CN112054909A - Radius authentication method based on RSA algorithm - Google Patents
Radius authentication method based on RSA algorithm Download PDFInfo
- Publication number
- CN112054909A CN112054909A CN202010990189.9A CN202010990189A CN112054909A CN 112054909 A CN112054909 A CN 112054909A CN 202010990189 A CN202010990189 A CN 202010990189A CN 112054909 A CN112054909 A CN 112054909A
- Authority
- CN
- China
- Prior art keywords
- message
- nas
- access
- request
- radius server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3249—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3297—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a Radius authentication method based on an RSA algorithm, which comprises the following steps: nas receives a user name password transmitted from a Client, then an Access-request is transmitted to a Radius server, a request message is subjected to RSA signature processing through a private key, the Radius server decrypts the request message through a public key after acquiring data, the decrypted data is compared with database information, if the comparison is passed, an Access-accept message is returned to Nas, the Access-accept message is subjected to RSA encryption processing through the public key, the Nas decrypts the request message through the private key after receiving the message, the Client successfully authenticates, if the comparison is not passed, the Access-reject message is returned to Nas, the Access-reject message is subjected to RSA encryption processing through the public key, the Nas decrypts the request message through the private key after receiving the message, and the Client fails in authentication.
Description
Technical Field
The invention relates to the field of data security, in particular to a Radius authentication method based on an RSA algorithm.
Background
The development of computer encryption technology makes the requirements of the vast netizens on the information security of the internet more and more. The traditional Radius authentication method uses the MD5 encryption mode in message transmission, and with the increase of user requirements, RSA encrypted messages are gradually required by markets and users. The method has the advantages that the private key is stored at the Nas end in the transmission process, the public key is stored at the Radius server end, the Radius authentication message of a user can be encrypted and decrypted, the asymmetric encryption method ensures the security and the non-tamper property of data transmission, and meets the requirements of all users.
Disclosure of Invention
Aiming at the defects in the prior art, the invention aims to provide a Radius authentication method based on an RSA algorithm, the method realizes safer Radius authentication and authorization functions, and has the advantages of high data access safety factor, optimized resource monitoring, reduced resource consumption and the like.
The invention aims at a Radius authentication method based on an RSA algorithm, which can comprise the following steps: the Client inputs the username and password, and the Nas sends an access-request to the Radius server after receiving the username and password.
The Nas transmission message is subjected to RSA encryption processing through a private key, namely, Access-Request Code + Identifier + Length + Request Authenticator + Attributes + Shared Secret).
And the Radius server acquires data, analyzes the data through a public key and compares the data with database information.
And if the comparison is passed, the Radius server returns an Access-accept message to the Nas, the Radius server transmits the message to perform RSA encryption processing through a public key, RSA (Access-accept Code + Identifier + Length + Request Authenticator + Attributes + Shared Secret) is performed, the Nas receives the message and decrypts the message through a private key, and the Client authentication is successful.
If the comparison fails, the Radius server returns an Access-Request message to the Nas, the Radius server transmits the message to perform RSA encryption processing through a public key, RSA (Access-Request Code + Identifier + Length + Request Authenticator + Attributes + Shared Secret), the Nas receives the message and analyzes the message through a private key, and the Client authentication fails.
The data collected is from the data in the user, Nas and Radius servers.
In the signature process, the invention does not only combine the timestamp or the identifier with the message for signature, but also combines the identifier with the messageITime stampT j And a messagemThe three are combined to generate a signature. The private key encryption data process should satisfy the signature formulaSn d :
When the server receives the message combination transmitted by Nas { ()E’||I,T j ),Sn d (E’||i,T j ) And fourthly, whether the signature encryption is tampered in the transmission process or not is judged, and the verification process of the signature encryption meets the following formula:
after receiving the Nas message combination, the Radius server judges whether each received message is tampered by adopting a one-by-one verification mode. After the Radius server verifies, if the above formula is not true, it indicates that the data in the message combination is tampered; if the above formula is satisfied, it indicates that the message combination is not tampered and the data transmission is normal.
