CN1700649A - A charging method based on WLAN authentication and privacy infrastructure certificate - Google Patents
- Publication number: CN1700649A
- Authority: CN (China)
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Abstract
The invention provides a charging method based on the WLAN Authentication and Privacy Infrastructure (WAPI) certificate. It uses the validity period of the certificate held by the user as the basis for charging, thereby implementing charging and improving the WAPI system. Because the expiry time of the certificate serves as the basis for network charging, the ASU and AP do not need to monitor the user in real time, query the user, or record the user's login time.
Description
Technical field
The present invention relates to the technical field of WLAN Authentication and Privacy Infrastructure (WAPI) systems, and in particular to a charging method based on the WAPI certificate.
Background art
Wireless local area networks (WLAN) have attracted the attention of equipment manufacturers, operators and users alike because they are flexible and convenient. China's Broadband Wireless IP Standard Working Group has formulated the WLAN standard GB/T15629.11, which specifies a security scheme based on the WAPI system. The WAPI system provides a secure access method for WLAN mobile terminals based on public key certificates.
The WAPI system has three kinds of entities: the wireless access user terminal (STA, Station), the access point (AP, Access Point) and the authentication service unit (ASU, Authentication Service Unit). They host, respectively, the authentication supplicant entity (ASUE, Authentication Supplicant Entity), the authenticator entity (AE, Authentication Entity) and the authentication service entity (ASE, Authentication Service Entity). The ASUE is the entity that is authenticated through the authentication service unit and resides in the STA; the AE is the entity that performs the authentication operation for the supplicant before service access and resides in the AP; the ASE is the entity that provides mutual authentication for the authenticator and the supplicant and resides in the ASU.
The ASU manages the APs and STAs within its management domain and issues a public key certificate to each legitimate AP and STA, which serves as the digital identity credential of that network device in the WLAN. Mutual identity authentication between the STA and the AP is carried out through the ASU. The ASU also stores the STA certificate and the AP certificate.
The basic principle of certificate-based access control is as follows: the STA sends a connection request to the AP from the uncontrolled port, and the AP and the STA perform mutual identity authentication, i.e. certificate authentication, with the assistance of the ASU. If authentication succeeds, the AP opens the controlled port and allows the STA to access the network; otherwise the AP refuses the STA's access or the STA gives up accessing the AP.
Figure 1 shows the certificate authentication flow in the WAPI system.
Step 101: The AP sends an authentication activation to the STA;
Step 102: The STA sends an access authentication request to the AP, i.e. it sends the STA certificate to the AP;
Step 103: The AP sends a certificate authentication request to the ASU, i.e. the AP sends the STA certificate together with its own certificate to the ASU and signs the data;
Step 104: The ASU verifies the AP's signature and the authenticity and validity of the AP certificate and the STA certificate, signs the authentication result and sends it to the AP, i.e. the ASU sends the AP an authentication response message containing the authentication result;
Step 105: Based on the response message received from the ASU, the AP sends the STA an access authentication response containing the authentication result, and the STA decides whether to connect to the AP according to the ASU's authentication result.
Compared with other access control schemes, WAPI has one prominent feature: every legitimate user obtains a certificate issued by the ASU, and can access network resources only after correctly passing certificate authentication at access time. The structure of a WAPI standard certificate is shown in Table 1:
Field name | Explanation | Length (bytes) |
---|---|---|
Certificate version number | Specifies the certificate version | 2 |
Certificate serial number | Each certificate issued by the ASU has a unique serial number | 4 |
Signature algorithm | Identifies the hash algorithm and signature algorithm used by the issuer | 2 |
Issuer name | Identity of the issuer | 6~256 |
Issuer public key | Public key information of the issuer | 41~256 |
Validity period | Contains the start time and the expiry time, 4 bytes each | 8 |
Holder name | Identity of the certificate holder | 6~256 |
Holder public key | Public key information of the certificate holder | 41~256 |
Certificate type | Device type: STA, AP or ASU | 2 |
Extension | Reserved field | 2 |
Issuer signature | The issuer's signature over all of the above information | 41~256 |
Table 1
The "validity period" field specifies the start time and expiry time for access using this certificate. When the user accesses the network, if the current time is past the expiry time stated in the certificate, i.e. the certificate has expired, the certificate cannot pass certificate authentication and so cannot be used to access the WLAN. If the current time is still within the validity period and the certificate passes certificate authentication, the user can access the WLAN.
The WAPI system proposes its own authentication and encryption methods, which remedy the security deficiencies of existing international standards and improve security and reliability for users. However, WAPI provides no explicit method for charging and does not indicate which methods it can support. In practical WLAN deployments reasonable charging is necessary, and for WAPI to be implemented well the question of how to charge needs an answer.
Summary of the invention
In view of this, the object of the present invention is to provide a charging method based on the WAPI certificate and thereby further improve the WAPI system.
To achieve the above object, the technical solution of the present invention is realized as follows:
A charging method based on the WAPI certificate, comprising the following steps:
a. The ASU sets the expiry time of the STA certificate to the deadline for providing network service to the user;
b. The AP determines whether the current time has reached the expiry time of the certificate used by an STA that is using network resources; if so, the AP actively terminates communication with that STA and step c is executed; otherwise step b is repeated;
c. The ASU charges for the STA certificate according to the length of the validity period of that STA certificate.
Preferably, the method of charging for the STA certificate according to the length of its validity period is: multiplying the length of the validity period by a configured rate; or charging for the STA certificate according to a configured table of validity period lengths and charging standards.
Preferably, where a certificate may be used by only one STA, the method further comprises: after the ASU has successfully authenticated a certificate and before the user of that certificate goes offline, the ASU refuses to process authentication requests for the same STA certificate.
Preferably, the method by which the AP in step b determines whether the current time has reached the expiry time of the certificate used by an STA that is using network resources is:
The AP checks at a predefined interval whether the current time has reached the expiry time of the certificate used by the STA; or, after the AP begins providing communication service to the STA, it starts a timer whose duration is the difference between the current time and the expiry time of the STA certificate, and the AP determines whether the current time has reached the expiry time of the certificate used by the STA according to whether it has received the timeout signal sent by this timer.
The present invention uses the validity period of the certificate held by the user as the charging credential, thereby implementing charging and further improving the WAPI system. Because the start time and expiry time in the STA certificate are the basis for charging for network service, the ASU and AP no longer need to monitor user status in real time for charging purposes, need not query whether the user is online, and need not collect charging information such as the user's login time and the duration of WLAN use. The invention combines charging with user authentication; it is simple to implement, convenient to use, and adds no network overhead.
Description of drawings
Figure 1 shows the certificate authentication flow in the WAPI system;
Figure 2 is a schematic diagram of the charging flow using the present invention.
Detailed description of the embodiments
To make the technical solution of the present invention clearer, the invention is described in further detail below with reference to the drawings.
In the WAPI system, the certificate issued by the ASU is the digital identity credential of the STA. The present invention uses the validity period of the certificate held by the user as the charging credential, thereby implementing charging. The specific implementation is as follows:
Figure 2 is a schematic diagram of the charging flow using the present invention.
Step 201: The ASU issues the user a WAPI certificate with a validity period according to the type of service, setting the expiry time of the STA certificate to the deadline for providing network service to the user. Only after the user holds this certificate can the user access WLAN network resources;
Step 202: The AP and the STA perform mutual identity authentication with the assistance of the ASU. After authentication succeeds, the STA and the AP communicate and the AP provides communication service to the STA. At this point the ASU also holds the STA certificate and the AP certificate;
Step 203: The AP determines whether the current time has reached the expiry time of the certificate used by an STA that is using network resources; if so, step 204 is executed; otherwise step 203 is repeated;
The AP determines whether the current time has reached the expiry time of the certificate used by the STA in one of two ways. Either the AP checks at a predefined interval whether the current time has reached the expiry time of the certificate used by the STA; or, after the AP begins providing communication service to the STA, it starts a timer whose duration is the difference between the current time and the expiry time of the STA certificate. When this timer reaches the set time it sends the AP a timeout signal, and the AP determines whether the current time has reached the expiry time of the certificate used by the STA according to whether it has received the signal sent by this timer;
Step 204: The AP actively terminates communication with the STA and stops providing communication service to it. This operation does not involve the ASU and is carried out entirely by the AP on its own. At this point the ASU charges according to the length of the validity period of the STA certificate.
The method by which the ASU charges according to the length of the validity period of the STA certificate is: multiplying the length of the validity period by a configured rate; or charging for the STA certificate according to a configured table of validity period lengths and charging standards.
Because the expiry time of an STA certificate cannot be extended, and the certificate can no longer pass ASU authentication once its expiry time has been reached, a user who still needs service from the AP must apply for a new STA certificate; otherwise the user can no longer access WLAN network resources.
If a certificate may be used by only one STA, then after the ASU has successfully authenticated a certificate and before the user of that certificate goes offline, the ASU refuses to process authentication requests for the same STA certificate.
For reasons of system security or otherwise, the ASU may at any time send the AP a message stating that a certain STA certificate is invalid, requiring the AP to stop serving the STA that uses this certificate. After receiving this message, the AP checks each STA to which it is providing communication service; if an STA is using this certificate, the AP immediately and actively stops serving that STA and notifies the ASU that communication with the STA has been stopped.
With the present invention the validity period of the STA certificate can be configured flexibly, so the administrator can issue certificates with different terms according to the situation. For example, in hotels, guesthouses and similar places, a certificate can be issued for a period matching the guest's stay. In Internet cafés, libraries, airports and similar places, certificates with a shorter term, such as a few hours, can be issued.
Users of the present invention may prepay, or may pay after they have finished using the service.
The above is only a preferred embodiment of the present invention and is not intended to limit the invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
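The flow of steps 201 to 204, together with the one-STA-per-certificate rule and the ASU's invalid-certificate message described above, as an added example (not code from the patent). The `Cert` tuple, the class and method names, integer-second timestamps and cent-based prices are assumptions made for illustration; certificate signatures and keys are not modelled.

```python
import heapq
from collections import namedtuple

HOUR = 3600
# Constructed stand-in for the Table 1 certificate; keys and signature omitted.
Cert = namedtuple("Cert", "serial not_before not_after")

class ASU:
    def __init__(self, cents_per_hour, tariff=None):
        self.cents_per_hour = cents_per_hour  # option 1: validity length x rate
        self.tariff = tariff or {}            # option 2: {validity seconds: cents}
        self.issued, self.in_use, self.invalid = {}, set(), set()
    def issue(self, not_before, not_after):
        """Step 201: the certificate expiry time is the service deadline."""
        cert = Cert(len(self.issued) + 1, not_before, not_after)
        self.issued[cert.serial] = cert
        return cert
    def authenticate(self, cert, now):
        ok = (self.issued.get(cert.serial) == cert
              and cert.not_before <= now < cert.not_after
              and cert.serial not in self.invalid
              and cert.serial not in self.in_use)  # one STA per certificate
        if ok:
            self.in_use.add(cert.serial)
        return ok
    def offline(self, serial):
        self.in_use.discard(serial)
    def charge(self, serial):
        """The fee depends only on validity length, never on measured usage."""
        cert = self.issued[serial]
        length = cert.not_after - cert.not_before
        return self.tariff.get(length, self.cents_per_hour * length // HOUR)
    def invalidate(self, serial, aps):
        self.invalid.add(serial)
        for ap in aps:
            ap.on_invalid(serial)

class AP:
    def __init__(self, asu):
        self.asu, self.sessions, self.timers = asu, {}, []
    def admit(self, sta, cert, now):
        if not self.asu.authenticate(cert, now):
            return False
        self.sessions[sta] = cert.serial
        heapq.heappush(self.timers, (cert.not_after, sta, cert.serial))
        return True
    def tick(self, now):
        """Steps 203-204: the AP alone drops STAs whose deadline has arrived."""
        dropped = []
        while self.timers and self.timers[0][0] <= now:
            _, sta, serial = heapq.heappop(self.timers)
            if self.sessions.get(sta) == serial:  # ignore timers of ended sessions
                del self.sessions[sta]
                dropped.append(sta)
        return dropped
    def on_invalid(self, serial):
        for sta, s in list(self.sessions.items()):
            if s == serial:
                del self.sessions[sta]
                self.asu.offline(serial)  # AP reports the stopped session to the ASU

def demo():
    asu = ASU(cents_per_hour=50, tariff={24 * HOUR: 800})
    ap = AP(asu)
    day, short = asu.issue(0, 24 * HOUR), asu.issue(0, 3 * HOUR)
    first = ap.admit("sta-a", day, now=60)
    clone = ap.admit("sta-b", day, now=120)       # same certificate, second STA
    ap.admit("sta-c", short, now=120)
    early, expired = ap.tick(now=2 * HOUR), ap.tick(now=3 * HOUR)
    asu.invalidate(day.serial, [ap])
    retry = ap.admit("sta-a", day, now=4 * HOUR)  # certificate declared invalid
    return (first, clone, early, expired, retry, dict(ap.sessions),
            asu.charge(day.serial), asu.charge(short.serial))
```

In this model the AP's own clock decides when service ends, so enforcement is only as accurate as the AP's time source, and the fee is the same whether or not the STA stays connected for the whole validity period.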
Claims (4)
1. A charging method based on the WAPI certificate, characterized in that the method comprises the following steps:
a. The ASU sets the expiry time of the STA certificate to the deadline for providing network service to the user;
b. The AP determines whether the current time has reached the expiry time of the certificate used by an STA that is using network resources; if so, the AP actively terminates communication with that STA and step c is executed; otherwise step b is repeated;
c. The ASU charges for the STA certificate according to the length of the validity period of that STA certificate.
2. The method according to claim 1, characterized in that the method of charging for the STA certificate according to the length of its validity period is: multiplying the length of the validity period by a configured rate; or charging for the STA certificate according to a configured table of validity period lengths and charging standards.
3. The method according to claim 1, characterized in that, where a certificate may be used by only one STA, the method further comprises: after the ASU has successfully authenticated a certificate and before the user of that certificate goes offline, the ASU refuses to process authentication requests for the same STA certificate.
4. The method according to claim 1, characterized in that the method by which the AP in step b determines whether the current time has reached the expiry time of the certificate used by an STA that is using network resources is:
The AP checks at a predefined interval whether the current time has reached the expiry time of the certificate used by the STA; or, after the AP begins providing communication service to the STA, it starts a timer whose duration is the difference between the current time and the expiry time of the STA certificate, and the AP determines whether the current time has reached the expiry time of the certificate used by the STA according to whether it has received the timeout signal sent by this timer.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2004100423144A CN100365981C (en) | 2004-05-17 | 2004-05-17 | A charging method based on WLAN authentication and privacy infrastructure certificate |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1700649A (en) | 2005-11-23 |
CN100365981C (en) | 2008-01-30 |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
C41 | Transfer of patent application or patent right or utility model | |
TR01 | Transfer of patent right | Effective date of registration: 20160420. Address after: California, USA. Patentee after: SNAPTRACK, Inc. Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen. Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd. |
CX01 | Expiry of patent term | Granted publication date: 20080130 |