WO2017020530A1 - Enhanced wlan certificate authentication method, device and system - Google Patents

Abstract

An embodiment of the present invention discloses an enhanced wireless local area network (WLAN) certificate authentication method. The method comprises: sending, by an AP, to an STA an authentication activation message to trigger the STA to perform identity verification for the AP, wherein the authentication activation message carries an AP certificate and first AP signature information; receiving, by the AP, an access authentication request message sent by the STA after the identity verification of the AP, and performing, according to a public key of the STA and the access authentication request message, identity verification for the STA; and if the AP verifies that an STA identity corresponding to STA signature information matches an STA certificate, and the STA certificate is valid, then sending a certificate authentication request message to an AS to trigger the AS to perform two-way certificate authentication. The present technical solution can add an identity verification function between an STA and an AP before an AS performs two-way certificate authentication, thus ensuring the uniqueness and unforgeability of identities of an STA and AP, and improving security of a WLAN certificate authentication process.

Description

Enhanced WLAN certificate identification method, device and system

This application claims priority to Chinese Patent Application No. 201510466837.X, entitled "An Enhanced WLAN Certificate Authentication Method, Apparatus and System", filed on July 31, 2015, the entire contents of which is hereby incorporated by reference. This is incorporated herein by reference.

Technical field

The present invention relates to the field of communications technologies, and in particular, to an enhanced WLAN certificate authentication method, apparatus, and system.

Background technique

With the development of technology and society, Wireless Local Access Network (WLAN) has become more and more widely used in its IT industry with its features such as convenience and speed. However, at the same time, the security threat of WLAN networks is becoming more and more serious. Compared with wired networks, the communication content of wireless networks is more susceptible to eavesdropping and tampering, and security management and protection are more complicated and difficult.

In order to solve the security problem of WLAN, China announced on December 1, 2003 the wireless local area network standard GB15629.11 with authentication and confidentiality mechanism, including the WLAN Authentication and Privacy Infrastructure (WAPI) mechanism. WAPI is divided into two modules: WLAN Authentication Infrastructure (WAI) and WLAN Privacy Infrastructure (WPI). WAI is a public key cryptography (PKI) based on digital signature. Two-way certificate authentication technology.

According to the existing WAI technology, when a terminal (STA, Station) accesses an access point (AP, Access Point) process, there is a lack of an effective authentication link, so that an attacker can use the security vulnerability to conduct a network attack, for example, a network. The attacker can obtain the STA's public key certificate by spoofing the AP's trust, and then use the obtained STA public key certificate to impersonate the STA to access the legal AP, and then access the network through the authentication of the authentication server (AS, Authentication Server). Cyber attack of.

Therefore, designing an enhanced WLAN certificate authentication method is an urgent problem to be solved.

Summary of the invention

The embodiment of the invention discloses an enhanced method and device for WLAN certificate authentication, which can increase the mutual authentication function between the STA and the AP before the AS performs bidirectional certificate authentication on the STA and the AP, thereby ensuring the unique identity of the STA and the AP. Sexuality and unforgeability improve the security of the WLAN certificate authentication process.

A first aspect of the embodiments of the present invention provides an enhanced method for WLAN certificate authentication, which is used in an access point, where the method includes:

The AP sends an authentication activation message to the STA to trigger the STA to perform identity verification on the AP, where the authentication activation message carries an AP certificate and first AP signature information.

Receiving, by the AP, an access authentication request message sent by the STA after performing identity verification on the AP, performing identity verification on the STA according to the pre-stored public key of the STA and the access authentication request message, where The access authentication request message carries an STA certificate, an access authentication request time, and STA signature information.

If the AP verifies that the STA identity corresponding to the STA signature information matches the STA certificate and the STA certificate is valid, sends a certificate authentication request message to the AS to trigger the AS to perform bidirectional certificate authentication and send a certificate authentication response. Message

The AP performs access control on the STA according to the STA certificate authentication result carried in the certificate authentication response message sent by the AS, and sends an access authentication response message to the STA.

With reference to the first aspect, in a first possible implementation manner, the STA signature information is information obtained by encrypting the STA certificate and the access authentication request time by a STA private key;

The authenticating the STA according to the pre-stored public key of the STA and the access authentication request message includes:

Decrypting the STA signature information in the access authentication request message by using the pre-stored public key of the STA to obtain the STA identity corresponding to the STA signature information;

And verifying whether the STA identity corresponding to the STA signature information matches the STA certificate, and verifying whether the STA certificate is valid.

With reference to the first aspect, or the first possible implementation manner of the first aspect, in a second possible implementation manner, the certificate authentication request message carries the STA certificate, the access authentication request time, and the STA The signature information, the AP certificate, and the second AP signature information, where the second AP signature information is an AP's private key to the STA certificate, the access authentication request time, the STA signature, and the AP The information obtained after the certificate is encrypted.

In conjunction with the first aspect, in a third possible implementation, the authentication activation message further carries an authentication activation time.

A second aspect of the embodiments of the present invention provides an enhanced method for WLAN certificate authentication, which is used in a terminal, where the method includes:

The STA receives the authentication activation message sent by the AP, and the STA performs identity verification on the AP according to the pre-stored public key of the AP and the authentication activation message, where the authentication activation message carries the AP certificate and the first AP signature information;

If the STA verifies that the AP identity corresponding to the first AP signature information matches the AP certificate and the AP certificate is valid, sending an access authentication request message to the AP to trigger the AP to The STA performs the authentication, where the access authentication request message carries the STA certificate, the access authentication request time, and the STA signature information;

After the STA receives the access authentication response message sent by the AS after performing the bidirectional certificate authentication, the STA obtains the AP certificate authentication result from the access authentication response message, according to the The AP certificate authentication result determines whether to access the AP.

With reference to the second aspect, in a first possible implementation, the first AP signature information is information obtained by encrypting the AP certificate by a private key of the AP;

Performing on the AP according to the pre-stored public key of the AP and the authentication activation message Authentication, including:

Decrypting the first AP signature information in the authentication activation message by using the pre-stored public key of the AP to obtain the STA identity corresponding to the first AP signature information;

And verifying whether the AP identity corresponding to the first AP signature information matches the AP certificate, and verifying whether the AP certificate is valid.

With reference to the second aspect, in a second possible implementation manner, the authentication activation message further carries an authentication activation time, where the first AP signature information is an AP's private key, and the AP certificate and the authentication activation time are encrypted. After getting the information.

A third aspect of the embodiments of the present invention provides a WLAN access point device, including:

a sending unit, configured to send an authentication activation message to the STA, to trigger the STA to perform identity verification on the access point device, where the authentication activation message carries an AP certificate and first AP signature information;

a receiving unit, configured to receive an access authentication request message sent by the STA after performing identity verification on the access point device;

a processing unit, configured to perform identity verification on the STA according to the pre-stored public key of the STA and the access authentication request message, after the receiving unit receives the access authentication request message, where The access authentication request message carries the STA certificate, the access authentication request time, and the STA signature information;

The sending unit is further configured to: if the processing unit verifies that the STA identity corresponding to the STA signature information matches the STA certificate and the STA certificate is valid, send a certificate authentication request message to the AS to trigger the AS Performing a two-way certificate authentication and transmitting a certificate authentication response message;

The receiving unit is further configured to receive a certificate authentication response message sent by the AS;

The processing unit is further configured to perform access control on the STA according to the STA certificate authentication result carried in the certificate authentication response message received by the receiving unit;

The sending unit is further configured to send an access authentication response message to the STA.