Drawings
Fig. 1 is a flowchart of a Radius authentication method based on RSA algorithm according to an example of the present invention.
Detailed Description
As shown in fig. 1, an embodiment of the present invention provides a Radius authentication method based on RSA algorithm.
First, in step S101, the Client inputs a username and password, and the Nas receives the username and password and transmits an Access-request to the Radius server.
Secondly, in step S102, the Nas transmission message is processed by RSA encryption processing through a private key, and the generation identifier is processedITime stampT j And a messagemThe three are combined to generate a signature. The private key data encryption process should satisfy a signature formula Snd:
the information in the message comprises Access-request corresponding codes, identifiers, message lengths, request authorization codes, Radius message attributes and shared keys.
In step S103, the Radius server obtains data, decrypts the data through the public key, and compares the data with the database information. Whether the signature encryption is tampered in the transmission process or not is verified at a Radius server, and the verification process of the signature encryption meets the following formula:
after the verification is passed, after the Radius server receives the message, decoding and recovering the message sent by the information source by utilizing the encoding and decoding process of the public key random linear network coding, thereby obtaining the original message sent by the information source to the destination node.
In step S104, the parsed packet data is compared with the database information in the Radius server.
In step S105, if the Radius server returns an Access-accept message to the Nas after the comparison is passed, and if the comparison is not passed, the Radius server returns an Access-reject message to the Nas. The information in the message passing the comparison comprises Access-accept corresponding codes, identifiers, message length, request authorization codes, Radius message attributes and shared keys. The information in the failed comparison message comprises an Access-reject corresponding code, an identifier, a message length, a request authorization code, a Radius message attribute and a shared secret key.
In step S106, the Radius server transmits the message to perform RSA encryption processing through the public key, encrypts the message transmitted to Nas by using the public key, and encrypts the signature rule in the encryption rule S102.
In step S107, the Nas receives the message and decrypts the message by using the private key, and verifies whether the transmission process of the message is tampered according to the method in S103. And after the verification, judging whether the Client passes the authentication according to the decrypted message information.
Claims (5)
1. A Radius authentication method based on an RSA algorithm, the method comprising:
the Client transmits user information to the Nas, and the Nas receives a request for directly pointing to an access-request message to a Radius server;
the Nas transmission message is subjected to RSA encryption processing through a private key, and RSA (Access-Request Code + Identifier + Length + Request Authenticator + Attributes + Shared Secret);
the Radius server acquires data, analyzes the data through a public key and compares the data with database information;
if the comparison is passed, the Radius server returns an Access-accept message to the Nas, the Radius server transmits the message to perform RSA encryption processing through a public key, RSA (Access-accept Code + Identifier + Length + Request Authenticator + Attributes + Shared Secret) is performed, the Nas receives the message and decrypts the message through a private key, and the Client authentication is successful;
if the comparison fails, the Radius server returns an Access-Request message to the Nas, the Radius server transmits the message to perform RSA encryption processing through a public key, RSA (Access-Request Code + Identifier + Length + Request Authenticator + Attributes + Shared Secret), the Nas receives the message and analyzes the message through a private key, and the Client authentication fails.
