of the
authenticator and a transmission layer of the authenticator;
and setting, in the authentication server, an authentication
method layer of the authentication server, a peer layer of the
authentication server, an encapsulation layer of the authenti
cation server and a transmission layer of the authentication
20
server; and
implementing, in the authentication method layer of the
The subject may be a terminal; the authenticator may be an
subject, a function for carrying out, according to an authen
access controller; and the authentication server may be a
tication credential, authentication, and implementing, in the
bottom layer of the subject, a function for transmitting data
and for controlling, according to a result of the authentication,
Whether the subject accesses the authenticator; implement
ing, in the authentication method layer of the authenticator, a
25
function for carrying out, according to an authentication cre
30
Another technical solution of the present invention
includes:
A peer-to-peer access control method of a triple-unit struc
ture, Which includes:
dential, authentication, and implementing, in the bottom
layer of the authenticator, a function for controlling, accord
ing to a result of the authentication, Whether to permit the
subject to access the authenticator; and implementing, in the
authentication method layer of the authentication server, a
function for carrying out, according to an authentication cre
menting, in an authentication server, an authentication server
function:
35
40
authentication process:
sending, by the authentication method layer of the authen
implementing, in a subject, a subject function; implement
ing, in an authenticator, an authenticator function; and imple
dential, authentication;
implementing, in the subject and the authenticator, an
authentication protocol function:
implementing, in the authentication method layer of the
subject together With the authentication method layer of the
authenticator, the authentication protocol function;
implementing, by the subject and the authenticator, an
server.
45
setting, in the subject, an authentication method layer of
the subject, a peer layer of the subject, an encapsulation layer
of the subject and a bottom layer of the subject; setting, in the
authenticator, an authentication method layer of the authen
ticator, an authenticator layer of the authenticator, an encap
sulation layer of the authenticator, a bottom layer of the
authenticator and a transmission layer of the authenticator;
and setting, in the authentication server, an authentication
method layer of the authentication server, a peer layer of the
authentication server, an encapsulation layer of the authenti
cation server and a transmission layer of the authentication
server; and
implementing, in the authentication method layer of the
ticator, a request message to the authentication method layer
of the subject; and sending, by the authentication method
subject, a function for carrying out, according to an authen
layer of the subject, a response message to the authentication
method layer of the authenticator to respond to a valid request
message; and
tication credential, authentication, and implementing, in the
bottom layer of the subject, a function for transmitting data
and for controlling, according to a result of the authentication,
Whether the subject accesses the authenticator; implement
ing, in the authentication method layer of the authenticator, a
50
implementing, upon termination of the authentication,
access control:
stopping sending, by the authentication method layer of the
authenticator When being unable to authenticate the subject
according to the response message, the request message and
function for carrying out, according to an authentication cre
55
terminating message interaction, and notifying, by the
ing to a result of the authentication, Whether to permit the
subject to access the authenticator; and implementing, in the
authentication method layer of the authentication server, a
function for carrying out, according to an authentication cre
authentication method layer of the authenticator, the bottom
layer of the authenticator that the subject is not permitted to
access the authenticator; or sending, by the authentication
method layer of the authenticator, a failure message to the
60
authentication method layer of the subject, and notifying, by
dential, authentication;
implementing, in the subject, the authenticator and the
the authentication method layer of the subject, the bottom
layer of the subject that the subject is not permitted to access
the authenticator; and
stopping sending, by the authentication method layer of the
dential, authentication, and implementing, in the bottom
layer of the authenticator, a function for controlling, accord
authentication server, an authentication protocol function:
implementing, in the authentication method layer of the
subject together With the authentication method layer of the
authenticator When determining that the authentication is
authenticator and together With the authentication method
layer of the authentication server, the authentication protocol
completed successfully according to the response message,
function;
65
US 8,495,712 B2
6
5
implementing, by the subject, the authenticator and the
The subject may be a terminal; the authenticator may be an
authentication server, an authentication process:
access controller; and the authentication server may be a
sending, by the authentication method layer of the authen
server.
