CN103442359A - Sensor node authentication method and system based on short distance wireless access mode - Google Patents


Publication number
CN103442359A
Authority
CN
China
Prior art keywords
sensor node
control equipment
access control
authentication
access
Legal status
Pending
Application number
CN2013103923729A
Other languages
Chinese (zh)
Inventor
张媛媛
Current Assignee
BEIJING PENGTONG GAOKE SCIENCE & TECHNOLOGY Co Ltd
Original Assignee
BEIJING PENGTONG GAOKE SCIENCE & TECHNOLOGY Co Ltd

Abstract

The invention provides a sensor node authentication method and system based on a short distance wireless access mode. A sensor node is configured in advance with service authentication information and the address information of an authentication device. The method comprises the following steps: the sensor node accesses a short distance wireless network access device and, after obtaining from an access control device the IP address allocated to it, sends the service authentication information to the authentication device according to the preconfigured address information of the authentication device; the authentication device sends the service authentication information to an AAA server and obtains an authentication result from the AAA server; if the authentication result shows that authentication succeeded, the access control device is notified to modify its data forwarding policy to one that allows the sensor node to communicate with an application server. The method and system meet the authentication requirement of sensor nodes in an operator network and make it possible to deploy sensor nodes through wireless technologies such as Wifi, Bluetooth and Zigbee.

Description

Sensor node authentication method and system based on a short-distance wireless access mode
[technical field]
The present invention relates to the field of network communication technology, and in particular to a sensor node authentication method and system based on a short-distance wireless access mode.
[background technology]
In recent years, Wifi technology has developed by leaps and bounds, and whether measured by deployment speed or by global chip shipments it has become an important wireless technology. With the standardization work of the Wifi Alliance and the IEEE 802.11 series, Wifi-based equipment has improved greatly in power consumption, performance, coverage and security. Wifi is currently one of the important wireless technologies for indoor and even outdoor coverage, and operators and solution vendors are actively developing various Wifi-based solutions. Alongside the development and deployment of Wifi technology, Wifi security has always been a focus of the industry. At present, the large number of Wifi-based applications mainly adopt two authentication modes, Portal authentication and EAP-SIM/EAP-AKA:
The EAP-SIM/EAP-AKA authentication mode is mainly used for Wifi access authentication of smartphones. It uses the information on the phone's SIM (Subscriber Identity Module) or USIM (Universal Subscriber Identity Module) card, together with the 802.1x authentication mode and HLR (Home Location Register) data, to perform authentication; with the development of network convergence it is now gradually being deployed in carrier networks. The Portal authentication architecture is clear, the user operation is simple and convenient, no special software needs to be installed, and it places no requirements on the Wifi terminal itself, so it is widely supported and adopted by operators worldwide.
As an important wireless technology, the application of Wifi to the Internet of Things has attracted wide attention in the industry. For wireless sensors, the large-scale deployment of Wifi wireless access points and the high bandwidth of Wifi give it great advantages over other wireless technologies. To make Wifi better suited to Internet of Things applications, the IEEE is currently working on 802.11ah, which will bring Wifi great improvements in coverage, security, power consumption and compatibility with other short-range wireless technologies. Meanwhile, leading chip manufacturers have started manufacturing ultra-low-power Wifi chips to meet the demand of the fast-growing Internet of Things market.
When Wifi technology is applied to the Internet of Things, a typical Internet of Things application usually needs to deploy a large number of sensor nodes. Because sensor nodes are numerous, deployed in complex environments and difficult to maintain, sensor node design follows strategies of simplicity, low cost and power saving as far as possible. A sensor node usually has a basic data processing chip (MCU), a sensor, a power supply, a low-power Wifi wireless data transfer module and limited memory. Compared with ordinary Wifi terminals, the standard equipment of smartphones and notebooks, such as a screen and keyboard, cannot be adopted by sensor nodes.
The limited computational resources of sensor nodes impose restrictions on realizing Wifi-based authentication of sensor nodes: the existing EAP-SIM/EAP-AKA authentication mode is basically based on the 802.11i security architecture and, on the one hand, requires more computational resources; on the other hand, it requires the authenticated node to have a SIM or USIM card and at the same time to be a subscribed customer of the operator, which is very difficult to realize both technically and in terms of business model. The existing Portal authentication mode is a human-machine interaction process: when the authenticated node reaches a certain stage of connecting to the network service, authentication information such as user name and password must be entered manually according to a prompt. Sensor nodes are numerous, deployed remotely, and have no human-machine interaction resources such as a screen and keyboard, so the existing Portal authentication mode cannot be used directly.
[summary of the invention]
In view of this, the present invention provides a sensor node authentication method and system based on a short-distance wireless access mode, to meet the authentication demand of sensor nodes.
The specific technical solution is as follows:
A sensor node authentication method based on a short-distance wireless access mode, in which the sensor node is provided in advance with service authentication information and the address information of an authenticating device, the method comprising:
the sensor node accesses a short-distance wireless network access device and, after obtaining from an access control device the IP address allocated to the sensor node, sends the service authentication information to the authenticating device according to the pre-configured address information of the authenticating device;
the authenticating device sends the service authentication information to an AAA server and obtains an authentication result from the AAA server; if the authentication result is authentication success, it notifies the access control device to modify the data forwarding policy to one that allows the sensor node to communicate with an application server.
According to a preferred embodiment of the present invention, the short-distance wireless network access device comprises: an AP of a Wifi wireless network, a Bluetooth gateway or an Internet of Things gateway.
According to a preferred embodiment of the present invention, if the short-distance wireless network access device is an AP, the sensor node accessing the short-distance wireless network access device specifically comprises:
the sensor node scans and discovers the Wifi wireless network, accesses the Wifi wireless network using the pre-configured SSID and encryption algorithm, and associates with the corresponding AP.
According to a preferred embodiment of the present invention, obtaining from the access control device the IP address allocated to the sensor node specifically comprises:
the sensor node sends a DHCP Discovery message to the access control device and receives a DHCP Offer message carrying the IP address information sent by the access control device;
wherein the IP address is allocated to the sensor node by the access control device from a local address pool, or is allocated to the sensor node by a DHCP server at the request of the access control device.
According to a preferred embodiment of the present invention, the method further comprises:
the authenticating device sends the result of authentication failure to the sensor node;
the sensor node prompts the user that authentication has failed.
According to a preferred embodiment of the present invention, the authenticating device notifies the access control device to modify the data forwarding policy by sending a CoA-Request message to the access control device;
the method further comprises:
the access control device replies with a CoA-Ack message to the authenticating device;
after the authenticating device receives the CoA-Ack message, it sends the result of authentication success to the sensor node, to notify the sensor node that it can communicate with the application server.
According to a preferred embodiment of the present invention, after the access control device has successfully modified the data forwarding policy, the method further comprises:
the access control device sends an accounting start message to the AAA server to notify the AAA server to start accounting for the user of the sensor node.
A sensor node authentication system based on a short-distance wireless access mode, the system comprising: a sensor node and an authenticating device;
the sensor node, which is provided in advance with service authentication information and the address information of the authenticating device, is used to, after accessing a short-distance wireless network access device and obtaining from an access control device the IP address allocated to the sensor node, send the service authentication information to the authenticating device according to the pre-configured address information of the authenticating device;
the authenticating device is used to send the service authentication information to an AAA server and obtain an authentication result from the AAA server and, if the authentication result is authentication success, to notify the access control device to modify the data forwarding policy to one that allows the sensor node to communicate with an application server.
According to a preferred embodiment of the present invention, the short-distance wireless network access device comprises: an access point (AP) of a Wifi wireless network, a Bluetooth gateway or an Internet of Things gateway.
According to a preferred embodiment of the present invention, if the short-distance wireless network access device is an AP, the sensor node, when accessing the short-distance wireless network access device, specifically: scans and discovers the Wifi wireless network, accesses the Wifi wireless network using the pre-configured SSID and encryption algorithm, and associates with the corresponding AP.
According to a preferred embodiment of the present invention, the sensor node, when obtaining the IP address from the access control device, specifically: sends a DHCP Discovery message to the access control device and receives the DHCP Offer message carrying the IP address information sent by the access control device;
wherein the IP address is allocated to the sensor node by the access control device from a local address pool, or is allocated to the sensor node by a DHCP server at the request of the access control device.
According to a preferred embodiment of the present invention, the authenticating device is further used to send the result of authentication failure to the sensor node;
the sensor node is further used to prompt the user that authentication has failed after receiving the result of authentication failure.
According to a preferred embodiment of the present invention, the authenticating device notifies the access control device to modify the data forwarding policy by sending a CoA-Request message to the access control device;
the access control device is further used to reply with a CoA-Ack message to the authenticating device;
the authenticating device is further used to, after receiving the CoA-Ack message, send the result of authentication success to the sensor node, to notify the sensor node that it can communicate with the application server.
According to a preferred embodiment of the present invention, the access control device is further used to, after successfully modifying the data forwarding policy, send an accounting start message to the AAA server to notify the AAA server to start accounting for the user of the sensor node.
As can be seen from the above technical solutions, the present invention suits the restrictions of sensor nodes, namely few computational resources and no human-machine interaction resources such as a screen and keyboard, meets the authentication demand of sensor nodes in a carrier network, and thereby makes it possible to deploy sensor nodes using wireless technologies such as Wifi, Bluetooth or Zigbee.
[accompanying drawing explanation]
Fig. 1 is a structural diagram of the sensor node authentication system based on a short-distance wireless access mode provided by an embodiment of the present invention;
Fig. 2 is a flow chart of the Wifi-based sensor node authentication method provided by an embodiment of the present invention.
[embodiment]
To make the purpose, technical solutions and advantages of the present invention clearer, the present invention is described below with reference to the drawings and specific embodiments.
The present invention is mainly intended to realize carrier network authentication of sensor nodes. The system architecture adopted can be as shown in Fig. 1; the system mainly comprises: a sensor node, a short-distance wireless network access device, an access control device, an authenticating device and an AAA (Authentication, Authorization, Accounting) server. The wireless network access device, access control device and AAA server are equipment already deployed in the existing network, and the functions involved in the present invention are not changed; that is, the present invention is applicable to existing wireless network access devices, access control devices and AAA servers.
The core idea of the present invention is: service authentication information and the address information of the authenticating device are configured on the sensor node in advance; when the sensor node has accessed the short-distance wireless network access device and obtained from the access control device the IP address allocated to it, it sends the service authentication information to the authenticating device for authentication according to the pre-configured address information of the authenticating device; the authenticating device provides this service authentication information to the AAA server and obtains an authentication result from the AAA server, and if the authentication result is authentication success, it notifies the access control device to modify the data forwarding policy to allow the sensor node to communicate with the application server.
The sensor node shown in Fig. 1 usually includes a sensor, a power supply, limited computational resources and memory, and a low-power short-range wireless communication module (such as a Wifi module, Bluetooth module or Zigbee module), and appears in the Internet of Things as a small physical node. In embodiments of the present invention the sensor node is authenticated by the carrier network; only after authentication succeeds can the sensor node access the carrier network and communicate with the application server, sending the sensing data collected by its sensor to the application server through the short-range wireless communication module.
The short-distance wireless network access device is a different device depending on the type of short-distance wireless network: for example, when the short-distance wireless network is a Wifi network, the corresponding access device is an AP (access point); when it is Bluetooth, the corresponding access device is a Bluetooth gateway; when it is Zigbee, the corresponding access device is an Internet of Things gateway.
The access control device can be, but is not limited to, a BRAS (Broadband Remote Access Server) or an AC (Access Controller). A BRAS and an AC may have different functions and network positions in an operator's usual network design; they mainly realize functions such as IP address allocation and service access control for the sensor node and initiating accounting requests.
The authenticating device can be, but is not limited to, an AS (Authentication Server) or a Portal server. It is mainly responsible for communicating with the sensor node and the AAA server, realizing the authentication function for the Wifi sensor, and further instructing the access control device to modify the forwarding policy based on the authentication result.
The AAA server is deployed in the carrier network and realizes user authentication, authorization and accounting functions, generally using Radius or Diameter.
The application server communicates with the sensor node, mainly to obtain the sensing data of the sensor node, and is unrelated to the authentication procedure in the present invention. The application server involved in embodiments of the present invention can be the operator's application server or a third party's application server; that is to say, the present invention can be applied in at least two scenarios: in the first scenario, the sensor, the application server and the intermediate network all belong to the operator; in the second scenario, the sensor and the application server belong to a third party, and the operator only provides the intermediate network and the equipment that completes the authentication function. In the second scenario in particular the authentication function is especially important: the operator, according to its agreement with the third party, determines through authentication of the sensor node whether to allow the third party to use its Wifi network and core network.
On the interfaces: the Sa interface between the sensor node and the authenticating device is mainly used to transmit authentication messages between the sensor node and the authenticating device, and can adopt a manufacturer's self-designed interface protocol. The Sr interface between the sensor node and the short-distance wireless network access device is an air interface, on which data communication and security protection are carried out by, for example, the standard Wifi security protocol, Bluetooth protocol or Zigbee protocol. The Sd interface between the sensor node and the application server is used by the sensor node to transmit sensing data to the application server; it can adopt a manufacturer's self-designed interface protocol and is unrelated to the authentication process. The Aa interface between the authenticating device and the AAA server can adopt the Radius protocol. The Ab interface between the authenticating device and the access control device is used by the authentication server to send the authentication result to the AC/BRAS and is based on the Radius protocol. The Ac interface between the AAA server and the access control device mainly realizes the accounting function for the owner of the sensor node and is based on the Radius protocol.
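The Aa interface above is described only as "Radius". The following is an added example, written for this page and not code from the patent or its assignee, showing what a RFC 2865 Access-Request carrying a user name and password looks like on the wire, including the User-Password hiding the protocol applies, together with a constructed AAA-side decision that recovers the password and compares it against a user table. The shared secret, user name, password and user table are constructed values; the attribute types and packet layout are those of RFC 2865.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then XOR each
    16-byte block with MD5(secret || previous block), chaining from the Request Authenticator."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes; authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block  # the ciphertext block feeds the next mask
    return bytes(out)


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the AAA server performs it; trailing NUL padding is removed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attributes(attrs):
    """Attributes are Type(1) Length(1) Value; Length counts the two header bytes."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_request(identifier, secret, username, password, authenticator=None):
    """Access-Request as the authenticating device would send it on the Aa interface."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = encode_attributes([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(secret, authenticator, password)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier & 0xFF, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(data):
    """Header (Code, Identifier, Length, Authenticator) plus TLV attributes, with length checks."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", data[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, data[4:20], attrs


def aaa_decide(data, secret, user_db):
    """Constructed AAA-side decision: recover the User-Password and compare it in constant time."""
    code, _, authenticator, attrs = parse_packet(data)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    if ATTR_USER_NAME not in fields or ATTR_USER_PASSWORD not in fields:
        return ACCESS_REJECT
    supplied = reveal_password(secret, authenticator, fields[ATTR_USER_PASSWORD])
    expected = user_db.get(fields[ATTR_USER_NAME])
    ok = expected is not None and hmac.compare_digest(supplied, expected)
    return ACCESS_ACCEPT if ok else ACCESS_REJECT
```

The password hiding is keyed only on the shared secret and the per-request authenticator, which is why RFC 2865 deployments protect the link between the authenticating device and the AAA server (for example with IPsec) rather than relying on the hiding alone; the parser's length checks are what a real server needs because both the packet Length field and every attribute Length come from the peer.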
The implementation method based on the above system provided by the present invention is described in detail below with reference to specific embodiments. First, the authentication system is pre-configured; this pre-configuration mainly comprises:
1) Configuration of the sensor node. The configuration of the sensor node mainly comprises the following aspects:
First, service authentication information is configured on the sensor node in advance. This service authentication information is the information necessary for the sensor node to be authenticated for the service of the carrier network, and can be information such as a user name and password. The service authentication information is applied for from the operator; it can be obtained by registering at the operator's business hall, by SMS, by applying through the carrier network, and so on, and is then configured on the sensor node. Which acquisition method is adopted and the form of the service authentication information depend on the operator's policy. Once the service authentication information has been applied for, legitimate service authentication information exists on the AAA server.
Second, the address of the authenticating device, usually its IP address information, is configured on the sensor node in advance, in order to reach the authenticating device during the authentication process. Specifically, this enables the sensor node to send an authentication message to the authenticating device, the destination IP address of the authentication message being the IP address of the authenticating device, so that the authenticating device can process the message further after receiving it.
Third, the information used to connect to the short-distance wireless network is configured on the sensor node in advance; the corresponding information is configured on the sensor node according to the type of short-distance wireless network. Taking a Wifi network as an example, the configured information includes but is not limited to the SSID (Service Set Identifier) of the wireless network and the encryption algorithm. The encryption algorithm is the one used when carrying out Wifi data transmission, and its purpose is to guarantee the security of wireless data transmission. This part is information that ordinary wireless network access has.
Considering the security of the sensor node: in order to realize demands such as power saving and low cost, in its software implementation a sensor node is generally designed as a miniature embedded software system running on specific hardware; this system usually contains no operating system, or runs only on a highly reduced lightweight operating system, and the service logic it realizes is also simplified as far as possible. These characteristics mean that at present almost all sensor node software is privately designed by the sensor node manufacturer according to the concrete application demand, without any demand for interoperation or an open system. Such software design, together with the dedicated hardware design and characteristics such as having no keyboard or screen, makes the sensor node software a completely closed system, and apart from the manufacturer of the sensor node, the information kept on it can be considered impossible to steal directly from the sensor node. Therefore, it can be considered here that the storage of authentication information on the sensor node is secure.
The above configuration of the sensor node can be carried out through a serial port, but generally the number of sensor nodes in the Internet of Things is huge and they have no peripherals such as a keyboard, so special methods can be adopted to configure the information, for example automatic batch configuration in Smart Configure mode.
2) The information used by the sensor node to connect to the short-distance wireless network is configured on the short-distance wireless network access device in advance. Taking Wifi as an example, the information configured on the AP includes but is not limited to the SSID of the wireless network and the encryption algorithm. This is consistent with the third aspect of the configuration on the sensor node described above, and its purpose is to protect the radio communication between the sensor node and the AP. Because the encryption algorithm of the low-power Wifi modules currently on the market is generally provided by the Wifi module itself, it does not need to be implemented in software and does not occupy the computational resources of the external MCU (micro controller unit); it is energy-saving, efficient and highly feasible. According to the operator's security requirements, protection such as WEP (Wired Equivalent Privacy) or WAP (Wireless Application Protocol) can be selected. This part can reuse the security mechanisms already deployed to achieve effective protection, so no separate design is needed. This configuration on the short-distance wireless network access device is existing configuration in the prior art.
After the above pre-configuration has been carried out, the sensor node can realize the following functions:
1) Accessing the short-distance wireless network access device. Taking a Wifi network as an example, this function is the same as for an existing ordinary Wifi terminal: scan and discover the Wifi wireless network, access the Wifi wireless network using the pre-configured SSID and encryption algorithm, and associate with the corresponding AP. For Bluetooth, the sensor node connects to the Bluetooth gateway. For Zigbee, the sensor node connects to the Internet of Things gateway.
2) Obtaining from the access control device the IP address allocated to the sensor node. This function is likewise the same as for an existing ordinary Wifi terminal, and can be: send a DHCP (Dynamic Host Configuration Protocol) Discovery message to the access control device, and receive the DHCP Offer message carrying the IP address information sent by the access control device. The IP address is allocated to the sensor node by the access control device from a local address pool, or is allocated to the sensor node by a DHCP server at the request of the access control device.
3) After accessing the short-distance wireless network access device and obtaining from the access control device the IP address allocated to the sensor node, sending the service authentication information to the authenticating device according to the pre-configured address information of the authenticating device. This function is one of the core functions of the present invention: after obtaining the allocated IP address, the sensor node actively transmits the service authentication information to the authenticating device, based on the address information of the authenticating device configured on the sensor node in advance, rather than the authenticating device pushing an authentication information page and the user filling the service authentication information into that page by hand. The service authentication information here is exactly the user name, password and so on applied for from the operator as described above, and can be carried in an authentication message sent to the authenticating device.
4) After receiving the result of authentication success from the authenticating device, starting communication with the application server. This function is not an essential function of the present invention: even if the sensor node does not wait for the result of authentication success before starting to communicate with the application server, for example by sending sensing data to the application server, that communication cannot succeed, because the access control device has not yet modified the data forwarding policy for this sensor node to allow it to communicate with the application server; only after authentication has passed and the access control device has modified the data forwarding policy to allow the sensor node to communicate with the application server can the communication succeed. Of course, this approach wastes network traffic and affects equipment performance, so preferably the sensor node starts communicating with the application server only after receiving the result of authentication success from the authenticating device.
5) After receiving the result of authentication failure from the authenticating device, prompting the user that authentication has failed, so that the user can choose to initiate authentication again. This function is also an optional function of the present invention.
The function of the short-distance wireless network access device is the same as in the prior art: it is responsible for connecting the sensor node to the short-distance wireless network and forwarding the sensor node's data.
The function of the access control device is also similar to the function of an access control device in the prior art; it has the following functions:
1) Providing the IP address allocated to the sensor node to the sensor node. Specifically, after receiving the DHCP Discovery message sent by the sensor node, it allocates an IP address to the sensor node from a local address pool, or asks a DHCP server to allocate an IP address to the sensor node, and then carries the IP address in a DHCP Offer message sent to the sensor node.
2) After allocating the IP address to the sensor node, storing the sensor node's IP address and MAC address and establishing a forwarding context. By default, the data forwarding policy for this sensor node forwards or redirects all traffic to the authenticating device.
3) When authentication succeeds, modifying the data forwarding policy according to the notification from the authenticating device to allow this sensor node to communicate with the application server.
4) After successfully modifying the data forwarding policy, notifying the authenticating device. Specifically, a CoA-Ack message can be sent to the authenticating device.
5) After successfully modifying the data forwarding policy, notifying the AAA server to start accounting for the user of this sensor node.
The authenticating device is the core device of the invention and has the following functions:
1) Sending the service authentication information received from the sensor node to the AAA server and obtaining the authentication result from the AAA server. Specifically, the authenticating device can send a Radius Access-Request message carrying the service authentication information to the AAA server; if the AAA server replies with a Radius Access-Accept message, authentication succeeded; if it replies with a Radius Access-Reject message, authentication failed.
2) If the authentication result is success, notifying the access control device to change the data forwarding policy to one that allows this sensor node to communicate with the application server.
3) If the authentication result is failure, notifying the sensor node of the failure.
4) After learning that the access control device has successfully changed the data forwarding policy, for example after receiving a CoA-Ack, notifying the sensor node of the authentication success, after which the sensor node can start communicating with the application server. Alternatively, the authenticating device may notify the sensor node of the success as soon as it learns the result from the AAA server, at the same time as it notifies the access control device to change the data forwarding policy. The former approach is preferred.
The function of the AAA server is the same as in the prior art and can be used directly by the invention; specifically it includes:
1) After receiving the service authentication information from the authenticating device, comparing it with the service authentication information it stores for this sensor node; if they match, authentication succeeds, otherwise it fails. On success it sends a Radius Access-Accept message to the authenticating device, otherwise it sends a Radius Access-Reject message.
2) After receiving the start-charging notification from the access control device, starting charging for the user of this sensor node.
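The Radius messages named above (Access-Request carrying the service authentication information, Access-Accept/Access-Reject, CoA-Request and CoA-Ack) are only named in the description; the following is an added example, not code from the patent, showing how these packets are encoded and authenticated per RFC 2865 and RFC 5176 with a shared secret. The shared secret, identifiers, addresses and credential values are constructed for the example; the attribute numbers and hashing rules are those of the RFCs.

```python
# Added example (not from the patent): RFC 2865 / RFC 5176 packet encoding for the
# Radius Access-Request / Access-Accept / Access-Reject and CoA-Request / CoA-Ack
# messages named in the description. Secrets, identifiers and sample values are
# constructed for this example.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_FRAMED_IP_ADDRESS, ATTR_CALLING_STATION_ID = 8, 31


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 octets, XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as done by the AAA server (NUL padding stripped)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value encoding; Length counts the 2-octet header."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def parse_attrs(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-octet header."""
    attrs, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(ident, secret, username, password, node_ip, node_mac,
                         authenticator=None) -> bytes:
    """Portal server -> AAA server, carrying the node's service authentication information."""
    if authenticator is None:
        authenticator = os.urandom(16)   # Request Authenticator: 16 unpredictable octets
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)),
        (ATTR_FRAMED_IP_ADDRESS, bytes(int(o) for o in node_ip.split("."))),
        (ATTR_CALLING_STATION_ID, node_mac),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code, request, secret, attrs=b"") -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response, request, secret) -> bool:
    """Check a reply (Access-Accept/Reject, CoA-Ack/NAK) against the request it answers."""
    if len(response) < 20 or int.from_bytes(response[2:4], "big") != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def build_coa_request(ident, secret, node_ip, node_mac) -> bytes:
    """Portal server -> AC. RFC 5176 3: Request Authenticator =
    MD5(Code+ID+Length+16 zero octets+Attributes+Secret), so the AC can check the sender."""
    attrs = encode_attrs([(ATTR_FRAMED_IP_ADDRESS, bytes(int(o) for o in node_ip.split("."))),
                          (ATTR_CALLING_STATION_ID, node_mac)])
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs


def verify_coa_request(packet, secret) -> bool:
    """AC side: reject any CoA-Request not authenticated with the shared secret."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)
```

The point for the access control device is `verify_coa_request`: a CoA-Request is what flips a node from the redirect policy to the allow policy, so the AC must check the Request Authenticator under the shared secret (and, in practice, the source address) before acting on it. Note also that the User-Password hiding of RFC 2865 is an MD5-keystream XOR, not an authenticated encryption; the description's reliance on it assumes the Portal-to-AAA path is otherwise protected.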
The following takes Wi-Fi network access as an example: the short-range wireless network access device is an AP, the access control device is an AC, and the authenticating device is a Portal server; the service authentication information and the address information of the Portal server are configured on the sensor node in advance. The specific authentication flow, as shown in Figure 2, includes the following steps:
Step 201: The sensor node scans for and discovers the Wi-Fi wireless network, accesses the Wi-Fi network using the configured SSID and encryption algorithm, and successfully associates with the corresponding AP.
Step 202: The sensor node sends a DHCP Discovery message to the AC.
After associating with the AP, the sensor node starts the DHCP procedure and sends a DHCP Discovery message to the AC to obtain an IP address.
Step 203: The AC sends the IP address allocated to this sensor node to the sensor node in a DHCP Offer message.
According to its configured IP address allocation policy, the AC can allocate the IP address to the sensor node from a locally configured address pool, or forward the DHCP Discover message to a DHCP server and obtain the IP address the DHCP server allocates for the sensor node.
After the sensor node obtains the allocated IP address, it can send a DHCP Request message to the AC as the response to the DHCP Offer message, informing the AC that it will use the allocated address; the AC then sends a DHCP ACK message to the sensor node as confirmation. This part is not shown in Figure 2. At this point the sensor node has completed the IP address acquisition procedure.
After the AC allocates the IP address to the sensor node, since the sensor node has not yet completed authentication, the data forwarding policy for this sensor node is set by default to forward or redirect all traffic to the Portal server.
At this point the AC can record the IP address allocated to the sensor node and the sensor node's MAC address, and create a forwarding context.
Step 204: The sensor node sends an authentication message to the Portal server according to the pre-configured address information of the Portal server; the authentication message carries the pre-configured service authentication information.
For a Portal server, the sensor node uses HTTP (Hypertext Transfer Protocol) to carry the service authentication information. If the authentication server is an AS instead, the sensor node can communicate with the AS using the communication protocol of that authentication service.
The authentication message sent by the sensor node reaches the AC via the AP; after receiving it, the AC forwards the authentication message to the Portal server according to the configured forwarding rule.
Step 205: The Portal server initiates the authentication procedure toward the AAA server by sending it a Radius Access-Request message that carries the service authentication information.
Because the destination address of the authentication message is the Portal server, the Portal server can process the received authentication message: after receiving it, it extracts the service authentication information and then sends the AAA server a Radius Access-Request message carrying that information.
Step 206: The Portal server obtains the authentication result from the AAA server.
The AAA server compares the service authentication information stored when the user subscribed (for example, username and password) with the service authentication information sent by the Portal server. If they match, the AAA server sends a Radius Access-Accept message to the Portal server to signal success; otherwise it sends a Radius Access-Reject message to signal failure.
Step 207: If authentication fails, the Portal server sends the failure result to the sensor node.
On receiving the AAA server's result, if authentication failed, the Portal server sends a Registration NAK (authentication failure message) to the sensor node, notifying it of the failure. After receiving the failure message, the sensor node can display it to the user, who can choose to initiate the authentication procedure again.
Step 208: If authentication succeeds, the Portal server notifies the AC to change the forwarding policy.
On receiving the AAA server's result, if authentication succeeded, the Portal server sends a CoA-Request (Change of Authentication Request) message to the AC, notifying it to change the data forwarding policy corresponding to the sensor node.
Step 209: The AC changes the data forwarding policy corresponding to this sensor node to allow communication between the sensor node and the application server, and sends a Radius accounting message to the AAA server to start the charging procedure for the user of this sensor node.
The AC can send a CoA-Ack (change-of-authentication acknowledgement) message to the Portal server, and the Portal server can then send the authentication-success result to the sensor node, informing it that it has passed network-side authentication and can communicate with the application server. This part of the flow is not a necessary step of the invention and is shown in Figure 2 with dotted lines. Alternatively, the Portal server may send the success result to the sensor node when it obtains the result from the AAA server and notifies the AC to change the forwarding policy. The sensing data of the sensor node can then be forwarded normally to the application server, for example an IoT App (Internet of Things data processing server).
The AC can notify the AAA server to start charging for the user of this sensor node by sending it a Radius Acct-Start (accounting start) message.
Step 210: The AAA server sends a charging response message to the AC.
Step 211: The sensor node starts sending sensing data to the application server and begins normal service.
It should be noted that the messages used in the above flow are named according to the protocols commonly used between the respective network devices; the invention does not limit the specific message names and does not exclude using other protocols or messages to carry the corresponding information.
The flow shown in Figure 2 is described for the case where the short-range wireless network is a Wi-Fi network, the short-range wireless network access device is an AP, the access control device is an AC, and the authenticating device is a Portal server. When other short-range wireless networks, access devices, access control devices and authenticating devices to which the invention applies are used, the core idea of the above flow does not change; only the way of accessing the short-range wireless network differs, for example in step 201 the sensor node performs a Bluetooth scan and connects to a Bluetooth gateway. This difference is not limited by the invention and belongs to the prior art.
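To make the policy-driven part of steps 201 to 211 concrete, here is an added simulation (not code from the patent or the applicant) of the AC's per-node forwarding policy, the Portal server's decision and the CoA exchange. Addresses, the credential store, class names and the "CoA-NAK" reply are constructed for this example; the message names follow the description. It shows what a sensing packet sent before authentication actually reaches, what changes after the CoA-Ack, and that a CoA-Request from anything other than the configured Portal server leaves the policy untouched.

```python
# Added example (not from the patent): simulation of steps 201-211 with the AC's
# per-node forwarding policy, the Portal server's authentication decision and the
# CoA exchange. Addresses, credentials and class names are constructed for this
# example; message names follow the description.
import hmac
import ipaddress

REDIRECT_TO_PORTAL = "redirect-to-portal"   # default policy before authentication
ALLOW_APP = "allow-app"                     # policy after the CoA-Request is accepted
PORTAL_IP = "192.0.2.10"                    # pre-configured on the sensor node
APP_SERVER_IP = "198.51.100.20"


class AAAServer:
    """Holds the service authentication information provisioned at subscription time."""

    def __init__(self, credentials):
        self._creds = {u: p.encode() for u, p in credentials.items()}
        self.charged = set()    # users for which Radius Acct-Start has been received

    def access_request(self, username, password):
        expected = self._creds.get(username)
        # constant-time compare: reply timing must not reveal whether the user exists
        ok = expected is not None and hmac.compare_digest(expected, password.encode())
        return "Access-Accept" if ok else "Access-Reject"

    def acct_start(self, username):
        self.charged.add(username)
        return "Accounting-Response"          # step 210


class AccessController:
    """AC: allocates IP addresses and enforces the per-node data forwarding policy."""

    def __init__(self, pool, portal_ip, aaa):
        self._pool = list(ipaddress.ip_network(pool).hosts())
        self.portal_ip, self._aaa = portal_ip, aaa
        self.context = {}       # ip -> {"mac": ..., "policy": ...}

    def dhcp_discover(self, mac):
        """Steps 202-203 with a local pool; DHCP Request/ACK omitted as in Figure 2."""
        ip = str(self._pool.pop(0))
        self.context[ip] = {"mac": mac, "policy": REDIRECT_TO_PORTAL}
        return ip

    def forward(self, src_ip, dst_ip):
        """Return the address a packet from src_ip to dst_ip is actually delivered to."""
        ctx = self.context.get(src_ip)
        if ctx is None:
            return None                       # no forwarding context: drop
        if ctx["policy"] == ALLOW_APP or dst_ip == self.portal_ip:
            return dst_ip
        return self.portal_ip                 # everything else goes to the Portal server

    def coa_request(self, sender_ip, node_ip, username):
        """Steps 208-209: only the configured authenticating device may change a policy."""
        if sender_ip != self.portal_ip or node_ip not in self.context:
            return "CoA-NAK"
        self.context[node_ip]["policy"] = ALLOW_APP
        self._aaa.acct_start(username)        # Radius Acct-Start for this node's user
        return "CoA-Ack"


class PortalServer:
    """Authenticating device: relays credentials to AAA and drives the CoA exchange."""

    def __init__(self, ip, aaa, ac):
        self.ip, self._aaa, self._ac = ip, aaa, ac

    def authenticate(self, node_ip, username, password):
        """Steps 205-208; returns the message delivered to the sensor node."""
        if self._aaa.access_request(username, password) == "Access-Reject":
            return "Registration NAK"         # step 207
        if self._ac.coa_request(self.ip, node_ip, username) != "CoA-Ack":
            return "Registration NAK"         # policy change failed: do not claim success
        return "Authentication OK"            # preferred variant: only after CoA-Ack


def run_flow(username, password, credentials):
    """Run the whole flow for one node and report what an observer would see."""
    aaa = AAAServer(credentials)
    ac = AccessController("10.0.0.0/28", PORTAL_IP, aaa)
    portal = PortalServer(PORTAL_IP, aaa, ac)
    node_ip = ac.dhcp_discover("aa:bb:cc:dd:ee:01")
    before = ac.forward(node_ip, APP_SERVER_IP)      # sensing data before authentication
    if ac.forward(node_ip, PORTAL_IP) != PORTAL_IP:  # step 204 must reach the portal
        raise RuntimeError("portal unreachable under default policy")
    result = portal.authenticate(node_ip, username, password)
    after = ac.forward(node_ip, APP_SERVER_IP)       # step 211
    return {"result": result, "before": before, "after": after,
            "policy": ac.context[node_ip]["policy"], "charged": username in aaa.charged}


if __name__ == "__main__":
    print(run_flow("sensor-0001", "pw-0001", {"sensor-0001": "pw-0001"}))
```

Two defender-side details are deliberate: the Portal server reports success to the node only after the AC has acknowledged the policy change (the variant the description prefers), so the node never starts sending sensing data that the AC would still redirect; and the AC accounts the user only when the policy change came from its configured authenticating device, since accepting a CoA-Request from any source would let an unauthenticated node be opened up without a Radius Access-Accept ever having been issued.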
From the above description it can be seen that the method and system provided by the invention have the following advantages:
1) The authentication method and system provided by the invention accommodate the constraints of a sensor node, which has few computational resources and no human-machine interaction resources such as a screen or keyboard, thereby meeting the authentication requirements of sensor nodes in an operator network and making it possible to deploy sensor nodes using wireless technologies such as Wi-Fi, Bluetooth or Zigbee.
2) The invention largely reuses the existing network architecture and functional entities, reducing implementation cost and difficulty.
3) Through pre-configuration, authentication is performed on the network side to the greatest possible extent, saving the sensor node's computational resources and battery power.
In the several embodiments provided by the present invention, it should be understood that the disclosed system and method can be implemented in other ways. For example, the system embodiments described above are merely illustrative; the division into devices is only a logical functional division, and other divisions are possible in actual implementation. The devices described as separate components may or may not be physically separate; they may be located in one place or distributed over multiple network elements. Some or all of them may be selected according to actual needs to achieve the purpose of the embodiment.
Each function in the above devices may be implemented in hardware, or in hardware plus software functional units. An integrated unit implemented as a software functional unit may be stored in a computer-readable storage medium. The software functional unit stored in the storage medium includes instructions that cause a computer device (which may be a personal computer, a server or a network device) or a processor to perform some of the steps of the method described in the embodiments of the invention. The storage medium includes media that can store program code, such as a USB flash disk, a portable hard drive, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The foregoing are merely preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included within its scope of protection.

Claims (14)

1. A sensor node authentication method based on a short-range wireless access mode, characterized in that the sensor node is pre-configured with service authentication information and the address information of an authenticating device, and the method comprises:
the sensor node accesses a short-range wireless network access device and, after obtaining from an access control device the IP address allocated to the sensor node, sends the service authentication information to the authenticating device according to the pre-configured address information of the authenticating device;
the authenticating device sends the service authentication information to an AAA server and obtains an authentication result from the AAA server; if the authentication result is authentication success, it notifies the access control device to change the data forwarding policy to one that allows the sensor node to communicate with an application server.
2. The method according to claim 1, characterized in that the short-range wireless network access device comprises: an AP of a Wi-Fi wireless network, a Bluetooth gateway or an Internet-of-Things gateway.
3. The method according to claim 2, characterized in that, if the short-range wireless network access device is an AP, the sensor node accessing the short-range wireless network access device specifically comprises:
the sensor node scanning for and discovering the Wi-Fi wireless network, accessing the Wi-Fi wireless network using the pre-configured SSID and encryption algorithm, and associating with the corresponding AP.
4. The method according to claim 1, characterized in that obtaining from the access control device the IP address allocated to the sensor node specifically comprises:
the sensor node sending a DHCP Discovery message to the access control device, and receiving the DHCP Offer message carrying the IP address information sent by the access control device;
wherein the IP address is allocated to the sensor node by the access control device from a local address pool, or allocated to the sensor node by a DHCP server at the request of the access control device.
5. The method according to claim 1, characterized in that the method further comprises:
the authenticating device sending the result of authentication failure to the sensor node;
the sensor node prompting the user that authentication failed.
6. The method according to claim 1, characterized in that the authenticating device notifies the access control device to change the data forwarding policy by sending a CoA-Request message to the access control device;
the method further comprises:
the access control device replying with a CoA-Ack message to the authenticating device;
after receiving the CoA-Ack message, the authenticating device sending the result of authentication success to the sensor node, to notify the sensor node that it can communicate with the application server.
7. The method according to claim 1 or 6, characterized in that, after the access control device has successfully changed the data forwarding policy, the method further comprises:
the access control device sending a start-charging message to the AAA server to notify the AAA server to charge the user of the sensor node.
8. A sensor node authentication system based on a short-range wireless access mode, characterized in that the system comprises a sensor node and an authenticating device;
the sensor node is pre-configured with service authentication information and the address information of the authenticating device, and is configured to, after accessing a short-range wireless network access device and obtaining from an access control device the IP address allocated to the sensor node, send the service authentication information to the authenticating device according to the pre-configured address information of the authenticating device;
the authenticating device is configured to send the service authentication information to an AAA server and obtain an authentication result from the AAA server, and, if the authentication result is authentication success, to notify the access control device to change the data forwarding policy to one that allows the sensor node to communicate with an application server.
9. The system according to claim 8, characterized in that the short-range wireless network access device comprises: an access point (AP) of a Wi-Fi wireless network, a Bluetooth gateway or an Internet-of-Things gateway.
10. The system according to claim 8, characterized in that, if the short-range wireless network access device is an AP, the sensor node, when accessing the short-range wireless network access device, specifically: scans for and discovers the Wi-Fi wireless network, accesses the Wi-Fi wireless network using the pre-configured SSID and encryption algorithm, and associates with the corresponding AP.
11. The system according to claim 8, characterized in that the sensor node, when obtaining the IP address from the access control device, specifically: sends a DHCP Discovery message to the access control device, and receives the DHCP Offer message carrying the IP address information sent by the access control device;
wherein the IP address is allocated to the sensor node by the access control device from a local address pool, or allocated to the sensor node by a DHCP server at the request of the access control device.
12. The system according to claim 8, characterized in that the authenticating device is further configured to send the result of authentication failure to the sensor node;
the sensor node is further configured to prompt the user that authentication failed after receiving the result of authentication failure.
13. The system according to claim 8, characterized in that the authenticating device notifies the access control device to change the data forwarding policy by sending a CoA-Request message to the access control device;
the access control device is further configured to reply with a CoA-Ack message to the authenticating device;
the authenticating device is further configured to, after receiving the CoA-Ack message, send the result of authentication success to the sensor node, to notify the sensor node that it can communicate with the application server.
14. The system according to claim 8 or 13, characterized in that the access control device is further configured to, after successfully changing the data forwarding policy, send a start-charging message to the AAA server to notify the AAA server to charge the user of the sensor node.
CN2013103923729A 2013-09-02 2013-09-02 Sensor node authentication method and system based on short distance wireless access mode Pending CN103442359A (en)


Publications (1)

Publication Number Publication Date
CN103442359A true CN103442359A (en) 2013-12-11

Family

ID=49696012



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20131211