METHOD FOR REALIZING NETWORK ACCESS AUTHENTICATION

US 20090019528A1
Filed: 12/08/2005
Published: 01/15/2009
Est. Priority Date: 02/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method for realizing network access authentication, wherein a network access authentication device pre-storing a system integrity value of a device waiting to access which is calculated by the device waiting to access itself, and a correspondence between each device waiting to access and its system integrity value, the method comprises the following steps:

a). the device waiting to access acquires its current system integrity value, and sends an authentication request including information containing the current system integrity value to the network access authentication device;

b). the network access authentication device judges whether the current system integrity value of the device waiting to access in the received authentication request and its stored system integrity value of the device waiting to access are identical or not, according to the received authentication request and the correspondence; and

, in a case where the received current system integrity value of the device waiting to access in the received authentication request and its stored system integrity value of the device waiting to access are identical, the network access authentication device determines that the network access is authenticated.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for realizing network access authentication, wherein a network access authentication device pre-storing a system integrity value of a device waiting to access and a correspondence between each device waiting to access and its system integrity value. When the device waiting to access needs to access the network, it acquires its current system integrity value, and sends the current system integrity value to the network access authentication device; the network access authentication device judges whether the received current system integrity value of the device waiting to access and its stored integrity value of the device waiting to access are identical or not, and in a case where the received current system integrity value of the device waiting to access and its stored integrity value of the device waiting to access are identical, it determines that the network access is authenticated. As such, the network access device could determine the real status of the device waiting to access, and ensure the device accessing to the network is really secure, thereby ensuring the security of the network.

52 Citations

View as Search Results

16 Claims

1. A method for realizing network access authentication, wherein a network access authentication device pre-storing a system integrity value of a device waiting to access which is calculated by the device waiting to access itself, and a correspondence between each device waiting to access and its system integrity value, the method comprises the following steps:
- a). the device waiting to access acquires its current system integrity value, and sends an authentication request including information containing the current system integrity value to the network access authentication device;
  
  b). the network access authentication device judges whether the current system integrity value of the device waiting to access in the received authentication request and its stored system integrity value of the device waiting to access are identical or not, according to the received authentication request and the correspondence; and
  
  , in a case where the received current system integrity value of the device waiting to access in the received authentication request and its stored system integrity value of the device waiting to access are identical, the network access authentication device determines that the network access is authenticated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method according to the claim 1, wherein the current system integrity value is a basic system integrity value;
    - the step a) of the device waiting to access acquiring its current system integrity value comprises;
      
      when the device waiting to access is initiated, its current basic system integrity value is calculated and stored in a secure storage unit;
      
      when it needs to access the network, the device waiting to access extracts the basic system integrity value directly from the secure storage unit as the current system integrity value.
  - 3. The method according to the claim 1, wherein the current system integrity value is a system integrity value calculated with a basic system integrity value and a module for network access;
    - the step a) of the device waiting to access acquiring its current system integrity value comprises;
      
      when the device waiting to access is initiated, its current basic system integrity value is calculated and stored in a secure storage unit;
      
      when it needs to access the network, the device waiting to access extracts the basic system integrity value directly from the secure storage unit, and performs integrity calculation with the module for network access in order to obtain the calculated value as its current system integrity value.
  - 4. The method according to the claim 3, wherein the module for network access comprises a driver module for link layer network, a software module for network layer and transport layer protocols and a software module for network access application.
  - 5. The method according to the claim 1, wherein the device waiting to access is a computer, and the process of calculating its basic system integrity value comprises the following steps:
    - i) when the computer is powered on, integrity values for system ROM, BIOS or EFI firmware codes and hardware configuration parameters are calculated and stored in a secure storage unit;
      
      ii) when BIOS or EFI is initiated, integrity values for all configured system parameters, main booting sector and system booting partition are calculated and stored in the secure storage unit;
      
      iii) before BIOS or EFI is loaded into booting OS (operating system), an integrity value for codes to be loaded into the OS is calculated and stored in the secure storage unit;
      
      iv) when the codes are loaded into the OS, integrity values for OS kernel, system initiation files, system configuration files and driver software are calculated and stored in the secure storage unit;
      
      v) when the OS is initiated, an integrity value for application software is calculated and stored in the secure storage unit;
      
      vi) the basic system integrity value is calculated based on all the integrity values obtained in step i) to step vi).
  - 6. The method according to the claim 5, wherein the configured system parameters comprise:
    - CPU microcode software, enable or disable status configuration of various system functions, various authentication passwords, disk configuration parameters, peripheral configuration parameters and security function configuration parameters.
  - 7. The method according to the claim 2, wherein the secure storage unit is a secure chip TPM, a hard disk with security-protecting function, a USB-key or a smart-card.
  - 8. The method according to the claim 1, wherein the step b) further comprises:
    - authenticating the creditability of the received information.
  - 9. The method according to the claim 8, wherein the device waiting to access pre-generates public/private keys, and the public/private keys are signed by a trusted third party;
    - before the device waiting to access sends the authentication request, the step a) comprises;
      
