Network authentication method, method for client to request authentication, client, and device

US 8,800,001 B2
Filed: 04/03/2013
Issued: 08/05/2014
Est. Priority Date: 10/27/2008
Status: Active Grant

First Claim

Patent Images

1. A network authentication method, comprising:

receiving synchronize (SYN) data sent by a client, wherein the SYN data comprises a sequence number SEQ1 and a network parameter, and the network parameter comprises an Identification (ID) in the header of the SYN data;

sending synchronize acknowledge (SYN_ACK) data to the client in response to the SYN data, wherein the SYN_ACK data comprises an acknowledgment number ACK2, a value of ACK2 is the value obtained by carrying out a function transformation according to the network parameter of the SYN data, and the network parameter used in the function transformation comprises the ID in the header of the SYN data;

receiving RESET (RST) data sent by the client in response to the SYN_ACK data, wherein the RST data comprises a sequence number SEQ3 or an acknowledgment number ACK3, a value of SEQ3 or ACK3 is the same as that of ACK2, and the RST data further comprises a network parameter the same as that of the SYN data;

carrying out the function transformation according to the network parameter of the RST data to obtain a check value CHK; and

passing the authentication of the client if CHK matches the value of SEQ3 or ACK3.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network authentication method, a client and a device are provided. The method includes: receiving SYN data sent by a client, where the SYN data includes a sequence number SEQ1 and a network parameter comprising an ID in the header of the SYN data; sending SYN_ACK data to the client, where the SYN_ACK data includes an acknowledgment number ACK2 obtained by carrying out a function transformation according to the network parameter; receiving RST data sent by the client, where the RST data includes a sequence number SEQ3 or an acknowledgment number ACK3, and the RST data further includes a network parameter the same as that of the SYN data; carrying out the function transformation according to the network parameter of the RST data to obtain a check value CHK; and passing the authentication of the client if CHK matches SEQ3 or ACK3.

Citations

12 Claims

1. A network authentication method, comprising:
- receiving synchronize (SYN) data sent by a client, wherein the SYN data comprises a sequence number SEQ1 and a network parameter, and the network parameter comprises an Identification (ID) in the header of the SYN data;
  
  sending synchronize acknowledge (SYN_ACK) data to the client in response to the SYN data, wherein the SYN_ACK data comprises an acknowledgment number ACK2, a value of ACK2 is the value obtained by carrying out a function transformation according to the network parameter of the SYN data, and the network parameter used in the function transformation comprises the ID in the header of the SYN data;
  
  receiving RESET (RST) data sent by the client in response to the SYN_ACK data, wherein the RST data comprises a sequence number SEQ3 or an acknowledgment number ACK3, a value of SEQ3 or ACK3 is the same as that of ACK2, and the RST data further comprises a network parameter the same as that of the SYN data;
  
  carrying out the function transformation according to the network parameter of the RST data to obtain a check value CHK; and
  
  passing the authentication of the client if CHK matches the value of SEQ3 or ACK3.
- View Dependent Claims (2, 3, 4)
- - 2. The method according to claim 1, wherein the passing the authentication of the client if CHK matches the value of SEQ3 or ACK3 comprises:
    - passing the authentication of the client if a difference between CHK and SEQ3 or ACK3 is in a set range.
  - 3. The method according to claim 1, wherein the network parameter further comprises one or more of a Source Internet Protocol Address (SIP), a Source Port (SPORT), a Destination IP Address (DIP), a Destination Port (DPORT), a Protocol Type (Protocol), and a Time to Live (TTL) in an IP header of a data packet.
  - 4. The method according to claim 3, wherein the function transformation is constructed as
    FUNC (TTL, ID, SIP, SPORT, DIP, DPORT, PROTOCOL)=(x*TTL+y*ID+z*HASH (SIP, SPORT, DIP, DPORT, PROTOCOL)) Mod M, where x, y, z are three constant parameters;
    - Mod indicates modulus operation;
      
      M indicates modulus 65536;
      
      HASH indicates a hash function.