With reference to the third aspect, in a first possible implementation manner, the STA signature information is information obtained by encrypting the STA certificate and the access authentication request time by a STA private key;

The processing unit is specifically configured to:

Decrypting the STA signature information in the access authentication request message by using the pre-stored public key of the STA to obtain the STA identity corresponding to the STA signature information;

And verifying whether the STA identity corresponding to the STA signature information matches the STA certificate, and verifying whether the STA certificate is valid.

With reference to the third aspect, or the first possible implementation manner of the third aspect, in a second possible implementation manner, the certificate authentication request message carries the STA certificate, the access authentication request time, and the STA The signature information, the AP certificate, and the second AP signature information, where the second AP signature information is an AP's private key to the STA certificate, the access authentication request time, the STA signature, and the AP The information obtained after the certificate is encrypted.

In conjunction with the third aspect, in a third possible implementation, the authentication activation message further carries an authentication activation time.

A fourth aspect of the embodiments of the present invention provides a WLAN terminal device, including:

a receiving unit, configured to receive an authentication activation message sent by the AP;

a processing unit, after the receiving unit receives the authentication activation message sent by the AP, performing identity verification on the AP according to the pre-stored public key of the AP and the authentication activation message, where the authentication The activation message carries the AP certificate and the first AP signature information.

a sending unit, configured to: after the processing unit verifies that the AP identity corresponding to the AP signature information matches the AP certificate and the AP certificate is valid, send an access authentication request message to the AP to trigger the The AP performs identity verification on the STA, where the access authentication request message carries an STA certificate, an access authentication request time, and STA signature information;

The receiving unit is further configured to: receive an access authentication response message that is sent after the AP performs identity verification on the STA, and then triggers the AS to perform bidirectional certificate authentication;

The processing unit is further configured to: after receiving the access authentication response message sent by the AP, the receiving unit obtains an AP certificate authentication result from the access authentication response message, and determines, according to the AP certificate authentication result Whether to access the AP.

With reference to the fourth aspect, in a first possible implementation, the first AP signature information is information obtained by encrypting the AP certificate by a private key of the AP;

The processing unit is specifically configured to:

Decrypting the first AP signature information in the authentication activation message by using the pre-stored public key of the AP to obtain the STA identity corresponding to the first AP signature information;

And verifying whether the AP identity corresponding to the first AP signature information matches the AP certificate, and verifying whether the AP certificate is valid.

With reference to the fourth aspect, in a second possible implementation manner, the authentication activation message received by the receiving unit further carries an authentication activation time, where the first AP signature information is an AP private key pair, the AP certificate, and the Identifies the information obtained after the activation time is encrypted.

A fifth aspect of the embodiments of the present invention provides a WLAN certificate authentication system, where the system includes an access point device AP, a terminal device STA, and an authentication server AS, where:

Sending, by the AP, an authentication activation message to the STA, where the authentication activation message carries an AP certificate and first AP signature information;

Receiving, by the STA, the authentication activation message, performing identity verification on the AP according to the pre-stored public key of the AP and the authentication activation message;

And if the STA verifies that the AP identity corresponding to the first AP signature information matches the AP certificate and the AP certificate is valid, sending an access authentication request message to the AP, where the access authentication The request message carries the STA certificate, the access authentication request time, and the STA signature information;

Receiving, by the AP, the access authentication request message, performing identity verification on the STA according to the pre-stored public key of the STA and the access authentication request message;

And if the AP verifies that the STA identity corresponding to the STA signature information matches the STA certificate and the STA certificate is valid, sending a certificate authentication request message to the AS;

The AS receives the certificate authentication request message, performs bidirectional certificate authentication on the STA and the AP according to the certificate authentication request message, and sends a certificate authentication response message to the AP according to the authentication result;

Receiving, by the AP, the certificate authentication response message, performing access control on the STA according to the STA certificate authentication result carried in the certificate authentication response message, and sending an access authentication response message to the STA;

The STA receives the access authentication response message, obtains an AP certificate authentication result from the access authentication response message, and determines whether to access the AP according to the AP certificate authentication result.

Optionally, the STA signature information is information obtained by encrypting, by the STA's private key, the STA certificate and the access authentication request time; the AP is configured according to the pre-stored public key of the STA and the The authentication request message is used to authenticate the STA, including:

The AP decrypts the STA signature information in the access authentication request message by using the pre-stored public key of the STA to obtain the STA identity corresponding to the STA signature information.

The AP verifies whether the STA identity corresponding to the STA signature information matches the STA certificate, and verifies whether the STA certificate is valid.

Optionally, the certificate authentication request message carries the STA certificate, the access authentication request time, the STA signature information, the AP certificate, and the second AP signature information, where the second AP signature information is Information obtained by encrypting the STA certificate, the access authentication request time, the STA signature, and the AP certificate by a private key of the AP.

Optionally, the authentication activation message further carries an authentication activation time, where the first AP signature information is information obtained by encrypting the AP certificate and the authentication activation time by a private key of the AP.

Optionally, the first AP signature information is information obtained by encrypting the AP certificate by a private key of the AP, and the STA is configured to the AP according to the pre-stored public key of the AP and the authentication activation message. Authenticate, including:

The STA decrypts the first AP signature information in the authentication activation message by using the pre-stored public key of the AP to obtain the STA identity corresponding to the first AP signature information.

The STA verifies whether the AP identity corresponding to the first AP signature information matches the AP certificate, and verifies whether the AP certificate is valid.

In the technical solution of the embodiment of the present invention, the AP sends an authentication activation message carrying the AP certificate and the first AP signature to the STA; after the STA receives the authentication activation message sent by the AP, the STA performs the public key and the authentication according to the pre-stored AP. The activation message is used to authenticate the AP. If the AP verifies that the AP identity corresponding to the AP signature information matches the AP certificate and the AP certificate is valid, the AP sends an access authentication request message to the AP to trigger the AP to perform identity verification on the STA. The incoming authentication request message carries the STA certificate, the access authentication request time, and the STA signature information. After receiving the access authentication request message sent by the STA, the AP performs the STA according to the pre-stored STA public key and the access authentication request message. The authentication, if the AP verifies that the STA identity corresponding to the STA signature information matches the STA certificate and the STA certificate is valid, sends a certificate authentication request message to the AS to trigger the AS to perform the two-way certificate authentication and send the certificate authentication response message. It can be seen that the technical solution proposed by the embodiment of the present invention can increase the mutual authentication function between the STA and the AP before the STA performs the bidirectional certificate authentication on the STA and the AP, thereby ensuring the STA and the AP. The uniqueness and unforgeability of identity enhances the security of the WLAN certificate authentication process.

