CN106888455A - WLAN access authentication method, apparatus and system - Google Patents


Info

Publication number: CN106888455A (granted version: CN106888455B)
Application number: CN201610670508.1A
Authority: CN (China)
Original language: Chinese (zh)
Prior art keywords: dynamic password, wlan, authentication, access, client
Legal status: granted, active (as listed by Google Patents; not a legal conclusion)
Inventors: 刘唯实, 王远秋, 周永昶
Original assignee: Alibaba Group Holding Ltd
Current assignee (as listed): Advanced New Technologies Co Ltd / Advantageous New Technologies Co Ltd
History: application CN201610670508.1A filed by Alibaba Group Holding Ltd; published as CN106888455A; granted and published as CN106888455B.

Classifications

    • H04W 12/06 Authentication (under H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 84/12 WLAN [Wireless Local Area Networks] (under H04W 84/10 Small scale networks; Flat hierarchical networks; H04W 84/02 Hierarchically pre-organised networks)

Abstract

This application discloses a WLAN access authentication method, apparatus and system. The method includes: an authentication client generates a dynamic password from a preset dynamic-password algorithm and the client's local identifier; the authentication client forwards the generated dynamic password to the authentication server through the WLAN-side equipment; the authentication server verifies the dynamic password; if the dynamic password verifies correctly, the WLAN-side equipment allows the authentication client to access the corresponding WLAN. Because access authentication is carried out with a dynamic password, no fixed WLAN credentials need to be stored any longer, which effectively reduces the security risk.

Description

WLAN access authentication method, apparatus and system
Technical field
This application relates to the field of Internet technology, and in particular to a WLAN access authentication method, apparatus and system.
Background
A wireless local area network (WLAN) is a wireless network built on radio-frequency technology; it complements wired networks and extends their reach. Take Wi-Fi (Wireless Fidelity) as an example: Wi-Fi is currently the most widely deployed WLAN technology. A terminal device equipped with a Wi-Fi module (a PC, a smartphone, etc.) can reach the Ethernet directly once it has associated over the air with an access point (AP).
A terminal user who wants to go online in different places often faces WLANs provided by many different operators (individuals, public facilities, carriers, etc.). The user then has to remember, or enter on every use, a separate set of authentication information (user name, password, etc.) for each WLAN, which is inconvenient. To address this, some third-party vendors offer a "unified access authentication" scheme: the backend integrates the commonly used WLANs and hides the different authentication procedures from the user, so that a single account is enough to access the WLANs of different operators.
One existing implementation of unified access authentication builds the system on a client/server architecture. The server stores the login credentials for the different WLANs in advance. When the user wants to connect, the client logs in to the server with the system's internal account, fetches the credentials for the target WLAN (user name, password, etc.) from the server, and then sends an authentication request to the WLAN. The problem with this approach is that the WLAN login credentials are transmitted several times during the flow, in particular while the client sends and receives them, so they can easily be intercepted from outside by packet capture and then cracked or replayed: anyone holding the same credentials can connect to the corresponding WLAN. For a unified access authentication system in particular, a single interception can leak credentials in bulk, which is a serious security risk.
Summary of the invention
In view of the above technical problem, this application provides a WLAN access authentication method, apparatus and system, as follows:
According to a first aspect of the application, a WLAN access authentication method is provided, comprising:
an authentication client generates a dynamic password from a preset dynamic-password algorithm and the client's local identifier;
the authentication client forwards the generated dynamic password to the authentication server through the WLAN-side equipment;
the authentication server verifies the dynamic password;
if the dynamic password verifies correctly, the WLAN-side equipment allows the authentication client to access the corresponding WLAN.
According to a third aspect of the application, a WLAN access authentication method applied to the authentication client is provided, comprising:
generating a dynamic password from a preset dynamic-password algorithm and the client's local identifier;
forwarding the generated dynamic password to the authentication server through the WLAN-side equipment, so that the authentication server verifies the dynamic password;
if the dynamic password verifies correctly, accessing the WLAN that corresponds to the WLAN-side equipment.
According to a fourth aspect of the application, a WLAN access authentication method applied to the authentication server is provided, comprising:
receiving a dynamic password sent by an authentication client and forwarded by the WLAN-side equipment, the dynamic password having been generated by the authentication client from a preset dynamic-password algorithm and the client's local identifier;
verifying the dynamic password;
sending the verification result to the WLAN-side equipment, so that the WLAN-side equipment allows the authentication client to access the corresponding WLAN if the dynamic password verifies correctly.
According to a fifth aspect of the application, a WLAN access authentication system is provided, comprising an authentication client and an authentication server, where:
the authentication client generates a dynamic password from a preset dynamic-password algorithm and the client's local identifier;
the authentication client forwards the generated dynamic password to the authentication server through the WLAN-side equipment;
the authentication server verifies the dynamic password;
if the dynamic password verifies correctly, the WLAN-side equipment allows the authentication client to access the corresponding WLAN.
According to a sixth aspect of the application, a WLAN access authentication apparatus applied to the authentication client is provided, comprising:
a dynamic-password generation module, for generating a dynamic password from a preset dynamic-password algorithm and the client's local identifier;
a dynamic-password sending module, for forwarding the generated dynamic password to the authentication server through the WLAN-side equipment, so that the authentication server verifies it;
an access control module, for accessing the WLAN that corresponds to the WLAN-side equipment if the dynamic password verifies correctly.
A WLAN access authentication apparatus applied to the authentication server is also provided, comprising:
a dynamic-password receiving module, for receiving the dynamic password sent by an authentication client and forwarded by the WLAN-side equipment, the dynamic password having been generated by the authentication client from a preset dynamic-password algorithm and the client's local identifier;
a dynamic-password verification module, for verifying the dynamic password;
a verification-result feedback module, for sending the verification result to the WLAN-side equipment, so that the WLAN-side equipment allows the authentication client to access the corresponding WLAN if the dynamic password verifies correctly.
In the solution provided by this application, WLAN access authentication is performed with a dynamic password, so fixed WLAN credentials no longer need to be stored; even if a dynamic password is intercepted in transit, it cannot be reused once it has expired or been consumed, which effectively reduces the security risk. In addition, the client sends its authentication request to the WLAN-side equipment rather than directly to the authentication server, so the WLAN-side equipment does not need to pre-authorize access to the server, which effectively reduces implementation and maintenance cost.
It should be understood that the general description above and the detailed description below are exemplary and explanatory only and do not limit the application.
Brief description of the drawings
To explain the embodiments of this application, or the prior art, more clearly, the drawings needed for their description are briefly introduced below. The drawings show only some embodiments of this application; a person of ordinary skill in the art can derive other drawings from them.
Fig. 1 is a schematic diagram of the application-scenario architecture of this application;
Fig. 2 is a first flow diagram of the WLAN access authentication method of this application;
Fig. 3 is a second flow diagram of the WLAN access authentication method of this application;
Fig. 4 is a structural diagram of the WLAN access authentication system of this application;
Fig. 5 is a structural diagram of the client-side WLAN access authentication apparatus of this application;
Fig. 6 is a structural diagram of the server-side WLAN access authentication apparatus of this application.
Detailed description
To help those skilled in the art understand the technical solution of this application, it is described in detail below with reference to the drawings of its embodiments. The embodiments described are only some of the embodiments of this application, not all of them; all other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments fall within the scope of protection of this application.
The barrier to setting up a WLAN is low. Taking Wi-Fi again as the example, anything from a smartphone with a Wi-Fi module or a home wireless router up to professional enterprise-grade or carrier-grade communication equipment can act as an AP, so WLANs of every scale can be set up for every kind of need. On the other hand, for reasons of bandwidth control, security or revenue, the access mode of a WLAN is often configured as "authentication required": a terminal device can reach the Ethernet through the WLAN only after completing the required identity authentication. Common authentication modes include authentication before associating with the AP, and authentication after associating with the AP but before accessing the Ethernet.
Authentication before associating with the AP means the user must supply specific authentication information to join the AP, usually what is commonly called the "Wi-Fi password": once the user enters the correct Wi-Fi password for a given AP, the device joins the AP and can access the Ethernet.
Authentication after associating with the AP means the user can join the AP without a password, but once joined, the authentication equipment on the WLAN side pushes a login page to the user's device; only after the user enters the corresponding user name and password can they browse web pages, use networked apps and so on.
To give users a better "anytime, anywhere" online experience, organizations of a certain scale deploy APs on a large scale; typical examples are telecom carriers, public transport operators, and large hotel and restaurant chains. Taking a carrier as the example, suppose carrier X has deployed a large number of APs: a user terminal that can connect to any one of them and passes authentication can use the WLAN service provided by carrier X to access the Ethernet.
Because the coverage of the WLANs of different organizations differs, a user in different locations will very likely need to access WLANs provided by different organizations. To spare the user from remembering and entering a separate user name and password for each organization, some third-party vendors offer a "unified access authentication system": the system backend integrates the commonly used WLANs and hides the different authentication flows from the user, so that the user can quickly access all of these WLANs with a single account.
One existing implementation builds the unified access authentication system on a client/server architecture. After registering an account in the system, the user stores their credentials for one or more WLANs in it. When the user wants to connect, the client logs in to the server with the system's internal account, fetches the credentials (user name, password, etc.) for the target WLAN from the server, and then sends an authentication request to the WLAN side using those credentials.
For example, a user may subscribe to WLAN services from four organizations, China Mobile, China Unicom, a public transport company and McDonald's, and hold a separate login user name and password for each. After the user registers with the unified access authentication system, the system stores all four sets of credentials under the user's account. When the user wants to access the China Mobile WLAN, the system's client fetches the stored China Mobile user name and password from the server (or from a local cache on the client) and uses them to send an authentication request to the China Mobile WLAN authentication system. Accessing another WLAN follows the same flow. This is convenient for the user, but the WLAN user name and password may be transmitted over the network several times during the flow, in particular while the client sends and receives them, and can easily be captured from outside, so that the user's WLAN credentials are stolen.
To address this problem, this application provides a WLAN access authentication scheme based on dynamic passwords.
Fig. 1 shows the system architecture of this application. The interacting entities are: the user terminal 100, the WLAN-side equipment 200 and the unified access authentication system-side equipment 300. The user terminal 100 runs the client of the unified access authentication system (hereinafter the "authentication client"), and the system-side equipment 300 runs its server (hereinafter the "authentication server"). Note that "client" here should not be read narrowly as a client application in a C/S (client/server) architecture; in a scheme built on a B/S (browser/server) architecture, the functions of the authentication client can also be realized by opening a specific web page in a browser.
The WLAN-side equipment 200 is a collective term for the equipment of a WLAN service provider. The user terminal 100 and the system-side equipment 300 may be connected to several WLAN service providers at the same time, and each provider may consist of one or more devices. A typical deployment is a set of WLAN core-function equipment plus a number of APs, where the core-function equipment provides basic Ethernet access and access authentication; these functions may be integrated in one device or distributed over several. In practice the deployment of the WLAN-side equipment varies: hotels, restaurants and similar organizations may provide only the APs, with Ethernet access still realized by a carrier's equipment. This application does not restrict the concrete form of the WLAN-side equipment or of the core-function equipment.
A dynamic password is an unpredictable random character string generated according to a specific algorithm. Each generated password carries a usage restriction, for example it may be used only once, only n times, or only within a specified period of time.
Based on the above system architecture and dynamic-password technique, this application provides a WLAN access authentication method, shown in Fig. 2, which may comprise the following steps:
S101. The authentication client generates a dynamic password from the preset dynamic-password algorithm and the client's local identifier.
Suppose the client's local identifier is x_i and the dynamic-password algorithm is f(x); then the dynamic password is y_i = f(x_i). In practice the generation algorithm may depend not only on the client identifier but also on other variable parameters, such as the time or an event.
The generated dynamic password may be processed further, for example encrypted, obfuscated, or packed together with the client identifier; the application does not limit this.
S102. The authentication client forwards the generated dynamic password to the authentication server through the WLAN-side equipment.
The authentication client first sends an access request to the WLAN-side equipment, carrying at least the generated dynamic password; the form actually carried may be the dynamic password after encryption, packing and so on.
After receiving the access request, the WLAN-side equipment may forward the request to the authentication server as it is, or forward at least the dynamic password and the identifier of the requesting client. The client identifier here is the client's identifier within the unified access authentication system (concretely a user name, a hardware identifier of the terminal running the client, etc.), not the user name used to log in to a particular WLAN.
In practice the WLAN-side equipment may involve one or more interacting entities (AP, access authentication equipment, etc.); the application does not limit the interaction flow inside the WLAN-side equipment.
S103. The authentication server verifies the dynamic password.
After receiving the dynamic password, the authentication server verifies it. The precondition for verification is that the server and the client have agreed in advance on the same, or corresponding, algorithms. Given the dynamic password y_i and the client identifier x_i (the identifier of the sender of the dynamic password), the server uses the agreed algorithm to generate a fresh dynamic password y_i' for that client identifier and compares y_i with y_i'; if they match, the verification passes.
If the client used other variable parameters (time, event, etc.) when generating the dynamic password, the server must be able to obtain the same parameters in order to verify the dynamic password the client sent.
The server can of course also verify y_i by inverting it; the principle is similar to the above and is not described further.
S104. If the dynamic password verifies correctly, the WLAN-side equipment allows the authentication client to access the corresponding WLAN.
The authentication server may return the verification result together with the client identifier to the WLAN-side equipment, which then decides from the result whether the terminal device corresponding to that client identifier may access the WLAN: access is allowed if the verification succeeded and refused otherwise.
Alternatively, the authentication server may return a confirmation message to the WLAN-side equipment only when the verification succeeds, carrying the client identifier; on receiving that message, the WLAN-side equipment directly allows the terminal device corresponding to the client identifier to access the WLAN.
Compared with existing unified access authentication schemes, the scheme of this application has at least the following two advantages:
Password mechanism: WLAN access authentication uses a dynamic password, so fixed WLAN credentials no longer need to be stored, and a dynamic password intercepted in transit cannot be reused once it has expired or been consumed, which effectively reduces the security risk.
Interaction flow: the authentication client sends its authentication request to the WLAN-side equipment rather than directly to the authentication server. This removes the need for the WLAN-side equipment to pre-authorize access to the server, i.e. to add the server's IP address or domain name to its whitelist, and makes it insensitive to changes of the server's IP address or domain name, which effectively reduces implementation and maintenance cost on the WLAN side.
The scheme of the application is described below with reference to a specific application scenario.
Fig. 3 shows the interaction flow of an access authentication scheme for the scenario "unified access authentication for the Wi-Fi of several carriers". The parties interacting in one authentication are: the Wi-Fi authentication client, the carrier AP, the carrier authentication system and the Wi-Fi authentication server. The Wi-Fi authentication client runs on the user's terminal device, the Wi-Fi authentication server on server equipment, and the carrier authentication system can be any form of carrier network equipment; the application does not restrict it.
The dynamic password is generated with an OTP (One-Time Password) algorithm. OTP is currently a widely used dynamic-password algorithm: at fixed intervals it generates an unpredictable random digit combination tied to the current time, and each password is used only once.
An OTP algorithm produces a one-time password from a key and other variable inputs. Each OTP client owns its own key, and the server stores the same key against the client identifier. In this scheme, clients may be distinguished by login user name or by the hardware of the terminal running the client; for example, the mobile phone and the tablet used with the same login user name can be treated as two different clients.
In each authentication flow, the authentication client generates a dynamic password from its local key and the current variable parameter (time, event, etc.) with the preset algorithm, and sends the dynamic password to the authentication server. Since the key, the generation algorithm and the choice of variable parameter are all agreed in advance by both sides, the authentication server can normally recompute with the same key, variable parameter and algorithm and so verify the dynamic password; if the verification passes, the current user is considered legitimate and is allowed to access the corresponding WLAN. The specific authentication flow is as follows:
S1. The Wi-Fi authentication client generates the OTP code and combines it with the client's account information into an encrypted access token (Token).
The OTP code is generated from three parameters: time, event and key. All three must be kept synchronized between client and server.
The key corresponds to the client identifier: each client owns its own key, and the server stores the mapping from each client to its key. Keys may be unique per client, or, to some extent, several different clients may share one key. The client identifier may be the client's login user name, a hardware identifier of the terminal running the client (such as a MAC address), or a combination of several identifiers (such as "user name + device model"); the application does not restrict its concrete form.
The event parameter is usually easy to keep synchronized between client and server: for example, "Wi-Fi access authentication" or "China Mobile Wi-Fi access authentication" is information known to both sides and can serve as the event parameter. The application does not restrict the concrete form of the event parameter either.
The time parameter can be defined as required, for example one distinct value per minute, or one distinct value per five minutes. Both the client, when generating the OTP code, and the server, when verifying it, read the current time; the transmission delay of the dynamic password from client to server is normally negligible relative to the step length of the time parameter, so in practice the time parameters on both sides stay synchronized.
The access token Token can be generated by encryption combined with obfuscation; the basic scheme is:
Token = Encrypt(ID, OTP Code, scramble data, key), where the parameters are:
Encrypt() is a symmetric encryption function keyed with key, which can be realized with AES or a similar algorithm. Both Encrypt() and key are agreed between client and server in advance. Note that the key used here to generate the Token is different from the key used to generate the OTP code.
ID: the client's login user name, user number, etc.;
OTP Code: the one-time password generated by the OTP algorithm;
Scramble data: as a preferred option, scramble data is added when generating the Token to make it harder to crack; the obfuscation rule is likewise agreed between client and server in advance.
For example, define:
content = 6-character string + userId + OTPCode + 7-character string;
Token = AES(content, key);
Here content is spliced from four parts: apart from userId and OTPCode, the other two parts are scramble data and may be any characters. Whoever knows the splicing rule simply removes the first 6 and the last 7 characters of content to obtain the information actually needed; without knowledge of the splicing rule, cracking becomes noticeably harder.
S2: the authentication client initiates a network access authentication request to the operator's access authentication system via the operator AP, carrying the Token generated above in the request;
S3: after receiving the network access authentication request, the operator's access authentication system transparently forwards the Token information in the request and initiates a client identity verification request to the authentication server;
S4: the authentication server parses the Token to obtain the OTP code, and then verifies the OTP code.
To eliminate the effect of the delay while the Token is forwarded through the operator's internal devices, the verification requirement on the time parameter may be relaxed appropriately here. For example: after obtaining the current time, the authentication server determines, according to the definition rule of the time parameter, the time section parameter Ti corresponding to the current time, and then also obtains the parameter Ti-1 of the previous time section. It then generates an OTP code with Ti-1 and another with Ti; if either result is consistent with the OTP code sent by the client, the verification is considered passed. This avoids the inconsistent verification result that would otherwise arise when the moment at which the client generates the OTP code and the moment at which the server verifies it fall into two different time sections.
S5: the authentication server returns the verification result to the operator's access authentication system;
S6: the operator's access authentication system decides, according to the verification result returned by the authentication server, whether to allow the client to access the Wi-Fi, and if so performs a clearance operation on the operator AP;
S7: the AP returns the access clearance result to the authentication client, and the end user can now go online through the operator's Wi-Fi.
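The Token layout given above (6 scramble characters + userId + OTPCode + 7 scramble characters, encrypted under a key separate from the OTP key), the Ti/Ti-1 acceptance window of step S4, and the S1 to S7 exchange, carried through in Go as an added example. This is not code from the patent or from its applicant. Everything the text leaves open is an assumption here: a 60-second time step, a 6-digit OTP derived with HMAC-SHA256 from the client's local identifier and Ti, AES-GCM as the concrete Encrypt(), hexadecimal scramble characters, demo key values, and a server-side registry that maps each userId to the local identifier registered for it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Assumed parameters: 60 s time step, 6-digit OTP, and the page's 6/7-character scramble layout.
const stepSeconds, otpDigits, headLen, tailLen = 60, 6, 6, 7

// Demo keys only. otpKey is used for the OTP code; tokenKey is the separate key Encrypt() uses (AES-256).
var otpKey = []byte("shared-otp-key-for-demo-only")
var tokenKey = []byte("0123456789abcdef0123456789abcdef")

func timeStep(nowUnix int64) int64 { return nowUnix / stepSeconds } // Unix time -> time-section parameter Ti

// generateOTP derives the OTP code from the client's local identifier and Ti with HMAC-SHA256
// (assumption: the page does not fix the OTP algorithm).
func generateOTP(localID string, step int64) string {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], uint64(step))
	mac := hmac.New(sha256.New, otpKey)
	mac.Write([]byte(localID))
	mac.Write(ctr[:])
	code := binary.BigEndian.Uint32(mac.Sum(nil)[:4]) % 1000000
	return fmt.Sprintf("%0*d", otpDigits, code)
}

// tokenCipher is Encrypt(): AES-GCM, chosen so that a modified Token fails to decrypt at all.
func tokenCipher() cipher.AEAD {
	block, _ := aes.NewCipher(tokenKey) // cannot fail: key length is fixed above
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// buildToken implements Token = AES(scramble6 + userId + OTPCode + scramble7, key) (step S1).
func buildToken(userID, otp string) string {
	gcm := tokenCipher()
	buf := make([]byte, 7+gcm.NonceSize()) // 3+4 bytes of scramble data, then the GCM nonce
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	head, tail, nonce := hex.EncodeToString(buf[:3]), hex.EncodeToString(buf[3:7])[:7], buf[7:]
	return hex.EncodeToString(gcm.Seal(nonce, nonce, []byte(head+userID+otp+tail), nil))
}

// parseToken decrypts the Token and strips the scramble data (the server's half of S4).
func parseToken(token string) (userID, otp string, err error) {
	raw, err := hex.DecodeString(token)
	if err != nil {
		return "", "", err
	}
	gcm := tokenCipher()
	if len(raw) < gcm.NonceSize() {
		return "", "", fmt.Errorf("token too short")
	}
	content, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", "", fmt.Errorf("token failed authentication")
	}
	if len(content) <= headLen+otpDigits+tailLen {
		return "", "", fmt.Errorf("token content too short")
	}
	body := content[headLen : len(content)-tailLen]
	return string(body[:len(body)-otpDigits]), string(body[len(body)-otpDigits:]), nil
}

type authServer struct{ localIDs map[string]string } // userId -> registered local identifier (assumed)

// verify accepts the OTP for Ti or Ti-1, the relaxed window the page describes.
func (s authServer) verify(token string, nowUnix int64) (string, bool, error) {
	userID, otp, err := parseToken(token)
	if err != nil {
		return "", false, err
	}
	localID, known := s.localIDs[userID]
	if !known {
		return userID, false, nil
	}
	for _, step := range []int64{timeStep(nowUnix), timeStep(nowUnix) - 1} {
		if hmac.Equal([]byte(generateOTP(localID, step)), []byte(otp)) {
			return userID, true, nil
		}
	}
	return userID, false, nil
}

func main() {
	srv := authServer{localIDs: map[string]string{"alice": "device-local-id-A"}}
	// S1 at t=119 s (Ti=1); S2/S3 forward the Token unchanged; S4 verifies at t=121 s (Ti=2).
	token := buildToken("alice", generateOTP("device-local-id-A", timeStep(119)))
	fmt.Println(srv.verify(token, 121)) // accepted through the Ti-1 fallback
	fmt.Println(srv.verify(token, 181)) // Ti=3: outside {Ti, Ti-1}, refused
}
```

Two points a practitioner would check against this scheme. The page's AES(content, key) names no mode: with an unauthenticated mode the scramble data only hides where the fields begin and end, whereas with AES-GCM a forged or modified Token is rejected before any OTP comparison takes place, so the scramble characters add nothing cryptographically and survive here only to keep the page's layout. The page also does not discuss replay: a Token captured on the air remains acceptable for the rest of section Ti and all of Ti+1 (just under two minutes with these parameters), so a deployment would additionally record accepted (userId, Ti) pairs and refuse a repeat.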
As a specific embodiment of the present application, the above scheme can serve as a standard access scheme that the unified access authentication system uses for all Wi-Fi operators: any operator cooperating with the vendor of the authentication system only needs to be connected according to the normal process, which avoids the trouble of implementing a variety of different authentication schemes for different Wi-Fi operators.
To illustrate the scheme of the present application more clearly, the methods performed by the authentication client and by the authentication server are described below, each from its own side:
The main functions performed on the authentication client side include:
generating a dynamic password according to a preset dynamic password algorithm and the authentication client's local identifier;
forwarding the generated dynamic password to the authentication server via the wireless local area network side device, so that the authentication server verifies the dynamic password;
where the dynamic password verifies correctly, the authentication client is allowed to access the wireless local area network corresponding to the wireless local area network side device.
The main functions performed on the authentication server side include:
receiving the dynamic password sent by the authentication client and forwarded via the wireless local area network side device;
verifying the received dynamic password according to the preset dynamic password algorithm;
sending the verification result to the wireless local area network side device, so that, where the dynamic password verifies correctly, the wireless local area network side device allows the authentication client to access the corresponding wireless local area network.
For details of the methods performed on the authentication client side and on the authentication server side, refer to the description of the preceding embodiments, which is not repeated here.
Corresponding to the above method embodiments, the present application also provides a wireless local area network access authentication system, shown in Fig. 4, which may include an authentication client 110 and an authentication server 120;
the authentication client generates a dynamic password according to a preset dynamic password algorithm and the authentication client's local identifier;
the authentication client forwards the generated dynamic password to the authentication server via the wireless local area network side device;
the authentication server verifies the dynamic password;
where the dynamic password verifies correctly, the wireless local area network side device allows the authentication client to access the corresponding wireless local area network.
In a specific embodiment of the present application, the dynamic password algorithm may be the OTP algorithm.
In a specific embodiment of the present application, the authentication client may be specifically configured to:
generate an access token carrying the client identifier and the dynamic password, and forward the generated access token to the authentication server via the wireless local area network side device. The access token may be generated using AES.
In a specific embodiment of the present application, the authentication server may be specifically configured to:
after receiving the access token, parse the dynamic password out of the access token and verify the dynamic password.
As shown in Fig. 5, the present application also provides a wireless local area network access authentication apparatus applied to an authentication client. The apparatus may include:
a dynamic password generation module 111, configured to generate a dynamic password according to a preset dynamic password algorithm and the authentication client's local identifier;
a dynamic password sending module 112, configured to forward the generated dynamic password to the authentication server via the wireless local area network side device, so that the authentication server verifies the dynamic password;
an access control module 113, configured to access the wireless local area network corresponding to the wireless local area network side device where the dynamic password verifies correctly.
As shown in Fig. 6, the present application also provides a wireless local area network access authentication apparatus applied to an authentication server. The apparatus may include:
a dynamic password receiving module 121, configured to receive the dynamic password sent by the authentication client and forwarded via the wireless local area network side device, the dynamic password being one that the authentication client generated according to a preset dynamic password algorithm and the authentication client's local identifier;
a dynamic password verification module 122, configured to verify the dynamic password;
a verification result feedback module 123, configured to send the verification result to the wireless local area network side device, so that, where the dynamic password verifies correctly, the wireless local area network side device allows the authentication client to access the corresponding wireless local area network.
For the functions of the modules of the above apparatuses and the processes by which they take effect, refer to the description in the preceding method or system embodiments, which is not repeated here.
From the above description of the embodiments, those skilled in the art can clearly understand that the present application can be implemented by software together with a necessary general-purpose hardware platform. On this understanding, the technical solution of the present application, or the part of it that contributes over the prior art, may in essence be embodied in the form of a software product. The computer software product may be stored in a storage medium such as ROM/RAM, magnetic disk or optical disc, and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method described in the embodiments of the present application or in certain parts of them.
The embodiments in this specification are described progressively; for the parts that the embodiments have in common, reference may be made from one to another, and each embodiment focuses on what distinguishes it from the others. In particular, the apparatus and system embodiments are described relatively simply because they are substantially similar to the method embodiments; for the relevant parts, refer to the partial description of the method embodiments. The apparatus and system embodiments described above are merely illustrative: the modules described as separate components may or may not be physically separate, and when the scheme of the present application is implemented the functions of the modules may be realized in the same piece of software and/or hardware or in several. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The above are merely specific embodiments of the present application. It should be noted that those of ordinary skill in the art may also make several improvements and modifications without departing from the principles of the present application, and these improvements and modifications should likewise be regarded as within the scope of protection of the present application.

Claims (16)

1. A wireless local area network access authentication method, characterized in that the method comprises:
the authentication client generates a dynamic password according to a preset dynamic password algorithm and the authentication client's local identifier;
the authentication client forwards the generated dynamic password to the authentication server via a wireless local area network side device;
the authentication server verifies the dynamic password;
where the dynamic password verifies correctly, the wireless local area network side device allows the authentication client to access the corresponding wireless local area network.
2. The method according to claim 1, characterized in that the authentication client forwarding the generated dynamic password to the authentication server via a wireless local area network side device comprises:
the authentication client sends the dynamic password to a wireless local area network access point;
the wireless local area network access point sends the dynamic password to a wireless local area network access authentication device;
the wireless local area network access authentication device sends the dynamic password to the authentication server.
3. The method according to claim 2, characterized in that the wireless local area network side device allowing the authentication client to access where the dynamic password verifies correctly comprises:
the authentication server sends the verification result to the wireless local area network access authentication device;
where the dynamic password verifies correctly, the wireless local area network access authentication device allows the authentication client to access the corresponding wireless local area network.
4. The method according to claim 1, characterized in that the dynamic password algorithm is the OTP algorithm.
5. The method according to claim 1, characterized in that the authentication client forwarding the generated dynamic password to the authentication server via a wireless local area network side device comprises:
the authentication client generates an access token carrying the client identifier and the dynamic password, and forwards the generated access token to the authentication server via the wireless local area network side device.
6. The method according to claim 5, characterized in that the authentication server verifying the dynamic password comprises:
after receiving the access token, the authentication server parses the dynamic password out of the access token and verifies the dynamic password.
7. The method according to claim 5 or 6, characterized in that the access token is generated using AES.
8. A wireless local area network access authentication method applied to an authentication client, characterized in that the method comprises:
generating a dynamic password according to a preset dynamic password algorithm and the authentication client's local identifier;
forwarding the generated dynamic password to the authentication server via a wireless local area network side device, so that the authentication server verifies the dynamic password;
where the dynamic password verifies correctly, accessing the wireless local area network corresponding to the wireless local area network side device.
9. A wireless local area network access authentication method applied to an authentication server, characterized in that the method comprises:
receiving a dynamic password sent by an authentication client and forwarded via a wireless local area network side device, the dynamic password being one that the authentication client generated according to a preset dynamic password algorithm and the authentication client's local identifier;
verifying the dynamic password;
sending the verification result to the wireless local area network side device, so that, where the dynamic password verifies correctly, the wireless local area network side device allows the authentication client to access the corresponding wireless local area network.
10. A wireless local area network access authentication system, characterized in that the system comprises an authentication client and an authentication server;
the authentication client generates a dynamic password according to a preset dynamic password algorithm and the authentication client's local identifier;
the authentication client forwards the generated dynamic password to the authentication server via a wireless local area network side device;
the authentication server verifies the dynamic password;
where the dynamic password verifies correctly, the wireless local area network side device allows the authentication client to access the corresponding wireless local area network.
11. The system according to claim 10, characterized in that the dynamic password algorithm is the OTP algorithm.
12. The system according to claim 10, characterized in that the authentication client is specifically configured to:
generate an access token carrying the client identifier and the dynamic password, and forward the generated access token to the authentication server via the wireless local area network side device.
13. The system according to claim 12, characterized in that the authentication server is specifically configured to:
after receiving the access token, parse the dynamic password out of the access token and verify the dynamic password.
14. The system according to claim 12 or 13, characterized in that the access token is generated using AES.
15. A wireless local area network access authentication apparatus applied to an authentication client, characterized in that the apparatus comprises:
a dynamic password generation module, configured to generate a dynamic password according to a preset dynamic password algorithm and the authentication client's local identifier;
a dynamic password sending module, configured to forward the generated dynamic password to the authentication server via a wireless local area network side device, so that the authentication server verifies the dynamic password;
an access control module, configured to access the wireless local area network corresponding to the wireless local area network side device where the dynamic password verifies correctly.
16. A wireless local area network access authentication apparatus applied to an authentication server, characterized in that the apparatus comprises:
a dynamic password receiving module, configured to receive a dynamic password sent by an authentication client and forwarded via a wireless local area network side device, the dynamic password being one that the authentication client generated according to a preset dynamic password algorithm and the authentication client's local identifier;
a dynamic password verification module, configured to verify the dynamic password;
a verification result feedback module, configured to send the verification result to the wireless local area network side device, so that, where the dynamic password verifies correctly, the wireless local area network side device allows the authentication client to access the corresponding wireless local area network.
CN201610670508.1A 2016-08-15 2016-08-15 Wireless local area network access authentication method, device and system Active CN106888455B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610670508.1A CN106888455B (en) 2016-08-15 2016-08-15 Wireless local area network access authentication method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610670508.1A CN106888455B (en) 2016-08-15 2016-08-15 Wireless local area network access authentication method, device and system

Publications (2)

Publication Number Publication Date
CN106888455A true CN106888455A (en) 2017-06-23
CN106888455B CN106888455B (en) 2020-12-15

Family

ID=59176756

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610670508.1A Active CN106888455B (en) 2016-08-15 2016-08-15 Wireless local area network access authentication method, device and system

Country Status (1)

Country Link
CN (1) CN106888455B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109286932A (en) * 2017-07-20 2019-01-29 阿里巴巴集团控股有限公司 Networking authentication method, apparatus and system
CN109286932B (en) * 2017-07-20 2021-10-19 阿里巴巴集团控股有限公司 Network access authentication method, device and system
US11616775B2 (en) 2017-07-20 2023-03-28 Alibaba Group Holding Limited Network access authentication method, apparatus, and system
CN112636910A (en) * 2020-12-29 2021-04-09 北京深思数盾科技股份有限公司 Method, device and system for generating and verifying temporary password
CN112636910B (en) * 2020-12-29 2021-08-24 北京深思数盾科技股份有限公司 Method, device and system for generating and verifying temporary password

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140304789A1 (en) * 2013-04-05 2014-10-09 International Business Machines Corporation Convenient one-time password
CN104717218A (en) * 2015-03-19 2015-06-17 北京云安世纪科技有限公司 Wifi certification system and method
CN104994118A (en) * 2015-08-11 2015-10-21 吴培希 WiFi authentication system and method based on dynamic password
CN105069619A (en) * 2015-07-17 2015-11-18 上海众人网络安全技术有限公司 On-line fast payment system and payment method thereof
CN105101191A (en) * 2014-05-23 2015-11-25 宇龙计算机通信科技(深圳)有限公司 Method and apparatus for WLAN security mechanism setup
CN105516970A (en) * 2015-11-17 2016-04-20 上海礼源网络科技有限公司 WIFI authentication method, intelligent router, and Internet access system



Also Published As

Publication number Publication date
CN106888455B (en) 2020-12-15


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code: ref country code HK; ref legal event code DE; ref document number 1238068; country of ref document HK
TA01 Transfer of patent application right; effective date of registration 20200922; applicant before: Advanced innovation technology Co.,Ltd.; applicant after: Innovative advanced technology Co.,Ltd. (address before and after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands)
TA01 Transfer of patent application right; effective date of registration 20200922; applicant before: Alibaba Group Holding Ltd. (A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands); applicant after: Advanced innovation technology Co.,Ltd. (Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands)
GR01 Patent grant