CN101272253B - Authentication method of access equipment of global microwave access intercommunication system - Google Patents


Info

Publication number: CN101272253B
Authority: CN (China)
Prior art keywords: identifier, device, certificate, access, access device
Legal status: Expired - Fee Related (the status shown by Google Patents is an assumption, not a legal conclusion)
Application number: CN2008100883042A
Other languages: Chinese (zh)
Other versions: CN101272253A (en)
Inventor: 李涛 (Li Tao)
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Priority date and filing date: 2008-03-25 (application filed by ZTE Corp)
Publication dates: CN101272253A published 2008-09-24; patent granted and CN101272253B published 2010-09-01

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses an authentication method for an access device of a Worldwide Interoperability for Microwave Access (WiMAX) system. The method comprises: step S202, when the access device accesses the network, the network side obtains a digital certificate stored in the access device, the digital certificate containing a first identifier; step S204, the network side authenticates the device according to a locally stored second identifier and the digital certificate. The technical scheme of the invention can effectively prevent counterfeit or unlawful WiMAX wireless network card devices from accessing the network, thereby improving the security of the device interface and effectively safeguarding the security and interests of the device manufacturer, the network operator and the end user.

Description

Authentication method for an access device of a Worldwide Interoperability for Microwave Access (WiMAX) system
Technical field
The present invention relates to the field of broadband wireless access, and in particular to an authentication method for an access device of a Worldwide Interoperability for Microwave Access (hereinafter WiMAX) system.
Background technology
WiMAX is a broadband wireless metropolitan area access technology based on the IEEE 802.16 family of standards. Its basic goal is to guarantee that wireless equipment from different vendors interoperates in a metropolitan area access environment. It is mainly used for high-speed broadband access for homes, enterprises and mobile communication networks, and for future personal mobile communications. WiMAX can replace existing wired and Digital Subscriber Line (DSL) connections and provide "last mile" access. Compared with other broadband wireless access technologies, WiMAX offers wide coverage, good scalability and controllable quality of service (QoS).
Fig. 1 is a block diagram of the software architecture of a WiMAX wireless network card. At present, the software of WiMAX wireless network cards almost universally follows the structure shown in Fig. 1.
As shown in Fig. 1, the software of a WiMAX wireless network card divides into two parts: host-side software and device-side software. The host-side software comprises the user software (GUI), the device API and the device driver. The device-side software is mainly the firmware, which implements part of the IEEE 802.16e protocol, the physical interface (USB, PCMCIA, ExpressCard and so on), chip bootstrapping and firmware download. To save storage space, an EEPROM is generally used as the card's non-volatile memory.
The firmware is stored on the host. When the WiMAX wireless network card is plugged into the host, the operating system driver on the host automatically downloads the firmware into the card's RAM. When the card is unplugged, the firmware in RAM disappears with the loss of power; the next time the device is plugged in, the driver downloads the firmware into the card's RAM again.
At present, the authentication mode commonly used in WiMAX network systems is username/password. A user becomes a legitimate subscriber by registering with the WiMAX network operator or buying a prepaid card and obtains a fixed username and password. When the user requests access to the WiMAX network, the user enters the username and password in the software; they are sent to the Access Service Network Gateway (ASN GW), which forwards them to the authentication server (AS), and the AS completes the access authentication and judges whether the user is legitimate. The network operator provides WiMAX access service only to legitimate users, but this fixed username/password scheme places no restriction at all on illegal WiMAX network card devices joining the network, which seriously harms the interests of communication equipment manufacturers and network operators.
At present, no technical solution to the above problem has been proposed in the prior art.
Summary of the invention
The present invention was made in view of the above problems. Its main purpose is to provide an authentication method for a WiMAX access device, so as to solve the problem of authenticating WiMAX network card devices in the related art.
According to one embodiment of the present invention, an authentication method for a WiMAX access device is provided.
The method comprises: step S202, when the access device accesses the network, the network side obtains the digital certificate stored in the access device, the digital certificate containing a first identifier; step S203, the access device reads a third identifier from its local storage, judges whether the third identifier is identical to the first identifier in the digital certificate, and if so executes step S204; step S204, the network side authenticates the device according to a locally stored second identifier and the digital certificate.
The first, second and third identifiers are information that is unique to the access device and cannot be modified; such unique, unmodifiable information includes the serial number of the network card's processor chip.
The method specifically comprises the following steps:
Step 2: the device driver of the access device requests the device's X.509 certificate from the device firmware;
Step 3: the device firmware reads the device's X.509 certificate from non-volatile memory and sends it to the device driver;
Step 4: the device driver requests the device ID from the device firmware;
Step 5: the device firmware reads the device ID and sends it to the device driver;
Step 6: the device driver compares the device ID with the contents of the X.509 certificate to determine whether the device ID in the X.509 certificate matches the physical device ID; if they match, step 7 is executed;
Step 7: the device driver initiates the X.509 three-way authentication procedure with the base station on the network side, and the two confirm each other's identity; the base station extracts the device ID from the received X.509 certificate, compares it with the database of the authentication server, in which device identifiers are stored in advance, and returns the device authentication result. Here the device ID read by the firmware is the third identifier, the device ID in the X.509 certificate is the first identifier, and the device identifier stored in advance in the database is the second identifier.
In addition, the method may further comprise: the access device authenticates the network side using the digital certificate and the second identifier.
In addition, before the authentication is carried out, the method further comprises locking the application programming interface (API) of the access device so that it cannot be called; after the authentication is carried out, it further comprises releasing the lock on the API of the access device.
The digital certificate may be an X.509 certificate.
By means of the above technical scheme, counterfeit or illegal WiMAX wireless network card devices can be effectively prevented from accessing the network, the security of the device interface is improved, and the security and interests of equipment manufacturers, network operators and end users are effectively protected.
Other features and advantages of the present invention will be set out in the following description and will in part become apparent from the description or be understood by practising the invention. The objects and other advantages of the invention can be realised and obtained through the structures particularly pointed out in the written description, the claims and the accompanying drawings.
Description of drawings
The accompanying drawings provide a further understanding of the invention and form part of the specification; together with the embodiments they serve to explain the invention and do not limit it. In the drawings:
Fig. 1 is a block diagram of the architecture of a WiMAX wireless network card according to the related art;
Fig. 2 is a flow chart of the authentication method for a WiMAX access device according to the method embodiment of the invention;
Fig. 3 is a signalling diagram of the authentication method for a WiMAX access device according to the method embodiment; and
Fig. 4 is a signalling diagram of the three-way authentication between the device driver and the base station in the method according to the method embodiment.
Embodiment
The preferred embodiments of the invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here only serve to describe and explain the invention and do not limit it.
Method embodiment
This embodiment provides an authentication method for a WiMAX access device.
Fig. 2 is a flow chart of the authentication method for a WiMAX access device according to this embodiment. As shown in Fig. 2, the method comprises: step S202, when the access device accesses the network, the network side obtains the digital certificate stored in the access device, the digital certificate containing a first identifier; step S204, the network side authenticates the device according to a locally stored second identifier and the digital certificate.
Before step S202 the method further comprises: the access device reads a third identifier from its local storage, judges whether the third identifier is identical to the first identifier in the digital certificate, and if so executes step S202.
The first, second and third identifiers are information that is unique to the access device and cannot be modified. The access device authenticates the network side using the digital certificate and the second identifier.
In addition, before the authentication is carried out, the API of the access device is locked so that it cannot be called; after the authentication is carried out, the lock on the API is released.
The digital certificate is an X.509 certificate, and the designated memory is an electrically erasable programmable read-only memory (EEPROM).
Specifically, the equipment manufacturer stores an X.509 certificate containing the device ID in the non-volatile memory (EEPROM) of the network card in advance; the device ID uses unmodifiable and unique information such as the serial number of the network card's processor chip. When the card is plugged into a computer, after the firmware has been downloaded and started normally, the host driver reads the card's X.509 certificate file and initiates the device authentication procedure.
Fig. 1 shows a block diagram of the WiMAX access device that implements the method of this embodiment. The authentication method for a WiMAX network card device according to this embodiment is described below with reference to the access device of Fig. 1 and further to Fig. 3.
Fig. 3 is the signalling diagram (UML sequence chart) of the authentication method for a WiMAX access device according to this embodiment. As shown in Fig. 3, the device authentication method of this embodiment comprises the following steps:
Step 1: on the host side, the device driver (Device Driver) sends a Lock message to the device application interface (Device API), forbidding the API from being called; during device authentication every Device API call returns immediately without being executed;
Step 2: the device driver requests the device's X.509 certificate from the device firmware (Device FirmWare);
Step 3: the firmware reads the device's X.509 certificate from the non-volatile memory (EEPROM) and sends it to the device driver;
Step 4: the device driver requests the device ID (Device ID) from the device firmware;
Step 5: the firmware reads the device ID (that is, the third identifier above) and sends it to the device driver;
Step 6: the device driver compares the device ID with the contents of the X.509 certificate (the first identifier above) to determine whether the device ID in the X.509 certificate matches the physical device ID;
Step 7: the device driver initiates the X.509 three-way authentication procedure with the base station, and the two confirm each other's identity; the base station extracts the device ID from the received X.509 certificate, compares it with the database of the authentication server (AS), in which device identifiers (that is, the second identifier above) are stored in advance, and returns the device authentication result;
Step 8: on the host side, the device driver decides according to the base station's device authentication result whether to send an UnLock message to the Device API. When device authentication passes, the driver sends UnLock to the Device API; after the release, Device API calls can be executed, and the application (GUI) accesses network services through the Device API and the device driver, or goes on to perform subscriber authentication.
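The host-side procedure of steps 1 to 8, as an added Go example; it is not code from the patent or from ZTE. It mints an X.509 certificate carrying the device ID in the Subject CommonName (the patent does not say which certificate field holds the ID, so that placement is an assumption), parses it the way the driver would after reading it from EEPROM, compares the certificate's ID with the firmware-reported chip serial, keeps the Device API locked until the check passes, and reduces the network side of step 7 to the authentication-server database lookup. The chip serial, the database contents and the self-signed issuer are constructed sample data. Note that step 6 runs in host software and queries firmware that is itself downloaded from the host (see the Background section), so the check that does not depend on host code is the network-side one: the base station verifies the signature against the key bound into the certificate and looks the ID up in its own database.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed sample data: the chip serial the firmware reports (the third
// identifier) and the operator's device database (the second identifier).
const chipSerial = "ZTE-NIC-0123456789AB"

var asDatabase = map[string]bool{chipSerial: true}

// MintDeviceCert plays the manufacturer: it issues the X.509 certificate that is
// written to the card's EEPROM, with the device ID (the first identifier) in the
// Subject CommonName. The field choice is an assumption; the patent only says the
// certificate contains the ID. The certificate is self-signed here; a deployment
// would sign it with a manufacturer CA that the base station trusts.
func MintDeviceCert(deviceID string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"Device Manufacturer"}, CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// DeviceIDFromCert parses the EEPROM certificate and returns the ID it carries.
func DeviceIDFromCert(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	if cert.Subject.CommonName == "" {
		return "", errors.New("certificate carries no device ID")
	}
	return cert.Subject.CommonName, nil
}

// Card is the host-side view of one WiMAX card: the certificate read from EEPROM
// (steps 2-3), the ID the firmware reports (steps 4-5) and the API lock the driver
// holds until authentication has finished (steps 1 and 8). A new Card is locked.
type Card struct {
	CertDER    []byte
	FirmwareID string
	unlocked   bool
}

// CallAPI is what any Device API call does while the lock is held: return at once
// without executing, as step 1 describes.
func (c *Card) CallAPI() error {
	if !c.unlocked {
		return errors.New("device API locked: authentication not complete")
	}
	return nil
}

// Authenticate runs steps 1-8. The network side of step 7 is reduced to the lookup
// the authentication server performs on the ID taken from the certificate.
func (c *Card) Authenticate(db map[string]bool) error {
	c.unlocked = false // step 1: Lock
	certID, err := DeviceIDFromCert(c.CertDER)
	if err != nil {
		return err
	}
	if certID != c.FirmwareID { // step 6: ID in the certificate vs physical device ID
		return errors.New("certificate ID does not match the firmware-reported ID")
	}
	if !db[certID] { // step 7: the base station checks the authentication server
		return errors.New("device ID unknown to the authentication server")
	}
	c.unlocked = true // step 8: UnLock
	return nil
}

func main() {
	der, err := MintDeviceCert(chipSerial)
	if err != nil {
		panic(err)
	}
	genuine := &Card{CertDER: der, FirmwareID: chipSerial}
	fmt.Println("genuine card:", genuine.Authenticate(asDatabase))
	clone := &Card{CertDER: der, FirmwareID: "COUNTERFEIT-SERIAL"} // copied certificate on another chip
	fmt.Println("cloned card: ", clone.Authenticate(asDatabase))
}
```

Running it shows the two outcomes the patent is after: the genuine card authenticates and its API unlocks, while a card that carries a copied certificate but reports a different chip serial is stopped at step 6 and its API stays locked. A certificate minted for an ID the operator never provisioned gets past step 6 (the ID matches the chip) and is stopped only by the database lookup of step 7.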
The processing in which the device driver initiates X.509 authentication with the base station is described in detail below with reference to the drawing. The authentication may be one-way, two-way or three-way; three-way authentication is described below as an example, with reference to Fig. 4.
As shown in Fig. 4, when the X.509 three-way authentication method is used, the X.509 authentication protocol relies on digital signatures (based on a public-key system), and both authenticating parties have already obtained each other's public-key certificate. As shown in Fig. 4, the three-way authentication method comprises the following processing:
First, the device driver (Device Driver) sends the base station (BS) an authentication request containing the X.509 certificate and Eb(Ca, Da(M)), where M = (Ta, Ra, Ia, d) consists of a timestamp, a random number, the device identity proof and the hash of random information; Da(M) is the message M encrypted (signed) with the device's private key, and Eb(Ca, Da(M)) is the device certificate together with Da(M), encrypted with the base station's public key.
Second, the base station decrypts with its own private key Db to obtain Ca and Da(M), obtains the device's public key Ea from the certificate, and then recovers M; this verifies that the message was signed by the device. At this point the base station and the authentication server check whether the device ID in the device certificate is legitimate.
Then the base station replies Ea(Db(Mm)) to the device driver, where Mm = (Tb, Rb, Ia, Ra, d) consists of a new timestamp, a new random number, the received device identity proof, the device's random number and the hash of the random information; Db(Mm) is Mm encrypted (signed) with the base station's private key, and Ea(Db(Mm)) is that data encrypted with the device's public key.
Then, when the device driver receives the base station's reply, it processes it as in the second step (decrypting with its own private key and recovering Mm with the base station's public key), verifying that the message is complete, that it was signed by the base station, and that the device ID has been verified as legitimate.
Finally, the device driver replies Eb(Rb) to the base station, confirming that device authentication is complete.
In the above, C denotes a certificate, D a private key, E a public key, T a timestamp, R a random number, I an identity proof and d random information; the subscript a denotes the device and b the base station.
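The exchange of Fig. 4, as an added Go example that is not the patent's own code. It implements Dx as an ECDSA P-256 signature over a JSON encoding of the message, carried alongside the signature (which is what "recover M from Da(M)" amounts to with a signature scheme that does not give message recovery), the timestamp window and database lookup on the base station, the echo checks of Ra and d on the device, and the final confirmation. The outer encryption Ex of the patent, which adds confidentiality to the exchange but nothing to the authentication, is left out: messages travel signed but in the clear, and the third message is Rb signed by the device rather than Eb(Rb). The curve, the 30-second skew window, the device ID and the database contents are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Body holds the signed fields of both directions: the device sends
// M = (Ta, Ra, Ia, d) and the base station answers Mm = (Tb, Rb, Ia, Ra, d).
type Body struct {
	T     int64  // sender's timestamp, Unix seconds
	R     []byte // sender's fresh random number
	I     string // device identity proof: the device ID from its certificate
	PeerR []byte // echo of the peer's random number (Ra in the reply), nil in M
	D     []byte // random information
}

type Signed struct{ M, Sig []byte } // D_x(M) with M attached: signed bytes plus signature

// Party is one side of the exchange with its long-term P-256 key pair; its
// public key stands for the public-key certificate the peer already holds.
type Party struct{ key *ecdsa.PrivateKey }

func NewParty() Party {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return Party{k}
}

func (p Party) Pub() *ecdsa.PublicKey { return &p.key.PublicKey }

// Sign produces D_self(b): an ECDSA signature over the SHA-256 of the encoded body.
func (p Party) Sign(b Body) Signed {
	m, _ := json.Marshal(b)
	h := sha256.Sum256(m)
	sig, err := ecdsa.SignASN1(rand.Reader, p.key, h[:])
	if err != nil {
		panic(err)
	}
	return Signed{m, sig}
}

// Verify returns the body only if peer's signature over it checks out.
func Verify(peer *ecdsa.PublicKey, s Signed) (b Body, err error) {
	if h := sha256.Sum256(s.M); !ecdsa.VerifyASN1(peer, h[:], s.Sig) {
		return b, errors.New("signature does not verify")
	}
	return b, json.Unmarshal(s.M, &b)
}

const maxSkew int64 = 30 // seconds of clock difference the base station tolerates on Ta

func nonce() []byte { b := make([]byte, 16); rand.Read(b); return b }

// ThreeWay runs the exchange between a device whose certificate names devID and a base
// station whose authentication server holds the provisioned IDs in known (Unix-second clocks).
func ThreeWay(dev, bs Party, devID string, known map[string]bool, devClock, bsClock int64) error {
	// 1. device -> BS: D_a(M), M = (Ta, Ra, Ia, d)
	m := Body{T: devClock, R: nonce(), I: devID, D: nonce()}
	got, err := Verify(dev.Pub(), dev.Sign(m))
	if err != nil {
		return err
	}
	// BS: Ta must be fresh and Ia must be in the database (the second identifier)
	if got.T < bsClock-maxSkew || got.T > bsClock+maxSkew || !known[got.I] {
		return errors.New("stale timestamp or device ID not provisioned at the authentication server")
	}
	// 2. BS -> device: D_b(Mm), Mm = (Tb, Rb, Ia, Ra, d)
	mm := Body{T: bsClock, R: nonce(), I: got.I, PeerR: got.R, D: got.D}
	rep, err := Verify(bs.Pub(), bs.Sign(mm))
	if err != nil {
		return err
	}
	if rep.I != devID || !bytes.Equal(rep.PeerR, m.R) || !bytes.Equal(rep.D, m.D) {
		return errors.New("reply does not answer this device's request")
	}
	// 3. device -> BS: Rb, signed by the device, confirms that it read the reply
	fin, err := Verify(dev.Pub(), dev.Sign(Body{R: rep.R}))
	if err != nil || !bytes.Equal(fin.R, mm.R) {
		return errors.New("final confirmation failed")
	}
	return nil
}

func main() {
	dev, bs := NewParty(), NewParty()
	known := map[string]bool{"ZTE-NIC-0123456789AB": true} // constructed AS database
	fmt.Println("provisioned device:", ThreeWay(dev, bs, "ZTE-NIC-0123456789AB", known, time.Now().Unix(), time.Now().Unix()))
	fmt.Println("unknown device:", ThreeWay(dev, bs, "NOT-PROVISIONED", known, time.Now().Unix(), time.Now().Unix()))
}
```

Each side verifies before it acts on anything: the base station rejects a request whose Ta falls outside its window or whose Ia is not provisioned, the device rejects a reply that does not echo its own Ra and d (so a reply captured from another session cannot be replayed to it), and the base station accepts the exchange only when Rb comes back under the device's signature.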
In summary, by means of the technical scheme of the invention, counterfeit or illegal WiMAX wireless network card devices can be effectively prevented from accessing the network, the security of the device interface is improved, and the security and interests of equipment manufacturers, network operators and end users are effectively protected.
The above are only preferred embodiments of the invention and do not limit it; for a person skilled in the art, the invention may have various changes and variations. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (5)

1. An authentication method for an access device of a Worldwide Interoperability for Microwave Access system, characterised in that it comprises:
Step S202, when the access device accesses the network, the access device obtains the digital certificate stored in the access device, wherein the digital certificate contains a first identifier;
Step S203, the access device reads a third identifier from its local storage and judges whether the third identifier is identical to the first identifier in the digital certificate, and if so executes step S204;
Step S204, the network side authenticates the device according to a locally stored second identifier and the digital certificate;
wherein the first identifier, the second identifier and the third identifier are information that is unique to the access device and cannot be modified; the unique, unmodifiable information includes the serial number of the network card's processor chip.
2. The method according to claim 1, characterised in that the method specifically comprises the following steps:
Step 2: the device driver of the access device requests the device's X.509 certificate from the device firmware;
Step 3: the device firmware reads the device's X.509 certificate from non-volatile memory and sends it to the device driver;
Step 4: the device driver requests the device ID from the device firmware;
Step 5: the device firmware reads the device ID and sends it to the device driver;
Step 6: the device driver compares the device ID with the contents of the X.509 certificate to determine whether the device ID in the X.509 certificate matches the physical device ID; if they match, step 7 is executed; Step 7: the device driver initiates the X.509 three-way authentication procedure with the base station on the network side, and the two confirm each other's identity; the base station extracts the device ID from the received X.509 certificate, compares it with the database of the authentication server, in which device identifiers are stored in advance, and returns the device authentication result; wherein the device ID read by the device firmware is the third identifier, the device ID in the X.509 certificate is the first identifier, and the device identifier stored in advance in the database is the second identifier.
3. The method according to claim 1, characterised in that step S204 further comprises:
the access device authenticates the network side using the digital certificate and the second identifier.
4. The method according to claim 1, characterised in that
before the authentication is carried out, the method further comprises locking the application programming interface of the access device so that it cannot be called;
after the authentication is carried out, the method further comprises releasing the lock on the application programming interface of the access device.
5. The method according to any one of claims 1 to 4, characterised in that the digital certificate is an X.509 certificate.
Application CN2008100883042A, priority date 2008-03-25, filing date 2008-03-25: Authentication method of access equipment of global microwave access intercommunication system, Expired - Fee Related, granted as CN101272253B.

Publications (2)

Publication Number Publication Date
CN101272253A 2008-09-24
CN101272253B 2010-09-01

Family

ID=40005966; the family consists of the single application CN2008100883042A, granted as CN101272253B (CN), Expired - Fee Related.

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101753354A * 2008-12-22 2010-06-23 北京中星微电子有限公司 Method for realizing the automatic configuration of network camera and monitoring system
CN101742506A * 2009-11-11 2010-06-16 中兴通讯股份有限公司 Method and device for network access
CN105635062B * 2014-10-31 2019-11-29 腾讯科技(上海)有限公司 The verification method and device of network access equipment
US20170063841A1 * 2015-08-27 2017-03-02 Sony Corporation Trusting intermediate certificate authorities

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6854056B1 * 2000-09-21 2005-02-08 International Business Machines Corporation Method and system for coupling an X.509 digital certificate with a host identity
CN1482549A * 2002-09-09 2004-03-17 中国科学院研究生院 Identity authentication device and method for network equipment
CN1494258A * 2002-11-01 2004-05-05 华为技术有限公司 Safety management method of network comprehensive switch on equipment
CN101127659A * 2007-09-06 2008-02-20 中兴通讯股份有限公司 Method for controlling online mobile terminal via user authentication in WiMAX system

Legal Events

Code Title
C06 / PB01 Publication
C10 / SE01 Entry into substantive examination (entry into force of the request for substantive examination)
C14 / GR01 Grant of patent or utility model
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 2010-09-01

Termination date: 2021-03-25