WO2017020546A1 - Network access device verifying method and apparatus - Google Patents

Network access device verifying method and apparatus Download PDF

Info

Publication number
WO2017020546A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
gateway
certificate
network
public
Prior art date
Application number
PCT/CN2016/070380
Other languages
French (fr)
Chinese (zh)
Inventor
曾苗
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication

Definitions

  • The present invention relates to communication technologies, and in particular to a method and apparatus for verifying a network access device.
  • The home eNodeB (HeNB) is generally placed in an enterprise or a user's home, and its traffic may traverse the public transmission network, so the security requirements on the device are higher.
  • The 3rd Generation Partnership Project (3GPP) stipulates that the HeNB uses the Internet Protocol Security (IPsec) protocol to authenticate and encrypt base station packets.
  • The negotiation protocol is Internet Key Exchange version 2 (IKEv2), and certificates together with the Universal Subscriber Identity Module (USIM) card are recommended for authentication.
  • A certificate system based on the Public Key Infrastructure (PKI) architecture is complex, slow to deploy, and scales poorly in application.
  • Operators are at different stages of their own PKI deployments.
  • The operator's digital certificate system is still under construction, but wireless access equipment (NanoCell) has already been deployed in some provinces, so base stations are brought up while the operator has no PKI system.
  • In that case the base station uses a pre-installed operator certificate; otherwise it obtains a certificate through online certificate application (CMPv2 protocol).
  • The HeNB base station's traffic may traverse the public transmission network.
  • Existing hardware cannot protect the certificate and the private key well, so even if an online certificate application scheme is adopted, the HeNB certificate may be stolen by an illegal user, which is a security problem.
  • 3GPP recommends the dual authentication mode of certificate + USIM, but its implementation is extremely complicated, and no device currently supports it. As long as dual authentication is not implemented, preventing illegal users from stealing the base station's certificate, that is, ensuring a unique association between the certificate and the device, is very important.
  • A method for verifying a network access device, including:
  • when a device requests access to the public transport network, the gateway of the public transport network acquires the device ID and the certificate ID from the device requesting access;
  • the gateway of the public transport network determines, according to the acquired device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legal device;
  • when the gateway of the public transmission network determines that the device requesting access is a legal device, it admits the device to the public transmission network, and otherwise denies the device access to the public transmission network.
  • The step of determining, by the gateway of the public transport network, whether the device requesting access is a legal device according to the acquired device ID and/or the relationship between the device ID and the certificate ID includes:
  • the gateway queries, according to the acquired device ID, the access status of the device corresponding to the device ID;
  • if the access status of the device corresponding to the device ID is already accessed, the device requesting access is determined to be an illegal device.
  • The step of determining, by the gateway of the public transport network, whether the device requesting access is a legal device according to the acquired device ID and/or the relationship between the device ID and the certificate ID includes:
  • the gateway performs a consistency check on the relationship between the device ID and the certificate ID; if the check passes, the device requesting access is determined to be a legal device, and otherwise an illegal device.
  • The step of determining, by the gateway of the public transport network, whether the device requesting access is a legal device according to the acquired device ID and/or the relationship between the device ID and the certificate ID includes:
  • the gateway queries, according to the acquired device ID, the access status of the device corresponding to the device ID;
  • if the access status of the device corresponding to the device ID is not accessed, the relationship between the device ID and the certificate ID is checked for consistency;
  • if the check passes, the device requesting access is determined to be a legal device, and otherwise an illegal device.
  • The gateway of the public transport network binds the device ID and the certificate ID in advance for the consistency check.
  • An apparatus for verifying a network access device, including:
  • a gateway acquiring module, configured to acquire a device ID and a certificate ID from a device requesting access when the device requests access to the public transport network;
  • a gateway judging module, configured to determine, according to the acquired device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legal device;
  • a gateway access processing module, configured to admit the device requesting access to the public transmission network when it is a legal device, and otherwise to deny it access to the public transmission network.
  • The gateway judging module queries, according to the acquired device ID, the access status of the device corresponding to the device ID; if that access status is already accessed, the device requesting access is determined to be an illegal device.
  • The gateway judging module performs a consistency check on the relationship between the device ID and the certificate ID; if the check passes, the device requesting access is determined to be a legal device, and otherwise an illegal device.
  • The gateway judging module queries, according to the acquired device ID, the access status of the device corresponding to the device ID; if that access status is not accessed, it performs a consistency check on the relationship between the device ID and the certificate ID, and when the check passes the device requesting access is determined to be a legal device, and otherwise an illegal device.
  • The apparatus further comprises:
  • a gateway binding module, configured to bind the device ID and the certificate ID in advance for the consistency check.
  • A non-transitory computer readable storage medium storing instructions which, when executed by a processor of a gateway of a public transport network, cause the gateway to perform
  • a method of verifying a network access device comprising the steps of:
  • the gateway of the public transport network acquires the device ID and the certificate ID from the device requesting access;
  • the gateway of the public transport network determines, according to the acquired device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legal device;
  • when the gateway of the public transmission network determines that the device requesting access is a legal device, the device is admitted to the public transmission network, and otherwise the device requesting access is denied access.
  • the invention improves the security of the certificate and can effectively prevent the criminals from stealing the certificate of the device;
  • the invention achieves the purpose of denying the device that illegally uses the certificate to access the public transmission network through the binding of the certificate and the device, thereby ensuring the access security of the base station and the transmission domain.
  • FIG. 1 is a schematic block diagram of a method for verifying a network access device according to an embodiment of the present invention
  • FIG. 2 is a block diagram of a device for verifying a network access device according to an embodiment of the present invention
  • FIG. 3 is a network diagram of a system for verifying a network access device according to an embodiment of the present invention
  • FIG. 4 is a flow chart of interaction between a base station and a security gateway for verifying a network access device according to an embodiment of the present invention.
  • FIG. 1 is a schematic block diagram of a method for verifying a network access device according to an embodiment of the present invention.
  • the method can be applied to a gateway of a public transport network. As shown in FIG. 1 , the steps include:
  • Step S101 When the device requests to access the public transport network, the gateway of the public transport network acquires the device ID and the certificate ID from the device requesting access.
  • The device requesting access to the public transport network sends its device ID and its certificate to the gateway of the public transport network; after receiving them, the gateway obtains the certificate ID from the certificate.
  • The device requesting access generates the device ID from its own device asset number (SN), which it reads itself; the device ID may also be pre-saved locally.
  • Step S102: The gateway of the public transport network determines, according to the acquired device ID and the relationship between the device ID and the certificate ID, whether the device requesting access is a legal device.
  • The gateway of the public transmission network can make this determination by any of the following three methods:
  • Method 1: The gateway queries, according to the acquired device ID, the access status of the device corresponding to the device ID; if that access status is already accessed, the device requesting access is determined to be an illegal device, and otherwise a legal device.
  • Method 2: The gateway performs a consistency check on the relationship between the device ID and the certificate ID; when the check passes, the device requesting access is determined to be a legal device, and otherwise an illegal device.
  • Method 3: The gateway queries, according to the acquired device ID, the access status of the device corresponding to the device ID; if that access status is not accessed, it performs a consistency check on the relationship between the device ID and the certificate ID, and when the check passes the device requesting access is determined to be a legal device, and otherwise an illegal device. That is, the device is determined to be legitimate only when its access status is not accessed and the consistency check of the relationship between the device ID and the certificate ID passes.
  • For the consistency check, the gateway of the public transport network must bind the device ID and the certificate ID in advance: it uses the pre-bound device ID and certificate ID to decide whether the binding relationship between the received device ID and certificate ID is legal. If it is legal, the verification passes; otherwise it fails. In other words, the device requesting access is determined to be a legal device when its access status is not accessed and the relationship between its device ID and certificate ID is consistent with the pre-stored binding relationship, and otherwise an illegal device.
  • Step S103: When the gateway of the public transmission network determines that the device requesting access is a legal device, it admits the device to the public transmission network; otherwise it denies the device requesting access to the public transmission network.
  • FIG. 2 is a block diagram of a device for verifying a network access device according to an embodiment of the present invention.
  • the device is applicable to a gateway of a public transport network.
  • The apparatus includes: a gateway acquiring module 10, a gateway judging module 20, and a gateway access processing module 30.
  • the gateway obtaining module 10 is configured to acquire a device ID and a certificate ID from a device that requests access when the device requests to access the public transport network;
  • the gateway judging module 20 is configured to determine, according to the acquired device ID and the relationship between the device ID and the certificate ID, whether the device requested to be accessed is a legal device;
  • The gateway access processing module 30 is configured to admit the device requesting access to the public transmission network when it is a legal device, and otherwise to deny it access to the public transmission network.
  • the device further includes:
  • the gateway binding module 40 is configured to bind the device ID and the certificate ID in advance, and save the binding relationship for consistency check.
  • the workflow of the device is as follows:
  • Step 1: During the IPsec negotiation initiated by the device requesting access to the public transport network, the gateway acquiring module 10 receives the device ID and the certificate sent by that device, and obtains the certificate ID from the certificate.
  • Step 2 The gateway judging module 20 determines whether the device requested to be accessed is a legal device.
  • the specific judgment method can adopt any one of the following three methods:
  • The gateway judging module 20 queries, according to the acquired device ID, the access status of the device corresponding to the device ID; if that access status is already accessed, the device requesting access is determined to be an illegal device, and otherwise a legal device.
  • The gateway judging module 20 performs a consistency check on the relationship between the device ID and the certificate ID, that is, it checks the received device ID and certificate ID against the binding relationship pre-bound and saved by the gateway binding module 40; if the check passes, the device requesting access is determined to be a legal device, and otherwise an illegal device.
  • The gateway judging module 20 queries, according to the acquired device ID, the access status of the device corresponding to the device ID; if that access status is not accessed, it performs the consistency check on the relationship between the device ID and the certificate ID, and when the check passes the device requesting access is determined to be a legal device, and otherwise an illegal device.
  • Step 3: If the gateway judging module 20 determines that the device requesting access is an illegal device, the gateway access processing module 30 denies it access to the public transmission network; otherwise the gateway access processing module 30 admits the device requesting access to the public transmission network.
  • The device in the embodiments shown in FIG. 1 and FIG. 2 may be any device that uses a digital certificate. The following description takes a base station as the example and is further described in conjunction with FIG. 3 and FIG. 4.
  • FIG. 3 is a network diagram of a system for verifying a network access device according to an embodiment of the present invention. As shown in FIG. 3, the system includes multiple base stations (AP-A, AP-B, ..., AP-N) requesting access to a public transmission network, a security gateway (SeGW) in the public transport network, and a core network.
  • the correspondence between the base station and the certificate is pre-configured on the security gateway. Specifically, the base station ID and the certificate ID are bound and saved to the database system or other devices.
  • the base station initiates an IPSEC negotiation request to the security gateway.
  • The base station requesting access to the public transport network sends its unique identifier (the base station ID, APID) to the security gateway, and in the IPsec identity authentication stage sends its certificate to the security gateway; the security gateway extracts the CN field from the base station's certificate, and since the CN field uniquely identifies the certificate, this yields the certificate ID.
  • The IPsec negotiation request may also be initiated by the security gateway towards the base station.
  • The security gateway looks up the APID and CN of the base station requesting access in a preset database system. If the base station corresponding to the APID is already in the accessed state, the security gateway rejects the IPsec negotiation request, denies the base station access to the public transmission network, and reports an alarm. Otherwise, if the base station corresponding to the APID is not in the accessed state, it goes on to determine whether the relationship between the APID and the CN meets the requirements: if the certificate and device requirements are met, the check passes and negotiation with the base station continues; after the negotiation succeeds, the base station is admitted to the public transport network and the security gateway updates its access status to accessed. If the check fails, the base station requesting access to the public transport network is denied access.
  • The foregoing processing of the security gateway may also be performed by the network management system (NMS).
  • In that case the security gateway sends the APID and the CN of the base station requesting access to the NMS, on which the correspondence between base station and certificate is pre-configured.
  • The NMS determines whether the APID and CN meet the consistency requirements by querying its database: if the certificate and device conformance requirements are met, it returns a check-passed message to the security gateway, and otherwise a check-failed message. After receiving the message from the NMS, if the check passed, the security gateway continues the negotiation and, after it succeeds, the base station requesting access is admitted to the public transmission network; if the check failed, the base station requesting access is denied access to the public transmission network.
  • FIG. 4 provides a flow chart for verifying the interaction between the base station and the security gateway of the network access device. As shown in FIG. 4, the steps include:
  • Step 201: The base station (LTE-Femto) requesting access to the public transmission network reads its SN and generates an APID from it.
  • Step 202: The base station requesting access initiates IPsec negotiation with the gateway (SeGW) of the public transport network, and sends its base station ID (APID) and certificate to the gateway during the IKEv2 negotiation.
  • Step 203: The gateway determines whether the access status of the base station corresponding to the APID is already accessed. If yes, go to step 204; otherwise perform steps 205, 206 and 207.
  • Step 204: The gateway denies the base station requesting access to the public transmission network.
  • Step 205: The gateway extracts the CN field from the certificate.
  • Step 206: The gateway determines whether the correspondence between the APID and the CN of the base station requesting access is legal, and based on the result decides whether to continue the negotiation and admit the base station, or to directly deny it access to the public transmission network.
  • Step 207: The gateway sends the base station requesting access a message that either continues the negotiation or rejects the access.
  • Step 208: After the negotiation succeeds, the access status of the base station requesting access is updated from not accessed to already accessed.
  • the present invention has little impact on existing processes.
  • A database of the relationship between APID and CN is preset on the security gateway; Table 1 is a partial mapping (binding) table.
  • Table 1:

    Serial number  APID               CN       Access status
    1              001E7327042000021  Nodeb01  OFF
    2              001E7327042000022  Nodeb02  OFF
    3              001E7327042000023  Nodeb03  OFF
    4              001E7327042000024  Nodeb04  OFF
    5              001E7327042000025  Nodeb05  OFF
  • Base station A, whose APID is 001E7327042000021, initiates an IPsec negotiation request to the security gateway using the digital certificate whose CN is Nodeb01.
  • The security gateway determines that the access status of the base station with APID 001E7327042000021 is not accessed (OFF) and that the relationship between the APID and the CN of base station A matches the mapping in Table 1, so the check passes: base station A is admitted to the public transport network, and its access status in Table 1 is updated to accessed (ON), giving the database shown in Table 2.
  • Table 2:

    Serial number  APID               CN       Access status
    1              001E7327042000021  Nodeb01  ON
    2              001E7327042000022  Nodeb02  OFF
    3              001E7327042000023  Nodeb03  OFF
    4              001E7327042000024  Nodeb04  OFF
    5              001E7327042000025  Nodeb05  OFF
  • Base station B, whose APID is 00000000000021, steals the digital certificate of base station A (CN Nodeb01) and initiates an IPsec negotiation request to the security gateway. The security gateway verifies the request and finds that the association between the APID and the CN is invalid, so the verification fails and the security gateway rejects base station B's access.
  • Base station C, whose APID is 00000000000031, steals the digital certificate of base station A (CN Nodeb01), forges and reports the APID 001E7327042000021, and initiates an IPsec negotiation request to the security gateway. The security gateway determines that the base station with APID 001E7327042000021 is already online, so the check fails and the security gateway rejects base station C's access.
  • Base station D has APID 001E7327042000029 and uses the digital certificate whose CN is Nodeb09. In this case the base station's information must first be added on the security gateway; the updated database is shown in Table 3.
  • The security gateway determines that the access status of the base station with APID 001E7327042000029 is not accessed (OFF) and that the mapping between the APID and the CN is legal, so the check passes and base station D is allowed to access. After the negotiation succeeds, its access status in the database is updated from not accessed (OFF) to accessed (ON), as shown in Table 4.
  • Table 3:

    Serial number  APID               CN       Access status
    1              001E7327042000021  Nodeb01  ON
    2              001E7327042000022  Nodeb02  OFF
    3              001E7327042000023  Nodeb03  OFF
    4              001E7327042000024  Nodeb04  OFF
    5              001E7327042000025  Nodeb05  OFF
    6              001E7327042000029  Nodeb09  OFF

  • Table 4:

    Serial number  APID               CN       Access status
    1              001E7327042000021  Nodeb01  ON
    2              001E7327042000022  Nodeb02  OFF
    3              001E7327042000023  Nodeb03  OFF
    4              001E7327042000024  Nodeb04  OFF
    5              001E7327042000025  Nodeb05  OFF
    6              001E7327042000029  Nodeb09  ON
  • Base station E, whose APID is 001E7327042000024, uses the digital certificate whose CN is Nodeb04 and operates normally.
  • The corresponding database on the security gateway is shown in Table 5.
  • Table 5 (only the first two rows are given on the page):

    Serial number  APID               CN       Access status
    1              001E7327042000021  Nodeb01  ON
    2              001E7327042000022  Nodeb02  OFF

  • The security gateway modifies the database.
  • The updated database is shown in Table 6.
  • Table 6:

    Serial number  APID               CN       Access status
    1              001E7327042000021  Nodeb01  ON
    2              001E7327042000022  Nodeb02  OFF
    3              001E7327042000023  Nodeb03  OFF
    4              001E7327042000030  Nodeb04  OFF
    5              001E7327042000025  Nodeb05  OFF
    6              001E7327042000029  Nodeb09  ON

  • The security gateway's verification passes and the base station is allowed to access. After the negotiation succeeds, the database is updated as shown in Table 7.
  • Table 7:

    Serial number  APID               CN       Access status
    1              001E7327042000021  Nodeb01  ON
    2              001E7327042000022  Nodeb02  OFF
    3              001E7327042000023  Nodeb03  OFF
    4              001E7327042000030  Nodeb04  ON
    5              001E7327042000025  Nodeb05  OFF
    6              001E7327042000029  Nodeb09  ON
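The following Python is an added illustration of the gateway logic described in Step S102 (the three verification methods) and replayed in the Table 1 to Table 4 walkthrough above; it is not code from the patent or from the applicant. The security gateway, its binding table, the `SecurityGateway` class, the `cn_from_subject` helper and the `session_closed` housekeeping method are all assumptions for this example: the page has the gateway read the CN from the base station's X.509 certificate during IKEv2 authentication, whereas here the certificate subject is represented as a plain text DN, and the page only describes setting the access status to ON after a successful negotiation, not clearing it. The base station data are taken from the page's tables, with the subject strings constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Binding:
    """One row of the APID/CN binding table kept on the security gateway (Table 1 on the page)."""
    cn: str
    online: bool = False  # access status: False = OFF (not accessed), True = ON (accessed)


def cn_from_subject(subject: str) -> Optional[str]:
    """Return the CN attribute of a subject string such as 'CN=Nodeb01,O=Operator'.

    Representing the certificate subject as a text DN is a simplification for this
    example (assumption); a real gateway takes the CN from the X.509 certificate
    presented in the IKEv2 authentication exchange."""
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


class SecurityGateway:
    """Hypothetical SeGW admission logic: Method 1 (status), Method 2 (binding), Method 3 (both)."""

    def __init__(self, bindings: Dict[str, str]) -> None:
        self.table: Dict[str, Binding] = {apid: Binding(cn) for apid, cn in bindings.items()}
        self.alarms: List[str] = []  # the page reports an alarm in the already-online case

    def bind(self, apid: str, cn: str) -> None:
        """Gateway binding module: provision (or replace) an APID/CN pair in advance."""
        self.table[apid] = Binding(cn)

    def status_ok(self, apid: str) -> bool:
        """Method 1: reject an APID whose access status is already ON.
        An APID with no row has no status, so Method 1 alone does not reject it (assumption)."""
        row = self.table.get(apid)
        return row is None or not row.online

    def binding_ok(self, apid: str, cn: str) -> bool:
        """Method 2: the presented (APID, CN) pair must equal the provisioned binding."""
        row = self.table.get(apid)
        return row is not None and row.cn == cn

    def verify(self, apid: str, subject: str) -> Tuple[bool, str]:
        """Method 3 (steps 203 to 207): status check first, then binding consistency."""
        if not self.status_ok(apid):
            self.alarms.append(f"APID {apid} is already online; certificate reuse suspected")
            return False, "already accessed"
        cn = cn_from_subject(subject)
        if cn is None or not self.binding_ok(apid, cn):
            return False, "APID/CN binding mismatch"
        return True, "continue negotiation"

    def negotiation_succeeded(self, apid: str) -> None:
        """Step 208: after IKEv2 completes, flip the access status from OFF to ON."""
        self.table[apid].online = True

    def session_closed(self, apid: str) -> None:
        """Housekeeping the page does not describe (assumption): clear the status when the
        tunnel goes down, otherwise a legitimate reboot would be rejected under Method 1."""
        if apid in self.table:
            self.table[apid].online = False


def run_scenarios() -> Tuple[Dict[str, Tuple[bool, str]], SecurityGateway]:
    """Replay base stations A to D from the page's worked example against Table 1."""
    gw = SecurityGateway({
        "001E7327042000021": "Nodeb01", "001E7327042000022": "Nodeb02",
        "001E7327042000023": "Nodeb03", "001E7327042000024": "Nodeb04",
        "001E7327042000025": "Nodeb05",
    })
    results: Dict[str, Tuple[bool, str]] = {}
    # A: genuine APID with its own certificate -> admitted; status becomes ON (Table 2)
    results["A"] = gw.verify("001E7327042000021", "CN=Nodeb01,O=Operator")
    if results["A"][0]:
        gw.negotiation_succeeded("001E7327042000021")
    # B: its own APID but base station A's certificate -> binding mismatch, rejected
    results["B"] = gw.verify("00000000000021", "CN=Nodeb01,O=Operator")
    # C: A's certificate and A's APID while A is online -> already accessed, alarm raised
    results["C"] = gw.verify("001E7327042000021", "CN=Nodeb01,O=Operator")
    # D: new base station; its binding is provisioned first (Table 3), then it is admitted (Table 4)
    gw.bind("001E7327042000029", "Nodeb09")
    results["D"] = gw.verify("001E7327042000029", "CN=Nodeb09,O=Operator")
    if results["D"][0]:
        gw.negotiation_succeeded("001E7327042000029")
    return results, gw


if __name__ == "__main__":
    outcomes, gateway = run_scenarios()
    for name, (admitted, reason) in outcomes.items():
        print(f"base station {name}: {'admit' if admitted else 'reject'} ({reason})")
    for apid, row in gateway.table.items():
        print(apid, row.cn, "ON" if row.online else "OFF")
```

Two practical points follow from the code. First, the status check alone (Method 1) only distinguishes a second session from a first one, so it says nothing about an unknown APID; the binding check is what ties the certificate to a provisioned device, which is why the page combines both in Method 3. Second, the ON flag has to be released when a tunnel goes down (the `session_closed` method here, which the page does not describe), or a genuine base station that reboots is indistinguishable from the base station C case and will be refused until an operator intervenes.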
  • Embodiments of the present invention also provide a non-transitory computer readable storage medium storing instructions which, when executed by a processor of a gateway of a public transport network, cause the gateway to implement a method of verifying a network access device, the method comprising the steps of:
  • the gateway of the public transport network acquires the device ID and the certificate ID from the device requesting access;
  • the gateway of the public transport network determines, according to the acquired device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legal device;
  • when the gateway of the public transmission network determines that the device requesting access is a legal device, the device is admitted to the public transmission network, and otherwise the device requesting access is denied access.
  • The present invention has the following technical effects:
  • The invention uses the device ID and/or the binding relationship between the device ID and the certificate ID to determine whether a device requesting access to the public network is legitimate, and thereby denies illegal devices, in particular devices that illegally use a certificate, access to the public transmission network.
  • The security of the certificate is improved, and access security in the transmission domain is ensured.
  • The method and apparatus for verifying a network access device of the present application can be applied to a gateway of a public transport network; they determine whether a device requesting access to the public network is legal using the device ID and/or the binding relationship between the device ID and the certificate ID, deny illegal devices, in particular devices that illegally use a certificate, access to the public transmission network, improve the security of the certificate, and ensure access security in the transmission domain.


Abstract

Disclosed are a method and an apparatus for enhancing the security of using a device certificate, relating to communication technology. The method comprises: when a device requests to access a public transmission network, a gateway of the public transmission network obtaining the device ID and the certificate ID from the device requesting access; the gateway of the public transmission network determining, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a valid device; and when the gateway of the public transmission network determines the device requesting access as a valid device, the device requesting access is allowed to access the public transmission network, or otherwise, the device requesting access is denied access to the public transmission network. The present invention can improve the security of the digital certificate, being capable of effectively preventing criminals from stealing the certificate of the device, guaranteeing the access security of the device and the transmission field.

Description

Method and device for verifying a network access device
This application claims priority to Chinese Patent Application No. 201510477798.3, filed with the Chinese Patent Office on 6 August 2015, the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to communication technology, and in particular to a method and device for verifying a network access device.
Background
A home eNodeB (HeNB) is generally placed on enterprise premises or in a user's home, and its traffic may traverse a public transmission network, so higher security requirements are placed on the device.
The 3rd Generation Partnership Project (3GPP) specifies that the HeNB uses the Internet Protocol Security (IPsec) protocol to authenticate and encrypt base station traffic; the negotiation protocol is Internet Key Exchange version 2 (IKEv2), and the recommended authentication methods are certificates and the Universal Subscriber Identity Module (USIM) card. In practice, certificate systems based on a Public Key Infrastructure (PKI) architecture are overly complex, slow to deploy, and scale poorly.
Operators each have their own schedule for PKI deployment. For example, China Mobile's digital certificate system is still under construction, yet its wireless access devices (NanoCell) have already begun deployment in some provinces. Where the operator has no PKI system, the base station therefore uses a pre-installed operator certificate; otherwise it uses an online certificate enrolment scheme (the CMPv2 protocol).
An HeNB's traffic may traverse a public transmission network. Where existing hardware cannot adequately protect the certificate and private key, the HeNB's certificate may be stolen by an illegitimate user even when the online certificate enrolment scheme is used, which is a security problem.
To guarantee the binding between a certificate and a device, 3GPP recommends a dual-authentication mode of certificate plus USIM, but that implementation is extremely complex and no device currently supports it. Without dual authentication, it is therefore very important to prevent illegitimate users from stealing a base station's certificate and to guarantee a unique association between the certificate and the device.
Summary of the invention
The object of the present invention is to provide a method and device for verifying a network access device that can better deny access to the transmission network by devices that illegitimately use a certificate.
According to one aspect of the present invention, a method for verifying a network access device is provided, comprising:
when a device requests access to a public transmission network, a gateway of the public transmission network obtains a device ID and a certificate ID from the device requesting access;
the gateway of the public transmission network determines, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device;
when the gateway of the public transmission network determines that the device requesting access is a legitimate device, the device requesting access is admitted to the public transmission network; otherwise, the device requesting access is denied access to the public transmission network.
Preferably, the step in which the gateway of the public transmission network determines, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device comprises:
the gateway of the public transmission network queries the access state of the device corresponding to the device ID according to the obtained device ID;
if the queried access state of the device corresponding to the device ID is "accessed", the device requesting access is determined to be an illegitimate device.
Preferably, the step in which the gateway of the public transmission network determines, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device comprises:
performing a consistency check on the relationship between the device ID and the certificate ID;
when the check passes, the device requesting access is determined to be a legitimate device; otherwise, the device requesting access is determined to be an illegitimate device.
Preferably, the step in which the gateway of the public transmission network determines, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device comprises:
the gateway of the public transmission network queries the access state of the device corresponding to the device ID according to the obtained device ID;
if the queried access state of the device corresponding to the device ID is "not accessed", a consistency check is performed on the relationship between the device ID and the certificate ID;
when the check passes, the device requesting access is determined to be a legitimate device; otherwise, the device requesting access is determined to be an illegitimate device.
Preferably, the gateway of the public transmission network binds the device ID to the certificate ID in advance, for use in the consistency check.
According to another aspect of the present invention, a device for verifying a network access device is provided, comprising:
a gateway acquisition module, configured to obtain a device ID and a certificate ID from the device requesting access when a device requests access to a public transmission network;
a gateway determination module, configured to determine, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device;
a gateway access processing module, configured to admit the device requesting access to the public transmission network when the device requesting access is determined to be a legitimate device, and otherwise to deny the device requesting access admission to the public transmission network.
Preferably, the gateway determination module queries the access state of the device corresponding to the device ID according to the obtained device ID, and if the queried access state of the device corresponding to the device ID is "accessed", determines that the device requesting access is an illegitimate device.
Preferably, the gateway determination module performs a consistency check on the relationship between the device ID and the certificate ID; if the check passes, it determines that the device requesting access is a legitimate device, and otherwise determines that the device requesting access is an illegitimate device.
Preferably, the gateway determination module queries the access state of the device corresponding to the device ID according to the obtained device ID; if the queried access state of the device corresponding to the device ID is "not accessed", it performs a consistency check on the relationship between the device ID and the certificate ID, and when the check passes it determines that the device requesting access is a legitimate device, and otherwise determines that the device requesting access is an illegitimate device.
Preferably, the device further comprises:
a gateway binding module, configured to bind the device ID to the certificate ID in advance, for use in the consistency check.
According to yet another aspect of the present invention, a non-volatile computer-readable storage medium is provided, storing instructions which, when executed by a processor of a gateway of a public transmission network, cause the gateway of the public transmission network to carry out a method for verifying a network access device, the method comprising the following steps:
when a device requests access to a public transmission network, the gateway of the public transmission network obtains a device ID and a certificate ID from the device requesting access;
the gateway of the public transmission network determines, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device;
when the gateway of the public transmission network determines that the device requesting access is a legitimate device, the device requesting access is admitted to the public transmission network; otherwise, the device requesting access is denied access to the public transmission network.
Compared with the prior art, the beneficial effects of the present invention are:
1. The invention improves the security of the certificate and can effectively prevent unlawful parties from stealing a device's certificate;
2. Through the binding of certificate and device, the invention achieves the goal of denying devices that illegitimately use a certificate access to the public transmission network, thereby guaranteeing access security for base stations and the transmission domain.
Brief description of the drawings
FIG. 1 is a schematic block diagram of a method for verifying a network access device according to an embodiment of the present invention;
FIG. 2 is a block diagram of a device for verifying a network access device according to an embodiment of the present invention;
FIG. 3 is a system networking diagram for verifying a network access device according to an embodiment of the present invention;
FIG. 4 is a flow chart of the interaction between a base station and a security gateway for verifying a network access device according to an embodiment of the present invention.
Detailed description
Preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be understood that the preferred embodiments described below are only intended to illustrate and explain the present invention and are not intended to limit it.
FIG. 1 is a schematic block diagram of a method for verifying a network access device according to an embodiment of the present invention. The method can be applied in a gateway of a public transmission network. As shown in FIG. 1, the steps comprise:
Step S101: When a device requests access to a public transmission network, the gateway of the public transmission network obtains a device ID and a certificate ID from the device requesting access.
Specifically, during the IPsec negotiation initiated by the device requesting access to the public transmission network, that device sends its device ID and its certificate to the gateway of the public transmission network; after receiving the device ID and the certificate, the gateway obtains the certificate ID from the certificate.
The device requesting access to the public transmission network generates its device ID from its own device serial number (SN), which it reads locally; alternatively, the device ID may be stored locally in advance.
Step S102: The gateway of the public transmission network determines, according to the obtained device ID and the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device.
Specifically, the gateway of the public transmission network can determine whether the device requesting access is a legitimate device in any of the following three ways:
Mode 1: The gateway of the public transmission network queries the access state of the device corresponding to the device ID according to the obtained device ID. If the queried access state of the device corresponding to the device ID is "accessed", the device requesting access is determined to be an illegitimate device; otherwise, it is determined to be a legitimate device.
Mode 2: The gateway of the public transmission network performs a consistency check on the relationship between the device ID and the certificate ID. When the check passes, the device requesting access is determined to be a legitimate device; otherwise, it is determined to be an illegitimate device.
Mode 3: The gateway of the public transmission network queries the access state of the device corresponding to the device ID according to the obtained device ID. If the queried access state of the device corresponding to the device ID is "not accessed", a consistency check is performed on the relationship between the device ID and the certificate ID; when the check passes, the device requesting access is determined to be a legitimate device, and otherwise it is determined to be an illegitimate device. That is, the device requesting access is determined to be legitimate only when the queried access state of the device corresponding to the device ID is "not accessed" and the consistency check on the relationship between the device ID and the certificate ID passes.
Further, before step S101, the gateway of the public transmission network must bind the device ID to the certificate ID in advance, so that during the consistency check it can use the pre-bound device ID and certificate ID to determine whether the binding between the received device ID and certificate ID is legitimate; if it is, the check passes, and otherwise the check fails. In other words, when the access state of the device corresponding to the device ID is "not accessed" and the relationship between the device ID and the certificate ID agrees with the pre-stored binding, the device requesting access is determined to be a legitimate device; otherwise it is an illegitimate device.
Step S103: When the gateway of the public transmission network determines that the device requesting access is a legitimate device, the device requesting access is admitted to the public transmission network; otherwise, the device requesting access is denied access to the public transmission network.
FIG. 2 is a block diagram of a device for verifying a network access device according to an embodiment of the present invention. The device can be applied in a gateway of a public transmission network. As shown in FIG. 2, it comprises a gateway acquisition module 10, a gateway determination module 20 and a gateway access processing module 30.
The gateway acquisition module 10 is configured to obtain a device ID and a certificate ID from the device requesting access when a device requests access to a public transmission network;
the gateway determination module 20 is configured to determine, according to the obtained device ID and the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device;
the gateway access processing module 30 is configured to admit the device requesting access to the public transmission network when the device requesting access is determined to be a legitimate device, and otherwise to deny the device requesting access admission to the public transmission network.
Further, the device also comprises:
a gateway binding module 40, configured to bind the device ID to the certificate ID in advance and to save the binding, for use in the consistency check.
The device operates as follows:
Step 1: During the IPsec negotiation initiated by the device requesting access to the public transmission network, the gateway acquisition module 10 receives the device ID and the device's certificate sent by that device, and obtains the certificate ID from the certificate.
Step 2: The gateway determination module 20 determines whether the device requesting access is a legitimate device.
Any one of the following three ways may be used for this determination:
Mode 1: The gateway determination module 20 queries the access state of the device corresponding to the device ID according to the obtained device ID. If the queried access state of the device corresponding to the device ID is "accessed", the device requesting access is determined to be an illegitimate device; otherwise, it is determined to be a legitimate device.
Mode 2: The gateway determination module 20 performs a consistency check on the relationship between the device ID and the certificate ID, that is, it checks the received device ID and certificate ID against the binding between device ID and certificate ID that the gateway binding module 40 has bound and saved in advance. If the check passes, the device requesting access is determined to be a legitimate device; otherwise, it is determined to be an illegitimate device.
Mode 3: The gateway determination module 20 queries the access state of the device corresponding to the device ID according to the obtained device ID. If the queried access state of the device corresponding to the device ID is "not accessed", it performs a consistency check on the relationship between the device ID and the certificate ID; when the check passes, the device requesting access is determined to be a legitimate device, and otherwise it is determined to be an illegitimate device.
Step 3: If the gateway determination module 20 determines that the device requesting access is an illegitimate device, the gateway access processing module 30 denies the device requesting access admission to the public transmission network; otherwise, the gateway access processing module 30 admits the device requesting access to the public transmission network.
The device in the embodiments shown in FIG. 1 and FIG. 2 may be any device that uses a digital certificate. A base station is taken as an example below, with further explanation with reference to FIG. 3 and FIG. 4.
FIG. 3 is a system networking diagram for verifying a network access device according to an embodiment of the present invention. As shown in FIG. 3, the system comprises a number of base stations (AP-A, AP-B, ..., AP-N) requesting access to the public transmission network, a security gateway (SeGW) located in the public transmission network, and the core network.
1. The security gateway is preset with the relevant information
The correspondence between base stations and certificates is pre-configured on the security gateway. Specifically, the base station ID is bound to the certificate ID, and the binding is saved in a database system or on another device.
2. The base station initiates an IPsec negotiation request to the security gateway
During the IPsec negotiation, the base station requesting access to the public transmission network sends its unique identifier (the base station ID, APID) to the security gateway; in the IPsec identity authentication phase it also sends its certificate to the security gateway. The security gateway extracts the CN field from the base station's certificate; since the CN field can be used to uniquely identify the certificate, this yields the certificate ID.
The IPsec negotiation request may also be initiated by the security gateway towards the base station.
3. Processing by the security gateway
In a first embodiment, the security gateway looks up the APID and CN of the base station requesting access to the public transmission network in the preset database system. If the base station corresponding to that APID is already in the accessed state, the security gateway rejects this IPsec negotiation request, denies the requesting base station access, and raises an alarm. Otherwise, if the base station corresponding to the APID is in the not-accessed state, the security gateway goes on to determine whether the relationship between the APID and the CN meets the requirement; if it satisfies the certificate-to-device consistency requirement, the check passes and negotiation with the base station continues, and once negotiation succeeds the requesting base station is admitted and the security gateway updates its access state to "accessed". If the check fails, the requesting base station is denied access.
In a second embodiment, the above processing can also be performed by the network management system (NMS). Specifically, the security gateway sends the APID and CN of the base station requesting access to the NMS, on which the correspondence between base stations and certificates has been pre-configured. For the APID and CN sent by the security gateway, the NMS queries its database to determine whether they meet the consistency requirement; if they satisfy the certificate-to-device consistency requirement it returns a "check passed" message to the security gateway, and otherwise a "check failed" message. After receiving the NMS's reply, the security gateway continues the negotiation if the check passed and admits the requesting base station to the public transmission network once negotiation succeeds; if the check failed, it denies the requesting base station access to the public transmission network.
Taking the first embodiment as an example, FIG. 4 shows the interaction flow between a base station and the security gateway for verifying a network access device. As shown in FIG. 4, the steps comprise:
Step 201: The base station (LTE-Femto) requesting access to the public transmission network reads its SN and generates its APID from the SN.
Step 202: The requesting base station initiates IPsec negotiation with the gateway (SeGW) of the public transmission network and, during IKEv2 negotiation, sends its base station ID (the APID) and its certificate to the gateway.
Step 203: The gateway determines whether the access state of the base station corresponding to the APID is "accessed". If so, step 204 is performed; otherwise steps 205, 206 and 207 are performed.
Step 204: The gateway refuses to admit the requesting base station to the public transmission network.
Step 205: The gateway extracts the CN field from the certificate.
Step 206: The gateway determines whether the correspondence between the APID and the CN of the requesting base station is legitimate, and according to the result decides whether to continue negotiating so as to admit the requesting base station, or to refuse it admission to the public transmission network outright.
Step 207: The gateway sends a "continue negotiation" or "access denied" message to the requesting base station.
Step 208: After negotiation succeeds, the access state of the requesting base station is updated from "not accessed" to "accessed".
As can be seen from the above flow, the present invention has very little impact on the existing flow.
A specific application example is given below for further explanation.
A database of the relationship between APID and CN is preset on the security gateway; Table 1 shows part of the mapping (binding) table.
Table 1. First mapping table

No.  APID               CN       Access state
1    001E7327042000021  Nodeb01  OFF
2    001E7327042000022  Nodeb02  OFF
3    001E7327042000023  Nodeb03  OFF
4    001E7327042000024  Nodeb04  OFF
5    001E7327042000025  Nodeb05  OFF
1. Application example 1
Base station A, whose APID is 001E7327042000021, initiates an IPsec negotiation request to the security gateway using the digital certificate whose CN is Nodeb01. From Table 1, the security gateway determines that the access state of the base station with APID 001E7327042000021 is not accessed (OFF) and that the APID/CN relationship of base station A agrees with the mapping in Table 1, so the check passes, base station A is admitted to the public transmission network, and the access state in Table 1 is updated to accessed (ON); the updated database is shown in Table 2.
Table 2. Second mapping table
No.  APID               CN       Access status
1    001E7327042000021  Nodeb01  ON
2    001E7327042000022  Nodeb02  OFF
3    001E7327042000023  Nodeb03  OFF
4    001E7327042000024  Nodeb04  OFF
5    001E7327042000025  Nodeb05  OFF
2. Application example 2
Base station B, whose APID is 00000000000021, steals base station A's digital certificate (CN Nodeb01) and initiates an IPsec negotiation request to the security gateway. The security gateway's check fails because the APID/CN pair is not a valid binding, and the security gateway refuses base station B access.
3. Application example 3
Base station C, whose APID is 00000000000031, steals base station A's digital certificate (CN Nodeb01) and additionally forges its reported APID as 001E7327042000021, then initiates an IPsec negotiation request to the security gateway. The security gateway determines that the base station with APID 001E7327042000021 is already online, so the check fails and the security gateway refuses base station C access.
4. Application example 4
When the operator expands capacity and adds a new base station D, whose APID is 001E7327042000029 and which uses the digital certificate with CN Nodeb09, the base station's information must first be added on the security gateway; the updated database is shown in Table 3.
When base station D initiates an IPsec negotiation request, the security gateway determines that the access status of the base station with APID 001E7327042000029 is "not connected" (OFF) and that the APID/CN binding is valid. The check passes and base station D is allowed access; after the negotiation succeeds, the access status in the database is updated from "not connected" (OFF) to "connected" (ON), as shown in Table 4.
Table 3. Third mapping table
No.  APID               CN       Access status
1    001E7327042000021  Nodeb01  ON
2    001E7327042000022  Nodeb02  OFF
3    001E7327042000023  Nodeb03  OFF
4    001E7327042000024  Nodeb04  OFF
5    001E7327042000025  Nodeb05  OFF
6    001E7327042000029  Nodeb09  OFF
Table 4. Fourth mapping table
No.  APID               CN       Access status
1    001E7327042000021  Nodeb01  ON
2    001E7327042000022  Nodeb02  OFF
3    001E7327042000023  Nodeb03  OFF
4    001E7327042000024  Nodeb04  OFF
5    001E7327042000025  Nodeb05  OFF
6    001E7327042000029  Nodeb09  ON
5. Application example 5
Base station E, whose APID is 001E7327042000024, uses the digital certificate with CN Nodeb04 and is running normally; the corresponding database on the security gateway is shown in Table 5.
Table 5. Fifth mapping table
No.  APID               CN       Access status
1    001E7327042000021  Nodeb01  ON
2    001E7327042000022  Nodeb02  OFF
3    001E7327042000023  Nodeb03  OFF
4    001E7327042000024  Nodeb04  ON
5    001E7327042000025  Nodeb05  OFF
6    001E7327042000029  Nodeb09  ON
Now a hardware fault in base station E requires it to be returned to the factory for repair. Because the repair cycle is long, base station E is replaced by a new hardware unit (APID 001E7327042000030), but the operator wants to keep using base station E's original certificate. This is achieved as follows.
1. Copy base station E's original certificate to the new hardware.
2. Modify the database on the security gateway; the updated database is shown in Table 6.
Table 6. Sixth mapping table
No.  APID               CN       Access status
1    001E7327042000021  Nodeb01  ON
2    001E7327042000022  Nodeb02  OFF
3    001E7327042000023  Nodeb03  OFF
4    001E7327042000030  Nodeb04  OFF
5    001E7327042000025  Nodeb05  OFF
6    001E7327042000029  Nodeb09  ON
When the device with APID 001E7327042000030 initiates an IPsec negotiation request, the security gateway's check passes and the device is allowed access; after the negotiation succeeds, the database is updated as shown in Table 7.
Table 7. Seventh mapping table
No.  APID               CN       Access status
1    001E7327042000021  Nodeb01  ON
2    001E7327042000022  Nodeb02  OFF
3    001E7327042000023  Nodeb03  OFF
4    001E7327042000030  Nodeb04  ON
5    001E7327042000025  Nodeb05  OFF
6    001E7327042000029  Nodeb09  ON
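The gateway-side decision behind application examples 1 to 5, written out as an added Python example; it is not code from the patent or from ZTE. It keeps the three judgment variants of claims 2 to 4 separate (is_online for claim 2, binding_matches for claim 3, verify for the combined check of claim 4) and replays the five examples against Table 1. The IKE/IPsec exchange itself is out of scope: the gateway is assumed to have already authenticated the peer's certificate and extracted its CN, and to have received the APID the peer reports about itself (example 3 is exactly the case where that reported value is forged). The class and method names, the reason strings and the disconnect step are assumptions; the table contents are Table 1 of the page.

```python
"""Gateway-side check of a network access device against an APID/CN binding table.

Added example, not the patent's or ZTE's code. Models steps 203-208 and
claims 2-4 and replays application examples 1-5 starting from Table 1.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Tuple


class Status(str, Enum):
    OFF = "OFF"  # not connected
    ON = "ON"    # connected


@dataclass
class Binding:
    cn: str                      # CN of the certificate this APID may use
    status: Status = Status.OFF  # every preprovisioned row starts OFF (Table 1)


# Decision reasons returned to the caller (assumed names, not from the page)
OK = "ok"
ALREADY_ONLINE = "APID already online"
BINDING_MISMATCH = "APID/CN binding mismatch"


class AccessGateway:
    """Security gateway holding the preprovisioned APID -> (CN, access status) table."""

    def __init__(self, bindings: Iterable[Tuple[str, str]]):
        self.table: Dict[str, Binding] = {apid: Binding(cn) for apid, cn in bindings}

    def provision(self, apid: str, cn: str) -> None:
        """Capacity expansion (example 4): register a base station before it may connect."""
        if apid in self.table:
            raise ValueError(f"APID {apid} is already provisioned")
        self.table[apid] = Binding(cn)

    def replace_hardware(self, old_apid: str, new_apid: str) -> None:
        """Hardware swap (example 5): the certificate (CN) is kept and rebound to the
        new APID, whose row starts OFF (Table 6); the old APID is dropped."""
        if new_apid in self.table:
            raise ValueError(f"APID {new_apid} is already provisioned")
        self.table[new_apid] = Binding(self.table.pop(old_apid).cn, Status.OFF)

    def is_online(self, apid: str) -> bool:
        """Claim 2: a device ID whose access status is already 'connected' is rejected."""
        binding = self.table.get(apid)
        return binding is not None and binding.status is Status.ON

    def binding_matches(self, apid: str, cn: str) -> bool:
        """Claim 3: the reported APID must be bound to the CN of the presented certificate."""
        binding = self.table.get(apid)
        return binding is not None and binding.cn == cn

    def verify(self, apid: str, cn: str) -> Tuple[bool, str]:
        """Claim 4 / steps 203-206: access status first, then binding consistency."""
        if self.is_online(apid):
            return False, ALREADY_ONLINE
        if not self.binding_matches(apid, cn):
            return False, BINDING_MISMATCH
        return True, OK

    def negotiate(self, apid: str, cn: str) -> Tuple[bool, str]:
        """Steps 207-208: answer the negotiation request; on success mark the device ON."""
        allowed, reason = self.verify(apid, cn)
        if allowed:
            self.table[apid].status = Status.ON
        return allowed, reason

    def disconnect(self, apid: str) -> None:
        """Tunnel torn down: reset to OFF so the legitimate device can reconnect.
        Assumed step; the page does not show it, but without it a stale ON entry
        locks out the genuine base station (see example 3)."""
        self.table[apid].status = Status.OFF


# Table 1 of the page (all rows start OFF)
TABLE_1 = [
    ("001E7327042000021", "Nodeb01"),
    ("001E7327042000022", "Nodeb02"),
    ("001E7327042000023", "Nodeb03"),
    ("001E7327042000024", "Nodeb04"),
    ("001E7327042000025", "Nodeb05"),
]


def run_application_examples() -> Tuple[AccessGateway, Dict[str, Tuple[bool, str]]]:
    """Replay application examples 1-5; return the gateway and each decision."""
    gw = AccessGateway(TABLE_1)
    r: Dict[str, Tuple[bool, str]] = {}
    # Example 1: base station A with its own APID and its own certificate
    r["A"] = gw.negotiate("001E7327042000021", "Nodeb01")
    # Example 2: base station B presents A's certificate under its own APID
    r["B"] = gw.negotiate("00000000000021", "Nodeb01")
    # Example 3: base station C presents A's certificate and forges A's APID while A is online
    r["C"] = gw.negotiate("001E7327042000021", "Nodeb01")
    # Example 4: new base station D must be provisioned before it can connect
    r["D_before_provisioning"] = gw.negotiate("001E7327042000029", "Nodeb09")
    gw.provision("001E7327042000029", "Nodeb09")
    r["D"] = gw.negotiate("001E7327042000029", "Nodeb09")
    # Example 5: E is online, then replaced by new hardware that keeps E's certificate
    r["E"] = gw.negotiate("001E7327042000024", "Nodeb04")
    gw.replace_hardware("001E7327042000024", "001E7327042000030")
    r["E_new_hardware"] = gw.negotiate("001E7327042000030", "Nodeb04")
    # The faulty unit still holds the certificate, but its APID is no longer bound
    r["E_old_hardware"] = gw.negotiate("001E7327042000024", "Nodeb04")
    return gw, r


if __name__ == "__main__":
    gateway, results = run_application_examples()
    for case, (allowed, reason) in results.items():
        print(f"{case:22s} {'ALLOW' if allowed else 'REJECT':6s} {reason}")
    for apid, b in gateway.table.items():
        print(apid, b.cn, b.status.value)
```

Running the module prints one ALLOW/REJECT line per case and a final table that matches Table 7 (three rows ON). Two points a practitioner would check before deploying such a scheme: the rejection in example 3 only works while the genuine base station is online, since with the status at OFF the stolen certificate plus forged APID passes the binding check, so the 'connected' flag must be trustworthy and must be cleared when a tunnel really goes down (the assumed disconnect step above) rather than left ON after a reboot, or the real device is the one locked out.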
To enhance the security of device certificate use, an embodiment of the invention also provides a non-volatile computer-readable storage medium storing instructions which, when executed by a processor of a gateway of a public transport network, cause the gateway of the public transport network to carry out a method of verifying a network access device, the method comprising the following steps:
when a device requests access to the public transport network, the gateway of the public transport network obtains a device ID and a certificate ID from the device requesting access;
the gateway of the public transport network determines, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device;
when the gateway of the public transport network determines that the device requesting access is a legitimate device, it admits the device requesting access to the public transport network; otherwise, it refuses the device requesting access admission to the public transport network.
In summary, the invention has the following technical effects:
The invention uses the device ID and/or the binding between the device ID and the certificate ID to determine whether a device requesting access to the public network is a legitimate device, and thereby refuses illegitimate devices access to the public transport network, in particular devices that use a certificate illegitimately. This improves the security of certificates and protects access security in the transport domain.
Although the invention has been described in detail above, the invention is not limited thereto, and those skilled in the art may make various modifications according to the principles of the invention. Therefore, all modifications made according to the principles of the invention should be understood as falling within the scope of protection of the invention.
Industrial applicability
The method and apparatus for verifying a network access device of this application can be applied in a gateway of a public transport network. They use the device ID and/or the binding between the device ID and the certificate ID to determine whether a device requesting access to the public network is a legitimate device, and thereby refuse illegitimate devices access to the public transport network, in particular devices that use a certificate illegitimately. This improves the security of certificates and protects access security in the transport domain.

Claims (11)

  1. A method for verifying a network access device, comprising:
    when a device requests access to a public transport network, a gateway of the public transport network obtaining a device ID and a certificate ID from the device requesting access;
    the gateway of the public transport network determining, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device;
    when the gateway of the public transport network determines that the device requesting access is a legitimate device, admitting the device requesting access to the public transport network, and otherwise refusing the device requesting access admission to the public transport network.
  2. The method according to claim 1, wherein the step of the gateway of the public transport network determining, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device comprises:
    the gateway of the public transport network querying, according to the obtained device ID, the access status of the device corresponding to the device ID;
    if the queried access status of the device corresponding to the device ID is "connected", determining that the device requesting access is an illegitimate device.
  3. The method according to claim 1, wherein the step of the gateway of the public transport network determining, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device comprises:
    performing a consistency check on the relationship between the device ID and the certificate ID;
    when the check passes, determining that the device requesting access is a legitimate device, and otherwise determining that the device requesting access is an illegitimate device.
  4. The method according to claim 1, wherein the step of the gateway of the public transport network determining, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device comprises:
    the gateway of the public transport network querying, according to the obtained device ID, the access status of the device corresponding to the device ID;
    if the queried access status of the device corresponding to the device ID is "not connected", performing a consistency check on the relationship between the device ID and the certificate ID;
    when the check passes, determining that the device requesting access is a legitimate device, and otherwise determining that the device requesting access is an illegitimate device.
  5. The method according to claim 3 or 4, wherein the gateway of the public transport network binds the device ID to the certificate ID in advance for use in the consistency check.
  6. An apparatus for verifying a network access device, comprising:
    a gateway acquisition module, configured to obtain a device ID and a certificate ID from the device requesting access when a device requests access to a public transport network;
    a gateway judgment module, configured to determine, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device;
    a gateway access processing module, configured to admit the device requesting access to the public transport network when the device requesting access is determined to be a legitimate device, and otherwise to refuse the device requesting access admission to the public transport network.
  7. The apparatus according to claim 6, wherein the gateway judgment module queries, according to the obtained device ID, the access status of the device corresponding to the device ID, and if the queried access status of the device corresponding to the device ID is "connected", determines that the device requesting access is an illegitimate device.
  8. The apparatus according to claim 6, wherein the gateway judgment module performs a consistency check on the relationship between the device ID and the certificate ID, and if the check passes, determines that the device requesting access is a legitimate device, and otherwise determines that the device requesting access is an illegitimate device.
  9. The apparatus according to claim 6, wherein the gateway judgment module queries, according to the obtained device ID, the access status of the device corresponding to the device ID; if the queried access status of the device corresponding to the device ID is "not connected", performs a consistency check on the relationship between the device ID and the certificate ID; and when the check passes, determines that the device requesting access is a legitimate device, and otherwise determines that the device requesting access is an illegitimate device.
  10. The apparatus according to claim 8 or 9, further comprising:
    a gateway binding module, configured to bind the device ID to the certificate ID in advance for use in the consistency check.
  11. A non-volatile computer-readable storage medium storing instructions which, when executed by a processor of a gateway of a public transport network, cause the gateway of the public transport network to carry out a method of verifying a network access device, the method comprising the following steps:
    when a device requests access to the public transport network, the gateway of the public transport network obtaining a device ID and a certificate ID from the device requesting access;
    the gateway of the public transport network determining, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device;
    when the gateway of the public transport network determines that the device requesting access is a legitimate device, admitting the device requesting access to the public transport network, and otherwise refusing the device requesting access admission to the public transport network.
PCT/CN2016/070380 2015-08-06 2016-01-07 Network access device verifying method and apparatus WO2017020546A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510477798.3 2015-08-06
CN201510477798.3A CN106454836B (en) 2015-08-06 2015-08-06 Method and device for enhancing use safety of equipment certificate

Publications (1)

Publication Number Publication Date
WO2017020546A1 true WO2017020546A1 (en) 2017-02-09

Family

ID=57942392

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/070380 WO2017020546A1 (en) 2015-08-06 2016-01-07 Network access device verifying method and apparatus

Country Status (2)

Country Link
CN (1) CN106454836B (en)
WO (1) WO2017020546A1 (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103096311B (en) * 2011-10-31 2018-11-09 中兴通讯股份有限公司 The method and system of Home eNodeB secure accessing
CN103108326A (en) * 2011-11-10 2013-05-15 腾讯科技(深圳)有限公司 Session relationship establishing method and device and system
CN103024742B (en) * 2012-12-04 2015-09-02 广州杰赛科技股份有限公司 Home base station network safety access method, equipment and system
CN104349322B (en) * 2013-08-01 2018-06-12 新华三技术有限公司 A kind of device and method that personator is detected in Wireless LAN
CN104518874A (en) * 2013-09-26 2015-04-15 中兴通讯股份有限公司 Network access control method and system
CN104506352B (en) * 2014-12-24 2018-04-20 福建江夏学院 A kind of method and system of Internet of Things data pretreatment

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110185171A1 (en) * 2007-02-07 2011-07-28 Nippon Telegraph And Telephone Corp. Certificate authenticating method, certificate issuing device, and authentication device
CN101909297A (en) * 2010-08-20 2010-12-08 中兴通讯股份有限公司 Mutual authenticating method between access network equipment and access network equipment
CN102984115A (en) * 2011-09-02 2013-03-20 中国长城计算机深圳股份有限公司 A method, a client and a server for network security
CN103051643A (en) * 2013-01-22 2013-04-17 西安邮电大学 Method and system for dynamically establishing secure connection of virtual host in cloud computing environment
CN103618603A (en) * 2013-11-25 2014-03-05 网神信息技术(北京)股份有限公司 Access method and device for multi-protocol label switching network

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115250186A (en) * 2021-04-12 2022-10-28 顺丰科技有限公司 Network connection authentication method, device, computer equipment and storage medium
CN115250186B (en) * 2021-04-12 2024-04-16 顺丰科技有限公司 Network connection authentication method, device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN106454836A (en) 2017-02-22
CN106454836B (en) 2021-12-31

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16832039

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16832039

Country of ref document: EP

Kind code of ref document: A1