ticator during the message interaction between the authenti
cation method layer of the subject and the authentication
method layer of the authenticator, a request message to the
authentication method layer of the authentication server, and
When implementing the method of the present invention in
the network structure of a speci?c type, the authentication
carried out by the terminal (subject) and the access controller
(authenticator) needs assistance of the server. The terminal
sending, by the authentication method layer of the authenti
can communicate with the access controller and cannot com
municate with the server, while the access controller can
cation server, a response message to the authentication
method layer of the authenticator; and
implementing, upon termination of the authentication,
communicate with the terminal and can also communicate
with the server. The terminal, the access controller and the
access control:
server all participate in the authentication, and the trust rela
tionship is established between the terminal and the access
stopping sending, by the authentication method layer of the
authenticator when being unable to authenticate the subject
according to the response message of the authentication
method layer of the subject or according to the response
message of the authentication method layer of the authenti
controller directly, which renders security very reliable.
In addition, the method of the present invention may be
implemented in a triple-unit structure, but may be compatible
to double-unit double-entity structure. In the case that there is
no authentication server, the implementation of the method of
cation server, the request message and terminating the mes
sage interaction, and notifying, by the authentication method
layer of the authenticator, the bottom layer of the authentica
20
tor that the subject is not permitted to access the authenticator;
or sending, by the authentication method layer of the authen
ticator, the failure message to the authentication method layer
of the subject, and notifying, by the authentication method
layer of the subject, the bottom layer of the subject that the
25
subject is not permitted to access the authenticator; and
stopping sending, by the authentication method layer of the
authenticator when determining that the authentication is
completed successfully according to the response message of
the authentication method layer of the subject or according to
the response message of the authentication method layer of
the authentication server, the request message and terminat
30
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a diagram illustrating bidirectional access control
between a terminal and a network in the prior art;
FIG. 2 is a diagram illustrating a connection relationship of
ing the message interaction, and notifying, by the authentica
tion method layer of the authenticator, the bottom layer of the
authenticator that the subject is permitted to access the
the present invention is totally compatible to the double-unit
double-entity network structure. Therefore, the method of the
present invention may be implemented in both the double
entity and the triple-entity structure, which may have full
adaptability to the existing network structures.
Besides, when implementing the method according to the
present invention, the authentication protocol layer may use
existing authentication protocols, or alternatively new
authentication protocols may be devised.
35
authenticator; or sending, by the authentication method layer
a network access control system of a double-unit double
entity structure in the prior art;
of the authenticator, the success message to the authentication
FIG. 3 is a diagram illustrating a connection relationship of
method layer of the subject, and notifying, by the authentica
tion method layer of the subject, the bottom layer of the
a network access control system of a double-unit triple-entity
subject that the subject is permitted to access the authentica
structure in the prior art;
40
FIG. 4 is a ?owchart illustrating a network peer-to-peer
access control method of the present invention;
FIG. 5 a diagram illustrating a connection relationship of a
triple-unit triple-entity structure in which the network peer
to-peer access control method of the present invention is
45
implemented; and
tor.
The request message sent by the authentication method
layer of the authenticator to the authentication method layer
of the subject contains a type ?eld, which type ?eld is a ?eld
used for indicating a type of the request message; and the
response message sent by the authentication method layer of
the subject to the authentication method layer of the authen
ticator contains a type ?eld, which type ?eld corresponds to
the type ?eld contained in the request message; and the
request message sent by the authentication method layer of
the authenticator to the authentication method layer of the
FIG. 6 is a ?owchart illustrating the method of the present
invention being implemented in a speci?c certi?cate authen
tication process.
50
Speci?cally: literminal, 2iaccess control, 3iaccess
controller, 4inetwork.
DETAILED DESCRIPTION OF THE
EMBODIMENTS
authentication server contains a type ?eld, which type ?eld is
a ?eld used for indicating a type of the request message; and
the response message sent by the authentication method layer
of the authentication server to the authentication method
55
First, the principles of the present invention are described
layer of the authenticator contains a type ?eld, which type
?eld corresponds to the type ?eld contained in the request
as follows: An authentication protocol is a series of steps
carried out by two or more participants to complete an authen
message.
tication. The authentication method layers of the subject, the
The above method may further include the following steps:
maintaining, as required, the interaction of sending the
request message by the authentication method layer of the
authenticator and responding to the request message by the
authentication method layer of the subject; and
maintaining, as required, the interaction of sending the
request message by the authentication method layer of the
authenticator and responding to the request message by the
authentication method layer of the authentication server.
authenticator and the authentication server are the implemen
60
65
tation of the authentication protocol in each of the partici
pants, and they together construct an authentication protocol
layer, so as to complete the authentication protocol function.
