CN101018174A - Network system and method for obtaining the public key certificate for WAPI - Google Patents

Publication number
CN101018174A
Authority
CN
China
Legal status
Granted
Application number
CN 200710064435
Other languages
Chinese (zh)
Other versions
CN100456725C (en)
Inventor
胡鹤飞
袁东明
刘元安
唐碧华
Current Assignee
BEIJING ANTROSE TECHNOLOGY Co Ltd
Original Assignee
BEIJING ANTROSE TECHNOLOGY Co Ltd
Legal events
Application filed by BEIJING ANTROSE TECHNOLOGY Co Ltd
Priority to CNB2007100644352A
Publication of CN101018174A
Application granted
Publication of CN100456725C
Expired - Fee Related (current legal status)
Anticipated expiration

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The network system for obtaining public key certificates for WAPI adds only a directory certificate server (DCS), which stores the public key certificates of all ASUs in the whole network together with their IP addresses and port numbers. The method for obtaining a public key certificate is also simple. The invention makes it easy to build trust between STA and ASU, solves the authentication difficulty for roaming users, and has broad application prospects.

Description

Network system and method for obtaining the public key certificate for WAPI
Technical field
The present invention relates to a security technique for wireless local area networks (WLAN), and more precisely to a network system and method for obtaining public key certificates for WAPI. It belongs to the field of wireless communication technology.
Background technology
With the rapid development of WLANs, their security problems have attracted growing attention. The international standard ISO/IEC 8802-11 defines two link authentication mechanisms, open system and shared key, together with the Wired Equivalent Privacy (WEP) security protocol, to address these problems, but security vulnerabilities remain. To remedy the weaknesses of the security protocol in ISO/IEC 8802-11, China issued in 2003 and 2006 a series of WLAN standards, GB 15629.11/1102 and GB 15629.11-2003/XG1-2006/1101/1103/1104. GB 15629.11 overcomes the shortcomings of the conventional security schemes. These standards are a security protocol with independent intellectual property rights, drafted and proposed by the Chinese Broadband Wireless IP Standard Working Group: WAPI (WLAN Authentication and Privacy Infrastructure), a security and encryption standard for the transport protocols associated with the existing 802.11 standard. Its main technical features are the use of public key cryptography to realize access control, data confidentiality and data integrity. The WAPI protocol consists of two parts: the WLAN Authentication Infrastructure (WAI) and the WLAN Privacy Infrastructure (WPI). WAI performs user identity authentication and key management and is the basis on which WAPI is realized.
An Internet access operation scheme based on WAPI must be easy for operators to deploy and must fit their existing business and management processes. At the same time it must integrate seamlessly with existing WLAN access services: for example, it must support WAPI as a supplementary service to the existing WLAN service, and it must support WAPI as an access service independent of the WLAN service. For users, the procedure for subscribing must be simple and consistent with the habits formed with existing services; a quick and easy way of using and managing the broadband wireless access service securely must be provided; and the user interface must be friendly and simple to operate.
WAPI is a security authentication and confidentiality infrastructure that can provide secure services to users. However, after the WAPI standard was introduced to solve the problem of secure data transmission over WLAN, it also brought the following new problems and difficulties to the deployment of WLAN-based broadband Internet access services: the acquisition and management of digital certificates, and the trust problem between a roaming user and the visited network. These problems remain unsolved so far. They are briefly described below:
(1) Acquisition and management of digital certificates: the WAPI wireless network uses a two-key asymmetric encryption algorithm, that is, a public key and a private key are provided. In an information exchange, party A generates a key pair and passes the public key to party B; after B obtains the public key, B encrypts the information with it and sends it to A; A then decrypts the encrypted information with the private key it has kept. Any information encrypted with A's public key must be decrypted with A's private key. Each user terminal in the network has its own unique digital certificate, the user certificate. The user certificate is generated after the authentication server ASU first issues a public key certificate to the terminal and the terminal's client software then asks the user to enter a challenge password with which the private key is encrypted. Because the user certificate is the credential that shows the identity of a user terminal when it uses the WAPI network, these public key certificates must be managed to ensure security. Security management of public key certificates covers how the public key certificates kept on the network are administered and how public key certificates are issued to user terminals. However, because of the limited technical skill of users and the physical constraints of the digital certificate carrier, a public key certificate cannot simply be issued to the user at the time of subscribing. The issuance of user electronic certificates therefore has to be solved first.
(2) Roaming of users: when a user roams to another place, a trust relationship must be established with the authentication server ASU of the visited place, so the user needs to hold the public key certificate of the visited ASU. However, because the user's home authentication server HASU and the visited authentication server ASU lack a mutual trust relationship, the user's identity cannot be authenticated and the ASU public key certificate cannot be provided to the user.
Therefore, how to design a network system and implementation method for obtaining public key certificates for WAPI, so that the operational scheme for Internet access authentication can better solve the issuance and management of user electronic certificates and provide users, especially roaming users, with a safer and more convenient WAPI service, has become one of the focuses of attention and research for those skilled in WAPI.
Summary of the invention
In view of this, the purpose of the present invention is to provide a network system and implementation method for obtaining public key certificates for WAPI. The network architecture is simple, the operating procedure for obtaining a public key certificate is also fairly simple and easy to realize, and yet it provides good wireless access authentication service to users, especially roaming users.
To achieve the above object, the invention provides a network system for obtaining public key certificates for WAPI, comprising: the Internet; a telecommunications network; an AAA server arranged in the telecommunications network that provides authentication, authorization and accounting services for users; the authentication server HASU of the user's home area; a plurality of authentication servers ASU, each located in a local network; and, directly connected with the AAA server, each authentication server ASU and each network, the access controllers AC, the wireless access points AP and the terminals STA equipped with WAPI wireless network cards. When an STA accesses the network through an AP and an AC, it is allowed to access the local network only after identity authentication by user public key certificate between the ASU and the STA. The system is characterized in that it also includes a directory certificate server DCS. The DCS stores the public key certificate of every authentication server ASU in the network, together with the IP address and port number at which user public key certificates are issued, so that it can return the HASU public key certificate to an ASU that requests it; that ASU can then use the obtained HASU public key certificate to authenticate the STA and realize the WAPI network connection. Likewise, when a terminal STA needs to establish a trust relationship with the ASU of the visited place and applies to the DCS for that ASU's public key certificate, the DCS returns the public key certificate of the visited ASU to the STA, so that the STA can authenticate the current network, establish trust in the local network, and realize the WAPI network connection. And when the DCS receives a request from a terminal STA to issue a user public key certificate, the DCS first selects the home authentication server HASU according to the STA's home area, then has that HASU issue the user's public key certificate, through the HASU's user public key certificate issuance interface, to the STA that made the request, and returns it to the STA, so that the STA gains the trust of the network and realizes the WAPI network connection.
The information maintained in the DCS server database includes: the user names and passwords used to verify terminal STAs that request a user public key certificate, and the IP address and port number of each HASU's user public key certificate issuance interface.
When the client software is installed on a terminal STA, neither its user public key certificate nor the public key certificate of its home authentication server HASU is installed. Therefore, when a terminal STA is used for the first time, it must first request, with the assistance of the DCS, that the HASU issue it a user public key certificate, and download and install the public key certificate of its home HASU from the directory certificate server DCS, in order to gain trust in the local network.
Each authentication server ASU stores and maintains its own list of trusted ASUs. When the home authentication server HASU of an STA that has roamed into the local network is not in the list of ASUs trusted by the local ASU, the STA obtains the public key certificate of its home HASU from the directory certificate server DCS, so that the visited ASU can verify the legitimacy of that HASU public key certificate. Each terminal STA likewise stores and maintains its own list of trusted ASUs. When the ASU of the place the terminal STA has roamed to is not in the list of ASUs trusted by that STA, the STA obtains the public key certificate of the visited ASU from the certificate server DCS and uses it to judge the legitimacy of that visited ASU.
To achieve the above object, the present invention also provides a method for obtaining public key certificates using the above network system, characterized in that, before a user terminal makes a WAPI connection to its home wireless network, the procedure by which the user obtains a public key certificate comprises the following operating steps:
(1) The STA downloads the public key certificate of the home authentication server HASU: when the user terminal STA uses the client software for the first time in its home area, it first downloads the public key certificate of the home HASU in order to gain trust in the local network. In detail: the STA first requests the HASU public key certificate from the DCS server; after the DCS server returns the HASU public key certificate to the STA, the STA authenticates it. If authentication succeeds, the STA keeps the HASU public key certificate and adds the HASU identity to its list of trusted ASUs; if authentication fails, it discards the HASU public key certificate;
(2) The STA requests issuance of a user public key certificate: in order to use WAPI secure data transmission, the terminal STA has the home authentication server HASU issue it a user public key certificate, with the assistance of the DCS. In detail: the terminal STA randomly generates a private key and a user public key, and submits the user public key to the DCS server with a request that a user public key certificate be issued for it. The DCS server verifies the STA's legitimacy using the stored user name and password; for an STA that passes verification, it first selects the home HASU according to the home location of the user terminal STA, then submits the user public key to that HASU and asks it to issue the user public key certificate for the terminal STA. After the HASU returns the successfully signed user public key certificate, the DCS returns the signed user public key certificate to the user terminal STA, completing the user public key certificate issuance process;
Step (1) further comprises the following operations:
(11) The STA requests to download the public key certificate of its home HASU and connects to the DCS server;
(12) The AAA server completes the authentication of the STA;
(13) The terminal STA sends the DCS server a request to download the public key certificate of the home authentication server HASU; this message carries the HASU identity, i.e. the HASU name;
(14) The DCS server returns the HASU public key certificate to the terminal STA;
(15) The terminal STA authenticates the HASU public key certificate; if authentication succeeds, it keeps the HASU public key certificate and adds the HASU to its list of trusted ASUs; otherwise it discards the HASU public key certificate.
Step (2) further comprises the following operations:
(21) The user starts the user public key certificate issuance process on the terminal and enters the user name and password for requesting issuance of the user public key certificate; at this point the terminal STA automatically generates a random user private key and user public key;
(22) The terminal STA requests issuance of a user public key certificate and connects to the DCS server again;
(23) The AAA server completes the authentication of the terminal STA;
(24) The terminal STA submits the user public key to the DCS server and requests issuance of a user public key certificate; this message contains the terminal user name and password for requesting issuance of the user public key certificate, and the user public key information;
(25) The DCS server verifies the user name and password. If verification succeeds, it submits the user public key to the HASU of the terminal's home area, requests that a user public key certificate be issued to this user terminal STA, and proceeds with the subsequent operations in order; otherwise it returns a failure response to the terminal STA and the operation ends;
(26) The HASU signs the user public key and returns the successfully signed user public key certificate to the DCS server, and the DCS server in turn returns the successfully issued user public key certificate to the terminal STA.
To achieve the above object, the present invention further provides a method for obtaining certificates using the above network system, characterized in that, before a user terminal makes a WAPI connection to the wireless network of a visited place, the procedure for obtaining the ASU public key certificate comprises the following operating steps:
(1) The STA downloads the public key certificate of the visited authentication server ASU: when the user roams to another place, a trust relationship must first be established with the visited ASU, that is, the public key certificate of the visited ASU must first be downloaded in order to gain trust in the local network. In detail: each terminal STA maintains its own list of trusted ASUs. If the ASU reached by the terminal STA through the AP is not in this list of trusted ASUs, the terminal STA first requests the ASU public key certificate from the DCS server; after the DCS server returns the ASU public key certificate to the terminal STA, the STA authenticates it. If authentication succeeds, the STA keeps the ASU public key certificate and adds the ASU to its list of trusted ASUs; if authentication fails, it discards the ASU public key certificate;
(2) The ASU downloads the HASU public key certificate: the trust relationship established between the STA and its HASU can only guarantee entry to the WAPI secure network locally; it cannot provide access to the WAPI network in a visited place. When a user roams to another place, the visited ASU must likewise judge the legitimacy of the user terminal, that is, it must use the user's home HASU public key certificate to authenticate the public key certificate of the user terminal STA, and sign the certificate authentication result with its own private key. If the ASU does not have the HASU public key certificate, it applies to the DCS to download it.
Step (1) further comprises the following operations:
(11) The STA requests to download the ASU public key certificate of the visited place and connects to the DCS server;
(12) The AAA server completes the authentication of the STA;
(13) The terminal STA sends the DCS server a request to download the public key certificate of the visited ASU; this message carries the ASU identity, i.e. the ASU name;
(14) The DCS server returns the public key certificate of the visited ASU to the terminal STA;
(15) The terminal STA authenticates the ASU public key certificate; if authentication succeeds, it keeps the ASU public key certificate and adds the ASU to its list of trusted ASUs; otherwise it discards the ASU public key certificate.
Step (2) further comprises the following operations:
(21) The ASU starts the process of obtaining the home HASU public key certificate of the roaming terminal;
(22) The ASU sends the DCS server a request to obtain the HASU public key certificate; this request carries the HASU identity information;
(23) The DCS server returns the HASU public key certificate to the ASU;
(24) The ASU authenticates the HASU public key certificate it obtained; if authentication succeeds, it keeps the HASU public key certificate and adds the HASU to its list of trusted ASUs; if authentication fails, it discards the HASU public key certificate.
The present invention is a network system and method for obtaining public key certificates for WAPI. Its innovation and beneficial effects are as follows. A directory certificate server DCS is set up in the network system. The DCS stores the IP address and port number of every home HASU that can issue public key certificates for user terminals STA, and can thus assist an STA in obtaining its user public key certificate and acquiring a legal identity. It also stores the public key certificates of all ASUs in the whole network and delivers them to any ASU that applies for authentication, so that trust in the network can be gained; and it can assist an ASU in downloading the HASU public key certificate, so that the ASU comes to trust the HASU and thereby the STA. The DCS server introduced by the system of the present invention solves the problem of STAs and ASUs obtaining public key certificates, makes it easier to establish a mutual trust relationship between STA and ASU, and at the same time solves the problem of distrust between networks when a user roams to another place: the DCS assists the user terminal STA and the ASU in downloading their public key certificates and, in passing, establishes the trust relationship between the two, so that a user who roams to another place can still enjoy WAPI-secured network services. In short, implementing the present invention completes the download, acquisition and authentication of public key certificates for user terminals, especially roaming user terminals, and has good prospects for popularization and application.
Description of drawings
Fig. 1 is a schematic diagram of the composition of the network architecture for issuing Internet certificates based on WAPI according to the present invention.
Fig. 2 is a flow diagram of the method by which the WAPI-based Internet certificate issuing network system of the present invention issues a certificate to a local user terminal.
Fig. 3 is a sequence diagram of the specific operating steps of step (1) in Fig. 2.
Fig. 4 is a sequence diagram of the specific operating steps of step (2) in Fig. 2.
Fig. 5 is a flow diagram of the method by which the WAPI-based Internet certificate issuing network system of the present invention issues a certificate to a roaming user terminal.
Fig. 6 is a sequence diagram of the specific operating steps of step (2) in Fig. 5.
Embodiment
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, the concrete structure of the network system for realizing WAPI-based Internet access authentication according to the present invention comprises: the Internet; a telecommunications network WAN; an AAA server arranged in the telecommunications network WAN; the HASU authentication server of the user's home area; a plurality of ASU authentication servers, each located in a local network (identity authentication by certificate is carried out between the ASU and the STA so that the user terminal can access the local network); the directory certificate server DCS; and, directly connected with the AAA server, each authentication server ASU and all networks, the access controllers AC, the wireless access points AP and the terminals STA (notebook computers, PDAs and the like) equipped with WAPI wireless network cards. When an STA accesses the network through an AP and an AC, it is allowed to access the local network only after identity authentication by user public key certificate between the ASU and the STA. The directory certificate server DCS is a network element newly set up by this system. It stores the public key certificate of each authentication server ASU in the network and the IP address and port number at which user public key certificates are issued, so that it can return the HASU public key certificate to an ASU that applies for it; that ASU can then use the obtained HASU public key certificate to authenticate the STA and realize the WAPI network connection. When a terminal STA needs to establish a trust relationship with the ASU of the visited place and applies to the DCS for that ASU's public key certificate, the DCS returns the public key certificate of the visited ASU to the STA, so that the STA can authenticate the local network, establish trust in it, and realize the WAPI network connection. When the DCS receives a request from a terminal STA to issue a user public key certificate, it first selects the home authentication server HASU according to the STA's home area, then has that HASU issue the user's public key certificate, through the HASU's user public key certificate issuance interface, to the STA that made the request, and returns it to the STA, so that the STA gains the trust of the network and realizes the WAPI network connection.
Each authentication server ASU in this system stores and maintains its own list of trusted ASUs. When the home authentication server HASU of an STA that has roamed into the local network is not in the list of ASUs trusted by the local ASU, the roaming terminal STA obtains the public key certificate of its home HASU from the directory certificate server DCS, so that the visited ASU can verify the legitimacy of that HASU public key certificate. Each terminal STA likewise stores and maintains its own list of trusted ASUs. When the ASU of the place the terminal STA has roamed to is not in the list of ASUs trusted by that STA, the STA obtains the public key certificate of the visited ASU from the certificate server DCS and uses it to judge the legitimacy of that visited ASU.
Referring to Fig. 2~Fig. 6, introduce the user and carry out the method that public key certificate is obtained in WAPI connection download before:
(1) local operation-introduce user terminal the ownership place wireless network carry out WAPI connect before the time, its user terminal obtains the flow process (referring to Fig. 2) of public key certificate:
(1) STA downloads the public key certificate of ownership place certificate server HASU: when client software is installed, user terminal STA does not install client public key certificate or HASU public key certificate, so when ownership place uses client software first, to download the HASU public key certificate earlier, to obtain trust to local network.Detailed process is: STA downloads the HASU public key certificate to the DCS server requests earlier, and the DCS server is after this terminal STA is returned the HASU public key certificate, and terminal STA will be differentiated this HASU public key certificate; If differentiate successfully, then keep this HASU public key certificate, this HASU is added in the trusted ASU tabulation of STA; If differentiate failure, then abandon this HASU public key certificate.
Specify the sequential chart of this operating procedure referring to Fig. 3:
(11) public key certificate of ownership place HASU is downloaded in the STA request, connects the DCS server;
(12) Portal of portal website of access controller AC/ operator pushes login page; STA client software interception login page is submitted the access terminals username and password to; Or when terminal was not provided with, the request user imported the access terminals username and password;
(13) AC is included in username and password and issues aaa server (if the user is in the roaming place, then transmits Access Request message and give the ownership place aaa server) in the Access Request message;
(14) aaa server checking username and password success is then returned Access Accept message and is given AC;
(15) AC is transmitted to terminal STA with the success identity information of returning;
(16) terminal STA sends the request of downloading ownership place certificate server HASU public key certificate to the DCS server, comprises the HASU identity in this information, i.e. the HASU title;
(17) the DCS server returns the HASU public key certificate to terminal STA;
(18) terminal STA is differentiated the true and false of HASU public key certificate, if differentiate successfully, then keeps this HASU public key certificate, and this HASU is added in the ASU tabulation trusty; Otherwise, abandon this HASU public key certificate.
(2) the client public key certificate is issued in the STA request: after the user installs client software on computers, just can use the broadband internet access service based on WLAN.Although this moment, the user downloaded the HASU public key certificate, promptly trusted local network, but the user wants to use WAPI to guarantee data transmission security on the Radio Link, and just must assist at DCS is that STA issues the client public key certificate by ownership place certificate server HASU down; Detailed process is: terminal STA generates private key and client public key at random, submits to client public key and request to issue the client public key certificate for it to the DCS server.The username and password checking STA legitimacy of DCS server by utilizing storage, the DSC server stores has the HASU address that can issue public key certificate for the user, to the STA that is proved to be successful, earlier according to this user terminal STA ownership place choice of location ownership place HASU, and to submit client public key to and ask this HASU to this HASU be that terminal STA is issued the client public key certificate.Return success the client public key certificate of signature at HASU after, DCS returns the client public key certificate of having signed to this user terminal STA, finishes client public key certificate authority process.The client software request user of this terminal imports challenge password at last, and private key is encrypted, and generates personal user's certificate file, so that user terminal STA carries this user certificate.
The sequence chart of the steps for issuing the client public key certificate when the user uses the service for the first time is shown in Fig. 4:
(21) The user starts the client public key certificate issuance process on the terminal and enters the username and password for requesting the certificate; at this point the terminal STA automatically generates a random private key and client public key for the user;
(22) The terminal STA connects to the access controller AC in Open System mode, and then connects to the DCS server;
(23) The AC/Portal pushes the login page; the terminal STA intercepts the login page and submits the Internet username and password, or, if the user has not configured them, prompts the user to enter the Internet username and password;
(24) The AC includes the username and password in an Access Request message to the AAA server (if the user is in a roaming location, the Access Request message is forwarded to the home AAA); if the AAA server verifies the username and password successfully, it returns an Access Accept message to the AC, and the AC forwards the returned authentication success to the terminal STA;
(25) The terminal STA submits the client public key to the DCS server and requests issuance of the client public key certificate; the request contains the terminal username and password used for requesting the certificate and the client public key;
(26) The DCS server verifies the username and password; if verification succeeds, it submits the client public key to the terminal's home HASU, requests it to issue the client public key certificate for this user terminal STA, and the subsequent operations are carried out in order; otherwise it returns a failure response to the terminal STA and the operation ends;
(27) The HASU signs the client public key and returns the successfully signed client public key certificate to the DCS server, which in turn returns the issued certificate to the terminal STA;
(28) The terminal STA asks the user to enter a challenge password, encrypts the private key with it and generates the personal certificate file;
(29) The terminal STA indicates that the personal certificate has been downloaded successfully and can be activated; if the WLAN connection was started in order to download the personal certificate, the WLAN connection is then disconnected.
(2) Roaming operation: when a user terminal is about to make a WAPI connection in the wireless network of a roaming location, the flow by which it obtains public key certificates is as follows (see Fig. 5):
(1) The STA downloads the public key certificate of the roaming-location certificate server ASU: when the user roams to another location, it must first establish a trust relationship with the roaming-location ASU, that is, download the public key certificate of that ASU first, in order to gain trust in the local network. The detailed process is: each terminal STA maintains its own trusted ASU list; if the ASU that the terminal STA connects to through the AP is not in this trusted ASU list, the terminal STA first requests the DCS server to download this ASU's public key certificate; after the DCS server returns the ASU public key certificate to the terminal STA, the terminal STA verifies it; if verification succeeds, the STA keeps the ASU public key certificate and adds this ASU to its trusted ASU list; if verification fails, it discards the ASU public key certificate. Note that the sequence chart for downloading the roaming-location ASU certificate in this step is essentially the same as that for downloading the HASU public key certificate in Fig. 3 and is not repeated here.
(2) The ASU downloads the HASU public key certificate: the trust relationship established between the STA and the HASU only guarantees entry to the WAPI secure network at the STA's home location; it does not allow access to the WAPI network at a roaming location. Therefore, when a user terminal roams to another location, the roaming-location ASU must likewise judge the legitimacy of this user terminal, that is, use the public key certificate of the terminal's home HASU to verify the public key certificate of the user terminal STA, and sign the certificate verification result with its own private key. If the ASU does not have the HASU public key certificate, it applies to the DCS to download it.
The sequence chart of the steps by which the ASU downloads the HASU public key certificate is shown in Fig. 6:
(21) The ASU starts the process of obtaining the public key certificate of the roaming terminal's home HASU;
(22) The ASU sends a request to obtain the HASU public key certificate to the DCS server; the request contains the HASU identity information;
(23) The DCS server returns the HASU public key certificate to this ASU;
(24) The ASU verifies the obtained HASU public key certificate; if verification succeeds, it keeps the HASU public key certificate and adds this HASU to its trusted ASU list; if verification fails, it discards the HASU public key certificate.
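The three flows above (the Fig. 4 issuance of a client certificate through the DCS and the home HASU, and the Fig. 5 and Fig. 6 roaming steps in which an STA or an ASU downloads an ASU certificate from the DCS and then keeps or discards it) are modelled below in Go. This is an added example, not code from the patent or from the applicant. It assumes X.509 certificates with Ed25519 keys as a stand-in for the WAPI certificate format, reaches the HASU through in-process objects instead of the stored IP address and port number, keeps user passwords as SHA-256 hashes, and, because the patent does not say how an STA or ASU verifies a certificate it downloads from the DCS, accepts one only if it is a self-signed CA certificate for the requested name (an assumption). The ASU names, username and password are constructed sample values, and the last Fig. 4 step (encrypting the private key under the user's challenge password) is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type trustList map[string]*x509.Certificate // the "trusted ASU list" every STA and ASU keeps
type asu struct {                          // an authentication service unit; a HASU is a user's home ASU
	name  string
	key   ed25519.PrivateKey
	cert  *x509.Certificate
	trust trustList
}

// dcs is the directory certificate server (the patent's stored HASU ip:port is replaced by direct access via dir).
type dcs struct {
	dir  map[string]*asu     // ASU name -> ASU (its public key certificate is a.cert)
	pw   map[string][32]byte // username -> SHA-256 of the password checked before issuing
	home map[string]string   // username -> name of the home ASU (HASU)
}

// template is the shared certificate template; ca selects the ASU (self-signed CA) form.
func template(cn string, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature}
}

// newASU generates an ASU key pair and its self-signed CA public key certificate.
func newASU(name string) *asu {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := template(name, true)
	t.KeyUsage |= x509.KeyUsageCertSign
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return &asu{name, key, cert, trustList{}}
}

// requestClientCert: the DCS checks the stored username/password, selects the HASU from
// the user's home location and has it sign the client public key (its issuing interface).
func (d *dcs) requestClientCert(user, pw string, pub ed25519.PublicKey) (*x509.Certificate, error) {
	want, ok := d.pw[user]
	got := sha256.Sum256([]byte(pw))
	if !ok || subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
		return nil, fmt.Errorf("dcs: username or password rejected for %q", user)
	}
	hasu := d.dir[d.home[user]]
	der, err := x509.CreateCertificate(rand.Reader, template(user, false), hasu.cert, pub, hasu.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// obtain is the "download from DCS, verify, then keep or discard" step shared by STA and ASU.
// Assumed check (the patent leaves it open): a self-signed CA certificate for the requested name.
func (t trustList) obtain(d *dcs, name string) error {
	if t[name] != nil { // already in the trusted ASU list, nothing to download
		return nil
	}
	a := d.dir[name]
	if a == nil || !a.cert.IsCA || a.cert.Subject.CommonName != name ||
		a.cert.CheckSignatureFrom(a.cert) != nil {
		return fmt.Errorf("no acceptable certificate for ASU %q, discarding", name)
	}
	t[name] = a.cert
	return nil
}

// verifySTA is the roaming ASU's check of a visiting STA: fetch the STA's home HASU certificate
// if it is not trusted yet, verify the client certificate against it, then sign the verdict.
func (a *asu) verifySTA(d *dcs, c *x509.Certificate) ([]byte, error) {
	if err := a.trust.obtain(d, c.Issuer.CommonName); err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(a.trust[c.Issuer.CommonName])
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return nil, err
	}
	return ed25519.Sign(a.key, append([]byte("STA verified:"), c.Raw...)), nil
}

func main() {
	home, roam := newASU("HASU-home"), newASU("ASU-roaming") // constructed names
	d := &dcs{dir: map[string]*asu{home.name: home, roam.name: roam}, home: map[string]string{"alice": home.name},
		pw: map[string][32]byte{"alice": sha256.Sum256([]byte("s3cret"))}} // constructed sample user
	staPub, _, _ := ed25519.GenerateKey(rand.Reader) // the STA generates its own key pair
	cert, err := d.requestClientCert("alice", "s3cret", staPub)
	sig, verr := roam.verifySTA(d, cert)
	fmt.Println(trustList{}.obtain(d, roam.name), err, len(sig) > 0, verr) // STA trusts roaming ASU, issuance, verdict
}
```

Running it with `go run` prints `<nil> <nil> true <nil>`: the STA accepted the roaming ASU's certificate, the DCS had the home HASU issue the client certificate, and the roaming ASU fetched the HASU certificate, validated the chain and signed its verdict. The point worth noting for a deployment is that the acceptance check in `obtain` only confirms that a downloaded certificate is self-consistent and carries the expected name; which ASU the certificate actually belongs to is guaranteed solely by the DCS and the channel to it, so in this design the DCS is the trust anchor for every STA and ASU, and the AAA authentication that precedes the request (steps 12 and 24 in the claims) controls who may ask, not what is returned.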
In summary, with the present invention, once a user terminal has downloaded and obtained its client public key certificate and the public key certificate of the roaming-location ASU, it can trust the wireless network of the roaming location; and once the ASU has verified the terminal through the terminal's home HASU, it can likewise verify the legitimacy of this user terminal. A mutual trust relationship is thus established, so that the user can use the secure and convenient services provided by the WAPI network.

Claims (10)

1. A network system for obtaining public key certificates for WAPI, comprising: the Internet; a telecommunications network; an AAA server located in the telecommunications network that provides authentication, authorization and accounting services for users; a home-location certificate server HASU; a plurality of certificate servers ASU, each located in its own local network; access controllers AC and wireless access points AP directly connected to each certificate server ASU and each network; and terminals STA fitted with WAPI wireless network cards; when an STA accesses the network through an AP and an AC, the STA is allowed to access the local network only after identity authentication between the ASU and the STA by means of the client public key certificate; characterized in that the system further includes a directory certificate server DCS, which stores the public key certificate of every certificate server ASU in the network together with the IP address and port number for issuing client public key certificates, so that the DCS returns the HASU public key certificate to an ASU that requests it, enabling that ASU to verify the STA with the obtained HASU public key certificate and realize the WAPI network connection; at the same time, when a terminal STA needs to establish a trust relationship with the ASU of a roaming location and applies to the DCS for the public key certificate of that ASU, the DCS returns the public key certificate of the roaming-location ASU to the STA so that the terminal STA can verify the current network, establish trust in the local network and realize the WAPI network connection; and when the directory certificate server DCS receives a request from a terminal STA to issue a client public key certificate, the DCS first selects the home certificate server HASU according to the STA's home location, then has that HASU server issue the user's public key certificate, through the HASU's client public key certificate issuing interface, to the terminal STA that made the issuance request, and returns it to the terminal STA, realizing the WAPI network connection.
2. The network system according to claim 1, characterized in that the information maintained in the DCS server database includes: the username and password used to verify a terminal STA's request for issuing a client public key certificate, and the IP address and port number used by the HASU for client public key certificate issuance.
3. The network system according to claim 1, characterized in that, when the client software is installed on the terminal STA, neither its client public key certificate nor the public key certificate of its home certificate server HASU is installed; therefore, when the terminal STA is used for the first time, the client public key certificate must first be issued for it by the HASU on request with the assistance of the DCS, and the public key certificate of its home certificate server HASU must be downloaded and installed from the directory certificate server DCS, in order to gain trust in the local network.
4. The network system according to claim 1, characterized in that each certificate server ASU stores and maintains its own trusted ASU list; when the home certificate server HASU of an STA that has roamed into the local network is not in the trusted ASU list of the local ASU, the public key certificate of that STA's home HASU is obtained from the directory certificate server DCS, so that the roaming-location ASU can verify the legitimacy of this HASU public key certificate; and each terminal STA stores and maintains its own trusted ASU list; when the ASU of the roaming location of a terminal STA is not in the ASU list trusted by that terminal STA, the terminal STA obtains the public key certificate of the roaming-location ASU from the certificate server DCS and uses it to judge the legitimacy of that roaming-location ASU.
5. A method of obtaining public key certificates using the network system according to claim 1, characterized in that, before a user terminal makes a WAPI connection in the wireless network of its home location, the flow by which the user obtains public key certificates comprises the following steps:
(1) The STA downloads the public key certificate of the home certificate server HASU: when the user terminal STA uses the client software for the first time at its home location, it first downloads the public key certificate of the home HASU in order to gain trust in the local network. The detailed process is: the STA first requests the DCS server to download the HASU public key certificate; after the DCS server returns the HASU public key certificate to the terminal STA, the terminal STA verifies it; if verification succeeds, it keeps the HASU public key certificate and adds the HASU identity to the STA's trusted ASU list; if verification fails, it discards the HASU public key certificate;
(2) The STA requests issuance of the client public key certificate: in order to use the secure data transmission of WAPI, a client public key certificate is issued to the STA by the home certificate server HASU with the assistance of the DCS. The detailed process is: the terminal STA randomly generates a private key and a client public key, submits the client public key to the DCS server and requests that a client public key certificate be issued for it; the DCS server checks the legitimacy of the STA against the stored username and password; for an STA that passes this check, the DCS first selects the home HASU according to the home location of the user terminal STA, then submits the client public key to that HASU and requests it to issue the client public key certificate for the terminal STA; after the HASU returns the successfully signed client public key certificate, the DCS returns the signed certificate to the user terminal STA, which completes the client public key certificate issuance process.
6. The method of obtaining public key certificates according to claim 5, characterized in that step (1) further comprises the following operations:
(11) The STA requests to download the public key certificate of the home HASU and connects to the DCS server;
(12) The AAA server completes the authentication of the STA;
(13) The terminal STA submits to the DCS server a request to download the public key certificate of the home certificate server HASU; this request contains the HASU identity, i.e. the HASU name;
(14) The DCS server returns the HASU public key certificate to the terminal STA;
(15) The terminal STA verifies the authenticity of the HASU public key certificate; if verification succeeds, it keeps the HASU public key certificate and adds this HASU to its trusted ASU list; otherwise it discards the HASU public key certificate.
7. The method of obtaining public key certificates according to claim 5, characterized in that step (2) further comprises the following operations:
(21) The user starts the client public key certificate issuance process on the terminal and enters the username and password for requesting the certificate; at this point the terminal STA automatically generates a random private key and client public key for the user;
(22) The terminal STA requests issuance of the client public key certificate and connects to the DCS server;
(23) The AAA server completes the authentication of the terminal STA;
(24) The terminal STA submits the client public key to the DCS server and requests issuance of the client public key certificate; the request contains the terminal username and password used for requesting the certificate and the client public key;
(25) The DCS server verifies the username and password; if verification succeeds, it submits the client public key to the terminal's home HASU, requests it to issue the client public key certificate for this user terminal STA, and the subsequent operations are carried out in order; otherwise it returns a failure response to the terminal STA and the operation ends;
(26) The HASU signs the client public key and returns the successfully signed client public key certificate to the DCS server, which in turn returns the issued client public key certificate to the terminal STA.
8. A method of obtaining public key certificates using the network system according to claim 1, characterized in that, before a user terminal makes a WAPI connection in the wireless network of a roaming location, the flow by which it obtains ASU public key certificates comprises the following steps:
(1) The STA downloads the public key certificate of the roaming-location certificate server ASU: when the user roams to another location, it must first establish a trust relationship with the roaming-location ASU, that is, download the public key certificate of that ASU first, in order to gain trust in the local network. The detailed process is: each terminal STA maintains its own trusted ASU list; if the ASU that the terminal STA connects to through the AP is not in this trusted ASU list, the terminal STA first requests the DCS server to download this ASU's public key certificate; after the DCS server returns the ASU public key certificate to the terminal STA, the terminal STA verifies it; if verification succeeds, it keeps the ASU public key certificate and adds this ASU to the STA's trusted ASU list; if verification fails, it discards the ASU public key certificate;
(2) The ASU downloads the HASU public key certificate: the trust relationship established between the STA and the HASU only guarantees entry to the WAPI secure network at the home location; it does not allow access to the WAPI network at a roaming location. When the user roams to another location, the roaming-location ASU must likewise judge the legitimacy of this user terminal, that is, use the public key certificate of the terminal's home HASU to verify the public key certificate of the user terminal STA, and sign the certificate verification result with its own private key; if the ASU does not have the HASU public key certificate, it applies to the DCS to download it.
9. The method of obtaining public key certificates according to claim 8, characterized in that step (1) further comprises the following operations:
(11) The STA requests to download the public key certificate of the roaming-location ASU and connects to the DCS server;
(12) The AAA server completes the authentication of the STA;
(13) The terminal STA sends to the DCS server a request to download the public key certificate of the roaming-location ASU; this request contains the ASU identity, i.e. the ASU name;
(14) The DCS server returns the public key certificate of the roaming-location ASU to the terminal STA;
(15) The terminal STA verifies the ASU public key certificate; if verification succeeds, it keeps the ASU public key certificate and adds this ASU to its trusted ASU list; otherwise it discards the ASU public key certificate.
10. The method of obtaining public key certificates according to claim 8, characterized in that step (2) further comprises the following operations:
(21) The ASU starts the process of obtaining the public key certificate of the roaming terminal's home HASU;
(22) The ASU sends a request to obtain the HASU public key certificate to the DCS server; the request contains the HASU identity information;
(23) The DCS server returns the HASU public key certificate to this ASU;
(24) The ASU verifies the obtained HASU public key certificate; if verification succeeds, it keeps the HASU public key certificate and adds this HASU to its trusted ASU list; if verification fails, it discards the HASU public key certificate.
Publications (2)

Publication Number Publication Date
CN101018174A true CN101018174A (en) 2007-08-15
CN100456725C CN100456725C (en) 2009-01-28

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee (granted publication date: 20090128; termination date: 20160315)