CN101453394A - Method, system and equipment for access control - Google Patents

Method, system and equipment for access control

Info

Publication number: CN101453394A
Authority: CN (China)
Application number: CNA2007101875797A
Legal status: Granted; Expired - Fee Related
Other languages: Chinese (zh)
Other versions: CN101453394B
Inventor: 赵牧
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN2007101875797A (CN101453394B)
Priority to PCT/CN2008/073256 (WO2009074082A1)
Publication of CN101453394A
Application granted
Publication of CN101453394B

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor > H04W 4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/08 Access security > H04W 12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/08 Access security > H04W 12/086 Access security using security domains

Abstract

The invention discloses a method for controlling the access of user equipment in a wireless personal area network (WPAN). The method comprises: the access device of the WPAN holds a preset mapping between a user equipment identifier in the WPAN and the service identifier of a service, in a remote server, that the user equipment is entitled to receive; the access device receives an access request sent by a user equipment in the WPAN, the access request carrying a user equipment identifier and a service identifier; when the user equipment identifier and service identifier carried in the access request are consistent with the mapping stored in the access device, the request passes the access authority verification; and the access device sends an access request to the remote server corresponding to the service identifier. The invention also discloses a system for controlling the access of user equipment in a WPAN, and an access device. The method, system and access device reduce the occupation of wireless transmission resources in the WPAN.

Description

Method, system and device for access control
Technical field
The present invention relates to network communication technology, and in particular to an access control method, system and device.
Background
A wireless personal area network (WPAN, Wireless Personal Area Network) is a network made up of several devices located close to one another. Fig. 1 is a networking schematic diagram of a WPAN. Referring to Fig. 1, a WPAN comprises several user equipments and one or more access devices. Inside the WPAN, the user equipments can communicate with each other directly over the wireless link, that is, data exchanged between user equipments need not pass through the carrier network. A user equipment in the WPAN can of course also communicate with equipment in the external carrier network; in that case the communication data must be forwarded by the access device of the WPAN.
When a user equipment in the WPAN communicates with equipment in the external carrier network, access control is usually applied to the user equipment: for example, authorized user equipments are allowed to access a server in the carrier network, while unauthorized user equipments are refused access. Fig. 2 is a flow chart of access control applied to a user equipment in a WPAN in the prior art. Referring to Fig. 2, in the prior art the process of performing access control on a user equipment in the WPAN comprises the following steps:
Step 201: the user equipment in the WPAN obtains an access key in advance.
Usually, the user equipment sends a request message to a key generation server in the external carrier network and obtains the access key from that key generation server.
Step 202: the user equipment in the WPAN carries its user equipment identifier and the obtained access key in an access request and sends it to the access device in the WPAN.
Step 203: the access device in the WPAN forwards the user equipment identifier and access key carried in the access request to an authentication server, which verifies the access authority of the user equipment according to the received access key.
In this step, the access authority verification may also be performed not by the authentication server but directly by the access device, according to the access key, after it receives the access request.
Step 204: after successful verification, the access device in the WPAN performs processing such as address translation and protocol conversion on the access request, and sends the processed access request to the corresponding remote server in the external carrier network.
Step 205: the corresponding remote server in the external carrier network provides the corresponding service to the user equipment in the WPAN.
As can be seen from the flow shown in Fig. 2, in the prior art the access authority verification of a user equipment in the WPAN is based on the access key sent by the user equipment, so the user equipment must obtain the access key in advance. To obtain the access key, the user equipment in the WPAN must use the WPAN's wireless transmission resources to send a request message to the key generation server in the external carrier network, and the WPAN's wireless transmission resources are used again when the access key returned by the key generation server is sent to the user equipment. Moreover, if several user equipments need access, each must obtain an access key separately, so even more wireless transmission resources are occupied. Because a WPAN is a personal network based on wireless transmission, its wireless transmission resources are very limited; the prior-art approach therefore increases the burden on the WPAN by occupying a large amount of its wireless transmission resources.
Summary of the invention
The embodiments of the present invention aim to provide a method and system for performing access control on user equipment in a WPAN, and an access device, so as to reduce the occupation of wireless transmission resources in the WPAN.
To achieve the above object, the technical solution of the embodiments of the present invention is as follows:
A method for performing access control on user equipment in a WPAN, the method comprising:
presetting, in the access device of the WPAN, a mapping between the user equipment identifier in the WPAN and the service identifier of the service in the remote server that the user equipment is entitled to;
the access device receiving an access request sent by a user equipment in the WPAN, the access request carrying a user equipment identifier and a service identifier;
when the user equipment identifier and service identifier carried in the access request are consistent with the mapping stored in the access device, passing the access authority verification;
the access device sending an access request to the remote server corresponding to the service identifier.
A system for performing access control on user equipment in a WPAN, the system comprising:
an access device in the WPAN, configured to store the mapping between the user equipment identifier in the WPAN and the service identifier of the service in the remote server that the user equipment is entitled to; to receive an access request sent by a user equipment in the WPAN, the access request carrying a user equipment identifier and a service identifier; to pass the access authority verification when it detects that the user equipment identifier and service identifier carried in the access request are consistent with the stored mapping; and to send an access request to the remote server corresponding to the service identifier;
a user equipment in the WPAN, configured to send an access request to the access device of the WPAN, the access request carrying the user equipment identifier and the service identifier.
An access device, comprising:
a mapping storage unit, configured to store the mapping between the user equipment identifier in the WPAN and the service identifier of the service in the remote server that the user equipment is entitled to;
a message receiving and processing unit, configured to receive an access request sent by a user equipment in the WPAN, to provide the user equipment identifier and service identifier carried in the access request to the access control unit, and, after receiving notification that the access authority verification has passed, to send an access request to the remote server corresponding to the service identifier carried in the access request;
an access control unit, configured to notify the message receiving and processing unit that the access authority verification has passed after detecting that the user equipment identifier and service identifier provided by the message receiving and processing unit are consistent with the mapping stored in the mapping storage unit.
Thus, in the embodiments of the present invention, when access control is performed on a user equipment in the WPAN, the access device verifies the access authority according to the user equipment identifier and service identifier in an ACL. The user equipment in the WPAN therefore need not obtain an access key, which avoids the prior-art drawback of occupying the limited transmission resources inside the WPAN, saves the wireless transmission resources of the WPAN and reduces the burden on the WPAN.
Brief description of the drawings
Fig. 1 is a networking schematic diagram of a WPAN.
Fig. 2 is a flow chart of access control applied to a user equipment in a WPAN in the prior art.
Fig. 3 is a flow chart of access control applied to a user equipment in a WPAN in an embodiment of the present invention.
Fig. 4 is a schematic diagram of a first ACL storage form in an embodiment of the present invention.
Fig. 5 is a schematic diagram of a second ACL storage form in an embodiment of the present invention.
Fig. 6 is a schematic structural diagram of a system for performing access control on user equipment in a WPAN in an embodiment of the present invention.
Fig. 7 is a schematic diagram of the basic structure of a WPAN access device in an embodiment of the present invention.
Fig. 8 is a schematic diagram of an optimized structure of a WPAN access device in an embodiment of the present invention.
Detailed description
To make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the embodiments are described in further detail below with reference to the drawings and specific embodiments.
The embodiments of the present invention mainly preset, in the access device of the WPAN, a mapping between the user equipment identifier in the WPAN and the service identifier of the service in the remote server that the user equipment is entitled to. After the access device receives an access request sent by a user equipment in the WPAN, the access request carrying a user equipment identifier and a service identifier, if the user equipment identifier and service identifier carried in the access request are consistent with the mapping stored in the access device, the access authority verification is passed, and the access device sends an access request to the remote server corresponding to the service identifier.
Fig. 3 is a flow chart of access control applied to a user equipment in a WPAN in an embodiment of the present invention. Referring to Fig. 1 and Fig. 3, and taking as an example a user equipment that needs to access remote server 1 in the external carrier network, the process of performing access control on the user equipment comprises the following steps:
Step 301: remote server 1 and the access device in the WPAN obtain the same shared key Ku in advance.
This step may be implemented as follows: the operator sets the shared key Ku in the access device and in remote server 1 respectively, manually or in another secure manner; or the operator sets the shared key Ku, manually or in another secure manner, on only one of the access device and remote server 1, say on remote server 1, and the device on which Ku was set then sends Ku to the other device, e.g. the access device, in a secure manner such as in encrypted form.
Step 302: remote server 1 and the access device in the WPAN obtain in advance the key generation algorithm corresponding to each service of remote server 1.
This step may be implemented as follows: the operator sets the key generation algorithm corresponding to each service of remote server 1 in the access device and in remote server 1 respectively, manually or in another secure manner; or the operator sets the key generation algorithms, manually or in another secure manner, on only one of the access device and remote server 1, say on remote server 1, and the device on which they were set then sends the key generation algorithm corresponding to each service of remote server 1 to the other device, e.g. the access device, in a secure manner such as in encrypted form.
In this step, the key generation algorithms corresponding to different services may be the same or different.
Step 303: remote server 1 generates a random number corresponding to each service, according to the number of services it can provide to user equipments in the WPAN, and sends the random number corresponding to each service to the access device.
Step 304: for each available service, remote server 1 uses the shared key Ku, the key generation algorithm corresponding to that service and the random number to generate the access key corresponding to that service.
For example, if remote server 1 can provide n (n a natural number) kinds of service to user equipments in the WPAN, then n random numbers are generated in step 302, denoted Rand1, Rand2, ..., Randn.
In this step 303, the access keys generated by remote server 1 for each service can be denoted K1 = h1(Ku, Rand1), K2 = h2(Ku, Rand2), ..., Kn = hn(Ku, Randn).
Step 305: for each service available on remote server 1, the access device uses the shared key Ku, the key generation algorithm corresponding to that service and the random number to generate the access key corresponding to that service.
Here, the access keys generated by the access device for each service are identical to those of remote server 1, and can likewise be denoted K1 = h1(Ku, Rand1), K2 = h2(Ku, Rand2), ..., Kn = hn(Ku, Randn).
After this step, remote server 1 and the access device in the WPAN each hold the access key corresponding to each service of remote server 1. Concretely, this mapping is between the identifier of each service, such as its name or code, and the access key.
Step 306: the access device uses the preset identifiers of the services in remote server 1 that the user equipment is entitled to, together with the access key corresponding to each service, to generate and store an access control list (ACL).
In the access device, the identifiers of the services in remote server 1 that a user equipment is entitled to can be preset using the service subscription information provided by remote server 1.
Here, the ACL embodies the three-way mapping between user equipment identifier, service identifier and the access key of the service. The storage form of this three-way mapping, i.e. the storage form of the ACL, includes but is not limited to the following two:
Storage form one:
In this step 306, the access device may store the three-way mapping between user equipment identifier, service identifier and access key in a single ACL. Referring to the ACL shown in Fig. 4, one record is the mapping between user equipment 2 in the WPAN, service 5 and the access key corresponding to service 5; another record is the mapping between user equipment 2 in the WPAN, service 9 and the access key corresponding to service 9. If a user equipment in the WPAN, say user equipment n, is not entitled to any service of any remote server, a record must still be created for user equipment n in the ACL shown in Fig. 4, in which the service identifier and access key corresponding to user equipment n are an empty marker.
Storage form two:
In this step 306, the access device may store the mapping between user equipment identifier and service identifier, and the mapping between service identifier and access key, in different ACLs. Referring to ACL1 and ACL2 shown in Fig. 5, each record in ACL1 is a mapping between a user equipment identifier and a service identifier, and each record in ACL2 is a mapping between a service identifier and an access key. If a user equipment in the WPAN, say user equipment n, is not entitled to any service of any remote server, only one record needs to be created for user equipment n in ACL1 shown in Fig. 5, in which the service identifier corresponding to user equipment n is an empty marker.
Step 307: when a new service that can be provided to user equipments is added on remote server 1, the access key corresponding to the newly added service is obtained on remote server 1 and on the access device respectively.
In this step, the way the access key corresponding to the newly added service is obtained on remote server 1 and on the access device is the same as the way the access key corresponding to any service is obtained in steps 302 to 305 above.
Step 308: when the access key corresponding to a service, say service 1, needs to be changed, the access key of service 1 is changed on remote server 1 and on the access device respectively.
Here, the process of changing the access key of service 1 on remote server 1 and on the access device is similar to the process above of generating the access key of a newly added service, and comprises: remote server 1 generates a new random number; remote server 1 uses the shared key Ku, the key generation algorithm corresponding to service 1 and this new random number to regenerate the access key corresponding to service 1, and replaces the stored access key of service 1 with the regenerated key; and remote server 1 sends the newly generated random number to the access device, which uses the shared key Ku, the key generation algorithm corresponding to service 1 and this new random number to regenerate the access key corresponding to service 1, and replaces the stored access key of service 1 with the regenerated key.
Step 309: after a service in remote server 1 is cancelled, remote server 1 carries the identifier of the cancelled service in a cancellation notice message and sends it to the access device.
Step 310: according to the service identifier carried in the cancellation notice message, the access device deletes from its own storage the access key corresponding to that service.
In steps 307 to 310 above, when the access device adds a service and its access key, changes a service and its access key, or deletes a service and its access key, the ACL must be modified accordingly, i.e. a record is added to, changed in or deleted from the ACL. That is to say: when a new service that can be provided to user equipments is added in the remote server, the access device adds to the ACL the mapping between the obtained access key of the newly added service, the user equipment identifier and the identifier of the newly added service; when the access key of a service in the remote server needs to be changed, the access device changes the access key corresponding to the identifier of that service in the ACL; when a service in the remote server is cancelled, the access device deletes from the ACL the three-way mapping between the identifier of that service, the user equipment identifier and the access key.
In addition, it can be seen from the implementation of steps 307 to 310 above that, once the ACL in the access device has been formed, only remote server 1 has the right to issue commands modifying the ACL, i.e. to trigger the access device to add, change or delete a record in the ACL. The reason remote server 1 triggers the addition of a record in the ACL (the process corresponding to step 307 above) may be that a user equipment in the WPAN has, by some means, subscribed to the newly added service of remote server 1. The reason remote server 1 triggers the deletion of a record in the ACL (the process corresponding to steps 309 to 310 above) may be that a user equipment in the WPAN has, by some means, cancelled a service of remote server 1, or that the remote server finds that the service the user equipment subscribed to has expired.
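The two ACL storage forms of step 306 and the ACL maintenance of steps 307 to 310, carried through as an added example that is not part of the patent. All device identifiers, service identifiers and access keys below are constructed sample values; the class is a hypothetical model of the access device's storage, with storage form two (ACL1 and ACL2, Fig. 5) as the working representation and storage form one (the single table of Fig. 4) derived from it.

```python
"""Added example (not the patent's own code): the Fig. 5 two-table ACL,
its flattening into the Fig. 4 single table, the (device, service) check
of step 312, and the add / change-key / delete operations of steps 307-310.
Identifiers and keys are constructed sample values."""

EMPTY = None  # the "empty marker" of a record for a device entitled to no service


class AccessDeviceAcl:
    """Storage form two: ACL1 maps user equipment id -> set of service ids,
    ACL2 maps service id -> access key."""

    def __init__(self):
        self.acl1 = {}  # device_id -> set of service ids
        self.acl2 = {}  # service_id -> access key (bytes)

    def register_device(self, device_id):
        # A device entitled to nothing still gets its own record (empty marker).
        self.acl1.setdefault(device_id, set())

    def add_service(self, device_id, service_id, access_key):
        # Step 307: a new (device, service, key) mapping enters the ACL.
        self.acl1.setdefault(device_id, set()).add(service_id)
        self.acl2[service_id] = access_key

    def change_key(self, service_id, new_key):
        # Step 308: only the key of the service changes; entitlements are untouched.
        if service_id not in self.acl2:
            raise KeyError("unknown service %r" % service_id)
        self.acl2[service_id] = new_key

    def cancel_service(self, service_id):
        # Steps 309-310: drop the key and every device entitlement for the service.
        self.acl2.pop(service_id, None)
        for services in self.acl1.values():
            services.discard(service_id)

    def has_authority(self, device_id, service_id):
        # Step 312 in the Fig. 5 form: only ACL1 is searched.
        return service_id in self.acl1.get(device_id, set())

    def key_for(self, service_id):
        return self.acl2.get(service_id)

    def as_form_one(self):
        """Flatten into Fig. 4 records (device, service, key). A device with
        no entitled service yields one record whose service and key are EMPTY."""
        rows = []
        for device_id, services in sorted(self.acl1.items()):
            if not services:
                rows.append((device_id, EMPTY, EMPTY))
            for service_id in sorted(services):
                rows.append((device_id, service_id, self.acl2[service_id]))
        return rows


def lookup_form_one(rows, device_id, service_id):
    """Step 312 in the Fig. 4 form: search the single table for the pair."""
    return any(d == device_id and s == service_id for d, s, _ in rows)


def build_sample_acl():
    """Constructed lifecycle: UE2 is entitled to services 5 and 9 (as in
    Fig. 4), UE3 to service 9, UE-n to nothing; then the key of service 5
    is changed (step 308) and service 9 is cancelled (steps 309-310)."""
    acl = AccessDeviceAcl()
    acl.add_service("ue2", "svc5", b"K5")
    acl.add_service("ue2", "svc9", b"K9")
    acl.add_service("ue3", "svc9", b"K9")
    acl.register_device("ue-n")
    acl.change_key("svc5", b"K5-new")
    acl.cancel_service("svc9")
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    for row in acl.as_form_one():
        print(row)
```

After the cancellation, UE3 is left with an empty-marker record rather than being removed, which is exactly the Fig. 4 convention: every device in the WPAN keeps a row even when it is entitled to no service, so the access device can distinguish "known device, no entitlement" from "unknown device".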
Step 311: when a user equipment in the WPAN needs to use a service in remote server 1, the user equipment sends to the access device in the WPAN an access request carrying the identifier of remote server 1, its own user equipment identifier and the service identifier.
In this embodiment, the remote server identifier may also be combined with the service identifier, i.e. the service identifier field may include the identifier of the remote server. Correspondingly, the service identifier field stored in the access device may also include the identifier of the remote server.
Step 312: the access device in the WPAN uses the remote server 1 identifier, user equipment identifier and service identifier extracted from the received access request to search the stored ACL, and judges according to the ACL whether the user equipment has access authority; if so, step 314 is executed, otherwise step 313 is executed.
Here, the process of judging according to the ACL whether the user equipment has access authority is: judge whether the mapping between the user equipment identifier and the service identifier extracted from the access request can be found in the ACL; if it can be found, determine that the user equipment has access authority, otherwise determine that the user equipment has no access authority. When the ACL is stored in the form of the single table shown in Fig. 4, only that table need be searched in this step; when the ACL is stored in the form of the two tables shown in Fig. 5, ACL1 need be searched in this step.
Step 313: the access device sends an access-refused notification message to the user equipment in the WPAN, and the current flow ends.
Step 314: the access device carries the address of remote server 1, the service identifier and the access key corresponding to that service identifier, as found by searching the ACL, in the access request, and sends it to remote server 1.
Here, the address of remote server 1 carried in the access request includes but is not limited to an IP address.
Preferably, carrying the access key in the access request may be implemented by encapsulating the access key in the access request.
Step 315: remote server 1 extracts the service identifier and access key from the received access request and judges whether the access key is correct; if so, step 317 is executed, otherwise step 316 is executed.
Here, the process by which remote server 1 judges whether the access key is correct is: according to the service identifier extracted from the received access request, remote server 1 looks up the access key it stores for that service identifier, and judges whether the access key extracted from the access request is identical to the key found; if identical, the access key is determined to be correct, otherwise the access key is determined to be wrong.
Step 316: remote server 1 sends access-key-error information to the access device, the access device sends an access-refused notification message to the user equipment in the WPAN, and the current flow ends.
Step 317: remote server 1 provides the corresponding service to the user equipment in the WPAN via the access device.
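The Fig. 3 flow (key setup in steps 301 to 305, the access request and double verification in steps 311 to 317, and the key change of step 308) carried through as an added example that is not part of the patent. The patent does not fix the key generation algorithms h_i, the message format or any addresses; this example assumes HMAC-SHA256 keyed with Ku over the service identifier and the random number for every service, plain dictionaries as messages, and constructed identifiers, addresses and shared key. `RemoteServer`, `AccessDevice` and `run_scenario` are hypothetical names introduced here.

```python
"""Added example (not the patent's own code): remote server 1 and the WPAN
access device derive per-service access keys from the shared key Ku and
the random numbers, the access device checks ACL1 (step 312), forwards the
request with the key (step 314), and the remote server checks the key
(step 315). Assumed h_i: HMAC-SHA256. All values are constructed samples."""
import hashlib
import hmac
import secrets


def derive_access_key(ku, service_id, rand):
    """K_i = h_i(Ku, Rand_i). Assumption: h_i is HMAC-SHA256 keyed with Ku,
    with the service identifier mixed into the input so that every service
    gets a distinct key even though one algorithm serves all services."""
    return hmac.new(ku, service_id.encode() + rand, hashlib.sha256).digest()


class RemoteServer:
    """Remote server 1: generates one random number per service (step 303),
    derives the keys (step 304) and verifies forwarded requests (step 315)."""

    def __init__(self, ku, services):
        self.ku = ku
        self.rands = {s: secrets.token_bytes(16) for s in services}
        self.keys = {s: derive_access_key(ku, s, r) for s, r in self.rands.items()}

    def change_key(self, service_id):
        """Step 308, server side: new random number, regenerated key. The new
        random number is returned because it must reach the access device."""
        self.rands[service_id] = secrets.token_bytes(16)
        self.keys[service_id] = derive_access_key(self.ku, service_id, self.rands[service_id])
        return self.rands[service_id]

    def handle_access_request(self, req):
        expected = self.keys.get(req["service"])
        if expected is None or not hmac.compare_digest(expected, req["access_key"]):
            return {"status": "key_error"}                        # step 316
        return {"status": "service", "service": req["service"]}   # step 317


class AccessDevice:
    """WPAN access device: derives the same keys from Ku and the received
    random numbers (step 305), holds ACL1 (device -> entitled services, the
    Fig. 5 form) and performs the first of the two verifications."""

    def __init__(self, ku, rands, acl1):
        self.ku = ku
        self.keys = {s: derive_access_key(ku, s, r) for s, r in rands.items()}
        self.acl1 = acl1

    def update_key(self, service_id, new_rand):
        # Step 308, access-device side.
        self.keys[service_id] = derive_access_key(self.ku, service_id, new_rand)

    def handle_access_request(self, req, server):
        # Step 312: is the (device, service) pair present in ACL1?
        if req["service"] not in self.acl1.get(req["device"], set()):
            return {"status": "refused"}                          # step 313
        forwarded = {                                             # step 314
            "server_addr": "192.0.2.1",  # constructed placeholder address
            "service": req["service"],
            "access_key": self.keys[req["service"]],
        }
        reply = server.handle_access_request(forwarded)
        if reply["status"] != "service":
            return {"status": "refused"}                          # step 316, as the UE sees it
        return reply


def run_scenario():
    """Constructed walk-through; returns the outcome of each access request."""
    ku = secrets.token_bytes(32)                        # step 301, shared out of band
    server = RemoteServer(ku, ["svc5", "svc9"])         # steps 302-304
    acl1 = {"ue2": {"svc5", "svc9"}, "ue-n": set()}     # step 306 entitlements
    device = AccessDevice(ku, server.rands, acl1)       # step 305
    out = {}
    # Step 311: UE2 asks for svc5; ACL check passes and the key matches.
    out["entitled"] = device.handle_access_request({"device": "ue2", "service": "svc5"}, server)["status"]
    # A device with an empty-marker record is refused locally; the server is never contacted.
    out["unentitled"] = device.handle_access_request({"device": "ue-n", "service": "svc5"}, server)["status"]
    # Step 308 applied on the server only: the access device's key is stale, so the second check fails.
    new_rand = server.change_key("svc5")
    out["stale_key"] = device.handle_access_request({"device": "ue2", "service": "svc5"}, server)["status"]
    # Once the new random number reaches the access device, both sides agree again.
    device.update_key("svc5", new_rand)
    out["after_update"] = device.handle_access_request({"device": "ue2", "service": "svc5"}, server)["status"]
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The `stale_key` case is the point of the second verification: the ACL check alone would have admitted UE2, but because the key for service 5 was regenerated only on remote server 1, the key the access device forwards no longer matches and the request is refused until the new random number has been delivered, which is why step 308 changes the key on both sides.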
Need to prove, in above-mentioned flow process shown in Figure 3, generate the way of corresponding access key respectively at remote server 1 available each business service, just in the embodiment of the invention for fear of a kind of access key of business service stolen after, influence a kind of preferred process mode of other business service.In the business realizing of reality, also can not consider the quantity of remote server 1 available business service, all business service are shared a key schedule and a random number, that is to say the corresponding shared access key of all business service.Its specific implementation process and above-mentioned process shown in Figure 3 are similar.
In embodiments of the present invention, remote server is meant in the outside carrier network equipment that can service is provided or subscriber equipment is controlled by the subscriber equipment of the access device among the WPAN in WPAN.Wherein, external network includes but not limited to the Internet, IP network or wireless network.And the access device among the WPAN includes but not limited to gateway device or access point.
And in embodiments of the present invention, the sign of subscriber equipment can be other a intrinsic information of the IEEE address of this subscriber equipment or this subscriber equipment among the WPAN.
Need to prove that in the present embodiment, the access device utilization is shared key K u, key schedule and random number and obtained inserting key.But the method that access device obtains the access key is not limited thereto.For example, send to access device after can using the point-to-point key of sharing with access device will insert secret key encryption by remote server, after also can obtaining to insert key, adopt manual mode on access device, to insert the setting of key by other safe modes.In addition, access device is preserved the corresponding relation of user ID and business service sign, except adopting ACL, also can adopt other forms.
As can be seen from the flow of the embodiment shown in Figure 3, the access device in the WPAN first performs access permission verification on the user equipment, and the remote server then verifies the correctness of the access key; this double verification further guarantees the security of user equipment access. Alternatively, the operator's trust in the access device can be established in advance, so that once access permission verification has passed the remote server provides the service without a further access key verification. When access key verification is not needed, the access device only has to store the mapping between service identifiers and user equipment identifiers, and need not store the mapping between service identifiers and access keys.

As can also be seen from the flow of the embodiment shown in Figure 3, the whole access control process needs neither the dedicated key generation server nor the dedicated authentication server of the prior art: key generation and authentication are performed by the remote server and the access device respectively. The operator therefore need not deploy a dedicated key generation server and a dedicated authentication server in the network, which reduces the operator's cost. Moreover, the information exchange with the dedicated key generation server and the dedicated authentication server required in the prior art is eliminated, and when several users need to obtain a service they need not each interact with the external operator network individually; only the access device interacts with the external operator network. The embodiment of the invention therefore also simplifies the access control process.
It should be understood that although the steps of the method in the above embodiment are described in sequence for ease of understanding, this does not impose a strict restriction on the order of the steps.
Those of ordinary skill in the art will also understand that all or part of the steps in the above embodiment can be implemented by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc.
Correspondingly, the embodiment of the invention also proposes a system for performing access control on user equipment. Fig. 6 shows the structure of a system for performing access control on user equipment in a WPAN according to an embodiment of the invention. Referring to Fig. 6, the system comprises:
an access device in the WPAN, used to store the mapping between user equipment identifiers in the WPAN and the service identifiers of the services in the remote server that the user equipment is entitled to, to receive an access request sent by user equipment in the WPAN, the access request carrying a user equipment identifier and a service identifier, and, on detecting that the user equipment identifier and service identifier carried in the access request are consistent with the stored mapping, to pass access permission verification and send an access request to the remote server corresponding to the service identifier;
user equipment in the WPAN, used to send the access request to the access device in the WPAN, the access request carrying the user equipment identifier and the service identifier.
Correspondingly, the embodiment of the invention also proposes an access device. Fig. 7 is a schematic diagram of the basic structure of a WPAN access device according to an embodiment of the invention. Referring to Fig. 7, the access device comprises:
a mapping storage unit, used to store the mapping between user equipment identifiers in the WPAN and the service identifiers of the services in the remote server that the user equipment is entitled to;
a message receiving and processing unit, used to receive the access request sent by user equipment in the WPAN, to provide the user equipment identifier and service identifier carried in the access request to the access control unit, and, after receiving notification that access permission verification has passed, to send an access request to the remote server corresponding to the service identifier carried in the access request;
an access control unit, used to notify the message receiving and processing unit that access permission verification has passed after detecting that the user equipment identifier and service identifier provided by the message receiving and processing unit are consistent with the mapping stored in the mapping storage unit.
Preferably, the mapping storage unit stores the mapping between the user equipment identifier and the service identifier in an ACL.
To further allow the remote server to subsequently verify the access key, the mapping storage unit is further used to store the mapping between the identifier of each service in the remote server and its access key;
the access control unit further determines, according to the mapping between the identifier of each service and its access key stored in the mapping storage unit, the access key corresponding to the service identifier provided by the message receiving and processing unit, and sends the determined access key to the message receiving and processing unit;
the message receiving and processing unit further includes the received access key in the access request before sending that request to the remote server.
Preferably, referring to Fig. 8, the access device further comprises an access key acquisition unit, wherein
the message receiving and processing unit further provides the random number corresponding to each service, as sent by the remote server, to the access key acquisition unit;
the access key acquisition unit is used to obtain the key Ku and the key generation algorithm corresponding to each service of the remote server, to derive, using Ku together with the key generation algorithm and the random number of each service, the mapping between the identifier of each service in the remote server and its access key, and to save this mapping in the mapping storage unit.
Preferably, when both the mapping between user equipment identifiers and service identifiers and the mapping between each service identifier and its access key are stored in ACLs, the mapping storage unit may store them in either of two ways: the user equipment identifier, service identifier and access key are stored as a triple in the same ACL; or the mapping between user equipment identifiers and service identifiers and the mapping between service identifiers and access keys are stored in different ACLs.
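The following Python simulation is an added illustration of the system and access device described above, not code from the patent: the access device checks the (user equipment identifier, service identifier) pair against its ACL, looks up the access key it derived from Ku, the per-service key generation algorithm and the server's random number, and only then forwards an access request to the remote server, which verifies the access key. The use of HMAC-SHA256 as the key generation algorithm, the identifier values and the message shapes are assumptions, since the patent does not specify them.

```python
# Added example (not the patent's code): simulation of the double verification
# performed by the WPAN access device and the remote server.
# Assumption: HMAC-SHA256 over the service's random number, keyed with Ku, stands
# in for the per-service "key generation algorithm", which the patent leaves open.
from __future__ import annotations

import hashlib
import hmac
import os


def derive_access_key(ku: bytes, algorithm: str, nonce: bytes) -> bytes:
    """Assumed key generation algorithm: Ku, the algorithm label and the
    server-chosen random number for the service produce the access key."""
    return hmac.new(ku, algorithm.encode() + b"|" + nonce, hashlib.sha256).digest()


class RemoteServer:
    """Operator-side server: generates the keys and verifies access requests."""

    def __init__(self, ku: bytes, algorithms: dict[str, str]) -> None:
        self.ku = ku
        self.algorithms = algorithms               # service id -> algorithm label
        self.nonces = {sid: os.urandom(16) for sid in algorithms}
        # mapping between service identifier and access key kept on the server
        self.access_keys = {sid: derive_access_key(ku, alg, self.nonces[sid])
                            for sid, alg in algorithms.items()}
        self.requests_seen = 0                     # requests that reached the operator network

    def provision(self) -> tuple[bytes, dict[str, str], dict[str, bytes]]:
        """What the access device obtains: Ku, per-service algorithm and random number."""
        return self.ku, dict(self.algorithms), dict(self.nonces)

    def handle_access_request(self, service_id: str, access_key: bytes) -> str | None:
        self.requests_seen += 1
        expected = self.access_keys.get(service_id)
        if expected is None or not hmac.compare_digest(expected, access_key):
            return None                            # access key check fails: no service
        return f"service:{service_id}"             # stands in for providing the service


class AccessDevice:
    """WPAN access device: ACL of (UE id, service id) pairs plus derived access keys."""

    def __init__(self, acl: set[tuple[str, str]]) -> None:
        self.acl = set(acl)                        # UE identifier <-> service identifier
        self.access_keys: dict[str, bytes] = {}    # service identifier <-> access key

    def provision_from(self, server: RemoteServer) -> None:
        """Access key acquisition unit: derive every service's access key locally."""
        ku, algorithms, nonces = server.provision()
        self.access_keys = {sid: derive_access_key(ku, algorithms[sid], nonces[sid])
                            for sid in algorithms}

    def handle_access_request(self, server: RemoteServer, ue_id: str, service_id: str) -> str | None:
        # Step 1 (access control unit): permission verification against the ACL.
        if (ue_id, service_id) not in self.acl:
            return None                            # nothing is forwarded to the operator network
        key = self.access_keys.get(service_id)
        if key is None:
            return None                            # no access key derived for this service yet
        # Step 2 (message receiving and processing unit): forward with the access key.
        return server.handle_access_request(service_id, key)


def demo() -> tuple[str | None, str | None, str | None, int]:
    """Constructed scenario: ue-1 is entitled to svc-a only; ue-2 is not in the ACL."""
    server = RemoteServer(ku=b"\x01" * 32, algorithms={"svc-a": "hmac-sha256", "svc-b": "hmac-sha256"})
    device = AccessDevice(acl={("ue-1", "svc-a")})
    device.provision_from(server)
    granted = device.handle_access_request(server, "ue-1", "svc-a")
    wrong_service = device.handle_access_request(server, "ue-1", "svc-b")
    unknown_ue = device.handle_access_request(server, "ue-2", "svc-a")
    return granted, wrong_service, unknown_ue, server.requests_seen


if __name__ == "__main__":
    print(demo())
```

Only the one request that passed the ACL ever reaches the server; the two rejected requests are dropped at the access device, which is the point of the text's claim that only the access device interacts with the operator network.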
It should be understood that the embodiments shown in the accompanying drawings are only schematic and represent a logical structure; units shown as separate components may or may not be physically separate, and components shown as units may or may not be physical units, that is, they may be located in one place or distributed over several network elements.
In summary, the above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (11)

1. A method for performing access control on user equipment of a wireless personal area network (WPAN), characterized in that the method comprises:
presetting, in an access device of the WPAN, a mapping between user equipment identifiers in the WPAN and the service identifiers of the services in the remote server that the user equipment is entitled to;
the access device receiving an access request sent by user equipment in the WPAN, the access request carrying a user equipment identifier and a service identifier;
when the user equipment identifier and service identifier carried in the access request are consistent with the mapping stored by the access device, passing access permission verification;
the access device sending an access request to the remote server corresponding to the service identifier.
2. The method according to claim 1, characterized in that the mapping between user equipment identifiers and service identifiers in the access device is stored in an access control list (ACL).
3. The method according to claim 1, characterized in that a mapping between the service identifiers of the services in the remote server and their access keys is also preset in the access device;
the step of the access device sending an access request to the remote server corresponding to the service identifier comprises: the access device determining, according to the mapping between service identifiers and access keys, the access key corresponding to the service identifier carried in the access request, and sending to the remote server corresponding to that service identifier an access request that includes the determined access key.
4. The method according to claim 3, characterized in that a mapping between service identifiers and access keys is preset in the remote server;
after the access device sends the access request to the remote server corresponding to the service identifier, the method further comprises: when the service identifier and access key carried in the access request are consistent with the mapping stored in the remote server, the remote server providing the user equipment with the service corresponding to the service identifier carried in the access request.
5. The method according to claim 3, characterized in that the method by which the access device presets the mapping between the service identifiers of the services in the remote server and their access keys comprises:
the access device obtaining the access key corresponding to each service according to the key Ku from the remote server and the key generation algorithm and random number corresponding to each service of the remote server;
setting the mapping between the service identifier of each service and its access key.
6. The method according to any one of claims 3 to 5, characterized in that when the mapping between user equipment identifiers and service identifiers and the mapping between service identifiers and access keys in the access device are stored in ACLs, the storage method is:
the user equipment identifier, service identifier and access key are stored as a triple in the same ACL;
or,
the mapping between user equipment identifiers and service identifiers and the mapping between service identifiers and access keys are stored in different ACLs.
7. A system for performing access control on user equipment of a WPAN, characterized in that the system comprises:
an access device in the WPAN, used to store the mapping between user equipment identifiers in the WPAN and the service identifiers of the services in the remote server that the user equipment is entitled to, to receive an access request sent by user equipment in the WPAN, the access request carrying a user equipment identifier and a service identifier, and, on detecting that the user equipment identifier and service identifier carried in the access request are consistent with the stored mapping, to pass access permission verification and send an access request to the remote server corresponding to the service identifier;
user equipment in the WPAN, used to send the access request to the access device in the WPAN, the access request carrying the user equipment identifier and the service identifier.
8. An access device, characterized in that the access device comprises:
a mapping storage unit, used to store the mapping between user equipment identifiers in the WPAN and the service identifiers of the services in the remote server that the user equipment is entitled to;
a message receiving and processing unit, used to receive the access request sent by user equipment in the WPAN, to provide the user equipment identifier and service identifier carried in the access request to the access control unit, and, after receiving notification that access permission verification has passed, to send an access request to the remote server corresponding to the service identifier carried in the access request;
an access control unit, used to notify the message receiving and processing unit that access permission verification has passed after detecting that the user equipment identifier and service identifier provided by the message receiving and processing unit are consistent with the mapping stored in the mapping storage unit.
9. The access device according to claim 8, characterized in that the mapping storage unit is used to store the mapping between the user equipment identifier and the service identifier in an ACL.
10. The access device according to claim 8 or 9, characterized in that the mapping storage unit is further used to store the mapping between service identifiers and access keys;
the access control unit further determines, according to the mapping between service identifiers and access keys stored in the mapping storage unit, the access key corresponding to the service identifier provided by the message receiving and processing unit, and sends the determined access key to the message receiving and processing unit;
the message receiving and processing unit is further used to include the received access key in the access request before sending that request to the remote server.
11. The access device according to claim 10, characterized in that the mapping storage unit is used to store the user equipment identifier, service identifier and access key as a triple in the same ACL; or to store the mapping between user equipment identifiers and service identifiers and the mapping between service identifiers and access keys in different ACLs.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2007101875797A CN101453394B (en) 2007-12-03 2007-12-03 Method, system and equipment for access control
PCT/CN2008/073256 WO2009074082A1 (en) 2007-12-03 2008-11-28 Access controlling method, system and device

Publications (2)

Publication Number Publication Date
CN101453394A true CN101453394A (en) 2009-06-10
CN101453394B CN101453394B (en) 2011-06-01

Country Status (2)

Country Link
CN (1) CN101453394B (en)
WO (1) WO2009074082A1 (en)


Also Published As

Publication number Publication date
CN101453394B (en) 2011-06-01
WO2009074082A1 (en) 2009-06-18


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110601

Termination date: 20201203