DRAWINGS

In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings to be used in the embodiments will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the present invention. Those skilled in the art can also obtain other drawings based on these drawings without paying any creative work.

1 is a schematic flowchart of a WLAN certificate authentication method in the prior art according to an embodiment of the present invention;

2 is a schematic flowchart of an enhanced WLAN certificate authentication method according to Embodiment 1 of the present invention;

3 is a schematic flowchart of an enhanced WLAN certificate authentication method according to Embodiment 2 of the present invention;

4 is a schematic structural diagram of an access point device according to Embodiment 3 of the present invention;

FIG. 5 is a schematic structural diagram of another access point device according to Embodiment 4 of the present invention; FIG.

FIG. 6 is a schematic structural diagram of a terminal device according to Embodiment 5 of the present invention; FIG.

FIG. 7 is a schematic structural diagram of another terminal device according to Embodiment 6 of the present invention; FIG.

FIG. 8 is a schematic structural diagram of a WLAN certificate authentication system according to Embodiment 7 of the present invention.

detailed description

The public key cryptography used by WAI is a more advanced encryption method than WiFi. In the certificate authentication process, the authentication server (AS) issues public key digital certificates and provides public key certificates for terminals (STAs) and access points (APs). Proof of sex.

The AS is responsible for managing the digital certificates (including generation, issuance, revocation, update, etc.) required by all parties involved in the online information exchange, and is the core of the secure exchange of electronic information. Both the STA and the AP are installed with the public key certificate issued by the AS as their own digital identity certificate. When the STA logs in to the AP, the AS must perform two-way certificate authentication between the STA and the AP before accessing the network. In the case of a certificate, the STA can access the AP to access the network. In this way, the STA that holds the legal certificate can access the AP that holds the legal certificate, prevent the illegal STA from accessing the AP and occupy the network resource, and prevent the STA from leaking the STA through the legal STA. Public key certificates are the most important part of WAI. The identity of the network device can be uniquely determined by the certificate and the private key. The public key certificate is the digital identity certificate of the network device in the network environment. The combination of the cryptographic technology and the security protocol can ensure the uniqueness, unforgeability and other capabilities of the device identity. performance.

At present, the certificate authentication process of the WAI technology can be seen in FIG. 1. In FIG. 1, the certificate authentication process of the WAI technology includes the following steps: 1. When the STA is associated with the AP, the AP sends an authentication activation to the STA to start the entire authentication. process. 2. After receiving the authentication activation message, the STA sends an access authentication request message to the AP, including the STA certificate and the current system time of the STA. 3. After receiving the access authentication request message, the AP first records the system time in the message as the access authentication request time, and then sends the STA certificate, the access authentication request time, the AP certificate, and the AP's private key to the AS. The certificate authentication request message is formed by the signature; after receiving the certificate authentication request message sent by the AP, the AS performs AP signature verification on the certificate authentication request message. If the verification fails, the authentication process fails, otherwise the AP certificate is further verified. The validity of the book and STA certificate. 4. After the AS authenticates the AP and the STA, the STA certificate authentication result information (including the STA certificate and the STA authentication result) and the AP certificate authentication result information (including the AP certificate, the AP authentication result, and the access authentication request time) and The certificate authentication response message formed by the private key of the AS is sent to the AP. The AP performs AS signature verification on the certificate authentication response message sent by the AS to obtain the authentication result of the STA certificate, and performs access control on the STA according to the result. 5. The AP sends the received certificate authentication response message to the STA. After the STA verifies the signature of the AS, the STA obtains the authentication result of the AP certificate, and determines whether to access the AP according to the authentication result. The STA and the AP have completed the two-way authentication process. If the STA certificate is successfully authenticated, the AP allows the STA to access. Otherwise, the STA is disconnected. If the AP certificate is successfully authenticated, the STA decides to access the AP. Otherwise, the AP does not access the AP. .

Researchers in the field have found that there is a lack of mutual authentication process in the process of STA accessing the AP. Since the authentication activation message does not contain any identity authentication information, the network attacker can easily fake the AP identity and send the authentication activation to the STA. After receiving the authentication activation message, the STA sends an access authentication request message carrying the STA certificate to the fake AP, so that the fake AP obtains the STA certificate, and then uses the obtained STA certificate to impersonate the STA identity to access the legal AP, and then passes the AS. After the certificate is authenticated, it accesses the network and achieves the purpose of network attack.

The embodiments of the present invention provide an enhanced WLAN certificate authentication method, device, and system. The method can be implemented in a STA and an AP of a wireless local area network, and can ensure the uniqueness of STA and AP identity during STA access to the AP. And unforgeability, improve the security of the WLAN certificate authentication process.

The technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.

Each embodiment will be described below separately.

The terms "first", "second", "third" and "fourth" and the like in the specification and claims of the present invention and the above drawings are used to distinguish different objects, and are not intended to describe a specific order. Furthermore, the terms "comprises" and "comprising" and "comprising" are intended to cover a non-exclusive inclusion. For example, a process, method, system, product, or device that comprises a series of steps or units is not limited to the listed steps or units, but optionally also includes steps or units not listed, or alternatively Correct Other steps or units inherent to these processes, methods, products or equipment.

Referring first to FIG. 2, FIG. 2 is a schematic flowchart diagram of a method for enhancing WLAN certificate authentication according to Embodiment 1 of the present invention. As shown in FIG. 2, an enhanced WLAN certificate authentication method provided in Embodiment 1 of the present invention can be used in an AP, and can include the following steps:

S101. The AP sends an authentication activation message to the STA to trigger the STA to perform identity verification on the AP, where the authentication activation message carries the AP certificate and the first AP signature information.

When the STA is associated with the AP, the AP sends an authentication activation message to the STA to start the certificate authentication process. In the solution provided by the embodiment of the present invention, the authentication activation message is also used to trigger the STA to perform identity verification on the AP, and the authentication activation message carries The identity information of the AP, that is, the AP certificate and the first AP signature information. The AP certificate is issued by the AS and can be used to prove the identity of the AP. The first AP signature information is the information obtained by the AP using the private key to encrypt the AP certificate, and is used to ensure that the identity of the AP entity is not falsified. Unforgeable.

After receiving the authentication activation message sent by the AP, the STA authenticates the AP according to the pre-stored AP's public key and the authentication activation message. Specifically, the STA first uses the public key of the pre-stored AP to perform the signature algorithm decryption on the first AP signature information in the authentication activation message, and the information obtained after the decryption is the STA identity corresponding to the first AP signature information, and the STA verifies the first Whether the AP identity corresponding to an AP signature information matches the AP certificate in the authentication activation message. If the identity of the AP corresponding to the first AP signature information is matched with the AP certificate, the first AP signature verification is passed, and the identity of the AP is confirmed to be consistent with the real identity of the AP, and then the validity of the AP certificate is verified, and the AP certificate is verified. If the certificate is valid, the AP certificate is verified and the AP can be confirmed as a legitimate user. After the first AP signature and the AP certificate are verified, the identity of the AP is fully verified, and the STA sends an access authentication request message to the AP. If the AP signature or the AP certificate fails to pass the verification, the AP is an illegal access point. , suspend the certificate identification process.