In the present invention, the functions of the terminal, the
access controller and the server are adjusted, so that the access
controller has an authentication credential and an authentica
tion function, and the network structure is changed to triple
unit triple-entity. As shown in FIG. 5:
US 8,495,712 B2
8
7
The ?rst entity/the ?rst unit: the terminal, which has an
corresponding protocol of the authentication method is
authentication credential, an authentication function, and a
function for controlling whether to access the network.
implemented in the terminal, the access controller and the
server. The speci?c steps of the method according to the
The second entity/the second unit: the access controller,
present invention are as follows:
401. The access controller sends a request message to the
which has an authentication credential, an authentication
terminal to request starting authentication. The request mes
sage has a type ?eld for indicating the type of the request. The
function, and a function for controlling the access of the
terminal according to the result of the authentication.
The third entity/the third unit: the server, which has an
type may be Identity, MD5-Challenge, etc.;
authentication credential and an authentication function.
402. The terminal sends a response message to the access
controller to respond to the valid request message. The
response message contains a type ?eld, which corresponds to
the type ?eld contained in the request message;
403. According to various authentication methods, the
In this structure, the authentication carried out by the ter
minal (subject) and the access controller (authenticator)
needs assistance of the server (authentication server). The
terminal can communicate with the access controller and
cannot communicate with the server, while the access con
troller can communicate with the terminal and can also com
municate with the server. The terminal, the access controller
and the server all participate in the authentication, and the
trust relationship is established between the terminal and the
access controller directly, which renders security very reli
able.
access controller sends a request message to the server if
required;
404. The server sends a response message to the access
controller. The sequence of the request message and the
response message may be maintained for a required length;
405-406. The access controller sends a request message to
20
If only the subject and the authenticator is required to
participate in the authentication protocol, the authentication
method layer of the subject together with the authentication
layer of the authenticator construct the authentication proto
col layer, and complete the authentication protocol function
together. If the server is required to participate in the authen
tication carried out by the subject and the authenticator, the
authentication method layer of the subject together with the
authentication layer of the authenticator and together with the
25
authentication layer of the authentication server construct the
30
the terminal, and the terminal sends a response message to the
access controller, where the sequence of the request message
and the response message may maintain interaction as
required. Of course, according to various authentication
methods, the terminal may possibly not respond to the request
message sent by the access controller.
407. The session is maintained until the access controller
cannot authenticate the terminal. The access controller may
stop sending the request message and terminate the message
interaction, and the access controller may send a failure mes
tion protocol function together. They three may run the same
sage to the terminal and the access controller does not permit
the terminal to access the access controller; or alternatively,
the access controller may determine that a successful authen
authentication protocol. Alternatively, different authentica
tication has been completed, and the access controller may
authentication protocol layer, and complete the authentica
tion protocols may be run between any two of them. However
there is essentially an association in the messages between
those two of them, so that to achieve the same object, i.e. to
stop sending the request message and terminate the message
35
and the access controller permits the terminal to access the
access controller. At this time, the access control between the
terminal and the access controller is completed.
complete the authentication between the subject and the
authenticator.
In the art, the concepts of the bottom layer, the transmission
layer, the encapsulation layer, the peer layer, the authenticator
40
layer and the authentication method layer are as follows:
The bottom layer and the transmission layer: the bottom
layer and the transmission layer are responsible for transmit
In FIG. 6, the ASUE refers to the Authentication Suppli
45
50
implements repeated-frame detection and retransmission,
authenticator layer.
The peer layer and the authenticator layer: the encapsula
Speci?cally:
55
method layer implements an authentication algorithm, and
transmits messages via the peer layer and the authenticator
layer.
601. The AE sends a request message to the ASUE;
602. The ASUE sends a response message to the AE;
603. The AE sends a request message to the ASE;
604. The ASE sends a response message to the AE; and
605. The AE sends a request message to the ASUE; the
ASUE receives the request message, and does not need to
send a response message; and the AE stops sending mes sages.