      the current system integrity value is signed with the private key;
      
      wherein information in the authentication request is the current system integrity value in plaintext, and the authentication request further comprises a signature for the current system integrity value and the public key;
      
      the authentication to the creditability of the received information comprises;
      
      the network access authentication device authenticates whether the received signature is correct by using the received public key; and
      
      if so, judges that the received information is creditable;
      
      otherwise, judges that the received information is not creditable.
  - 10. The method according to the claim 8, wherein the device waiting to access pre-generates public/private keys and the public/private keys are signed by a trusted third party, wherein the public key is pre-stored in the network access authentication device;
    - before the device waiting to access sends the authentication request, the step a) further comprises;
      
      the current system integrity value is signed with the private key;
      
      wherein information in the authentication request is the current system integrity value in plaintext, and the authentication request further comprises a signature for the current system integrity value;
      
      the authentication to the creditability of the received information comprises;
      
      the network access authentication device authenticates whether the received signature is correct by using the pre-stored public key; and
      
      if so, judges that the received information is creditable;
      
      otherwise, judges that the received information is not creditable.
  - 11. The method according to the claim 8, wherein the device waiting to access pre-generates public/private keys and the public/private keys are not signed by a trusted third party;
    - before the device waiting to access sends the authentication request, the step a) further comprises;
      
      the current system integrity value is signed with the private key;
      
      wherein information in the authentication request is the current system integrity value in plaintext, and the authentication request further comprises a signature for the current system integrity value, an anonymous identity certificate and the public key;
      
      the authentication to the creditability of the received information comprises;
      
      after the network access authentication device authenticates that the identity of the sender is legal with the received anonymous identity certificate, the network access authentication device authenticates whether the signature is correct with the received public key; and
      
      if so, judges that the received information is creditable;
      
      otherwise, judges that the received information is not creditable.
  - 12. The method according to the claim 8, wherein the device waiting to access and the network access authentication device pre-store a symmetric key;
    - before the device waiting to access sends the authentication request, the step a) further comprises;
      
      the current system integrity value is encrypted with the symmetrical key;
      
      wherein information in the authentication request is the symmetrical-key-encrypted current system integrity value;
      
      the authentication to the creditability of the received information comprises;
      
      the network access authentication device decrypts the received information with its stored symmetric key; and
      
      judges that the received information is creditable in case of successful decryption, whereas judges that the received information is not creditable in case of unsuccessful decryption.
  - 13. The method according to the claim 1, wherein the method further comprises:
    - a system integrity value of the network access authentication device is pre-stored in the device waiting to access;
      
      after the device waiting to access acquires the current system integrity value of the network access authentication device and authenticates that the acquired current system integrity value of the network access authentication device and the stored system integrity value of the network access authentication device are identical, the step a) is performed then.
  - 14. The method according to the claim 1, wherein the network access authentication device consists of one server, or a firewall, a switch or a router together with an authentication server.
  - 15. The method according to the claim 1, wherein the method further comprises:
    - in a case where the current system integrity value of the device waiting to access in the received authentication request and the stored system integrity value of the device waiting to access are not identical, the network access authentication device sends to the device waiting to access an alarm prompt indicating that the device waiting to access is not secure.
  - 16. The method according to the claim 1, whereinwhen the information interacting between the network access authentication device and the device waiting to access is carried via an SSL protocol or a TLS protocol, after the device waiting to access in the step a) receives a ServerHello message from a server, the information containing the integrity value is sent to the network access authentication device with a handshake protocol;
    - or the information containing the integrity value is included in a ClientHello message sent by the device waiting to access in the step a);
      
      when the information interacting between the network access authentication device and the device waiting to access is carried via the IPv6 protocol or the IKE protocol in IPSec, the device waiting to access in the step a) sends the information containing the integrity value to the network access authentication device with a handshake protocol when sending HDR, SA.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lenovo (Beijing) Limited (Lenovo Group Ltd.)
Original Assignee
Lenovo (Beijing) Limited (Lenovo Group Ltd.)
Inventors
Chen, Jun, Wei, Wei, Qu, Yadong

Granted Patent

US 8,037,306 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 2209/42   Anonymization, e.g. involvi...

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/1475   Passive attacks, e.g. eaves...

H04L 9/3247   involving digital signatures

H04L 9/3271   using challenge-response

METHOD FOR REALIZING NETWORK ACCESS AUTHENTICATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

METHOD FOR REALIZING NETWORK ACCESS AUTHENTICATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others