In some feasible implementation manners, the authentication activation message sent by the AP to the STA may further include an authentication activation time, which is used to indicate the time when the AP sends the authentication activation message, so that the STA distinguishes different authentication processes.

S102: The AP receives an access authentication request message sent by the STA after performing identity verification on the AP, and performs identity verification on the STA according to the pre-stored public key of the STA and the access authentication request message, where the access authentication request message carries the STA certificate. Access authentication request time and STA signature information.

In the solution proposed by the embodiment of the present invention, if the STA successfully authenticates the AP, the STA The AP sends an access authentication request message. When the AP receives the access authentication request message, the AP performs identity verification on the STA according to the pre-stored STA public key and the access authentication request message, and the access authentication request message carries the STA certificate. Access authentication request time and STA signature information. The STA certificate is issued by the AS and can be used to prove the identity of the STA. The STA signature information is obtained by the STA using the private key to encrypt the STA certificate and the access authentication request time. Not falsified, unforgeable.

Specifically, when the AP authenticates the STA, the STA signature information in the access authentication request message is decrypted by using the public key of the pre-stored STA, and the STA signature information is obtained from the decrypted information. The STA identity verifies whether the STA identity corresponding to the STA signature information matches the STA certificate. If the STA identity corresponding to the STA signature information is matched with the STA certificate, the STA signature verification is passed, and it can be confirmed that the identity declared by the STA is consistent with the true identity of the STA, and then the STA certificate is verified as a valid certificate, and if the STA certificate is a valid certificate. Then, the STA certificate is verified, and it can be confirmed that the STA is a legitimate user. If the STA signature verification fails or the STA certificate fails to pass, the STA is an illegal user and the certificate authentication process is aborted.

S103. If the AP verifies that the STA identity corresponding to the STA signature information matches the STA certificate and the STA certificate is valid, sends a certificate authentication request message to the AS to trigger the AS to perform the two-way certificate authentication and send the certificate authentication response message.

If the STA signature verification is passed and the STA certificate is verified, that is, the AP verifies that the STA identity corresponding to the STA signature information matches the STA certificate and the STA certificate is valid, indicating that the identity of the STA is fully verified. After the identity of the STA is verified, the AP first records the access authentication request time and the STA certificate carried in the access authentication request message, and then sends a certificate authentication request message to the AS to trigger the AS to perform the two-way certificate authentication and send the certificate authentication response message. The certificate authentication request message carries an STA certificate, an access authentication request time, an AP certificate, and a second AP signature information. The second AP signature information is information obtained by encrypting the STA certificate, the access authentication request time, and the AP certificate by the private key of the AP. For the specific implementation of the AS bidirectional certificate authentication, reference may be made to the prior art.

In some feasible implementation manners, the certificate authentication request message sent by the AP to the AS may further carry the STA signature information, where the STA signature information is obtained by the AP from the access authentication request message sent by the STA, that is, the certificate authentication request message. The STA certificate, the access authentication request time, the STA signature information, the AP certificate, and the second AP signature information are carried. The second AP signature information is the AP's private key pair STA certificate and access profile. Do not request time, STA signature and AP certificate to obtain the information obtained by the signature algorithm encryption. After receiving the certificate authentication request message sent by the AP, the AS decrypts the second AP signature information in the certificate authentication request message by using the public key of the pre-stored AP, and obtains the second AP signature information from the decrypted information. AP identity. If the AP identity corresponding to the second AP signature information matches the AP certificate, the second AP signature verification is passed, and the STA signature information in the certificate authentication request message is used to decrypt the signature algorithm by using the pre-stored STA public key. After the information of the STA corresponding to the STA signature information is obtained, if the STA identity corresponding to the STA signature information matches the STA certificate, the STA signature verification is passed. The AS re-verifies whether the AP certificate and the STA certificate are valid certificates. The signature verification can confirm whether the declared identity of the AP and the STA is consistent with the real identity, and the certificate verification can confirm whether the AP and the STA are legitimate users. If the second AP signature is verified and the AP certificate is verified, the AS determines that the AP certificate is successfully authenticated, otherwise the AP certificate authentication fails; if the STA signature passes the verification and the STA certificate passes the verification, the AS determines that the STA certificate is successfully authenticated, otherwise the STA certificate is authenticated. failure. The AS generates a certificate authentication response message according to the bidirectional certificate authentication result and sends the message to the AP.

S104: The AP performs access control on the STA according to the STA certificate authentication result carried in the certificate authentication response message sent by the received AS, and sends an access authentication response message to the STA.

The certificate authentication response message sent by the AS to the AP carries the STA certificate authentication result (including the STA certificate and the STA authentication result), the AP certificate authentication result information (including the AP certificate, the AP authentication result, and the access authentication request time), and the private key of the AS. After receiving the certificate authentication response message sent by the AS, the AP performs signature verification on the AS and performs access authentication request time verification using the public key of the pre-stored AS. If the authentication process fails, the certificate authentication process fails. Otherwise, the STA authentication result is obtained from the certificate authentication response message. The AP performs access control on the STA according to the result, and sends the access to the STA. Authentication response message.

In the technical solution of the embodiment of the present invention, when the STA is associated with the AP, the AP sends an authentication activation message carrying the AP certificate and the first AP signature to the STA. After the STA receives the authentication activation message sent by the AP, the STA stores the STA according to the pre-stored The public key of the AP and the authentication activation message authenticate the AP. If the AP verifies that the AP identity corresponding to the AP signature information matches the AP certificate and the AP certificate is valid, the AP sends an access authentication request message to the AP to trigger the AP to the STA. Performing authentication, where the access authentication request message carries the STA certificate, the access authentication request time, and the STA signature information; when the AP receives the STA After the sent access authentication request message is sent, the STA is authenticated according to the pre-stored STA's public key and the access authentication request message. If the AP verifies that the STA identity corresponding to the STA signature information matches the STA certificate and the STA certificate is valid, Then, a certificate authentication request message is sent to the AS to trigger the AS to perform two-way certificate authentication and send a certificate authentication response message. It can be seen that the technical solution proposed by the embodiment of the present invention can increase the mutual identity verification function between the STA and the AP before the STA performs the bidirectional certificate authentication on the STA and the AP, thereby ensuring the identity of the STA and the AP. The uniqueness and unforgeability improve the security of the WLAN certificate authentication process.

The second embodiment of the present invention provides an enhanced WLAN certificate authentication method. Referring to FIG. 3, FIG. 3 is a schematic flowchart of an enhanced WLAN certificate authentication method according to Embodiment 2 of the present invention. The method provided in the second embodiment may include the following steps:

S201: The STA receives the authentication activation message sent by the AP, and the STA performs identity verification according to the public key of the pre-stored AP and the authentication activation message, where the authentication activation message carries the AP certificate and the first AP signature information.

