WO2014189262A1 - User terminal authentication method of access point apparatus - Google Patents

Info

Publication number
WO2014189262A1
Authority
WO
WIPO (PCT)
Prior art keywords
user terminal
identification information
password
login
received
Prior art date
Application number
PCT/KR2014/004504
Other languages
French (fr)
Inventor
Geun Yong Lee
Original Assignee
Strix Inc.
Priority date
Filing date
Publication date
Priority claimed from KR20130059003A (KR101487349B1)
Priority claimed from KR20130059002A (KR101487348B1)
Priority claimed from KR1020130140628A (KR101401329B1)
Application filed by Strix Inc.
Publication of WO2014189262A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/50 Secure pairing of devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security
    • H04W 12/69 Identity-dependent
    • H04W 12/73 Access point logical identity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security
    • H04W 12/69 Identity-dependent
    • H04W 12/77 Graphical identity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 84/00 Network topologies
    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/10 Small scale networks; Flat hierarchical networks
    • H04W 84/12 WLAN [Wireless Local Area Networks]

Definitions

  • the invention relates to a terminal authentication method of an access point (“AP”) apparatus, and more particularly, to an authentication method with improved security and convenience.
  • AP access point
  • a wireless local area network is a type of local area network (“LAN”) that allows two or more devices to be wirelessly connected.
  • a WLAN may use radio frequency, instead of a cable, as a physical channel for communication. Due to a rapid increase in the number of users of mobile devices such as notebook computers, smartphones, tablet pads, etc., WLAN environments have become increasingly prevalent, rapidly replacing existing wired LAN environments.
  • a WLAN uses radio frequencies, and may thus be more susceptible than a wired LAN to communication interference or security breaches.
  • Related-art WLAN systems use various security methods for controlling user terminals’ access to a WLAN. One is a user authentication method in which a public key is shared between an access point (“AP”) and one or more authorized user terminals, and, in response to receipt of an access request from a user terminal, user authentication is performed by using the shared public key. Another is a user authentication method in which the medium access control (“MAC”) addresses of the WLAN cards of authorized user terminals are stored in advance in an AP apparatus, and, in response to receipt of an access request from a user terminal, user authentication is performed by comparing the MAC address of the WLAN card of the user terminal with the MAC addresses present in the AP apparatus.
  • MAC medium access control
  • the former user authentication method may be vulnerable to attempts made by malicious users to collect data over the air and thus extract the shared public key, and the latter user authentication method may be almost unmanageable, especially when used for public network services involving multiple random users or for a considerable number of users.
  • Exemplary embodiments of the invention provide an authentication method capable of allowing unspecified user terminals to access an access point (“AP”) apparatus and thus to be connected to a network.
  • Exemplary embodiments of the invention also provide an authentication method capable of blocking unauthorized external attempts to access a network, while allowing unspecified user terminals to access the network.
  • a wireless network authentication system comprises a short-range communication module configured to manage access point (“AP”) identification information and transmit the AP identification information to a user terminal via short-range communication, a reception unit configured to receive, from the user terminal, AP identification information received by the user terminal and a medium access control (“MAC”) address of the user terminal, a verification unit configured to determine validity of the received AP identification information and the received MAC address, and a control unit configured to add the received MAC address to an authorized user terminal list and thus to control the user terminal’s access to a wireless network.
  • An access point apparatus comprises a wireless communication unit configured to receive a MAC address of a user terminal from the user terminal, and AP identification information acquired by tagging between a user terminal and tagging means, and a control unit configured to generate a login identifier (“ID”) and a password based on validity of the received AP identification information, return the generated login ID and password to the user terminal, and set the generated login ID and password and the received MAC address in an authorized user terminal list.
  • the control unit is further configured to grant the user terminal’s Wi-Fi connection to the access point apparatus in response to receipt of a Wi-Fi connection request made by the user terminal with the use of the generated login ID and password.
  • the user terminal comprises a short-range communication unit configured to acquire AP identification information of the AP apparatus by tagging to a tagging means, a wireless communication unit configured to transmit the acquired AP identification information to the AP apparatus and receive a login ID and a password generated by the AP apparatus in response to the transmitting, and a control unit configured to transmit an access request to the AP apparatus with the use of the received login ID and password.
  • the received login ID and password are generated based on validity of the acquired AP identification information.
  • a method of authenticating a user terminal’s access to an AP apparatus comprises acquiring AP identification information of the AP apparatus by tagging to a tagging means, transmitting the acquired AP identification information to the AP apparatus and receiving a login ID and a password generated by the AP apparatus in return, and transmitting an access request to the AP apparatus with the use of the received login ID and password.
  • the received login ID and password are generated based on validity of the acquired AP identification information.
  • the WLAN system comprises an authentication management server configured to receive AP identification information acquired by the user terminal by tagging to a tagging means and a MAC address of the user terminal from the user terminal and generate a login ID and a password based on validity of the received AP identification information, and an AP apparatus configured to receive the login ID, the password and the MAC address from the authentication management server and set the received login ID, password and MAC address in an authorized user terminal list and to grant the user terminal’s Wi-Fi connection thereto in response to receipt of a Wi-Fi connection request made by the user terminal with the use of the received login ID and password.
  • the authentication management server comprises an AP management unit configured to manage AP identification information and an IP address of at least one AP apparatus, and a control unit configured to determine validity of AP identification information received from a user terminal through comparison with the AP identification information present in the AP management unit and to generate a login ID and a password and transmit the generated login ID and password to an AP apparatus corresponding to the received AP identification information in response to a determination being made that the received AP identification information is valid.
  • the control unit is further configured to return the generated login ID and password to the user terminal and the received AP identification information is AP identification information acquired by the user terminal by tagging to a tagging means.
  • the user terminal comprises a short-range communication unit configured to acquire AP identification information of the AP apparatus by tagging to a tagging means, a wireless communication unit configured to transmit a MAC address of the user terminal and the acquired AP identification information to an authentication management server and receive a login ID and a password generated by the authentication management server in return, and a control unit configured to transmit an access request to the AP apparatus with the use of the received login ID and password.
  • the received login ID and password and the MAC address are transmitted from the authentication management server to the AP apparatus and are then set in an authorized user terminal list of the AP apparatus.
  • WLAN wireless local area network
  • FIG. 1 is a block diagram illustrating a wireless network authentication system according to an exemplary embodiment of the invention.
  • FIG. 2 is a diagram illustrating an authentication process performed by the wireless network authentication system of FIG. 1.
  • FIG. 3 is a signal flowchart illustrating a wireless network authentication method according to an exemplary embodiment of the invention.
  • FIG. 4 is a block diagram illustrating a wireless local area network (“WLAN”) system according to an exemplary embodiment of the invention.
  • FIG. 5 is a block diagram illustrating a user terminal according to an exemplary embodiment of the invention.
  • FIG. 6 is a block diagram illustrating an access point (“AP”) apparatus and an authentication management server, according to an exemplary embodiment of the invention.
  • FIG. 7 is a signal flowchart illustrating a method of authorizing a user terminal’s access, as performed by a WLAN system, according to an exemplary embodiment of the invention.
  • FIG. 8 is a block diagram illustrating a WLAN system according to another exemplary embodiment of the invention.
  • FIG. 9 is a block diagram illustrating an AP apparatus according to another exemplary embodiment of the invention.
  • FIG. 10 is a signal flowchart illustrating a method of authorizing a user terminal’s access, as performed by an AP apparatus, according to an exemplary embodiment of the invention.
  • a wireless network authentication system includes a reception unit 50, a verification unit 60 and a control unit 70.
  • the reception unit 50 may receive access point (“AP”) identification information and the medium access control (“MAC”) address of at least one user terminal.
  • the wireless network authentication system may perform wireless communication via a communication channel connected between the user terminal and an AP apparatus.
  • the AP apparatus may be a device that can serve as a wireless communication hub or a base station transmitting or receiving wireless data traffic such as Wi-Fi data traffic, and the user terminal may transmit or receive wireless data traffic such as Wi-Fi data traffic to or from another user terminal or the AP apparatus.
  • the user terminal may be a mobile terminal such as a mobile phone, a smart phone, a laptop computer, a digital broadcast receiver, a personal digital assistant (“PDA”), a portable multimedia player (“PMP”), or a navigation device, or a home appliance such as a wall mount TV, an electronic frame, or a refrigerator that is equipped with a wireless communication module.
  • PDA personal digital assistant
  • PMP portable multimedia player
  • the AP identification information is a unique identifier by which the AP apparatus can be distinguished from other AP apparatuses.
  • the AP identification information may be the unique Internet protocol (“IP”) address of the AP apparatus or the MAC address of the AP apparatus, registered in an authentication management server (not illustrated).
  • IP Internet protocol
  • the AP identification information may be transmitted first to the user terminal.
  • the user terminal may acquire the AP identification information from a short-range communication module such as a radio frequency identification (“RFID”) tag disposed in a wireless network region where the AP apparatus is located, but the invention is not limited thereto. That is, the user terminal may use various other short-range communication methods, such as those involving the use of near field communication (“NFC”) codes, quick response (“QR”) codes, or barcodes.
  • RFID radio frequency identification
  • NFC near field communication
  • QR quick response
  • the AP identification information and the MAC address of the user terminal may be transmitted to the authentication management server, and the reception unit 50, which is included in the authentication management server, may receive the AP identification information and the MAC address of the user terminal.
  • the user terminal may receive AP identification information present in an RFID tag, which is a type of short-range communication module, through RFID communication with the aid of an RFID receiver, and may transmit its MAC address and the AP identification information to the reception unit 50 of the authentication management server.
  • the user terminal may access the authentication management server through a predetermined web link by using an application program such as an authentication app, and the communication between the user terminal and the authentication management server may use wireless data communication or wireless local area network (“WLAN”) communication.
  • the verification unit 60 may determine the validity of the AP identification information and the MAC address received by the reception unit 50. In response to a determination being made that the received AP identification information and the received MAC address are valid, the verification unit 60 may transmit the received MAC address to the control unit 70.
  • a short-range communication module such as an RFID module may be provided in a wireless network region provided by a first AP apparatus, and may manage first AP identification information by which the first AP apparatus can be identified.
  • the verification unit 60 may determine the received MAC address as being invalid. If the user terminal uses second AP identification information of a second AP apparatus, instead of the first AP identification information, to request authentication of access to the first AP apparatus, the verification unit 60 may determine the second AP identification information as being invalid.
  • the verification unit 60 may store, in advance, a plurality of AP identification information and location information of a plurality of AP apparatuses managed by the authentication management server, and may verify the received AP identification information through comparison with the stored AP identification information.
  • the verification unit 60 may transmit the received MAC address to the control unit 70.
  • the control unit 70 may communicate with each AP apparatus through a local area network (“LAN”) or the Internet.
  • the control unit 70 may manage an IP address transmitted thereto in response to the AP apparatus being booted, in association with the AP identification information of the AP apparatus, and may periodically monitor the operating status of the AP apparatus, and may thus collect and manage status information of the AP apparatus.
  • the control unit 70 may add the MAC address transmitted by the verification unit 60 to an authorized user terminal list including one or more user terminals that are allowed to access a wireless network. In response to receipt of an access request from the user terminal, the control unit 70 may compare the MAC address of the user terminal with the authorized user terminal list, and may control the user terminal’s access to the wireless network.
  • the control unit 70 may delete the MAC address of the user terminal from the authorized user terminal list so that any later external attempt made by the user terminal to access the wireless network with the use of the same MAC address can be prevented.
  • the user terminal may be connected to the wireless network simply by being positioned near a short-range communication module, such as an RFID tag, located at a random place without the need to store a predetermined password for accessing the wireless network or to register the MAC address of the user terminal in the AP apparatus in advance.
  • the reception unit 50, the verification unit 60 or the control unit 70 may be disposed in various manners.
  • the reception unit 50 and the verification unit 60 may be included in the authentication management server, and the control unit 70 may be included in the AP apparatus, which is connected to the authentication management server via a network.
  • the invention is not limited to this exemplary embodiment. That is, the reception unit 50, the verification unit 60 and the control unit 70 may all be included in the authentication management server, or may be physically separated from one another.
  • a wireless network authentication process performed by the wireless network authentication system of FIG. 1 will hereinafter be described with reference to FIGS. 2 and 3.
  • a user terminal 100 may receive AP identification information (S10).
  • the AP identification information may be managed by a short-range communication module 200, which is provided in a wireless network region 80 covered by an AP apparatus 400 at a predetermined location.
  • the short-range communication module 20 may be included in the AP apparatus 400, and the presence of the user terminal 100 in the wireless network region 80 of the AP apparatus 400 may be acknowledged based on whether the user terminal 100 can near-field-communicate with the short-range communication module 200 without the aid of an authentication management server 300.
  • the user terminal 100 may transmit its location information and the AP identification information to the authentication management server 300.
  • the short-range communication module 200 may include one or more short-range communication sub-modules.
  • the short-range communication module 200 may be implemented as an RFID tag or an NFC module, but the invention is not limited thereto. That is, in another exemplary embodiment, the short-range communication module 200 may perform short-range communication by using various communication methods or devices such as Bluetooth, infrared data association (“IrDA”), ZigBee, a QR code tag, or a barcode tag.
  • IrDA infrared data association
  • the user terminal 100 may transmit its MAC address and the AP identification information to the authentication management server 300 (S20) via an application program such as an authentication app installed therein.
  • the authentication management server 300 may determine the validity of the AP identification information and the MAC address of the user terminal 100 (S30). In response to a determination being made that the AP identification information and the MAC address of the user terminal 100 are valid, the authentication management server 300 may transmit the MAC address of the user terminal 100 to the AP apparatus 400 (S40). In an exemplary embodiment, the authentication management server 300 may store in advance a plurality of AP identification information of a plurality of AP apparatuses that are managed by the authentication management server 300, and may determine the validity of the AP identification information and the MAC address of the user terminal 100 by comparing the AP identification information with the plurality of AP identification information. However, the invention is not limited to this exemplary embodiment.
  • the authentication management server 300 may transmit an “Access Refused” message to the user terminal 100. For example, in a case in which the AP identification information is of an AP apparatus in a different place from that designated by the location information of the user terminal 100, or is arbitrarily generated AP identification information, the authentication management server 300 may determine the AP identification information as being invalid. In this manner, the authentication management server 300 can prevent external attacks or indiscriminate access attempts made from outside the wireless network region 80.
  • the AP apparatus 400 may add the MAC address of the user terminal 100, which is determined to be valid, to an authorized user terminal list (S50).
  • the AP apparatus 400 may notify the authentication management server 300 of the addition of the MAC address of the user terminal 100 to the authorized user terminal list (S60).
  • the authentication management server 300 may transmit an “Access Granted” message to the user terminal 100 (S70).
  • the AP apparatus 400 may determine whether the MAC address of the user terminal 100 is included in the authorized user terminal list, and may grant the user terminal’s access to a wireless network.
  • the AP apparatus 400 may delete the MAC address of the user terminal 100 from the authorized user terminal list (S90).
  • the authentication management server 300 and the AP apparatus 400 may be incorporated together. That is, the user terminal 100 may transmit its MAC address and the AP identification information to the AP apparatus 400, and the AP apparatus 400 may determine the validity of the AP identification information against AP identification information set upon being booted, and may transmit directly to the user terminal 100 information indicating whether the user terminal 100 is granted access to a wireless network. According to the exemplary embodiment of FIGS.
  • FIG. 4 is a schematic diagram illustrating a WLAN system according to an exemplary embodiment of the invention.
  • the WLAN system performs wireless communication 20 with the use of a communication channel connected between a user terminal 100 and an AP apparatus 400.
  • the user terminal 100 transmits a Wi-Fi connection request and AP identification information to an authentication management server 300 to be connected to a wireless network.
  • the user terminal 100 may acquire the AP identification information from an RFID tag 200, which is located at a random place within a wireless network region where the AP apparatus 400 belongs, and the AP identification information may be a unique IP address of the AP apparatus 400 or information registered in the authentication management server 300 regarding the AP apparatus 400.
  • the user terminal 100 acquires the AP identification information from the RFID tag 200 via RFID communication 10 with the aid of an RFID receiver embedded therein, and transmits its MAC address and the acquired AP identification information to the authentication management server 300.
  • the user terminal 100 may access the authentication management server 300 through a predetermined web link by using an authentication app, and the wireless communication 20 between the user terminal 100 and the authentication management server 300 may be wireless data communication or WLAN communication.
  • the authentication management server 300 may manage AP identification information of at least one AP apparatus 400, and may store and manage an IP address transmitted thereto in response to the AP apparatus 400 being booted, in association with the AP identification information of the AP apparatus 400.
  • the authentication management server 300 may periodically monitor the operating status of the AP apparatus 400, and may thus collect and manage status information of the AP apparatus 400. In a case in which an AP apparatus 400 corresponding to the AP identification information transmitted by the user terminal 100 is in an abnormal state or a halt state, the authentication management server 300 may return an “Access Refused” message to the user terminal 100.
  • the authentication management server 300 may determine the validity of the AP identification information transmitted by the user terminal 100, and may generate a login ID and a password for logging on to the AP apparatus 400 and provide the ID and the password to the user terminal 100 in response to a determination being made that the AP identification information transmitted by the user terminal 100 is valid.
  • the ID and the password may also be transmitted to the AP apparatus 400.
  • the AP apparatus 400 may use the ID and the password to authenticate the user terminal 100.
  • the user terminal 100 may be connected to a wireless network simply by being placed near the RFID tag 200 without the need to store and manage the ID and password in the user terminal 100 or to register the MAC address of the user terminal 100 in the AP apparatus 400 in advance.
  • the authentication management server 300 may manage AP identification information and public IP information of at least one AP apparatus 400.
  • the structures of the user terminal 100, the authentication management server 300 and the AP apparatus 400 will hereinafter be described with reference to FIGS. 5 and 6.
  • FIG. 5 is a block diagram illustrating a user terminal according to an exemplary embodiment of the invention.
  • a user terminal 100 includes a short-range communication unit 110, a memory unit 120, a control unit 130 and a wireless communication unit 140.
  • the short-range communication unit 110 includes one or more short-range communication modules.
  • the short-range communication unit 110 may include an RFID reception module 112, an NFC module 114 and may also include another short-range communication module having the same functions as, or at least similar functions to, those of the RFID reception module 112 and the NFC module 114, such as a Bluetooth communication module, an IrDA communication module, an ultra wide-band (“UWB”) communication module or a ZigBee communication module.
  • the RFID reception module 112 and the NFC module 114 may be incorporated into a single module. For convenience, it is assumed that the RFID reception module 112 and the NFC module 114 are implemented as separate modules.
  • the RFID reception module 112 acquires AP identification information of the AP apparatus from the RFID tag, which is located at a random place.
  • the RFID reception module 112 transmits a radio frequency (“RF”) carrier signal and energy to the RFID tag 200 via a designated frequency band, and the RFID tag 200 may modulate the phase or amplitude of the RF carrier signal and may thus return AP identification information present in a tag therein to the RFID reception module 112.
  • the modulated RF carrier signal may be demodulated by the RFID reception module 112, and may then be stored in the memory unit 120.
  • the AP identification information of the AP apparatus 400 may be acquired from various tagging means, other than the RFID tag 200, such as, for example, a QR code tag, a barcode tag, an NFC tag or another storage tag with similar functions to those of the RFID tag 200.
  • the user terminal 100 may be equipped with a QR code reader (not illustrated), instead of the RFID reception module 112, or may use the NFC module 114 to acquire the AP identification information of the AP apparatus 400.
  • the AP identification information acquired by the RFID reception module 112 is stored in the memory unit 120. More specifically, the AP identification information acquired by the RFID reception module 112 may be stored in association with a login ID and a password generated by the control unit 130 and a MAC address provided along with the ID and the password.
  • An authentication app 122 which can be driven in the user terminal 100, may be stored in the memory unit 120. More specifically, the authentication app 122 may be driven in the memory unit 120, and may handle a series of processes such as allowing the RFID reception module 112 to acquire AP identification information, transmitting the AP identification information to the authentication management server, acquiring a login ID and a password in return from the authentication management server 300, and sending a Wi-Fi connection request to the AP apparatus 400.
  • the control unit 130 controls the execution of the authentication app 122, and also controls the general operation of the user terminal 100.
  • the control unit 130 accesses the authentication management server 300 via a web link, provides AP identification information and the MAC address of the user terminal 100 to the authentication management server 300, and requests authentication information for a Wi-Fi connection to the AP apparatus 400.
  • the control unit 130 transmits a request for access to the AP apparatus 400 by using a login ID and a password transmitted thereto from the authentication management server 300.
  • the wireless communication unit 140 performs wireless communication with the AP apparatus 400, and may include a baseband processor for communication control, a transceiver, a power amplifier and an antenna.
  • the wireless communication unit 140 may be used to transmit AP identification information and the MAC address of the user terminal 100 to the authentication management server 300.
  • wireless data communication provided by a communication service provider may be used instead of the wireless communication unit 140.
  • the wireless communication unit 140 may receive a login ID and a password from the authentication management server 300 and may transmit the received ID and password to the control unit 130.
  • FIG. 6 is a block diagram illustrating an AP apparatus and an authentication management server, according to an exemplary embodiment of the invention.
  • the authentication management server 300 includes a control unit 310, an AP management unit 320, a storage unit 330, a LAN port 340 and a wireless communication unit 350.
  • the AP apparatus 400 includes a control unit 410, a LAN port 420 and a wireless communication unit 430.
  • the control unit 310 determines the validity of AP identification information received from the user terminal. In response to a determination being made that the received AP identification information is valid, the control unit 310 generates a login ID and a password to be provided to the user terminal 100. The login ID and the password are returned to the user terminal 100. The password to be provided to the user terminal 100 may be randomly generated by using various information relating to the user terminal 100. For example, the control unit 310 may generate a password based on data obtained by subjecting the MAC address of the user terminal 100, the login ID to be provided to the user terminal 100, and AP identification information of the AP apparatus 400 to a hash process.
  • the control unit 310 may store the MAC address received from the user terminal 100, along with the received AP identification information and the generated login ID and password, in the storage unit 330, and may control the transmission of the received MAC address to the AP apparatus 400.
  • the control unit 310 may determine the location of the user terminal 100 based on the received AP identification information, may select advertisement data or a discount coupon from the storage unit 330 based on the determined location of the user terminal 100, and may control the selected advertisement data or a discount coupon to be transmitted to the user terminal 100 along with a login ID.
  • the AP management unit 320 may manage information relating to the AP apparatus 400 to be managed.
  • the AP management unit 320 registers the AP identification information of the AP apparatus 400 so that the AP apparatus 400 can be identified by the registered AP identification information.
  • the AP identification information of the AP apparatus 400 may be a unique value that can represent the AP apparatus 400, such as the MAC address, the public IP address or the unique serial number of the AP apparatus 400.
  • the AP management unit 320 may communicate with the AP apparatus 400 via a LAN or the Internet.
  • the AP management unit 320 may associate an IP address transmitted thereto in response to the AP apparatus 400 being booted, with the AP identification information of the AP apparatus 400 so as to manage the AP identification information of the AP apparatus 400.
  • the AP management unit 320 may periodically monitor the operating status of the AP apparatus 400, and may thus collect and manage status information of the AP apparatus 400.
  • the AP management unit 320 may manage information relating to a place or store where the AP apparatus 400 is installed, together with the AP identification information of the AP apparatus 400. As a result, the authentication management server 300 can easily identify and choose advertisement data or a discount coupon corresponding to the AP identification information of the AP apparatus 400, which is received from the user terminal 100.
  • the storage unit 330 stores the AP identification information and the IP address of the AP apparatus 400, the MAC address of the user terminal 100, which has sent an authentication request, and authentication information such as the login ID and password generated by the control unit 310.
  • the AP management unit 320 deletes the login ID and password allocated to the user terminal 100 and the MAC address of the user terminal 100 from the storage unit 330 upon being notified of the termination of a Wi-Fi connection from the AP apparatus 400 to the user terminal 100.
  • the authentication management server 300 may transmit data to or receive data from the user terminal 100 or the AP apparatus 400 through the Internet or a LAN.
  • the authentication management server 300 uses the LAN port 340, which is for accessing a wired network, and the wireless communication unit 350, which is for accessing a wireless network.
  • the wireless communication unit 350 may include a baseband processor, a transceiver, a power amplifier, an antenna, etc., for wireless communication.
  • the control unit 410 sets the MAC address of the user terminal 100 and a login ID and a password for accessing the AP apparatus 400 in an authorized user terminal list, which is included in Wi-Fi communication setting information.
  • the control unit 410 determines whether the user terminal 100 is included in the authorized user terminal list, and grants the user terminal’s Wi-Fi connection to the AP apparatus 400.
  • the control unit 410 may delete the MAC address of the user terminal 100 and the set login ID and password from the authorized user terminal list.
  • the LAN port 420 or the wireless communication unit 430 may be used as a communication interface.
  • FIG. 7 is a signal flowchart illustrating a method of authorizing a user terminal’s access, as performed by a WLAN system, according to an exemplary embodiment of the invention.
  • an authentication app 122 is driven in a user terminal 100 for authorizing the user terminal 100’s Wi-Fi connection (S100).
  • AP identification information of an AP apparatus 400 that the user terminal 100 wishes to access is acquired (S102) by tagging a tagging means, such as, for example, an RFID tag located near the user terminal 100, with the use of the authentication app 122.
  • the user terminal 100 transmits the acquired AP identification information and its MAC address to an authentication management server 300 (S104).
  • the AP apparatus 400 transmits its public IP address to the authentication management server 300 (S106) upon being booted.
  • the authentication management server 300 stores the public IP address transmitted by the AP apparatus 400 in association with the AP identification information of the AP apparatus 400 (S108).
  • the authentication management server 300 determines the validity of the AP identification information received from the user terminal 100 and the operating status of the AP apparatus 400. In response to a determination being made that the received AP identification information is valid, the authentication management server 300 generates a login ID and a password to be provided to the user terminal 100 (S112). On the other hand, in response to a determination being made that the received AP identification information is invalid (S116) or that the AP apparatus 400 is not in a normal operating status (S110), the authentication management server 300 returns an “Access Refused” message to the user terminal 100 (S114).
  • the authentication management server 300 transmits the generated login ID and password and the MAC address of the user terminal 100 to the AP apparatus 400 (S118).
  • the AP apparatus 400 adds the login ID, password and MAC address received from the authentication management server 300 to an authorized user terminal list, which is included in Wi-Fi communication setting information (S120).
  • the authentication management server 300 returns the generated login ID and password to the user terminal (S124).
  • the user terminal 100 receives the login ID and password transmitted by the authentication management server 300 (S126) and attempts to Wi-Fi connect to the AP apparatus 400 with the use of the received login ID and password (S128). If the user terminal 100’s attempt to access the AP apparatus 400 is determined to be invalid due to, for example, the input of a wrong or expired login ID, an “Access Refused” message is displayed to the user terminal 100 via the authentication app 122 (S130).
  • the AP apparatus 400 receives a Wi-Fi connection request from the user terminal 100, compares the MAC address of the user terminal 100 with the authorized user terminal list, and grants the user terminal 100’s Wi-Fi connection thereto in response to there being a match for the MAC address of the user terminal 100 in the authorized user terminal list (S132 and S133).
  • the access information, i.e., the login ID and password for accessing the AP apparatus 400, is automatically deleted from the user terminal 100 and the AP apparatus 400, respectively (S136 and S137).
  • the AP apparatus 400 notifies the authentication management server 300 of the termination of the Wi-Fi connection between the user terminal 100 and the AP apparatus 400, and the login ID and password for accessing the AP apparatus 400 are also deleted from the authentication management server 300 (S138).
  • wireless communication authentication with improved security against many unspecified user terminals and with facilitated maintenance can be provided without the need for an AP apparatus to manage the MAC addresses of multiple user terminals or for each user terminal to acquire or store in advance a login ID and a password for accessing an AP apparatus.
  • FIG. 8 is a block diagram illustrating a WLAN system according to another exemplary embodiment of the invention.
  • the WLAN system performs wireless communication 20 with the use of a communication channel connected between a user terminal 100 and an AP apparatus 400.
  • the user terminal 100 transmits a Wi-Fi connection request and AP identification information to the AP apparatus 400 to be connected to a wireless network.
  • the user terminal 100 may acquire the AP identification information from an RFID tag 200, which is located at a random place within a wireless network region where the AP apparatus 400 belongs, and the AP identification information may be a unique IP address of the AP apparatus 400.
  • the RFID tag 200 may be provided in the AP apparatus 400. That is, the RFID tag 200 may be attached onto, for example, the housing of the AP apparatus 400.
  • the user terminal 100 acquires the AP identification information from the RFID tag 200 via RFID communication 10 with the aid of an RFID receiver embedded therein, accesses the AP apparatus 400 with the use of the acquired AP identification information, and transmits its MAC address and the acquired AP identification information to the AP apparatus 400.
  • the user terminal 100 may use a mobile communication module embedded therein to transmit its MAC address and the acquired AP identification information to the AP apparatus 400.
  • the RFID tag 200 may include access information for accessing the AP apparatus 400, and the user terminal 100 may transmit its MAC address and the acquired AP identification information to a server module embedded in the AP apparatus 400 by using that access information.
  • the user terminal 100 is connected to the Internet via the mobile communication module, and thus accesses the AP apparatus 400 via the Internet, rather than transmitting its MAC address and the acquired AP identification information to the AP apparatus 400 via Wi-Fi.
  • the mobile communication module may support, for example, the third generation (3G) or fourth generation (4G) communications standard.
  • the user terminal 100 may use an NFC module, instead of the mobile communication module, to transmit its MAC address and the acquired AP identification information to the AP apparatus 400.
  • the NFC module may generate an RF field and may use the RF field to transmit the MAC address of the user terminal 100 and the acquired AP identification information to an NFC module (not illustrated) of the AP apparatus 400.
  • the NFC module of the AP apparatus 400 may also generate an RF field and may use the RF field to transmit a login ID and a password to the NFC module of the user terminal 100.
  • the AP apparatus 400 determines the validity of the AP identification information received from the user terminal 100. In response to a determination being made that the received AP identification information is valid, the AP apparatus 400 generates a login ID and a password for accessing the AP apparatus 400 and provides them to the user terminal 100.
  • the user terminal 100 may be connected to a wireless network simply by being placed near the RFID tag 200, without the need to store and manage the ID and password for accessing the AP apparatus 400 in the user terminal 100 or to register the MAC address of the user terminal 100 in the AP apparatus 400.
  • FIG. 9 is a block diagram illustrating an AP apparatus according to another exemplary embodiment of the invention.
  • an AP apparatus 400 includes a control unit 410, a LAN port 420, a wireless communication unit 430 and a storage unit 440.
  • the control unit 410 determines the validity of AP identification information received from a user terminal 100. In response to a determination being made that the received AP identification information is valid, the control unit 410 generates a login ID and a password to be provided to the user terminal 100 via the wireless communication unit 430 or an NFC module (not illustrated). The login ID and the password are returned to the user terminal 100. The password to be provided to the user terminal 100 may be generated based on data obtained by subjecting the MAC address of the user terminal 100 or the login ID to be provided to the user terminal 100 to a hash process.
  • the control unit 410 stores the MAC address received from the user terminal 100, along with the received AP identification information and the generated login ID and password, in the storage unit 440, and sets the received MAC address and the generated login ID and password in an authorized user terminal list, which is included in Wi-Fi communication setting information.
  • the control unit 410 determines whether the user terminal 100 is included in the authorized user terminal list, and grants the user terminal’s Wi-Fi connection to the AP apparatus 400.
  • the LAN port 420, which is a wired LAN interface, may serve as a communication channel for a user terminal attempting to access the AP apparatus 400 in a wired manner, and an RJ-45 cable may be used to connect the user terminal and the AP apparatus 400.
  • the wireless communication unit 430 performs wireless communication with the user terminal 100, and includes a baseband processor, a transceiver, a power amplifier, an antenna, etc., for wireless communication.
  • the wireless communication unit 430 receives AP identification information and a MAC address from the user terminal 100, and transmits the login ID and password generated by the control unit 410 to the user terminal 100.
  • the storage unit 440 stores and manages the MAC address received from the user terminal 100 and access information such as the login ID and password generated by the control unit 410. In response to the Wi-Fi connection between the user terminal 100 and the AP apparatus 400 being terminated, the storage unit 440 deletes the login ID and password allocated to the user terminal 100, and the corresponding login ID and password may also be deleted from the authorized user terminal list.
  • FIG. 10 is a signal flowchart illustrating a method of authorizing a user terminal’s access, as performed by an AP apparatus, according to an exemplary embodiment of the invention.
  • an authentication app 122 is driven in a user terminal 100 for authorizing the user terminal 100’s Wi-Fi connection (S100).
  • AP identification information of an AP apparatus 400 that the user terminal 100 wishes to access is acquired (S102) by tagging a tagging means, such as, for example, an RFID tag or a QR code tag located near the user terminal 100, with the use of the authentication app 122.
  • the user terminal 100 accesses the AP apparatus 400 with the use of the acquired AP identification information and transmits the acquired AP identification information and its MAC address to the AP apparatus 400 (S104).
  • the AP apparatus 400 determines the validity of the AP identification information received from the user terminal 100 (S106). In response to a determination being made that the received AP identification information is valid, the AP apparatus 400 generates a login ID and a password to be provided to the user terminal 100 (S108). In response to a determination being made that the received AP identification information is invalid, the AP apparatus 400 returns an “Access Refused” message to the user terminal 100 (S110).
  • the AP apparatus 400 adds the generated login ID and password to an authorized user terminal list, which is included in Wi-Fi communication setting information, in association with the MAC address of the user terminal 100 (S112), and returns the generated login ID and password to the user terminal 100 (S114).
  • the user terminal 100 receives the login ID and password generated by the AP apparatus 400 and attempts to Wi-Fi connect to the AP apparatus 400 with the use of the received login ID and password (S116 and S118). If the user terminal 100’s attempt to access the AP apparatus 400 is determined to be invalid due to, for example, the input of a wrong or expired login ID, an “Access Refused” message is displayed to the user terminal 100 via the authentication app 122 (S120).
  • the AP apparatus 400 receives a Wi-Fi connection request from the user terminal 100, determines the validity of the login ID and password input thereto by the user terminal 100, compares the MAC address of the user terminal 100 with the authorized user terminal list, and grants the user terminal 100’s Wi-Fi connection thereto in response to there being a match for the MAC address of the user terminal 100 in the authorized user terminal list (S122 and S123).
  • the authentication information present in the user terminal 100 and the AP apparatus 400 is automatically deleted (S126 and S127).
  • wireless communication authentication with improved security against many unspecified user terminals and with facilitated maintenance can be provided without the need for an AP apparatus to manage the MAC addresses of multiple user terminals or for each user terminal to acquire or store in advance a login ID and a password for accessing an AP apparatus.
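The FIG. 7 (server-mediated) and FIG. 10 (AP-issued) flows above, simulated in Python as an added example that is not part of the patent: an issuer validates the tag-derived AP identification information, mints a one-time login ID and password (the password hashed from the MAC address, login ID and AP identification information, as the description states), sets them in the AP's authorized user terminal list, and the entry is removed on disconnection so the same credentials cannot be reused. The class names, the keying of the hash with an issuer-held secret (an added hardening), and every MAC address and AP serial number are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

ACCESS_REFUSED = "Access Refused"


def derive_password(secret: bytes, mac: str, login_id: str, ap_id: str) -> str:
    """Hash of MAC || login ID || AP identification information (the inputs the
    description names), keyed with an issuer-held secret. Keying is an added
    hardening: MAC and AP ID are observable on air, so an unkeyed hash of them
    could be recomputed by a bystander."""
    msg = f"{mac}|{login_id}|{ap_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20]


@dataclass
class ApApparatus:
    ap_id: str                     # MAC, public IP or serial number of the AP
    operating: bool = True         # operating status the server checks (S110)
    # authorized user terminal list in the Wi-Fi setting information:
    # terminal MAC address -> (login ID, password)
    authorized: dict = field(default_factory=dict)

    def wifi_connect(self, mac: str, login_id: str, password: str) -> str:
        """Connection request: MAC must be listed and credentials must match
        the listed ones (S122/S123, S132/S133); anything else is refused."""
        entry = self.authorized.get(mac)
        if entry is None:
            return ACCESS_REFUSED
        ok = hmac.compare_digest(entry[0], login_id) and hmac.compare_digest(entry[1], password)
        return "Connected" if ok else ACCESS_REFUSED

    def disconnect(self, mac: str) -> None:
        """Termination: the one-time credentials leave the list, so replaying
        the same login ID and password later fails (S127, S137)."""
        self.authorized.pop(mac, None)


class AuthenticationServer:
    """Authentication management server of the FIG. 7 flow."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)
        self.aps = {}     # AP management unit: AP identification info -> AP
        self.issued = {}  # storage unit: terminal MAC -> (AP ID, login ID, pw)

    def register_ap(self, ap: ApApparatus) -> None:
        self.aps[ap.ap_id] = ap

    def request_access(self, ap_id: str, mac: str):
        """S104 to S124: validate the tag-derived AP ID and the AP status, mint
        credentials, push them to the AP, return them to the terminal."""
        ap = self.aps.get(ap_id)
        if ap is None or not ap.operating:
            return ACCESS_REFUSED                      # S114 (via S110 / S116)
        login_id = "u" + secrets.token_hex(4)
        password = derive_password(self.secret, mac, login_id, ap_id)
        self.issued[mac] = (ap_id, login_id, password)
        ap.authorized[mac] = (login_id, password)      # S118, S120
        return login_id, password                      # S124

    def on_disconnect(self, mac: str) -> None:
        self.issued.pop(mac, None)                     # S138


@dataclass
class SelfIssuingAp(ApApparatus):
    """FIG. 10 flow: the AP itself validates the tag data and issues credentials."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def request_access(self, ap_id: str, mac: str):
        if ap_id != self.ap_id:                        # S106 -> S110
            return ACCESS_REFUSED
        login_id = "u" + secrets.token_hex(4)          # S108
        password = derive_password(self.secret, mac, login_id, ap_id)
        self.authorized[mac] = (login_id, password)    # S112
        return login_id, password                      # S114


def server_mediated_flow() -> list:
    """FIG. 7 with constructed identifiers; returns the outcomes in order."""
    server, ap = AuthenticationServer(), ApApparatus("ap-serial-0001")
    server.register_ap(ap)
    mac = "02:00:00:aa:bb:cc"                          # constructed terminal MAC
    out = [server.request_access("ap-serial-9999", mac)]  # tag names an unknown AP
    creds = server.request_access(ap.ap_id, mac)
    out.append(ap.wifi_connect(mac, *creds))           # fresh one-time credentials
    out.append(ap.wifi_connect("02:00:00:dd:ee:ff", *creds))  # valid creds, wrong MAC
    ap.disconnect(mac)
    server.on_disconnect(mac)
    out.append(ap.wifi_connect(mac, *creds))           # expired after S137
    return out


def ap_issued_flow() -> list:
    """FIG. 10 with constructed identifiers; returns the outcomes in order."""
    ap = SelfIssuingAp("ap-serial-0002")
    mac = "02:00:00:11:22:33"
    creds = ap.request_access(ap.ap_id, mac)
    out = [ap.wifi_connect(mac, creds[0], "wrong-password")]  # S120 case
    out.append(ap.wifi_connect(mac, *creds))
    ap.disconnect(mac)
    out.append(ap.wifi_connect(mac, *creds))           # expired after S127
    return out
```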
  • This invention may be implemented by using a computer readable code on a non-transitory machine-readable medium.
  • a computer program product comprising a non-transitory machine-readable medium storing instructions that, when executed by at least one programmable processor, cause the at least one programmable processor to perform the operations described above may be provided for the implementation of this invention.

Abstract

An authentication method capable of allowing unspecified user terminals to access an access point ("AP") apparatus and thus to be connected to a network, and blocking unauthorized external attempts to access a network, while allowing unspecified user terminals to access the network is provided. A wireless network authentication system, comprising a short-range communication module configured to manage access point ("AP") identification information and transmit the AP identification information to a user terminal via short-range communication, a reception unit configured to receive, from the user terminal, AP identification information received by the user terminal and a medium access control ("MAC") address of the user terminal, a verification unit configured to determine validity of the received AP identification information and the received MAC address, and a control unit configured to add the received MAC address to an authorized user terminal list and thus to control the user terminal's access to a wireless network is provided.

Description

USER TERMINAL AUTHENTICATION METHOD OF ACCESS POINT APPARATUS
The invention relates to a terminal authentication method of an access point (“AP”) apparatus, and more particularly, to an authentication method with improved security and convenience.
A wireless local area network (“WLAN”) is a type of local area network (“LAN”) that allows two or more devices to be wirelessly connected. A WLAN may use a radio frequency, instead of a cable, as a physical channel for communication. Due to a rapid increase in the number of users of mobile devices such as notebook computers, smartphones, tablet pads, etc., WLAN environments have increasingly become prevalent, rapidly replacing existing wired LAN environments.
However, a WLAN uses radio frequencies, and may thus be more susceptible than a wired LAN to communication interference or security breaches. Related-art WLAN systems use various security methods for controlling user terminals’ access to a WLAN, such as, for example, a user authentication method in which a public key is shared between an access point (“AP”) and one or more authorized user terminals and, in response to receipt of an access request from a user terminal, user authentication is performed by using the shared public key, and a user authentication method in which the medium access control (“MAC”) addresses of the WLAN cards of authorized user terminals are stored in advance in an AP apparatus and, in response to receipt of an access request from a user terminal, user authentication is performed by comparing the MAC address of the WLAN card of the user terminal with the MAC addresses present in the AP apparatus.
However, the former user authentication method may be vulnerable to attempts made by malicious users to collect data and thus extract the shared public key on air, and the latter user authentication method may be almost unmanageable, especially when in use in connection with public network services involving multiple random users or when in use for a considerable number of users.
Therefore, a method is needed to stably provide security against unspecified users while addressing the problems associated with related-art WLAN security methods.
Exemplary embodiments of the invention provide an authentication method capable of allowing unspecified user terminals to access an access point (“AP”) apparatus and thus to be connected to a network.
Exemplary embodiments of the invention also provide an authentication method capable of blocking unauthorized external attempts to access a network, while allowing unspecified user terminals to access the network.
However, exemplary embodiments of the invention are not restricted to those set forth herein. The above and other exemplary embodiments of the invention will become more apparent to one of ordinary skill in the art to which the invention pertains by referencing the detailed description of the invention given below.
A wireless network authentication system according to an embodiment of this invention comprises a short-range communication module configured to manage access point (“AP”) identification information and transmit the AP identification information to a user terminal via short-range communication, a reception unit configured to receive, from the user terminal, the AP identification information received by the user terminal and a medium access control (“MAC”) address of the user terminal, a verification unit configured to determine the validity of the received AP identification information and the received MAC address, and a control unit configured to add the received MAC address to an authorized user terminal list and thus to control the user terminal’s access to a wireless network.
An access point apparatus according to another embodiment of this invention comprises a wireless communication unit configured to receive, from a user terminal, a MAC address of the user terminal and AP identification information acquired by tagging between the user terminal and a tagging means, and a control unit configured to generate a login identifier (“ID”) and a password based on the validity of the received AP identification information, return the generated login ID and password to the user terminal, and set the generated login ID and password and the received MAC address in an authorized user terminal list. The control unit is further configured to grant the user terminal’s Wi-Fi connection to the access point apparatus in response to receipt of a Wi-Fi connection request made by the user terminal with the use of the generated login ID and password.
A user terminal performing access authentication with an AP apparatus according to still another embodiment of this invention comprises a short-range communication unit configured to acquire AP identification information of the AP apparatus by tagging a tagging means, a wireless communication unit configured to transmit the acquired AP identification information to the AP apparatus and receive a login ID and a password generated by the AP apparatus in response, and a control unit configured to transmit an access request to the AP apparatus with the use of the received login ID and password. The received login ID and password are generated based on the validity of the acquired AP identification information.
A method of authenticating a user terminal’s access to an AP apparatus according to still another embodiment of this invention comprises acquiring AP identification information of the AP apparatus by tagging a tagging means, transmitting the acquired AP identification information to the AP apparatus and receiving a login ID and a password generated by the AP apparatus in return, and transmitting an access request to the AP apparatus with the use of the received login ID and password. The received login ID and password are generated based on the validity of the acquired AP identification information.
A wireless local area network (“WLAN”) system performing authentication of a user terminal according to still another embodiment of this invention comprises an authentication management server configured to receive, from the user terminal, AP identification information acquired by the user terminal by tagging a tagging means and a MAC address of the user terminal, and to generate a login ID and a password based on the validity of the received AP identification information, and an AP apparatus configured to receive the login ID, the password and the MAC address from the authentication management server, set the received login ID, password and MAC address in an authorized user terminal list, and grant the user terminal’s Wi-Fi connection thereto in response to receipt of a Wi-Fi connection request made by the user terminal with the use of the received login ID and password.
An authentication management server managing authentication of access to an AP apparatus according to still another embodiment of this invention comprises an AP management unit configured to manage AP identification information and an IP address of at least one AP apparatus, and a control unit configured to determine the validity of AP identification information received from a user terminal through comparison with the AP identification information present in the AP management unit and, in response to a determination being made that the received AP identification information is valid, to generate a login ID and a password and transmit the generated login ID and password to the AP apparatus corresponding to the received AP identification information. The control unit is further configured to return the generated login ID and password to the user terminal, and the received AP identification information is AP identification information acquired by the user terminal by tagging a tagging means.
A user terminal performing access authentication with an AP apparatus according to still another embodiment of this invention comprises a short-range communication unit configured to acquire AP identification information of the AP apparatus by tagging a tagging means, a wireless communication unit configured to transmit a MAC address of the user terminal and the acquired AP identification information to an authentication management server and receive a login ID and a password generated by the authentication management server in return, and a control unit configured to transmit an access request to the AP apparatus with the use of the received login ID and password. The received login ID and password and the MAC address are transmitted from the authentication management server to the AP apparatus and are then set in an authorized user terminal list of the AP apparatus.
According to the exemplary embodiments, there is no need to use a fixed password for authentication of access to an access point (“AP”) apparatus in a wireless local area network (“WLAN”) or to register the medium access control (“MAC”) address of each user terminal in advance. Accordingly, the management of network access rights can be facilitated.
In addition, there is also no need to use a predetermined password for authentication of access to an AP apparatus in a WLAN or to register the MAC address of each user terminal in advance. Accordingly, the management of network access rights can also be facilitated.
Other features and exemplary embodiments will be apparent from the following detailed description, the drawings, and the claims.
FIG. 1 is a block diagram illustrating a wireless network authentication system according to an exemplary embodiment of the invention.
FIG. 2 is a diagram illustrating an authentication process performed by the wireless network authentication system of FIG. 1.
FIG. 3 is a signal flowchart illustrating a wireless network authentication method according to an exemplary embodiment of the invention.
FIG. 4 is a block diagram illustrating a wireless local area network (“WLAN”) system according to an exemplary embodiment of the invention.
FIG. 5 is a block diagram illustrating a user terminal according to an exemplary embodiment of the invention.
FIG. 6 is a block diagram illustrating an access point (“AP”) apparatus and an authentication management server, according to an exemplary embodiment of the invention.
FIG. 7 is a signal flowchart illustrating a method of authorizing a user terminal’s access, as performed by a WLAN system, according to an exemplary embodiment of the invention.
FIG. 8 is a block diagram illustrating a WLAN system according to another exemplary embodiment of the invention.
FIG. 9 is a block diagram illustrating an AP apparatus according to another exemplary embodiment of the invention.
FIG. 10 is a signal flowchart illustrating a method of authorizing a user terminal’s access, as performed by an AP apparatus, according to an exemplary embodiment of the invention.
Advantages and features of the present invention and methods of accomplishing the same may be understood more readily by reference to the following detailed description of preferred embodiments and the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the concept of the invention to those skilled in the art, and the present invention will only be defined by the appended claims. Like reference numerals refer to like elements throughout the specification.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
Exemplary embodiments of the invention will hereinafter be described with reference to the accompanying drawings. FIG. 1 is a block diagram illustrating a wireless network authentication system according to an exemplary embodiment of the invention. Referring to FIG. 1, a wireless network authentication system includes a reception unit 50, a verification unit 60 and a control unit 70.
The reception unit 50 may receive access point (“AP”) identification information and the medium access control (“MAC”) address of at least one user terminal. The wireless network authentication system may perform wireless communication via a communication channel connected between the user terminal and an AP apparatus.
The AP apparatus may serve as a wireless communication hub or a base station transmitting or receiving wireless data traffic such as Wi-Fi data traffic, and the user terminal may transmit or receive wireless data traffic such as Wi-Fi data traffic to or from another user terminal or the AP apparatus. In an exemplary embodiment, the user terminal may be a mobile terminal such as a mobile phone, a smart phone, a laptop computer, a digital broadcast receiver, a personal digital assistant (“PDA”), a portable multimedia player (“PMP”), or a navigation device, or a home appliance such as a wall mount TV, an electronic frame, or a refrigerator that is equipped with a wireless communication module.
The AP identification information is a unique identifier by which the AP apparatus can be distinguished from other AP apparatuses. For example, the AP identification information may be the unique Internet protocol (“IP”) address of the AP apparatus or the MAC address of the AP apparatus, registered in an authentication management server (not illustrated).
The AP identification information may be transmitted first to the user terminal. For example, the user terminal may acquire the AP identification information from a short-range communication module such as a radio frequency identification (“RFID”) tag disposed in a wireless network region where the AP apparatus is located, but the invention is not limited thereto. That is, the user terminal may use various other short-range communication methods, such as those involving the use of near field communication (“NFC”) codes, quick response (“QR”) codes, or barcodes. The AP identification information and the MAC address of the user terminal may be transmitted to the authentication management server, and the reception unit 50, which is included in the authentication management server, may receive the AP identification information and the MAC address of the user terminal.
In an exemplary embodiment, the user terminal may receive AP identification information present in an RFID tag, which is a type of short-range communication module, through RFID communication with the aid of an RFID receiver, and may transmit its MAC address and the AP identification information to the reception unit 50 of the authentication management server. In this exemplary embodiment, the user terminal may access the authentication management server through a predetermined web link by using an application program such as an authentication app, and the communication between the user terminal and the authentication management server may use wireless data communication or wireless local area network (“WLAN”) communication.
The verification unit 60 may determine the validity of the AP identification information and the MAC address received by the reception unit 50. In response to a determination being made that the received AP identification information and the received MAC address are valid, the verification unit 60 may transmit the received MAC address to the control unit 70. For example, a short-range communication module such as an RFID module may be provided in a wireless network region served by a first AP apparatus, and may hold first AP identification information by which the first AP apparatus can be identified. In this example, if the user terminal transmits only its MAC address to the authentication management server, without the first AP identification information, to request the use of the wireless network, the verification unit 60 may determine the request as being invalid. If the user terminal uses second AP identification information of a second AP apparatus, instead of the first AP identification information, to request authentication of access to the first AP apparatus, the verification unit 60 may determine the second AP identification information as being invalid.
For this, the verification unit 60 may store, in advance, a plurality of AP identification information and location information of a plurality of AP apparatuses managed by the authentication management server, and may verify the received AP identification information through comparison with the stored AP identification information.
The control unit 70 may communicate with each AP apparatus through a local area network (“LAN”) or the Internet. The control unit 70 may manage an IP address transmitted thereto in response to the AP apparatus being booted, in association with the AP identification information of the AP apparatus, may periodically monitor the operating status of the AP apparatus, and may thus collect and manage status information of the AP apparatus.
The control unit 70 may add the MAC address transmitted by the verification unit 60 to an authorized user terminal list including one or more user terminals that are allowed to access a wireless network. In response to receipt of an access request from the user terminal, the control unit 70 may compare the MAC address of the user terminal with the authorized user terminal list, and may control the user terminal’s access to the wireless network.
In response to the user terminal terminating its access to the wireless network, the control unit 70 may delete the MAC address of the user terminal from the authorized user terminal list, so that any later attempt to access the wireless network with the same MAC address, without being authenticated again, can be prevented.
That is, the user terminal may be connected to the wireless network simply by being positioned near a short-range communication module, such as an RFID tag, located at an arbitrary place, without the need to store a predetermined password for accessing the wireless network or to register the MAC address of the user terminal in the AP apparatus in advance.
The reception unit 50, the verification unit 60 or the control unit 70 may be disposed in various manners. In an exemplary embodiment, the reception unit 50 and the verification unit 60 may be included in the authentication management server, and the control unit 70 may be included in the AP apparatus, which is connected to the authentication management server via a network. However, the invention is not limited to this exemplary embodiment. That is, the reception unit 50, the verification unit 60 and the control unit 70 may all be included in the authentication management server, or may be physically separated from one another.
A wireless network authentication process performed by the wireless network authentication system of FIG. 1 will hereinafter be described with reference to FIGS. 2 and 3.
Referring to FIGS. 2 and 3, a user terminal 100 may receive AP identification information (S10). The AP identification information may be managed by a short-range communication module 200, which is provided in a wireless network region 80 covered by an AP apparatus 400 at a predetermined location. For example, the short-range communication module 200 may be included in the AP apparatus 400, and the presence of the user terminal 100 in the wireless network region 80 of the AP apparatus 400 may be acknowledged based on whether the user terminal 100 can near-field-communicate with the short-range communication module 200, without the aid of an authentication management server 300. The user terminal 100 may transmit its location information and the AP identification information to the authentication management server 300.
The short-range communication module 200 may include one or more short-range communication sub-modules. In an exemplary embodiment, the short-range communication module 200 may be implemented as an RFID tag or an NFC module, but the invention is not limited thereto. That is, in another exemplary embodiment, the short-range communication module 200 may perform short-range communication by using various communication methods or devices such as Bluetooth, infrared data association (“IrDA”), ZigBee, a QR code tag, or a barcode tag.
In response to receipt of the AP identification information from the short-range communication module 200, the user terminal 100 may transmit its MAC address and the AP identification information to the authentication management server 300 (S20) via an application program such as an authentication app installed therein.
The authentication management server 300 may determine the validity of the AP identification information and the MAC address of the user terminal 100 (S30). In response to a determination being made that the AP identification information and the MAC address of the user terminal 100 are valid, the authentication management server 300 may transmit the MAC address of the user terminal 100 to the AP apparatus 400 (S40). In an exemplary embodiment, the authentication management server 300 may store in advance a plurality of AP identification information of a plurality of AP apparatuses that are managed by the authentication management server 300, and may determine the validity of the AP identification information and the MAC address of the user terminal 100 by comparing the AP identification information with the plurality of AP identification information. However, the invention is not limited to this exemplary embodiment.
In response to a determination being made that the AP identification information is invalid, the authentication management server 300 may transmit an “Access Refused” message to the user terminal 100. For example, in a case in which the AP identification information belongs to an AP apparatus in a different place from that designated by the location information of the user terminal 100, or is arbitrarily generated AP identification information, the authentication management server 300 may determine the AP identification information as being invalid. In this manner, the authentication management server 300 can prevent external attacks or indiscriminate access attempts made from outside the wireless network region 80.
The AP apparatus 400 may add the MAC address of the user terminal 100, which is determined to be valid, to an authorized user terminal list (S50).
The AP apparatus 400 may notify the authentication management server 300 of the addition of the MAC address of the user terminal 100 to the authorized user terminal list (S60). The authentication management server 300 may transmit an “Access Granted” message to the user terminal 100 (S70).
In response to the user terminal 100 attempting to access the AP apparatus 400 via an application program such as an authentication app, the AP apparatus 400 may determine whether the MAC address of the user terminal 100 is included in the authorized user terminal list, and may grant the user terminal’s access to a wireless network.
In response to the user terminal 100 terminating its access to the wireless network or leaving the wireless network region 80 (S80), the AP apparatus 400 may delete the MAC address of the user terminal 100 from the authorized user terminal list (S90).
In an exemplary embodiment, the authentication management server 300 and the AP apparatus 400 may be incorporated together. That is, the user terminal 100 may transmit its MAC address and the AP identification information to the AP apparatus 400, and the AP apparatus 400 may determine the validity of the AP identification information against the AP identification information set upon being booted, and may transmit directly to the user terminal 100 information indicating whether the user terminal 100 is granted access to a wireless network. According to the exemplary embodiment of FIGS. 2 and 3, it is possible to provide a wireless network authentication system and method that is easy to maintain and is capable of strengthening security against many unspecified user terminals, without the need for the AP apparatus 400 to manage the MAC addresses of multiple user terminals or the need for the user terminal 100 to acquire and store in advance a login identifier (ID) and a password for logging on to the AP apparatus 400.
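The verification and list-management steps S10 to S90 described above, as an added example that is not part of the patent: a small Python model of verification unit 60 (validity of the AP identification information and the MAC address, including the two rejection cases given for FIG. 1 and the abnormal-status case) and of the authorized user terminal list kept by control unit 70 / AP apparatus 400. The AP registry, the location strings, the MAC addresses and all function names are constructed for the example; the patent specifies no data format for any of them.

```python
import re

# Constructed registry standing in for the AP identification and location
# information that verification unit 60 "stores in advance" (assumed format):
# AP identification -> location of the AP apparatus and its operating status.
AP_REGISTRY = {
    "ap-0001": {"location": "store-A", "status": "normal"},
    "ap-0002": {"location": "store-B", "status": "normal"},
    "ap-0003": {"location": "store-C", "status": "halted"},
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


class AuthorizedTerminalList:
    """The authorized user terminal list held by control unit 70 / AP apparatus 400."""

    def __init__(self):
        self._macs = set()

    def add(self, mac):
        self._macs.add(mac.lower())

    def remove(self, mac):
        self._macs.discard(mac.lower())

    def allows(self, mac):
        return mac.lower() in self._macs


def verify_request(ap_id, mac, terminal_location):
    """Verification unit 60 (S30): validate AP identification and MAC address.

    Returns (valid, reason). Every rejection becomes an "Access Refused" reply.
    """
    if not isinstance(mac, str) or not MAC_RE.match(mac.lower()):
        return False, "invalid MAC address"
    if not ap_id:
        return False, "missing AP identification"        # MAC sent on its own
    entry = AP_REGISTRY.get(ap_id)
    if entry is None:
        return False, "unknown AP identification"        # arbitrarily generated value
    if entry["location"] != terminal_location:
        # second AP's identification used to request access to the first AP
        return False, "AP identification does not match terminal location"
    if entry["status"] != "normal":
        return False, "AP apparatus not in normal operating status"
    return True, "valid"


def request_access(ap_lists, ap_id, mac, terminal_location):
    """S20 to S70 as seen by the server: verify, have the AP add the MAC, reply."""
    valid, reason = verify_request(ap_id, mac, terminal_location)
    if not valid:
        return "Access Refused", reason
    ap_lists[ap_id].add(mac)               # S40/S50: AP adds the MAC to its list
    return "Access Granted", reason        # S60/S70: AP confirms, server replies


def connect(ap_lists, ap_id, mac):
    """AP side of a connection attempt: grant only if the MAC is on the list."""
    return ap_lists[ap_id].allows(mac)


def terminate(ap_lists, ap_id, mac):
    """S80/S90: the MAC is deleted when the terminal disconnects or leaves."""
    ap_lists[ap_id].remove(mac)


def new_ap_lists():
    """One authorized user terminal list per registered AP apparatus."""
    return {ap_id: AuthorizedTerminalList() for ap_id in AP_REGISTRY}


if __name__ == "__main__":
    lists = new_ap_lists()
    print(request_access(lists, "ap-0001", "AA:BB:CC:DD:EE:01", "store-A"))
    print(request_access(lists, "ap-0002", "AA:BB:CC:DD:EE:01", "store-A"))
    print(connect(lists, "ap-0001", "aa:bb:cc:dd:ee:01"))
    terminate(lists, "ap-0001", "aa:bb:cc:dd:ee:01")
    print(connect(lists, "ap-0001", "aa:bb:cc:dd:ee:01"))
```

The location check is what turns a read-only tag into a proof of presence: an AP identification value copied from a tag elsewhere is refused because it does not match the location the terminal reports, and a halted AP is refused before its list is touched. The list is keyed only by MAC address, exactly as the embodiment describes, which is why the deletion in S90 matters: an entry that outlived the session would let the same MAC reconnect without passing verification again.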
FIG. 4 is a schematic diagram illustrating a WLAN system according to an exemplary embodiment of the invention. Referring to FIG. 4, the WLAN system performs wireless communication 20 with the use of a communication channel connected between a user terminal 100 and an AP apparatus 400. The user terminal 100 transmits a Wi-Fi connection request and AP identification information to an authentication management server 300 to be connected to a wireless network.
The user terminal 100 may acquire the AP identification information from an RFID tag 200, which is located at an arbitrary place within the wireless network region covered by the AP apparatus 400, and the AP identification information may be a unique IP address of the AP apparatus 400 or information registered in the authentication management server 300 regarding the AP apparatus 400.
The user terminal 100 acquires the AP identification information from the RFID tag 200 via RFID communication 10 with the aid of an RFID receiver embedded therein, and transmits its MAC address and the acquired AP identification information to the authentication management server 300. The user terminal 100 may access the authentication management server 300 through a predetermined web link by using an authentication app, and the wireless communication 20 between the user terminal 100 and the authentication management server 300 may be wireless data communication or WLAN communication.
The authentication management server 300 may manage AP identification information of at least one AP apparatus 400, and may store and manage an IP address transmitted thereto in response to the AP apparatus 400 being booted, in association with the AP identification information of the AP apparatus 400.
The authentication management server 300 may periodically monitor the operating status of the AP apparatus 400, and may thus collect and manage status information of the AP apparatus 400. In a case in which an AP apparatus 400 corresponding to the AP identification information transmitted by the user terminal 100 is in an abnormal state or a halt state, the authentication management server 300 may return an “Access Refused” message to the user terminal 100.
The authentication management server 300 may determine the validity of the AP identification information transmitted by the user terminal 100, and may generate a login ID and a password for logging on to the AP apparatus 400 and provide the ID and the password to the user terminal 100 in response to a determination being made that the AP identification information transmitted by the user terminal 100 is valid. The ID and the password may also be transmitted to the AP apparatus 400. The AP apparatus 400 may use the ID and the password to authenticate the user terminal 100.
Accordingly, the user terminal 100 may be connected to a wireless network simply by being placed near the RFID tag 200 without the need to store and manage the ID and password in the user terminal 100 or to register the MAC address of the user terminal 100 in the AP apparatus 400 in advance.
The authentication management server 300 may manage AP identification information and public IP information of at least one AP apparatus 400.
The structures of the user terminal 100, the authentication management server 300 and the AP apparatus 400 will hereinafter be described with reference to FIGS. 5 and 6.
FIG. 5 is a block diagram illustrating a user terminal according to an exemplary embodiment of the invention.
Referring to FIG. 5, a user terminal 100 includes a short-range communication unit 110, a memory unit 120, a control unit 130 and a wireless communication unit 140.
The short-range communication unit 110 includes one or more short-range communication modules. The short-range communication unit 110 may include an RFID reception module 112, an NFC module 114 and may also include another short-range communication module having the same functions as, or at least similar functions to, those of the RFID reception module 112 and the NFC module 114, such as a Bluetooth communication module, an IrDA communication module, an ultra wide-band (“UWB”) communication module or a ZigBee communication module. The RFID reception module 112 and the NFC module 114 may be incorporated into a single module. For convenience, it is assumed that the RFID reception module 112 and the NFC module 114 are implemented as separate modules.
The RFID reception module 112 acquires the AP identification information of the AP apparatus from the RFID tag, which is located at an arbitrary place.
More specifically, the RFID reception module 112 transmits a radio frequency (“RF”) carrier signal and energy to the RFID tag 200 via a designated frequency band, and the RFID tag 200 may modulate the phase or amplitude of the RF carrier signal and may thus return AP identification information present in a tag therein to the RFID reception module 112. The modulated RF carrier signal may be demodulated by the RFID reception module 112, and may then be stored in the memory unit 120.
The AP identification information of the AP apparatus 400 may be acquired from various tagging means, other than the RFID tag 200, such as, for example, a QR code tag, a barcode tag, an NFC tag or another storage tag with similar functions to those of the RFID tag 200. In this example, the user terminal 100 may be equipped with a QR code reader (not illustrated), instead of the RFID reception module 112, or may use the NFC module 114 to acquire the AP identification information of the AP apparatus 400.
The AP identification information acquired by the RFID reception module 112 is stored in the memory unit 120. More specifically, the AP identification information acquired by the RFID reception module 112 may be stored in association with a login ID and a password generated by the control unit 130 and a MAC address provided along with the ID and the password.
An authentication app 122, which can be executed in the user terminal 100, may be stored in the memory unit 120. More specifically, the authentication app 122 may be loaded from the memory unit 120 and executed, and may handle a series of processes such as allowing the RFID reception module 112 to acquire AP identification information, transmitting the AP identification information to the authentication management server 300, acquiring a login ID and a password in return from the authentication management server 300, and sending a Wi-Fi connection request to the AP apparatus 400.
The control unit 130 controls the execution of the authentication app 122, and also controls the general operation of the user terminal 100.
The control unit 130 accesses the authentication management server 300 via a web link, provides AP identification information and the MAC address of the user terminal 100 to the authentication management server 300, and requests authentication information for a Wi-Fi connection to the AP apparatus 400. The control unit 130 transmits a request for access to the AP apparatus 400 by using a login ID and a password transmitted thereto from the authentication management server 300.
The wireless communication unit 140 performs wireless communication with the AP apparatus 400, and may include a baseband processor for communication control, a transceiver, a power amplifier and an antenna. The wireless communication unit 140 may be used to transmit AP identification information and the MAC address of the user terminal 100 to the authentication management server 300. In an exemplary embodiment, wireless data communication provided by a communication service provider, may be used instead of the wireless communication unit 140. The wireless communication unit 140 may receive a login ID and a password from the authentication management server 300 and may transmit the received ID and password to the control unit 130.
FIG. 6 is a block diagram illustrating an AP apparatus and an authentication management server, according to an exemplary embodiment of the invention. Referring to FIG. 6, the authentication management server 300 includes a control unit 310, an AP management unit 320, a storage unit 330, a LAN port 340 and a wireless communication unit 350, and the AP apparatus 400 includes a control unit 410, a LAN port 420 and a wireless communication unit 430.
Referring to the authentication management server 300, the control unit 310 determines the validity of AP identification information received from the user terminal. In response to a determination being made that the received AP identification information is valid, the control unit 310 generates a login ID and a password to be provided to the user terminal 100. The login ID and the password are returned to the user terminal 100. The password to be provided to the user terminal 100 may be randomly generated by using various information relating to the user terminal 100. For example, the control unit 310 may generate a password based on data obtained by subjecting the MAC address of the user terminal 100, the login ID to be provided to the user terminal 100, and AP identification information of the AP apparatus 400 to a hash process.
The control unit 310 may store the MAC address received from the user terminal 100, along with the received AP identification information and the generated login ID and password, in the storage unit 330, and may control the transmission of the received MAC address to the AP apparatus 400.
The control unit 310 may determine the location of the user terminal 100 based on the received AP identification information, may select advertisement data or a discount coupon from the storage unit 330 based on the determined location of the user terminal 100, and may control the selected advertisement data or a discount coupon to be transmitted to the user terminal 100 along with a login ID.
The AP management unit 320 may manage information relating to the AP apparatus 400 to be managed.
The AP management unit 320 registers the AP identification information of the AP apparatus 400 so that the AP apparatus 400 can be identified by the registered AP identification information. The AP identification information of the AP apparatus 400 may be a unique value that can represent the AP apparatus 400, such as the MAC address, the public IP address or the unique serial number of the AP apparatus 400.
The AP management unit 320 may communicate with the AP apparatus 400 via a LAN or the Internet. The AP management unit 320 may associate an IP address transmitted thereto in response to the AP apparatus 400 being booted, with the AP identification information of the AP apparatus 400 so as to manage the AP identification information of the AP apparatus 400. The AP management unit 320 may periodically monitor the operating status of the AP apparatus 400, and may thus collect and manage status information of the AP apparatus 400.
The AP management unit 320 may manage information relating to a place or store where the AP apparatus 400 is installed, together with the AP identification information of the AP apparatus 400. As a result, the authentication management server 300 can easily identify and choose advertisement data or a discount coupon corresponding to the AP identification information of the AP apparatus 400, which is received from the user terminal 100.
The storage unit 330 stores the AP identification information and the IP address of the AP apparatus 400, the MAC address of the user terminal 100, which has sent an authentication request, and authentication information such as the login ID and password generated by the control unit 310. The AP management unit 320 deletes the login ID and password allocated to the user terminal 100 and the MAC address of the user terminal 100 from the storage unit 330 upon being notified of the termination of a Wi-Fi connection from the AP apparatus 400 to the user terminal 100.
The authentication management server 300 may transmit data to or receive data from the user terminal 100 or the AP apparatus 400 through the Internet or a LAN. For this, the authentication management server 300 uses the LAN port 340, which is for accessing a wired network, and the wireless communication unit 350, which is for accessing a wireless network. The wireless communication unit 350 may include a baseband processor, a transceiver, a power amplifier, an antenna, etc., for wireless communication.
Referring to the AP apparatus 400, the control unit 410 sets the MAC address of the user terminal 100 and a login ID and a password for accessing the AP apparatus 400 in an authorized user terminal list, which is included in Wi-Fi communication setting information. In response to receipt of an access request made by the user terminal 100 with the use of the set login ID and password, the control unit 410 determines whether the user terminal 100 is included in the authorized user terminal list, and grants the user terminal’s Wi-Fi connection to the AP apparatus 400.
In response to the user terminal 100’s Wi-Fi connection to the AP apparatus 400 being terminated, the control unit 410 may delete the MAC address of the user terminal 100 and the set login ID and password from the authorized user terminal list.
For data communication with the authentication management server 300, the LAN port 420 or the wireless communication unit 430 may be used as a communication interface.
An access authentication process performed by a WLAN system will hereinafter be described. FIG. 7 is a signal flowchart illustrating a method of authorizing a user terminal’s access, as performed by a WLAN system, according to an exemplary embodiment of the invention.
Referring to FIG. 7, the authentication app 122 is executed in a user terminal 100 to authorize the user terminal 100’s Wi-Fi connection (S100). With the use of the authentication app 122, AP identification information of an AP apparatus 400 that the user terminal 100 wishes to access is acquired (S102) by tagging a tagging means such as, for example, an RFID tag located near the user terminal 100.
The user terminal 100 transmits the acquired AP identification information and its MAC address to an authentication management server 300 (S104).
The AP apparatus 400 transmits its public IP address to the authentication management server 300 (S106) upon being booted. The authentication management server 300 stores the public IP address transmitted by the AP apparatus 400 in association with the AP identification information of the AP apparatus 400 (S108).
The authentication management server 300 determines the validity of the AP identification information received from the user terminal 100 and the operating status of the AP apparatus 400. In response to a determination being made that the received AP identification information is valid, the authentication management server 300 generates a login ID and a password to be provided to the user terminal 100 (S112). On the other hand, in response to a determination being made that the received AP identification information is invalid (S116) or that the AP apparatus 400 is not in a normal operating status (S110), the authentication management server 300 returns an “Access Refused” message to the user terminal 100 (S114).
The authentication management server 300 transmits the generated login ID and password and the MAC address of the user terminal 100 to the AP apparatus 400 (S118). The AP apparatus 400 adds the login ID, password and MAC address received from the authentication management server 300 to an authorized user terminal list, which is included in Wi-Fi communication setting information (S120). In response to receipt of information from the AP apparatus 400 indicating that the generated login ID and password and the MAC address of the user terminal 100 have all been properly set, the authentication management server 300 returns the generated login ID and password to the user terminal (S124).
The user terminal 100 receives the login ID and password transmitted by the authentication management server 300 (S126) and attempts to Wi-Fi connect to the AP apparatus 400 with the use of the received login ID and password (S128). If the user terminal 100’s attempt to access the AP apparatus 400 is determined to be invalid due to, for example, the input of a wrong or expired login ID, an “Access Refused” message is displayed to the user terminal 100 via the authentication app 122 (S130).
The AP apparatus 400 receives a Wi-Fi connection request from the user terminal 100, compares the MAC address of the user terminal 100 with the authorized user terminal list, and grants the user terminal 100’s Wi-Fi connection thereto in response to there being a match for the MAC address of the user terminal 100 in the authorized user terminal list (S132 and S133).
In response to the Wi-Fi connection between the user terminal 100 and the AP apparatus 400 being terminated (S134 and S135), the access information, i.e., the login ID and password for accessing the AP apparatus 400, is automatically deleted from the user terminal 100 and the AP apparatus 400, respectively (S136 and S137). The AP apparatus 400 notifies the authentication management server 300 of the termination of the Wi-Fi connection between the user terminal 100 and the AP apparatus 400, and the login ID and password for accessing the AP apparatus 400 are also deleted from the authentication management server 300 (S138).
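The per-session credential generation described for control unit 310 (a password derived by hashing the MAC address, the login ID and the AP identification information) together with the FIG. 7 exchange from S112 to S138, as an added Python example that is not the patent's code. The server key, the class and function names, the login ID format and the sample MAC addresses are assumptions. In particular, the page does not mention a server-held secret; this example keys the hash with one, because a plain hash of three values the terminal itself supplies could be recomputed by anyone who learns them, which would defeat the purpose of sending the password back over a separate channel.

```python
import hashlib
import hmac
import secrets

# Assumption: the authentication management server holds a secret key that
# enters the hash. The patent only names the MAC address, login ID and AP
# identification as hash inputs. The key is generated fresh for this example.
SERVER_KEY = secrets.token_bytes(32)


def derive_password(mac, login_id, ap_id, key=SERVER_KEY):
    """Control unit 310: password from a keyed hash of MAC, login ID and AP id."""
    msg = "|".join((mac.lower(), login_id, ap_id)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:20]


def generate_credentials(mac, ap_id, key=SERVER_KEY):
    """S112: a fresh login ID plus the derived password for this one session."""
    login_id = "t-" + secrets.token_hex(4)
    return login_id, derive_password(mac, login_id, ap_id, key)


class ApApparatus:
    """AP apparatus 400: authorized user terminal list holding MAC, ID and password."""

    def __init__(self, ap_id):
        self.ap_id = ap_id
        self._authorized = {}                 # mac -> (login_id, password)

    def set_credentials(self, mac, login_id, password):
        """S120: add the triple to the list; True confirms it was properly set."""
        self._authorized[mac.lower()] = (login_id, password)
        return True

    def connect(self, mac, login_id, password):
        """S128 to S133: the connecting MAC must be listed with matching ID/password."""
        entry = self._authorized.get(mac.lower())
        if entry is None:
            return False
        expected_id, expected_pw = entry
        return (hmac.compare_digest(expected_id, login_id)
                and hmac.compare_digest(expected_pw, password))

    def terminate(self, mac):
        """S135/S137: the credentials are deleted when the connection ends."""
        self._authorized.pop(mac.lower(), None)


class AuthServer:
    """Authentication management server 300 (control unit 310 plus storage unit 330)."""

    def __init__(self, aps):
        self.aps = {ap.ap_id: ap for ap in aps}
        self.sessions = {}                    # mac -> (ap_id, login_id, password)

    def request(self, ap_id, mac):
        """S104 to S124: verify the AP id, issue credentials, set them on the AP."""
        ap = self.aps.get(ap_id)
        if ap is None:                        # S116 -> S114
            return "Access Refused", None
        login_id, password = generate_credentials(mac, ap_id)
        if not ap.set_credentials(mac, login_id, password):     # S118/S120
            return "Access Refused", None
        self.sessions[mac.lower()] = (ap_id, login_id, password)
        return "Access Granted", (login_id, password)           # S124

    def notify_termination(self, ap_id, mac):
        """S138: AP reports termination; server and AP both forget the session."""
        self.aps[ap_id].terminate(mac)
        self.sessions.pop(mac.lower(), None)


if __name__ == "__main__":
    ap = ApApparatus("ap-0001")
    server = AuthServer([ap])
    status, creds = server.request("ap-0001", "AA:BB:CC:DD:EE:01")
    print(status, creds)
    print(ap.connect("aa:bb:cc:dd:ee:01", *creds))
    server.notify_termination("ap-0001", "aa:bb:cc:dd:ee:01")
    print(ap.connect("aa:bb:cc:dd:ee:01", *creds))
```

Two details worth keeping when implementing this flow: the AP checks the credentials with a constant-time comparison, and the credentials are returned to the terminal only after the AP has confirmed it set them (S124 follows S120), so a terminal can never hold a login ID and password that the AP does not yet know. The password is bound to the AP identification as well as to the MAC address, so a password issued for one AP apparatus is not valid on another.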
According to the exemplary embodiment of FIG. 7, wireless communication authentication with improved security against many unspecified user terminals and with facilitated maintenance can be provided without the need for an AP apparatus to manage the MAC addresses of multiple user terminals or for each user terminal to acquire or store in advance a login ID and a password for accessing an AP apparatus.
FIG. 8 is a block diagram illustrating a WLAN system according to another exemplary embodiment of the invention. Referring to FIG. 8, the WLAN system performs wireless communication 20 with the use of a communication channel connected between a user terminal 100 and an AP apparatus 400. The user terminal 100 transmits a Wi-Fi connection request and AP identification information to the AP apparatus 400 to be connected to a wireless network.
The user terminal 100 may acquire the AP identification information from an RFID tag 200, which is located at an arbitrary place within the wireless network region to which the AP apparatus 400 belongs, and the AP identification information may be a unique IP address of the AP apparatus 400.
In an exemplary embodiment, the RFID tag 200 may be provided in the AP apparatus 400. That is, the RFID tag 200 may be attached onto, for example, the housing of the AP apparatus 400.
The user terminal 100 acquires the AP identification information from the RFID tag 200 via RFID communication 10 with the aid of an RFID receiver embedded therein, accesses the AP apparatus 400 with the use of the acquired AP identification information, and transmits its MAC address and the acquired AP identification information to the AP apparatus 400.
In an exemplary embodiment, the user terminal 100 may use a mobile communication module embedded therein to transmit its MAC address and the acquired AP identification information to the AP apparatus 400. For example, the RFID tag 200 may include access information for accessing the AP apparatus 400, and the user terminal 100 may transmit its MAC address and the acquired AP identification information to a server module embedded in the AP apparatus 400, by using that access information. In this exemplary embodiment, the user terminal 100 is connected to the Internet via the mobile communication module, and thus accesses the AP apparatus 400 via the Internet, rather than transmitting its MAC address and the acquired AP identification information to the AP apparatus 400 via Wi-Fi. The mobile communication module may support, for example, the third generation (3G) or fourth generation (4G) communications standard.
In an alternative exemplary embodiment, the user terminal 100 may use an NFC module, instead of the mobile communication module, to transmit its MAC address and the acquired AP identification information to the AP apparatus 400. In this exemplary embodiment, the NFC module may generate an RF field and may use the RF field to transmit the MAC address of the user terminal 100 and the acquired AP identification information to an NFC module (not illustrated) of the AP apparatus 400. The NFC module of the AP apparatus 400 may also generate an RF field and may use the RF field to transmit a login ID and a password to the NFC module of the user terminal 100.
The AP apparatus 400 determines the validity of the AP identification information received from the user terminal 100. In response to a determination being made that the received AP identification information is valid, the AP apparatus 400 generates a login ID and a password for accessing the AP apparatus 400 and provides them to the user terminal 100.
Accordingly, the user terminal 100 may be connected to a wireless network simply by being placed near the RFID tag 200, without the need to store and manage the ID and password for accessing the AP apparatus 400 in the user terminal 100 or to register the MAC address of the user terminal 100 in the AP apparatus 400.
FIG. 9 is a block diagram illustrating an AP apparatus according to another exemplary embodiment of the invention. Referring to FIG. 9, an AP apparatus 400 includes a control unit 410, a LAN port 420, a wireless communication unit 430 and a storage unit 440.
The control unit 410 determines the validity of AP identification information received from a user terminal 100. In response to a determination being made that the received AP identification information is valid, the control unit 410 generates a login ID and a password to be provided to the user terminal 100 via the wireless communication unit 430 or an NFC module (not illustrated). The login ID and the password are returned to the user terminal 100. The password to be provided to the user terminal 100 may be generated based on data obtained by subjecting the MAC address of the user terminal 100 or the login ID to be provided to the user terminal 100 to a hash process.
The control unit 410 stores the MAC address received from the user terminal 100, along with the received AP identification information and the generated login ID and password, in the storage unit 440, and sets the received MAC address and the generated login ID and password in an authorized user terminal list, which is included in Wi-Fi communication setting information.
In response to receipt of an access request made by the user terminal 100 with the use of the login ID and password generated by the control unit 410, the control unit 410 determines whether the user terminal 100 is included in the authorized user terminal list, and grants the user terminal’s Wi-Fi connection to the AP apparatus 400.
The LAN port 420, which is a wired LAN interface, may serve as a communication channel for a user terminal attempting to access the AP apparatus 400 in a wired manner, and an RJ-45 cable may be used to connect the user terminal and the AP apparatus 400.
The wireless communication unit 430 performs wireless communication with the user terminal 100, and includes a baseband processor, a transceiver, a power amplifier, an antenna, etc., for wireless communication. The wireless communication unit 430 receives AP identification information and a MAC address from the user terminal 100, and transmits the login ID and password generated by the control unit 410 to the user terminal 100.
The storage unit 440 stores and manages the MAC address received from the user terminal 100 and access information such as the login ID and password generated by the control unit 410. In response to the Wi-Fi connection between the user terminal 100 and the AP apparatus 400 being terminated, the storage unit 440 deletes the login ID and password allocated to the user terminal 100, and the corresponding login ID and password may also be deleted from the authorized user terminal list.
An access authorization process performed between the AP apparatus 400 and the user terminal 100 will hereinafter be described in detail. FIG. 10 is a signal flowchart illustrating a method of authorizing a user terminal’s access, as performed by an AP apparatus, according to an exemplary embodiment of the invention.
Referring to FIG. 10, an authentication app 122 is run in a user terminal 100 for authorizing the user terminal 100’s Wi-Fi connection (S100). AP identification information of an AP apparatus 400 that the user terminal 100 wishes to access is acquired (S102) by tagging to a tagging means such as, for example, an RFID tag or a QR code tag located near the user terminal 100, with the use of the authentication app 122.
The user terminal 100 accesses the AP apparatus 400 with the use of the acquired AP identification information and transmits the acquired AP identification information and its MAC address to the AP apparatus 400 (S104).
The AP apparatus 400 determines the validity of the AP identification information received from the user terminal 100 (S106). In response to a determination being made that the received AP identification information is valid, the AP apparatus 400 generates a login ID and a password to be provided to the user terminal 100 (S108). In response to a determination being made that the received AP identification information is invalid, the AP apparatus 400 returns an “Access Refused” message to the user terminal 100 (S110).
The AP apparatus 400 adds the generated login ID and password to an authorized user terminal list, which is included in Wi-Fi communication setting information, in association with the MAC address of the user terminal 100 (S112), and returns the generated login ID and password to the user terminal 100 (S114).
The user terminal 100 receives the login ID and password generated by the AP apparatus 400 and attempts to Wi-Fi connect to the AP apparatus 400 with the use of the received login ID and password (S116 and S118). If the user terminal 100’s attempt to access the AP apparatus 400 is determined to be invalid due to, for example, the input of a wrong or expired login ID, an “Access Refused” message is displayed to the user terminal 100 via the authentication app 122 (S120).
The AP apparatus 400 receives a Wi-Fi connection request from the user terminal 100, determines the validity of the login ID and password input thereto by the user terminal 100, compares the MAC address of the user terminal 100 with the authorized user terminal list, and grants the user terminal 100’s Wi-Fi connection thereto in response to there being a match for the MAC address of the user terminal 100 in the authorized user terminal list (S122 and S123).
In response to the Wi-Fi connection between the user terminal 100 and the AP apparatus 400 being terminated (S124 and S125), the authentication information present in the user terminal 100 and the AP apparatus 400, i.e., the login ID and password for accessing the AP apparatus 400, is automatically deleted from each of them (S126 and S127).
According to the exemplary embodiment of FIG. 10, wireless communication authentication with improved security against many unspecified user terminals and with facilitated maintenance can be provided without the need for an AP apparatus to manage the MAC addresses of multiple user terminals or for each user terminal to acquire or store in advance a login ID and a password for accessing an AP apparatus.
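The AP-side checks of FIG. 9 and FIG. 10 and the server-mediated variant of FIG. 7 (steps S118 to S138 above), modelled as an added Python example that is not the patent's or Strix's code. The keyed HMAC derivation of the password, the random login ID, the class and function names and the sample MAC addresses are assumptions made here; the patent itself only specifies "a hash process" over the MAC address or login ID.

```python
"""Model of the tag-based onboarding flow of FIG. 10 (AP issues the credential)
and FIG. 7 (authentication management server issues it and pushes it to the AP).
Added example, not the patent's code. Assumptions: the AP identification
information is an opaque string read from the tag, the login ID is random, the
password is an HMAC over (MAC, login ID) under a key held by the issuer, and
transport is modelled as direct method calls."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Credential = Tuple[str, str]  # (login ID, password)


def derive_password(key: bytes, mac: str, login_id: str) -> str:
    """Keyed hash over MAC and login ID (assumption: HMAC-SHA256). An unkeyed
    hash of the MAC alone would be predictable to anyone who can see the MAC."""
    msg = f"{mac.lower()}|{login_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


@dataclass
class ApApparatus:
    """AP apparatus 400: control unit 410 logic plus storage unit 440."""
    ap_id: str                  # AP identification information carried by the tag
    key: bytes                  # key for the password hash (assumption)
    authorized: Dict[str, Credential] = field(default_factory=dict)  # MAC -> cred

    def check_ap_identification(self, received_ap_id: str) -> bool:
        """S106: validity of the AP identification information sent by the terminal."""
        return hmac.compare_digest(received_ap_id.encode(), self.ap_id.encode())

    def issue_credentials(self, received_ap_id: str, mac: str) -> Optional[Credential]:
        """S106-S114: validate, generate login ID and password, add them to the
        authorized user terminal list. None is the "Access Refused" branch (S110)."""
        if not self.check_ap_identification(received_ap_id):
            return None
        login_id = secrets.token_hex(8)
        cred = (login_id, derive_password(self.key, mac, login_id))
        self.set_authorized(mac, cred)
        return cred

    def set_authorized(self, mac: str, cred: Credential) -> bool:
        """S112 (FIG. 10) / S120 (FIG. 7): entry in the authorized user terminal
        list. True stands for the setting-completion message sent to the server."""
        self.authorized[mac.lower()] = cred
        return True

    def connect(self, mac: str, login_id: str, password: str) -> bool:
        """S122/S123: grant the Wi-Fi connection only if the login ID and password
        are valid AND the requesting MAC is the one they were issued for."""
        entry = self.authorized.get(mac.lower())
        if entry is None:
            return False
        return (hmac.compare_digest(entry[0].encode(), login_id.encode())
                and hmac.compare_digest(entry[1].encode(), password.encode()))

    def disconnect(self, mac: str) -> None:
        """S125/S127: on termination the credential is deleted from the storage
        unit and the authorized list, so it cannot be reused later."""
        self.authorized.pop(mac.lower(), None)


@dataclass
class AuthManagementServer:
    """Server 300 of FIG. 7: checks the tag data against its AP management table,
    generates the credential, pushes it to the AP (S118/S120) and returns it to
    the terminal only after the AP confirms the setting (S124)."""
    aps: Dict[str, ApApparatus]  # AP identification information -> AP apparatus
    key: bytes

    def issue_credentials(self, received_ap_id: str, mac: str) -> Optional[Credential]:
        ap = self.aps.get(received_ap_id)
        if ap is None:
            return None             # unknown AP identification information
        login_id = secrets.token_hex(8)
        cred = (login_id, derive_password(self.key, mac, login_id))
        return cred if ap.set_authorized(mac, cred) else None


def onboard_and_connect(ap: ApApparatus, tag_ap_id: str, mac: str,
                        server: Optional[AuthManagementServer] = None) -> bool:
    """Terminal side: read the tag (S102), send AP identification information and
    MAC to the issuer (S104), then request the Wi-Fi connection with the returned
    login ID and password (S118). With a server this is the FIG. 7 flow."""
    issuer = server if server is not None else ap
    cred = issuer.issue_credentials(tag_ap_id, mac)
    if cred is None:
        return False                # app shows "Access Refused" (S110/S120)
    return ap.connect(mac, *cred)
```

The MAC binding in `connect` is only as strong as the link layer's MAC identity, so the per-connection deletion in `disconnect` is what keeps a captured credential from being reused afterwards.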
This invention, explained with reference to FIGS. 1-10, may be implemented by using computer readable code on a non-transitory machine-readable medium. For example, a computer program product comprising a non-transitory machine-readable medium storing instructions that, when executed by at least one programmable processor, cause the at least one programmable processor to perform operations comprising may be provided for the implementation of this invention.
The foregoing is illustrative of the present invention and is not to be construed as limiting thereof. Although a few embodiments of the present invention have been described, those skilled in the art will readily appreciate that many modifications are possible in the embodiments without materially departing from the novel teachings and advantages of the present invention. Accordingly, all such modifications are intended to be included within the scope of the present invention as defined in the claims. Therefore, it is to be understood that the foregoing is illustrative of the present invention and is not to be construed as limited to the specific embodiments disclosed, and that modifications to the disclosed embodiments, as well as other embodiments, are intended to be included within the scope of the appended claims. The present invention is defined by the following claims, with equivalents of the claims to be included therein.

Claims (17)

1. A wireless network authentication system, comprising:
a short-range communication module configured to manage access point (“AP”) identification information and transmit the AP identification information to a user terminal via short-range communication;
a reception unit configured to receive, from the user terminal, AP identification information received by the user terminal and a medium access control (“MAC”) address of the user terminal;
a verification unit configured to determine validity of the received AP identification information and the received MAC address; and
a control unit configured to add the received MAC address to an authorized user terminal list and thus to control the user terminal’s access to a wireless network.
2. The wireless network authentication system of claim 1, wherein the control unit is further configured to delete the received MAC address from the authorized user terminal list, in response to the terminal terminating its access to the wireless network.
3. The wireless network authentication system of claim 1, wherein the short-range communication module is disposed in a wireless network region provided by an AP apparatus corresponding to the received AP identification information.
4. An access point apparatus, comprising:
a wireless communication unit configured to receive a MAC address of a user terminal from the user terminal, and AP identification information acquired by tagging between a user terminal and tagging means; and
a control unit configured to generate a login identifier (“ID”) and a password based on validity of the received AP identification information, return the generated login ID and password to the user terminal, and set the generated login ID and password and the received MAC address in an authorized user terminal list,
wherein the control unit is further configured to grant the user terminal’s Wi-Fi connection to the access point apparatus in response to receipt of a Wi-Fi connection request made by the user terminal with the use of the generated login ID and password.
5. The access point apparatus of claim 4, further comprising:
a storage unit configured to store the generated login ID and password,
wherein the control unit is further configured to delete the login ID and password stored in the storage unit in response to the user terminal’s Wi-Fi connection to the AP apparatus being terminated.
6. The access point apparatus of claim 4, wherein the control unit is further configured to generate a password based on data obtained by subjecting the received MAC address and the generated login ID to a hash process.
7. A user terminal performing access authentication with an AP apparatus, the user terminal comprising:
a short-range communication unit configured to acquire AP identification information of the AP apparatus by tagging to a tagging means;
a wireless communication unit configured to transmit the acquired AP identification information to the AP apparatus and receive a login ID and a password generated by the AP apparatus in response to the transmitting; and
a control unit configured to transmit an access request to the AP apparatus with the use of the received login ID and password,
wherein the received login ID and password are generated based on validity of the acquired AP identification information.
8. The user terminal of claim 7, further comprising:
a memory unit configured to store the received login ID and password,
wherein the control unit is further configured to delete the received login ID and password from the memory unit in response to a Wi-Fi connection between the user terminal and the AP apparatus being terminated.
9. The user terminal of claim 8, wherein the received password is generated based on at least one of a MAC address of the user terminal and the received login ID.
10. A method of authenticating a user terminal’s access to an AP apparatus, the method comprising:
acquiring AP identification information of the AP apparatus by tagging to a tagging means;
transmitting the acquired AP identification information to the AP apparatus and receiving a login ID and a password generated by the AP apparatus in return; and
transmitting an access request to the AP apparatus with the use of the received login ID and password,
wherein the received login ID and password are generated based on validity of the acquired AP identification information.
11. A wireless local area network (“WLAN”) system performing authentication of a user terminal, the WLAN system comprising:
an authentication management server configured to receive AP identification information acquired by the user terminal by tagging to a tagging means and a MAC address of the user terminal from the user terminal and generate a login ID and a password based on validity of the received AP identification information; and
an AP apparatus configured to receive the login ID, the password and the MAC address from the authentication management server and set the received login ID, password and MAC address in an authorized user terminal list and to grant the user terminal’s Wi-Fi connection thereto in response to receipt of a Wi-Fi connection request made by the user terminal with the use of the received login ID and password.
12. The WLAN system of claim 11, wherein the AP apparatus is further configured to delete the received login ID and password from the authorized user terminal list in response to the user terminal’s Wi-Fi connection thereto being terminated.
13. An authentication management server managing authentication of access to an AP apparatus, the authentication management server comprising:
an AP management unit configured to manage AP identification information and an IP address of at least one AP apparatus; and
a control unit configured to determine validity of AP identification information received from a user terminal through comparison with the AP identification information present in the AP management unit and to generate a login ID and a password and transmit the generated login ID and password to an AP apparatus corresponding to the received AP identification information in response to a determination being made that the received AP identification information is valid,
wherein the control unit is further configured to return the generated login ID and password to the user terminal and the received AP identification information is AP identification information acquired by the user terminal by tagging to a tagging means.
14. The authentication management server of claim 13, wherein the control unit is further configured to transmit a MAC address of the user terminal to the AP apparatus corresponding to the received AP identification information and to return the generated login ID and password to the user terminal in response to receipt of a setting completion message from the AP apparatus corresponding to the received AP identification information.
15. The authentication management server of claim 13, wherein the AP management unit is further configured to delete the generated login ID and password in response to receipt of a Wi-Fi connection termination message from the AP apparatus corresponding to the received AP identification information, indicating that the user terminal’s Wi-Fi connection to the AP apparatus corresponding to the received identification information is terminated.
16. A user terminal performing access authentication with an AP apparatus, the user terminal comprising:
a short-range communication unit configured to acquire AP identification information of the AP apparatus by tagging to a tagging means;
a wireless communication unit configured to transmit a MAC address of the user terminal and the acquired AP identification information to an authentication management server and receive a login ID and a password generated by the authentication management server in return; and
a control unit configured to transmit an access request to the AP apparatus with the use of the received login ID and password,
wherein the received login ID and password and the MAC address are transmitted from the authentication management server to the AP apparatus and are then set in an authorized user terminal list of the AP apparatus.
17. The user terminal of claim 16, wherein the wireless communication unit is further configured to receive advertisement data or a discount coupon corresponding to a location of the AP apparatus along with the login ID generated by the authentication management server.
PCT/KR2014/004504 2013-05-24 2014-05-20 User terminal authentication method of access point apparatus WO2014189262A1 (en)

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
KR10-2013-0059002 2013-05-24
KR20130059003A KR101487349B1 (en) 2013-05-24 2013-05-24 Terminal Authentication Method in Wireless Access Point and Wireless LAN System using the same
KR20130059002A KR101487348B1 (en) 2013-05-24 2013-05-24 Terminal Authenticatication Method in Wireless Access Point and Wireless AP using the same
KR10-2013-0059003 2013-05-24
KR10-2013-0140628 2013-11-19
KR1020130140628A KR101401329B1 (en) 2013-11-19 2013-11-19 System and method for wireless network access authentication

Publications (1)

Publication Number Publication Date
WO2014189262A1 true WO2014189262A1 (en) 2014-11-27

Family

ID=51933770

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2014/004504 WO2014189262A1 (en) 2013-05-24 2014-05-20 User terminal authentication method of access point apparatus

Country Status (2)

Country Link
TW (1) TW201503655A (en)
WO (1) WO2014189262A1 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105898747A (en) * 2016-05-13 2016-08-24 中科创达软件科技(深圳)有限公司 Wireless network security authentication method and device and wireless network access method and device
EP3099093A1 (en) * 2015-05-28 2016-11-30 Orange Method for controlling access to a service
CN106604276A (en) * 2016-11-30 2017-04-26 深圳众思科技有限公司 Wireless local area network access method and wireless local area network access device
CN106789848A (en) * 2015-11-23 2017-05-31 阿里巴巴集团控股有限公司 A kind of user key storage method and server
CN107567025A (en) * 2017-09-14 2018-01-09 宁波大红鹰学院 WLAN accesses management system and method based on stored value card consumption mode
CN108282472A (en) * 2018-01-16 2018-07-13 上海众人网络安全技术有限公司 A kind of WIFI authentication methods, device, server and storage medium
CN111314917A (en) * 2020-02-22 2020-06-19 深圳市天和通信有限公司 Method for controlling wireless terminal access and wireless access point
CN111917736A (en) * 2020-07-13 2020-11-10 海南车智易通信息技术有限公司 Network security management method, computing device and readable storage medium
US10965672B2 (en) 2018-04-13 2021-03-30 At&T Intellectual Property I, L.P. Network service control for access to wireless radio networks
US20210243603A1 (en) * 2019-01-11 2021-08-05 Tencent Technology (Shenzhen) Company Limited Wireless network access method, apparatus, device, equipment and system

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7259334B2 (en) * 2019-01-09 2023-04-18 ブラザー工業株式会社 Terminal and computer program for terminal

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20110013038A (en) * 2009-07-31 2011-02-09 주식회사 케이티 Web based authentication method for wireless internet access service at business places
KR20120129249A (en) * 2011-05-19 2012-11-28 부산대학교 산학협력단 Method for setting up a WLAN connection and resolving the indoor locastion of a station using the QRQuick Response code and sound wave
KR20130047300A (en) * 2011-10-31 2013-05-08 삼성전자주식회사 Apparatus and method for configurating access in wireless network

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3099093A1 (en) * 2015-05-28 2016-11-30 Orange Method for controlling access to a service
FR3036913A1 (en) * 2015-05-28 2016-12-02 Orange METHOD FOR CONTROLLING ACCESS TO A SERVICE
CN106789848A (en) * 2015-11-23 2017-05-31 阿里巴巴集团控股有限公司 A kind of user key storage method and server
CN105898747A (en) * 2016-05-13 2016-08-24 中科创达软件科技(深圳)有限公司 Wireless network security authentication method and device and wireless network access method and device
CN106604276A (en) * 2016-11-30 2017-04-26 深圳众思科技有限公司 Wireless local area network access method and wireless local area network access device
CN107567025A (en) * 2017-09-14 2018-01-09 宁波大红鹰学院 WLAN accesses management system and method based on stored value card consumption mode
CN108282472A (en) * 2018-01-16 2018-07-13 上海众人网络安全技术有限公司 A kind of WIFI authentication methods, device, server and storage medium
CN108282472B (en) * 2018-01-16 2020-11-17 上海众人网络安全技术有限公司 WIFI authentication method, device, server and storage medium
US10965672B2 (en) 2018-04-13 2021-03-30 At&T Intellectual Property I, L.P. Network service control for access to wireless radio networks
US11601429B2 (en) 2018-04-13 2023-03-07 At&T Intellectual Property I, L.P. Network service control for access to wireless radio networks
US20210243603A1 (en) * 2019-01-11 2021-08-05 Tencent Technology (Shenzhen) Company Limited Wireless network access method, apparatus, device, equipment and system
CN111314917A (en) * 2020-02-22 2020-06-19 深圳市天和通信有限公司 Method for controlling wireless terminal access and wireless access point
CN111314917B (en) * 2020-02-22 2023-06-23 深圳市天和通信有限公司 Method for controlling wireless terminal access and wireless access point
CN111917736A (en) * 2020-07-13 2020-11-10 海南车智易通信息技术有限公司 Network security management method, computing device and readable storage medium
CN111917736B (en) * 2020-07-13 2023-04-18 海南车智易通信息技术有限公司 Network security management method, computing device and readable storage medium

Also Published As

Publication number Publication date
TW201503655A (en) 2015-01-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14801782

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 05/04/2016)

122 Ep: pct application non-entry in european phase

Ref document number: 14801782

Country of ref document: EP

Kind code of ref document: A1