2. The method of claim 1, wherein the data is derived from intra-user, Nas, and Radius server data.
3. The method of claim 1, wherein the private key encrypts data to satisfy a signature formulaSn d :
4. The method of claim 1, wherein the signature encryption is tampered during transmission, and the verification process thereof satisfies the following formula:
5. the method as claimed in claim 1, wherein after the Radius server receives the message, the message sent by the source is decoded and recovered by using the encoding and decoding process of the public key random linear network coding, so as to obtain the original message sent by the source to the destination node.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010990189.9A CN112054909A (en) | 2020-09-19 | 2020-09-19 | Radius authentication method based on RSA algorithm |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010990189.9A CN112054909A (en) | 2020-09-19 | 2020-09-19 | Radius authentication method based on RSA algorithm |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112054909A true CN112054909A (en) | 2020-12-08 |
Family
ID=73603893
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010990189.9A Pending CN112054909A (en) | 2020-09-19 | 2020-09-19 | Radius authentication method based on RSA algorithm |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112054909A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113364762A (en) * | 2021-06-02 | 2021-09-07 | 中国电信股份有限公司 | Login authentication method, system, equipment and storage medium based on hybrid encryption |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102333093A (en) * | 2011-09-28 | 2012-01-25 | 深圳市赛格导航科技股份有限公司 | Data encryption transmission method and system |
| WO2013090866A1 (en) * | 2011-12-15 | 2013-06-20 | Microsoft Corporation | Secure communication system and method |
| CN107222476A (en) * | 2017-05-27 | 2017-09-29 | 国网山东省电力公司 | A kind of authentication service method |
-
2020
- 2020-09-19 CN CN202010990189.9A patent/CN112054909A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102333093A (en) * | 2011-09-28 | 2012-01-25 | 深圳市赛格导航科技股份有限公司 | Data encryption transmission method and system |
| WO2013090866A1 (en) * | 2011-12-15 | 2013-06-20 | Microsoft Corporation | Secure communication system and method |
| CN107222476A (en) * | 2017-05-27 | 2017-09-29 | 国网山东省电力公司 | A kind of authentication service method |
Non-Patent Citations (2)
| Title |
|---|
| 兰丽娜等: "RADIUS协议安全机制研究及改进办法初探", 《信息安全与通信保密》 * |
| 曹世宏: "RADIUS协议基础原理", 《曹世宏的博客》 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113364762A (en) * | 2021-06-02 | 2021-09-07 | 中国电信股份有限公司 | Login authentication method, system, equipment and storage medium based on hybrid encryption |
| CN113364762B (en) * | 2021-06-02 | 2022-12-02 | 中国电信股份有限公司 | Login authentication method, system, equipment and storage medium based on hybrid encryption |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11930103B2 (en) | Method, user device, management device, storage medium and computer program product for key management | |
| AU2003203712B2 (en) | Methods for remotely changing a communications password | |
| CN1324502C (en) | Method for discriminating invited latent member to take part in group | |
| US7793340B2 (en) | Cryptographic binding of authentication schemes | |
| CN103051628B (en) | Obtain the method and system of authentication token based on server | |
| CN111884811B (en) | Block chain-based data evidence storing method and data evidence storing platform | |
| CN110048849B (en) | Multi-layer protection session key negotiation method | |
| CN112073467A (en) | Block chain-based data transmission method and device, storage medium and electronic equipment | |
| US20100235625A1 (en) | Techniques and architectures for preventing sybil attacks | |
| TWI773161B (en) | Digital signature private key verification method | |
| WO2010005071A1 (en) | Password authenticating method | |
| CN107517194B (en) | Return source authentication method and device of content distribution network | |
| CN114726546B (en) | Digital identity authentication method, device, equipment and storage medium | |
| JP2001177513A (en) | Authentication method in communication system, center device, recording medium storing authentication program | |
| CN115842680A (en) | Network identity authentication management method and system | |
| US20170324563A1 (en) | Encrypted text verification system, method, and recording medium | |
| CN114244530A (en) | Resource access method and apparatus, electronic device, and computer-readable storage medium | |
| CN116170131A (en) | Ciphertext processing method, device, storage medium and trusted execution device | |
| CN109412799B (en) | System and method for generating local key | |
| CN112054909A (en) | Radius authentication method based on RSA algorithm | |
| CN107786338B (en) | Shared Platform in Dynamic Password Verification | |
| CN107404476B (en) | Method and device for protecting data security in big data cloud environment | |
| CN115664861A (en) | Identity information verification method and device based on block chain, equipment and medium | |
| CN115021918A (en) | QR two-dimensional code data security encryption method and decryption method | |
| CN115277093A (en) | Tamper verification method, system and device thereof and electronic equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WD01 | Invention patent application deemed withdrawn after publication | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20201208 |