When the STA is associated with the AP, the AP sends an authentication activation message to the STA to start the certificate authentication process. In the solution proposed by the embodiment of the present invention, the authentication activation message is further used to trigger the STA to perform identity verification on the AP, and the STA receives the AP to send the The authentication message is authenticated, and the STA authenticates the AP according to the public key of the pre-stored AP and the authentication activation message.

The authentication activation message carries the identity information of the AP, that is, carries the AP certificate and the first AP signature information. The AP certificate is issued by the AS and can be used to prove the identity of the AP. The first AP signature information is the information obtained by the AP using the private key to encrypt the AP certificate, and is used to ensure that the identity of the AP entity is not falsified. Unforgeable.

Specifically, the STA first uses the public key of the pre-stored AP to perform the signature algorithm decryption on the first AP signature information in the authentication activation message, and the information obtained after the decryption is the STA identity corresponding to the first AP signature information, and the STA verifies the first Whether the AP identity corresponding to an AP signature information matches the AP certificate in the authentication activation message. If the identity of the AP corresponding to the first AP signature information is matched with the AP certificate, the first AP signature verification is passed, and the identity of the AP is confirmed to be consistent with the real identity of the AP, and then the validity of the AP certificate is verified, and the AP certificate is verified. If the certificate is valid, the AP certificate is verified and the AP can be confirmed as a legitimate user. If the AP signature or AP certificate fails to pass the verification, the AP is an illegal access point and the certificate authentication process is aborted.

In some feasible implementation manners, the authentication activation message sent by the AP to the STA may further include an authentication activation time, which is used to indicate the time when the AP sends the authentication activation message, so that the STA distinguishes different authentication processes.

S202. If the AP identity of the AP signature information matches the AP certificate and the AP certificate is valid, the AP sends an access authentication request message to the AP to trigger the AP to perform identity verification on the STA, where the access authentication request message is carried. STA certificate, access authentication request time, and STA signature information.

In the solution provided by the embodiment of the present invention, after the first AP signature and the AP certificate are verified, the AP identity corresponding to the AP signature information is matched with the AP certificate and the AP certificate is valid, indicating that the identity of the AP is fully verified. The STA sends an access authentication request message to the AP. The access authentication request message carries the STA certificate, the access authentication request time, and the STA signature information. The STA certificate is issued by the AS and can be used to prove the identity of the STA. The STA signature information is obtained by the STA using the private key to encrypt the STA certificate and the access authentication request time. Not falsified, unforgeable. When the AP receives the access authentication request message, the AP performs identity verification on the STA according to the pre-stored STA's public key and the access authentication request message. For the specific implementation of the AP to authenticate the STA, refer to the first embodiment of the present invention. Step S102, and details are not described herein again.

S203. When the STA receives the access authentication response message sent by the AS after performing the bidirectional certificate authentication, the STA obtains the AP certificate authentication result from the access authentication response message, and determines whether to access according to the AP certificate authentication result. AP.

If the AP passes the authentication of the STA, the AP records the access authentication request time and the STA certificate in the access authentication request message, and then sends a certificate authentication request message to the AS to trigger the AS to perform the two-way certificate authentication and send the certificate authentication response message. The certificate authentication request message carries an STA certificate, an access authentication request time, an AP certificate, and a second AP signature information. The second AP signature information is information obtained by encrypting the STA certificate, the access authentication request time, and the AP certificate by the private key of the AP. For the specific implementation of the AS bidirectional certificate authentication, reference may be made to the prior art.

In some feasible implementation manners, the certificate authentication request message sent by the AP to the AS may further carry the STA signature information, where the STA signature information is obtained by the AP from the access authentication request message sent by the STA, that is, the certificate authentication request message. The STA certificate, the access authentication request time, the STA signature information, the AP certificate, and the second AP signature information are carried. The second AP signature information is information obtained by encrypting the STA certificate, the access authentication request time, the STA signature, and the AP certificate by the signature algorithm of the private key of the AP. About AS root The specific implementation of the two-way certificate authentication according to the certificate authentication request message may refer to step S103 of the first embodiment of the present invention, and details are not described herein again.

The certificate authentication response message sent by the AS to the AP carries the STA certificate authentication result (including the STA certificate and the STA authentication result), the AP certificate authentication result information (including the AP certificate, the AP authentication result, and the access authentication request time), and the private key of the AS. After the AP obtains the certificate authentication response message sent by the AS, the AP obtains the STA certificate authentication result from the certificate authentication response message, and the AP performs access control on the STA according to the result, and An access authentication response message is sent to the STA.

The access authentication response message carries the STA certificate authentication result (including the STA certificate and the STA authentication result), the AP certificate authentication result information (including the AP certificate, the AP authentication result, and the access authentication request time), and the AP's private key to perform the above information. The third AP signature information obtained by the signature algorithm is encrypted. After receiving the access authentication response message sent by the AP, the STA uses the public key of the pre-stored AP to perform signature verification on the AP and perform access authentication request time verification. If the AP signature verification or access authentication time verification is not performed, The certificate authentication process is aborted. Otherwise, the AP certificate authentication result is obtained from the access authentication response message, and the STA determines whether to access the AP according to the AP certificate authentication result.

In the technical solution of the embodiment of the present invention, when the STA is associated with the AP, the AP sends an authentication activation message carrying the AP certificate and the first AP signature to the STA. After the STA receives the authentication activation message sent by the AP, the STA stores the STA according to the pre-stored The public key of the AP and the authentication activation message authenticate the AP. If the AP verifies that the AP identity corresponding to the AP signature information matches the AP certificate and the AP certificate is valid, the AP sends an access authentication request message to the AP to trigger the AP to the STA. The authentication is performed, where the access authentication request message carries the STA certificate, the access authentication request time, and the STA signature information. After the AP receives the access authentication request message sent by the STA, the AP performs the public key according to the pre-stored STA. The authentication request message is used to authenticate the STA. If the AP verifies that the STA identity corresponding to the STA signature information matches the STA certificate and the STA certificate is valid, the AS sends a certificate authentication request message to the AS to trigger the AS to perform mutual authentication and send the certificate. Authentication response message. It can be seen that the technical solution proposed by the embodiment of the present invention can increase the mutual authentication function between the STA and the AP before the STA performs the bidirectional certificate authentication on the STA and the AP, thereby ensuring the STA and the AP. The uniqueness and unforgeability of identity enhances the security of the WLAN certificate authentication process.

Embodiment 3 of the present invention provides an access point device for implementing an enhancement proposed by the present invention. WLAN certificate authentication method. Referring to FIG. 4, the access point device a00 may include a transmitting unit a10, a receiving unit a20, and a processing unit a30.

The sending unit a10 is configured to send an authentication activation message to the STA to trigger the STA to perform identity verification on the access point device, where the authentication activation message carries the AP certificate and the first AP signature information.

