Distributed Authentication System Based On Diameter Protocol

Posted on: 2012-01-31
Degree: Master
Type: Thesis
Country: China
Candidate: N Su
GTID: 2178330332999266
Subject: Computer software and theory
Abstract/Summary:
Diameter is a scalable AAA (Authentication, Authorization and Accounting) protocol designed by the IETF working group to replace the RADIUS protocol in the future. Compared with RADIUS, Diameter places more emphasis on flexible extension, advanced routing algorithms, dynamic error recovery and the security features of the transport layer.

Diameter uses the EAP protocol to implement authentication; the methods include EAP-MD5, EAP-AKA and EAP-TLS. Of the EAP methods used for Diameter authentication, EAP-TLS is the most popular. In EAP-TLS, a traditional certificate system stores the relationship between entities and public keys for later use. The binding between a public key and an entity's identity is established by a public key certificate issued by the certificate authority (CA). In practice, public key cryptosystems mainly use public key infrastructure (PKI) to verify the binding between a public key and the related entity. Deploying PKI and managing public keys increases the complexity of the authentication system.

While a service request is being handled, long waits or service timeouts degrade the user experience and can even result in the loss of users. Therefore, when providing Diameter services, servers should handle as many requests as possible while ensuring highly reliable processing. As the number of users accessing the network increases and the network expands, the data to be processed and the capacity of the systems differ more and more. Deploying distributed systems that process large amounts of data in parallel has become the mainstream solution at present, and the load allocation algorithm is a difficult point in their design.

In the EAP protocol, the peers must go through several rounds of message exchange to complete authentication, certificate exchange and key agreement. These features mean that common load balancing algorithms cannot be used in a distributed authentication system based on Diameter, because they cannot maintain session consistency; when the network structure changes, a large number of sessions migrate, leaving nodes overloaded or lightly loaded, which reduces the network's scalability.

After extensive reading of papers and literature on the Diameter protocol, and in-depth study and comparison with the RADIUS protocol, this work focuses on researching and analysing the improved parts of the Diameter-based peer-to-peer structure, and implements a distributed authentication system based on the Diameter protocol using identity-based authentication.

An identity-based authentication method is implemented within the EAP framework. Through the establishment of PKGs, users can communicate using a public key that is a public identity (for example, an email address) for each authentication, which effectively avoids the complex certificate management of certificate-based authentication schemes. This method also reduces the number of steps in the authentication process. Because the user's private key is issued by a number of PKGs, a single PKG alone cannot forge signatures, so the scheme can be used in open systems.

For the multi-round interaction of the EAP protocol, a message-based load balancing algorithm is proposed. It not only balances load across the Diameter service nodes, but also keeps a session on the same node and reduces session migration when the structure of the network changes. In a Diameter network environment, the experimental results show that, compared with other commonly used load balancing algorithms, MOLB has a smaller load balancing degree, a smaller session destruction degree and a lower session destruction distribution degree.

Finally, the above algorithms and strategies are implemented on top of freeDiameter.
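
The session-migration problem described in the abstract can be measured with a small added example; this is not the thesis's MOLB algorithm or freeDiameter code. It compares plain modulo hashing with rendezvous hashing (a stand-in technique chosen here) on the Diameter Session-Id, assuming per-session EAP state is held only on the serving node; all server names and Session-Id values are constructed.

```python
import hashlib

def _h64(text: str) -> int:
    """First 64 bits of SHA-256, used as a hash that is stable across runs."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest()[:8], "big")

def modulo_pick(session_id: str, nodes: list[str]) -> str:
    """Common approach: hash(Session-Id) mod N. Sticky only while N is fixed."""
    return nodes[_h64(session_id) % len(nodes)]

def rendezvous_pick(session_id: str, nodes: list[str]) -> str:
    """Rendezvous hashing: the node with the highest per-session score wins."""
    return max(nodes, key=lambda node: _h64(f"{node}|{session_id}"))

def moved_sessions(pick, sessions, before, after):
    """Sessions whose serving node changes when the node list changes.

    Under the stated assumption, each one is a multi-round EAP exchange
    that would continue on a server holding no state for it.
    """
    return [s for s in sessions if pick(s, before) != pick(s, after)]

# Constructed sample data: Session-Id values and server names are made up.
SESSIONS = [f"nas.example.net;1;{i}" for i in range(2000)]
BEFORE = [f"aaa{i}.example.net" for i in range(1, 5)]
AFTER = BEFORE + ["aaa5.example.net"]  # one server joins the cluster

def migration_ratio(pick) -> float:
    """Fraction of in-flight sessions re-routed by the topology change."""
    return len(moved_sessions(pick, SESSIONS, BEFORE, AFTER)) / len(SESSIONS)

if __name__ == "__main__":
    for name, pick in (("modulo", modulo_pick), ("rendezvous", rendezvous_pick)):
        print(f"{name:10s} sessions migrated: {migration_ratio(pick):.1%}")
```

Both functions keep every message of one session on one server while the node list is unchanged; they differ in how many sessions are re-routed when a server joins.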
Keywords/Search Tags: Diameter protocol, load balancing, authentication, identity-based