For the de?nitions of the speci?c ?elds contained in the
FIG. 4 is a ?owchart illustrating a network peer-to-peer
access control method of the present invention. Speci?cally, a
subject function is implemented in the subject, an authenti
i.e. the server, which implements the authentication server
function. The authentication method described in this stan
dard needs to be implemented in all the ASUE, the AE and the
ASE, which complies with and thus may be implemented in
the model of the method according to the present invention.
and transmits messages between the peer layer and the
tion layer parses the TEAP data frames and transmits them to
the peer layer or the authenticator layer. The peer layer and the
authenticator layer parse the received data packets and trans
mit them to the peer layer or the authenticator layer.
The authentication method layer: the authentication
cant Entity, i.e. the terminal, which implements the subject
function; the AE refers to the Authenticator Entity, i.e. the
access controller, which implements the authenticator func
tion; and the ASE refers to the Authentication Service Entity,
of the adjacent bottom layer.
The encapsulation layer: the encapsulation layer transmits
and receives the TEAP data packets via the bottom layer,
An embodiment of the present invention is implemented in
the model of the authentication method de?ned in the national
standard GB 1 5629.1 l-2003/XG1 -2006. The certi?cate
authentication process described in this standard is as shown
in FIG. 6, and speci?cally includes the following:
ting and receiving Triple-unit Extensible Authentication Pro
tocol (TEAP) data frames between the peer and the authen
ticator. The transmission layer is a logic concept, which
means that this layer may be of a technique different from that
interaction, or may send a success message to the terminal
message, reference can be made to the de?nitions in the
national standard GB 1 5629.1 l-2003/XG1 -2006.
65
Another embodiment of the present invention may be
cator function is implemented in the authenticator, an authen
implemented in the Otway-Rees protocol, referring to Otway,
tication server function is implemented in the server; and a
D. and Ress, 0., “Ef?cient and timely mutual authentication”
US 8,495,712 B2
9
10
ACE OSR, Vol. 21, No. 1, pp. 8-10, January 1987. This
protocol is used for identity authentication, and cannot be
used in conventional network structures. Speci?c steps with
the method of the present invention cooperating with this
departing from the substance and scope of the present inven
tion are all encompassed within the scope of the present
invention. Therefore, the scope of the present invention is
de?ned by the appended claims.
What is claimed is:
1. A peer-to-peer access control method of a triple-unit
protocol are as follows:
The participants include Alice, Bob and Trent.
1] Bob sends a request message to request starting authen
structure, comprising:
implementing, in a subject, a subject function; implement
tication;
2] Alice generates a piece of message, which includes an
index number, her identity, Bob’ s identity and a random num
ing, in an authenticator, an authenticator function; and
implementing, in an authentication server, an authenti
cation server function:
ber, and encrypts this piece of message using the shared key
of her and Trent, and then sends the ciphertext together with
setting, in the subject, an authentication method layer of
the subject, a peer layer of the subject, an encapsulation
layer of the subject and a bottom layer of the subject;
setting, in the authenticator, an authentication method
layer of the authenticator, an authenticator layer of the
authenticator, an encapsulation layer of the authentica
the index number, the identities of Alice and Bob to Bob;
3] Bob generates a piece of message, which includes a new
random number, an index number, the identities of Alice and
Bob, and encrypts this piece of message using the shared key
of him and Trent, and then sends the ciphertext together with
the ciphertext ofAlice, the index number, and the identities of
Alice and Bob to Trent;
4] Trent generates a random session key, and then generates
two pieces of messages. The ?rst piece of message is to
encrypt the random number ofAlice and the session key using
the shared key of him andAlice. The second piece of message
is to encrypt the random number of Bob and the session key
using the shared key of him and Bob. Finally, Trent sends the
two pieces of messages together with the index numbers to
tor, a bottom layer of the authenticator and a transmis
sion layer of the authenticator; and setting, in the authen
20
tication server, an authentication method layer of the
authentication server, a peer layer of the authentication
server, an encapsulation layer of the authentication
server and a transmission layer of the authentication
server; and
25
implementing, in the authentication method layer of the
subject, a function for carrying out, according to an
authentication credential, authentication, and imple
Bob;
5] Bob sends the piece of message belonging to Alice as
well as the index number to Alice; and
6] If all the random numbers are matched and the index
30
number is not changed during the communication process,
the authentication succeeds.
It can be seen that Alice, Bob and Trent respectively imple
ment the subject, the authenticator and the authentication
server functions, and this authentication protocol can be
35
implemented in the method of the present invention.
To sum up, when implementing the method of the present
invention in the network structure of a speci?c type, the
authentication carried out by the terminal (subject) and the
access controller (authenticator) needs assistance of the
menting, in the bottom layer of the subject, a function for
transmitting data and for controlling, according to a
result of the authentication, whether the subject accesses
the authenticator; implementing, in the authentication
method layer of the authenticator, a function for carrying
out, according to an authentication credential, authenti
cation, and implementing, in the bottom layer of the
authenticator, a function for controlling, according to a
result of the authentication, whether to permit the sub
ject to access the authenticator; and implementing, in the
authentication method layer of the authentication server,
a function for carrying out, according to an authentica
40
tion credential, authentication;
implementing an authentication protocol function, com
server. The terminal can communicate with the access con
troller and cannot communicate with the server, while the
prising:
access controller can communicate with the terminal and can
implementing, in the authentication method layer of the
subject together with the authentication method layer
also communicate with the server. The terminal, the access
controller and the server all participate in the authentication,
and the trust relationship is established between the terminal
and the access controller directly, which renders security very
reliable.
In addition, the method of the present invention may be
implemented in a triple-unit structure, but may be compatible
to double-unit double-entity structure. With comparison with
45
authentication protocol function;
implementing an authentication process, comprising:
sending, by the authentication method layer of the
50
Besides, when implementing the method according to the
present invention, the authentication protocol layer may use
existing authentication protocols, or alternatively new
authentication protocols may be devised.
authentication method layer of the subject, a response
message to the authentication method layer of the
authenticator to respond to a valid request message;
55
invention are not limited to those above. Various variations
and modi?cations devised by those skilled in the art without
sending, by the authentication method layer of the
authenticator, a request message to the authentication
method layer of the authentication server, and send
ing, by the authentication method layer of the authen
tication server, a response message to the authentica
60
The above embodiments are employed to describe and
explain the principles of the present invention. It can be
understood that the speci?c embodiments of the present
authenticator, a request message to the authentication
method layer of the subject; and sending, by the
FIGS. 2 and 5, it is known that in the case that there is no
authentication server, the implementation of the method of
the present invention is totally compatible to the double-unit
double-entity network structure. Therefore, the method of the
present invention may be implemented in both the double
entity and the triple-entity structure, which may have full
adaptability to the existing network structures.
of the authenticator and together with the authentica
tion method layer of the authentication server, the
65
tion method layer of the authenticator, so that the
authentication server authenticates the authenticator;
and
authenticating the authentication server by the subject
through the message interaction between the subject
and the authenticator together with the message inter
action between the authenticator and the authentica
tion server; and
US 8,495,712 B2
11
12
tion method layer of the authenticator contains a type ?eld,
which type ?eld corresponds to the type ?eld contained in the
request message; and the request message sent by the authen
tication method layer of the authenticator to the authentica
implementing, upon termination of the authentication,
access control, comprising:
carrying out at least one of following steps: stopping the
sending the request message and terminating mes sage
interaction, by the authentication method layer of the
tion method layer of the authentication server contains a type
?eld, which type ?eld is a ?eld used for indicating a type of
the request message; and the response message sent by the
authentication method layer of the authentication server to
authenticator when being unable to authenticate the
subject according to at least one of the response mes
sage of the authentication method layer of the subject
and the response message of the authentication
the authentication method layer of the authenticator contains
a type ?eld, which type ?eld corresponds to the type ?eld
contained in the request message.
method layer of the authentication server, and notify
ing, by the authentication method layer of the authen
ticator, the bottom layer of the authenticator that the
subject is not permitted to access the authenticator;
and sending, by the authentication method layer of the
authenticator, a failure message to the authentication
5. The peer-to-peer access control method of a triple-unit
5
method layer of the subject, and notifying, by the
authentication method layer of the subject, the bottom
layer of the subject that the subject is not permitted to
access the authenticator; and
carrying out at least one of following steps: stopping the
sending the request message and terminating the mes
sage interaction, by the authentication method layer
server.
