CN106454836B - Method and device for enhancing use safety of equipment certificate - Google Patents
Method and device for enhancing use safety of equipment certificate
- Publication number: CN106454836B (application CN201510477798.3A)
- Authority: CN (China)
- Prior art keywords: equipment, access, certificate, gateway, transmission network
- Prior art date
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
(All within H—Electricity, H04—Electric communication technique; H04L—Transmission of digital information, e.g. telegraphic communication; H04W—Wireless communication networks.)
- H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
  - H04L9/40 Network security protocols
- H04L63/00 Network architectures or network communication protocols for network security
  - H04L63/08 for authentication of entities
    - H04L63/0823 using certificates
- H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
  - H04W12/06 Authentication
  - H04W12/08 Access security
Abstract
The invention discloses a method and a device for enhancing the usage security of device certificates, relating to communication technology. The method comprises the following steps: when a device requests access to a public transmission network, a gateway of the public transmission network acquires a device ID and a certificate ID from the device requesting access; the gateway judges whether the device requesting access is a legal device according to the acquired device ID and/or the relationship between the device ID and the certificate ID; and when the gateway judges that the device requesting access is a legal device, it admits the device to the public transmission network, otherwise it refuses the device access. The invention improves the security of the digital certificate, effectively prevents unauthorized parties from making use of a stolen device certificate, and ensures the access security of the device and of the transmission domain.
Description
Technical Field
The present invention relates to communications technologies, and in particular, to a method and an apparatus for enhancing security of device certificate usage.
Background
Home eNodeBs (HeNBs) are typically installed on enterprise premises or in a user's home and reach the operator's network over a public transport network, which places higher demands on the security of the device.
The 3rd Generation Partnership Project (3GPP) specifies that the HeNB uses the Internet Protocol Security (IPsec) protocol to authenticate and encrypt base station traffic, with Internet Key Exchange version 2 (IKEv2) as the negotiation protocol and certificate-based and Universal Subscriber Identity Module (USIM)-based authentication as the recommended methods. In practice, a certificate system built on a Public Key Infrastructure (PKI) is complex, slow to deploy, and hard to extend.
Operators follow their own schedules for PKI deployment. For example, an operator's digital certificate system may still be under construction while its small-cell access devices (NanoCell) are already deployed in some provinces; base stations therefore ship with preset operator certificates where no PKI exists yet, and an online certificate enrollment scheme (the CMPv2 protocol) is promoted alongside it.
Because the HeNB connects over a public transport network, and because existing hardware cannot adequately protect the certificate and its private key, the HeNB's certificate may be stolen by an unauthorized user even when the online enrollment scheme is used, so its security remains a problem.
To guarantee the binding between certificate and device, 3GPP recommends a certificate + USIM dual authentication mode, but it is complex to implement and no device currently supports it. Without dual authentication, preventing unauthorized users from stealing base station certificates and ensuring that each certificate is uniquely associated with its device is therefore very important.
Disclosure of Invention
The invention aims to provide a method and a device for enhancing the usage security of a device certificate, so that a device illegally using a certificate can be more reliably refused access to the transmission network.
According to an aspect of the present invention, there is provided a method for enhancing device certificate usage security, comprising:
when a device requests to access a public transmission network, a gateway of the public transmission network acquires a device ID and a certificate ID from the device requesting to access;
the gateway of the public transmission network judges whether the equipment requesting access is legal equipment or not according to the acquired equipment ID and/or the relation between the equipment ID and the certificate ID;
and when the gateway of the public transmission network judges that the equipment requesting access is legal equipment, accessing the equipment requesting access to the public transmission network, and if not, refusing the equipment requesting access to the public transmission network.
Preferably, the step of judging, by the gateway of the public transport network, whether the device requesting access is a legitimate device according to the obtained device ID and/or the relationship between the device ID and the certificate ID includes:
the gateway of the public transmission network inquires the access state of the equipment corresponding to the equipment ID according to the acquired equipment ID;
and if the queried access state of the device corresponding to the device ID is accessed, judging that the device requesting access is an illegal device; otherwise, judging that it is a legal device.
Preferably, the step of judging, by the gateway of the public transport network, whether the device requesting access is a legitimate device according to the obtained device ID and/or the relationship between the device ID and the certificate ID includes:
carrying out consistency check on the relation between the equipment ID and the certificate ID;
and when the verification is passed, judging that the equipment requesting access is legal equipment, otherwise, judging that the equipment requesting access is illegal equipment.
Preferably, the step of judging, by the gateway of the public transport network, whether the device requesting access is a legitimate device according to the obtained device ID and/or the relationship between the device ID and the certificate ID includes:
the gateway of the public transmission network inquires the access state of the equipment corresponding to the equipment ID according to the acquired equipment ID;
if the access state of the equipment corresponding to the inquired equipment ID is not accessed, consistency check is carried out on the relation between the equipment ID and the certificate ID;
and when the verification is passed, judging that the equipment requesting access is legal equipment, otherwise, judging that the equipment requesting access is illegal equipment.
Preferably, the gateway of the public transport network binds the device ID and the certificate ID in advance for consistency check.
According to another aspect of the present invention, there is provided an apparatus for enhancing device certificate usage security, including:
the gateway acquisition module is used for acquiring the equipment ID and the certificate ID from the equipment requesting access when the equipment requests to access the public transmission network;
the gateway judgment module is used for judging whether the equipment requesting access is legal equipment or not according to the acquired equipment ID and/or the relation between the equipment ID and the certificate ID;
and the gateway access processing module is used for accessing the equipment requesting access to the public transmission network when judging that the equipment requesting access is legal equipment, and refusing the equipment requesting access to the public transmission network if the equipment requesting access is not legal.
Preferably, the gateway determining module queries the access state of the device corresponding to the acquired device ID, and if the access state of the device corresponding to the device ID is already accessed, determines that the device requesting access is an illegal device; otherwise, it determines that the device is a legal device.
Preferably, the gateway determining module performs consistency check on the relationship between the device ID and the certificate ID, and if the check is passed, determines that the device requesting access is a legal device, otherwise, determines that the device requesting access is an illegal device.
Preferably, the gateway determining module queries an access status of the device corresponding to the device ID according to the acquired device ID, and if the queried access status of the device corresponding to the device ID is not accessed, performs consistency check on a relationship between the device ID and the certificate ID, and determines that the device requesting access is a legal device when the check is passed, and otherwise determines that the device requesting access is an illegal device.
Preferably, the apparatus further comprises:
and the gateway binding module is used for binding the equipment ID and the certificate ID in advance for consistency check.
Compared with the prior art, the invention has the beneficial effects that:
1. The invention improves the security of the certificate and effectively prevents unauthorized parties from making use of a stolen device certificate;
2. By binding the certificate to the device, the invention refuses devices that illegally use a certificate access to the public transmission network, thereby ensuring the access security of the base station and of the transmission domain.
Drawings
FIG. 1 is a block diagram of a method for enhancing device certificate usage security according to an embodiment of the present invention;
FIG. 2 is a block diagram of an apparatus for enhancing device certificate usage security according to an embodiment of the present invention;
FIG. 3 is a system networking diagram for enhancing device certificate usage security provided by an embodiment of the present invention;
fig. 4 is an interaction flowchart of a base station and a security gateway for enhancing device certificate usage security according to an embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings, and it should be understood that the preferred embodiments described below are only for the purpose of illustrating and explaining the present invention, and are not to be construed as limiting the present invention.
Fig. 1 is a schematic block diagram of a method for enhancing device certificate usage security according to an embodiment of the present invention, as shown in fig. 1, the steps include:
step S101: when a device requests to access a public transport network, a gateway of the public transport network acquires a device ID and a certificate ID from the device requesting access.
Specifically, while the device requesting access to the public transport network is initiating IPsec negotiation, it sends its device ID and its certificate to the gateway of the public transport network; after receiving the device ID and the certificate, the gateway obtains the certificate ID from the certificate.
The device requesting access generates its device ID from the serial number (SN) it reads from itself, or may instead hold a device ID saved locally in advance.
Step S102: and the gateway of the public transmission network judges whether the equipment requesting access is legal equipment or not according to the acquired equipment ID and the relation between the equipment ID and the certificate ID.
Specifically, the gateway of the public transport network may determine whether the device requesting access is a legal device by the following three ways:
Mode 1: the gateway of the public transport network queries the access state of the device corresponding to the acquired device ID; if the queried access state is accessed, it judges that the device requesting access is an illegal device, otherwise it judges that the device is a legal device.
Mode 2: and the gateway of the public transmission network carries out consistency check on the relation between the equipment ID and the certificate ID, and when the check is passed, the equipment requesting access is judged to be legal equipment, otherwise, the equipment requesting access is judged to be illegal equipment.
Mode 3: and the gateway of the public transmission network inquires the access state of the equipment corresponding to the equipment ID according to the acquired equipment ID, if the inquired access state of the equipment corresponding to the equipment ID is not accessed, consistency check is carried out on the relation between the equipment ID and the certificate ID, when the check is passed, the equipment requesting access is judged to be legal equipment, otherwise, the equipment requesting access is judged to be illegal equipment. That is, only when the access state of the device corresponding to the queried device ID is not accessed and the consistency check of the relationship between the device ID and the certificate ID is passed, it is determined that the device requesting access is a valid device.
Further, before step S101, the gateway of the public transport network needs to bind the device ID and the certificate ID in advance, so that when performing the consistency check, the gateway determines whether the binding relationship between the received device ID and the certificate ID is legal by using the pre-bound device ID and the certificate ID, and if so, the check is passed, otherwise, the check is not passed. In other words, when the access state of the device corresponding to the device ID is not accessed and the relationship between the device ID and the certificate ID is consistent with the binding relationship stored in advance, it is determined that the device requesting access is a legal device, and otherwise, the device requesting access is an illegal device.
Step S103: and when the gateway of the public transmission network judges that the equipment requesting access is legal equipment, accessing the equipment requesting access to the public transmission network, and if not, refusing the equipment requesting access to the public transmission network.
Fig. 2 is a block diagram of an apparatus for enhancing device certificate usage security according to an embodiment of the present invention. As shown in fig. 2, the apparatus comprises a gateway acquisition module 10, a gateway judgment module 20 and a gateway access processing module 30.
The gateway obtaining module 10 is configured to obtain a device ID and a certificate ID from a device requesting access when the device requests access to a public transport network;
the gateway determining module 20 is configured to determine whether the device requesting access is a valid device according to the obtained device ID and the relationship between the device ID and the certificate ID;
the gateway access processing module 30 is configured to access the device requesting access to the public transmission network when it is determined that the device requesting access is a legal device, and to deny the device requesting access to the public transmission network if the device requesting access is not a legal device.
Further, the apparatus further comprises:
the gateway binding module 40 is configured to bind the device ID and the certificate ID in advance, and store the binding relationship for consistency check.
The working flow of the device is as follows:
step 1: during the period that the device requesting to access the public transport network initiates IPSEC negotiation, the gateway obtaining module 10 receives the device ID and the certificate of the device sent by the device requesting to access the public transport network, and obtains the certificate ID from the certificate.
Step 2: the gateway determining module 20 determines whether the device requesting access is a legal device.
The specific judgment mode can adopt any one of the following three modes:
Mode 1: the gateway determining module 20 queries the access state of the device corresponding to the acquired device ID; if the queried access state is accessed, it determines that the device requesting access is an illegal device, otherwise it determines that the device is a legal device.
Mode 2: the gateway determining module 20 performs a consistency check on the relationship between the device ID and the certificate ID, that is, it checks the received pair against the binding relationship between device ID and certificate ID that the gateway binding module 40 bound and stored in advance; if the check passes, it determines that the device requesting access is a legal device, otherwise an illegal device.
Mode 3: the gateway determining module 20 queries the access state of the device corresponding to the device ID according to the acquired device ID, performs consistency check on the relationship between the device ID and the certificate ID if the queried access state of the device corresponding to the device ID is not accessed, determines that the device requesting access is a legal device when the check is passed, and otherwise determines that the device requesting access is an illegal device.
And step 3: if the gateway determining module 20 determines that the device requesting access is an illegal device, the gateway access processing module 30 rejects the device requesting access to the public transmission network, otherwise, the gateway access processing module 30 accesses the device requesting access to the public transmission network.
The devices in the embodiments described in fig. 1 and fig. 2 may refer to all devices using digital certificates, and are further described below with reference to fig. 3 and fig. 4 by taking a base station as an example.
Fig. 3 is a system networking diagram for enhancing device certificate usage security according to an embodiment of the present invention. As shown in fig. 3, the system includes a plurality of base stations (AP-A, AP-B, ..., AP-N) requesting access to the public transport network, a security gateway (SeGW) in the public transport network, and a core network.
1. Security gateway presets relevant information
The corresponding relation between the base station and the certificate is configured in advance on the security gateway, specifically, the base station ID and the certificate ID are bound and stored in a database system or other equipment.
2. Base station initiates IPSEC negotiation request to security gateway
During the IPsec negotiation, a base station requesting access to the public transport network sends its unique identifier (the base station ID, or APID) to the security gateway; in the identity authentication phase of IPsec it also sends its certificate, from which the security gateway takes the CN field. The CN field can uniquely identify the certificate and therefore serves as the certificate ID.
The IPSEC negotiation request may also be initiated by the security gateway to the base station.
3. Handling of security gateways
As a first implementation, the security gateway looks up the APID and CN of the base station requesting access in the preset database. If the base station corresponding to the APID is already in the accessed state, the gateway rejects this IPsec negotiation request, refuses the base station access, and raises an alarm. If the base station corresponding to the APID is in the not-accessed state, the gateway goes on to check whether the relationship between the APID and the CN meets the requirement; if the pair is consistent with the stored certificate-to-device binding, the check passes, negotiation with the base station continues, the base station is admitted to the public transport network once negotiation succeeds, and the security gateway updates its access state to accessed. If the check fails, the base station's access is refused.
As a second implementation, the above processing may instead be carried out by a network management system. The security gateway forwards the APID and CN of the base station requesting access to the network management system, which holds the preconfigured correspondence between base stations and certificates, checks the pair against its database, and returns a verification-passed message when the APID and CN are consistent with the certificate-to-device binding, or a verification-failed message otherwise. On receiving the reply, the security gateway continues negotiation if verification passed and admits the base station to the public transport network once negotiation succeeds; if verification failed, it refuses the base station access.
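Step 2 above has the SeGW take the CN out of the base station's certificate and use it as the certificate ID. The Go program below is an added example, not code from the patent or from any vendor's gateway: it builds a throwaway operator CA (DemoPKI, constructed for the example; a real SeGW gets its trusted roots from the operator PKI) so that a device certificate with CN Nodeb01 can be issued, and shows the gateway-side extraction with the check a practitioner wants in front of it: the chain must verify against the operator root before the CN is used for the binding lookup, otherwise anyone could mint a certificate carrying the CN of a legitimate base station. The names DemoPKI, NewDemoPKI, IssueDeviceCert, CertificateID, certTemplate and selfSign are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI stands in for the operator CA that issued the base-station certificates; it is
// constructed for this example, whereas a real SeGW gets its trusted roots from the operator PKI.
type DemoPKI struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	Roots  *x509.CertPool
}

// certTemplate builds a template whose subject CN is the certificate ID the gateway reads.
func certTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// selfSign signs a template with a fresh P-256 key of its own.
func selfSign(t *x509.Certificate) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	return der, key, err
}

func NewDemoPKI() (*DemoPKI, error) {
	der, key, err := selfSign(certTemplate("Operator Device CA", 1, true))
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &DemoPKI{caCert: ca, caKey: key, Roots: pool}, nil
}

// IssueDeviceCert signs a base-station certificate with the operator CA, e.g. the one
// with CN Nodeb01 that the description binds to APID 001E7327042000021.
func (p *DemoPKI) IssueDeviceCert(cn string, serial int64) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificate(rand.Reader, certTemplate(cn, serial, false), p.caCert, &key.PublicKey, p.caKey)
}

// CertificateID is the SeGW side of step 205: validate the chain against the operator roots
// first, then return the subject CN as the certificate ID for the binding lookup. A CN taken
// from an unverified certificate would let anyone claim to be Nodeb01.
func CertificateID(der []byte, roots *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate authentication failed: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	pki, err := NewDemoPKI()
	if err != nil {
		panic(err)
	}
	genuine, _ := pki.IssueDeviceCert("Nodeb01", 1001)
	// Same CN, but self-signed: what someone who has only seen the name, and has not
	// stolen the certificate and private key, can produce.
	forged, _, _ := selfSign(certTemplate("Nodeb01", 99, true))
	fmt.Println(CertificateID(genuine, pki.Roots)) // Nodeb01 <nil>
	fmt.Println(CertificateID(forged, pki.Roots))  // "" and an unknown-authority error
}
```

In IKEv2 this validation is the CERT payload check of the authentication exchange, so the consistency check of step 3 only ever runs on a CN that has already been authenticated. Note also that RFC 5280 guarantees uniqueness of the serial number per issuer, not of the CN; whether two certificates from the operator CA can share a CN depends on its issuing policy, so issuer plus serial number is the more robust certificate ID if the binding table can store it.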
Taking a first embodiment as an example, fig. 4 provides an interaction flowchart of a base station and a security gateway for enhancing device certificate usage security, as shown in fig. 4, the steps include:
Step 201: the base station (LTE-Femto) requesting access to the public transport network reads its SN and generates its APID from it.
Step 202: the base station initiates an IPsec negotiation with the gateway (SeGW) of the public transport network and sends its base station ID (the APID) and its certificate to the gateway during the IKEv2 negotiation.
Step 203: the gateway judges whether the access state of the base station corresponding to the APID is accessed, if so, step 204 is executed, otherwise, step 205, step 206 and step 207 are executed.
Step 204: and the gateway refuses the base station which requests to access the public transmission network.
Step 205: the gateway takes the CN field from the certificate.
Step 206: the gateway judges whether the corresponding relation between the APID of the base station requesting to access the public transmission network and the CN is legal or not, and determines whether to continue negotiation to access the base station requesting to access the public transmission network or directly refuses the base station requesting to access the public transmission network according to the judgment result.
Step 207: and the gateway sends a message of continuously negotiating or refusing access to the base station requesting to access the public transmission network.
Step 208: and after the negotiation is successful, updating the access state of the base station requesting to access the public transmission network from the non-access state to the accessed state.
As the above flow shows, the invention adds very little to the existing procedure.
The following is a further description of a specific application example.
A database of the relationship between APID and CN is preset on the security gateway; Table 1 shows part of this mapping (binding) table.
TABLE 1 first mapping relation table
Serial number | APID | CN | Access status |
1 | 001E7327042000021 | Nodeb01 | OFF |
2 | 001E7327042000022 | Nodeb02 | OFF |
3 | 001E7327042000023 | Nodeb03 | OFF |
4 | 001E7327042000024 | Nodeb04 | OFF |
5 | 001E7327042000025 | Nodeb05 | OFF |
1. Application example 1
Base station A, whose APID is 001E7327042000021, initiates an IPsec negotiation request to the security gateway using the digital certificate with CN Nodeb01. From Table 1 the security gateway determines that the access status of the base station with APID 001E7327042000021 is not accessed (OFF) and that the relationship between base station A's APID and the CN matches the mapping, so the check passes: base station A is allowed to access the public transport network, and its access status in Table 1 is updated to accessed (ON), giving the database shown in Table 2.
TABLE 2 second mapping relation Table
Serial number | APID | CN | Access status |
1 | 001E7327042000021 | Nodeb01 | ON |
2 | 001E7327042000022 | Nodeb02 | OFF |
3 | 001E7327042000023 | Nodeb03 | OFF |
4 | 001E7327042000024 | Nodeb04 | OFF |
5 | 001E7327042000025 | Nodeb05 | OFF |
2. Application example 2
Base station B, whose APID is 00000000000021, has stolen base station A's digital certificate with CN Nodeb01 and uses it to initiate an IPsec negotiation request to the security gateway. The security gateway's check finds that the APID and CN pair is not a legal binding, so it refuses base station B access.
3. Application example 3
Base station C, whose APID is 00000000000031, has stolen base station A's digital certificate with CN Nodeb01 and additionally forges its reported APID as 001E7327042000021 before initiating an IPsec negotiation request to the security gateway. The security gateway determines that the base station with APID 001E7327042000021 is already on-line, so the check fails and base station C is refused access.
4. Application example 4
When the user expands the capacity, a new base station D is added, the APID of which is 001E7327042000029, and the digital certificate with CN being Nodeb09 is used, at this time, it is required to add the relevant information of the base station to the security gateway, and the updated database is shown in table 3.
When the base station D initiates an IPSEC negotiation request, the security gateway determines that the access state of the base station with an APID of 001E7327042000029 is unaccessed (OFF), and the correspondence between the APID and the CN is legal, at this time, the security gateway checks to pass, allows the base station D to access, and updates the access state in the database from unaccessed (OFF) to accessed (ON) after the negotiation is successful, as shown in table 4.
TABLE 3 third mapping relation Table
Serial number | APID | CN | Access status |
1 | 001E7327042000021 | Nodeb01 | ON |
2 | 001E7327042000022 | Nodeb02 | OFF |
3 | 001E7327042000023 | Nodeb03 | OFF |
4 | 001E7327042000024 | Nodeb04 | OFF |
5 | 001E7327042000025 | Nodeb05 | OFF |
6 | 001E7327042000029 | Nodeb09 | OFF |
TABLE 4 fourth mapping relation Table
Serial number | APID | CN | Access status |
1 | 001E7327042000021 | Nodeb01 | ON |
2 | 001E7327042000022 | Nodeb02 | OFF |
3 | 001E7327042000023 | Nodeb03 | OFF |
4 | 001E7327042000024 | Nodeb04 | OFF |
5 | 001E7327042000025 | Nodeb05 | OFF |
6 | 001E7327042000029 | Nodeb09 | ON |
5. Application example 5
Base station E, whose APID is 001E7327042000024, is operating normally using the digital certificate with CN Nodeb04; the corresponding database on the security gateway is shown in Table 5.
TABLE 5 fifth mapping relationship Table
Serial number | APID | CN | Access status |
1 | 001E7327042000021 | Nodeb01 | ON |
2 | 001E7327042000022 | Nodeb02 | OFF |
3 | 001E7327042000023 | Nodeb03 | OFF |
4 | 001E7327042000024 | Nodeb04 | ON |
5 | 001E7327042000025 | Nodeb05 | OFF |
6 | 001E7327042000029 | Nodeb09 | ON |
Now suppose the hardware of base station E develops a fault and must be returned to the factory for repair. Because the repair period is long, base station E is replaced by a new piece of hardware (APID 001E7327042000030), but the original certificate of base station E should continue to be used. This can be achieved with the following operations.
1. The original certificate of the base station E is copied into the new hardware,
2. the security gateway modifies the database and the updated database is shown in table 6.
TABLE 6 sixth mapping relation table
Serial number | APID | CN | Access status |
---|---|---|---|
1 | 001E7327042000021 | Nodeb01 | ON |
2 | 001E7327042000022 | Nodeb02 | OFF |
3 | 001E7327042000023 | Nodeb03 | OFF |
4 | 001E7327042000030 | Nodeb04 | OFF |
5 | 001E7327042000025 | Nodeb05 | OFF |
6 | 001E7327042000029 | Nodeb09 | ON |
When the device with APID 001E7327042000030 initiates an IPsec negotiation request, the security gateway's check passes, it allows the device to access, and after the negotiation succeeds it updates the database as shown in Table 7.
TABLE 7 seventh mapping relation table
Serial number | APID | CN | Access status |
---|---|---|---|
1 | 001E7327042000021 | Nodeb01 | ON |
2 | 001E7327042000022 | Nodeb02 | OFF |
3 | 001E7327042000023 | Nodeb03 | OFF |
4 | 001E7327042000030 | Nodeb04 | ON |
5 | 001E7327042000025 | Nodeb05 | OFF |
6 | 001E7327042000029 | Nodeb09 | ON |
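The gateway check that application examples 4 and 5 walk through, written out as an added Python model that is not part of the patent: a request is rejected if its device ID is already accessed (ON), rejected if the presented certificate ID is not the one bound to that device ID, and otherwise admitted and marked ON; the hardware-replacement step of example 5 moves the binding to the new APID. The APID/CN values are the page's own (Tables 3 to 7); the class name, method names and reason strings are assumptions.

```python
# Added example (not the patent's own code): a model of the security gateway
# check from the application examples above.  Table rows are the page's
# sample APID/CN values; class, method and reason strings are assumptions.
from dataclasses import dataclass

ON, OFF = "ON", "OFF"


@dataclass
class Binding:
    """One mapping-table row: the certificate ID (CN) bound to a device ID."""
    cn: str
    state: str = OFF


class SecurityGateway:
    def __init__(self, rows):
        # rows: (APID, CN, access state) tuples bound in advance by the operator
        self.table = {apid: Binding(cn, state) for apid, cn, state in rows}

    def check_access(self, apid, cn):
        """Decide an IPsec negotiation request that presents (APID, CN).
        Returns (allowed, reason); on success the access state becomes ON."""
        row = self.table.get(apid)
        if row is None:
            return False, "unknown device ID"
        if row.state == ON:
            # ID already accessed: the certificate is in use on another device
            return False, "device already accessed"
        if row.cn != cn:
            # consistency check: this certificate is not bound to this APID
            return False, "certificate not bound to device ID"
        row.state = ON  # negotiation succeeded
        return True, "access granted"

    def rebind(self, old_apid, new_apid):
        """Hardware replacement (example 5): move the CN binding of the
        repaired device to the new hardware, which starts as not accessed."""
        self.table[new_apid] = Binding(self.table.pop(old_apid).cn, OFF)


# Table 3 from the page, embedded as constructed input
TABLE_3 = [
    ("001E7327042000021", "Nodeb01", ON), ("001E7327042000022", "Nodeb02", OFF),
    ("001E7327042000023", "Nodeb03", OFF), ("001E7327042000024", "Nodeb04", OFF),
    ("001E7327042000025", "Nodeb05", OFF), ("001E7327042000029", "Nodeb09", OFF),
]
```

Running base station D (APID ...029, CN Nodeb09) through `check_access` reproduces the Table 3 to Table 4 transition, and a second request with the same APID while it is ON is rejected, which is the copied-certificate case the check is designed to catch.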
In summary, the present invention has the following technical effects:
The invention determines whether equipment requesting access to the public network is legal by using the equipment ID and/or the binding relationship between the equipment ID and the certificate ID. It thereby refuses illegal equipment, and in particular equipment that is illegally using a certificate, access to the public transmission network, improving the safety of the certificate and ensuring access safety in the transmission field.
Although the present invention has been described in detail hereinabove, the present invention is not limited thereto, and various modifications can be made by those skilled in the art in light of the principle of the present invention. Thus, modifications made in accordance with the principles of the present invention should be understood to fall within the scope of the present invention.
Claims (8)
1. A method for enhancing device certificate usage security, comprising:
when a device requests to access a public transmission network, a gateway of the public transmission network acquires a device ID and a certificate ID from the device requesting to access;
the gateway of the public transmission network inquires the access state of the equipment corresponding to the equipment ID according to the acquired equipment ID;
when the gateway of the public transmission network inquires that the access state of the equipment corresponding to the equipment ID is not accessed, carrying out consistency check on the relation between the equipment ID and the certificate ID;
and when the consistency check of the relation between the equipment ID and the certificate ID is passed, the gateway of the public transmission network judges that the equipment requesting access is not equipment using the certificate illegally, and, having so judged, allows the equipment requesting access to access the public transmission network.
2. The method of claim 1, further comprising:
and when the gateway of the public transmission network finds that the access state of the equipment corresponding to the equipment ID is accessed, judging that the equipment requesting access is equipment using the certificate illegally, and, having so judged, refusing the equipment requesting access access to the public transmission network.
3. The method of claim 1, further comprising:
and when the consistency check of the relation between the equipment ID and the certificate ID is not passed, the gateway of the public transmission network judges that the equipment requesting access is equipment using the certificate illegally, and, having so judged, refuses the equipment requesting access access to the public transmission network.
4. A method according to any of claims 1-3, wherein the gateway of the public transmission network binds the device ID with a certificate ID in advance for the consistency check.
5. An apparatus for enhancing device certificate usage security, comprising:
the gateway acquisition module is used for acquiring the equipment ID and the certificate ID from the equipment requesting access when the equipment requests to access the public transmission network;
the gateway judgment module is used for inquiring the access state of the equipment corresponding to the equipment ID according to the acquired equipment ID, performing a consistency check on the relation between the equipment ID and the certificate ID when the queried access state of the equipment corresponding to the equipment ID is not accessed, and judging that the equipment requesting access is not equipment illegally using the certificate when the consistency check on the relation between the equipment ID and the certificate ID is passed;
and the gateway access processing module is used for accessing the equipment requesting access to the public transmission network when judging that the equipment requesting access is not the equipment illegally using the certificate.
6. The apparatus according to claim 5, wherein the gateway judgment module determines that the device requesting access is a device using the certificate illegally when the queried access state of the device corresponding to the device ID is already accessed, and correspondingly, the gateway access processing module is further configured to deny the device requesting access access to the public transmission network when the gateway judgment module determines that the device requesting access is a device using the certificate illegally.
7. The apparatus according to claim 5, wherein the gateway judgment module determines that the device requesting access is a device using the certificate illegally when the consistency check performed on the relationship between the device ID and the certificate ID fails, and accordingly, the gateway access processing module is further configured to deny the device requesting access access to the public transmission network when the gateway judgment module determines that the device requesting access is a device using the certificate illegally.
8. The apparatus of any one of claims 5-7, further comprising:
and the gateway binding module is used for binding the equipment ID and the certificate ID in advance for consistency check.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510477798.3A CN106454836B (en) | 2015-08-06 | 2015-08-06 | Method and device for enhancing use safety of equipment certificate |
PCT/CN2016/070380 WO2017020546A1 (en) | 2015-08-06 | 2016-01-07 | Network access device verifying method and apparatus |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510477798.3A CN106454836B (en) | 2015-08-06 | 2015-08-06 | Method and device for enhancing use safety of equipment certificate |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106454836A CN106454836A (en) | 2017-02-22 |
CN106454836B true CN106454836B (en) | 2021-12-31 |
Family
ID=57942392
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510477798.3A Active CN106454836B (en) | 2015-08-06 | 2015-08-06 | Method and device for enhancing use safety of equipment certificate |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN106454836B (en) |
WO (1) | WO2017020546A1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115250186B (en) * | 2021-04-12 | 2024-04-16 | 顺丰科技有限公司 | Network connection authentication method, device, computer equipment and storage medium |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008096825A1 (en) * | 2007-02-07 | 2008-08-14 | Nippon Telegraph And Telephone Corporation | Certificate authenticating method, certificate issuing device, and authentication device |
CN102984115B (en) * | 2011-09-02 | 2016-03-16 | 中国长城计算机深圳股份有限公司 | A kind of network security method and client-server |
CN103096311B (en) * | 2011-10-31 | 2018-11-09 | 中兴通讯股份有限公司 | The method and system of Home eNodeB secure accessing |
CN103108326A (en) * | 2011-11-10 | 2013-05-15 | 腾讯科技(深圳)有限公司 | Session relationship establishing method and device and system |
CN103024742B (en) * | 2012-12-04 | 2015-09-02 | 广州杰赛科技股份有限公司 | Home base station network safety access method, equipment and system |
CN103051643B (en) * | 2013-01-22 | 2016-03-23 | 西安邮电大学 | Fictitious host computer secure connection dynamic establishing method and system under cloud computing environment |
CN104349322B (en) * | 2013-08-01 | 2018-06-12 | 新华三技术有限公司 | A kind of device and method that personator is detected in Wireless LAN |
CN104518874A (en) * | 2013-09-26 | 2015-04-15 | 中兴通讯股份有限公司 | Network access control method and system |
CN103618603A (en) * | 2013-11-25 | 2014-03-05 | 网神信息技术(北京)股份有限公司 | Access method and device for multi-protocol label switching network |
CN104506352B (en) * | 2014-12-24 | 2018-04-20 | 福建江夏学院 | A kind of method and system of Internet of Things data pretreatment |
- 2015-08-06 CN CN201510477798.3A patent/CN106454836B/en active Active
- 2016-01-07 WO PCT/CN2016/070380 patent/WO2017020546A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN106454836A (en) | 2017-02-22 |
WO2017020546A1 (en) | 2017-02-09 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |