Method for applying for a certificate in the wireless LAN WAPI security mechanism
Technical field
The present invention relates to a method for applying for a certificate in a communication network, and in particular to a method for automatically applying for and installing a certificate under the WAPI mechanism of a wireless local area network (WLAN).
Background technology
With the flexibility, agility and extensibility of its architecture, the wireless local area network (WLAN, Wireless Local Area Network) has in recent years been widely deployed in hot-spot operations, enterprises, industry and homes. In May 2003, China issued GB 15629.11 and GB15629.1102, its first national standards in the WLAN field. In 2006, Amendment No. 1 to the WLAN national standard, GB15629.11-2003/XG1-2006, and the related sub-standards GB15629.1101, GB/T15629.1103 and GB15629.1104 were issued and implemented, so that a WLAN national standard system began to take shape; this standard system includes the new WAPI (WLAN Authentication and Privacy Infrastructure) security mechanism.
The WAPI security mechanism has a certificate-based mode and a pre-shared-key mode. In the certificate-based mode both the terminal and the wireless access point AP must have a certificate installed, but the national standard does not prescribe how the terminal and the wireless access point AP obtain and install their certificates. In practice, two methods of obtaining and installing a user certificate are common:
(1) Obtaining and installing on site. The user takes identity documents to a business office of the certificate server AS (Authentication Server) operator, completes the account-opening procedure, applies for a user certificate and receives it on a storage medium. The user then takes the medium back to the terminal and installs the certificate by hand, step by step: controlling the process, selecting the certificate file on the storage medium, and so on.
In the environment where the WAPI security mechanism is used, the WLAN covers every geographic region of the country, the number of users is enormous and roaming is frequent. Obtaining the user certificate on site therefore requires the user to travel to the business office of the certificate server AS operator, which is time-consuming, laborious and extremely inconvenient.
(2) Obtaining and installing remotely. The user connects the terminal to the Internet by some access method, such as a wired LAN or a dial-up connection, logs in to the certificate application interface of the authentication server, enters every item of information the user certificate application requires, obtains the user certificate file, downloads it to a local disk, and installs it by hand, step by step.
To obtain the user certificate remotely, the user must know the network address of the certificate server AS in advance and must be familiar with the certificate application procedure.
Both of the above methods of obtaining and installing WAPI user certificates also have the following shortcomings:
1. Obtaining and installing the certificate is inconvenient, which to some extent restricts the adoption of WLAN access.
2. Security is lower. The private key corresponding to the certificate is the key to the secure operation of the whole system; it may be known only to the user of the certificate and must not leak. When the private key is transmitted over the network, the confidentiality of the user's private information cannot be guaranteed.
3. Installation is complicated. It requires manual intervention step by step, that is, the user must control the process, make selections and type in information by hand.
Summary of the invention
The object of the present invention is to provide a method for applying for a certificate in the wireless LAN WAPI security mechanism which solves the technical problems of the background art: obtaining the user certificate is inconvenient, installation is complicated, and security is low.
The technical solution of the present invention is as follows:
A method for applying for a certificate in the wireless LAN WAPI security mechanism, comprising the following steps:
(i) Obtaining the address of the certificate server AS:
1. Obtain a user name and password;
2. When the terminal STA accesses the WLAN for the first time, it associates with a wireless access point AP on which the WAPI security mode is not enabled;
3. The user name and password are authenticated by forced-PORTAL web authentication. If authentication succeeds, the terminal STA can reach the Internet NET through the wireless access point AP. During the user name and password authentication, or after it succeeds, the access controller AC or the PORTAL server PS sends the IP address of the certificate server AS to the terminal STA;
(ii) Applying for the user certificate:
1. After the terminal STA obtains the IP address of the certificate server AS, it generates a private key locally and computes the corresponding public key;
2. The terminal STA composes a user certificate application message from the locally generated public key, the user name and the password, and sends it to the certificate server AS to apply for the user certificate;
3. The certificate server AS verifies the validity of the user name and password carried in the terminal STA's application message; if verification succeeds, it generates the end-user certificate and sends it to the terminal STA;
(iii) Installing the user certificate:
When the terminal STA receives the end-user certificate sent by the certificate server AS, it automatically starts the certificate installation procedure and stores the end-user certificate locally.
Preferably, after the terminal STA obtains the IP address of the certificate server AS, it generates the private key and computes the corresponding public key using the algorithm specified in the WLAN national standard.
Information between the terminal STA and the certificate server AS is generally transmitted over the HTTPS protocol.
The user name and password may be obtained by the user through SMS, or by opening an account.
Preferably, the public key in the end-user certificate is the public key carried in the terminal STA's user certificate application message.
The private key is stored on the terminal STA. When it is stored, the private key may be encrypted under the account-opening password obtained when the account was opened, or the user may be prompted to enter a new password under which the private key is encrypted.
The present invention has the following advantages:
1. It is compatible with the current WLAN national standard, practical, and easy to promote and use.
2. Obtaining and installing the certificate is convenient: the user need not go through formalities at a business office in person and need not know the network address of the certificate server AS; the certificate is applied for and installed automatically.
3. Security is good. The private key and public key corresponding to the certificate are generated locally by the user, and the private key is never transmitted over the network. Only the public key corresponding to the private key, which may be disclosed, together with the user name and password, is transmitted over the network, and this goes through a secure channel, so the confidentiality of the user's private information is guaranteed.
Description of drawings
Fig. 1 is the network topology of an application example of the present invention.
Reference numerals in the drawing:
Wireless access point AP, certificate server AS, access controller AC, certificate server RS, terminal STA, PORTAL server PS, Internet NET.
Embodiment
The present invention extends the application for and installation of user certificates while remaining in conformance with the current WLAN national standard. The steps of the present invention are as follows:
(i) Obtaining the address of the certificate server AS:
1. Obtain a user name and password. The user obtains the user name and password either through SMS or by opening an account.
2. When the terminal STA accesses the WLAN for the first time, it associates with a wireless access point AP on which the WAPI security mode is not enabled;
3. The user name and password are authenticated by forced-PORTAL web authentication. If authentication succeeds, the terminal STA can reach the Internet NET through the wireless access point AP. During the user name and password authentication, or after it succeeds, the access controller AC or the PORTAL server PS sends the IP address of the certificate server AS to the terminal STA. Forced-PORTAL web authentication is a well-known authentication method.
(ii) Applying for the user certificate:
1. After the terminal STA obtains the IP address of the certificate server AS, it generates a private key locally according to the algorithm specified in the WLAN national standard and computes the corresponding public key. Private key and public key correspond one to one, and the password is used to protect the private key.
2. The terminal STA composes a user certificate application message from the locally generated public key, the user name and the password, and sends it to the certificate server AS to apply for the user certificate. Information between the terminal STA and the certificate server AS is transmitted over the HTTPS protocol to guarantee the confidentiality of the user's private information. HTTPS is the secure hypertext transfer protocol.
3. The certificate server AS verifies the validity of the user name and password carried in the terminal STA's application message; if verification succeeds, it generates the end-user certificate and sends it to the terminal STA. The public key in the end-user certificate is the public key carried in the terminal STA's user certificate application message.
(iii) Installing the user certificate:
When the terminal STA receives the end-user certificate sent by the certificate server AS, it automatically starts the certificate installation procedure and stores the end-user certificate locally.
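The exchange of steps (ii) and (iii), written out as an added example that is not part of the patent: the terminal generates its key pair, sends only the public key, user name and password to the AS, the AS checks the credentials and issues a certificate over exactly that public key, and the terminal checks, before installing, that the certificate binds its own key and was signed by the AS. The example assumes ECDSA P-256 in place of the algorithm specified in the WLAN national standard, calls the AS directly in place of the HTTPS transport, and uses a constructed account table (`sta-user` / `sms-pass-4711`); the `AuthServer`, `CertRequest`, `Issue` and `Enroll` names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertRequest is the user certificate application message of step (ii)-2.
// It carries only the public key, user name and password; the private key
// is generated on the STA and never leaves it.
type CertRequest struct {
	Username, Password string
	PublicKeyDER       []byte // SubjectPublicKeyInfo of the STA key pair
}

// AuthServer stands in for the certificate server AS. Assumed design: one
// CA key plus a table of the credentials handed out at sign-up (the table
// below is constructed sample data for this example).
type AuthServer struct {
	caKey  *ecdsa.PrivateKey
	CACert *x509.Certificate
	users  map[string]string
}

func NewAuthServer() (*AuthServer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example AS"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &AuthServer{caKey: key, CACert: ca, users: map[string]string{"sta-user": "sms-pass-4711"}}, nil
}

// Issue is step (ii)-3: the AS checks the user name and password and then
// signs a certificate over exactly the public key the terminal submitted.
func (s *AuthServer) Issue(req CertRequest) ([]byte, error) {
	want, ok := s.users[req.Username]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(req.Password)) != 1 {
		return nil, errors.New("AS: user name or password rejected")
	}
	pub, err := x509.ParsePKIXPublicKey(req.PublicKeyDER)
	if err != nil {
		return nil, fmt.Errorf("AS: bad public key in request: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: req.Username},
		KeyUsage:  x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, s.CACert, pub, s.caKey)
}

// Enroll runs the STA side of steps (ii) and (iii). The HTTPS transport is
// out of scope here, so Issue is called directly. It returns the issued
// certificate (DER) together with the locally generated private key.
func Enroll(as *AuthServer, user, pass string) ([]byte, *ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // step (ii)-1: key pair made locally
	if err != nil {
		return nil, nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	certDER, err := as.Issue(CertRequest{user, pass, pubDER}) // step (ii)-2
	if err != nil {
		return nil, nil, err
	}
	// Step (iii): install only after checking that the certificate really
	// binds our key and was signed by the AS we enrolled with.
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, nil, err
	}
	gotPub, _ := x509.MarshalPKIXPublicKey(cert.PublicKey)
	if !bytes.Equal(gotPub, pubDER) {
		return nil, nil, errors.New("STA: certificate does not carry our public key")
	}
	if err := cert.CheckSignatureFrom(as.CACert); err != nil {
		return nil, nil, fmt.Errorf("STA: certificate not signed by AS: %w", err)
	}
	return certDER, priv, nil
}
```

The two checks at the end of `Enroll` are the part a practitioner should not skip: a certificate whose public key differs from the locally generated one, or one not signed by the expected AS, must be refused rather than installed automatically.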
The private key is stored on the terminal STA. When it is stored, the private key may be encrypted under the account-opening password obtained when the account was opened, or the user may be prompted to enter a new password under which the private key is encrypted.
In the present invention the only manual operation required of the user is entering the user name and password; the application for, download and installation of the end-user certificate are all completed automatically, which simplifies the user's operation while also improving security.