CN101867929B - Authentication method, system, authentication server and terminal equipment - Google Patents

Authentication method, system, authentication server and terminal equipment

Info

Publication number
CN101867929B
Authority
CN
China
Prior art keywords
information
identity
terminal equipment
info
certificate
Application number
CN 201010189995
Other languages
Chinese (zh)
Other versions
CN101867929A (en)
Inventor
罗来财
Original Assignee
北京星网锐捷网络技术有限公司


Abstract

The invention discloses an authentication method, system, authentication server and terminal device. The method comprises: sending a first identity digest request to the terminal device through a wireless access point; receiving, through the wireless access point, the first identity digest response returned by the terminal device, the response carrying a first identity digest and an initial random value, where the terminal device generated the first identity digest from its device information, the user's private information and the initial random value; generating first identity digest verification information from the initial random value and from the device information and private information obtained in advance from the terminal device; and comparing the first identity digest with the first identity digest verification information to obtain an authentication result, which is returned to the wireless access point. The technical scheme of the embodiments improves the security of network authentication.

Description

Authentication method, system, authentication server and terminal equipment
Technical field
The embodiments of the invention relate to the field of communication technology, and in particular to an authentication method, system, authentication server and terminal device.
Background technology
In WLAN access authentication, clients accessing the LAN are usually authenticated with digital certificates. A user who needs WLAN access first applies to the authentication server, through the terminal device, for a digital certificate. The certificate contains the user's basic information, public key information, a digital signature issued by an authority, and a validity period; it thereby binds the user's basic information to the public key and carries the authority's signature.
When the terminal device needs WLAN access, it completes the certificate verification flow with the authentication server using the certificate obtained in advance. The authentication server verifies the digital signature in the certificate reported by the terminal device and, if verification succeeds, notifies the terminal that certificate verification succeeded. Once it receives that notification, the terminal can access the WLAN and its network resources.
However, a digital certificate is a file that can be stored and copied. If an unauthorized user obtains the certificate illegitimately, for example by taking a removable storage device on which it is stored or by stealing it with malware, that user can impersonate the legitimate user and pass the authentication server's check, which lowers the security of network authentication. Moreover, where the rules require, for the security of network access, that a legitimate user may only use a designated terminal device, that user can still pass authentication and access network resources from a device other than the designated one simply by using the certificate on it, which also lowers the security of network authentication.
Summary of the invention
The invention provides an authentication method, system, authentication server and terminal device that improve the security of network authentication.
An embodiment of the invention provides an authentication method comprising:
sending a first identity digest request to the terminal device through a wireless access point (Access Point, AP);
receiving, through the wireless access point, the first identity digest response returned by the terminal device, the response carrying a first identity digest and an initial random value, where the first identity digest is generated by the terminal device from the device information, the private information and the initial random value;
generating first identity digest verification information from the initial random value and from the device information and private information obtained in advance from the terminal device;
comparing the first identity digest with the first identity digest verification information, obtaining an authentication result and returning it to the wireless access point.
Before the first identity digest request is sent to the terminal device through the wireless access point, the method further comprises:
receiving a certificate authentication request sent by the wireless access point, the request carrying a digital certificate that was contained in the access request the wireless access point received from the terminal device; the digital certificate contains a second identity digest and public key information, the second identity digest having been generated from the user's basic information, the device information, the private information and the public key information;
generating second identity digest verification information from the public key information extracted from the digital certificate and from the user basic information, device information and private information obtained in advance;
comparing whether the second identity digest verification information is identical to the second identity digest extracted from the digital certificate and, if so, proceeding to the step of sending the first identity digest request to the terminal device through the wireless access point.
An embodiment of the invention provides an authentication server comprising:
a first sending module, for sending a first identity digest request to the terminal device through a wireless access point;
a first receiving module, for receiving through the wireless access point the first identity digest response returned by the terminal device, the response carrying a first identity digest and an initial random value, the first identity digest having been generated by the terminal device from the device information, the private information and the initial random value;
a first generation module, for generating first identity digest verification information from the initial random value and from the device information and private information obtained in advance from the terminal device;
a first comparison module, for comparing the first identity digest with the first identity digest verification information, obtaining an authentication result and returning it to the wireless access point;
and further a second generation module and a second comparison module, where:
the first receiving module is also used for receiving the certificate authentication request sent by the wireless access point, the request carrying a digital certificate that was contained in the access request the wireless access point received from the terminal device, the digital certificate containing a second identity digest and public key information;
the second generation module is used for generating second identity digest verification information from the public key information extracted from the digital certificate and from the user basic information, device information and private information obtained in advance;
the second comparison module is used for comparing whether the second identity digest verification information is identical to the second identity digest extracted from the digital certificate, and for passing the comparison result "identical" to the first sending module.
An embodiment of the invention provides a terminal device comprising:
a second receiving module, for receiving the first identity digest request sent by the authentication server through a wireless access point;
a fifth generation module, for generating a first identity digest from the device information, the private information and an initial random value;
a second sending module, for returning a first identity digest response to the authentication server through the wireless access point, the response carrying the first identity digest and the initial random value, so that the authentication server can generate first identity digest verification information from the initial random value and from the device information and private information obtained in advance from the terminal device, compare the first identity digest with the first identity digest verification information, obtain an authentication result and return it to the wireless access point;
the second sending module is also used, before the first identity digest request is received, for sending an access request to the wireless access point, the access request carrying a digital certificate that contains a second identity digest and public key information.
An embodiment of the invention provides an authentication system comprising the above terminal device, a wireless access point and the above authentication server.
In the authentication method, system, authentication server and terminal device of this embodiment, the authentication server receives the first identity digest response that the terminal device returns through the wireless access point, the response carrying a first identity digest and an initial random value; it generates first identity digest verification information from the initial random value and from the device information and private information obtained in advance from the terminal device, compares the two, and returns the authentication result to the wireless access point. Because both the first identity digest and the first identity digest verification information are derived from the initial random value, the device information and the private information, authenticating with them prevents an unauthorized user who has obtained the digital certificate from impersonating the legitimate user, and prevents the legitimate user from passing authentication with the certificate on a device other than the designated one, which improves the security of network authentication.
Description of drawings
To explain the embodiments of the invention or the prior art more clearly, the drawings needed for the description are briefly introduced below. The drawings evidently illustrate only some embodiments of the invention; a person of ordinary skill in the art can derive further drawings from them without inventive effort.
Fig. 1 is a flow chart of an authentication method according to embodiment one;
Fig. 2 is a flow chart of an authentication method according to embodiment two;
Fig. 3 is a flow chart of an authentication method according to embodiment three;
Fig. 4 is a structural diagram of an authentication server according to embodiment four;
Fig. 5 is a structural diagram of an authentication server according to embodiment five;
Fig. 6 is a structural diagram of a terminal device according to embodiment six;
Fig. 7 is a structural diagram of an authentication system according to embodiment seven.
Embodiment
To make the purpose, technical scheme and advantages of the embodiments clearer, the technical scheme is described fully below with reference to the drawings. The embodiments described are only some of the embodiments of the invention, not all of them; all other embodiments that a person of ordinary skill in the art obtains from them without inventive effort fall within the scope of protection of the invention.
Fig. 1 is a flow chart of an authentication method according to embodiment one. As shown in Fig. 1, the method comprises:
Step 101: send a first identity digest request to the terminal device through the wireless access point.
Each step of this embodiment may be performed by the authentication server. The server sends the first identity digest request to the wireless access point, which forwards it to the terminal device.
Step 102: receive the first identity digest response that the terminal device returns through the wireless access point. The response carries a first identity digest and an initial random value; the terminal device generated the first identity digest from its device information, the private information and the initial random value.
In this embodiment, after receiving the first identity digest request forwarded by the wireless access point, the terminal device returns a first identity digest response to the access point, which forwards it to the authentication server.
The first identity digest returned by the terminal device is generated from the device information, the private information and the initial random value. The device information identifies the terminal device; the terminal may be, for example, a mobile phone or a computer. For a mobile phone the device information may be the international mobile subscriber identity (IMSI) or the International Mobile Equipment Identity (IMEI); for a computer it may be the hard disk serial number, CPU ID or mainboard ID. The private information may be a password entered by the user or, for example, the name of a family member; it identifies the user of the terminal and should be known only to that user. The initial random value may be a random number of fixed length, for example a 32-bit random number. Specifically, the terminal computes the first identity digest by applying a digest algorithm to the device information, the private information and the initial random value; the digest algorithm may be a hash algorithm such as MD5 or SHA-1.
Step 103: generate first identity digest verification information from the initial random value and from the device information and private information obtained in advance from the terminal device.
In this embodiment the authentication server has obtained the device information and the private information from the terminal device in advance. In this step it applies the digest algorithm (a hash such as MD5 or SHA-1) to the device information, the private information and the initial random value to produce the first identity digest verification information.
Step 104: compare the first identity digest with the first identity digest verification information, obtain an authentication result and return it to the wireless access point.
Specifically, the authentication result is either an authentication success message or an authentication failure message. The server compares whether the first identity digest and the first identity digest verification information are identical; if they are, it produces an authentication success message and returns it to the wireless access point; if they are not, it produces an authentication failure message and returns that instead.
The authentication method of this embodiment can be applied to the WLAN Authentication and Privacy Infrastructure (WAPI) protocol, to the IEEE 802.11i wireless security protocol for WLANs, or to authentication protocols for wired LANs built on the IEEE 802.1X framework and digital certificates.
In the authentication method of this embodiment, the authentication server receives the first identity digest response that the terminal device returns through the wireless access point, the response carrying a first identity digest and an initial random value; it generates first identity digest verification information from the initial random value and from the device information and private information obtained in advance from the terminal device, compares the two, and returns the authentication result to the wireless access point. Because both the first identity digest and the first identity digest verification information are derived from the initial random value, the device information and the private information, authenticating with them prevents an unauthorized user who has obtained the digital certificate from impersonating the legitimate user, and prevents the legitimate user from passing authentication with the certificate on a device other than the designated one, which improves the security of network authentication.
Fig. 2 is a flow chart of an authentication method according to embodiment two. As shown in Fig. 2, the method comprises:
Step 201: the terminal device sends an access request to the wireless access point. The access request carries a digital certificate containing a second identity digest and public key information.
In this embodiment the digital certificate also contains the user's basic information, a digital signature, a validity period and similar fields, which are not enumerated here.
The terminal device obtains the digital certificate from the authentication server in advance. Specifically, the terminal sends a certificate request to the server; the server generates the second identity digest from the user basic information, device information, private information and public key information obtained from the terminal, builds the digital certificate from the second identity digest and the public key information, and returns the certificate, containing both, to the terminal. The user basic information may include the user name, nickname, sex, age, identification number and the like; the public key information is what the terminal sends to the server when it requests the certificate; the device information and private information are as described in embodiment one.
In this embodiment, when the terminal device wants to access the wireless network and its resources, it sends the access request to the wireless access point.
Step 202: the wireless access point sends a certificate authentication request to the authentication server. The request carries the digital certificate.
Step 203: the authentication server generates second identity digest verification information from the public key information extracted from the digital certificate and from the user basic information, device information and private information obtained in advance.
In practice the server obtains different user basic information, device information and private information in advance from different terminals and stores them in its local database; to make lookup convenient it also records, for each terminal, the correspondence between the MAC address of the terminal's network card and that terminal's user basic information, device information and private information. The MAC address is carried in the access request the terminal sends to the access point and in the certificate authentication request the access point sends to the server. In this step, on receiving the certificate authentication request, the server extracts the MAC address from it and looks up the corresponding user basic information, device information and private information in its local database.
The server may have obtained the user basic information, device information and private information from the terminal during the certificate request. After receiving the certificate authentication request it extracts the public key information from the certificate the request carries and generates the second identity digest verification information from that public key information and the stored user basic information, device information and private information. Specifically, it applies a digest algorithm (a hash such as MD5 or SHA-1) to the public key information, the user basic information, the device information and the private information.
Step 204: the authentication server compares whether the second identity digest verification information is identical to the second identity digest extracted from the digital certificate; if so, execute step 205, otherwise execute step 213.
In this step the server extracts the second identity digest from the certificate carried in the certificate authentication request and compares it with the second identity digest verification information generated in step 203.
Step 205: the authentication server sends a first identity digest request to the wireless access point.
The first identity digest request asks the terminal device for a first identity digest.
Step 206: the wireless access point forwards the first identity digest request to the terminal device.
Step 207: the terminal device generates a first identity digest from the device information, the private information and an initial random value.
In this embodiment, after receiving the first identity digest request, the terminal device generates the first identity digest from the device information, the private information and the initial random value. The device information may be read by the terminal at that moment, the private information may be requested from the user by the terminal at that moment, and the initial random value may be generated by the terminal at that moment.
Step 208: the terminal device returns a first identity digest response to the wireless access point. The response carries the first identity digest and the initial random value.
Step 209: the wireless access point forwards the first identity digest response to the authentication server.
Step 210: the authentication server generates first identity digest verification information from the device information and private information obtained in advance and from the initial random value carried in the first identity digest response.
In this embodiment, the first identity digest response that the terminal returns to the access point, and the one the access point forwards to the server, carry the MAC address. On receiving the response, the server extracts the MAC address and looks up the corresponding device information and private information in its local database. It also extracts the initial random value from the response and generates the first identity digest verification information by applying a digest algorithm (a hash such as MD5 or SHA-1) to the stored device information, the stored private information and the extracted initial random value.
Step 211: the authentication server compares whether the first identity digest verification information is identical to the first identity digest carried in the first identity digest response; if so, execute step 212, otherwise execute step 213.
In this step the server extracts the first identity digest from the response and compares it with the first identity digest verification information generated in step 210.
Step 212: the authentication server produces an authentication success message and returns it to the wireless access point.
Step 213: the authentication server produces an authentication failure message and returns it to the wireless access point.
In the authentication method of this embodiment, the authentication server authenticates with the first identity digest and the first identity digest verification information. Because both are derived from the initial random value, the device information and the private information, an unauthorized user who has obtained the digital certificate cannot impersonate the legitimate user, and the legitimate user cannot pass authentication with the certificate on a device other than the designated one; the security of network authentication is thus improved. Further, the server also authenticates with the second identity digest and the second identity digest verification information. Because both are derived from the user basic information, the device information, the private information and the public key information, they allow the authenticity and legitimacy of the digital certificate to be checked effectively, which improves the security of network authentication further.
Fig. 3 is a flow chart of an authentication method provided by embodiment three of the invention. As shown in Fig. 3, the method comprises:
Step 301: the terminal equipment sends a certificate application request to the authentication server; the certificate application request contains public key information.
In the present embodiment, the terminal equipment can generate a key pair comprising public key information and private key information, and then carry the public key information in the certificate application request when sending that request to the authentication server.
Step 302: the authentication server obtains the user basic information, terminal equipment information and private information from the terminal equipment.
This step can specifically comprise:
Step 3021: the authentication server sends a user basic information request to the terminal equipment and receives the user basic information returned by the terminal equipment;
Step 3022: the authentication server sends a terminal equipment information request to the terminal equipment and receives the terminal equipment information returned by the terminal equipment;
Step 3023: the authentication server sends a private information request to the terminal equipment and receives the private information returned by the terminal equipment.
The execution order of steps 3021, 3022 and 3023 can be changed according to actual needs.
In the present embodiment, if, while obtaining the user basic information, terminal equipment information and private information, the authentication server fails to obtain any one of them, the flow of the present embodiment ends.
Step 303: the authentication server checks whether the user basic information, terminal equipment information and private information are legal; if so, step 304 is executed, otherwise the flow of the present embodiment ends.
Specifically, the authentication server checks whether the format of the user basic information, terminal equipment information and private information conforms to the specification, whether their content is complete, and so on.
Step 304: the authentication server generates the second identity digest information from the user basic information, terminal equipment information, private information and public key information.
In the present embodiment, the public key information is contained in the certificate application request sent by the terminal equipment.
Specifically, the authentication server can compute the second identity digest information by applying a digest algorithm to the public key information, user basic information, terminal equipment information and private information. The digest algorithm can be a hash algorithm, for example MD5 or SHA-1.
Step 305: the authentication server generates a digital certificate from the second identity digest information and the public key information and returns the digital certificate to the terminal equipment; the digital certificate contains the second identity digest information and the public key information.
In the present embodiment, the generated digital certificate also contains information such as the user basic information, a digital signature and the certificate validity period, which are not enumerated one by one here.
Step 306: the terminal equipment sends an access request to the wireless access point; the access request contains the digital certificate.
Step 307: the wireless access point sends a certificate authentication request to the authentication server; the certificate authentication request contains the digital certificate.
Step 308: the authentication server verifies the digital signature contained in the digital certificate; if verification succeeds, step 309 is executed; if verification fails, step 320 is executed.
In the present embodiment, the generated digital certificate contains a digital signature. After receiving the certificate authentication request sent by the wireless access point, the authentication server verifies the digital signature of the digital certificate contained in the certificate authentication request.
Step 309: the authentication server returns a certificate authentication response to the wireless access point.
Step 310: the authentication server generates the second identity digest verification information from the public key information extracted from the digital certificate and the user basic information, terminal equipment information and private information obtained in advance.
Specifically, the authentication server can compute the second identity digest verification information by applying a digest algorithm to the public key information, user basic information, terminal equipment information and private information. The digest algorithm can be a hash algorithm, for example MD5 or SHA-1.
Step 311: the authentication server compares the second identity digest verification information with the second identity digest information extracted from the digital certificate; if they are identical, step 312 is executed, otherwise step 320 is executed.
Step 312: the authentication server sends the first identity digest information request to the wireless access point.
In this step, the first identity digest information request is mainly used to request the first identity digest information from the terminal equipment.
Step 313: the wireless access point sends the first identity digest information request to the terminal equipment.
Step 314: the terminal equipment generates the first identity digest information from the terminal equipment information, private information and initial random value.
In the present embodiment, after receiving the first identity digest information request, the terminal equipment generates the first identity digest information from the terminal equipment information, private information and initial random value. The terminal equipment information can be obtained in real time by the terminal equipment after it receives the request, the private information can be requested from the user as input by the terminal equipment after it receives the request, and the initial random value can be generated in real time by the terminal equipment after it receives the request.
Step 315: the terminal equipment returns the first identity digest information response to the wireless access point; the response contains the first identity digest information and the initial random value.
Step 316: the wireless access point sends the first identity digest information response to the authentication server.
Step 317: the authentication server generates the first identity digest verification information from the terminal equipment information and private information obtained in advance and the initial random value carried in the first identity digest information response.
In this step, after receiving the first identity digest information response, the authentication server extracts the initial random value from it and generates the first identity digest verification information from the terminal equipment information, the private information and the extracted initial random value. Specifically, the authentication server can compute the first identity digest verification information by applying a digest algorithm to the terminal equipment information, the private information and the initial random value. The digest algorithm can be a hash algorithm, for example MD5 or SHA-1.
Step 318: the authentication server compares the first identity digest verification information with the first identity digest information contained in the first identity digest information response; if they are identical, step 319 is executed, otherwise step 320 is executed.
In this step, the authentication server extracts the first identity digest information from the first identity digest information response and compares whether it is identical with the first identity digest verification information generated in step 317.
Step 319: the authentication server produces an authentication success message and returns it to the wireless access point.
Step 320: the authentication server produces an authentication failure message and returns it to the wireless access point.
In the authentication method provided by the present embodiment, the authentication server authenticates using the first identity digest information and the first identity digest verification information. Because both are generated from the initial random value, the terminal equipment information and the private information, an illegitimate user who has merely obtained the digital certificate is effectively prevented from impersonating a legitimate user to pass the authentication server's authentication, and a legitimate user is prevented from using the obtained digital certificate to pass authentication on equipment other than the designated terminal equipment, which improves the security of network authentication. Further, in the present embodiment the authentication server also authenticates using the second identity digest information and the second identity digest verification information. Because both are generated from the user basic information, the terminal equipment information, the private information and the public key information, the authenticity and legitimacy of the digital certificate can be effectively verified by means of them, which further improves the security of network authentication.
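As an added illustration (not code from the patent or its applicant), the following Python models embodiment three end to end, together with step 210's MAC-address lookup from embodiment two: certificate issuance with the second identity digest, the signature and second-digest checks, and the first-digest challenge. The field names, the HMAC stand-in for the certificate signature, SHA-256 in place of the MD5 or SHA-1 named in the text, and the rejection of a reused random value are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# The patent names MD5 or SHA-1 as example digest algorithms; SHA-256 is assumed here.
HASH_ALG = "sha256"


def make_digest(*fields: str) -> str:
    """Hash the concatenated fields; each field is length-prefixed so that
    field boundaries are unambiguous ("ab"+"c" must not collide with "a"+"bc")."""
    h = hashlib.new(HASH_ALG)
    for field in fields:
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()


class AuthServer:
    """Authentication server: issues certificates (steps 301-305) and checks
    access requests relayed by the wireless access point (steps 307-320)."""

    def __init__(self) -> None:
        self._signing_key = secrets.token_bytes(32)  # stand-in for a CA signing key
        self._enrolled: dict[str, dict[str, str]] = {}  # MAC -> info obtained in advance
        self._seen_nonces: dict[str, set[str]] = {}     # MAC -> accepted random values

    def _sign(self, cert: dict[str, str]) -> str:
        # HMAC over the certificate body stands in for the digital signature of step 305.
        body = make_digest(cert["pubkey"], cert["user"], cert["second_digest"])
        return hmac.new(self._signing_key, body.encode(), HASH_ALG).hexdigest()

    def issue_certificate(self, mac, pubkey, user, device, private):
        # Steps 302-303: all three pieces of information must be present and well formed.
        if not all(isinstance(v, str) and v for v in (user, device, private)):
            return None
        self._enrolled[mac] = {"user": user, "device": device, "private": private}
        # Step 304: the second digest binds the public key to user, device and private info.
        cert = {"pubkey": pubkey, "user": user,
                "second_digest": make_digest(pubkey, user, device, private)}
        cert["signature"] = self._sign(cert)  # step 305
        return cert

    def verify_certificate(self, mac: str, cert: dict[str, str]) -> bool:
        # Step 308: digital signature check.
        if not hmac.compare_digest(self._sign(cert), cert.get("signature", "")):
            return False
        rec = self._enrolled.get(mac)
        if rec is None:
            return False
        # Steps 310-311: recompute the second digest from the stored information
        # and the public key taken from the certificate, then compare.
        expected = make_digest(cert["pubkey"], rec["user"], rec["device"], rec["private"])
        return hmac.compare_digest(expected, cert["second_digest"])

    def verify_first_digest(self, mac: str, first_digest: str, nonce: str) -> bool:
        # Steps 210/317: look up the pre-obtained information by MAC address.
        rec = self._enrolled.get(mac)
        if rec is None:
            return False
        used = self._seen_nonces.setdefault(mac, set())
        if nonce in used:  # added check: a replayed (digest, random value) pair is rejected
            return False
        expected = make_digest(rec["device"], rec["private"], nonce)
        ok = hmac.compare_digest(expected, first_digest)  # steps 211/318
        if ok:
            used.add(nonce)
        return ok


class Terminal:
    """Terminal equipment: holds its device information and the user's private information."""

    def __init__(self, mac: str, device_info: str, private_info: str) -> None:
        self.mac, self.device_info, self.private_info = mac, device_info, private_info
        self.pubkey = "PUBKEY-" + secrets.token_hex(8)  # placeholder for a real key pair

    def first_digest_response(self) -> tuple[str, str]:
        # Steps 314-315: fresh random value, digest over device info, private info and it.
        nonce = secrets.token_hex(16)
        return make_digest(self.device_info, self.private_info, nonce), nonce


def run_access(server: AuthServer, terminal: Terminal, cert: dict[str, str]) -> str:
    """Access flow as seen by the wireless access point: certificate check first,
    then the first-digest challenge; either failure yields step 320's failure message."""
    if not server.verify_certificate(terminal.mac, cert):
        return "authentication failure"
    digest, nonce = terminal.first_digest_response()
    if server.verify_first_digest(terminal.mac, digest, nonce):
        return "authentication success"
    return "authentication failure"
```

Running `run_access` with the same certificate from a terminal whose device information or private information differs from what was enrolled passes the certificate checks but fails the first-digest comparison, which is the property the embodiment relies on.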
Fig. 4 is a schematic structural diagram of an authentication server provided by embodiment four of the invention. As shown in Fig. 4, the authentication server comprises: a first sending module 11, a first receiving module 12, a first generation module 13 and a first comparison module 14.
The first sending module 11 is used to send the first identity digest information request to the terminal equipment through the wireless access point.
The first receiving module 12 is used to receive the first identity digest information response returned by the terminal equipment through the wireless access point; the first identity digest information response contains the first identity digest information and the initial random value, and the first identity digest information is generated by the terminal equipment from the terminal equipment information, private information and initial random value.
The first generation module 13 is used to generate the first identity digest verification information from the initial random value and the terminal equipment information and private information obtained in advance from the terminal equipment.
The first comparison module 14 is used to compare the first identity digest information with the first identity digest verification information, obtain the authentication result and output it to the first sending module 11, and the first sending module 11 returns the authentication result to the wireless access point.
The authentication server provided by the present embodiment receives the first identity digest information response returned by the terminal equipment through the wireless access point, the response containing the first identity digest information and the initial random value; generates the first identity digest verification information from the initial random value and the terminal equipment information and private information obtained in advance from the terminal equipment; compares the first identity digest information with the first identity digest verification information; and returns the authentication result to the wireless access point. Because the first identity digest information and the first identity digest verification information are both generated from the initial random value, the terminal equipment information and the private information, authenticating with them effectively prevents an illegitimate user who has obtained the digital certificate from impersonating a legitimate user to pass the authentication server's authentication, and prevents a legitimate user from using the obtained digital certificate to pass authentication on equipment other than the designated terminal equipment, which improves the security of network authentication.
Fig. 5 is a schematic structural diagram of an authentication server provided by embodiment five of the invention. As shown in Fig. 5, on the basis of embodiment four above, the authentication server further comprises: a second generation module 15 and a second comparison module 16.
The first receiving module 12 is also used to receive the certificate authentication request sent by the wireless access point; the certificate authentication request contains a digital certificate, the digital certificate is contained in the access request sent by the terminal equipment and received by the wireless access point, and the digital certificate contains the second identity digest information and public key information;
The second generation module 15 is used to generate the second identity digest verification information from the public key information extracted from the digital certificate and the user basic information, terminal equipment information and private information obtained in advance;
The second comparison module 16 is used to compare whether the second identity digest verification information is identical with the second identity digest information extracted from the digital certificate, and to output a comparison result indicating that they are identical to the first sending module 11, so as to trigger the first sending module 11 to send the first identity digest information request to the terminal equipment through the wireless access point.
Further, the authentication server in the present embodiment also comprises: an acquisition module 17, a third generation module 18 and a fourth generation module 19.
The first receiving module 12 is also used to receive the certificate application request sent by the terminal equipment; the certificate application request contains public key information;
The acquisition module 17 is used to obtain the user basic information, terminal equipment information and private information from the terminal equipment;
The third generation module 18 is used to generate the second identity digest information from the user basic information, terminal equipment information, private information and public key information;
The fourth generation module 19 is used to generate the digital certificate from the second identity digest information and the public key information;
The first sending module 11 is also used to return the digital certificate to the terminal equipment.
Further, the authentication server in the present embodiment can also comprise a detection module 20. The detection module 20 is used to detect whether the user basic information, terminal equipment information and private information obtained by the acquisition module 17 are legal, and to output the judgement result that they are legal to the third generation module 18, so as to trigger the third generation module 18 to generate the second identity digest information from the user basic information, terminal equipment information, private information and public key information.
The authentication server provided by the present embodiment authenticates using the first identity digest information and the first identity digest verification information. Because both are generated from the initial random value, the terminal equipment information and the private information, an illegitimate user who has merely obtained the digital certificate is effectively prevented from impersonating a legitimate user to pass the authentication server's authentication, and a legitimate user is prevented from using the obtained digital certificate to pass authentication on equipment other than the designated terminal equipment, which improves the security of network authentication. Further, in the present embodiment the authentication server also authenticates using the second identity digest information and the second identity digest verification information. Because both are generated from the user basic information, the terminal equipment information, the private information and the public key information, the authenticity and legitimacy of the digital certificate can be effectively verified by means of them, which further improves the security of network authentication.
Fig. 6 is a schematic structural diagram of terminal equipment provided by embodiment six of the invention. As shown in Fig. 6, the terminal equipment comprises: a second receiving module 21, a fifth generation module 22 and a second sending module 23.
The second receiving module 21 is used to receive the first identity digest information request sent by the authentication server through the wireless access point;
The fifth generation module 22 is used to generate the first identity digest information from the terminal equipment information, private information and initial random value;
The second sending module 23 is used to return the first identity digest information response to the authentication server through the wireless access point; the response contains the first identity digest information and the initial random value, so that the authentication server can generate the first identity digest verification information from the initial random value and the terminal equipment information and private information obtained in advance from the terminal equipment, compare the first identity digest information with the first identity digest verification information, obtain the authentication result and return it to the wireless access point.
The terminal equipment provided by the present embodiment generates the first identity digest information and returns it together with the initial random value to the authentication server through the wireless access point, so that the authentication server can authenticate using this first identity digest information and the first identity digest verification information it generates. Because the first identity digest information and the first identity digest verification information are both generated from the initial random value, the terminal equipment information and the private information, authenticating with them effectively prevents an illegitimate user who has obtained the digital certificate from impersonating a legitimate user to pass the authentication server's authentication, and prevents a legitimate user from using the obtained digital certificate to pass authentication on equipment other than the designated terminal equipment, which improves the security of network authentication.
Fig. 7 is a schematic structural diagram of an authentication system provided by embodiment seven of the invention. As shown in Fig. 7, the authentication system comprises: terminal equipment 1, a wireless access point 2 and an authentication server 3.
The authentication server 3 is used to send the first identity digest information request to the terminal equipment 1 through the wireless access point 2; receive the first identity digest information response returned by the terminal equipment 1 through the wireless access point 2, the response containing the first identity digest information and the initial random value, the first identity digest information being generated by the terminal equipment 1 from the terminal equipment information, private information and initial random value; generate the first identity digest verification information from the initial random value and the terminal equipment information and private information obtained in advance from the terminal equipment 1; and compare the first identity digest information with the first identity digest verification information, obtain the authentication result and return it to the wireless access point 2.
In the present embodiment, the terminal equipment 1 can be the terminal equipment described in embodiment six, and the authentication server 3 can be the authentication server described in embodiment four or embodiment five, which are not repeated here.
In the authentication system provided by the present embodiment, the authentication server receives the first identity digest information response returned by the terminal equipment through the wireless access point, the response containing the first identity digest information and the initial random value; generates the first identity digest verification information from the initial random value and the terminal equipment information and private information obtained in advance from the terminal equipment; compares the first identity digest information with the first identity digest verification information; and obtains the authentication result and returns it to the wireless access point. In this system, because the first identity digest information and the first identity digest verification information are both generated from the initial random value, the terminal equipment information and the private information, the authentication server's use of them for authentication effectively prevents an illegitimate user who has obtained the digital certificate from impersonating a legitimate user to pass the authentication server's authentication, and prevents a legitimate user from using the obtained digital certificate to pass authentication on equipment other than the designated terminal equipment, which improves the security of network authentication.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by hardware instructed by a program; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; and the storage medium comprises various media that can store program code, such as ROM, RAM, magnetic disk or optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some of their technical features can be replaced by equivalents, and such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (8)

1. An authentication method, characterized in that it comprises:
sending a first identity digest information request to terminal equipment through a wireless access point;
receiving a first identity digest information response returned by the terminal equipment through the wireless access point, the first identity digest information response containing first identity digest information and an initial random value, the first identity digest information being generated by the terminal equipment from terminal equipment information, private information and the initial random value;
generating first identity digest verification information from the initial random value and the terminal equipment information and private information obtained in advance from the terminal equipment;
comparing the first identity digest information with the first identity digest verification information, obtaining an authentication result and returning the authentication result to the wireless access point;
wherein, before the sending of the first identity digest information request to the terminal equipment through the wireless access point, the method comprises:
receiving a certificate authentication request sent by the wireless access point, the certificate authentication request containing a digital certificate, the digital certificate being contained in an access request sent by the terminal equipment and received by the wireless access point, the digital certificate containing second identity digest information and public key information, and the second identity digest information being generated from user basic information, the terminal equipment information, the private information and the public key information;
generating second identity digest verification information from the public key information extracted from the digital certificate and the user basic information, terminal equipment information and private information obtained in advance;
comparing whether the second identity digest verification information is identical with the second identity digest information extracted from the digital certificate, and if identical, executing the step of sending the first identity digest information request to the terminal equipment through the wireless access point.
2. The method according to claim 1, characterized in that, before the receiving of the certificate authentication request sent by the wireless access point, the method further comprises:
receiving a certificate application request sent by the terminal equipment, the certificate application request containing the public key information;
obtaining the user basic information, the terminal equipment information and the private information from the terminal equipment;
generating the second identity digest information from the user basic information, the terminal equipment information, the private information and the public key information;
generating the digital certificate from the second identity digest information and the public key information, and returning the digital certificate to the terminal equipment.
3. The method according to claim 2, characterized in that, before the generating of the second identity digest information from the user basic information, the terminal equipment information, the private information and the public key information, the method further comprises:
detecting whether the user basic information, the terminal equipment information and the private information are legal, and if so, executing the step of generating the digital certificate from the second identity digest information and the public key information.
4. An authentication server, characterized in that it comprises:
A first sending module, configured to send a first identity summary information request to terminal equipment through a wireless access point (WAP) and to return an authentication result to the wireless access point;
A first receiving module, configured to receive, through the wireless access point, a first identity summary information response returned by the terminal equipment, wherein the first identity summary information response comprises first identity summary information and an initial random value, and the first identity summary information is generated by the terminal equipment according to terminal equipment information, private information and the initial random value;
A first generation module, configured to generate first identity summary verification information according to the initial random value and the terminal equipment information and private information obtained in advance from the terminal equipment;
A first comparison module, configured to compare the first identity summary information with the first identity summary verification information, obtain the authentication result and output the authentication result to the first sending module;
The authentication server further comprises a second generation module and a second comparison module;
The first receiving module is further configured to receive a certificate authentication request sent by the wireless access point, the certificate authentication request comprising a digital certificate, wherein the digital certificate is contained in an access request sent by the terminal equipment and received by the wireless access point, and the digital certificate comprises second identity summary information and public key information;
The second generation module is configured to generate second identity summary verification information according to the public key information extracted from the digital certificate and the user basic information, terminal equipment information and private information obtained in advance;
The second comparison module is configured to compare whether the second identity summary verification information is identical to the second identity summary information extracted from the digital certificate, and to output the result of that comparison to the first sending module.
5. The authentication server according to claim 4, characterized in that it further comprises an acquisition module, a third generation module and a fourth generation module;
The first receiving module is further configured to receive a certificate request sent by the terminal equipment, the certificate request comprising public key information;
The acquisition module is configured to obtain the user basic information, the terminal equipment information and the private information from the terminal equipment;
The third generation module is configured to generate the second identity summary information according to the user basic information, the terminal equipment information, the private information and the public key information;
The fourth generation module is configured to generate the digital certificate according to the second identity summary information and the public key information;
The first sending module is further configured to return the digital certificate to the terminal equipment.
6. The authentication server according to claim 5, characterized in that it further comprises:
A detection module, configured to detect whether the user basic information, the terminal equipment information and the private information obtained by the acquisition module are legal, and to output to the third generation module the result of judging that the user basic information, the terminal equipment information and the private information are legal.
7. Terminal equipment, characterized in that it comprises:
A second receiving module, configured to receive a first identity summary information request sent by an authentication server through a wireless access point;
A fifth generation module, configured to generate first identity summary information according to terminal equipment information, private information and an initial random value;
A second sending module, configured to return a first identity summary information response to the authentication server through the wireless access point, the first identity summary information response comprising the first identity summary information and the initial random value, so that the authentication server generates first identity summary verification information according to the initial random value and the terminal equipment information and private information obtained in advance from the terminal equipment, compares the first identity summary information with the first identity summary verification information, obtains an authentication result and returns the authentication result to the wireless access point;
The second sending module is further configured to send an access request to the wireless access point before the first identity summary information request sent by the authentication server through the wireless access point is received, the access request comprising a digital certificate, and the digital certificate comprising second identity summary information and public key information.
8. An authentication system, characterized in that it comprises terminal equipment, a wireless access point and an authentication server;
The terminal equipment is the terminal equipment according to claim 7;
The authentication server is the authentication server according to any one of claims 4 to 6.
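The claims above describe two stages: certificate issuance (the server digests user basic information, terminal information, private information and the terminal's public key, and returns a certificate carrying that digest and the key) and network access (the server recomputes the certificate digest from its stored copy of that information, then challenges the terminal for a first identity digest over terminal information, private information and a terminal-chosen random value). The following is an added worked model of both stages, written for this page and not code from the patent or its assignee. The claims do not fix the digest construction, so HMAC-SHA256 keyed with the private information is this example's assumption; the sample user, terminal, secret and public-key values are constructed, and the wireless access point is modelled as a pass-through.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records; names, formats and values are assumptions, not from the patent.
USER_BASIC_INFO = {"user": "alice", "org": "example-corp"}
TERMINAL_INFO = {"mac": "02:00:5e:00:53:01", "serial": "TERM-0001"}
PRIVATE_INFO = b"constructed-secret-shared-by-terminal-and-server"
PUBLIC_KEY_INFO = "constructed-public-key-placeholder"


def canonical(*parts) -> bytes:
    """Encode the digest inputs unambiguously (JSON, sorted keys, no whitespace)
    so that field boundaries cannot be shifted between inputs."""
    return json.dumps(list(parts), sort_keys=True, separators=(",", ":")).encode()


def identity_digest(private_info: bytes, *parts) -> str:
    """Identity summary information over the given parts. The claims leave the
    construction open; HMAC-SHA256 keyed with the private information is this
    example's choice."""
    return hmac.new(private_info, canonical(*parts), hashlib.sha256).hexdigest()


@dataclass
class Certificate:
    """Digital certificate of claim 2: second identity digest plus public key info."""
    second_identity_digest: str
    public_key_info: str


@dataclass
class AuthServer:
    """Holds the information obtained from the terminal in advance (claims 2, 4, 5)."""
    user_basic_info: dict
    terminal_info: dict
    private_info: bytes
    seen_nonces: set = field(default_factory=set)

    def issue_certificate(self, public_key_info: str) -> Certificate:
        # Claim 3: check the stored information before generating anything.
        if not (self.user_basic_info and self.terminal_info and self.private_info):
            raise ValueError("user, terminal or private information missing")
        digest = identity_digest(self.private_info, self.user_basic_info,
                                 self.terminal_info, public_key_info)
        return Certificate(digest, public_key_info)

    def verify_certificate(self, cert: Certificate) -> bool:
        # Claim 4: recompute the second digest from stored info plus the
        # public key extracted from the certificate, then compare.
        expected = identity_digest(self.private_info, self.user_basic_info,
                                   self.terminal_info, cert.public_key_info)
        return hmac.compare_digest(expected, cert.second_identity_digest)

    def verify_first_digest(self, first_digest: str, nonce: str) -> bool:
        # Claim 4: first identity summary verification information from the
        # random value and the stored terminal/private information.
        # The random value is chosen by the terminal in the claims, so the
        # server remembers accepted values to refuse a replayed response
        # (an addition of this example, not part of the claims).
        if nonce in self.seen_nonces:
            return False
        expected = identity_digest(self.private_info, self.terminal_info, nonce)
        ok = hmac.compare_digest(expected, first_digest)
        if ok:
            self.seen_nonces.add(nonce)
        return ok


@dataclass
class Terminal:
    terminal_info: dict
    private_info: bytes
    certificate: Optional[Certificate] = None

    def first_digest_response(self, nonce: Optional[str] = None) -> dict:
        # Claim 7: the terminal picks the initial random value and digests
        # terminal information, private information and that value.
        nonce = nonce or secrets.token_hex(16)
        digest = identity_digest(self.private_info, self.terminal_info, nonce)
        return {"first_identity_digest": digest, "initial_random_value": nonce}


def run_protocol() -> dict:
    """Drive both stages and report the outcome of each server-side check."""
    server = AuthServer(USER_BASIC_INFO, TERMINAL_INFO, PRIVATE_INFO)
    terminal = Terminal(TERMINAL_INFO, PRIVATE_INFO)
    # Stage 1 (claims 2, 5): certificate request and issuance.
    terminal.certificate = server.issue_certificate(PUBLIC_KEY_INFO)
    # Stage 2 (claims 4, 7): the access request carries the certificate; the
    # server verifies it, then challenges for the first identity digest.
    cert_ok = server.verify_certificate(terminal.certificate)
    resp = terminal.first_digest_response()
    first_ok = server.verify_first_digest(resp["first_identity_digest"],
                                          resp["initial_random_value"])
    replayed = server.verify_first_digest(resp["first_identity_digest"],
                                          resp["initial_random_value"])
    # A certificate whose public key was swapped no longer matches its digest.
    swapped = Certificate(terminal.certificate.second_identity_digest,
                          "constructed-other-key")
    return {"certificate_verified": cert_ok, "first_digest_verified": first_ok,
            "replay_rejected": not replayed,
            "swapped_key_rejected": not server.verify_certificate(swapped)}


if __name__ == "__main__":
    print(run_protocol())
```

Two design points worth noting. The second identity digest works as a message authentication code that binds the public key to the user's record and the device; only a party holding the private information can verify it, which is why the claims have the server rather than the access point perform the comparison. Because the first identity digest's random value comes from the terminal, a server that does not track accepted values would accept an observed response again, so the model keeps a set of used values; a server-issued challenge would be the usual alternative. Both comparisons use hmac.compare_digest so that a mismatch is not revealed byte by byte through timing.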
CN 201010189995 2010-05-25 2010-05-25 Authentication method, system, authentication server and terminal equipment CN101867929B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010189995 CN101867929B (en) 2010-05-25 2010-05-25 Authentication method, system, authentication server and terminal equipment

Publications (2)

Publication Number Publication Date
CN101867929A CN101867929A (en) 2010-10-20
CN101867929B true CN101867929B (en) 2013-03-13

Family

ID=42959437

Country Status (1)

Country Link
CN (1) CN101867929B (en)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101977383A (en) * 2010-08-03 2011-02-16 北京星网锐捷网络技术有限公司 Authentication processing method, system, client side and server for network access
CN103079200B (en) * 2011-10-26 2016-08-03 国民技术股份有限公司 The authentication method of a kind of wireless access, system and wireless router
CN102497354A (en) * 2011-11-08 2012-06-13 陈嘉贤 Method, system and device for identifying user's identity
CN103384249B (en) * 2013-07-08 2016-05-25 北京星网锐捷网络技术有限公司 Network access verifying method, Apparatus and system, certificate server
CN104660567B (en) * 2013-11-22 2017-12-15 中国联合网络通信集团有限公司 D2D terminal access authentications method, D2D terminals and server
CN103929748B (en) * 2014-04-30 2017-07-04 普联技术有限公司 A kind of Internet of Things wireless terminal and its collocation method and wireless network access point
CN104468626A (en) * 2014-12-25 2015-03-25 上海市共进通信技术有限公司 System and method for achieving wireless authentication encryption of mobile terminal
CN104836671B (en) * 2015-05-15 2018-05-22 安一恒通(北京)科技有限公司 The inspection method and check device of the addition of digital certificate
CN105636037B (en) * 2015-06-29 2019-11-12 宇龙计算机通信科技(深圳)有限公司 Authentication method, device and electronic equipment
CN105188055B (en) * 2015-08-14 2018-06-12 中国联合网络通信集团有限公司 wireless network access method, wireless access point and server
WO2017041298A1 (en) * 2015-09-11 2017-03-16 华为技术有限公司 Wireless local area network access point verification method, terminal, service platform, access point and access point background
CN105516978B (en) * 2015-12-04 2019-06-28 上海斐讯数据通信技术有限公司 Machinery of consultation and system is arranged in wireless protection
CN105554760B (en) * 2016-01-29 2018-06-29 腾讯科技(深圳)有限公司 Wireless access point authentication method, apparatus and system
CN106230784B (en) * 2016-07-20 2020-09-18 新华三技术有限公司 Equipment verification method and device
CN107276997B (en) * 2017-06-06 2019-06-28 云南电网有限责任公司信息中心 A kind of intelligent cut-in method, the apparatus and system of electric power mobile application terminal
CN108882237A (en) * 2018-05-31 2018-11-23 四川斐讯信息技术有限公司 A kind of wireless networking verification method and system of digital certificate formula

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1549526A (en) * 2003-05-16 2004-11-24 华为技术有限公司 Method for realizing radio local area network authentication
CN1698309A (en) * 2003-04-21 2005-11-16 索尼株式会社 Device authentication system
US6996715B2 (en) * 2002-01-03 2006-02-07 Lockheed Martin Corporation Method for identification of a user's unique identifier without storing the identifier at the identification site
CN101273572A (en) * 2005-10-03 2008-09-24 诺基亚公司 System, method and computer program product for authenticating a data agreement between network entities

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
GR01 Patent grant
C14 Grant of patent or utility model