The receiving unit a20 is configured to receive an access authentication request message sent by the STA after performing identity verification on the access point device;

The processing unit a30 is configured to perform identity verification on the STA according to the pre-stored public key of the STA and the access authentication request message, after the receiving unit a20 receives the access authentication request message, where the access authentication request message carries the STA certificate. Access authentication request time and STA signature information;

The sending unit a10 is further configured to: if the processing unit a30 verifies that the STA identity corresponding to the STA signature information matches the STA certificate and the STA certificate is valid, send a certificate authentication request message to the AS to trigger the AS to perform the two-way certificate authentication and send the certificate authentication. Response message

The receiving unit a20 is further configured to receive a certificate authentication response message sent by the AS;

The processing unit a30 is further configured to perform access control on the STA according to the STA certificate authentication result carried in the certificate authentication response message received by the receiving unit a20;

The sending unit a10 is further configured to send an access authentication response message to the STA.

The STA signature information in the access authentication request message is information obtained by encrypting the STA certificate and the access authentication request time by the private key of the STA. The processing unit a30 decrypts the STA signature information in the access authentication request message by using the public key of the pre-stored STA to obtain the STA identity corresponding to the STA signature information, and verifies whether the STA identity corresponding to the STA signature information matches the STA certificate, and Verify that the STA certificate is valid.

The certificate authentication request message carries the STA certificate, the access authentication request time, the STA signature information, the AP certificate, and the second AP signature information, and the second AP signature information is the AP private key to the STA certificate, the access authentication request time, and the STA. The information obtained after the signature and AP certificate are encrypted.

It can be seen that the technical solution proposed by the embodiment of the present invention can increase the mutual relationship between the STA and the access point device before the AS performs the bidirectional certificate authentication on the STA and the access point device, that is, in the process of the STA accessing the access point device. The authentication function ensures the uniqueness and unforgeability of the STA and access point device identity, which improves the security of the WLAN certificate authentication process.

Embodiment 4 of the present invention provides another access point device for implementing an increase proposed by the present invention. Strong WLAN certificate authentication method. Referring to FIG. 5, the device b00 includes a processor b10, a memory b20, a bus system b30, a receiver b40, and a transmitter b50. The processor b10, the memory b20, the receiver b40 and the transmitter b50 are connected by a bus system b30 for storing instructions for executing the instructions stored in the memory b20 to control the receiver b40 to receive. The signal is controlled and the transmitter b50 transmits a signal to complete the steps in the enhanced WLAN certificate authentication method described above. The receiver b40 and the transmitter b50 may be the same or different physical entities. When they are the same physical entity, they can be collectively referred to as transceivers.

The method steps performed by the device b00 may at least include:

Sending an authentication activation message to the STA to trigger the STA to authenticate the access point, where the authentication activation message carries the AP certificate and the first AP signature information;

Receiving an access authentication request message sent by the STA after the access point is authenticated, and authenticating the STA according to the pre-stored public key of the STA and the access authentication request message, where the access authentication request message carries the STA certificate, Access authentication request time and STA signature information;

If the STA identity corresponding to the STA signature information is matched with the STA certificate and the STA certificate is valid, the certificate authentication request message is sent to the AS to trigger the AS to perform the two-way certificate authentication and send the certificate authentication response message;

The STA performs access control according to the STA certificate authentication result carried in the certificate authentication response message sent by the received AS, and sends an access authentication response message to the STA.

For the concepts, explanations, detailed descriptions and other steps related to the technical solutions provided by the embodiments of the present invention, refer to the descriptions of the foregoing methods or embodiments, and no further details are provided herein.

The fifth embodiment of the present invention provides a terminal device for implementing an enhanced WLAN certificate authentication method proposed by the present invention. Referring to FIG. 6, the terminal device c00 may include a receiving unit c10, a processing unit c20, and a transmitting unit c30.

The receiving unit c10 is configured to receive an authentication activation message sent by the AP.

The processing unit c20 is configured to: after receiving the authentication activation message sent by the AP, the receiving unit c10 performs identity verification on the AP according to the public key of the pre-stored AP and the authentication activation message, where the authentication activation message carries the AP certificate and the first AP. Signature information;

The sending unit c30 is configured to verify, at the processing unit c20, the AP identity and the AP corresponding to the AP signature information. After the certificate is matched and the AP certificate is valid, the AP sends an access authentication request message to the AP to trigger the AP to perform authentication on the STA, where the access authentication request message carries the STA certificate, the access authentication request time, and the STA signature information.

The receiving unit c10 is further configured to: receive an access authentication response message that is sent after the AP performs bidirectional certificate authentication after the AP performs identity verification on the STA;

The processing unit c20 is further configured to: after receiving the access authentication response message sent by the AP, the receiving unit c10 obtains an AP certificate authentication result from the access authentication response message, and determines whether to access the AP according to the AP certificate authentication result.

The first AP signature information is information obtained by encrypting the AP certificate by the AP private key; the processing unit c20 decrypts the first AP signature information in the authentication activation message by using the pre-stored AP public key to obtain the first The STA identity corresponding to the AP signature information is verified whether the AP identity corresponding to the first AP signature information matches the AP certificate, and the AP certificate is valid.

The authentication activation message received by the receiving unit c10 further carries the authentication activation time, and the first AP signature information is information obtained by encrypting the AP private key to the AP certificate and the authentication activation time.

It can be seen that the technical solution proposed by the embodiment of the present invention can increase the mutual identity verification function between the terminal device and the AP before the AS performs the two-way certificate authentication on the terminal device and the AP, thereby ensuring mutual authentication between the terminal device and the AP. The uniqueness and unforgeability of the terminal device and the AP identity improve the security of the WLAN certificate authentication process.

Embodiment 6 of the present invention provides another terminal device for implementing an enhanced WLAN certificate authentication method proposed by the present invention. Referring to Figure 7, the device d00 includes a processor d10, a memory d20, a bus system d30, a receiver d40, and a transmitter d50. The processor d10, the memory d20, the receiver d40 and the transmitter d50 are connected by a bus system d30 for storing instructions, and the processor d10 is configured to execute the instructions stored in the memory d20 to control the receiver d40 to receive Signaling, and controlling the transmitter d50 to transmit a signal, completes the steps in the enhanced WLAN certificate authentication method described above. The receiver d40 and the transmitter d50 may be the same or different physical entities. When they are the same physical entity, they can be collectively referred to as transceivers.

The method steps performed by the device d00 may at least include:

Receiving the authentication activation message sent by the AP, and authenticating the AP according to the public key of the pre-stored AP and the authentication activation message, where the authentication activation message carries the AP certificate and the first AP signature information;

If the AP identity corresponding to the first AP signature information is matched with the AP certificate and the AP certificate is valid, the AP sends an access authentication request message to the AP to trigger the AP to perform identity verification on the STA, where the access authentication request message carries the STA. Certificate, access authentication request time, and STA signature information;

After receiving the AP to authenticate the STA, the AS sends an access authentication response message sent by the AS to perform the two-way certificate authentication, obtains the AP certificate authentication result from the access authentication response message, and determines whether to access the AP according to the AP certificate authentication result.

For the concepts, explanations, detailed descriptions and other steps related to the technical solutions provided by the embodiments of the present invention, refer to the descriptions of the foregoing methods or embodiments, and no further details are provided herein.

A seventh embodiment of the present invention provides a system for WLAN certificate authentication. Referring to FIG. 8, FIG. 8 is a schematic structural diagram of a WLAN certificate authentication system according to Embodiment 7 of the present invention. As shown in FIG. 8, the system includes: The in-point device 710, the terminal device 720, and the authentication server 730.