5. A network server including a non-transitory computer readable medium including computer-executable instructions for carrying out a network authentication device, the network authentication device comprising:
- a first receiving unit, configured to receive synchronize (SYN) data sent by a client, wherein the SYN data comprises a sequence number SEQ1 and a network parameter, and the network parameter comprises an Identification (ID) in the header of the SYN data;
  
  a sending unit, configured to send synchronize acknowledge (SYN_ACK) data to the client in response to the SYN data received by the first receiving unit, wherein the SYN_ACK data comprises an acknowledgment number ACK2, a value of ACK2 is the value obtained by carrying out a function transformation according to the network parameter of the SYN data, and the network parameter used in the function transformation comprises the ID in the header of the SYN data;
  
  a second receiving unit, configured to receive RESET (RST) data sent by the client in response to the SYN_ACK data sent by the sending unit, wherein the RST data comprises a sequence number SEQ3 or an acknowledgment number ACK3, and a value of ACK3 is the same as that of SEQ3 or ACK2, and the RST data further comprises a network parameter the same as that of the SYN data;
  
  a calculating unit, configured to carry out the function transformation according to the network parameter of the RST data received by the second receiving unit to obtain a check value CHK; and
  
  an authenticating unit, configured to pass the authentication of the client when CHK calculated by the calculating unit matches SEQ3 or ACK3 of the RST data.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The device according to claim 5, wherein the authenticating unit is configured to pass the authentication of the client when a difference between CHK calculated by the calculating unit and SEQ3 or ACK3 of the RST data is in a preset range.
  - 7. The device according to claim 5, wherein the network parameter further comprises one or more of a Source Internet Protocol Address (SIP), a Source Port (SPORT), a Destination IP Address (DIP), a Destination Port (DPORT), a Protocol Type (Protocol), and a Time to Live (TTL) in an IP header of a data packet.
  - 8. The device according to claim 7, wherein the function transformation is constructed as
    FUNC (TTL, ID, SIP, SPORT, DIP, DPORT, PROTOCOL)=(x*TTL+y*ID+z*HASH (SIP, SPORT, DIP, DPORT, PROTOCOL)) Mod M, where x, y, z are three constant parameters;
    - Mod indicates modulus operation;
      
      M indicates modulus 65536;
      
      HASH indicates a hash function.
  - 9. The device according to claim 7, wherein the network authentication device is a firewall.

10. A network client including a non-transitory computer readable medium including computer-executable instructions for carrying out a set of functional components, the functional components comprising:
- a sending unit, configured to send synchronize (SYN) data to a gateway, wherein the SYN data comprises a sequence number SEQ1 and a network parameter, and the network parameter comprises an Identification (ID) in the header of the SYN data;
  
  a receiving unit, configured to receive synchronize acknowledge (SYN_ACK) data sent by the gateway in response to the SYN data, wherein the SYN_ACK data comprises an acknowledgment number ACK2, a value of ACK2 is the value obtained by carrying out a function transformation according to the network parameter of the SYN data, and the network parameter used in the function transformation comprises the ID in the header of the SYN data; and
  
  a judging unit, configured to judge whether the value of ACK2 is the same as an expected value, and if the value of ACK2 is different from the expected value, send RESET (RST) data to the gateway in response to the SYN_ACK data, wherein the RST data comprises a sequence number SEQ3 or an acknowledgment number ACK3, a value of SEQ3 or ACK3 is the same as that of ACK2, and the RST data further comprises a network parameter the same as that of the SYN data; and
  
  instruct the gateway to authenticate the client according to the RST data and SEQ3 or ACK3.
- View Dependent Claims (11, 12)
- - 11. The network client according to claim 10, wherein the network parameter further comprises one or more of a Source Internet Protocol Address (SIP), a Source Port (SPORT), a Destination IP Address (DIP), a Destination Port (DPORT), a Protocol Type (Protocol), and a Time to Live (TTL) in an IP header of a data packet.
  - 12. The network client according to claim 11, wherein the function transformation is constructed as
    FUNC (TTL, ID, SIP, SPORT, DIP, DPORT, PROTOCOL)=(x*TTL+y*ID+z*HASH (SIP, SPORT, DIP, DPORT, PROTOCOL)) Mod M, where x, y, z are three constant parameters;
    - Mod indicates modulus operation;
      
      M indicates modulus 65536;
      
      HASH indicates a hash function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Jiang, Wu
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
VICTORIA, NARCISO F

Application Number

US13/856,141
Publication Number

US 20130219467A1
Time in Patent Office

489 Days
Field of Search

726/3
US Class Current

726/3
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/08   for authentication of entit...

H04L 63/1466   Active attacks involving in...

H04L 69/161   Implementation details of T...

H04L 69/163   In-band adaptation of TCP d...

Network authentication method, method for client to request authentication, client, and device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Network authentication method, method for client to request authentication, client, and device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links