of the authenticator when determining that the
authentication is completed successfully according to
at least one of the response message of the authenti
cation method layer of the subject and the response
message of the authentication method layer of the
authentication server, and notifying, by the authenti
cation method layer of the authenticator, the bottom
layer of the authenticator that the subject is permitted
to access the authenticator; and sending, by the
authentication method layer of the authenticator, a
25
subject that the subject is permitted to access the
authenticator.
2. The peer-to-peer access control method of a triple-unit
structure according to claim 1, wherein the request message
sent by the authentication method layer of the authenticator to
the authentication method layer of the subject contains a type
?eld, which type ?eld is a ?eld used for indicating a type of
the request message; and the response message sent by the
authentication method layer of the subject to the authentica
tion method layer of the authenticator contains a type ?eld,
which type ?eld corresponds to the type ?eld contained in the
request message.
7. The peer-to-peer access control method of a triple-unit
30
40
structure according to claim 4, further comprising:
maintaining, as required, the interaction of sending the
request message by the authentication method layer of
the authenticator and responding to the request message
by the authentication method layer of the subject; and
maintaining, as required, the interaction of sending the
request message by the authentication method layer of
the authenticator and responding to the request message
by the authentication method layer of the authentication
server.
45
9. The peer-to-peer access control method of a triple-unit
structure according to claim 1, wherein the subject is a termi
nal; the authenticator is an access controller; and the authen
tication server is a server.
10. The peer-to-peer access control method of a triple-unit
50
structure according to claim 1, wherein the subject is capable
of communicating authentication protocol with the authenti
cator and is not capable of communicating authentication
protocol with the authentication server, while the authentica
4. The peer-to-peer access control method of a triple-unit
structure according to claim 1, wherein the request message
sent by the authentication method layer of the authenticator to
the authentication method layer of the subject contains a type
?eld, which type ?eld is a ?eld used for indicating a type of
the request message; and the response message sent by the
authentication method layer of the subject to the authentica
structure according to claim 2, further comprising:
maintaining, as required, the interaction of sending the
request message by the authentication method layer of
the authenticator and responding to the request message
by the authentication method layer of the subject.
8. The peer-to-peer access control method of a triple-unit
35
3. The peer-to-peer access control method of a triple-unit
structure according to claim 1, further comprising:
maintaining, as required, the interaction of sending the
request message by the authentication method layer of
the authenticator and responding to the request message
by the authentication method layer of the subject.
6. The peer-to-peer access control method of a triple-unit
structure according to claim 1, wherein the subject is a termi
nal; the authenticator is an access controller; and the authen
tication server is a server.
success mes sage to the authentication method layer of
the subject, and notifying, by the authentication
method layer of the subject, the bottom layer of the
structure according to claim 1, further comprising:
maintaining, as required, the interaction of sending the
request message by the authentication method layer of
the authenticator and responding to the request message
by the authentication method layer of the subject; and
maintaining, as required, the interaction of sending the
request message by the authentication method layer of
the authenticator and responding to the request message
by the authentication method layer of the authentication
55
tor is capable of communicating authentication protocol with
the subject and is also capable of communicating authentica
tion protocol with the authentication server; the subject, the
authenticator and the authentication server all participate in
the authentication, and a trust relationship is established
between the subject and the authenticator directly.
*
*
*
*
*
UNITED STATES PATENT AND TRADEMARK OFFICE
CERTIFICATE OF CORRECTION
PATENT No.
: 8,495,712 B2
APPLICATION NO.
: 12/519955
DATED
INVENTOR(S)
: July 23, 2013
: Xiaolong Lai et a1.
Page 1 of 1
It is certified that error appears in the above-identi?ed patent and that said Letters Patent is hereby corrected as shown below:
On the Title Page:
The first or sole Notice should read -
Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b)
by 581 days.
Signed and Sealed this
Sixth Day of May, 2014
WMZ44L_
Michelle K. Lee
Deputy Director 0fthe United States Patent and Trademark O?ice

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz