Summary of the invention
To address the technical problem above, the application provides a WLAN access authentication method, apparatus and system. The technical scheme is as follows:
According to a first aspect of the application, a WLAN access authentication method is provided, the method including:
the authentication client generating a dynamic password according to a preset dynamic password algorithm and the authentication client's local identifier;
the authentication client forwarding the generated dynamic password to the authentication server through a WLAN-side device;
the authentication server verifying the dynamic password;
when the dynamic password verifies correctly, the WLAN-side device allowing the authentication client to access the corresponding WLAN.
According to a third aspect of the application, a WLAN access authentication method applied to an authentication client is provided, the method including:
generating a dynamic password according to a preset dynamic password algorithm and the authentication client's local identifier;
forwarding the generated dynamic password to the authentication server through a WLAN-side device, so that the authentication server verifies the dynamic password;
when the dynamic password verifies correctly, accessing the WLAN corresponding to the WLAN-side device.
According to a fourth aspect of the application, a WLAN access authentication method applied to an authentication server is provided, the method including:
receiving a dynamic password sent by the authentication client and forwarded through a WLAN-side device, the dynamic password being one generated by the authentication client according to a preset dynamic password algorithm and the authentication client's local identifier;
verifying the dynamic password;
sending the verification result to the WLAN-side device, so that the WLAN-side device allows the authentication client to access the corresponding WLAN when the dynamic password verifies correctly.
According to a fifth aspect of the application, a WLAN access authentication system is provided, the system including an authentication client and an authentication server, where:
the authentication client generates a dynamic password according to a preset dynamic password algorithm and the authentication client's local identifier;
the authentication client forwards the generated dynamic password to the authentication server through a WLAN-side device;
the authentication server verifies the dynamic password;
when the dynamic password verifies correctly, the WLAN-side device allows the authentication client to access the corresponding WLAN.
According to a sixth aspect of the application, a WLAN access authentication apparatus applied to an authentication client is provided, the apparatus including:
a dynamic password generation module, for generating a dynamic password according to a preset dynamic password algorithm and the authentication client's local identifier;
a dynamic password sending module, for forwarding the generated dynamic password to the authentication server through a WLAN-side device, so that the authentication server verifies the dynamic password;
an access control module, for accessing the WLAN corresponding to the WLAN-side device when the dynamic password verifies correctly.
A WLAN access authentication apparatus applied to an authentication server is also provided, the apparatus including:
a dynamic password receiving module, for receiving a dynamic password sent by the authentication client and forwarded through a WLAN-side device, the dynamic password being one generated by the authentication client according to a preset dynamic password algorithm and the authentication client's local identifier;
a dynamic password verification module, for verifying the dynamic password;
a verification result feedback module, for sending the verification result to the WLAN-side device, so that the WLAN-side device allows the authentication client to access the corresponding WLAN when the dynamic password verifies correctly.
In the technical scheme provided by the application, WLAN access authentication is realised in the form of dynamic passwords, so fixed WLAN authentication information no longer needs to be stored, and because each dynamic password is subject to a use restriction, a dynamic password captured in transit cannot be reused, which effectively reduces the security risk. In addition, with the scheme of the application the client initiates the authentication request to the WLAN-side device rather than contacting the server directly, which avoids the need for the WLAN-side device to authenticate to the server in advance and effectively reduces implementation and maintenance cost.
It should be understood that the general description above and the detailed description below are exemplary and explanatory only and do not limit the application.
Detailed description of the embodiments
To help those skilled in the art better understand the technical scheme of the application, the technical scheme in the embodiments of the application is described in detail below with reference to the drawings in those embodiments. The described embodiments are clearly only some of the embodiments of the application, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments in the application fall within the scope of protection of the application.
The threshold for setting up a WLAN is relatively low. Taking Wi-Fi as an example, anything from a smartphone or home wireless router fitted with a Wi-Fi module up to professional enterprise-grade or carrier-grade communication equipment can serve as an AP, so WLANs of all scales can be set up conveniently to meet all kinds of needs. On the other hand, for reasons of bandwidth control, security or profit, the access mode of a WLAN is often configured as "authentication required", that is, a terminal device can access the Ethernet through the WLAN only after completing the necessary identity authentication. Common identity authentication modes include authentication before accessing the AP, and authentication after accessing the AP but before accessing the Ethernet through it.
Authentication before accessing the AP means that the user must supply specific authentication information in order to access the AP. This authentication information is usually what is commonly called the "Wi-Fi password": for a given AP, once the user enters the correct Wi-Fi password, the user can access the AP and, through it, the Ethernet.
Authentication after accessing the AP but before accessing the Ethernet means that the user can access the AP without a password, but once connected, the authentication device on the WLAN side pops up a login page on the user's device; only after the user enters the corresponding user name and password can the user continue with operations such as browsing web pages or using networked apps.
To give users a better "anytime, anywhere" online experience, organisations of a certain scale may deploy APs over a wide area; such organisations typically include telecommunications carriers, public transport operators, larger hotel and restaurant chains, and so on. Taking a carrier as an example, suppose carrier X has deployed a large number of APs: as long as a user terminal can connect to any one of those APs and pass authentication, it can reach the Ethernet-based network through the WLAN service provided by carrier X.
Since the actual WLAN coverage of the various networking organisations differs, an end user in different locations may well need to access WLANs provided by different organisations. To spare the end user from separately remembering and entering the user name, password and other authentication information of each organisation, some third-party vendors provide a "unified access authentication system": the system back end interfaces with the various common WLANs and hides the different authentication procedures from the end user, who needs only one account to access all of these WLANs quickly.
One existing implementation of unified access authentication builds the unified access authentication system on a "client-server" architecture. After registering an account in the system, the end user can store one or more sets of WLAN authentication information in the system. When the user needs wireless access, the client logs in to the server with the system account, obtains the corresponding WLAN authentication information (user name, password and so on) from the server, and then uses the obtained authentication information to initiate an authentication request to the WLAN side.
For example, a user may be able to use the WLAN services provided by four organisations, China Mobile, China Unicom, a bus company and McDonald's, and hold the login user name and password needed for each of the four. After the user registers with the unified access authentication system, the system stores the user names and passwords of the four organisations under the user's account. Suppose the user now needs to access the "China Mobile" WLAN: the client of the unified access authentication system fetches the stored "China Mobile" user name and password from the server (they may also be cached locally on the client) and uses them to initiate an authentication request to the China Mobile WLAN authentication system. If the user wants to access another WLAN, the access authentication flow is similar. This approach is plainly convenient for users, but throughout the flow the user name and password used to log in to the WLAN may be transmitted over the network repeatedly, and while the client side is sending and receiving this information it is easy for an outsider to capture the network packets, so the user's WLAN user name and password can be stolen.
In view of the above problem, the application provides a WLAN access authentication scheme based on dynamic passwords.
Fig. 1 is a schematic diagram of the system architecture of the application. The interacting entities involved in the scheme are: the user terminal 100, the WLAN-side device 200 and the unified access authentication system-side device 300. The client of the unified access authentication system (hereafter simply the "authentication client") is deployed on the user terminal 100, and the server of the unified access authentication system (hereafter simply the "authentication server") is deployed on the unified access authentication system-side device 300. Note that "client" here should not be narrowly understood as a client application under a C/S (client/server) architecture; in a scheme implemented on a B/S (browser/server) architecture, the functions of the "authentication client" may equally be realised by opening a particular web page in a browser.
The WLAN-side device 200 is a collective term for the equipment of a WLAN service provider. The user terminal 100 and the unified access authentication system-side device 300 may access several WLAN service providers at the same time, and each service provider may comprise one or more related devices. A typical configuration is a set of WLAN core-function equipment plus a number of APs, where the "core-function equipment" should provide the basic Ethernet access function and the access authentication function; these functions may be integrated in one device or distributed over several. Of course, in practice the deployment architecture of the "WLAN-side device" may take many forms; for example, organisations such as hotels and restaurants may provide only the APs, while the actual Ethernet access function is still realised by the carrier's equipment. The application places no restriction on the implementation form of the "WLAN-side device" or the "core-function equipment".
A dynamic password is an unpredictable random string generated according to a specific algorithm. Each generated password carries a use restriction, for example it may be used only once, may be used only n times, or is valid only within a specified time range.
Based on the system architecture and dynamic password technique above, the application provides a WLAN access authentication method, shown in Fig. 2, which may include the following steps:
S101: the authentication client generates a dynamic password according to a preset dynamic password algorithm and the authentication client's local identifier.
Suppose the authentication client's local identifier is x_i and the dynamic password algorithm is f(x); then the dynamic password y_i = f(x_i) can be computed. In practice, besides depending on the authentication client's local identifier, the dynamic password generation algorithm may also depend on other variable parameters, such as time, events and so on.
The generated dynamic password may be processed further, for example encrypted, obfuscated, or packed together with the client identifier; the application places no restriction on this.
S102: the authentication client forwards the generated dynamic password to the authentication server through the WLAN-side device.
The authentication client first sends an access request to the WLAN-side device; the request carries at least the dynamic password generated above, and the form actually carried may be the dynamic password after processing such as encryption or packing.
On receiving the access request, the WLAN-side device may forward the access request directly to the authentication server, or forward at least the dynamic password and the client identifier that requests access. Note that the client identifier here is the client's identifier in the "unified access authentication system" (its concrete form may be a user name, a hardware identifier of the terminal device running the client, and so on), not the user name for logging in to a particular WLAN.
In addition, in practice the WLAN-side device may involve one or more interacting entities, such as an AP and an access authentication device; the application places no restriction on the interaction flow inside the WLAN-side device.
S103: the authentication server verifies the dynamic password.
After receiving the dynamic password, the authentication server verifies it. The premise for verification is that the authentication server and the authentication client have agreed in advance on an identical or corresponding algorithm. Thus, given the dynamic password y_i and the client identifier x_i (the identifier of the sender of the dynamic password), the authentication server can use the agreed algorithm to generate a new dynamic password y_i' for that client identifier and then compare y_i with y_i'; if they are consistent, verification is determined to pass.
If the authentication client used other variable parameters, such as time or events, when generating the dynamic password, the authentication server must also be able to obtain the same parameters in order to verify the dynamic password sent by the authentication client.
It will of course be understood that the authentication server may also verify y_i by inverting it; the principle is similar to the implementation above and is not described further here.
S104: when the dynamic password verifies correctly, the WLAN-side device allows the authentication client to access the corresponding WLAN.
The authentication server may return the verification result together with the client identifier to the WLAN-side device, and the WLAN-side device decides according to the verification result whether to allow the terminal device corresponding to that client identifier to access the WLAN: if the verification is correct, access is allowed; otherwise access is refused.
Alternatively, the authentication server may return a confirmation message to the WLAN-side device only when the dynamic password verifies correctly, carrying the client identifier in the message; on receiving the message, the WLAN-side device may directly allow the terminal device corresponding to that client identifier to access the WLAN.
Compared with existing unified access authentication schemes, the scheme of the application has at least the following two advantages:
In terms of the password mechanism, the application realises WLAN access authentication in the form of dynamic passwords, so fixed WLAN authentication information no longer needs to be stored, and because each dynamic password is subject to a use restriction, a dynamic password captured in transit cannot be reused, which effectively reduces the security risk.
In terms of the interaction flow, the authentication client in the scheme of the application initiates the authentication request to the WLAN-side device rather than contacting the authentication server directly. This avoids the need for the WLAN-side device to authenticate to the server in advance: the WLAN-side device does not have to add the IP address or domain name of the authentication server to a whitelist, and is unaffected by changes to that IP address or domain name, which effectively reduces the implementation and maintenance cost on the WLAN side.
The scheme of the application is explained below with reference to a specific application scenario.
Fig. 3 shows the interaction flow of an access authentication scheme applied to the scenario of "unified access authentication for the Wi-Fi of multiple carriers". The interacting parties in one authentication process are: the Wi-Fi authentication client, the carrier AP, the carrier authentication system and the Wi-Fi authentication server. The "Wi-Fi authentication client" is deployed on the user terminal device and the "Wi-Fi authentication server" on server equipment; the "carrier authentication system" may be any form of carrier network equipment entity, which the application need not restrict.
The dynamic password is generated with an OTP (One-Time Password) algorithm. OTP is currently a fairly common dynamic password algorithm; its characteristic is that at fixed intervals it generates an unpredictable, time-related combination of random digits, and each password is used only once.
An OTP algorithm produces a one-time password from a key and other variable inputs. Each OTP client holds its own key, and the server stores the same key in association with the client identifier. For the scheme of the application, "clients" may be distinguished by login user name, or by the hardware of the terminal device running the client; for example, a phone and a tablet used with the same login user name may be treated as two different clients.
In each authentication flow, the authentication client generates a dynamic password with the preset algorithm from its local key and the current variable parameters (such as time or event), and sends the dynamic password to the authentication server. Since the key, the generation algorithm and the choice of variable parameters are all agreed in advance by both sides, under normal circumstances the authentication server can verify the dynamic password using the same key, variable parameters and generation algorithm; if verification passes, the current user is deemed a legitimate user and is allowed to access the corresponding WLAN. The specific authentication flow is as follows:
S1: the Wi-Fi authentication client generates an OTP code and, combined with the client account information, generates an encrypted Token (access token).
The OTP code is generated from three parameters, time, event and key, and all three must be kept synchronised between the client and the server.
The "key" corresponds to the "client identifier": each client has its own key, and the server stores the correspondence between each client and its key. Each client's key may be unique, or several different clients may to some extent share the same key. The client identifier may be the client's login user name, the hardware identifier of the terminal device running the client (such as its MAC address), or a combination of several pieces of identification information (such as "user name + device model"); the application places no restriction on the concrete form of the client identifier.
The "event" parameter is generally easy to keep synchronised between client and server; for example, the operation currently required, such as "Wi-Fi access authentication" or "China Mobile Wi-Fi access authentication", is event information known to both the client and the server and can therefore serve as the "event" parameter. The application likewise need not restrict the concrete form of the event parameter.
The "time" parameter can be defined according to actual needs, for example: one distinct time parameter value per minute, or one per five minutes, and so on. When the client generates the OTP code and when the server verifies it, each can read the current time. Under normal circumstances the transmission delay of the dynamic password from client to server is negligible relative to the generation interval of the time parameter, so in practice the time parameter of the client and the server can basically be kept synchronised.
The access Token can be generated by encryption combined with obfuscation. The basic scheme is:
Token = Encrypt(ID, OTP Code, scramble data, key), where the parameters are explained as follows:
Encrypt() is an encryption function keyed with key; it can be realised with an algorithm such as AES. Encrypt() and key are information agreed in advance by the client and the server. Note that the "key" here is the key used to generate the Token, and is different from the key used earlier to generate the OTP code.
ID: may be the client's login user name, customer number, and so on;
OTP Code: the one-time password generated by the OTP algorithm;
Scramble data: as a preferred option, scramble data may be added when the Token is generated to increase the difficulty of cracking it; the obfuscation rule is likewise agreed in advance by the client and the server.
For example, define:
content = 6-character string + userId + OTPCode + 7-character string;
Token = AES(content, key);
Here content is spliced from four parts. Apart from userId and OTPCode, the other two parts are obfuscation information, and the scramble data may be any characters. Anyone who knows the obfuscation splicing rule can simply strip the leading 6 and trailing 7 scramble characters from content to obtain the information actually needed; anyone who does not know the splicing rule faces a markedly higher difficulty of cracking.
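The splicing rule and the server-side parse above, as an added example that is not part of the patent or any vendor's code. The page names AES for Encrypt(); to run on the Python standard library alone this example substitutes an HMAC-SHA256 counter-mode keystream with an HMAC-SHA256 tag (encrypt-then-MAC), which also rejects a modified Token before it is parsed; a production implementation would use AES-GCM in its place. The Token key, the user name and the OTP code are constructed sample values.

```python
# Added example (not the patent's code): the Token splicing rule
#   content = 6 scramble chars + userId + OTPCode + 7 scramble chars
#   Token   = Encrypt(content, key)
# and the server-side parse of step S4.  The page names AES; this example
# substitutes an HMAC-SHA256 counter-mode keystream plus an HMAC-SHA256 tag
# (encrypt-then-MAC) so it runs on the standard library; the key, user name and
# OTP code are constructed sample values.
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

OTP_LEN = 6
SCRAMBLE_HEAD, SCRAMBLE_TAIL = 6, 7
NONCE_LEN, TAG_LEN = 16, 16
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

# Constructed Token key; deliberately different from the OTP key, as the page requires.
TOKEN_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode (stand-in for the page's AES)."""
    out = b""
    for counter in range(0, n, 32):
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag with a fresh nonce per Token."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """None if the tag does not verify (modified Token or wrong key)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_token(token_key: bytes, user_id: str, otp_code: str) -> str:
    """Client side (S1): splice content per the agreed rule and encrypt it."""
    if len(otp_code) != OTP_LEN or not otp_code.isdigit():
        raise ValueError("OTP code must be %d digits" % OTP_LEN)
    head = "".join(secrets.choice(ALPHABET) for _ in range(SCRAMBLE_HEAD))
    tail = "".join(secrets.choice(ALPHABET) for _ in range(SCRAMBLE_TAIL))
    content = head + user_id + otp_code + tail
    return base64.urlsafe_b64encode(encrypt(token_key, content.encode())).decode()


def parse_token(token_key: bytes, token: str) -> Optional[Tuple[str, str]]:
    """Server side (S4): decrypt, strip the scramble data, split userId and OTPCode."""
    try:
        blob = base64.urlsafe_b64decode(token)
    except ValueError:
        return None
    content = decrypt(token_key, blob)
    if content is None or len(content) < SCRAMBLE_HEAD + OTP_LEN + SCRAMBLE_TAIL + 1:
        return None
    body = content[SCRAMBLE_HEAD:-SCRAMBLE_TAIL].decode("utf-8", errors="replace")
    user_id, otp_code = body[:-OTP_LEN], body[-OTP_LEN:]
    if not otp_code.isdigit():
        return None
    return user_id, otp_code


def demo():
    """Round-trip a Token, then show that one flipped ciphertext bit is rejected."""
    token = build_token(TOKEN_KEY, "alice", "483920")       # constructed OTP code
    parsed = parse_token(TOKEN_KEY, token)
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[NONCE_LEN + SCRAMBLE_HEAD] ^= 0x01                  # first byte of userId's ciphertext
    tampered = parse_token(TOKEN_KEY, base64.urlsafe_b64encode(bytes(raw)).decode())
    return parsed, tampered


if __name__ == "__main__":
    print(demo())   # (('alice', '483920'), None)
```

The fixed 6 and 7 scramble lengths are what lets parse_token recover userId and OTPCode unambiguously even though userId is variable length. A bare AES(content, key) with no tag gives confidentiality but not integrity, so the tag check is the piece a reviewer should look for in a real implementation; the scramble characters are obscurity rather than key material, since, as the page itself notes, anyone who knows the splicing rule strips them trivially.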
S2: the authentication client initiates a network access authentication request to the carrier's access authentication system through the carrier AP, carrying the Token generated above in the request.
S3: after receiving the network access authentication request, the carrier's access authentication system passes the Token information in the request through unchanged and initiates a client identity verification request to the authentication server.
S4: the authentication server parses the Token, obtains the OTP code, and then verifies the OTP code.
To absorb the delay introduced while the Token is forwarded through the carrier's internal equipment, the verification requirement on the time parameter can be relaxed slightly here. For example, after the authentication server reads the current time, it determines the time-section parameter T_i corresponding to the current time according to the definition rule of the time parameter, then also obtains the parameter T_(i-1) of the preceding time section, and generates OTP codes with T_(i-1) and T_i respectively; as long as either result is consistent with the OTP code sent by the client, verification can be considered passed. This avoids verification failures caused by the moment the client generated the OTP code and the moment the server verifies it falling into two different time sections.
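Steps S101 to S104, step S1 and the relaxed time check of S4, as one added example that is not the patent's or any vendor's code. The derivation of the OTP (HMAC-SHA256 over the client identifier, the event string and the time-section parameter, truncated to six digits in the manner of RFC 4226), the one-minute time section, the client identifier "user name + device model" and the key bytes are all assumptions; the page fixes none of them.

```python
# Added example (not the patent's code): time/event OTP between the authentication
# client and the authentication server, with the T_i / T_(i-1) tolerance of step S4
# and single-use enforcement.  HMAC-SHA256, 6 digits, 60-second time sections and
# the sample key/identifier below are assumptions.
import hashlib
import hmac
import struct

TIME_STEP_SECONDS = 60   # one time parameter value per minute, as in the page's example
OTP_DIGITS = 6

# Constructed sample: the server's table of client identifier -> OTP key.
CLIENT_KEYS = {
    "alice+phone-model-A": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
}


def time_parameter(now_seconds: float, step: int = TIME_STEP_SECONDS) -> int:
    """Map wall-clock time to the shared time-section parameter T_i."""
    return int(now_seconds) // step


def generate_otp(key: bytes, client_id: str, event: str, t_param: int) -> str:
    """Client side (S101 / S1): y_i = f(key, x_i, event, T_i) as a 6-digit code."""
    msg = client_id.encode() + b"\0" + event.encode() + b"\0" + struct.pack(">Q", t_param)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                               # RFC 4226 style truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** OTP_DIGITS)).zfill(OTP_DIGITS)


class AuthServer:
    """Server side (S103 / S4): re-derive the code for T_i and T_(i-1) and
    refuse to accept the same (client, time section) pair twice."""

    def __init__(self, client_keys):
        self._keys = dict(client_keys)
        self._used = set()            # (client_id, t_param) pairs already accepted

    def verify(self, client_id: str, event: str, otp: str, now_seconds: float) -> bool:
        key = self._keys.get(client_id)
        if key is None:
            return False
        t_now = time_parameter(now_seconds)
        for t in (t_now, t_now - 1):                       # current, then previous section
            if hmac.compare_digest(generate_otp(key, client_id, event, t), otp):
                if (client_id, t) in self._used:           # replay of a captured code
                    return False
                self._used.add((client_id, t))
                return True
        return False


def demo():
    """Walk the exchange: accept a code that crossed a section boundary in
    transit, reject its replay, reject a code from two sections back."""
    cid = "alice+phone-model-A"
    event = "China Mobile Wi-Fi access authentication"   # the page's example event
    key = CLIENT_KEYS[cid]
    server = AuthServer(CLIENT_KEYS)
    now = 1_700_000_099.0        # constructed: the last second of section T_i
    t_i = time_parameter(now)
    otp = generate_otp(key, cid, event, t_i)
    accepted = server.verify(cid, event, otp, now + 5)    # arrives in T_(i+1): matched as previous section
    replayed = server.verify(cid, event, otp, now + 5)    # same code again: rejected
    stale = server.verify(cid, event, generate_otp(key, cid, event, t_i - 2), now)
    return accepted, replayed, stale


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

AuthServer.verify tries T_i and then T_(i-1), which is exactly the tolerance S4 describes. The _used set is the piece the page's "each password is used only once" requires in practice: without it, the same tolerance that absorbs forwarding delay would let a Token captured on the air be replayed for up to two time sections.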
S5: the authentication server returns the verification result to the carrier's access authentication system.
S6: the carrier's access authentication system decides, according to the verification result returned by the authentication server, whether to allow the client to access Wi-Fi, and if so performs the release operation on the carrier AP.
S7: the AP returns the access release result to the authentication client, and the end user can now go online via the carrier Wi-Fi.
As a specific embodiment of the application, the scheme above can serve as a standard access scheme that the unified access authentication system uses for all Wi-Fi carriers: any carrier cooperating with the authentication system vendor only needs to integrate according to the standard process, which avoids the trouble of realising a different authentication scheme for each Wi-Fi carrier.
To explain the scheme of the application more clearly, the methods performed by the authentication client and the authentication server are described below from each side separately.
The main functions performed on the authentication client side are:
generating a dynamic password according to a preset dynamic password algorithm and the authentication client's local identifier;
forwarding the generated dynamic password to the authentication server through the WLAN-side device, so that the authentication server verifies the dynamic password;
when the dynamic password verifies correctly, the authentication client being allowed to access the WLAN corresponding to the WLAN-side device.
The main functions performed on the authentication server side are:
receiving the dynamic password sent by the authentication client and forwarded through the WLAN-side device;
verifying the received dynamic password according to the preset dynamic password algorithm;
sending the verification result to the WLAN-side device, so that the WLAN-side device allows the authentication client to access the corresponding WLAN when the dynamic password verifies correctly.
For the details of the methods performed on the authentication client side and the authentication server side, refer to the description of the preceding embodiments, which is not repeated here.
Corresponding to the method embodiments above, the application also provides a WLAN access authentication system, shown in Fig. 4, which may include an authentication client 110 and an authentication server 120, where:
the authentication client generates a dynamic password according to a preset dynamic password algorithm and the authentication client's local identifier;
the authentication client forwards the generated dynamic password to the authentication server through the WLAN-side device;
the authentication server verifies the dynamic password;
when the dynamic password verifies correctly, the WLAN-side device allows the authentication client to access the corresponding WLAN.
In a specific embodiment of the application, the dynamic password algorithm may be an OTP algorithm.
In a specific embodiment of the application, the authentication client may specifically be configured to generate an access token carrying the client identifier and the dynamic password, and to forward the generated access token to the authentication server through the WLAN-side device. The access token may be generated with AES.
In a specific embodiment of the application, the authentication server may specifically be configured to parse the dynamic password out of the access token after receiving it, and to verify the dynamic password.
As shown in Fig. 5, the application also provides a WLAN access authentication apparatus applied to an authentication client, which may include:
a dynamic password generation module 111, for generating a dynamic password according to a preset dynamic password algorithm and the authentication client's local identifier;
a dynamic password sending module 112, for forwarding the generated dynamic password to the authentication server through the WLAN-side device, so that the authentication server verifies the dynamic password;
an access control module 113, for accessing the WLAN corresponding to the WLAN-side device when the dynamic password verifies correctly.
As shown in Fig. 6, the application also provides a WLAN access authentication apparatus applied to an authentication server, which may include:
a dynamic password receiving module 121, for receiving the dynamic password sent by the authentication client and forwarded through the WLAN-side device, the dynamic password being one generated by the authentication client according to a preset dynamic password algorithm and the authentication client's local identifier;
a dynamic password verification module 122, for verifying the dynamic password;
a verification result feedback module 123, for sending the verification result to the WLAN-side device, so that the WLAN-side device allows the authentication client to access the corresponding WLAN when the dynamic password verifies correctly.
For the functions of the modules of the apparatus above and how they are realised, refer to the description in the preceding method or system embodiments, which is not repeated here.
From the description of the embodiments above, those skilled in the art can clearly understand that the application may be realised by software plus a necessary general-purpose hardware platform. On this understanding, the technical scheme of the application, or the part of it that contributes over the prior art, may in essence be embodied as a software product. The computer software product may be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform the method described in the embodiments of the application or in parts of them.
The embodiments in this specification are described progressively; identical or similar parts of the embodiments may be referred to one another, and each embodiment emphasises its differences from the others. In particular, the apparatus and system embodiments are basically similar to the method embodiments and are therefore described more briefly; for the relevant parts, refer to the explanation in the method embodiments. The apparatus and system embodiments described above are only illustrative: the modules described as separate components may or may not be physically separate, and when implementing the scheme of the application the functions of the modules may be realised in the same piece, or in several pieces, of software and/or hardware. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The above are only specific embodiments of the application. It should be noted that those of ordinary skill in the art may make improvements and modifications without departing from the principle of the application, and such improvements and modifications should also be regarded as falling within the scope of protection of the application.