The basic function of a network is to provide various types of terminals with network services. Although a terminal may be physically connected to a network, a terminal connected to the network is not always an authorized, legal terminal, and the network to which the terminal has connected is not always the network it intended to use. Thus, before the terminal communicates with the network, the terminal and the network need authentication and authorization functions to mutually verify the legality of the peer party, i.e. bidirectional access control between the terminal and the network is required, so as to ensure the security of the communication.
FIG. 1 is a diagram illustrating bidirectional access control between a terminal and a network. A terminal 1 accesses a network 4 via an access controller 3, and before the terminal 1 begins to use the resources of the network 4, it is required to complete access control 2 between the terminal 1 and the access controller 3, i.e.:
1. The access controller checks whether the terminal 1 has the right of accessing the network 4, i.e. authenticates the terminal 1; and
2. The terminal 1 checks whether the access controller 3 is a legal device to avoid data being intercepted, i.e. authenticates the network 4.
In the authentication, it is required to use the concepts of entity and unit. Specifically, an entity refers to a functional body which accomplishes a particular function in the network structure and can exist independently, and is typically implemented as an independent device; and a unit refers to a functional body which has an authentication function in the network access authentication. In the network, an entity is a unit if it has the authentication function, and is not a unit if it does not.
Depending on the number of entities which participate in the authentication, there are two types of network structure for implementing the bidirectional authentication between the terminal and the network. RFC 3748, Extensible Authentication Protocol (EAP), describes them as follows:
The network structure of the first type is the double-unit double-entity structure as shown in FIG. 2, which includes a terminal and an access controller, where the terminal corresponds to the first entity and the access controller corresponds to the second entity. Specifically, the terminal, corresponding to the first unit, has an authentication credential, an authentication function, and a function for controlling whether to access the network; and the access controller, corresponding to the second unit, has an authentication credential, an authentication function, and a function for controlling the access of the terminal according to the result of the authentication. In this network structure, the terminal and the access controller both have authentication functions, thus supporting bidirectional authentication.
However, there is no authentication server in the double-unit double-entity structure, which leads to significantly limited flexibility. In addition, there are typically a large number of terminals, and if there is also a large number of access controllers, the relationship between the terminals and the access controllers may be many-to-many, and the management may be very difficult. Therefore, the structure of this type is typically used in the case that there is a limited number of access controllers, and the implementation is very limited.
The network structure of the second type is the double-unit triple-entity structure as shown in FIG. 3, which includes a terminal, an access controller and a server, respectively corresponding to the first entity, the second entity and the third entity. Specifically, the terminal, corresponding to the first unit, has an authentication credential, an authentication function, and a function for controlling whether to access the network; the access controller has a function for controlling the access of the terminal according to the result of the authentication, and has no authentication function; and the server, corresponding to the second unit, has an authentication credential and an authentication function. The double-unit triple-entity structure is also called the Pass-through mode. In this network structure, the terminal and the server both have authentication functions, but the access controller has no authentication function; thus the structure of this type supports bidirectional authentication by using the second entity (the access controller) as an intermediary that passes the authentication through to the third entity (the server).
In the double-unit triple-entity structure, the access controller is virtual. The authentication is carried out only between the terminal and the server, and the many-to-many relationship between multiple terminals and multiple access controllers evolves into a many-to-one relationship between multiple terminals and a server, i.e. a trust relationship A is established between the terminal and the server. But finally, a trust relationship B has to be established between the terminal and the access controller, so a transfer of trust, i.e. from the trust relationship A to the trust relationship B, must be carried out securely. The transfer of the trust relationships is completed by sending a key from the server to the access controller. However, if the key leaks, the security of the network may be significantly affected. Therefore, in order to avoid this problem, a trust relationship C and a secure channel have to be established between the access controller and the server. Upon reception of the key by the access controller, the terminal and the access controller then have to confirm the trust relationship B. Hence, the trust relationship must be relayed three times to complete the establishment of trust between the terminal and the access controller. However, relaying the trust relationship multiple times not only leads to complicated authentication but also affects the security of the network, and should therefore be avoided.
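The three relays described above (A: terminal and server authenticate each other and derive a key; C: the server delivers that key to the access controller over a protected channel; B: the terminal and access controller confirm that they hold the same key) can be made concrete with a small simulation. The following Python code is an added example written for this page, not code from the patent or from any EAP implementation; it assumes HMAC-SHA256 challenge-response in place of a real EAP method, a pre-shared key between server and access controller in place of a real RADIUS or TLS channel, and a simplified HMAC-based key wrap in place of a standard key-transport attribute. All credentials and nonces are constructed test values. The function run_pass_through reports which of the three relays succeeded, and the tamper_transfer flag shows how the protected channel C rejects a modified key so that relay B never proceeds with a wrong key.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over labelled, concatenated parts (stand-in for an EAP method's PRF)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


# --- Trust relationship A: terminal <-> server mutual challenge-response ---

def terminal_respond(terminal_cred: bytes, nonce_s: bytes):
    """Terminal answers the server's challenge and adds its own nonce."""
    nonce_t = secrets.token_bytes(16)
    return nonce_t, prf(terminal_cred, b"T", nonce_s, nonce_t)


def server_verify_and_respond(server_cred: bytes, nonce_s: bytes, nonce_t: bytes, proof_t: bytes):
    """Server authenticates the terminal; on success returns its own proof and the session key."""
    if not hmac.compare_digest(proof_t, prf(server_cred, b"T", nonce_s, nonce_t)):
        return None  # terminal is not an authorized terminal
    proof_s = prf(server_cred, b"S", nonce_t, nonce_s)
    return proof_s, prf(server_cred, b"key", nonce_s, nonce_t)


def terminal_verify(terminal_cred: bytes, nonce_s: bytes, nonce_t: bytes, proof_s: bytes):
    """Terminal authenticates the network side; on success derives the same session key."""
    if not hmac.compare_digest(proof_s, prf(terminal_cred, b"S", nonce_t, nonce_s)):
        return None  # server (network) is not legitimate
    return prf(terminal_cred, b"key", nonce_s, nonce_t)


# --- Trust relationship C: server -> access controller key transfer ---

def wrap_key(ac_psk: bytes, session_key: bytes):
    """Simplified wrap (assumption: XOR with an HMAC keystream plus an HMAC tag)."""
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(session_key, prf(ac_psk, b"enc", iv)))
    return iv, ct, prf(ac_psk, b"mac", iv, ct)


def unwrap_key(ac_psk: bytes, iv: bytes, ct: bytes, tag: bytes):
    """Access controller checks the tag first; a bad tag means the key is discarded."""
    if not hmac.compare_digest(tag, prf(ac_psk, b"mac", iv, ct)):
        return None  # tampered in transit or sent by an unknown server
    return bytes(a ^ b for a, b in zip(ct, prf(ac_psk, b"enc", iv)))


# --- Trust relationship B: terminal <-> access controller key confirmation ---

def confirm(key_terminal: bytes, key_ac: bytes) -> bool:
    """Two-message key confirmation: each side proves possession of the same key."""
    nonce_a = secrets.token_bytes(16)
    proof_t = prf(key_terminal, b"confirm-T", nonce_a)
    if not hmac.compare_digest(proof_t, prf(key_ac, b"confirm-T", nonce_a)):
        return False
    proof_ac = prf(key_ac, b"confirm-AC", nonce_a)
    return hmac.compare_digest(proof_ac, prf(key_terminal, b"confirm-AC", nonce_a))


def run_pass_through(terminal_cred: bytes, server_cred: bytes, ac_psk: bytes,
                     tamper_transfer: bool = False) -> dict:
    """Runs relays A, C and B in order and reports which succeeded."""
    nonce_s = secrets.token_bytes(16)                       # server challenge
    nonce_t, proof_t = terminal_respond(terminal_cred, nonce_s)
    server_result = server_verify_and_respond(server_cred, nonce_s, nonce_t, proof_t)
    if server_result is None:
        return {"A": False, "C": False, "B": False}
    proof_s, key_server = server_result
    key_terminal = terminal_verify(terminal_cred, nonce_s, nonce_t, proof_s)
    if key_terminal is None:
        return {"A": False, "C": False, "B": False}
    iv, ct, tag = wrap_key(ac_psk, key_server)
    if tamper_transfer:
        ct = bytes([ct[0] ^ 0x01]) + ct[1:]                 # constructed in-transit modification
    key_ac = unwrap_key(ac_psk, iv, ct, tag)
    if key_ac is None:
        return {"A": True, "C": False, "B": False}
    return {"A": True, "C": True, "B": confirm(key_terminal, key_ac)}


if __name__ == "__main__":
    cred, psk = secrets.token_bytes(32), secrets.token_bytes(32)
    print(run_pass_through(cred, cred, psk))                        # all three relays succeed
    print(run_pass_through(cred, secrets.token_bytes(32), psk))     # relay A fails
    print(run_pass_through(cred, cred, psk, tamper_transfer=True))  # relay C fails
```

The point the simulation makes is the one the text makes: trust between terminal and access controller is never established directly, it is assembled from three separate steps, and each step has its own key material and its own failure mode that the next step depends on.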