The access point device 710 is an access point device provided by the above embodiments of the present invention for implementing an enhanced WLAN certificate authentication method of the present invention;

The terminal device 720 is the terminal device for implementing the enhanced WLAN certificate authentication method of the present invention provided by the foregoing embodiments of the present invention;

The authentication server 730 is configured to perform bidirectional certificate authentication on the terminal device 720 and the access point device 710 according to the certificate authentication request message after receiving the certificate authentication request message sent by the access point device 710, and provide the access point to the access point according to the authentication result. Device 710 sends a certificate authentication response message.

The certificate authentication request message may carry the STA certificate, the access authentication request time, the STA signature information, the AP certificate, and the second AP signature information, where the second AP signature information is the AP private key to the STA certificate, the access authentication request time, The information obtained after the STA signature and the AP certificate are encrypted. After receiving the certificate authentication request message sent by the access point device 710, the authentication server 730 decrypts the second AP signature information in the certificate authentication request message by using the public key of the pre-stored AP, and obtains the first information from the decrypted information. The AP identity corresponding to the second AP signature information. If the AP identity corresponding to the second AP signature information matches the AP certificate, the second AP signature verification is passed, and the STA signature information in the certificate authentication request message is used to decrypt the signature algorithm by using the pre-stored STA public key. After the information of the STA corresponding to the STA signature information is obtained, if the STA identity corresponding to the STA signature information matches the STA certificate, the STA signature verification is passed. Authentication server 730 re-authenticates AP Whether the certificate and the STA certificate are valid certificates. The signature verification can confirm whether the declared identity of the AP and the STA is consistent with the real identity, and the certificate verification can confirm whether the AP and the STA are legitimate users. If the second AP signature passes the verification and the AP certificate passes the verification, the authentication server 730 determines that the AP certificate authentication is successful, otherwise the AP certificate authentication fails; if the STA signature passes the verification and the STA certificate passes the verification, the authentication server 730 determines that the STA certificate is successfully authenticated. Otherwise, the STA certificate authentication fails. The authentication server 730 generates a certificate authentication response message to the access point device 710 according to the above bidirectional certificate authentication result.

Those of ordinary skill in the art will appreciate that various aspects of the present invention, or possible implementations of various aspects, may be embodied as a system, method, or computer program product. Furthermore, aspects of the invention, or possible implementations of various aspects, may take the form of a computer program product, which is a computer readable program code stored in a computer readable medium.

The computer readable medium can be a computer readable data medium or a computer readable storage medium. The computer readable storage medium includes, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing, such as random access memory (RAM), read only memory (ROM), Erase programmable read-only memory (EPROM or flash memory), optical fiber, portable read-only memory (CD-ROM).

The processor in the computer reads the computer readable program code stored in the computer readable medium such that the processor is capable of performing the various functional steps specified in each step of the flowchart, or a combination of steps; A device that functions as specified in each block, or combination of blocks.

The computer readable program code can execute entirely on the user's computer, partly on the user's computer, as a separate software package, partly on the user's local computer and partly on the remote computer, or entirely on the remote computer or server. carried out. It should also be noted that in some alternative implementations, the functions noted in the various steps in the flowcharts or in the blocks in the block diagrams may not occur in the order noted. For example, two steps, or two blocks, shown in succession may be executed substantially concurrently or the blocks may be executed in the reverse order.

In the several embodiments provided herein, it should be understood that the disclosed apparatus may be implemented in other ways. For example, the device embodiments described above are merely illustrative. The division of the functional units is only a logical function division. In the specific implementation, there may be other division manners, for example, multiple units may be combined into the same subsystem. Or implemented in a module, or split a unit into several Unit implementations, or some implementation features may be ignored or not implemented.

The method and device for enhancing the WLAN certificate authentication disclosed in the embodiments of the present invention are described in detail. The principles and implementation manners of the present invention are described in the following. The description of the above embodiments is only for helping. The method of the present invention and its core idea are understood; at the same time, for those skilled in the art, according to the idea of the present invention, there are changes in the specific embodiments and application scopes. It should be understood that the invention is limited.

Claims (19)

1. An enhanced method for authenticating a WLAN certificate for use in an access point, the method comprising:

   The access point AP sends an authentication activation message to the terminal STA to trigger the STA to perform identity verification on the AP, where the authentication activation message carries the AP certificate and the first AP signature information.

   Receiving, by the AP, an access authentication request message sent by the STA after performing identity verification on the AP, performing identity verification on the STA according to the pre-stored public key of the STA and the access authentication request message, where The access authentication request message carries an STA certificate, an access authentication request time, and STA signature information.

   And if the AP verifies that the STA identity corresponding to the STA signature information matches the STA certificate and the STA certificate is valid, sending a certificate authentication request message to the authentication server AS, to trigger the AS to perform bidirectional certificate authentication and Sending a certificate authentication response message;

   The AP performs access control on the STA according to the STA certificate authentication result carried in the certificate authentication response message sent by the AS, and sends an access authentication response message to the STA.
2. The method according to claim 1, wherein the STA signature information is information obtained by encrypting the STA certificate and the access authentication request time by a private key of the STA;

   The authenticating the STA according to the pre-stored public key of the STA and the access authentication request message includes:

   Decrypting the STA signature information in the access authentication request message by using the pre-stored public key of the STA to obtain the STA identity corresponding to the STA signature information;

   And verifying whether the STA identity corresponding to the STA signature information matches the STA certificate, and verifying whether the STA certificate is valid.
3. The method according to claim 1 or 2, wherein the certificate authentication request message carries the STA certificate, the access authentication request time, the STA signature information, the AP certificate, and a second AP signature. The information, wherein the second AP signature information is information obtained by encrypting the STA certificate, the access authentication request time, the STA signature, and the AP certificate by a private key of the AP.
4. The method of claim 1 wherein said authentication activation message is further carried Identify the activation time.
5. An enhanced method for authenticating a WLAN certificate for use in a terminal, the method comprising:

   The terminal STA receives the authentication activation message sent by the access point AP, and the STA performs identity verification on the AP according to the pre-stored public key of the AP and the authentication activation message, where the authentication activation message carries the AP. Certificate and first AP signature information;

   If the STA verifies that the AP identity corresponding to the first AP signature information matches the AP certificate and the AP certificate is valid, sending an access authentication request message to the AP to trigger the AP to The STA performs the authentication, where the access authentication request message carries the STA certificate, the access authentication request time, and the STA signature information;

   After the STA receives the access authentication response message sent by the authentication server AS after performing the bidirectional certificate authentication, the STA obtains the AP certificate authentication result from the access authentication response message, according to the STA, The AP certificate authentication result determines whether to access the AP.
6. The method according to claim 5, wherein the first AP signature information is information obtained by encrypting the AP certificate by a private key of the AP;

   The authenticating the AP according to the pre-stored public key of the AP and the authentication activation message includes:

