WO2011069355A1 - Network transmission method adapted for tri-element peer authentication trusted network connection architecture - Google Patents

Info

Publication number
WO2011069355A1
Authority
WO (WIPO, PCT)
Prior art keywords
authentication, taep, access controller, requester, type
Application number
PCT/CN2010/073133
Other languages
French (fr), Chinese (zh)
Inventors
肖跃雷, 曹军, 黄振海, 铁满霞, 葛莉
Original assignee
西安西电捷通无线网络通信股份有限公司

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/16  Implementing security features at a particular protocol layer
    • H04L 63/162  Implementing security features at a particular protocol layer at the data link layer

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a network transmission method for a ternary peer-to-peer authentication trusted network connection architecture.
  • with the development of information technology, malware such as viruses and worms has become a prominent problem: more than 35,000 kinds of malware have been reported, more than 40 million computers are infected every year, and traditional security defence technologies can no longer defend against such a wide variety of malicious attacks.
  • TCG-TNC Trusted Computing Group
  • TCG-TNC Trusted Network Connect
  • TCG-TNC architecture: since the policy enforcement point in the TCG-TNC architecture sits at the edge of the network, and the access requester does not perform platform authentication of the policy enforcement point, the architecture has the problem that the policy enforcement point cannot be trusted. To solve this problem, a TNC architecture based on Tri-element Peer Authentication (TePA) was proposed. See Figure 2 for the TePA-based TNC architecture.
  • TePA Tri-element Peer Authentication
  • EAP Extensible Authentication Protocol
  • the Extensible Authentication Protocol is an authentication framework that is used for point-to-point authentication and supports multiple authentication mechanisms. EAP does not specify the authentication method during the link control phase, but defers that decision to the authentication phase. This allows the authenticator to request more information before deciding which authentication method to use. The mechanism allows a "back-end" authentication server to actually carry out the authentication mechanism, while the authenticator merely relays the authentication exchange.
  • EAP is only an authentication framework suited to point-to-point authentication protocols
  • EAP is therefore not suitable for implementing three-party authentication protocols such as the tri-element peer authentication protocol, in which the two authenticating parties achieve mutual authentication by relying on a trusted third party.
  • an authentication framework suited to three-party authentication protocols, the Tri-element Authentication Extensible Protocol (TAEP), was proposed; the TAEP packet format is similar to the EAP packet format, but the layered model of TAEP differs from that of EAP.
  • the format of the TAEP packet is as follows (Code, Identifier, Length and Data fields):
  • the Code field is 1 octet long and indicates the type of TAEP packet: 1 Request, 2 Response, 3 Success, 4 Failure;
  • the Identifier field is 1 octet long and is used to match Request and Response packets;
  • the Length field is 2 octets long and gives the total number of octets in the entire TAEP packet, that is, the sum of the lengths of all fields including Code, Identifier, Length and Data;
  • the Data field is of variable length and contains zero or more octets, whose format is determined by the value of the Code field. If the Code field is Request or Response, the Data field contains a Type field and a Type-Data field, where the Type field may be Identity, TP Authentication, and so on. If the Code field is Success or Failure, the Data field is absent.
  • 1) the authentication access controller sends a Request packet to the requester asking it to begin authentication; the Request has a Type field indicating the type of request, and here the Type field is Identity, meaning identity;
  • 2) the requester sends a Response packet to the authentication access controller in reply to a valid Request; the Response packet contains a Type field corresponding to the Type field in the Request packet, and its Type-Data field contains the identity of the peer;
  • 3) the authentication access controller sends a Request packet to the authentication server; the Request has a Type field indicating the type of request, and here Type is TP Authentication, used to request the authentication method type from the authentication server;
  • 4) the authentication server sends a Response packet to the authentication access controller; the Response packet contains a Type field corresponding to the Type field in the Request packet;
  • 5) the authentication access controller selects an authentication method according to the authentication method type returned by the authentication server and begins the authentication process: it sends a Request packet to the requester, the requester answers with a Response packet to the authentication access controller, and the sequence of Requests and Responses continues as long as needed; likewise the authentication access controller sends Request packets to the authentication server and the authentication server answers the authentication access controller with Response packets, for as long as needed;
  • the authentication access controller is responsible for retransmitting Request packets;
  • when the authentication method is fixed, or the authentication method and identity are determined by other means, steps 3) and 4) above may be performed selectively.
  • in the TePA-based TNC architecture, the network access control layer carries, besides the user authentication protocol data, the platform authentication protocol data of the two layers above it, and that platform authentication protocol data must be transmitted between the access requester and the access controller through a secure tunnel; the Tri-element Authentication Extensible Protocol on its own therefore cannot accomplish the network transmission of the TePA-based TNC architecture.
  • Embodiments of the present invention provide a network transmission method suitable for a ternary peer-to-peer authentication trusted network connection architecture to implement network transmission based on a TePA-based TNC architecture.
  • the embodiment of the invention provides a network transmission method suitable for a ternary peer-to-peer authentication trusted network connection architecture, the method comprising:
  • 1.1) the authentication access controller uses TAEP Request and Response packets to obtain the requester's TAEP authentication method identity;
  • 2) after step 1), the requester, the authentication access controller and the authentication server perform a TAEP tunnel authentication method;
  • 2.1) the requester and the authentication access controller perform a tunnel method to establish a secure tunnel between the requester and the authentication access controller;
  • 2.2) the requester, the authentication access controller and the authentication server perform an inner TAEP authentication method inside the secure tunnel established in step 2.1).
  • if a session key between the requester and the authentication access controller was established in step 1), then after the authentication process ends the data between the requester and the authentication access controller can be protected using that session key, or using both the session key and the secure tunnel established in step 2); if no session key between the requester and the authentication access controller was established in step 1), then after the authentication process ends the data between them can be protected using the secure tunnel established in step 2).
  • the TAEP authentication method and the inner TAEP authentication method adopted by the embodiments of the present invention are both extensible authentication frameworks, which enhances scalability and applicability;
  • the TAEP authentication method used in the embodiment of the present invention is transmitted before the establishment of the security tunnel, and the internal TAEP authentication method is transmitted after the security tunnel is established, so that the method has good forward compatibility.
  • the intra-TAEP authentication method message is transmitted in the secure tunnel, thereby enhancing security.
  • FIG. 1 is a schematic diagram of a TCG-TNC architecture in the prior art
  • FIG. 3 is a diagram of a TAEP multiplexing model in the prior art
  • FIG. 4 is a hierarchical diagram of a tunnel TAEP encapsulation in an embodiment of the present invention.
  • the specific implementation steps of the network transmission method suitable for the tri-element peer authentication trusted network connection architecture in the embodiment of the present invention are as follows:
  • 1) the requester, the authentication access controller and the authentication server perform a TAEP authentication method, for example a user authentication protocol; the TAEP authentication method may also establish a session key between the requester and the authentication access controller;
  • 1.1) the authentication access controller uses TAEP Request and Response packets to obtain the requester's TAEP authentication method identity, for example the requester's user identity;
  • 1.1.1) the authentication access controller sends a TAEP Request packet to the requester in which the value of the Type field is Identity;
  • 1.1.2) the requester sends a TAEP Response packet to the authentication access controller in which the Type field corresponds to the Type field of the TAEP Request packet of step 1.1.1) and the Type-Data field contains the requester's TAEP authentication method identity, for example the requester's user identity;
  • 1.2) the authentication access controller uses TAEP Request and Response packets to obtain the TAEP authentication method type from the authentication server, for example the user authentication method type;
  • 1.2.1) the authentication access controller sends a TAEP Request packet to the authentication server in which the value of the Type field is TP Authentication and the Type-Data field contains the TAEP authentication method identities of the requester and of the authentication access controller, for example the user identities of the requester and of the access controller;
  • 1.2.2) the authentication server sends a TAEP Response packet to the authentication access controller in which the Type field corresponds to the Type field of the TAEP Request packet of step 1.2.1) and the Type-Data field contains the TAEP authentication method type, for example the user authentication protocol type;
  • 1.3) the authentication access controller selects a TAEP authentication method and performs it with the requester and the authentication server, for example a user authentication protocol;
  • 1.3.1) the authentication access controller and the requester, and the authentication access controller and the authentication server, exchange a series of TAEP Request and Response packets in which the Type field is the TAEP authentication method type selected by the authentication access controller in step 1.3) and the Type-Data field contains the TAEP authentication method message corresponding to the value of the Type field, for example a user authentication protocol message;
  • if a TAEP tunnel authentication method needs to be performed after step 1.3), step 2) is performed; otherwise step 1.4) is performed;
  • 1.4) the authentication access controller ends the authentication process with a TAEP Success packet or Failure packet;
  • 1.4.1) if the authentication access controller successfully authenticates the requester during the TAEP authentication method of step 1.3.1), for example successfully authenticates the requester's user identity, it sends a TAEP Success packet to the requester;
  • 1.4.2) if the authentication access controller fails to authenticate the requester during the TAEP authentication method of step 1.3.1), for example cannot successfully authenticate the requester's user identity, it sends a TAEP Failure packet to the requester.
  • 2) the requester, the authentication access controller and the authentication server perform the TAEP tunnel authentication method;
  • 2.1) the requester and the authentication access controller perform a tunnel method to establish a secure tunnel between them, for example the Transport Layer Security (TLS) protocol. Since mutual user authentication between the requester and the authentication access controller has already been achieved in step 1), a fully anonymous mode of the TLS protocol may be used to establish the secure tunnel between the requester and the authentication access controller;
  • the authentication access controller sends a TAEP Request packet to the requester in which the value of the Type field is the TAEP tunnel authentication method type and the value of the Type-Data field is the TAEP tunnel authentication method start flag, Start;
  • the requester and the authentication access controller exchange a series of TAEP Request and Response packets in which the value of the Type field is the TAEP tunnel authentication method type of step 2.2.1) and the value of the Type-Data field is the tunnel method message corresponding to that Type, for example a TLS protocol message, until the secure tunnel between the requester and the authentication access controller is established;
  • 2.2) the requester, the authentication access controller and the authentication server perform the inner TAEP authentication method inside the secure tunnel established in step 2.1), for example using the TLS record protocol to transmit the inner TAEP authentication method messages securely;
  • 2.2.1) the authentication access controller uses TAEP Request and Response packets to obtain the requester's inner TAEP authentication method identity, for example the requester's platform identity;
  • 2.2.1.1) the authentication access controller sends a TAEP Request packet to the requester in which the value of the Type field is the TAEP tunnel authentication method type of step 2.2.1) and the value of the Type-Data field is an inner TAEP authentication method packet protected by the secure tunnel established in step 2.1); in that inner TAEP authentication method packet the value of the Code field is Request and the value of the Type field is Identity;
  • the requester sends a TAEP Response packet to the authentication access controller in which the Type field corresponds to the Type field of the TAEP Request packet of step 2.2.1.1) and the value of the Type-Data field is an inner TAEP authentication method packet protected by the secure tunnel established in step 2.1); in that inner TAEP authentication method packet the value of the Code field is Response, the Type field corresponds to the Type field of the inner TAEP authentication method Request packet of step 2.2.1.1), and the Type-Data field contains the requester's inner TAEP authentication method identity, for example the requester's platform identity;
  • 2.2.2) the authentication access controller uses TAEP Request and Response packets to obtain the inner TAEP authentication method type from the authentication server, for example the platform authentication protocol type;
  • 2.2.2.1) the authentication access controller sends a TAEP Request packet to the authentication server in which the value of the Type field is TP Authentication and the Type-Data field contains the inner TAEP authentication method identities of the requester and of the authentication access controller, for example the platform identities of the requester and of the authentication access controller;
  • the authentication server sends a TAEP Response packet to the authentication access controller in which the Type field corresponds to the Type field of the TAEP Request packet of step 2.2.2.1) and the Type-Data field contains the inner TAEP authentication method type, for example the platform authentication protocol type;
  • 2.2.3) the authentication access controller selects an inner TAEP authentication method and performs it with the requester and the authentication server, for example a platform authentication protocol;
  • 2.2.3.1) the authentication access controller and the requester, and the authentication access controller and the authentication server, exchange a series of TAEP Request and Response packets until the inner TAEP authentication method is completed; in the TAEP Request and Response packets exchanged between the authentication access controller and the requester, the value of the Type field is the TAEP tunnel authentication method type of step 2.2.1) and the value of the Type-Data field is an inner TAEP authentication method packet;
  • in that inner TAEP authentication method packet the value of the Type field is the inner TAEP authentication method type selected by the authentication access controller in step 2.2.3), and the Type-Data field contains the inner TAEP authentication method message corresponding to that Type, for example a platform authentication protocol message;
  • 2.2.4) the authentication access controller ends the authentication process with a TAEP Success packet or Failure packet;
  • 2.2.4.1) if the authentication access controller successfully authenticates the requester during the inner TAEP authentication method of step 2.2.3.1), for example successfully authenticates the requester's platform (including platform identity and platform integrity), it sends a TAEP Success packet to the requester;
  • 2.2.4.2) if the authentication access controller cannot successfully authenticate the requester during the inner TAEP authentication method of step 2.2.3.1), for example cannot successfully authenticate the requester's platform (including platform identity and platform integrity), it sends a TAEP Failure packet to the requester.
  • the authentication access controller may also use TAEP Request and Response packets to obtain auxiliary data for the inner TAEP authentication method from the authentication server, for example platform authentication protocol policy information (including platform protection policies and platform evaluation policies).
  • if a session key between the requester and the authentication access controller was established in step 1), then after the authentication process ends the data between the requester and the authentication access controller can be protected using that session key, or using both the session key and the secure tunnel established in step 2), for example by combining the session key with the secure tunnel of step 2) through an exclusive-OR operation; if no session key between the requester and the authentication access controller was established in step 1), then after the authentication process ends the data between them can be protected using the secure tunnel established in step 2).
  • the access requester, the access controller and the policy manager of the TePA-based TNC architecture correspond respectively to the requester, the authentication access controller and the authentication server in the solution of the embodiment of the present invention.
  • when the access requester and the access controller compute a platform signature, for example an Attestation Identity Key (AIK) signature, then if a session key has been established between the access requester and the access controller, the platform signature needs to be bound to the session key between the access requester and the access controller and to the secure tunnel established by the tunnel method of the TAEP tunnel authentication method; if no session key has been established between the access requester and the access controller, the platform signature needs to be bound to a secret value that can authenticate the identity of the other party and to the secure tunnel established by the tunnel method of the TAEP tunnel authentication method.
  • AIK Attestation Identity Key

Abstract

A network transmission method adapted for a tri-element peer authentication trusted network connection architecture is provided. The method includes: 1) a requester, an authentication access controller and an authentication server execute a Tri-element Authentication Extensible Protocol (TAEP) authentication method, which includes: 1.1) the authentication access controller obtains the TAEP authentication method identity of the requester using the Request packets and the Response packets of TAEP; 1.2) the authentication access controller obtains the TAEP authentication method type from the authentication server using the Request packets and the Response packets of TAEP; 1.3) the authentication access controller selects a TAEP authentication method and executes a TAEP authentication method process with the requester and the authentication server; 1.4) the authentication access controller finishes the authentication process using the Success packets or the Failure packets of TAEP. The TAEP authentication method and the inner TAEP authentication method adopted by the embodiments of the invention are both extensible authentication architectures, thus enhancing extensibility, applicability and security and giving good forward compatibility.

Description

Network transmission method suitable for a tri-element peer authentication trusted network connection architecture
This application claims priority to Chinese patent application No. 200910311270.3, filed with the Chinese Patent Office on 11 December 2009 and entitled "Network transmission method suitable for a tri-element peer authentication trusted network connection architecture", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of communications technology, and in particular to a network transmission method suitable for a tri-element peer authentication trusted network connection architecture.
Background art
With the development of information technology, the problem of malware such as viruses and worms has become extremely prominent. More than 35,000 kinds of malware have already appeared, and more than 40 million computers are infected every year. Containing such attacks requires not only secure transmission and checks at data entry, but also defence at the source, that is, at every terminal connected to the network. Traditional security defence technology can no longer defend against such a wide variety of malicious attacks.
To address this problem, the Trusted Computing Group (TCG) has specifically drawn up a network connection specification based on trusted computing technology, Trusted Network Connect (TNC), abbreviated TCG-TNC, which includes an open terminal integrity architecture and a set of standards for ensuring secure interoperation. The TCG-TNC architecture is shown in Figure 1.
Because the policy enforcement point in the TCG-TNC architecture sits at the edge of the network, and the access requester does not perform platform authentication of the policy enforcement point, the architecture has the problem that the policy enforcement point cannot be trusted. To solve this problem, a TNC architecture based on Tri-element Peer Authentication (TePA) was proposed. The TePA-based TNC architecture is shown in Figure 2.
The Extensible Authentication Protocol (EAP) is an authentication framework; it is used for point-to-point authentication and can support multiple authentication mechanisms. EAP does not specify the authentication method during the link control phase, but defers that decision to the authentication phase. This allows the authenticator to request more information before deciding which authentication method to use. The mechanism allows a "back-end" authentication server to actually carry out the authentication mechanism, while the authenticator merely relays the authentication exchange.
Because EAP is only an authentication framework suited to point-to-point authentication protocols, EAP is not suitable for implementing three-party authentication protocols such as the tri-element peer authentication protocol, in which the two authenticating parties achieve mutual authentication by relying on a trusted third party. To meet the needs of three-party authentication protocols, an authentication framework suited to them, the Tri-element Authentication Extensible Protocol (TAEP), was proposed. The TAEP packet format is similar to the EAP packet format, but the layered model of TAEP differs from that of EAP.
The TAEP packet format is as follows:
Figure imgf000004_0001 (TAEP packet format)
The meaning of each field is as follows:
Code: 1 octet, indicating the type of TAEP packet:
1 Request
2 Response
3 Success
4 Failure
Identifier: 1 octet, used to match Request and Response packets.
Length: 2 octets, the number of octets in the entire TAEP packet, that is, the total length of all fields including Code, Identifier, Length and Data.
Data: variable length; the packet contains zero or more octets, whose format is determined by the value of the Code field. If the Code field is Request or Response, the Data field contains a Type field and a Type-Data field, where the Type field may be Identity, TP Authentication, and so on. If the Code field is Success or Failure, the Data field is absent.
The TAEP multiplexing model is shown in Figure 3:
Based on this model, the TAEP message exchange proceeds as follows:
1) The authentication access controller sends a Request packet to the requester asking it to begin authentication; the Request has a Type field indicating the type of request, and here the Type field is Identity, meaning identity;
2) The requester sends a Response packet to the authentication access controller in reply to a valid Request; the Response packet contains a Type field corresponding to the Type field in the Request packet, and its Type-Data field contains the peer's identity;
3) The authentication access controller sends a Request packet to the authentication server; the Request has a Type field indicating the type of request, and here Type is TP Authentication, used to request the authentication method type from the authentication server;
4) The authentication server sends a Response packet to the authentication access controller; the Response packet contains a Type field corresponding to the Type field in the Request packet;
5) The authentication access controller selects an authentication method according to the authentication method type returned by the authentication server and begins the authentication process. It sends a Request packet to the requester, the requester answers the authentication access controller with a Response packet, and the sequence of Requests and Responses continues as long as needed. The authentication access controller sends Request packets to the authentication server, and the authentication server answers the authentication access controller with Response packets; this sequence of Requests and Responses likewise continues as long as needed. The authentication access controller is responsible for retransmitting Request packets;
6) The dialogue continues until either the authentication access controller cannot authenticate the requester, in which case it sends a Failure packet to the requester, or the authentication access controller judges that authentication has completed successfully, in which case it either stops sending Request packets, ending the exchange, or sends a Success packet to the requester.
In some cases, when the authentication method is fixed or the authentication method and identity are determined by other means, steps 3) and 4) above may be performed selectively.
在图 2所示的基于 TePA的 TNC架构中, 由于网络访问控制层除了传输用户 鉴别协议数据外还传输上两层的平台鉴别协议数据,且平台鉴别协议数据在访 问请求者和访问控制器之间需要利用安全隧道进行传输,所以所述三元鉴别可 扩展协议不能完成基于 TePA的 TNC架构的网络传输。  In the TePA-based TNC architecture shown in FIG. 2, since the network access control layer transmits the above two layers of platform authentication protocol data in addition to the user authentication protocol data, and the platform authentication protocol data is in the access requester and the access controller. There is a need to use a secure tunnel for transmission, so the ternary authentication scalable protocol cannot complete the network transmission of the TePA-based TNC architecture.
Summary of the invention
Embodiments of the present invention provide a network transmission method adapted for a tri-element peer authentication trusted network connection architecture, so as to implement the network transmission of the TePA-based TNC architecture.
An embodiment of the present invention provides a network transmission method adapted for a tri-element peer authentication trusted network connection architecture, the method comprising:
1) the requester, the authentication access controller and the authentication server perform a TAEP authentication method;
1.1) the authentication access controller uses TAEP Request and Response packets to obtain the TAEP authentication method identity of the requester;
1.2) TAEP Request and Response packets are used to obtain the TAEP authentication method type from the authentication server;
1.3) a TAEP authentication method is selected and the TAEP authentication method process is performed with the requester and the authentication server;
1.4) the authentication process is ended with a TAEP Success packet or Failure packet.
After step 1) above, the method further comprises step 2): the requester, the authentication access controller and the authentication server perform a TAEP tunnel authentication method;
2.1) the requester and the authentication access controller perform a tunnel method to establish a secure tunnel between the requester and the authentication access controller;
2.2) the requester, the authentication access controller and the authentication server perform an inner TAEP authentication method inside the secure tunnel established in step 2.1).
In the above method, if a session key between the requester and the authentication access controller has been established in step 1), then after the authentication process ends that session key can be used to protect the data between the requester and the authentication access controller, or the session key can be combined with the secure tunnel established in step 2) to protect the data between the requester and the authentication access controller; if no session key between the requester and the authentication access controller was established in step 1), then after the authentication process ends the secure tunnel established in step 2) can be used to protect the data between the requester and the authentication access controller.
Embodiments of the present invention have the following advantages:
1. Both the TAEP authentication method and the inner TAEP authentication method adopted by the embodiments of the present invention are extensible authentication frameworks, which enhances extensibility and applicability;
2. The TAEP authentication method adopted by the embodiments of the present invention is transmitted before the secure tunnel is established, whereas the inner TAEP authentication method is transmitted after the secure tunnel is established, which gives good forward compatibility;
3. The inner TAEP authentication method messages adopted by the embodiments of the present invention are transmitted inside the secure tunnel, which enhances security.
Brief description of the drawings
FIG. 1 is a diagram of the TCG-TNC architecture in the prior art;
FIG. 2 is the TePA-based TNC architecture in the prior art;
FIG. 3 is a diagram of the TAEP multiplexing model in the prior art;
FIG. 4 is a diagram of the tunnelled TAEP encapsulation hierarchy in an embodiment of the present invention.
Detailed description
The specific implementation steps of the network transmission method adapted for a tri-element peer authentication trusted network connection architecture in an embodiment of the present invention are as follows:
1) The requester, the authentication access controller and the authentication server perform a TAEP authentication method, for example a user authentication protocol. This TAEP authentication method can also establish a session key between the requester and the authentication access controller;
1.1) The authentication access controller uses TAEP Request and Response packets to obtain the requester's TAEP authentication method identity, for example the requester's user identity;
1.1.1) The authentication access controller sends a TAEP Request packet to the requester, in which the value of the Type field is Identity;
1.1.2) The requester sends a TAEP Response packet to the authentication access controller, in which the Type field corresponds to the Type field of the TAEP Request packet of step 1.1.1), and the Type-Data field contains the requester's TAEP authentication method identity, for example the requester's user identity;
1.2) The authentication access controller uses TAEP Request and Response packets to obtain the TAEP authentication method type from the authentication server, for example the user authentication method type;
1.2.1) The authentication access controller sends a TAEP Request packet to the authentication server, in which the value of the Type field is TP Authentication and the Type-Data field contains the TAEP authentication method identities of the requester and the authentication access controller, for example the user identities of the access requester and the access controller in FIG. 2;
1.2.2) The authentication server sends a TAEP Response packet to the authentication access controller, in which the Type field corresponds to the Type field of the TAEP Request packet of step 1.2.1), and the Type-Data field contains the TAEP authentication method type, for example the user authentication protocol type in FIG. 2;
1.3) The authentication access controller selects a TAEP authentication method and performs the TAEP authentication method process with the requester and the authentication server, for example performing a user authentication protocol;
1.3.1) A series of TAEP Request and Response packets are exchanged between the authentication access controller and the requester, and between the authentication access controller and the authentication server, in which the Type field is the TAEP authentication method type selected by the authentication access controller in step 1.3), and the Type-Data field contains the TAEP authentication method message corresponding to the value of the Type field, for example a user authentication protocol message;
If the TAEP tunnel authentication method still needs to be performed after step 1.3) is completed, step 2) is performed; otherwise step 1.4) is performed;
1.4) The authentication access controller ends the authentication process with a TAEP Success packet or Failure packet;
1.4.1) If, during the TAEP authentication method process of step 1.3.1), the authentication access controller successfully authenticates the requester, for example successfully authenticates the requester's user identity, it sends a TAEP Success packet to the requester;
1.4.2) If, during the TAEP authentication method process of step 1.3.1), the authentication access controller cannot successfully authenticate the requester, for example cannot successfully authenticate the requester's user identity, it sends a TAEP Failure packet to the requester.
2) The requester, the authentication access controller and the authentication server perform a TAEP tunnel authentication method;
2.1) The requester and the authentication access controller perform a tunnel method to establish a secure tunnel between the requester and the authentication access controller, for example performing the Transport Layer Security (TLS) protocol to establish the secure tunnel between the requester and the authentication access controller. Since two-way user authentication between the requester and the authentication access controller has already been achieved in step 1), the fully anonymous mode of the TLS protocol can be used to establish the secure tunnel between the requester and the authentication access controller;
2.2.1) The authentication access controller sends a TAEP Request packet to the requester, in which the value of the Type field is the TAEP tunnel authentication method type and the value of the Type-Data field is the TAEP tunnel authentication method start flag, Start;
2.2.2) A series of TAEP Request and Response packets are exchanged between the requester and the authentication access controller, in which the value of the Type field is the TAEP tunnel authentication method type of step 2.2.1) and the value of the Type-Data field is the tunnel method message corresponding to the value of the Type field, for example a TLS protocol message, until the secure tunnel between the requester and the authentication access controller is established;
2.2) The requester, the authentication access controller and the authentication server perform an inner TAEP authentication method inside the secure tunnel established in step 2.1), for example using the record protocol of the TLS protocol to securely transmit the inner TAEP authentication method messages;
2.2.1) The authentication access controller uses TAEP Request and Response packets to obtain the requester's inner TAEP authentication method identity, for example the requester's platform identity;
2.2.1.1) The authentication access controller sends a TAEP Request packet to the requester, in which the value of the Type field is the TAEP tunnel authentication method type of step 2.2.1) and the value of the Type-Data field is an inner TAEP authentication method packet protected by the secure tunnel established in step 2.1). In the inner TAEP authentication method packet, the value of the Code field is Request and the value of the Type field is Identity;
2.2.1.2) The requester sends a TAEP Response packet to the authentication access controller, in which the Type field corresponds to the Type field of the TAEP Request packet of step 2.2.1.1) and the value of the Type-Data field is an inner TAEP authentication method packet protected by the secure tunnel established in step 2.1). In the inner TAEP authentication method packet, the value of the Code field is Response, the Type field corresponds to the Type field of the inner TAEP authentication method Request packet of step 2.2.1.1), and the Type-Data field contains the requester's inner TAEP authentication method identity, for example the requester's platform identity;
2.2.2) The authentication access controller uses TAEP Request and Response packets to obtain the inner TAEP authentication method type from the authentication server, for example the platform authentication protocol type;
2.2.2.1) The authentication access controller sends a TAEP Request packet to the authentication server, in which the value of the Type field is TP Authentication and the Type-Data field contains the inner TAEP authentication method identities of the requester and the authentication access controller, for example the platform identities of the requester and the authentication access controller;
2.2.2.2) The authentication server sends a TAEP Response packet to the authentication access controller, in which the Type field corresponds to the Type field of the TAEP Request packet of step 2.2.2.1) and the Type-Data field contains the inner TAEP authentication method type, for example the platform authentication protocol type;
2.2.3) The authentication access controller selects an inner TAEP authentication method and performs the inner TAEP authentication method process with the requester and the authentication server, for example performing a platform authentication protocol;
2.2.3.1) A series of TAEP Request and Response packets are exchanged between the authentication access controller and the requester, and between the authentication access controller and the authentication server, until the inner TAEP authentication method process is complete. For the series of TAEP Request and Response packets exchanged between the authentication access controller and the requester, the value of the Type field is the TAEP tunnel authentication method type of step 2.2.1) and the value of the Type-Data field is an inner TAEP authentication method packet. In the inner TAEP authentication method packet, the value of the Type field is the inner TAEP authentication method type selected by the authentication access controller in step 2.2.3), and the Type-Data field contains the inner TAEP authentication method message corresponding to the value of the Type field, for example a platform authentication protocol message;
2.2.4) The authentication access controller ends the authentication process with a TAEP Success packet or Failure packet;
2.2.4.1) If, during the inner TAEP authentication method process of step 2.2.3.1), the authentication access controller successfully authenticates the requester, for example successfully authenticates the requester's platform (including platform identity and platform integrity), it sends a TAEP Success packet to the requester;
2.2.4.2) If, during the inner TAEP authentication method process of step 2.2.3.1), the authentication access controller cannot successfully authenticate the requester, for example fails to authenticate the requester's platform (including platform identity and platform integrity), it sends a TAEP Failure packet to the requester.
In step 2.2.2), the authentication access controller may also use TAEP Request and Response packets to obtain auxiliary data for the inner TAEP authentication method from the authentication server, for example the policy information of the platform authentication protocol (including the platform protection policy, the platform evaluation policy and so on).
If a session key between the requester and the authentication access controller has been established in step 1) above, then after the authentication process ends that session key can be used to protect the data between the requester and the authentication access controller, or the session key can be combined with the secure tunnel established in step 2) to protect the data between the requester and the authentication access controller, for example by performing an exclusive-OR operation on the session key and the secure tunnel established in step 2); if no session key between the requester and the authentication access controller was established in step 1), then after the authentication process ends the secure tunnel established in step 2) can be used to protect the data between the requester and the authentication access controller.
Referring to FIG. 4, when the solution of an embodiment of the present invention is applied to the TePA-based TNC architecture shown in FIG. 2, the access requester, the access controller and the policy manager correspond respectively to the requester, the authentication access controller and the authentication server of the embodiment. In addition, when the access requester and the access controller compute a platform signature, if a session key has been established between the access requester and the access controller, the platform signature, for example an Attestation Identity Key (AIK) signature, must be bound to the session key between the access requester and the access controller and to the secure tunnel established by the tunnel method of the TAEP tunnel authentication method; if no session key has been established between the access requester and the access controller, the platform signature must be bound to a secret value that can authenticate the peer's user identity and to the secure tunnel established by the tunnel method of the TAEP tunnel authentication method.
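The encapsulation hierarchy of FIG. 4 and the post-authentication key choice described above, as an added Python example that is not the patent's or the applicant's code: an outer TAEP packet whose Type is the tunnel method type and whose Type-Data is an inner TAEP packet protected by the tunnel, exercised with the inner Identity exchange of steps 2.2.1.1 and 2.2.1.2. The header layout (Code, Identifier, Length, Type, Type-Data), the numeric Code and Type values, and the HMAC-based record protection standing in for the TLS record layer are assumptions; "combining the session key with the secure tunnel" is read as XORing the session key with the tunnel's key material.

```python
import hashlib
import hmac
import os
import struct

# Assumed numeric values: the description names the Code, Type and Type-Data
# fields but fixes no encoding, so these are placeholders, not TAEP constants.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # Code field (EAP-style numbering, assumed)
TYPE_IDENTITY = 1                                  # Type = Identity (assumed)
TYPE_TAEP_TUNNEL = 251                             # TAEP tunnel authentication method type (placeholder)
HDR = struct.Struct("!BBH")                        # Code(1) Identifier(1) Length(2), assumed layout

def encode(code, ident, ptype=None, type_data=b""):
    """Serialise one TAEP packet; Success/Failure carry no Type or Type-Data."""
    body = b"" if ptype is None else bytes([ptype]) + type_data
    return HDR.pack(code, ident, HDR.size + len(body)) + body

def decode(pkt):
    """Parse a TAEP packet into a dict, rejecting a Length that disagrees with the packet."""
    if len(pkt) < HDR.size:
        raise ValueError("short packet")
    code, ident, length = HDR.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    out = {"code": code, "id": ident}
    if code in (REQUEST, RESPONSE):
        if len(pkt) == HDR.size:
            raise ValueError("Request/Response without Type field")
        out["type"] = pkt[HDR.size]
        out["type_data"] = pkt[HDR.size + 1:]
    return out

def _keystream(key, nonce, n):
    """HMAC-SHA256 counter-mode keystream for the toy record protection below."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def tunnel_seal(key, plaintext, nonce=None):
    """Stand-in for the TLS record layer of step 2.2: encrypt-then-MAC (assumption, not TLS)."""
    nonce = os.urandom(16) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def tunnel_open(key, record):
    """Verify the record tag before decrypting; a bad tag means the inner packet is discarded."""
    if len(record) < 48:
        raise ValueError("tunnel record too short")
    nonce, ct, tag = record[:16], record[16:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tunnel record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def wrap_inner(tunnel_key, outer_ident, inner_pkt):
    """FIG. 4 layering: outer TAEP packet, Type = tunnel method, Type-Data = protected inner packet."""
    inner = decode(inner_pkt)
    if inner["code"] not in (REQUEST, RESPONSE):
        raise ValueError("only inner Request/Response packets are tunnelled here")
    return encode(inner["code"], outer_ident, TYPE_TAEP_TUNNEL, tunnel_seal(tunnel_key, inner_pkt))

def unwrap_inner(tunnel_key, outer_pkt):
    """Reverse of wrap_inner: check the outer Type, open the tunnel record, parse the inner packet."""
    outer = decode(outer_pkt)
    if outer.get("type") != TYPE_TAEP_TUNNEL:
        raise ValueError("outer packet is not a TAEP tunnel authentication method packet")
    return decode(tunnel_open(tunnel_key, outer["type_data"]))

def inner_identity_exchange(tunnel_key, platform_identity):
    """Steps 2.2.1.1 and 2.2.1.2: inner Identity Request/Response carried inside the tunnel.
    Returns the inner TAEP identity (e.g. platform identity) recovered by the controller."""
    request = wrap_inner(tunnel_key, 10, encode(REQUEST, 1, TYPE_IDENTITY))
    inner_req = unwrap_inner(tunnel_key, request)            # requester side
    if inner_req["type"] != TYPE_IDENTITY:
        raise ValueError("unexpected inner Type")
    response = wrap_inner(tunnel_key, 10,
                          encode(RESPONSE, inner_req["id"], TYPE_IDENTITY, platform_identity))
    return unwrap_inner(tunnel_key, response)["type_data"]   # controller side

def rejects(tunnel_key, outer_pkt):
    """True if the receiver discards the packet (bad tag, wrong key or malformed outer packet)."""
    try:
        unwrap_inner(tunnel_key, outer_pkt)
        return False
    except ValueError:
        return True

def data_protection_key(session_key, tunnel_key):
    """Post-authentication choice from the description: session key XOR tunnel key material when
    step 1) produced a session key, the tunnel key material alone otherwise (assumed equal length)."""
    if session_key is None:
        return tunnel_key
    if len(session_key) != len(tunnel_key):
        raise ValueError("keys must have equal length to be combined by XOR")
    return bytes(a ^ b for a, b in zip(session_key, tunnel_key))
```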

Claims

1. A network transmission method adapted for a tri-element peer authentication trusted network connection architecture, characterized in that the method comprises:
1) the requester, the authentication access controller and the authentication server perform a TAEP authentication method, comprising:
1.1) the authentication access controller uses TAEP Request and Response packets to obtain the requester's TAEP authentication method identity;
1.2) TAEP Request and Response packets are used to obtain the TAEP authentication method type from the authentication server;
1.3) a TAEP authentication method is selected and the TAEP authentication method process is performed with the requester and the authentication server;
1.4) the authentication process is ended with a TAEP Success packet or Failure packet.
2. The network transmission method adapted for a tri-element peer authentication trusted network connection architecture according to claim 1, characterized in that step 1.1) comprises:
1.1.1) the authentication access controller sends a TAEP Request packet to the requester, in which the value of the Type field is Identity;
1.1.2) the requester sends a TAEP Response packet to the authentication access controller, in which the Type field corresponds to the Type field of the TAEP Request packet of step 1.1.1), and the Type-Data field contains the requester's TAEP authentication method identity.
3. The network transmission method adapted for a tri-element peer authentication trusted network connection architecture according to claim 2, characterized in that step 1.2) comprises:
1.2.1) the authentication access controller sends a TAEP Request packet to the authentication server, in which the value of the Type field is TP Authentication and the Type-Data field contains the TAEP authentication method identities of the requester and the authentication access controller;
1.2.2) the authentication server sends a TAEP Response packet to the authentication access controller, in which the Type field corresponds to the Type field of the TAEP Request packet of step 1.2.1), and the Type-Data field contains the TAEP authentication method type.
4. The network transmission method adapted for a tri-element peer authentication trusted network connection architecture according to claim 3, characterized in that step 1.3) comprises:
a series of TAEP Request and Response packets are exchanged between the authentication access controller and the requester, and between the authentication access controller and the authentication server, in which the Type field is the TAEP authentication method type selected by the authentication access controller, and the Type-Data field contains the TAEP authentication method message corresponding to the value of the Type field.
5. The network transmission method adapted for a tri-element peer authentication trusted network connection architecture according to claim 4, characterized in that step 1.4) comprises:
1.4.1) if, during the TAEP authentication method process of step 1.3), the authentication access controller successfully authenticates the requester, it sends a TAEP Success packet to the requester;
1.4.2) if, during the TAEP authentication method process of step 1.3), the authentication access controller cannot successfully authenticate the requester, it sends a TAEP Failure packet to the requester.
6. The network transmission method adapted for a tri-element peer authentication trusted network connection architecture according to any one of claims 1 to 5, characterized in that, after step 1), the method further comprises:
2) the requester, the authentication access controller and the authentication server perform a TAEP tunnel authentication method, comprising:
2.1) the authentication access controller establishes a secure tunnel with the requester;
2.2) an inner TAEP authentication method is performed inside the established secure tunnel.
7. The network transmission method adapted for a tri-element peer authentication trusted network connection architecture according to claim 6, characterized in that step 2.1) comprises:
2.1.1) the authentication access controller sends a TAEP Request packet to the requester, in which the value of the Type field is the TAEP tunnel authentication method type and the value of the Type-Data field is the TAEP tunnel authentication method start flag;
2.1.2) a series of TAEP Request and Response packets are exchanged between the authentication access controller and the requester, in which the value of the Type field is the TAEP tunnel authentication method type of step 2.1.1) and the value of the Type-Data field is the tunnel method message corresponding to the value of the Type field, until establishment of the secure tunnel between the authentication access controller and the requester is complete.
8. The network transmission method adapted for a tri-element peer authentication trusted network connection architecture according to claim 6, characterized in that step 2.2) comprises:
2.2.1) the authentication access controller uses TAEP Request and Response packets to obtain the requester's inner TAEP authentication method identity;
2.2.2) the authentication access controller uses TAEP Request and Response packets to obtain the inner TAEP authentication method type from the authentication server;
2.2.3) the authentication access controller selects an inner TAEP authentication method and performs the inner TAEP authentication method process with the requester and the authentication server;
2.2.4) the authentication access controller ends the authentication process with a TAEP Success packet or Failure packet.
9. The network transmission method adapted for a tri-element peer authentication trusted network connection architecture according to claim 8, characterized in that step 2.2.1) comprises:
2.2.1.1) the authentication access controller sends a TAEP Request packet to the requester, in which the value of the Type field is the TAEP tunnel authentication method type of step 2.2.1) and the value of the Type-Data field is an inner TAEP authentication method packet protected by the secure tunnel established in step 2.1); in the inner TAEP authentication method packet, the value of the Code field is Request and the value of the Type field is Identity;
2.2.1.2) the requester sends a TAEP Response packet to the authentication access controller, in which the Type field corresponds to the Type field of the TAEP Request packet of step 2.2.1.1) and the value of the Type-Data field is an inner TAEP authentication method packet protected by the secure tunnel established in step 2.1); in the inner TAEP authentication method packet, the value of the Code field is Response, the Type field corresponds to the Type field of the inner TAEP authentication method Request packet of step 2.2.1.1), and the Type-Data field contains the requester's inner TAEP authentication method identity.
10. The network transmission method adapted for a tri-element peer authentication trusted network connection architecture according to claim 9, characterized in that step 2.2.2) comprises:
2.2.2.1) the authentication access controller sends a TAEP Request packet to the authentication server, in which the value of the Type field is TP Authentication and the Type-Data field contains the inner TAEP authentication method identities of the requester and the authentication access controller;
2.2.2.2) the authentication server sends a TAEP Response packet to the authentication access controller, in which the Type field corresponds to the Type field of the TAEP Request packet of step 2.2.2.1), and the Type-Data field contains the inner TAEP authentication method type.
11. The network transmission method adapted for a tri-element peer authentication trusted network connection architecture according to claim 10, characterized in that step 2.2.3) comprises:
a series of TAEP Request and Response packets are exchanged between the authentication access controller and the requester, and between the authentication access controller and the authentication server, until the inner TAEP authentication method process is complete; for the series of TAEP Request and Response packets exchanged between the authentication access controller and the requester, the value of the Type field is the TAEP tunnel authentication method type of step 2.2.1) and the value of the Type-Data field is an inner TAEP authentication method packet; in the inner TAEP authentication method packet, the value of the Type field is the inner TAEP authentication method type selected by the authentication access controller in step 2.2.3), and the Type-Data field contains the inner TAEP authentication method message corresponding to the value of the Type field.
12. The network transmission method adapted for a tri-element peer authentication trusted network connection architecture according to claim 11, characterized in that step 2.2.4) comprises:
2.2.4.1 )若在步骤 2.2.3 )中的内 TAEP鉴别方法过程中鉴别访问控制器成 功认证请求者, 则向请求者发送 TAEP的 Success分组; 2.2.4.1) If the authentication access controller successfully authenticates the requester during the internal TAEP authentication method in step 2.2.3), then the TAEP Success packet is sent to the requester;
2.2.4.2 )若在步骤 2.2.3 )中的内 TAEP鉴别方法过程中鉴别访问控制器不 能成功认证请求者, 则向请求者发送 TAEP的 Failure分组。 2.2.4.2) If the authentication access controller cannot successfully authenticate the requester during the internal TAEP authentication method in step 2.2.3), then send a TAEP Failure packet to the requester.
13、 根据权利要求 10所述的一种适合三元对等鉴别可信网络连接架构的 网络传输方法, 其特征在于: 所述步骤 2.2.2 )中, 鉴别访问控制器利用 TAEP 的 Request分组和 Response分组来向鉴别服务器获取内 TAEP鉴别方法的辅助 数据。 13. A network transmission method suitable for ternary peer authentication trusted network connection architecture according to claim 10, characterized in that: in step 2.2.2), the authentication access controller uses the Request group of TAEP and Response packet to obtain auxiliary data for the TAEP authentication method from the authentication server.
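The tunnelled Identity exchange of steps 2.2.1.1) and 2.2.1.2), as an added Python example that is not part of the patent: an outer TAEP packet whose Type is the tunnel method type carries, in its Type-Data, a tunnel-protected inner TAEP packet, and the requester checks both layers before answering. The byte layout, the numeric Code/Type values, the tunnel key and the HMAC stand-in for the secure tunnel of step 2.1) are all assumptions, since the claims name the fields but define no encoding or cipher.

```python
import hashlib
import hmac
import struct

# Assumed numeric values: the claims name the fields (Code, Type, Type-Data)
# and the values Request/Response/Identity but give no wire encoding.
CODE_REQUEST, CODE_RESPONSE = 1, 2
TYPE_IDENTITY = 1
TYPE_TUNNEL = 0x20  # placeholder for the TAEP tunnel method type chosen in step 2.2.1)

def taep_encode(code, typ, type_data):  # assumed layout: Code(1) Type(1) Length(2) Type-Data
    return struct.pack("!BBH", code, typ, 4 + len(type_data)) + type_data

def taep_decode(pkt):
    code, typ, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("bad TAEP length")
    return code, typ, pkt[4:]

# Stand-in for the secure tunnel of step 2.1): the page does not define the
# tunnel's cipher, so only keyed integrity protection (HMAC-SHA256) is modelled.
def tunnel_protect(key, inner):
    return hmac.new(key, inner, hashlib.sha256).digest() + inner

def tunnel_unprotect(key, blob):
    tag, inner = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, inner, hashlib.sha256).digest()):
        raise ValueError("tunnel integrity check failed")
    return inner

def build_identity_request(tunnel_key):
    """Step 2.2.1.1): outer Type is the tunnel method type; Type-Data carries the protected inner Identity Request."""
    inner = taep_encode(CODE_REQUEST, TYPE_IDENTITY, b"")
    return taep_encode(CODE_REQUEST, TYPE_TUNNEL, tunnel_protect(tunnel_key, inner))

def answer_identity_request(tunnel_key, request, identity):
    """Step 2.2.1.2): the requester validates the Request, then answers with its inner-method identity."""
    code, typ, type_data = taep_decode(request)
    if code != CODE_REQUEST or typ != TYPE_TUNNEL:
        raise ValueError("not a tunnelled TAEP Request")
    in_code, in_type, _ = taep_decode(tunnel_unprotect(tunnel_key, type_data))
    if in_code != CODE_REQUEST or in_type != TYPE_IDENTITY:
        raise ValueError("inner packet is not an Identity Request")
    inner = taep_encode(CODE_RESPONSE, in_type, identity)  # inner Type mirrors the Request's
    return taep_encode(CODE_RESPONSE, typ, tunnel_protect(tunnel_key, inner))  # outer Type mirrors it too
```

The access controller recovers the identity by decoding the outer Response, unprotecting its Type-Data with the same tunnel key and decoding the inner packet; a modified inner packet fails the tunnel check before any field is interpreted.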
PCT/CN2010/073133 2009-12-11 2010-05-24 Network transmission method adapted for tri-element peer authentication trusted network connection architecture WO2011069355A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2009103112703A CN101707621B (en) 2009-12-11 2009-12-11 Network transmission method suitable for ternary peer authentication of trusted network connection architecture
CN200910311270.3 2009-12-11

Publications (1)

Publication Number Publication Date
WO2011069355A1 true WO2011069355A1 (en) 2011-06-16

Family

ID=42377811

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/073133 WO2011069355A1 (en) 2009-12-11 2010-05-24 Network transmission method adapted for tri-element peer authentication trusted network connection architecture

Country Status (2)

Country Link
CN (1) CN101707621B (en)
WO (1) WO2011069355A1 (en)

Also Published As

Publication number Publication date
CN101707621A (en) 2010-05-12
CN101707621B (en) 2012-05-09


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10835392; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 10835392; Country of ref document: EP; Kind code of ref document: A1)