A WAPI-based wireless LAN operation method
Technical field
The present invention relates to the field of wireless local area networks (WLANs), and in particular to a WAPI-based wireless LAN operation method.
Background technology
A wireless local area network (WLAN), owing to the flexibility, agility and extensibility of its architecture, has developed rapidly in recent years and is now widely used in hotspot operation, enterprise, industry and home settings.
For a WLAN, security is the most important concern. In May 2003, China issued the WLAN standards GB 15629.11 and GB 15629.1102, the first batch of national standards promulgated by China in the WLAN field. In 2006, Amendment No. 1 to the national WLAN standard, GB15629.11-2003/XG1-2006, together with the related sub-item standards GB15629.1101, GB/T15629.1103 and GB15629.1104, was issued and implemented, and a national WLAN standards system began to take shape. This standards system contains a brand-new security mechanism, WAPI (WLAN Authentication and Privacy Infrastructure), which is made up of two parts: WAI (WLAN Authentication Infrastructure) and WPI (WLAN Privacy Infrastructure).
WAPI provides certificate-based and pre-shared-key-based authentication and key negotiation methods. These methods offer very high security: they ensure that only legitimate users access a legitimate network and protect the data carried on the wireless link.
When a WLAN is used in an operator environment, authentication and accounting are closely related, since accounting is carried out on the basis of authentication. Operators already have mature authentication and accounting modes of their own, but these modes cannot necessarily be combined with the certificate authentication defined in standard GB 15629.11 and its Amendment No. 1. How to match these mature authentication and accounting modes with the certificate authentication defined in GB 15629.11 and its Amendment No. 1 is one of the key issues of WLAN operation.
Current authentication mechanisms (such as RADIUS) realize only one-way authentication of the user by the network, and implement functions such as accounting on the basis of that authentication. This authentication and accounting mode is effective where the link is relatively secure, that is, in a wired environment. Because the WLAN link is open, however, applying these authentication and accounting modes directly to a WLAN is dangerous and gives rise to greater security problems.
Summary of the invention
The present invention solves the technical problem, described in the background art, that the authentication and accounting methods used by operators for wireless LAN operation are incompatible with the authentication method specified in standard GB 15629.11 and its Amendment No. 1, and provides a WAPI-based wireless LAN operation method that meets the national standard while also supporting the various authentication and accounting methods currently in use.
The technical solution of the present invention is a WAPI-based wireless LAN operation method, characterized in that the method comprises a link-level authentication step and an account information authentication step.
The account information authentication step is as follows:
21) the access controller authenticates the account information of the mobile terminal;
22) the server provides the mobile terminal with authentication information according to the result of the account information authentication, and the mobile terminal and the network exchange information data, that is, the mobile terminal can access the network.
The link-level authentication step is as follows:
1) the certificates of the mobile terminal and the wireless access point are issued by the server;
2) when the mobile terminal needs to access the local area network, the mobile terminal first associates with the wireless access point and establishes a link connection;
3) after the mobile terminal has associated with the wireless access point, the wireless access point sends an authentication activation frame to the mobile terminal to start the authentication process;
4) the mobile terminal and the wireless access point carry out certificate authentication through the server according to the provisions of GB15629.11 and its Amendment No. 1;
5) if certificate authentication succeeds, the mobile terminal and the wireless access point carry out session key negotiation, and the wireless access point announces the multicast key to the mobile terminal;
6) the wireless access point allows the mobile terminal to access.
The specific steps of the certificate authentication in step 4) above are as follows:
4.1) the mobile terminal sends an access authentication request to the wireless access point, which contains the certificate of the mobile terminal;
4.2) the wireless access point sends a certificate authentication request to the server, which contains the certificates of the mobile terminal and of the wireless access point;
4.3) the server verifies the certificates of the mobile terminal and the wireless access point, and returns a certificate authentication response to the wireless access point, which contains the authentication results for the mobile terminal certificate and the wireless access point certificate;
4.4) the wireless access point determines, according to the authentication result for the mobile terminal certificate returned by the server, whether to allow this mobile terminal to access, and sends an access authentication response to the mobile terminal;
4.5) the mobile terminal determines, according to the server's authentication result for the wireless access point certificate contained in the access authentication response, whether to access this wireless access point; if so, it proceeds to step 5), otherwise the process ends.
The link-level authentication step above may alternatively consist of the following steps:
1) the mobile terminal and the wireless access point are configured with the same pre-shared key;
2) when the mobile terminal needs to access the network, the mobile terminal first associates with the wireless access point and establishes a link connection;
3) after the mobile terminal has associated with the wireless access point, the mobile terminal and the wireless access point carry out session key negotiation, and the wireless access point announces the multicast key to the mobile terminal;
4) the wireless access point allows the mobile terminal to access.
In step 21) above, the access controller authenticates the account information of the mobile terminal as follows: after the certificate authentication stage has finished, when the user browses the network the system automatically pops up a web page prompting the user to enter a username and password; the server verifies the user's identity according to the username and password and controls network access according to the authentication result; if authentication succeeds, the mobile terminal can access the network.
Alternatively, in step 21) above, the access controller authenticates the account information of the mobile terminal as follows: after the certificate authentication stage has finished, the mobile terminal uses the information in its SIM card to carry out authentication and session key negotiation through the authentication server and the wireless access point, and network access is controlled according to the authentication result; if authentication succeeds, the mobile terminal can access the network.
The present invention separates link-level authentication and user-level identity authentication into two independent processes: link-level authentication protects the security of wireless link access, while user-level identity authentication is used for management services such as authorization and accounting. This allows the WLAN to serve as an extension of the operator's existing network and keeps the operation management of the WLAN consistent with that of the existing network. The present invention therefore has the following advantages:
1. Compliance with the national standard. In the link-level authentication process the present invention adopts a secure access technology that meets the national standard; it realizes bidirectional identity authentication between the user and the network while remaining compatible with existing management systems such as authorization and accounting, and it fully complies with the provisions of GB15629.11-2003, GB15629.11-2003/XG1-2006 and their sub-item standards.
2. Security. In the link-level authentication process the present invention adopts a secure access technology that meets the national standard, using a certificate mechanism based on a public key cryptosystem, and thereby genuinely achieves two-way authentication between the mobile terminal (MT) and the wireless access point (AP). This fully satisfies the operator's requirements for secure access and guarantees the security of the wireless link, making it equivalent to a wired link. Besides protecting secure access and data communication on the wireless link, it can also effectively protect the information of the subsequent user account authentication phase. In the user account information authentication phase the network further verifies the identity of the mobile terminal user, controls whether the mobile terminal may access the network, and controls and charges the user's network access according to the authentication result. The present invention is therefore secure.
3. The present invention can continue to use the existing user authentication and accounting methods and is highly flexible. Once the certificate has been configured on the wireless access point, the AAA server in the background need not be reconfigured; installation and networking are convenient, and the method can be used for operation in areas such as large-scale hotspots.
Embodiment
The present invention includes a link-level authentication step and an account information authentication step. When the present invention is used for certificate-based WAPI, the link-level authentication step is as follows:
1) the certificates of the mobile terminal and the wireless access point are issued by the server;
2) when the mobile terminal needs to access the network, the mobile terminal first associates with the wireless access point and establishes a link connection;
3) after the mobile terminal has associated with the wireless access point, the wireless access point sends an authentication activation frame to the mobile terminal to start the authentication process;
4) the mobile terminal and the wireless access point carry out certificate authentication through the server according to the provisions of GB15629.11 and its Amendment No. 1;
4.1) the mobile terminal sends an access authentication request to the wireless access point, which contains the certificate of the mobile terminal;
4.2) the wireless access point sends a certificate authentication request to the server, which contains the certificates of the mobile terminal and of the wireless access point;
4.3) the server verifies the certificates of the mobile terminal and the wireless access point, and returns a certificate authentication response to the wireless access point, which contains the authentication results for the mobile terminal certificate and the wireless access point certificate;
4.4) the wireless access point determines, according to the authentication result for the mobile terminal certificate returned by the server, whether to allow this mobile terminal to access, and sends an access authentication response to the mobile terminal;
4.5) the mobile terminal determines, according to the server's authentication result for the wireless access point certificate contained in the access authentication response, whether to access this wireless access point; if so, it proceeds to step 5), otherwise the process ends.
5) if certificate authentication succeeds, the mobile terminal and the wireless access point carry out session key negotiation, and the wireless access point announces the multicast key to the mobile terminal;
6) the wireless access point allows the mobile terminal to access.
When the present invention is used for pre-shared-key-based WAPI, the link-level authentication step is as follows:
1) the mobile terminal and the wireless access point are configured with the same pre-shared key;
2) when the mobile terminal needs to access the network, the mobile terminal first associates with the wireless access point and establishes a link connection;
3) after the mobile terminal has associated with the wireless access point, the mobile terminal and the wireless access point carry out session key negotiation, and the wireless access point announces the multicast key to the mobile terminal;
4) the wireless access point allows the mobile terminal to access.
Whether the certificate-based or the pre-shared-key-based variant is used, the account information authentication step is as follows:
21) the access controller authenticates the account information of the mobile terminal;
22) the server provides the mobile terminal with authentication information according to the result of the account information authentication, and the mobile terminal and the network exchange information data, that is, the mobile terminal can access the network.
In step 21), the access controller authenticates the account information of the mobile terminal as follows: after the certificate authentication stage has finished, when the user browses the network the system automatically pops up a web page prompting the user to enter a username and password; the server verifies the user's identity according to the username and password and controls network access according to the authentication result; if authentication succeeds, the mobile terminal can access the network.
Alternatively, the access controller can authenticate the account information of the mobile terminal in step 21) as follows: after the certificate authentication stage has finished, the mobile terminal uses the information in its SIM card to carry out authentication and session key negotiation through the authentication server and the wireless access point, and network access is controlled according to the authentication result; if authentication succeeds, the mobile terminal can access the network.
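An added illustration of the two-stage flow, not part of the patent: a Python model of the certificate authentication exchange in steps 4.1 to 4.5 followed by the username/password account gate of step 21. The certificate serials, the trust table and the account table are constructed values, and the AS's trust decision is a table lookup standing in for real certificate verification, so only the message flow and the two access decisions are modelled.

```python
"""Constructed model of the WAI certificate exchange (steps 4.1 to 4.5) and the account
gate (step 21). AS trust is a table lookup standing in for real certificate checks."""
from dataclasses import dataclass
import hmac

@dataclass(frozen=True)
class Cert:
    subject: str  # "MT" or "AP"
    serial: str   # constructed serial; real WAPI certificates carry keys and signatures

TRUSTED_SERIALS = {"MT-0001", "AP-0001"}   # hypothetical AS trust table
ACCOUNTS = {"alice": "s3cret"}             # hypothetical operator account table

class AuthServer:
    def certificate_auth(self, mt_cert, ap_cert):
        # 4.3: verify both certificates and return both results in one response
        return {"mt_ok": mt_cert.serial in TRUSTED_SERIALS,
                "ap_ok": ap_cert.serial in TRUSTED_SERIALS}

class AccessPoint:
    def __init__(self, cert, server):
        self.cert, self.server, self.admitted = cert, server, set()
    def access_auth(self, mt_cert):
        # 4.2: forward the MT certificate together with the AP's own certificate
        result = self.server.certificate_auth(mt_cert, self.cert)
        if result["mt_ok"]:            # 4.4: admit the MT only if the AS vouched for it
            self.admitted.add(mt_cert.subject)
        return result                  # the access authentication response carries both results

class MobileTerminal:
    def __init__(self, cert):
        self.cert = cert
    def link_level_auth(self, ap):
        resp = ap.access_auth(self.cert)          # 4.1: request carries the MT certificate
        # 4.5: join only if the AS vouched for the AP's certificate and the AP admitted the MT
        return resp["ap_ok"] and resp["mt_ok"]

class AccessController:
    def account_auth(self, user, password):
        # step 21, portal variant: username/password checked against the account table
        return hmac.compare_digest(ACCOUNTS.get(user, ""), password)

def network_access(mt_serial, ap_serial, user, password):
    """Both gates must pass before the MT exchanges data with the network (step 22)."""
    ap = AccessPoint(Cert("AP", ap_serial), AuthServer())
    mt = MobileTerminal(Cert("MT", mt_serial))
    if not mt.link_level_auth(ap):
        return "denied at link level"
    if not AccessController().account_auth(user, password):
        return "denied at account level"
    return "network access granted"
```

A terminal with a valid certificate still refuses an access point whose certificate the AS rejects, which is the two-way check the patent contrasts with one-way RADIUS-style authentication.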
Explanation of terms:
1. Mobile terminal (MT): a terminal in which a wireless network adapter is installed.
2. Wireless access point (AP): a device that provides network access service to mobile terminals.
3. Server (AS): a network entity that provides identity authentication service and certificate management functions.
4. Access controller (AC): a network device that provides access control for user access to the network.
5. SIM: subscriber identity module.