CN101742507B - System and method for accessing Web application site for WAPI terminal - Google Patents


Info

Publication number: CN101742507B
Authority: CN (China)
Prior art keywords: ticket, web application, application site, authentication, wapi terminal
Legal status: Active
Application number: CN200910247063A
Other languages: Chinese (zh)
Other versions: CN101742507A (en)
Inventor: 康望星
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp
Events: application filed by ZTE Corp; priority to CN200910247063A; priority to PCT/CN2010/072773 (WO2010148815A1); publication of CN101742507A; application granted; publication of CN101742507B; legal status Active; anticipated expiration.


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos


Abstract

The invention provides a system and a method for a WAPI terminal to access a Web application site. When the WAPI terminal accesses a wireless fidelity (WiFi) network, an authentication server entity generates an authentication credential (ticket) for the WAPI terminal; when the WAPI terminal accesses the Web application site it carries the ticket; the Web application site requests the authentication server entity to verify the ticket; the authentication server entity completes verification of the ticket and returns the result to the Web application site; if verification passes, the WAPI terminal is allowed to access the Web application site. The invention enables an operator, using a unified authentication service system, to perform unified authentication of WAPI terminals that use Web application sites deployed by the operator, reduces the number of times an end user must log in to the various Web application sites, and improves both the security of the user's use of Web application sites and the user experience.

Description

System and method for a WAPI terminal to access a Web application site
Technical field
The present invention relates to wireless local area network technology, and specifically to a system and method for a WAPI (WLAN Authentication and Privacy Infrastructure) terminal to access a Web application site.
Background technology
Single sign-on (SSO) means that, across multiple application systems, the user needs to log in only once to access all mutually trusting application systems. It includes a mechanism that maps the current primary login to the logins used for the same user in the other applications.
When the user accesses application system 1 for the first time, the user has not yet logged in and is redirected to the authentication system to log in. The authentication system checks the user's identity against the login information the user provides and, if the check passes, returns an authentication credential, the ticket, to the user. When the user then visits another application, the ticket is carried as the credential of the user's own authentication; on receiving the request, the application system sends the ticket to the authentication system for verification, which checks the legitimacy of the ticket. If verification passes, the user can access application system 2 and application system 3 without logging in again.
WAPI (WLAN Authentication and Privacy Infrastructure) is a wireless security standard proposed by China on the basis of the 802.11 wireless protocol. The WAPI protocol comprises two parts: WAI (WLAN Authentication Infrastructure) and WPI (WLAN Privacy Infrastructure). WAI is the security scheme for WLAN identity authentication and key management. WPI is the security scheme for protecting WLAN data transmission and includes functions such as data encryption, data authentication and replay protection.
A typical WAPI system mainly comprises an authenticator entity (AE), an authentication supplicant entity (ASUE) and an authentication server entity (ASE, Authentication Service Entity). The authentication supplicant entity is the entity that requests the authentication operation before accessing the service; it resides in the STA (wireless client) and can be understood as the terminal. The authenticator entity provides the authentication operation to the authentication supplicant entity before access to the service, and generally resides in the AP (access point) or in the STA. The authentication server entity provides the mutual authentication service to the authenticator entity and the authentication supplicant entity.
When accessing the WAPI network, the WAPI terminal must pass authentication by the authentication server entity. If it then accesses a Web application site after joining the WAPI network, it must log in again, and to achieve single sign-on it must additionally be redirected to the authentication system to log in. In a network environment where WLAN and 3G networks converge, operators' requirements for unified authentication control of end users' subscribed services grow by the day; continuing to use the existing single sign-on technique would greatly increase the complexity of a WAPI terminal accessing Web pages and achieving single sign-on, and would reduce user experience. The prior art can cope neither with the trend of WLAN and 3G network convergence nor with operators' requirements for unified authentication control of end users' subscribed services in a converged network.
Summary of the invention
The technical problem to be solved by the present invention is to provide a system and method for a WAPI terminal to access a Web application site, solving the prior-art problem that the WAPI terminal must log in again each time it accesses a Web application site.
In order to solve the above problem, the invention provides a method for a WAPI terminal to access a Web application site, comprising:
When the WAPI terminal accesses a WiFi (Wireless Fidelity) network, the authentication server entity generates a ticket (authentication credential) for the WAPI terminal; when the WAPI terminal accesses a Web application site, it carries the ticket; the Web application site requests the authentication server entity to authenticate the ticket; the authentication server entity completes authentication of the ticket and returns the authentication result to the Web application site; if authentication passes, the WAPI terminal is allowed to access the Web application site.
Further, the authentication server entity generating a ticket for the WAPI terminal when the WAPI terminal accesses the WiFi network means: if the WAPI terminal has passed authentication by the authentication server entity, the authentication server entity generates a ticket for the WAPI terminal and carries the ticket in the certificate authentication response packet sent to the authenticator entity; the authenticator entity carries the ticket in the access authentication response packet sent to the WAPI terminal, and the WAPI terminal saves the ticket.
Further, after receiving the authentication request sent by the Web application site, the authentication server entity first verifies whether the ticket was generated by this authentication server entity; if so, it further judges whether a user certificate corresponding to the ticket is stored locally; if one exists, the ticket passes verification. If the ticket was not issued by this authentication server entity, or no user certificate corresponding to the ticket is stored locally, the ticket fails verification and the authentication server entity returns an authentication failure response to the Web application site.
Further, if the ticket passes verification, the authentication server entity looks up the locally stored correspondence between WAPI user certificates and user IMSIs (international mobile subscriber identities) to learn the user's IMSI from the user's WAPI certificate, and obtains the user's subscribed Web service list from the home location register according to the IMSI. If the Web service list includes the Web application site requesting user identity authentication, the user is authorized to access that Web application site and the authentication server entity returns a user identity authentication success response to the Web application site; if the Web service list does not include the Web application site requesting user identity authentication, the authentication server entity returns a user identity authentication failure response to the Web application site.
The present invention also provides a system for a WAPI terminal to access a Web application site, comprising a WAPI terminal, an authentication server entity and a Web application site, wherein:
the authentication server entity is configured to generate a ticket (authentication credential) for the WAPI terminal when the WAPI terminal accesses a WiFi (Wireless Fidelity) network, to complete authentication of the WAPI terminal's ticket after receiving an authentication request sent by the Web application site, and to return the authentication result to the Web application site;
the WAPI terminal is configured to carry the ticket when accessing the Web application site;
the Web application site is configured, when accessed by the WAPI terminal, to request the authentication server entity to authenticate the ticket, and to allow the WAPI terminal to access the Web application site after authentication passes.
Further, the system also comprises an authenticator entity;
the authentication server entity comprises an authentication service module and a single sign-on access service module;
the authentication service module is configured to authenticate the WAPI terminal when the WAPI terminal accesses the WiFi network, to notify the single sign-on access service module when authentication passes, and to carry the ticket generated by the single sign-on access service module for the WAPI terminal in the certificate authentication response packet sent to the authenticator entity;
the single sign-on access service module is configured to generate a ticket for the WAPI terminal after the WAPI terminal has passed authentication, and to send the generated ticket to the authentication service module;
the authenticator entity is configured to carry the ticket in the access authentication response packet sent to the WAPI terminal.
Further, the single sign-on access service module is also configured, after receiving the authentication request sent by the Web application site, to first verify whether the ticket was generated by this authentication server entity; if so, to further judge whether a user certificate corresponding to the ticket is stored locally; if one exists, the ticket passes verification. If the ticket was not issued by this authentication server entity, or no user certificate corresponding to the ticket is stored locally, the ticket fails verification and an authentication failure response is returned to the Web application site.
Further, the single sign-on access service module is also configured, after the ticket passes verification, to look up the locally stored correspondence between WAPI user certificates and user IMSIs (international mobile subscriber identities) to learn the user's IMSI from the user's WAPI certificate, and to obtain the user's subscribed Web service list from the home location register according to the IMSI; if the Web service list includes the Web application site requesting user identity authentication, it returns a user identity authentication success response to the Web application site, and if the Web service list does not include the Web application site requesting user identity authentication, it returns a user identity authentication failure response to the Web application site.
In summary, the present invention provides a system and method for a WAPI terminal to access a Web application site. It enables an operator, through a unified authentication service system, to perform unified authentication of WAPI terminals that use Web application sites deployed by the operator; it reduces the number of times the end user logs in to the various Web application sites, and improves the security and user experience of the user's use of Web application sites.
Description of drawings
Fig. 1 is a structural diagram of the ASE system;
Fig. 2 is an interaction flow diagram of a WAPI terminal accessing a Web application site according to the present invention.
Embodiment
The present embodiment provides a system for a WAPI terminal to access a Web application site. As shown in Figure 1, the system comprises a WAPI terminal, an authentication server entity and a Web application site; the authentication server entity comprises an authentication service module and a single sign-on access service module.
The authentication server entity is configured to generate a ticket (authentication credential) for the WAPI terminal when the WAPI terminal accesses a WiFi (Wireless Fidelity) network, to complete authentication of the WAPI terminal's ticket after receiving an authentication request sent by the Web application site, and to return the authentication result to the Web application site.
The WAPI terminal is configured to carry the ticket when accessing the Web application site.
The Web application site is configured, when accessed by the WAPI terminal, to request the authentication server entity to authenticate the ticket, and to allow the WAPI terminal to access the Web application site after authentication passes.
The authentication service module is configured to authenticate the WAPI terminal when the WAPI terminal accesses the WiFi network, to notify the single sign-on access service module when authentication passes, and to carry the ticket generated by the single sign-on access service module for the WAPI terminal in the certificate authentication response packet sent to the authenticator entity.
The single sign-on access service module is configured to generate a ticket for the WAPI terminal after the WAPI terminal has passed authentication, and to send the generated ticket to the authentication service module.
The authenticator entity is configured to carry the ticket in the access authentication response packet sent to the WAPI terminal.
The single sign-on access service module is also configured, after receiving the authentication request sent by the Web application site, to first verify whether the ticket was generated by this authentication server entity; if so, to further judge whether a user certificate corresponding to the ticket is stored locally; if one exists, the ticket passes verification. If the ticket was not issued by this authentication server entity, or no user certificate corresponding to the ticket is stored locally, the ticket fails verification and an authentication failure response is returned to the Web application site.
The single sign-on access service module is also configured, after the ticket passes verification, to look up the locally stored correspondence between WAPI user certificates and user IMSIs (International Mobile Subscriber Identity) to learn the user's IMSI from the user's WAPI certificate, and to obtain the user's subscribed Web service list from the HLR (Home Location Register) according to the IMSI; if the Web service list includes the Web application site requesting user identity authentication, it returns a user identity authentication success response to the Web application site, and if the Web service list does not include the Web application site requesting user identity authentication, it returns a user identity authentication failure response to the Web application site.
The present embodiment provides a method for a WAPI terminal to access a Web application site. The specific flow is shown in Figure 2 and comprises the following steps:
Step 201: In the flow of the WAPI terminal accessing the WiFi network, after the ASE has authenticated the certificates of the AE and the ASUE, it sends a certificate authentication response packet to the AE. If the ASUE (i.e. this WAPI terminal) has passed authentication by the ASE, the ASE generates a ticket for this WAPI terminal and sends it to the AE together with the certificate authentication response packet. The AE attaches the ticket to the access authentication response packet and sends it to the ASUE, i.e. the WAPI terminal. The WAPI terminal saves the ticket obtained on accessing WiFi until it disconnects from the WiFi network.
Step 202: When accessing the Web application site, the WAPI terminal carries the ticket in the access request.
Step 203: After parsing the access request, the Web application site finds that the request carries a ticket, and sends an authentication request carrying the ticket to the ASE, requesting the ASE to verify the ticket.
Step 204: After receiving the authentication request sent by the Web application site, the ASE first verifies the ticket.
Specifically, the ASE first checks whether the ticket is legitimate, i.e. judges whether the ticket was generated by this ASE, and then looks up, according to the ticket, whether a user certificate corresponding to the ticket exists locally. If these two conditions cannot both be satisfied, it returns an authentication failure response to the Web application site; if they are satisfied, the ticket passes verification and step 205 is executed.
Step 205: The ASE looks up the locally stored correspondence between WAPI user certificates and user IMSIs to learn the user's IMSI from the user's WAPI certificate.
Step 206: The ASE initiates a request to the HLR of the core network, carrying the user's IMSI, to obtain the Web services the user has subscribed to.
Step 207: The HLR returns the user's subscribed Web service list to the ASE.
Step 208: The ASE judges, according to the Web service list returned by the HLR, whether the user is authorized to access this Web application site: if the Web service list includes the Web application site requesting user identity authentication, the user is authorized to access this Web application site; otherwise the user is not authorized to access it.
Step 209: If the user is authorized to access this Web application site, the ASE returns a user identity authentication success response to the Web application site; if the user is not authorized, the ASE returns an authentication failure response to the Web application site.
Step 210: If the Web application site receives an authentication success response, the WAPI terminal can access this Web application site directly; if the Web application site receives an authentication failure response, the end user must log in again before accessing this Web application site.
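The ASE behaviour of step 201 and steps 204 through 209 (and the same logic summarised in the system description above), modelled as an added Python example that is not code from the patent or from ZTE. The ticket format (a random identifier bound to the issuing ASE by an HMAC under an ASE-local secret), the in-memory certificate-to-IMSI table and the HLR stub are assumptions of this example.

```python
# Added example, not code from the patent or from ZTE: a minimal model of the
# authentication server entity (ASE). Ticket format, certificate/IMSI table
# and the HLR stub are assumptions made here for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

AUTH_SUCCESS = "AUTH_SUCCESS"
AUTH_FAILURE = "AUTH_FAILURE"


@dataclass(frozen=True)
class Ticket:
    """Authentication credential handed to the WAPI terminal (assumed format)."""
    ticket_id: str  # random identifier chosen by the ASE
    mac: str        # HMAC-SHA256 over ticket_id under the ASE's secret key


class HomeLocationRegister:
    """Constructed stand-in for the core-network HLR: IMSI -> subscribed Web services."""

    def __init__(self, subscriptions):
        self._subscriptions = dict(subscriptions)

    def subscribed_web_services(self, imsi):
        # Steps 206-207: the HLR answers with the user's subscribed Web service list.
        return list(self._subscriptions.get(imsi, []))


class AuthenticationServerEntity:
    """Minimal ASE: issues tickets after WAPI authentication and verifies them for Web sites."""

    def __init__(self, hlr, cert_to_imsi):
        self._key = secrets.token_bytes(32)        # per-ASE secret, never leaves the ASE
        self._tickets = {}                          # ticket_id -> WAPI user certificate
        self._cert_to_imsi = dict(cert_to_imsi)     # locally stored certificate/IMSI mapping
        self._hlr = hlr

    def _mac(self, ticket_id):
        return hmac.new(self._key, ticket_id.encode(), hashlib.sha256).hexdigest()

    def issue_ticket(self, wapi_user_cert):
        # Step 201: called only after the ASUE's certificate has been authenticated.
        ticket_id = secrets.token_hex(16)
        self._tickets[ticket_id] = wapi_user_cert
        return Ticket(ticket_id, self._mac(ticket_id))

    def revoke_ticket(self, ticket):
        # The terminal keeps the ticket until it leaves the WiFi network; dropping the
        # server-side record at that point means a stale ticket no longer verifies.
        self._tickets.pop(ticket.ticket_id, None)

    def _verify_ticket(self, ticket):
        # Step 204, first condition: was the ticket generated by this ASE?
        if not hmac.compare_digest(self._mac(ticket.ticket_id), ticket.mac):
            return None
        # Step 204, second condition: is a user certificate stored locally for it?
        return self._tickets.get(ticket.ticket_id)

    def authenticate(self, ticket, web_site):
        cert = self._verify_ticket(ticket)
        if cert is None:
            return AUTH_FAILURE
        imsi = self._cert_to_imsi.get(cert)                  # step 205
        if imsi is None:
            return AUTH_FAILURE
        services = self._hlr.subscribed_web_services(imsi)   # steps 206-207
        # Steps 208-209: authorized only if the requesting site is in the list.
        return AUTH_SUCCESS if web_site in services else AUTH_FAILURE


def web_site_access(ase, site_name, request):
    """Steps 203 and 210 on the Web application site: 'granted' or 'login_required'."""
    ticket = request.get("ticket")
    if ticket is None:
        return "login_required"
    if ase.authenticate(ticket, site_name) == AUTH_SUCCESS:
        return "granted"
    return "login_required"
```

A ticket forged with a wrong MAC, a ticket whose record was dropped on WiFi disconnect, and a valid ticket for a site outside the user's subscribed list all end in the failure branch, which is the behaviour steps 204 and 208 prescribe.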

Claims (6)

1. A method for a WAPI terminal to access a Web application site, comprising:
when the WAPI terminal accesses a WiFi (Wireless Fidelity) network, an authentication server entity generates a ticket (authentication credential) for the WAPI terminal; when the WAPI terminal accesses the Web application site, it carries the ticket; the Web application site requests the authentication server entity to authenticate the ticket; the authentication server entity completes authentication of the ticket and returns the authentication result to the Web application site; if authentication passes, the WAPI terminal is allowed to access the Web application site;
wherein the authentication server entity generating a ticket for the WAPI terminal when the WAPI terminal accesses the WiFi network means: if the WAPI terminal has passed authentication by the authentication server entity, the authentication server entity generates a ticket for the WAPI terminal and carries the ticket in the certificate authentication response packet sent to an authenticator entity; the authenticator entity carries the ticket in the access authentication response packet sent to the WAPI terminal, and the WAPI terminal saves the ticket.
2. The method of claim 1, characterized in that:
after receiving the authentication request sent by the Web application site, the authentication server entity first verifies whether the ticket was generated by this authentication server entity; if so, it further judges whether a user certificate corresponding to the ticket is stored locally; if one exists, the ticket passes verification; if the ticket was not issued by this authentication server entity, or no user certificate corresponding to the ticket is stored locally, the ticket fails verification and the authentication server entity returns an authentication failure response to the Web application site.
3. The method of claim 2, characterized in that:
if the ticket passes verification, the authentication server entity looks up the locally stored correspondence between WAPI user certificates and user IMSIs (international mobile subscriber identities) to learn the user's IMSI from the user's WAPI certificate, and obtains the user's subscribed Web service list from the home location register according to the IMSI; if the Web service list includes the Web application site requesting user identity authentication, the user is authorized to access that Web application site and the authentication server entity returns a user identity authentication success response to the Web application site; if the Web service list does not include the Web application site requesting user identity authentication, the authentication server entity returns a user identity authentication failure response to the Web application site.
4. A system for a WAPI terminal to access a Web application site, comprising a WAPI terminal, an authentication server entity and a Web application site, characterized in that:
the authentication server entity is configured to generate a ticket (authentication credential) for the WAPI terminal when the WAPI terminal accesses a WiFi (Wireless Fidelity) network, to complete authentication of the WAPI terminal's ticket after receiving an authentication request sent by the Web application site, and to return the authentication result to the Web application site;
the WAPI terminal is configured to carry the ticket when accessing the Web application site; the Web application site is configured, when accessed by the WAPI terminal, to request the authentication server entity to authenticate the ticket, and to allow the WAPI terminal to access the Web application site after authentication passes;
the system also comprises an authenticator entity;
the authentication server entity comprises an authentication service module and a single sign-on access service module;
the authentication service module is configured to authenticate the WAPI terminal when the WAPI terminal accesses the WiFi network, to notify the single sign-on access service module when authentication passes, and to carry the ticket generated by the single sign-on access service module for the WAPI terminal in the certificate authentication response packet sent to the authenticator entity;
the single sign-on access service module is configured to generate a ticket for the WAPI terminal after the WAPI terminal has passed authentication, and to send the generated ticket to the authentication service module;
the authenticator entity is configured to carry the ticket in the access authentication response packet sent to the WAPI terminal.
5. The system of claim 4, characterized in that:
the single sign-on access service module is also configured, after receiving the authentication request sent by the Web application site, to first verify whether the ticket was generated by this authentication server entity; if so, to further judge whether a user certificate corresponding to the ticket is stored locally; if one exists, the ticket passes verification; if the ticket was not issued by this authentication server entity, or no user certificate corresponding to the ticket is stored locally, the ticket fails verification and an authentication failure response is returned to the Web application site.
6. The system of claim 5, characterized in that:
the single sign-on access service module is also configured, after the ticket passes verification, to look up the locally stored correspondence between WAPI user certificates and user IMSIs (international mobile subscriber identities) to learn the user's IMSI from the user's WAPI certificate, and to obtain the user's subscribed Web service list from the home location register according to the IMSI; if the Web service list includes the Web application site requesting user identity authentication, it returns a user identity authentication success response to the Web application site, and if the Web service list does not include the Web application site requesting user identity authentication, it returns a user identity authentication failure response to the Web application site.
Priority Applications (2)

CN200910247063A (CN101742507B, en): priority date 2009-12-21, filing date 2009-12-21, "System and method for accessing Web application site for WAPI terminal", status Active
PCT/CN2010/072773 (WO2010148815A1, en): priority date 2009-12-21, filing date 2010-05-14, "System and method for visiting a web application site by a wapi terminal"

Publications (2)

CN101742507A (en): published 2010-06-16
CN101742507B (en): published 2012-09-26

Also Published As

Publication number Publication date
WO2010148815A1 (en) 2010-12-29
CN101742507A (en) 2010-06-16