   Decrypting the first AP signature information in the authentication activation message by using the pre-stored public key of the AP to obtain the STA identity corresponding to the first AP signature information;

   And verifying whether the AP identity corresponding to the first AP signature information matches the AP certificate, and verifying whether the AP certificate is valid.
7. The method according to claim 5, wherein the authentication activation message further carries an authentication activation time, and the first AP signature information is obtained by encrypting the AP certificate and the authentication activation time by using an AP private key. Information.
8. A WLAN access point device, comprising:

   a sending unit, configured to send an authentication activation message to the terminal STA, to trigger the STA to perform identity verification on the access point device, where the authentication activation message carries an AP certificate and first AP signature information;

   a receiving unit, configured to receive an access authentication request message sent by the STA after performing identity verification on the access point device;

   a processing unit, configured to perform identity verification on the STA according to the pre-stored public key of the STA and the access authentication request message, after the receiving unit receives the access authentication request message, where The access authentication request message carries the STA certificate, the access authentication request time, and the STA signature information;

   The sending unit is further configured to: if the processing unit verifies that the STA identity corresponding to the STA signature information matches the STA certificate and the STA certificate is valid, send a certificate authentication request message to the authentication server AS, Triggering the AS to perform bidirectional certificate authentication and sending a certificate authentication response message;

   The receiving unit is further configured to receive a certificate authentication response message sent by the AS;

   The processing unit is further configured to perform access control on the STA according to the STA certificate authentication result carried in the certificate authentication response message received by the receiving unit;

   The sending unit is further configured to send an access authentication response message to the STA.
9. The device according to claim 8, wherein the STA signature information is information obtained by encrypting the STA certificate and the access authentication request time by a private key of the STA;

   The processing unit is specifically configured to:

   Decrypting the STA signature information in the access authentication request message by using the pre-stored public key of the STA to obtain the STA identity corresponding to the STA signature information;

   And verifying whether the STA identity corresponding to the STA signature information matches the STA certificate, and verifying whether the STA certificate is valid.
10. The device according to claim 8 or 9, wherein the certificate authentication request message carries the STA certificate, the access authentication request time, the STA signature information, the AP certificate, and a second AP signature. The information, wherein the second AP signature information is information obtained by encrypting the STA certificate, the access authentication request time, the STA signature, and the AP certificate by a private key of the AP.
11. The device of claim 8 wherein said authentication activation message further carries an authentication activation time.
12. A terminal device for a wireless local area network, comprising:

    a receiving unit, configured to receive an authentication activation message sent by the access point AP;

    a processing unit, after the receiving unit receives the authentication activation message sent by the AP, performing identity verification on the AP according to the pre-stored public key of the AP and the authentication activation message, where the authentication The activation message carries the AP certificate and the first AP signature information.

    a sending unit, configured to: after the processing unit verifies that the AP identity corresponding to the AP signature information matches the AP certificate and the AP certificate is valid, send an access authentication request message to the AP to trigger the The AP performs identity verification on the STA, where the access authentication request message carries an STA certificate, an access authentication request time, and STA signature information;

    The receiving unit is further configured to: after receiving the identity verification by the AP, trigger an authentication authentication response message sent by the authentication server AS after performing bidirectional certificate authentication;

    The processing unit is further configured to: after receiving the access authentication response message sent by the AP, the receiving unit obtains an AP certificate authentication result from the access authentication response message, and determines, according to the AP certificate authentication result Whether to access the AP.
13. The device according to claim 12, wherein the first AP signature information is information obtained by encrypting the AP certificate by a private key of the AP;

    The processing unit is specifically configured to:

    Decrypting the first AP signature information in the authentication activation message by using the pre-stored public key of the AP to obtain the STA identity corresponding to the first AP signature information;

    And verifying whether the AP identity corresponding to the first AP signature information matches the AP certificate, and verifying whether the AP certificate is valid.
14. The device according to claim 12, wherein the authentication activation message received by the receiving unit further carries an authentication activation time, and the first AP signature information is an AP's private key activated to the AP certificate and the authentication. Information obtained after time encryption.
15. A system for wireless local area network certificate authentication, characterized in that the system comprises an access point device AP, a terminal device STA and an authentication server AS, wherein:

    Sending, by the AP, an authentication activation message to the STA, where the authentication activation message carries an AP certificate and first AP signature information;

    Receiving, by the STA, the authentication activation message according to a pre-stored public key of the AP and the Authentication activation message to authenticate the AP;

    And if the STA verifies that the AP identity corresponding to the first AP signature information matches the AP certificate and the AP certificate is valid, sending an access authentication request message to the AP, where the access authentication The request message carries the STA certificate, the access authentication request time, and the STA signature information;

    Receiving, by the AP, the access authentication request message, performing identity verification on the STA according to the pre-stored public key of the STA and the access authentication request message;

    And if the AP verifies that the STA identity corresponding to the STA signature information matches the STA certificate and the STA certificate is valid, sending a certificate authentication request message to the AS;

    The AS receives the certificate authentication request message, performs bidirectional certificate authentication on the STA and the AP according to the certificate authentication request message, and sends a certificate authentication response message to the AP according to the authentication result;

    Receiving, by the AP, the certificate authentication response message, performing access control on the STA according to the STA certificate authentication result carried in the certificate authentication response message, and sending an access authentication response message to the STA;

    The STA receives the access authentication response message, obtains an AP certificate authentication result from the access authentication response message, and determines whether to access the AP according to the AP certificate authentication result.
16. The system for authenticating a wireless local area network certificate according to claim 15, wherein the STA signature information is information obtained by encrypting the STA certificate and the access authentication request time by a private key of the STA;

    The AP performs identity verification on the STA according to the pre-stored public key of the STA and the access authentication request message, including:

    The AP decrypts the STA signature information in the access authentication request message by using the pre-stored public key of the STA to obtain the STA identity corresponding to the STA signature information.

    The AP verifies whether the STA identity corresponding to the STA signature information matches the STA certificate, and verifies whether the STA certificate is valid.
17. The system for authenticating a wireless local area network certificate according to claim 15 or 16, wherein the first AP signature information is information obtained by encrypting the AP certificate by a private key of the AP;

    The STA performs identity verification on the AP according to the pre-stored public key of the AP and the authentication activation message, including:

    The STA decrypts the first AP signature information in the authentication activation message by using the pre-stored public key of the AP to obtain the STA identity corresponding to the first AP signature information.

    The STA verifies whether the AP identity corresponding to the first AP signature information matches the AP certificate, and verifies whether the AP certificate is valid.
18. The system for authenticating a wireless local area network certificate according to any one of claims 15-17, wherein the certificate authentication request message carries the STA certificate, the access authentication request time, the STA signature information, The AP certificate and the second AP signature information, where the second AP signature information is an AP's private key, the STA certificate, the access authentication request time, the STA signature, and the AP certificate are encrypted. The information obtained.
19. The system for authenticating a wireless local area network certificate according to any one of claims 15 to 18, wherein the authentication activation message further carries an authentication activation time, and the first AP signature information is a private key pair of the AP. The AP certificate and the information obtained after the authentication activation time is encrypted.

Images