CN108966233B - Network access control method and device - Google Patents


Publication number
CN108966233B
Authority
CN
China
Prior art keywords
key
target
user terminal
encrypted file
communication network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811103336.5A
Other languages
Chinese (zh)
Other versions
CN108966233A (en)
Inventor
赵佩莹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Jingsheng Technology Co ltd
Original Assignee
Sichuan Jingsheng Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan Jingsheng Technology Co ltd
Priority to CN201811103336.5A
Publication of CN108966233A
Application granted
Publication of CN108966233B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application provides a network access control method and device. The method comprises the following steps: when the user terminal successfully finds the target key of the target AP, the network access request and the first key are encrypted with the target key to obtain a first encrypted file, and the first encrypted file is sent to the target AP; the target AP decrypts the first encrypted file using the target key, generates an access permission message, and generates a permission key according to the first key, the target key and the key generation strategy of the target AP; the target AP encrypts the access permission message with the permission key to obtain a second encrypted file and sends it to the user terminal; the user terminal searches for the key generation strategy of the target AP and, when it is found, generates a second key according to the first key, the target key and the found key generation strategy; and when the user terminal successfully decrypts the second encrypted file with the second key, it accesses the communication network corresponding to the target AP. The method can carry out bidirectional authentication between the communication network and the user terminal, and improves network connection security.

Description

Network access control method and device
Technical Field
The present application relates to the field of network connection management and control technologies, and in particular, to a network access management and control method and apparatus.
Background
With the continuous development of science and technology, in order to ensure network connection security and independence, an AP (Access Point) deployed in a communication network generally performs one-way authentication of a user terminal when the user terminal accesses the communication network, so as to determine whether the user terminal has the access right to access the communication network corresponding to the AP. However, this authentication method is only authentication of the user terminal by the communication network; it provides no means for the user terminal to authenticate the communication network in turn, and thus the security of the overall network connection is not very strong.
Disclosure of Invention
In order to overcome the above disadvantages in the prior art, an object of the present application is to provide a method and an apparatus for network access management and control, which can perform bidirectional authentication between a communication network and a user terminal to improve the overall network connection security.
In terms of a method, an embodiment of the present application provides a network access control method for controlling an access status of a user terminal accessing a communication network, where at least one wireless access point AP is deployed under the communication network, the method including:
the user terminal searches a target key of a selected target AP from keys of all stored APs, encrypts a network access request and a first key of the user terminal by using the target key when the target key is searched to obtain a first encrypted file, and sends the first encrypted file to the target AP;
the target AP decrypts the first encrypted file by using the target key corresponding to the target AP to obtain the network access request and the first key;
the target AP responds to the network access request, generates an access permission message matched with the network access request, and generates a corresponding permission key according to the first key, the target key and a key generation strategy corresponding to the target AP;
the target AP encrypts the access permission message by using the generated permission key to obtain a second encrypted file, and sends the second encrypted file to the user terminal;
the user terminal searches a key generation strategy corresponding to the target AP from stored key generation strategies corresponding to the APs, and generates a second key according to the first key, the target key and the searched key generation strategy when the key generation strategy is searched;
and the user terminal decrypts the received second encrypted file by using the second key and accesses the communication network corresponding to the target AP based on the access permission message in the second encrypted file when the decryption is successful.
As to a method, an embodiment of the present application further provides a network access control method, applied to a user terminal, for controlling an access status of the user terminal to a communication network, where at least one wireless access point AP is deployed under the communication network, and the method includes:
searching a target key of a selected target AP from keys of all stored APs, encrypting a network access request and a first key of the user terminal by using the target key when the target key is searched to obtain a first encrypted file, and sending the first encrypted file to the target AP so that the target AP feeds back a second encrypted file comprising an access permission message according to the first encrypted file;
searching a key generation strategy corresponding to the target AP in stored key generation strategies corresponding to the APs, and generating a second key according to the first key, the target key and the searched key generation strategy when the key generation strategy corresponding to the target AP is searched;
and decrypting the received second encrypted file by using the second key, and accessing the communication network corresponding to the target AP based on the access permission message in the second encrypted file when the decryption is successful.
As to a method, an embodiment of the present application further provides a network access control method, which is applied to each wireless access point AP deployed in the same communication network, and is used to control an access status of a user terminal accessing the communication network, where the method includes:
receiving a first encrypted file from the user terminal, and decrypting the first encrypted file by using a key corresponding to the first encrypted file to obtain a network access request and a first key of the user terminal;
responding to the network access request, generating an access permission message matched with the network access request, and generating a corresponding permission key according to the first key, the AP's own key and the key generation strategy corresponding to the AP;
and encrypting the access permission message by using the generated permission key to obtain a second encrypted file, and sending the second encrypted file to the user terminal so that the user terminal decrypts the second encrypted file and accesses the communication network based on the access permission message in the second encrypted file when the decryption is successful.
As for an apparatus, an embodiment of the present application provides a network access control apparatus, which is applied to a user terminal, and is configured to control an access status of the user terminal to a communication network, where at least one wireless access point AP is deployed under the communication network, and the apparatus includes:
the searching encryption module is used for searching a target key of a selected target AP from keys of all stored APs, encrypting a network access request and a first key of the user terminal by using the target key when the target key is searched to obtain a first encrypted file, and sending the first encrypted file to the target AP so that the target AP feeds back a second encrypted file comprising an access permission message according to the first encrypted file;
the key generation module is used for searching the key generation strategy corresponding to the target AP in the stored key generation strategies corresponding to the APs, and generating a second key according to the first key, the target key and the searched key generation strategy when the key generation strategy is searched;
and the key decryption module is used for decrypting the received second encrypted file by using the second key and accessing the communication network corresponding to the target AP based on the access permission message in the second encrypted file when the decryption is successful.
As for the apparatus, an embodiment of the present application further provides a network access control apparatus, which is applied to each wireless access point AP deployed in the same communication network, and is configured to control an access status of a user terminal accessing the communication network, where the apparatus includes:
the file decryption module is used for receiving a first encrypted file from the user terminal and decrypting the first encrypted file by using the AP's own key to obtain a network access request and the first key of the user terminal;
the response generation module is used for responding to the network access request, generating an access permission message matched with the network access request, and generating a corresponding permission key according to the first key, the AP's own key and the key generation strategy corresponding to the AP;
and the encryption sending module is used for encrypting the access permission message by using the generated permission key to obtain a second encrypted file, sending the second encrypted file to the user terminal so that the user terminal decrypts the second encrypted file, and accessing the communication network based on the access permission message in the second encrypted file when the decryption is successful.
Compared with the prior art, the network access control method and the network access control device provided by the embodiment of the application have the following beneficial effects: the network access control method can perform bidirectional authentication between the communication network and the user terminal so as to improve the overall network connection security. The method is used for managing and controlling the access condition of the user terminal to the communication network, wherein at least one AP is deployed under the communication network. Firstly, the user terminal searches a target key of a selected target AP from keys of all stored APs, encrypts a network access request and a first key of the user terminal by using the target key when the target key is found out to obtain a first encrypted file, and sends the first encrypted file to the target AP. Secondly, the target AP decrypts the first encrypted file by using the target key corresponding to the target AP to obtain the network access request and the first key. Then, the target AP responds to the network access request, generates an access permission message matched with the network access request, and generates a corresponding permission key according to the first key, the target key and a key generation strategy corresponding to the target AP. Then, the target AP encrypts the access permission packet with the generated permission key to obtain a second encrypted file, and sends the second encrypted file to the user terminal. Then, the user terminal searches the key generation strategy corresponding to the target AP from the stored key generation strategies corresponding to the APs, and generates a second key according to the first key, the target key and the searched key generation strategy when the key generation strategy is searched. 
And finally, the user terminal decrypts the received second encrypted file by using the second key, and accesses the communication network corresponding to the target AP based on the access permission message in the second encrypted file when the decryption is successful, so that the bidirectional authentication is performed between the communication network and the user terminal, and the overall network connection safety is improved.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments are briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope of the claims of the present application, and it is obvious for those skilled in the art that other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 is a schematic diagram of interaction between a user terminal and a wireless access point AP according to an embodiment of the present disclosure.
Fig. 2 is a flowchart of a first network access control method according to an embodiment of the present application.
Fig. 3 is a second flowchart of a first network access control method according to an embodiment of the present application.
Fig. 4 is a flowchart illustrating a second network access control method according to an embodiment of the present application.
Fig. 5 is a second flowchart illustrating a second network access control method according to an embodiment of the present application.
Fig. 6 is a flowchart illustrating a third network access control method according to an embodiment of the present application.
Fig. 7 is a block diagram illustrating an embodiment of the first network access management and control apparatus shown in fig. 1.
Fig. 8 is a second block diagram of the first network access management and control apparatus shown in fig. 1 according to an embodiment of the present disclosure.
Fig. 9 is a schematic block diagram of a second network access management and control apparatus shown in fig. 1 according to an embodiment of the present disclosure.
Icon: 10-user terminal; 20-AP; 30-communication network; 100-first network access control device; 200-second network access control device; 110-search encryption module; 120-key generation module; 130-key decryption module; 140-communication probe module; 150-information generating module; 210-file decryption module; 220-response generation module; 230-encryption sending module.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
In the description of the present application, it is noted that the terms "first", "second", "third", and the like are used merely for distinguishing between descriptions and are not intended to indicate or imply relative importance. Some embodiments of the present application will be described in detail below with reference to the accompanying drawings. The embodiments described below and the features of the embodiments can be combined with each other without conflict.
Please refer to fig. 1 and fig. 2 in combination, wherein fig. 1 is a schematic diagram of an interaction between a user terminal 10 and a wireless access point AP20 according to an embodiment of the present application, and fig. 2 is a schematic flowchart of a first network access control method according to an embodiment of the present application. In this embodiment, the network access control method shown in fig. 2 is applied to a user terminal 10 and an AP20 that communicate with each other, and is used to control an access status of the user terminal 10 to a communication network 30, where at least one AP20 is deployed under the communication network 30, and the user terminal 10 accesses the communication network 30 corresponding to the AP20 by establishing network communication with any one of at least one AP20 deployed under the communication network 30. The network access control method improves the network connection security by performing bidirectional authentication between the communication network 30 and the user terminal 10. The following describes a detailed procedure and steps of the network access control method shown in fig. 2.
Step S310, the user terminal 10 searches for a target key of the selected target AP20 from the stored keys of all the APs 20, encrypts the network access request and the first key of the user terminal 10 with the target key when the target key is found out to obtain a first encrypted file, and sends the first encrypted file to the target AP 20.
In this embodiment, when the user terminal 10 wants to access a certain communication network 30, one AP20 needs to be selected from at least one AP20 deployed under the communication network 30 as a network access point of the user terminal 10, and the selected AP20 is the target AP20 of the user terminal 10 for the communication network 30. The network access request is used to indicate to the corresponding AP20 that the user terminal 10 wants to access the communication network 30 to which the AP20 corresponds.
In this embodiment, the user terminal 10 stores keys corresponding to all the APs 20 with which it can establish network communication, and determines whether it has the authority to access the communication network 30 corresponding to the target AP20 by searching for the target key of the selected target AP20 among the keys of all the APs 20 stored in its data storage area. When the user terminal 10 finds the target key of the target AP20, this indicates that the user terminal 10 has the right to access the communication network 30 corresponding to the target AP20; at this point, the user terminal 10 encrypts the network access request it generated and the first key corresponding to the user terminal with the found target key to obtain a first encrypted file including the network access request and the first key, and then sends the first encrypted file to the target AP20.
In step S320, the target AP20 decrypts the first encrypted file with the target key corresponding to the target AP20, so as to obtain the network access request and the first key.
In this embodiment, after receiving the first encrypted file from any user terminal 10, the target AP20 decrypts the first encrypted file by using its corresponding target key, so as to determine whether the user terminal 10 corresponding to the first encrypted file has the right to access the communication network 30 corresponding to the target AP 20. When the decryption is successful, it indicates that the user terminal 10 corresponding to the first encrypted file indeed has the key of the target AP20, and the user terminal 10 has the right to access the communication network 30 corresponding to the target AP20, at this time, the target AP20 will obtain the corresponding network access request and the first key of the user terminal 10 from the first encrypted file.
Step S330, the target AP20 responds to the network access request, generates an access permission packet matching the network access request, and generates a corresponding permission key according to the first key, the target key, and a key generation policy corresponding to the target AP.
In this embodiment, the key generation policy used by each AP20 deployed under the same communication network 30 to generate its permission key may be the same as or different from the key generation policies of the other APs 20. When the target AP20 obtains the network access request and the first key from the first encrypted file, it responds to the network access request by generating an access permission message that matches the request and permits the user terminal 10 to access the communication network 30 corresponding to the target AP20, searches its data storage area for the key generation policy corresponding to itself, and then generates the corresponding permission key by combining the first key of the user terminal 10 and the target key corresponding to the target AP20 through that key generation policy.
In step S340, the target AP20 encrypts the access permission packet with the generated permission key to obtain a second encrypted file, and sends the second encrypted file to the user terminal 10.
In this embodiment, the target AP20 sends the second encrypted file obtained by encrypting the access permission message with the permission key to the user terminal 10, so that the user terminal 10 decrypts the second encrypted file, and the user terminal 10 authenticates, with respect to the target AP20, whether the communication network 30 corresponding to the target AP20 is the network that the user terminal 10 wants to access.
In step S350, the user terminal 10 searches the key generation policy corresponding to the target AP20 from the stored key generation policies corresponding to the APs 20, and generates a second key according to the first key, the target key, and the searched key generation policy when the key generation policy is found.
In this embodiment, the user terminal 10 stores a key generation policy corresponding to each AP20. After receiving the second encrypted file fed back from the target AP20, the user terminal 10 searches for the key generation policy corresponding to the target AP20 among the stored key generation policies corresponding to all APs 20 and, when the policy is found, generates a second key according to the first key, the target key, and the found key generation policy, so as to authenticate whether the communication network 30 corresponding to the target AP20 is the network that the user terminal 10 wants to access by decrypting the second encrypted file with the second key.
In step S360, the user terminal 10 decrypts the received second encrypted file with the second key, and accesses the communication network 30 corresponding to the target AP20 based on the access permission packet in the second encrypted file when the decryption is successful.
In this embodiment, when the user terminal 10 decrypts the received second encrypted file with the generated second key and the decryption succeeds, this indicates that the second key is the same as the permission key, that the key generation policy found by the user terminal 10 is the same as the key generation policy corresponding to the target AP20, that the second encrypted file indeed comes from the target AP20, and that the communication network 30 corresponding to the target AP20 is the network that the user terminal 10 wants to access. At this point the authentication of the communication network 30 by the user terminal 10 has succeeded: the user terminal 10 obtains the access permission message from the second encrypted file and establishes network communication with the target AP20 according to it, so as to access the communication network 30 through the target AP20. The mutual authentication between the user terminal 10 and the communication network 30 is thereby completed, and the network connection security is improved.
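The six-step exchange S310 to S360 above (and the same method as summarised in the Disclosure of Invention), worked through as an added Python example; this is illustrative code, not the patent's or the assignee's implementation. It assumes the key generation strategy is an HMAC-SHA256 derivation over the first key, the target key and a per-AP policy label, and it uses an encrypt-then-MAC construction from the standard library as a stand-in for an authenticated cipher such as AES-GCM; the AP identifiers, keys and policy labels are constructed sample values.

```python
import hashlib
import hmac
import json
import os
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: stand-in keystream (use a real AEAD in production)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag. The tag is what makes
    "decryption succeeded" a meaningful test in S320 and S360: without it a file
    encrypted under the wrong key would still "decrypt" to garbage and never be rejected."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify (the 'decryption fails' branch)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def key_generation_policy(first_key: bytes, target_key: bytes, policy_label: bytes) -> bytes:
    """The per-AP "key generation strategy" (S330 on the AP, S350 on the terminal).
    Assumed form: HMAC-SHA256 keyed with the target key over policy_label || first_key."""
    return hmac.new(target_key, policy_label + first_key, hashlib.sha256).digest()


class AccessPoint:
    """Target AP: holds its own target key and its key generation policy."""

    def __init__(self, ap_id: str, target_key: bytes, policy_label: bytes):
        self.ap_id, self.target_key, self.policy_label = ap_id, target_key, policy_label

    def handle_first_file(self, first_file: bytes):
        """S320-S340: authenticate the terminal, then answer with the second encrypted file."""
        plain = decrypt(self.target_key, first_file)
        if plain is None:
            return None  # S320 failed: the terminal does not hold this AP's key
        first_key = bytes.fromhex(json.loads(plain)["first_key"])
        permission = json.dumps({"permit": True, "ap": self.ap_id}).encode()  # S330
        permission_key = key_generation_policy(first_key, self.target_key, self.policy_label)
        return encrypt(permission_key, permission)  # S340


class UserTerminal:
    """User terminal: stores one key and one key generation policy per known AP."""

    def __init__(self, ap_keys: dict, ap_policies: dict):
        self.ap_keys, self.ap_policies = ap_keys, ap_policies

    def connect(self, ap: AccessPoint):
        """S310, S350, S360: returns the access permission message, or None on any failure."""
        target_key = self.ap_keys.get(ap.ap_id)  # S310: look up the target key
        if target_key is None:
            return None  # no stored key: no right to access this network
        first_key = secrets.token_bytes(32)  # S309: fresh random first key
        request = json.dumps({"type": "access_request", "first_key": first_key.hex()}).encode()
        second_file = ap.handle_first_file(encrypt(target_key, request))
        policy_label = self.ap_policies.get(ap.ap_id)  # S350: look up the AP's policy
        if second_file is None or policy_label is None:
            return None
        second_key = key_generation_policy(first_key, target_key, policy_label)
        plain = decrypt(second_key, second_file)  # S360: only an AP knowing key AND policy passes
        return None if plain is None else json.loads(plain)


# Constructed sample material for the scenarios below (not values from the patent).
GENUINE_KEY = secrets.token_bytes(32)
terminal = UserTerminal({"ap-1": GENUINE_KEY}, {"ap-1": b"policy-A"})


def run_scenarios() -> dict:
    """Genuine AP succeeds; wrong key, wrong policy and unknown AP are all rejected."""
    return {
        "genuine": terminal.connect(AccessPoint("ap-1", GENUINE_KEY, b"policy-A")),
        "wrong_key": terminal.connect(AccessPoint("ap-1", secrets.token_bytes(32), b"policy-A")),
        "wrong_policy": terminal.connect(AccessPoint("ap-1", GENUINE_KEY, b"policy-B")),
        "unknown_ap": terminal.connect(AccessPoint("ap-9", GENUINE_KEY, b"policy-A")),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:13s} -> {result}")
```

The "wrong_policy" case is the one the second round of the exchange exists for: the network holds the right target key, yet the terminal still refuses it because the permission key was derived under a policy the terminal does not recognise.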
Fig. 3 is a second flowchart of a first network access control method according to an embodiment of the present application. In this embodiment of the application, the network access control method further includes step S308 and step S309.
Step S308, the user terminal 10 probes the signal strength between itself and each AP20 under the communication network 30, and selects the target AP20 from the APs 20 under the communication network 30 according to the probing result.
In this embodiment, the user terminal 10 detects the signal strength between itself and each AP20 of the communication network 30 by broadcasting a signal detection packet to all the APs 20 of the communication network 30 and receiving a feedback packet from each AP20, obtains a corresponding detection result, and selects the target AP20 from the APs 20 of the communication network 30 according to that result. In one implementation of this embodiment, the user terminal 10 selects the AP20 with the maximum signal strength in the probing results as its target AP20 under the communication network 30.
In step S309, the user terminal 10 generates a network access request corresponding to the communication network 30 after selecting the target AP20, and randomly generates the first key.
In this embodiment, the key of each AP20 is not changed after being set, and the first key of the user terminal 10 may be randomly generated by the user terminal 10 according to the requirement.
Fig. 4 is a flowchart illustrating a second network access control method according to an embodiment of the present application. In this embodiment, the user terminal 10 includes a first network access management and control device 100, where the first network access management and control device 100 is configured to execute a network access management and control method shown in fig. 4, and the network access management and control method is applied to the user terminal 10 and is configured to manage an access status of the user terminal 10 accessing the communication network 30. The following describes a detailed procedure and steps of the network access control method shown in fig. 4.
Step S410, searching a target key of the selected target AP20 from the stored keys of all the APs 20, when the target key is found, encrypting the network access request and the first key of the user terminal 10 with the target key to obtain a first encrypted file, and sending the first encrypted file to the target AP20, so that the target AP20 feeds back a second encrypted file including an access permission message according to the first encrypted file.
Step S420, searching for a key generation policy corresponding to the target AP20 from the stored key generation policies corresponding to the APs 20, and generating a second key according to the first key, the target key, and the searched key generation policy when the key generation policy is found.
Step S430, decrypt the received second encrypted file with the second key, and access to the communication network 30 corresponding to the target AP20 based on the access permission packet in the second encrypted file when decryption is successful.
In this embodiment, the respective execution processes of the step S410, the step S420 and the step S430 refer to the above detailed descriptions of the step S310, the step S350 and the step S360, and are not repeated herein.
Fig. 5 is a second flowchart illustrating a second network access control method according to an embodiment of the present application. In this embodiment of the present application, the method for managing and controlling network access further includes step S408 and step S409.
Step S408, detecting the signal strength between the user terminal 10 and each AP20 in the communication network 30, and selecting the target AP20 from the APs 20 in the communication network 30 according to the detection result.
Step S409, after selecting the target AP20, generates a network access request corresponding to the communication network 30, and randomly generates the first key.
Fig. 6 is a flowchart of a third network access control method according to an embodiment of the present application. In this embodiment, each AP20 deployed under the same communication network 30 includes a second network access management and control apparatus 200 configured to execute the network access control method shown in Fig. 6. The method is applied to each AP20 deployed under the same communication network 30 and is used to manage and control the access of the user terminal 10 to the communication network 30. The detailed procedure and steps of the network access control method shown in Fig. 6 are described below.
Step S510, receive the first encrypted file from the user terminal 10, and decrypt the first encrypted file with the key corresponding to the AP20 itself to obtain the network access request and the first key of the user terminal 10.
Step S520, respond to the network access request by generating an access permission packet matching the network access request, and generate a corresponding permission key according to the first key, the key corresponding to the AP20 itself, and the key generation policy corresponding to the AP20 itself.
Step S530, encrypt the access permission packet with the generated permission key to obtain a second encrypted file, and send the second encrypted file to the user terminal 10, so that the user terminal 10 decrypts the second encrypted file and, when decryption succeeds, accesses the communication network 30 based on the access permission packet in the second encrypted file.
In this embodiment, the execution processes of step S510, step S520 and step S530 correspond to the detailed descriptions of step S320, step S330 and step S340 above, and are not repeated here.
Fig. 7 is a block diagram of the first network access management and control device 100 shown in fig. 1 according to an embodiment of the present disclosure. In this embodiment, the first network access management and control apparatus 100 includes a lookup encryption module 110, a key generation module 120, and a key decryption module 130.
The lookup encryption module 110 is configured to search for the target key of the selected target AP20 among the stored keys of all the APs 20, encrypt the network access request and the first key of the user terminal 10 with the target key when it is found to obtain a first encrypted file, and send the first encrypted file to the target AP20, so that the target AP20 feeds back a second encrypted file containing an access permission packet according to the first encrypted file.
The key generation module 120 is configured to search for a key generation policy corresponding to the target AP20 from stored key generation policies corresponding to the APs 20, and generate a second key according to the first key, the target key, and the searched key generation policy when the key generation policy is found.
The key decryption module 130 is configured to decrypt the received second encrypted file with the second key, and access the communication network 30 corresponding to the target AP20 based on the access permission packet in the second encrypted file when the decryption is successful.
Fig. 8 is a second block diagram of the first network access management and control device 100 shown in fig. 1 according to the present embodiment. In this embodiment, the first network access management and control apparatus 100 further includes a communication detection module 140 and an information generation module 150.
The communication detection module 140 is configured to detect the signal strength between the user terminal 10 and each AP20 in the communication network 30, and to select the target AP20 from the APs 20 in the communication network 30 according to the detection result.
The information generating module 150 is configured to generate a network access request corresponding to the communication network 30 after the target AP20 is selected, and randomly generate the first key.
Fig. 9 is a block schematic diagram of a second network access management and control device 200 shown in fig. 1 according to an embodiment of the present disclosure. In this embodiment, the second network access management and control apparatus 200 includes a file decryption module 210, a response generation module 220, and an encryption transmission module 230.
The file decryption module 210 is configured to receive the first encrypted file from the user terminal 10 and decrypt the first encrypted file with the key corresponding to the AP20 itself to obtain the network access request and the first key of the user terminal 10.
The response generation module 220 is configured to respond to the network access request by generating an access permission packet matching the network access request, and to generate a corresponding permission key according to the first key, the key corresponding to the AP20 itself, and the key generation policy corresponding to the AP20 itself.
The encryption sending module 230 is configured to encrypt the access permission packet with the generated permission key to obtain a second encrypted file and send the second encrypted file to the user terminal 10, so that the user terminal 10 decrypts the second encrypted file and, when decryption succeeds, accesses the communication network 30 based on the access permission packet in the second encrypted file.
In summary, in the network access control method and the network access control device provided in the embodiments of the present application, the network access control method can perform bidirectional authentication between the communication network and the user terminal, so as to improve the overall network connection security. The method is used for managing and controlling the access condition of the user terminal to the communication network, wherein at least one AP is deployed under the communication network. Firstly, the user terminal searches a target key of a selected target AP from keys of all stored APs, encrypts a network access request and a first key of the user terminal by using the target key when the target key is found out to obtain a first encrypted file, and sends the first encrypted file to the target AP. Secondly, the target AP decrypts the first encrypted file by using the target key corresponding to the target AP to obtain the network access request and the first key. Then, the target AP responds to the network access request, generates an access permission message matched with the network access request, and generates a corresponding permission key according to the first key, the target key and a key generation strategy corresponding to the target AP. Then, the target AP encrypts the access permission packet with the generated permission key to obtain a second encrypted file, and sends the second encrypted file to the user terminal. Then, the user terminal searches the key generation strategy corresponding to the target AP from the stored key generation strategies corresponding to the APs, and generates a second key according to the first key, the target key and the searched key generation strategy when the key generation strategy is searched. 
And finally, the user terminal decrypts the received second encrypted file by using the second key, and accesses the communication network corresponding to the target AP based on the access permission message in the second encrypted file when the decryption is successful, so that the bidirectional authentication is performed between the communication network and the user terminal, and the overall network connection safety is improved.
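The exchange summarized above, written out end to end as an added example; it is not code from the patent or from the applicant. The patent fixes neither the cipher, the message layout nor the key generation policy, so the following are assumptions made here: the first and second encrypted files are AES-256-GCM ciphertexts with the AP identity as associated data, the first file carries the 32-byte first key K1 followed by the request text, and the key generation policy is HMAC-SHA256 keyed with the AP key K_T over a policy label and K1. The terminal's stored table of per-AP keys and policies is represented by the caller passing the key and policy it holds for ap.ID; `ap-lobby-01`, the demo key and the request text are constructed sample values. One point the patent text leaves implicit carries the whole security argument: "when decryption is successful" is only a meaningful check if the cipher is authenticated. With GCM, a second file produced under the wrong permission key is rejected outright, which is what lets the terminal conclude that the responder held K_T and the agreed policy; with an unauthenticated mode, decryption of a forged or replayed file would "succeed" and yield garbage, and the bidirectional authentication would rest on whatever the parser happened to accept.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// AP is the access point side. Key is K_T, the per-AP key that enrolled terminals also store.
type AP struct {
	ID, Policy string
	Key        []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key here is 32 bytes, so this only fails on misuse
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// encryptFile returns nonce||AES-256-GCM ciphertext; aad binds the file to one AP identity.
func encryptFile(key, plaintext, aad []byte) []byte {
	gcm, nonce := newGCM(key), randomBytes(12)
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
// decryptFile is the "decryption succeeded" check: GCM rejects anything not sealed under this key and aad.
func decryptFile(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return newGCM(key).Open(nil, blob[:12], blob[12:], aad)
}
// deriveKey is one concrete key generation policy: HMAC-SHA256(K_T, policy || K1) as the AES-256 permission key.
func deriveKey(policy string, apKey, k1 []byte) []byte {
	mac := hmac.New(sha256.New, apKey)
	mac.Write([]byte(policy))
	mac.Write(k1)
	return mac.Sum(nil)
}

// BuildFirstFile (terminal): draw a fresh K1 and encrypt K1||request under the stored key for apID.
func BuildFirstFile(apID string, storedKey []byte, request string) (file1, k1 []byte) {
	k1 = randomBytes(32)
	return encryptFile(storedKey, append(append([]byte{}, k1...), request...), []byte(apID)), k1
}

// HandleFirstFile (AP): decrypt under the AP's own key, then answer under the permission key.
func (ap *AP) HandleFirstFile(file1 []byte) ([]byte, error) {
	plain, err := decryptFile(ap.Key, file1, []byte(ap.ID))
	if err != nil || len(plain) < 32 {
		return nil, fmt.Errorf("request not encrypted under this AP's key")
	}
	permit := []byte("granted: " + string(plain[32:])) // the access permission packet
	return encryptFile(deriveKey(ap.Policy, ap.Key, plain[:32]), permit, []byte(ap.ID)), nil
}

// OpenSecondFile (terminal): recompute the second key from K1 and the stored key and policy, then decrypt.
func OpenSecondFile(apID string, storedKey []byte, storedPolicy string, k1, file2 []byte) (string, error) {
	plain, err := decryptFile(deriveKey(storedPolicy, storedKey, k1), file2, []byte(apID))
	if err != nil {
		return "", fmt.Errorf("AP did not prove knowledge of K_T; not joining")
	}
	return string(plain), nil
}

// RunHandshake drives the exchange with what the terminal has stored for ap.ID and returns the permit.
func RunHandshake(storedKey []byte, storedPolicy string, ap *AP, request string) (string, error) {
	file1, k1 := BuildFirstFile(ap.ID, storedKey, request)
	file2, err := ap.HandleFirstFile(file1)
	if err != nil {
		return "", err
	}
	return OpenSecondFile(ap.ID, storedKey, storedPolicy, k1, file2)
}

// DemoAP returns a constructed AP (sample identity and key, not a real secret).
func DemoAP() *AP {
	k := sha256.Sum256([]byte("constructed demo key for ap-lobby-01"))
	return &AP{ID: "ap-lobby-01", Policy: "hmac-sha256-v1", Key: k[:]}
}

func main() {
	ap := DemoAP()
	fmt.Println(RunHandshake(ap.Key, ap.Policy, ap, "join corp-wifi"))
	rogue := &AP{ID: ap.ID, Policy: ap.Policy, Key: make([]byte, 32)} // impersonates ap without K_T
	fmt.Println(RunHandshake(ap.Key, ap.Policy, rogue, "join corp-wifi"))
}
```

Run it with `go run .`: the genuine AP returns the decrypted permit, while the rogue AP, which lacks K_T, is refused at the AP step because it cannot open the first file; a rogue that skipped that step and sent a second file sealed under a guessed key would be refused at the terminal step instead. Note what the exchange does and does not establish: because K_T is a symmetric key held by the AP and by every enrolled terminal, each side learns that its peer holds K_T and the policy for that AP identity, not which particular device it is talking to.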
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A network access control method is used for controlling access conditions of a user terminal to a communication network, wherein at least one wireless Access Point (AP) is deployed under the communication network, and the method comprises the following steps:
the user terminal searches a target key of a selected target AP from keys of all stored APs, encrypts a network access request and a first key of the user terminal by using the target key when the target key is searched to obtain a first encrypted file, and sends the first encrypted file to the target AP;
the target AP decrypts the first encrypted file by using the target key corresponding to the target AP to obtain the network access request and the first key;
the target AP responds to the network access request, generates an access permission message matched with the network access request, and generates a corresponding permission key according to the first key, the target key and a key generation strategy corresponding to the target AP;
the target AP encrypts the access permission message by using the generated permission key to obtain a second encrypted file, and sends the second encrypted file to the user terminal;
the user terminal searches a key generation strategy corresponding to the target AP from stored key generation strategies corresponding to the APs, and generates a second key according to the first key, the target key and the searched key generation strategy when the key generation strategy is searched;
and the user terminal decrypts the received second encrypted file by using the second key and accesses the communication network corresponding to the target AP based on the access permission message in the second encrypted file when the decryption is successful.
2. The method of claim 1, further comprising:
and the user terminal detects the signal intensity between the user terminal and each AP under the communication network, and selects the target AP from the APs under the communication network according to the detection result.
3. The method of claim 2, further comprising:
and the user terminal generates a network access request corresponding to the communication network after selecting the target AP, and randomly generates the first key.
4. A network access control method is applied to a user terminal and used for controlling the access condition of the user terminal to a communication network, wherein at least one wireless Access Point (AP) is deployed under the communication network, and the method comprises the following steps:
searching a target key of a selected target AP from keys of all stored APs, encrypting a network access request and a first key of the user terminal by using the target key when the target key is searched to obtain a first encrypted file, sending the first encrypted file to the target AP so that the target AP decrypts the network access request and the first key from the first encrypted file by using the target key of the target AP, and feeding back a second encrypted file comprising an access permission message matched with the network access request to the user terminal, wherein the second encrypted file is obtained by encrypting the access permission message by using a permission key, and the permission key is generated based on the first key, the target key and a key generation strategy of the target AP;
searching a key generation strategy corresponding to the target AP in stored key generation strategies corresponding to the APs, and generating a second key according to the first key, the target key and the searched key generation strategy when the key generation strategy corresponding to the target AP is searched;
and decrypting the received second encrypted file by using the second key, and accessing the communication network corresponding to the target AP based on the access permission message in the second encrypted file when the decryption is successful.
5. The method of claim 4, further comprising:
and detecting the signal intensity between the user terminal and each AP under the communication network, and selecting the target AP from the APs under the communication network according to the detection result.
6. The method of claim 5, further comprising:
and generating a network access request corresponding to the communication network after the target AP is selected, and randomly generating the first key.
7. A network access control method is applied to each wireless Access Point (AP) deployed in the same communication network and used for controlling the access condition of a user terminal accessing the communication network, and the method comprises the following steps:
receiving a first encrypted file from the user terminal, and decrypting the first encrypted file by using the key corresponding to the AP itself to obtain a network access request and a first key of the user terminal;
responding to the network access request, generating an access permission message matched with the network access request, and generating a corresponding permission key according to the first key, the key corresponding to the AP itself and a key generation strategy corresponding to the AP itself;
and encrypting the access permission message by using the generated permission key to obtain a second encrypted file, and sending the second encrypted file to the user terminal, so that the user terminal, when it finds the key generation strategy of the AP, decrypts the second encrypted file by using a second key generated from the first key, the key of the AP and the found key generation strategy, and accesses the communication network based on the access permission message in the second encrypted file when the decryption is successful.
8. A network access control device is applied to a user terminal and used for controlling an access condition of the user terminal to a communication network, wherein at least one wireless Access Point (AP) is deployed under the communication network, and the device comprises:
the searching encryption module is used for searching a target key of a selected target AP from keys of all stored APs, encrypting a network access request and a first key of the user terminal by using the target key when the target key is searched to obtain a first encrypted file, sending the first encrypted file to the target AP so that the target AP decrypts the network access request and the first key from the first encrypted file by using the target key of the target AP, and feeding back a second encrypted file comprising an access permission message matched with the network access request to the user terminal, wherein the second encrypted file is obtained by encrypting the access permission message by using a permission key, and the permission key is generated based on the first key, the target key and a key generation policy of the target AP;
the key generation module is used for searching the key generation strategy corresponding to the target AP in the stored key generation strategies corresponding to the APs, and generating a second key according to the first key, the target key and the searched key generation strategy when the key generation strategy is searched;
and the key decryption module is used for decrypting the received second encrypted file by using the second key and accessing the communication network corresponding to the target AP based on the access permission message in the second encrypted file when the decryption is successful.
9. The apparatus of claim 8, further comprising:
a communication detection module, configured to detect the signal strength between the user terminal and each AP in the communication network, and to select the target AP from the APs in the communication network according to the detection result;
and the information generation module is used for generating a network access request corresponding to the communication network after the target AP is selected, and randomly generating the first key.
10. A network access control device is applied to each wireless access point AP deployed under the same communication network and used for controlling the access condition of a user terminal accessing the communication network, and the device comprises:
the file decryption module is used for receiving a first encrypted file from the user terminal and decrypting the first encrypted file by using the key corresponding to the AP itself to obtain a network access request and a first key of the user terminal;
the response generation module is used for responding to the network access request, generating an access permission message matched with the network access request, and generating a corresponding permission key according to the first key, the key corresponding to the AP itself and a key generation strategy corresponding to the AP itself;
and the encryption sending module is used for encrypting the access permission message by using the generated permission key to obtain a second encrypted file and sending the second encrypted file to the user terminal, so that the user terminal, when it finds the key generation strategy of the AP, decrypts the second encrypted file by using a second key generated from the first key, the key of the AP and the found key generation strategy, and accesses the communication network based on the access permission message in the second encrypted file when the decryption is successful.
CN201811103336.5A 2018-09-20 2018-09-20 Network access control method and device Active CN108966233B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811103336.5A CN108966233B (en) 2018-09-20 2018-09-20 Network access control method and device

Publications (2)

Publication Number Publication Date
CN108966233A CN108966233A (en) 2018-12-07
CN108966233B true CN108966233B (en) 2021-11-09

Family

ID=64471869

Country Status (1)

Country Link
CN (1) CN108966233B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104980919A (en) * 2015-05-13 2015-10-14 Xiaomi Technology Co., Ltd. Method and device for acquiring network service information
CN106992866A (en) * 2017-04-13 2017-07-28 Guangdong University of Technology Certificate-free wireless network access method based on NFC
US9887996B1 (en) * 2014-10-13 2018-02-06 Wells Fargo Bank, N.A. Bidirectional authentication

Non-Patent Citations (1)

Title
Research on the wireless LAN security protocol BAP (无线局域网安全协议BAP研究); Yao Huijuan, Zhou Xiang; Wireless Internet Technology (无线互联科技); 2016-06-30; pp. 35-42 *

Similar Documents

Publication Publication Date Title
US10554420B2 (en) Wireless connections to a wireless access point
EP2963959B1 (en) Method, configuration device, and wireless device for establishing connection between devices
US20160269176A1 (en) Key Configuration Method, System, and Apparatus
US9762567B2 (en) Wireless communication of a user identifier and encrypted time-sensitive data
US20030093663A1 (en) Technique to bootstrap cryptographic keys between devices
EP3537652B1 (en) Method for securely controlling smart home appliance and terminal device
KR20040075293A (en) Apparatus and method simplifying an encrypted network
EP2874422B1 (en) Simplified wi-fi setup
US8918844B1 (en) Device presence validation
KR20180119201A (en) Electronic device for authentication system
US20230344626A1 (en) Network connection management method and apparatus, readable medium, program product, and electronic device
US8661244B2 (en) Method and apparatus for establishing secured link between devices
CN103812651A (en) Password authentication method, device and system
CN105636037A (en) Authentication method and apparatus and electronic device
KR20150050181A (en) System for Cloud Printing and Method of Cloud Printing Service using the Same
EP3309997B1 (en) Network monitoring apparatus, and remote encryption and remote activation method, device and system therefor
US9054848B2 (en) Electronic apparatus and encryption method thereof
JP2019057867A (en) Encryption communication system
KR102171377B1 (en) Method of login control
KR101451638B1 (en) Identification and theft prevention system, and method thereof
JP5894956B2 (en) Image forming apparatus, server, and document printing management system
CN106685931B (en) Smart card application management method and system, terminal and smart card
US20120106734A1 (en) Safe handover method and system
CN112214753A (en) Authentication method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant