CN101895884A - Method, system and device for updating WAPI certificate - Google Patents

Publication number
CN101895884A
Authority
CN
China
Legal status
Granted
Application number
CN201010221869.0A
Other languages
Chinese (zh)
Other versions
CN101895884B (en
Inventor
潘瑾瑜
Current Assignee
Beijing Star Net Ruijie Networks Co Ltd
Original Assignee
Beijing Star Net Ruijie Networks Co Ltd
Application filed by Beijing Star Net Ruijie Networks Co Ltd
Priority to CN201010221869.0A
Publication of CN101895884A
Application granted
Publication of CN101895884B
Expired - Fee Related

Abstract

The invention discloses a method, system and device for updating a WAPI certificate, intended to solve the low efficiency of certificate updating in the prior art. The method comprises the following steps: the ASE receives a certificate update request packet sent by the AE and verifies it; when the packet passes verification, the ASE obtains a certificate according to the certificate update request packet; and the ASE returns a certificate update response packet carrying the certificate data to the AE. With the scheme provided by the invention, no new protocol is introduced: by extending fields of the WAI protocol packets under WAPI, the certificates of an STA and an AP that are about to expire are updated, and the efficiency of certificate updating is improved.

Description

A method, system and device for WAPI certificate update
Technical field
The present invention relates to the field of wireless local area network technology, and in particular to a method and system for updating WAPI (WLAN Authentication and Privacy Infrastructure) certificates.
Background technology
WAPI is a wireless local area network (Wireless Local Area Networks, WLAN) security protocol and is also the security mechanism in the mandatory WLAN standard. The scheme consists of two parts, the WLAN Authentication Infrastructure (WAI) and the WLAN Privacy Infrastructure (WPI): WAI authenticates user identity, and WPI encrypts the transmitted data. WAI includes two authentication methods: pre-shared key authentication and certificate authentication. Certificate authentication uses a certificate mechanism based on public-key cryptography and achieves true mutual authentication between the wireless user terminal (Station, STA) and the wireless access point (Access Point, AP).
In the certificate authentication method, WAPI treats the STA, the AP and the authentication service unit (Authentication Service Unit, ASU) as the authentication supplicant entity (Authentication Supplicant Entity, ASUE), the authenticator entity (Authentication Entity, AE) and the authentication service entity (Authentication Service Entity, ASE), respectively. The ASUE is the entity that requests authentication before accessing the service; the AE is the entity that provides authentication for the supplicant before it accesses the service; the ASE is the entity that provides identity authentication service for the authenticator and the supplicant.
Fig. 1 shows the certificate authentication process in the prior art, which comprises the following steps:
S101: The ASUE sends a wireless association request frame to the AE;
S102: The AE sends an authentication activation packet to the ASUE;
S103: The ASUE sends an access authentication request packet to the AE;
S104: The AE sends a certificate authentication request packet to the ASE;
S105: The ASE sends a certificate authentication response packet to the AE;
S106: The AE sends an access authentication response packet to the ASUE;
S107: The AE sends a unicast key negotiation request packet to the ASUE;
S108: The ASUE sends a unicast key negotiation response packet to the AE;
S109: The AE sends a unicast key negotiation confirmation packet to the ASUE;
S110: The AE sends a multicast key notification packet to the ASUE;
S111: The ASUE sends a multicast key response packet to the AE.
Through the access authentication request and response packets and the certificate authentication request and response packets, the ASUE and the AE can verify each other via the trusted third party, the ASE, and then negotiate the unicast key and announce the multicast key. In the prior art, however, a WAPI certificate can only be updated by introducing another protocol or by manual operation. Introducing another protocol involves conversion between protocols; the process is complicated and reduces the efficiency of certificate update. With manual update, staff judge subjectively whether a certificate is about to expire; when they decide that it is, they obtain the updated certificate data and write it to each entity under WAPI, for example using TFTP (Trivial File Transfer Protocol). Obtaining the certificate data by hand and then writing it is also inefficient, so this approach cannot effectively improve the efficiency of certificate update.
Summary of the invention
In view of this, embodiments of the present invention provide a method, system and device for WAPI certificate update, to solve the low update efficiency of certificate updating in the prior art.
The method for WAPI certificate update provided by an embodiment of the present invention comprises:
the authentication service entity ASE receives a certificate update request packet sent by the authenticator entity AE; and
after verifying that the sender of the certificate update request packet has update authority, obtains the corresponding certificate data according to the certificate update request packet;
the ASE returns a certificate update response packet carrying the certificate data to the AE.
The system for WAPI certificate update provided by an embodiment of the present invention comprises:
an authenticator entity AE, configured to send a certificate update request packet to the authentication service entity ASE and to receive the certificate update response packet, carrying the certificate data, sent by the ASE;
the ASE, configured to receive the certificate update request packet and, after verifying that the sender of the certificate update request packet has update authority, obtain the corresponding certificate data according to the packet and return the certificate update response packet carrying the certificate data to the AE.
An embodiment of the present invention provides a device for WAPI certificate update, comprising:
a first receiving module, configured to receive the certificate update request packet sent by the authenticator entity AE;
a first verification module, configured to verify whether the sender of the certificate update request packet has update authority;
a first certificate acquisition module, configured to obtain the corresponding certificate data according to the certificate update request packet;
a first sending module, configured to return the certificate update response packet carrying the certificate data to the AE.
An embodiment of the present invention provides a device for WAPI certificate update, comprising:
a second sending module, configured to send a certificate update request packet to the authentication service entity ASE;
a second receiving module, configured to receive the certificate update response packet, carrying certificate data, sent by the ASE;
a second verification module, configured to verify the security of the data carried in the certificate update response packet.
Embodiments of the present invention provide a method, system and device for WAPI certificate update. In the method, the ASE receives the certificate update request packet sent by the AE and verifies it; when it has verified that the sender of the certificate update request packet has update authority, it obtains the corresponding certificate data and returns a certificate update response packet carrying the certificate data to the AE. Because the embodiments introduce no other protocol and instead extend the fields of the WAI protocol packets under WAPI, certificates under WAPI are updated and the efficiency of certificate update is improved.
Description of drawings
Fig. 1 shows the certificate authentication process in the prior art;
Fig. 2 shows the method for WAPI certificate update provided by an embodiment of the present invention;
Fig. 3 shows the first WAPI certificate update process provided by an embodiment of the present invention;
Fig. 4 shows the second WAPI certificate update process provided by an embodiment of the present invention;
Fig. 5 shows the third WAPI certificate update process provided by an embodiment of the present invention;
Fig. 6 shows the fourth WAPI certificate update process provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a system for WAPI certificate update provided by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a device for WAPI certificate update provided by an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a device for WAPI certificate update provided by an embodiment of the present invention.
Embodiment
An embodiment of the present invention provides a method for WAPI certificate update: the ASE receives the certificate update request packet sent by the AE and verifies it; when it has verified that the sender of the certificate update request packet has update authority, it obtains the corresponding certificate data and returns a certificate update response packet carrying the certificate data to the AE, thereby updating the certificate under WAPI.
The embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Fig. 2 shows the method for WAPI certificate update provided by an embodiment of the present invention. The method comprises the following steps:
S201: The ASE receives the certificate update request packet sent by the AE.
Here, the certificate update request packet is either an AE certificate update request packet or a proxy ASUE certificate update request packet. The proxy ASUE certificate update request packet is generated by the AE after it receives an ASUE certificate update request packet sent by the ASUE and verifies that the sender of that ASUE certificate update request packet has update authority.
S202: After verifying that the sender of the certificate update request packet has update authority, the ASE obtains the corresponding certificate data according to the certificate update request packet.
Verifying that the sender of the certificate update request packet has update authority comprises: the ASE judges whether the MAC address in the certificate update request packet is identical to the MAC address of the AE associated with it; and/or the ASE judges whether the signature information in the certificate update request packet is identical to the signature information it has saved. When the check finds them identical, the ASE determines that the sender of the certificate update request packet has update authority.
When the ASE finds that the sender of the certificate update request packet does not have update authority, it discards the packet.
S203: The ASE returns the certificate update response packet carrying the certificate data to the AE.
Under the WAPI protocol, each entity saves the MAC addresses of the other entities locally when they associate with one another. Therefore, when the ASE receives a certificate request packet sent by the AE, it can take the MAC address of the AE contained in the packet and judge whether it is identical to the MAC address of the AE associated with it, and thereby determine whether the AE has update authority.
Under the WAPI protocol the entities trust one another, and each entity saves the signature information of the other entities it trusts. Therefore, when the ASE receives a certificate request packet sent by the AE, it can look up the AE's signature information among the signature information it has saved and judge whether it is consistent with the AE's signature information contained in the packet, and thereby determine whether the AE has update authority.
In the embodiments of the present invention, when a certificate needs to be updated, the upper-layer module that manages the ASUE, AE or ASE sends an indication to the ASUE, AE or ASE, and the entity that receives the indication initiates an update session for the certificate update. One certificate update process corresponds to one update session, and the update session index is the same throughout that session. Alternatively, the ASUE, AE or ASE stores time information for the certificate update, and when that time arrives, the entity that stored the time information initiates the certificate update session.
When the ASE obtains the corresponding certificate data according to the certificate update request packet, it can return to the AE an update response packet carrying certificate data that it has saved locally. The locally saved certificate data may have been obtained while the ASE was idle, by sending a request for certificate data to the certificate authority (Certificate Authority, CA) and receiving and saving the certificate data the CA returned; or it may be obtained when the ASE has verified that the sender AE of the certificate update request packet has update authority, by sending the request for certificate data to the CA at that point and receiving and saving the certificate data the CA returns.
The above process is described below with a specific embodiment.
Fig. 3 shows the first WAPI certificate update process provided by an embodiment of the present invention. The process comprises the following steps:
S301: The AE sends an AE certificate update request packet to the ASE.
The AE certificate update request packet contains the MAC address of the AE and/or the signature information of the AE.
The AE encrypts the AE certificate update request packet with the ASE's public key and sends the encrypted packet to the ASE.
S302: The ASE verifies, according to the received AE certificate update request packet, whether the AE has update authority; if verification passes, step S303 is performed; otherwise step S306 is performed.
Before verifying whether the AE has update authority, the ASE must decrypt the AE certificate update request packet with its own private key to obtain the data in it.
Verifying whether the AE has update authority comprises: the ASE judges whether the MAC address in the AE certificate update request packet is identical to the MAC address of the AE associated with it; the ASE judges whether the signature information in the packet is identical to the signature information it has saved; the ASE identifies the update flag in the packet, which is 0 because this certificate update session is initiated by the AE; and the ASE judges whether the update session index contained in the packet is greater than the update session index it has saved, in order to verify whether the sender has update authority.
When at least one of the above checks fails, the AE is determined not to have update authority, and the ASE discards the AE certificate update request packet, i.e. does not process it.
S303: The ASE obtains the corresponding certificate data and returns an AE certificate update response packet carrying the certificate data to the AE.
The ASE encrypts the AE certificate update response packet with the AE's public key and sends the encrypted packet to the AE.
S304: The AE verifies the security of the data contained in the AE certificate update response packet; if verification passes, step S305 is performed; otherwise step S306 is performed.
Before verifying the security of the data contained in the AE certificate update response packet, the AE must decrypt the packet with its own private key to obtain the data in it.
The AE's verification of the security of the data contained in the AE certificate update response packet comprises one or more of the following: the AE judges whether the MAC address in the AE certificate update response packet is identical to its own MAC address; the AE judges whether the signature information in the response packet is identical to the signature information it has saved; the AE judges whether the update session index in the response packet is identical to the update session index in the AE certificate update request packet; the AE judges whether the update flag in the response packet is identical to the update flag in the AE certificate update request packet.
When at least one of the above checks fails, the data contained in the AE certificate update response packet is determined to be insecure, and the AE discards the packet, i.e. does not process it.
S305: The AE obtains the certificate data in the AE certificate update response packet.
S306: The packet is discarded, i.e. not processed.
Table 1 shows one format of the AE certificate update request packet provided by an embodiment of the present invention. The description takes as its example a packet that contains the MAC address of the AE, the signature information of the AE, the update session index and the update flag. When the AE certificate update request packet contains only one or more of these items, the judgment for each item present is the same as the judgment described for the corresponding item.
| Update session index | MAC address of AE | Challenge | Update flag | Signature of AE |
Table 1
In Table 1, the AE certificate update request packet contains the update session index of this certificate update process. The update session index lets the ASE prevent replay attacks, i.e. prevents an update session that has already been handled from being processed again. Throughout the update session of one certificate update, the update session index in every packet is the same. When the ASE receives the AE certificate update request packet, it decides whether to process the packet from the update session index it has saved locally and the update session index in the packet. That is, when the update session index in the AE certificate update request packet is greater than the update session index saved locally by the ASE, the ASE processes the packet and, when the update session ends, replaces the locally saved update session index with the one from the packet. When the update session index in the AE certificate update request packet is not greater than the update session index saved locally by the ASE, the ASE does not process the packet.
In addition, in the embodiments of the present invention, to further guard against replay attacks, the AE certificate update request packet may also contain a challenge. Within one update session the challenge in every packet is the same, and it is computed by the entity that initiates the certificate update session; in this AE certificate update request packet it is a random number generated by the AE with a random algorithm. After receiving the AE certificate update request packet, the ASE compares the challenge contained in the packet with the challenge it has saved locally: if they are not identical, the packet is processed; otherwise the packet is discarded.
An entity under WAPI uses the update session index and the challenge in the AE certificate update request packet to update the update session index and challenge it has saved locally and, based on its association with other entities, notifies those entities to update their locally saved update session index and challenge from the packet as well. For example, in the embodiments of the present invention, when the ASE updates its locally saved update session index and challenge from the AE certificate update request packet, the ASE, based on its association with the AE, notifies the AE to update the AE's locally saved update session index and challenge from the same packet.
In Table 1, the AE certificate update request packet contains the update flag of this certificate update process. Only the lowest bit of the update flag is used; it identifies the entity that initiated the certificate update session. If the session is initiated by the ASE, the update flag is set to 1; otherwise it is set to 0. Within one update session the update flag in every packet is the same. Because this certificate update session is initiated by the AE, the update flag in the AE certificate update request packet is 0, and the ASE therefore judges whether the update session index contained in the packet is greater than the update session index it has saved, in order to verify whether the AE has update authority; when the check succeeds, the ASE determines that the AE has update authority.
The signature information is the encrypted information obtained by encrypting the other data in the packet. Because the entities under WAPI trust one another, each entity saves the signature information of the other entities it trusts. When an entity receives a packet sent by another entity and the packet contains a MAC address and signature information, the receiver must judge whether the MAC address and signature information in the packet are identical to the MAC address and signature information it has saved; if they are identical, it processes the packet.
In Table 1, the AE certificate update request packet also contains the MAC address of the AE and the signature information of the AE. When the ASE receives the AE certificate update request packet and recognises the AE's signature information in it, the ASE uses the saved signature information of the AE it trusts to decrypt the other data in the packet. If decryption succeeds, the signature information of the trusted AE is determined to be identical to the AE signature information in the packet; otherwise they are determined to be different. After determining that the saved signature information of the AE is identical to the AE signature information in the packet, the ASE takes the MAC address from the successfully decrypted packet and judges whether it is identical to the MAC address of the AE that it has saved. If it is identical, the ASE determines that the sender AE of the AE certificate update request packet has update authority and processes the packet.
When the ASE determines that the signature information of the AE it trusts differs from the AE signature information in the packet, and/or that the MAC address of the AE in the AE certificate update request packet differs from the MAC address of the AE it has saved, it discards the AE certificate update request packet and does not process it.
When the AE certificate update request packet contains only the MAC address of the AE or only the signature information of the AE, the judgment is the same as the judgment described above for the corresponding item and is not repeated here.
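The ASE-side checks described for Table 1, as an added sketch that is not code from the patent: signature, MAC address, update flag, update session index and challenge are checked in turn, and the saved index and challenge are replaced when the session ends. The field sizes, the HMAC-SHA256 stand-in for the AE signature, and the names `AseState`, `build_request`, `check_request` and `end_session` are assumptions; the public-key encryption of the packet is left out.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

# Assumed wire layout for the Table 1 fields (the page gives no field sizes):
# session index (4, big-endian) | AE MAC (6) | challenge (32) | flag (1) | signature (32)
_BODY = struct.Struct(">I6s32sB")
_SIG_LEN = 32


def sign(key: bytes, body: bytes) -> bytes:
    """Stand-in for the 'signature of AE': HMAC-SHA256 over the other fields (assumption)."""
    return hmac.new(key, body, hashlib.sha256).digest()


def build_request(key: bytes, index: int, mac: bytes, challenge: bytes, flag: int = 0) -> bytes:
    """AE side: pack the Table 1 fields and append the signature."""
    body = _BODY.pack(index, mac, challenge, flag)
    return body + sign(key, body)


@dataclass
class AseState:
    """What the ASE keeps locally for one associated AE."""
    ae_mac: bytes
    ae_key: bytes
    saved_index: int = 0
    saved_challenge: bytes = b""

    def check_request(self, packet: bytes) -> str:
        """Return 'accept' or a 'drop: ...' reason for an AE certificate update request."""
        if len(packet) != _BODY.size + _SIG_LEN:
            return "drop: malformed"
        body, sig = packet[:_BODY.size], packet[_BODY.size:]
        index, mac, challenge, flag = _BODY.unpack(body)
        # Signature first, then the MAC address taken from the verified body.
        if not hmac.compare_digest(sig, sign(self.ae_key, body)):
            return "drop: signature"
        if mac != self.ae_mac:
            return "drop: mac"
        # Only the lowest bit is used; an AE-initiated session carries 0.
        if flag & 1:
            return "drop: update flag"
        # Replay protection: the index must be greater than the saved one.
        if index <= self.saved_index:
            return "drop: stale session index"
        # Second replay check: the challenge must differ from the saved one.
        if challenge == self.saved_challenge:
            return "drop: repeated challenge"
        return "accept"

    def end_session(self, packet: bytes) -> None:
        """At session end, replace the saved index and challenge (accepted packets only)."""
        index, _mac, challenge, _flag = _BODY.unpack(packet[:_BODY.size])
        self.saved_index, self.saved_challenge = index, challenge


def demo() -> dict:
    """Run the checks over constructed packets and return the verdict for each case."""
    key = b"constructed-shared-secret"        # constructed sample key
    mac = bytes.fromhex("020000000001")       # constructed AE MAC address
    ase = AseState(ae_mac=mac, ae_key=key, saved_index=7)

    first = build_request(key, 8, mac, secrets.token_bytes(32))
    out = {"fresh": ase.check_request(first)}
    ase.end_session(first)

    out["replayed"] = ase.check_request(first)
    out["reused_challenge"] = ase.check_request(
        build_request(key, 9, mac, ase.saved_challenge))
    out["other_mac"] = ase.check_request(
        build_request(key, 9, bytes.fromhex("020000000002"), secrets.token_bytes(32)))
    tampered = bytearray(build_request(key, 9, mac, secrets.token_bytes(32)))
    tampered[3] ^= 0x01                       # alter the session index after signing
    out["tampered"] = ase.check_request(bytes(tampered))
    out["ase_flag"] = ase.check_request(
        build_request(key, 9, mac, secrets.token_bytes(32), flag=1))
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:17s} {verdict}")
```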
Table 2 shows one format of the AE certificate update response packet provided by an embodiment of the present invention. The description takes as its example a packet that contains the MAC address of the AE, the signature information of the ASE, the update session index and the update flag. When the AE certificate update response packet contains only one or more of these items, the judgment for each item present is the same as the judgment described for the corresponding item.
Figure BSA00000182427600101
Table 2
Because once more in the process of new session, the renewal conversation index that each grouping comprises is identical, thereby the renewal conversation index that comprises in this AE certificate update respond packet in the table 2 is identical with renewal conversation index during the request of AE certificate update is divided into groups.AE is according to the renewal conversation index that comprises in the AE certificate update respond packet, the process whether checking is handled this AE certificate update respond packet, with ASE according to the renewal conversation index that comprises in the AE certificate update request grouping, the process whether checking is handled this AE certificate update request grouping is identical, does not here just give unnecessary details one by one.
Because once more in the process of new session, the more new logo that each grouping comprises is identical, thereby the more new logo in the more new logo that comprises in this AE certificate update respond packet in the table 2 and the request of the AE certificate update grouping is identical, because this renewal conversation procedure is initiated by AE, so the more new logo that comprises in this AE certificate update respond packet and the AE certificate update request grouping all is 0.
In table 2, comprise the mac address information of AE and the signing messages of ASE in this AE certificate update respond packet, AE is according to the mac address information of this AE and the signing messages of ASE, verify the process of the fail safe of data message in this AE certificate update respond packet, with ASE according to the mac address information of the AE in the AE certificate update request grouping and the signing messages of AE, it is identical whether checking AE has the process of upgrading authority, promptly judge the mac address information of the AE that self preserves and the signing messages of ASE, whether consistent with the signing messages of mac address information that comprises AE in this AE certificate update respond packet and ASE, when judging unanimity, then determine the safety of data message in this AE certificate update respond packet, obtain the AE certificate data information that comprises in this AE certificate update respond packet, otherwise, abandon this AE certificate update respond packet.
The length information and the AE new authentication file data information that in table 2, also comprise AE new authentication file in this AE certificate update respond packet, AE is when the data information security of checking in this AE certificate update respond packet, obtain AE certificate data information, wherein, AE certificate data information comprises: the length information of AE new authentication file and AE new authentication file data information.
Fig. 4 shows the second WAPI certificate update process provided by the embodiment of the invention. The process comprises the following steps:
S401: The AE receives the ASE-to-AE certificate update announcement packet sent by the ASE.
The ASE encrypts the ASE-to-AE certificate update announcement packet with the public key of the AE.
S402: The AE verifies, according to the received ASE-to-AE certificate update announcement packet, whether the ASE has update authority. If the verification passes, go to step S403; otherwise, go to step S408.
Before verifying whether the ASE has update authority, the AE must also decrypt the ASE-to-AE certificate update announcement packet with its own private key to obtain the data in it.
Verifying whether the ASE has update authority comprises: the AE judges whether the MAC address in the ASE-to-AE certificate update announcement packet is identical to the MAC address it has saved; and/or judges whether the signature information in the ASE-to-AE certificate update announcement packet is identical to the signature information it has saved. If they are identical, the AE determines that the ASE has update authority.
If at least one of the above is not identical, the verification fails and the AE discards the ASE-to-AE certificate update announcement packet, that is, does not process it.
S403: The AE generates an AE certificate update request packet and sends it to the ASE.
The AE encrypts the AE certificate update request packet with the public key of the ASE and sends the encrypted packet to the ASE.
S404: The ASE verifies, according to the received AE certificate update request packet, whether the AE has update authority. If the verification passes, go to step S405; otherwise, go to step S408.
Before verifying whether the AE has update authority, the ASE must decrypt the AE certificate update request packet with its own private key to obtain the data in it.
Verifying whether the AE has update authority comprises: the ASE judges whether the MAC address in the AE certificate update request packet is identical to the MAC address of the AE associated with itself; the ASE judges whether the signature information in the AE certificate update request packet is identical to the signature information it has saved; the ASE identifies the update identifier in the AE certificate update request packet, which is 1 because this certificate update session is initiated by the ASE; and the ASE judges whether the update session index and the challenge contained in the ASE-to-AE certificate update announcement packet are respectively equal to the update session index and the challenge contained in the AE certificate update request packet, thereby verifying whether the AE has update authority.
If at least one of the above checks fails, the ASE determines that the AE does not have update authority and discards the AE certificate update request packet, that is, does not process it.
S405: The ASE obtains the corresponding certificate data information and returns to the AE an AE certificate update response packet carrying this certificate data information.
The ASE encrypts the AE certificate update response packet with the public key of the AE and sends the encrypted packet to the AE.
S406: The AE verifies the security of the data contained in the AE certificate update response packet. If the verification passes, go to step S407; otherwise, go to step S408.
Before verifying the security of the data contained in the AE certificate update response packet, the AE must also decrypt the packet with its own private key to obtain the data in it.
The AE's verification of the security of the data contained in the AE certificate update response packet comprises one or more of the following: the AE judges whether the MAC address in the AE certificate update response packet is identical to its own MAC address; the AE judges whether the signature information in the AE certificate update response packet is identical to the signature information it has saved; the AE judges whether the update session index in the AE certificate update response packet is identical to the update session index in the AE certificate update request packet; the AE judges whether the update identifier in the AE certificate update response packet is identical to the update identifier in the AE certificate update request packet.
If at least one of the above checks fails, the AE determines that the data contained in the AE certificate update response packet is not secure and discards the packet, that is, does not process it.
S407: The AE obtains the certificate data information in the AE certificate update response packet.
S408: Discard the packet, that is, do not process it.
Table 3 shows one format of the ASE-to-AE certificate update announcement packet provided by the embodiment of the invention. The description takes as an example a packet that contains both the MAC address of the AE and the signature information of the ASE; when the packet contains only one of the two, the judgment for that item is the same as the judgment described for the corresponding item.
Update session index | MAC address of the AE | Challenge | Signature of the ASE trusted by the AE
Table 3
In Table 3, the ASE-to-AE certificate update announcement packet contains the update session index of this certificate update process. This index serves the same purpose as the update session index in the AE certificate update request packet: preventing replay attacks. The AE uses the update session index contained in the ASE-to-AE certificate update announcement packet and the update session index it has saved to verify whether to process the announcement packet. This process is the same as the one in the first embodiment, in which the ASE uses the update session index contained in the AE certificate update request packet and the update session index it has saved to verify whether to process the AE certificate update request packet.
Moreover, because the update session index contained in every packet within one certificate update session is identical, during this certificate update session the update session index contained in the ASE-to-AE certificate update announcement packet, the AE certificate update request packet and the AE certificate update response packet is identical.
In addition, the ASE-to-AE certificate update announcement packet can also contain a challenge. This challenge serves the same purpose as the challenge in the AE certificate update request packet: preventing replay attacks. Because this certificate update session is initiated by the ASE, the challenge contained in the ASE-to-AE certificate update announcement packet is a random number that the ASE generates using a random algorithm. Because the challenge carried by every packet within one certificate update session is identical, in this process the challenge contained in the AE certificate update request packet, the challenge contained in the ASE-to-AE certificate update announcement packet and the challenge carried in the AE certificate update response packet are identical. The AE uses the challenge in the ASE-to-AE certificate update announcement packet and the challenge it has saved to verify whether to process the announcement packet. This process is the same as the one in the first embodiment, in which the ASE uses the challenge in the AE certificate update request packet and the challenge it has saved to verify whether to process the AE certificate update request packet.
In Table 3, the ASE-to-AE certificate update announcement packet also contains the MAC address of the AE and the signature information of the ASE trusted by the AE. The process by which the AE uses this MAC address and this signature information to verify whether the ASE has update authority is the same as the process in the first embodiment by which the ASE uses the MAC address of the AE and the signature information of the AE in the AE certificate update request packet to verify whether the AE has update authority. That is, the AE judges whether the MAC address of the AE and the signature information of its trusted ASE that it has saved are consistent with the MAC address of the AE and the signature information of the ASE trusted by the AE contained in the ASE-to-AE certificate update announcement packet. If they are consistent, the AE determines that the ASE has update authority; otherwise, it discards the ASE-to-AE certificate update announcement packet.
In the above process, when the AE receives the ASE-to-AE certificate update announcement packet sent by the ASE and, according to that packet, verifies that the ASE has update authority, the AE generates an AE certificate update request packet. The information contained in the AE certificate update request packet is described in detail in the first embodiment; the only differences are that the update session index in this AE certificate update request packet is identical to the update session index in the ASE-to-AE certificate update announcement packet, and that the challenge in this AE certificate update request packet is likewise identical to the challenge in the ASE-to-AE certificate update announcement packet, which the ASE generates using a random algorithm. After receiving the AE certificate update request packet, the ASE can verify, according to the MAC address of the AE and the signature information of the AE contained in it, whether the AE has update authority, and according to the verification result determine whether to obtain the certificate data information and generate an AE certificate update response packet.
The AE certificate update response packet generated by the ASE is essentially the same as the one generated in the first embodiment; the only differences are that the update session index carried in this AE certificate update response packet is identical to the update session index in the ASE-to-AE certificate update announcement packet, and that the challenge contained in this AE certificate update response packet is likewise identical to the challenge in the ASE-to-AE certificate update announcement packet. According to this AE certificate update announcement packet, the AE verifies the security of the data contained in the packet in the same way as in the first embodiment above, which is not repeated here.
Fig. 5 shows the third WAPI certificate update process provided by the embodiment of the invention. The process comprises the following steps:
S501: The ASUE sends an ASUE certificate update request packet to the AE.
The ASUE encrypts the ASUE certificate update request packet with the public key of the AE and sends the encrypted packet to the AE.
S502: The AE verifies, according to the received ASUE certificate update request packet, whether the ASUE has update authority. If the verification passes, go to step S503; otherwise, go to step S510.
Before verifying whether the ASUE has update authority, the AE must decrypt the ASUE certificate update request packet with its own private key to obtain the data in it.
Verifying whether the ASUE has update authority comprises: the AE verifies, according to the MAC address and the signature information contained in the ASUE certificate update request packet, whether the ASUE has update authority; the AE identifies the update identifier in the ASUE certificate update request packet, which is 0 because this certificate update session is initiated by the ASUE; and the AE judges whether the update session index contained in the ASUE certificate update request packet is greater than the update session index it has saved, thereby verifying whether the sender has update authority.
If at least one of the above checks fails, the AE determines that the ASUE does not have update authority and discards the ASUE certificate update request packet, that is, does not process it.
S503: The AE generates a proxy ASUE certificate update request packet and sends it to the ASE.
The AE encrypts the proxy ASUE certificate update request packet with the public key of the ASE and sends the encrypted packet to the ASE.
S504: The ASE verifies, according to the received proxy ASUE certificate update request packet, whether the AE has update authority. If the verification passes, go to step S505; otherwise, go to step S510.
Before verifying whether the AE has update authority, the ASE must decrypt the proxy ASUE certificate update request packet with its own private key to obtain the data in it.
Verifying whether the AE has update authority comprises: the ASE verifies, according to the MAC address and the signature information contained in the proxy ASUE certificate update request packet, whether the AE has update authority; the ASE identifies the update identifier in the proxy ASUE certificate update request packet, which is 0 because this certificate update session is initiated by the ASUE; and the ASE judges whether the update session index and the challenge contained in the proxy ASUE certificate update request packet are respectively equal to the update session index and the challenge in the ASUE certificate update request packet, thereby verifying whether the sender has update authority.
If at least one of the above checks fails, the ASE determines that the AE does not have update authority and discards the proxy ASUE certificate update request packet, that is, does not process it.
S505: The ASE obtains the corresponding certificate data information and returns to the AE a proxy ASUE certificate update response packet carrying this certificate data information.
The ASE encrypts the proxy ASUE certificate update response packet with the public key of the AE and sends the encrypted packet to the AE.
S506: The AE verifies the security of the data contained in the proxy ASUE certificate update response packet. If the verification passes, go to step S507; otherwise, go to step S510.
Before verifying the security of the data contained in the proxy ASUE certificate update response packet, the AE must also decrypt the packet with its own private key to obtain the data in it.
The AE's verification of the security of the data contained in the proxy ASUE certificate update response packet comprises one or more of the following: the AE judges whether the MAC address in the proxy ASUE certificate update response packet is identical to its own MAC address; the AE judges whether the signature information in the proxy ASUE certificate update response packet is identical to the signature information it has saved; the AE judges whether the update session index in the proxy ASUE certificate update response packet is identical to the update session index in the proxy ASUE certificate update request packet; the AE judges whether the update identifier in the proxy ASUE certificate update response packet is identical to the update identifier in the proxy ASUE certificate update request packet.
If at least one of the above checks fails, the AE determines that the data contained in the proxy ASUE certificate update response packet is not secure and discards the packet, that is, does not process it.
S507: The AE generates an ASUE certificate update response packet and sends it to the ASUE.
The AE encrypts the ASUE certificate update response packet with the public key of the ASUE and sends the encrypted packet to the ASUE.
S508: The ASUE verifies the security of the data contained in the ASUE certificate update response packet. If the verification passes, go to step S509; otherwise, go to step S510.
Before verifying the security of the data contained in the ASUE certificate update response packet, the ASUE must also decrypt the packet with its own private key to obtain the data in it.
The ASUE's verification of the security of the data contained in the ASUE certificate update response packet comprises one or more of the following: the ASUE judges whether the MAC address in the ASUE certificate update response packet is identical to its own MAC address; the ASUE judges whether the signature information in the ASUE certificate update response packet is identical to the signature information it has saved; the ASUE judges whether the update session index in the ASUE certificate update response packet is identical to the update session index in the proxy ASUE certificate update request packet; the ASUE judges whether the update identifier in the ASUE certificate update response packet is identical to the update identifier in the proxy ASUE certificate update request packet.
If at least one of the above checks fails, the ASUE determines that the data contained in the ASUE certificate update response packet is not secure and discards the packet without processing it.
S509: The ASUE obtains the certificate data information in the ASUE certificate update response packet.
S510: Discard the packet, that is, do not process it.
Table 4 shows one format of the ASUE certificate update request packet provided by the embodiment of the invention. The description takes as an example a packet that contains the MAC address of the AE, the MAC address of the ASUE, the signature information of the ASUE, the update session index and the update identifier; when the packet contains only one or more of these items, the judgment for each item is the same as the judgment described for the corresponding item.
Table 4
In Table 4, the ASUE certificate update request packet contains the update session index of this certificate update process. The update session index lets the AE prevent replay attacks, that is, it prevents a session that has already been handled from being processed again. Throughout the update session of this certificate update, the update session index contained in every packet is identical. When the AE receives the ASUE certificate update request packet, it decides whether to process the packet according to the update session index it has saved locally and the update session index in the packet. That is, when the update session index in the ASUE certificate update request packet is greater than the update session index saved locally by the AE, the AE processes the packet and, when the update session ends, replaces the locally saved update session index with the update session index from the packet. When the update session index in the ASUE certificate update request packet is not greater than the update session index saved locally by the AE, the AE does not process the packet.
In addition, to further guard against replay attacks, in the embodiment of the invention the ASUE certificate update request packet can also contain a challenge. Within one update session, the challenge contained in every packet is identical, and the challenge is computed by the entity that initiates the certificate update session. In the ASUE certificate update request packet, the challenge is a random number generated by the ASUE using a random algorithm. After receiving the ASUE certificate update request packet, the AE judges whether the challenge contained in the packet is identical to the challenge it has saved locally. If they are not identical, the AE processes the ASUE certificate update request packet; otherwise, it discards the ASUE certificate update request.
An entity under WAPI uses the update session index and the challenge contained in the ASUE certificate update request packet to update the update session index and the challenge it has saved locally and, based on its association with other entities, notifies those entities to update their locally saved update session index and challenge with the same values. For example, in the embodiment of the invention, when the AE updates its locally saved update session index and challenge with the update session index and the challenge contained in the ASUE certificate update request packet, the AE, based on its association with the ASE and the ASUE, notifies the ASE and the ASUE to update the update session index and the challenge that they have saved locally with the same values.
In Table 4, the ASUE certificate update request packet contains the update identifier of this certificate update process. Only the lowest bit of the update identifier is used; it identifies the entity that initiated the certificate update session. If the session is initiated by the ASE, the update identifier is set to 1; otherwise, it is set to 0. Within one update session, the update identifier contained in every packet is identical. Because this certificate update session is initiated by the ASUE, the update identifier in the ASUE certificate update request packet is 0. The AE therefore judges whether the update session index contained in the ASUE certificate update request packet is greater than the update session index it has saved in order to verify whether the ASUE has update authority; when the verification passes, it determines that the ASUE has update authority.
The signature information is the encrypted information obtained by encrypting the other data in the packet. Because the entities under WAPI have trust relationships with one another, each entity saves the signature information of the other entities it trusts. When an entity receives a packet sent by another entity and the packet contains a MAC address and signature information, the receiver must judge whether the MAC address and the signature information in the packet are identical to the MAC address and the signature information it has saved; if they are identical, it processes the packet.
In Table 4, the ASUE certificate update request packet also contains the MAC address of the AE, the MAC address of the ASUE and the signature information of the ASUE. When the AE receives the ASUE certificate update request packet and recognizes the signature information of the ASUE in it, the AE uses the signature information of its trusted ASUE that it has saved to decrypt the other data in the packet. If decryption succeeds, the AE determines that the signature information of the ASUE it trusts is identical to the signature information of the ASUE in the packet; otherwise, it determines that they are not identical. After determining that the saved signature information of the ASUE is identical to the signature information of the ASUE contained in the packet, the AE obtains the MAC addresses from the successfully decrypted ASUE certificate update request packet and judges whether the MAC address of the AE and the MAC address of the ASUE in the packet are identical to its own MAC address and to the MAC address of the ASUE it has saved. If they are identical, the AE determines that the sender of the ASUE certificate update request packet, the ASUE, has update authority, and processes the packet.
When the AE determines that the signature information of the ASUE it trusts is not identical to the signature information of the ASUE contained in the packet, and/or that the MAC address of the AE and the MAC address of the ASUE contained in the ASUE certificate update request packet are not identical to its own MAC address and to the MAC address of the ASUE it has saved, it discards the ASUE certificate update request packet without processing it.
When the ASUE certificate update request packet contains only one or more of the MAC address of the AE, the MAC address of the ASUE and the signature information of the ASUE, the judgment for each item is the same as the judgment described above for the corresponding item and is not repeated here.
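The AE-side checks described above for the ASUE certificate update request packet (signature, MAC addresses, update identifier, update session index, challenge) can be sketched as follows. This is an added example, not code from the patent: the class and function names are hypothetical, the byte layout is constructed, HMAC-SHA256 under a pre-shared key stands in for the ASUE signature information the AE has saved, and the public-key encryption of the packet is omitted.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class UpdateRequest:
    """Fields listed for the ASUE certificate update request packet (Table 4)."""
    session_index: int   # update session index
    update_flag: int     # update identifier; only the lowest bit is used
    ae_mac: bytes
    asue_mac: bytes
    challenge: bytes     # random number chosen by the session initiator
    signature: bytes = b""

    def signed_bytes(self) -> bytes:
        # Constructed layout for this example only, not the WAI wire format.
        return (self.session_index.to_bytes(4, "big") + bytes([self.update_flag])
                + self.ae_mac + self.asue_mac + self.challenge)


def sign(key: bytes, req: UpdateRequest) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the signature over the other fields.
    return hmac.new(key, req.signed_bytes(), hashlib.sha256).digest()


def make_request(key, index, ae_mac, asue_mac, challenge=None, flag=0):
    unsigned = UpdateRequest(index, flag, ae_mac, asue_mac,
                             challenge or os.urandom(32))
    return replace(unsigned, signature=sign(key, unsigned))


class AeReceiver:
    """State the AE keeps in order to decide whether to process a request."""

    def __init__(self, own_mac: bytes, trusted_keys: dict):
        self.own_mac = own_mac
        self.trusted_keys = trusted_keys   # ASUE MAC -> saved trust material
        self.saved_index = 0
        self.saved_challenge = b""

    def check(self, req: UpdateRequest) -> str:
        """Return 'accept' or the reason the packet is discarded."""
        key = self.trusted_keys.get(req.asue_mac)
        if key is None or not hmac.compare_digest(sign(key, req), req.signature):
            return "bad-signature"
        if req.ae_mac != self.own_mac:
            return "mac-mismatch"
        if req.update_flag & 1 != 0:       # 0 means the session was not started by the ASE
            return "wrong-initiator"
        if req.session_index <= self.saved_index:
            return "stale-index"           # not greater than the saved index
        if hmac.compare_digest(req.challenge, self.saved_challenge):
            return "repeated-challenge"    # same challenge as the last session
        return "accept"

    def finish_session(self, req: UpdateRequest) -> None:
        # Saved values are replaced only when the update session ends.
        self.saved_index = req.session_index
        self.saved_challenge = req.challenge


def demo() -> list:
    key = os.urandom(32)
    ae_mac = bytes.fromhex("02000000000a")     # constructed sample addresses
    asue_mac = bytes.fromhex("02000000000b")
    ae = AeReceiver(ae_mac, {asue_mac: key})

    first = make_request(key, 1, ae_mac, asue_mac)
    results = [ae.check(first)]
    ae.finish_session(first)

    results.append(ae.check(first))            # same packet sent again
    results.append(ae.check(
        make_request(key, 2, ae_mac, asue_mac, challenge=first.challenge)))
    results.append(ae.check(make_request(key, 2, ae_mac, asue_mac, flag=1)))
    tampered = replace(make_request(key, 2, ae_mac, asue_mac), session_index=9)
    results.append(ae.check(tampered))         # index changed after signing
    results.append(ae.check(make_request(key, 2, ae_mac, asue_mac)))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the saved index and challenge change only in `finish_session`, a packet that arrives while a session is still open is compared against the values of the last completed session.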
Table 5 shows one format of the proxy ASUE certificate update request packet provided by the embodiment of the invention. The description takes as an example a packet that contains the MAC address of the AE, the MAC address of the ASUE, the signature information of the AE, the update session index, the update identifier and the challenge; when the packet contains only one or more of these items, the judgment for each item is the same as the judgment described for the corresponding item.
Table 5
Because the update session index contained in every packet within one update session is identical, the update session index contained in the proxy ASUE certificate update request packet of Table 5 is identical to the update session index in the ASUE certificate update request packet. The process by which the ASE uses the update session index of the proxy ASUE certificate update request packet to verify whether to process that packet is the same as the process by which the AE uses the update session index contained in the ASUE certificate update request packet to verify whether to process the ASUE certificate update request packet.
Because the challenge contained in every packet within one update session is identical, the challenge contained in the proxy ASUE certificate update request packet of Table 2 is identical to the challenge in the ASUE certificate update request packet. The process by which the ASE uses the challenge contained in the proxy ASUE certificate update request packet to verify whether to process that packet is the same as the process by which the AE uses the challenge of the ASUE certificate update request packet to verify whether to process the ASUE certificate update request packet.
Because the update identifier contained in every packet within one update session is identical, the update identifier contained in the proxy ASUE certificate update request packet of Table 5 is identical to the update identifier in the ASUE certificate update request packet. Because this update session is initiated by the ASUE, the update identifier in both the proxy ASUE certificate update request packet and the ASUE certificate update request packet is 0.
In Table 5, the proxy ASUE certificate update request packet also contains the MAC address of the AE, the MAC address of the ASUE and the signature information of the AE. The process by which the ASE uses these three items to verify whether the AE has update authority is the same as the process by which the AE uses the MAC address of the AE, the MAC address of the ASUE and the signature information of the ASUE contained in the ASUE certificate update request packet to verify whether the ASUE has update authority. That is, the ASE judges whether the MAC address of the AE, the MAC address of the ASUE and the signature information of the AE that it has saved are consistent with the MAC address of the AE, the MAC address of the ASUE and the signature information of the AE contained in the proxy ASUE certificate update request packet. If they are consistent, the ASE determines that the AE has update authority; otherwise, it discards the proxy ASUE certificate update request packet.
A kind of form of acting on behalf of ASUE certificate update respond packet that table 6 provides for the embodiment of the invention, act on behalf of the mac address information that comprises AE in the ASUE certificate update respond packet with this, the mac address information of ASUE, the signing messages of ASE, upgrading conversation index and upgrading identification information is that example describes, when this acts on behalf of the mac address information that only comprises AE in the ASUE certificate update respond packet, the mac address information of ASUE, the signing messages of ASE, when upgrading conversation index and upgrading one or more of identification information, its deterministic process is identical with deterministic process that should information at phase.
Table 6
Because, within one update session, the update session index carried in every packet is the same, the update session index in the proxy ASUE certificate update response packet in Table 6 is identical to the update session index in the proxy ASUE certificate update request packet. The AE uses the update session index in the proxy ASUE certificate update response packet to verify whether to process that packet, in the same way that the ASE uses the update session index in the proxy ASUE certificate update request packet to verify whether to process that packet.
Because, within one update session, the update flag carried in every packet is the same, the update flag in the proxy ASUE certificate update response packet in Table 6 is identical to the update flag in the proxy ASUE certificate update request packet. Because this update session is initiated by the ASUE, the update flag is 0 in both the proxy ASUE certificate update response packet and the proxy ASUE certificate update request packet.
In Table 6, the proxy ASUE certificate update response packet contains the MAC address information of the AE, the MAC address information of the ASUE and the signature information of the ASE. The AE uses these three items to verify the security of the data information in the proxy ASUE certificate update response packet, in the same way that the AE uses the MAC address information of the AE, the MAC address information of the ASUE and the signature information of the ASUE contained in the ASUE certificate update request packet to verify whether the ASUE has update authority. That is, the AE judges whether its own MAC address information, the MAC address information of the ASUE that it has stored and the signature information of the ASE are consistent with the MAC address information of the AE, the MAC address information of the ASUE and the signature information of the ASE contained in the proxy ASUE certificate update response packet. If they are consistent, the AE determines that the data information in the proxy ASUE certificate update response packet is secure; otherwise, it discards the proxy ASUE certificate update response packet.
In Table 6, the proxy ASUE certificate update response packet also contains the length information of the new ASUE certificate file and the data information of the new ASUE certificate file. When the AE has verified that the data information in the proxy ASUE certificate update response packet is secure, it generates an ASUE certificate update response packet containing the length information of the new ASUE certificate file and the data information of the new ASUE certificate file, and sends it to the ASUE.
Table 7 shows one format of the ASUE certificate update response packet provided by the embodiment of the invention. The description takes as an example an ASUE certificate update response packet that contains the MAC address information of the AE, the MAC address information of the ASUE, the signature information of the AE, the signature information of the ASE, the update session index and the update flag information. When the ASUE certificate update response packet contains one or more of these items, the judgment process is the same as the judgment process for the corresponding information.
Table 7
Because, within one update session, the update session index carried in every packet is the same, the update session index in the ASUE certificate update response packet in Table 7 is identical to the update session index in the proxy ASUE certificate update response packet. The ASUE uses the update session index in the ASUE certificate update response packet to verify whether to process that packet, in the same way that the AE uses the update session index in the proxy ASUE certificate update response packet to verify whether to process that packet.
Because, within one update session, the update flag carried in every packet is the same, the update flag in the ASUE certificate update response packet in Table 7 is identical to the update flag in the proxy ASUE certificate update response packet. Because this update session is initiated by the ASUE, the update flag is 0 in both the ASUE certificate update response packet and the proxy ASUE certificate update response packet.
In Table 7, the ASUE certificate update response packet contains the MAC address information of the AE, the MAC address information of the ASUE, the signature information of the ASE and the signature information of the AE. The ASUE uses these four items to verify the security of the data information in the ASUE certificate update response packet, in the same way that the AE uses the MAC address information of the AE, the MAC address information of the ASUE and the signature information of the ASUE contained in the ASUE certificate update request packet to verify whether the ASUE has update authority. That is, the ASUE judges whether the MAC address information of the AE that it has stored, its own MAC address information, the signature information of the ASE and the signature information of the AE are consistent with the MAC address information of the AE, the MAC address information of the ASUE, the signature information of the ASE and the signature information of the AE contained in the ASUE certificate update response packet. If they are consistent, the ASUE determines that the data information in the ASUE certificate update response packet is secure and obtains the ASUE certificate data information contained in it; otherwise, it discards the ASUE certificate update response packet.
In Table 7, the ASUE certificate update response packet also contains the length information of the new ASUE certificate file and the data information of the new ASUE certificate file. When the ASUE has verified that the data information in the ASUE certificate update response packet is secure, it obtains the ASUE certificate data information, which comprises the length information of the new ASUE certificate file and the data information of the new ASUE certificate file.
Fig. 6 shows the fourth WAPI certificate update process provided by the embodiment of the invention. The process comprises the following steps:
S601: The ASE sends an ASE-to-ASUE certificate update announcement packet to the AE.
This ASE-to-ASUE certificate update announcement packet is encrypted by the ASE with the public key of the AE.
S602: Based on the received ASE-to-ASUE certificate update announcement packet, the AE verifies whether the ASE has update authority. If the verification passes, step S603 is performed; otherwise, step S614 is performed.
Before verifying whether the ASE has update authority, the AE must also decrypt the ASE-to-ASUE certificate update announcement packet with its own private key to obtain the data information in it.
The AE's verification of whether the ASE has update authority comprises: the AE verifies whether the ASE has update authority according to the MAC address information and/or the signature information contained in the ASE-to-ASUE certificate update announcement packet.
When the verification fails, the AE discards the ASE-to-ASUE certificate update announcement packet, that is, it does not process it.
S603: The AE generates an AE-to-ASUE certificate update announcement packet and sends it to the ASUE.
This AE-to-ASUE certificate update announcement packet is encrypted by the AE with the public key of the ASUE.
S604: Based on the received AE-to-ASUE certificate update announcement packet, the ASUE verifies whether the AE has update authority. If the verification passes, step S605 is performed; otherwise, step S614 is performed.
Before verifying whether the AE has update authority, the ASUE must also decrypt the AE-to-ASUE certificate update announcement packet with its own private key to obtain the data information in it.
The ASUE's verification of whether the AE has update authority comprises: the ASUE verifies whether the AE has update authority according to the MAC address information and/or the signature information contained in the AE-to-ASUE certificate update announcement packet.
When the verification fails, the ASUE discards the AE-to-ASUE certificate update announcement packet, that is, it does not process it.
S605: The ASUE generates an ASUE certificate update request packet and sends it to the AE.
S606: Based on the received ASUE certificate update request packet, the AE verifies whether the ASUE has update authority. If the verification passes, step S607 is performed; otherwise, step S614 is performed.
Before verifying whether the ASUE has update authority, the AE must decrypt the ASUE certificate update request packet with its own private key to obtain the data information in it.
The AE's verification of whether the ASUE has update authority comprises: the AE verifies whether the ASUE has update authority according to the MAC address information and signature information contained in the ASUE certificate update request packet; the AE identifies the update flag information in the ASUE certificate update request packet, and because this certificate update session is initiated by the ASE, the update flag in the ASUE certificate update request packet is 1; and the AE judges whether the update session index and challenge information contained in the AE-to-ASUE certificate update announcement packet are equal to the update session index and challenge information contained in the ASUE certificate update request packet, to verify whether the ASUE has update authority.
When at least one of the above verifications fails, it is determined that the ASUE does not have update authority, and the AE discards the ASUE certificate update request packet, that is, it does not process it.
S607: The AE generates a proxy ASUE certificate update request packet and sends it to the ASE.
The proxy ASUE certificate update request packet is encrypted by the AE with the public key of the ASE, and the encrypted proxy ASUE certificate update request packet is sent to the ASE.
S608: Based on the received proxy ASUE certificate update request packet, the ASE verifies whether the AE has update authority. If the verification passes, step S609 is performed; otherwise, step S614 is performed.
Before verifying whether the AE has update authority, the ASE must decrypt the proxy ASUE certificate update request packet with its own private key to obtain the data information in it.
The ASE's verification of whether the AE has update authority comprises: the ASE verifies whether the AE has update authority according to the MAC address information and signature information contained in the proxy ASUE certificate update request packet; the ASE identifies the update flag information in the proxy ASUE certificate update request packet, and because this certificate update session is initiated by the ASE, the update flag in the proxy ASUE certificate update request packet is 1; and the ASE judges whether the update session index and challenge information contained in the ASUE certificate update request packet are respectively equal to the update session index and challenge information contained in the proxy ASUE certificate update request packet, to verify whether the AE has update authority.
When at least one of the above verifications fails, it is determined that the AE does not have update authority, and the ASE discards the proxy ASUE certificate update request packet, that is, it does not process it.
S609: The ASE obtains the corresponding certificate data information and returns to the AE a proxy ASUE certificate update response packet carrying that certificate data information.
The proxy ASUE certificate update response packet is encrypted by the ASE with the public key of the AE, and the encrypted proxy ASUE certificate update response packet is sent to the AE.
S610: The AE verifies the security of the data information contained in the proxy ASUE certificate update response packet. If the verification passes, step S611 is performed; otherwise, step S614 is performed.
Before verifying the security of the data information contained in the proxy ASUE certificate update response packet, the AE must also decrypt the proxy ASUE certificate update response packet with its own private key to obtain the data information in it.
The AE's verification of the security of the data information contained in the proxy ASUE certificate update response packet comprises one or more of the following: the AE judges whether the MAC address information in the proxy ASUE certificate update response packet is identical to its own MAC address information; the AE judges whether the signature information in the proxy ASUE certificate update response packet is identical to the signature information it has stored; the AE judges whether the update session index in the proxy ASUE certificate update response packet is identical to the update session index in the proxy ASUE certificate update request packet; the AE judges whether the update flag in the proxy ASUE certificate update response packet is identical to the update flag in the proxy ASUE certificate update request packet.
When at least one of the above verifications fails, it is determined that the data information contained in the proxy ASUE certificate update response packet is not secure, and the AE discards the proxy ASUE certificate update response packet, that is, it does not process it.
S611: The AE generates an ASUE certificate update response packet and sends it to the ASUE.
The ASUE certificate update response packet is encrypted by the AE with the public key of the ASUE, and the encrypted ASUE certificate update response packet is sent to the ASUE.
S612: The ASUE verifies the security of the data information contained in the ASUE certificate update response packet. If the verification passes, step S613 is performed; otherwise, step S614 is performed.
Before verifying the security of the data information contained in the ASUE certificate update response packet, the ASUE must also decrypt the ASUE certificate update response packet with its own private key to obtain the data information in it.
The ASUE's verification of the security of the data information contained in the ASUE certificate update response packet comprises one or more of the following: the ASUE judges whether the MAC address information in the ASUE certificate update response packet is identical to its own MAC address information; the ASUE judges whether the signature information in the ASUE certificate update response packet is identical to the signature information it has stored; the ASUE judges whether the update session index in the ASUE certificate update response packet is identical to the update session index in the proxy ASUE certificate update response packet; the ASUE judges whether the update flag in the ASUE certificate update response packet is identical to the update flag in the proxy ASUE certificate update response packet.
When at least one of the above verifications fails, it is determined that the data information contained in the ASUE certificate update response packet is not secure, and the ASUE discards the ASUE certificate update response packet and does not process it.
S613: The ASUE obtains the certificate data information in the ASUE certificate update response packet.
S614: The packet is discarded, that is, it is not processed.
Table 8 shows one format of the ASE-to-ASUE certificate update announcement packet provided by the embodiment of the invention. The description takes as an example an ASE-to-ASUE certificate update announcement packet that contains the MAC address information of the AE, the MAC address information of the ASUE, the signature information of the ASE trusted by the ASUE and the signature information of the ASE trusted by the AE. When the ASE-to-ASUE certificate update announcement packet contains only one or more of these items, the judgment process is the same as the judgment process for the corresponding information.
Table 8
In Table 8, the ASE-to-ASUE certificate update announcement packet contains the update session index of this certificate update process. This update session index serves the same purpose as the update session index in the ASUE certificate update request packet: it is used to prevent replay attacks. The AE can use the update session index contained in the ASE-to-ASUE certificate update announcement packet, together with the update session index it has stored, to verify whether to process the ASE-to-ASUE certificate update announcement packet. This process is the same as the process in the third embodiment in which the AE uses the update session index contained in the ASUE certificate update request packet, together with the update session index it has stored, to verify whether to process the ASUE certificate update request packet.
Moreover, because the update session index contained in every packet is the same within one certificate update session, the ASE-to-ASUE certificate update announcement packet, the AE-to-ASUE certificate update announcement packet, the ASUE certificate update request packet, the proxy ASUE certificate update request packet, the proxy ASUE certificate update response packet and the ASUE certificate update response packet of this certificate update session all contain the same update session index.
In addition, the ASE-to-ASUE certificate update announcement packet can also contain challenge information. This challenge information serves the same purpose as the challenge information in the ASUE certificate update request packet: it is used to prevent replay attacks. Because this certificate update session is initiated by the ASE, the challenge information contained in the ASE-to-ASUE certificate update announcement packet is a random number that the ASE generates with a random algorithm. Because the challenge information contained in every packet is the same within one certificate update session, the challenge information contained in the AE-to-ASUE certificate update announcement packet, the ASUE certificate update request packet, the proxy ASUE certificate update request packet, the proxy ASUE certificate update response packet and the ASUE certificate update response packet is identical to the challenge information contained in the ASE-to-ASUE certificate update announcement packet. The AE can use the challenge information contained in the ASE-to-ASUE certificate update announcement packet, together with the challenge information it has stored, to verify whether to process the ASE-to-ASUE certificate update announcement packet. This process is the same as the process in the third embodiment in which the AE uses the challenge information contained in the ASUE certificate update request packet, together with the challenge information it has stored, to verify whether to process the ASUE certificate update request packet.
In Table 8, the ASE-to-ASUE certificate update announcement packet contains the MAC address information of the AE, the MAC address information of the ASUE, the signature information of the ASE trusted by the ASUE and the signature information of the ASE trusted by the AE. The AE uses these four items to verify whether the ASE has update authority, in the same way that, in the third embodiment, the AE uses the MAC address information of the AE, the MAC address information of the ASUE and the signature information of the ASUE contained in the ASUE certificate update request packet to verify whether the ASUE has update authority. That is, the AE judges whether its own MAC address information, the MAC address information of the ASUE that it has stored, the signature information of the ASE trusted by the ASUE and the signature information of the ASE trusted by the AE are consistent with the MAC address information of the AE, the MAC address information of the ASUE, the signature information of the ASE trusted by the ASUE and the signature information of the ASE trusted by the AE contained in the ASE-to-ASUE certificate update announcement packet. If they are consistent, the AE determines that the ASE has update authority; otherwise, it discards the ASE-to-ASUE certificate update announcement packet.
Table 9 shows one format of the AE-to-ASUE certificate update announcement packet provided by the embodiment of the invention. The description takes as an example an AE-to-ASUE certificate update announcement packet that contains the MAC address information of the AE, the MAC address information of the ASUE, the signature information of the ASE trusted by the ASUE and the signature information of the AE. When the AE-to-ASUE certificate update announcement packet contains only one or more of these items, the judgment process is the same as the judgment process for the corresponding information.
Table 9
Because, within one update session, the update session index carried in every packet is the same, the update session index in the AE-to-ASUE certificate update announcement packet in Table 9 is identical to the update session index in the ASE-to-ASUE certificate update announcement packet. The ASUE uses the update session index contained in the AE-to-ASUE certificate update announcement packet to verify whether to process that packet, in the same way that the AE uses the update session index contained in the ASE-to-ASUE certificate update announcement packet to verify whether to process that packet.
Because, within one update session, the challenge information carried in every packet is the same, the challenge information in the AE-to-ASUE certificate update announcement packet in Table 9 is identical to the challenge information in the ASE-to-ASUE certificate update announcement packet. The ASUE uses the challenge information contained in the AE-to-ASUE certificate update announcement packet to verify whether to process that packet, in the same way that the AE uses the challenge information contained in the ASE-to-ASUE certificate update announcement packet to verify whether to process that packet.
In Table 9, the AE-to-ASUE certificate update announcement packet also contains the MAC address information of the AE, the MAC address information of the ASUE, the signature information of the ASE trusted by the ASUE and the signature information of the AE. The ASUE uses these four items to verify whether the AE has update authority, in the same way that, in the third embodiment, the AE uses the MAC address information of the AE, the MAC address information of the ASUE and the signature information of the ASUE contained in the ASUE certificate update request packet to verify whether the ASUE has update authority. That is, the ASUE judges whether the MAC address information of the AE that it has stored, its own MAC address information, the signature information of the ASE trusted by the ASUE and the signature information of the AE are consistent with the MAC address information of the AE, the MAC address information of the ASUE, the signature information of the ASE trusted by the ASUE and the signature information of the AE contained in the AE-to-ASUE certificate update announcement packet. If they are consistent, the ASUE determines that the AE has update authority; otherwise, it discards the AE-to-ASUE certificate update announcement packet.
In the above implementation, when the AE receives the ASE-to-ASUE certificate update announcement packet sent by the ASE and, according to that packet, verifies that the ASE has update authority, the AE generates an AE-to-ASUE certificate update announcement packet and sends it to the ASUE. The ASUE receives the AE-to-ASUE certificate update announcement packet sent by the AE and, when it verifies according to that packet that the AE has update authority, generates an ASUE certificate update request packet. The information contained in this ASUE certificate update request packet has been described in detail in the third embodiment; the difference is that here the update session index contained in the ASUE certificate update request packet is identical to the update session index contained in the ASE-to-ASUE certificate update announcement packet, and the challenge information contained in the ASUE certificate update request packet is likewise identical to the challenge information contained in the ASE-to-ASUE certificate update announcement packet, which is generated by the ASE with a random algorithm. After the AE receives this ASUE certificate update request packet, it can verify whether the ASUE has update authority according to the MAC address information of the AE, the MAC address information of the ASUE and the signature information of the ASUE contained in the packet, and, according to the verification result, determine whether to obtain the certificate data information and generate a proxy ASUE certificate update request packet.
The proxy ASUE certificate update request packet generated by the AE is essentially the same as the proxy ASUE certificate update request packet generated in the third embodiment. The difference is that here the update session index contained in the proxy ASUE certificate update request packet is identical to the update session index contained in the ASE-to-ASUE certificate update announcement packet, and the challenge information contained in the proxy ASUE certificate update request packet is likewise identical to the challenge information contained in the ASE-to-ASUE certificate update announcement packet. The process by which the ASE verifies, according to the proxy ASUE certificate update request packet, whether the AE has update authority is the same as in the third embodiment and is not repeated here.
The proxy ASUE certificate update response packet generated by the ASE is essentially the same as the proxy ASUE certificate update response packet generated in the third embodiment. The difference is that here the update session index contained in the proxy ASUE certificate update response packet is identical to the update session index contained in the ASE-to-ASUE certificate update announcement packet, and the challenge information contained in the proxy ASUE certificate update response packet is likewise identical to the challenge information contained in the ASE-to-ASUE certificate update announcement packet. The process by which the AE verifies, according to the proxy ASUE certificate update response packet, the security of the data information contained in that packet is the same as in the third embodiment and is not repeated here.
The ASUE certificate update response packet generated by the AE is essentially the same as the ASUE certificate update response packet generated in the third embodiment. The difference is that here the update session index contained in the ASUE certificate update response packet is identical to the update session index contained in the ASE-to-ASUE certificate update announcement packet, and the challenge information contained in the ASUE certificate update response packet is likewise identical to the challenge information contained in the ASE-to-ASUE certificate update announcement packet. The process by which the ASUE verifies, according to the ASUE certificate update response packet, the security of the data information contained in that packet is the same as in the third embodiment and is not repeated here.
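The AE's checks in steps S602, S606 and S610, together with the replay-protection role the description gives the update session index and the challenge, as an added Python example that is not code from the patent. Signature verification and public-key encryption are left out; the class and field names, the 32-byte challenge, the sample MAC addresses and the rule that a session index is accepted only once are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, replace

ASE_INITIATED = 1  # update flag value the description gives for an ASE-initiated session


@dataclass(frozen=True)
class Packet:
    ae_mac: bytes
    asue_mac: bytes
    session_index: int
    challenge: bytes
    update_flag: int
    cert: bytes = b""  # new ASUE certificate data (response packets only)


class AE:
    """AE-side checks for an ASE-initiated update (steps S602, S606, S610)."""

    def __init__(self, own_mac, known_asue_macs):
        self.own_mac = own_mac
        self.known_asue = set(known_asue_macs)
        self.pending = {}           # asue_mac -> (session_index, challenge)
        self.used_indexes = set()   # assumption: each index opens one session only

    def _addresses_ok(self, pkt):
        # The packet must name this AE and an ASUE this AE has on record.
        return (hmac.compare_digest(pkt.ae_mac, self.own_mac)
                and pkt.asue_mac in self.known_asue)

    def _matches_session(self, pkt):
        # Returns a drop reason, or None when the packet belongs to the open session.
        state = self.pending.get(pkt.asue_mac)
        if state is None:
            return "drop: no open session"
        index, challenge = state
        if pkt.update_flag != ASE_INITIATED:
            return "drop: wrong update flag"
        if pkt.session_index != index:
            return "drop: session index mismatch"
        if not hmac.compare_digest(pkt.challenge, challenge):
            return "drop: challenge mismatch"
        return None

    def on_announcement(self, pkt):
        """S602: accept the ASE's announcement and store its freshness values."""
        if not self._addresses_ok(pkt):
            return "drop: address mismatch"
        if pkt.update_flag != ASE_INITIATED:
            return "drop: wrong update flag"
        if pkt.session_index in self.used_indexes:
            return "drop: replayed session index"
        self.used_indexes.add(pkt.session_index)
        self.pending[pkt.asue_mac] = (pkt.session_index, pkt.challenge)
        return "forward to ASUE"

    def on_asue_request(self, pkt):
        """S606: the request must echo the announcement's index and challenge."""
        if not self._addresses_ok(pkt):
            return "drop: address mismatch"
        return self._matches_session(pkt) or "forward to ASE"

    def on_proxy_response(self, pkt):
        """S610: the response must belong to the open session, which it then closes."""
        if not self._addresses_ok(pkt):
            return "drop: address mismatch"
        problem = self._matches_session(pkt)
        if problem:
            return problem
        del self.pending[pkt.asue_mac]
        return "forward to ASUE"


def run_demo():
    # Constructed sample values, not taken from the patent.
    ae_mac = bytes.fromhex("02000000aa01")
    asue_mac = bytes.fromhex("02000000bb02")
    ae = AE(ae_mac, [asue_mac])
    announce = Packet(ae_mac, asue_mac, 7, secrets.token_bytes(32), ASE_INITIATED)
    request = replace(announce)  # the ASUE echoes index, challenge and flag
    response = replace(announce, cert=b"<constructed certificate bytes>")
    stale = replace(response, challenge=secrets.token_bytes(32))
    return [
        ae.on_announcement(announce),
        ae.on_asue_request(request),
        ae.on_proxy_response(stale),     # response carrying another session's challenge
        ae.on_proxy_response(response),
        ae.on_proxy_response(response),  # the accepted response sent a second time
        ae.on_announcement(announce),    # the announcement sent a second time
    ]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

Because the session is closed once the response has been forwarded, a captured response or announcement that is sent again is dropped even though its MAC addresses, flag, index and challenge are all internally consistent.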
The embodiment of the invention provides a method for certificate update under WAPI. In this method the ASE receives the certificate update request packet sent by the AE and verifies it; when the sender of the certificate update request packet is verified to have update authority, the ASE obtains the corresponding certificate data information and returns a certificate update response packet carrying that certificate data information to the AE. Without introducing any other protocol, and by extending the fields of the WAI protocol packets under WAPI, the method lets an AE apply for a certificate update, lets an ASUE apply for a certificate update, lets the ASE notify an AE to update its certificate, and lets the ASE notify an ASUE to update its certificate, which improves the efficiency of certificate update.
Fig. 7 shows a WAPI certificate update system provided by an embodiment of the invention. The system comprises:
An authenticator entity AE 701, configured to send a certificate update request packet to the authentication service entity ASE 702 and to receive the certificate update response packet, carrying the certificate data information, that the ASE 702 sends;
The authentication service entity ASE 702, configured to receive the certificate update request packet and, after verifying that the sender of the certificate update request packet has update authority, obtain the corresponding certificate data information according to the certificate update request packet and return the certificate update response packet carrying that certificate data information to the AE 701.
The ASE 702 is specifically configured to:
Determine whether the MAC address information in the certificate update request packet is identical to the MAC address information of the AE 701 associated with the ASE, and/or determine whether the signature information in the certificate update request packet is identical to the signature information the ASE has stored; when they are verified to be identical, determine that the sender of the certificate update request packet has update authority.
The ASE 702 is specifically configured to:
Receive the AE certificate update request packet sent by the AE 701, and receive the proxy ASUE certificate update request packet sent by the AE 701, where the proxy ASUE certificate update request packet is generated by the AE 701 after it receives the ASUE certificate update request packet sent by the authentication supplicant entity ASUE 703 and verifies that the sender of that ASUE certificate update request packet has update authority.
The system further comprises:
An authentication supplicant entity ASUE 703, configured to send an ASUE certificate update request packet.
The AE 701 is specifically configured to:
Send an AE certificate request packet to the ASE on its own initiative; or receive the ASE-to-AE certificate update announcement packet sent by the ASE 702 and, after verifying that the sender of that announcement packet has update authority, generate the AE certificate update request packet and send it to the ASE 702.
The ASE 702 is specifically configured to identify the update identifier in the AE certificate update request packet. When the update identifier is 1, the ASE determines whether the update session index and challenge information contained in the ASE-to-AE certificate update announcement packet are respectively equal to the update session index and challenge information contained in the AE certificate update request packet, and thereby verifies whether the sender has update authority. When the update identifier is 0, the ASE determines whether the update session index contained in the AE certificate update request packet is greater than the update session index the ASE has stored, and thereby verifies whether the sender has update authority.
The AE 701 is specifically configured to:
Receive the ASUE certificate update request packet that the ASUE 703 sends on its own initiative; or receive the ASE-to-ASUE certificate update announcement packet sent by the ASE 702 and, when it verifies that the sender of that announcement packet has update authority, generate an AE-to-ASUE certificate update announcement packet and send it to the ASUE 703;
The ASUE 703 is further configured to receive the AE-to-ASUE certificate update announcement packet sent by the AE 701 and, when it verifies that the sender of that announcement packet has update authority, generate the ASUE certificate update request packet and send it to the AE 701.
The ASE 702 is specifically configured to identify the update identifier in the proxy ASUE certificate update request packet. When the update identifier is 1, the ASE determines whether the update session index and challenge information contained in the ASE-to-ASUE certificate update announcement packet are respectively equal to the update session index and challenge information contained in the proxy ASUE certificate update request packet, and thereby verifies whether the sender has update authority. When the update identifier is 0, the ASE determines whether the update session index and challenge information contained in the proxy ASUE certificate update request packet are respectively equal to the update session index and challenge information in the ASUE certificate update request packet, and thereby verifies whether the sender has update authority.
The ASE 702 is specifically configured to return the AE certificate update response packet to the AE 701;
The AE 701 is specifically configured to receive the AE certificate update response packet and verify the security of the data information carried in the certificate update response packet; when verification passes, the AE 701 obtains the certificate data information in the certificate update response packet.
The AE 701 is specifically configured to perform one or more of the following: determine whether the MAC address information in the certificate update response packet is identical to its own MAC address information; determine whether the signature information in the certificate update request packet is identical to the signature information it has stored; determine whether the update session index in the certificate update response packet is identical to the update session index in the certificate update request packet; determine whether the update identifier in the certificate update response packet is identical to the update identifier in the certificate update request packet.
The ASUE 703 is specifically configured to receive the ASUE certificate update response packet, which the AE 701 sends once the proxy ASUE certificate update response packet has passed the AE's security verification, and to verify the security of the data information carried in the certificate update response packet; when verification passes, the ASUE obtains the certificate data information.
The embodiment of the invention provides a system for certificate update under WAPI. The ASE of this system receives the certificate update request packet sent by the AE and verifies it; when the sender of the certificate update request packet is verified to have update authority, the ASE obtains the corresponding certificate data information and returns a certificate update response packet carrying that certificate data information to the AE. Because the embodiment introduces no other protocol and instead extends the fields of the WAI protocol packets under WAPI, it achieves certificate update under WAPI and improves the efficiency of certificate update.
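The ASE-side check of the update identifier described above for an AE certificate update request (identifier 1: update session index and challenge must equal those of the ASE's announcement; identifier 0: update session index must be greater than the stored one), as an added Python example that is not code from the patent. The class and field names, the in-memory state, the single-use handling of an announcement and the update of the stored index after acceptance are assumptions; the signature comparison is left out.

```python
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Announcement:
    """ASE-to-AE certificate update announcement (only the fields the check uses)."""
    session_index: int
    challenge: bytes


@dataclass(frozen=True)
class UpdateRequest:
    """AE certificate update request (hypothetical field names, not a wire format)."""
    sender_mac: str
    update_identifier: int  # 1: answers an ASE announcement, 0: sent on the AE's own initiative
    session_index: int
    challenge: bytes


@dataclass
class Ase:
    """Minimal ASE state: associated AEs, stored session indexes, open announcements."""
    associated_macs: Set[str]
    stored_index: Dict[str, int] = field(default_factory=dict)
    pending: Dict[str, Announcement] = field(default_factory=dict)

    def announce(self, ae_mac: str) -> Announcement:
        """Issue an announcement with a fresh index and a random challenge."""
        mac = ae_mac.lower()
        ann = Announcement(self.stored_index.get(mac, 0) + 1, os.urandom(32))
        self.pending[mac] = ann
        return ann

    def verify_request(self, req: UpdateRequest) -> Tuple[bool, str]:
        """Return (has_update_authority, reason) for one request."""
        mac = req.sender_mac.lower()
        # MAC check: the sender must be an AE associated with this ASE.
        if mac not in self.associated_macs:
            return False, "sender MAC is not an associated AE"

        if req.update_identifier == 1:
            # Request answers an announcement: index and challenge must both match it.
            ann = self.pending.get(mac)
            if ann is None:
                return False, "no announcement outstanding for this AE"
            if req.session_index != ann.session_index:
                return False, "session index differs from the announcement"
            if not hmac.compare_digest(req.challenge, ann.challenge):
                return False, "challenge differs from the announcement"
            # Assumption: an announcement can be answered once, so a captured
            # request cannot be replayed against the same challenge.
            del self.pending[mac]
            self.stored_index[mac] = req.session_index
            return True, "ok"

        if req.update_identifier == 0:
            # AE-initiated request: the index must be greater than the stored one.
            if req.session_index <= self.stored_index.get(mac, 0):
                return False, "session index is not greater than the stored index"
            # Assumption: the accepted index becomes the new stored index.
            self.stored_index[mac] = req.session_index
            return True, "ok"

        return False, "unknown update identifier"


def demo() -> list:
    """Run the check over constructed requests and return the verdicts."""
    mac = "00:11:22:33:44:55"  # constructed sample address
    ase = Ase(associated_macs={mac})
    own = UpdateRequest(mac, 0, 5, b"")
    verdicts = [ase.verify_request(own), ase.verify_request(own)]  # second is a replay
    ann = ase.announce(mac)
    verdicts.append(ase.verify_request(UpdateRequest(mac, 1, ann.session_index, ann.challenge)))
    return verdicts


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The replayed AE-initiated request fails only because the stored index advances on acceptance; without that step the "greater than the stored index" comparison would accept the same packet repeatedly.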
Fig. 8 is a schematic structural diagram of a WAPI certificate update device provided by an embodiment of the invention. The device comprises:
A first receiving module 801, configured to receive the certificate update request packet sent by the authenticator entity AE;
A first verification module 802, configured to verify whether the sender of the certificate update request packet has update authority;
A first certificate acquisition module 803, configured to obtain the corresponding certificate data information according to the certificate update request packet;
A first sending module 804, configured to return the certificate update response packet carrying the certificate data information to the AE.
The first verification module 802 is specifically configured to determine whether the MAC address information in the certificate update request packet is identical to the MAC address information of the AE associated with the device, thereby verifying whether the sender has update authority; and/or to determine whether the signature information in the certificate update request packet is identical to the signature information the device has stored, thereby verifying whether the sender has update authority.
The embodiment of the invention provides a device for certificate update under WAPI. In this device the first receiving module 801 receives the certificate update request packet sent by the AE, and the first verification module 802 verifies the certificate update request packet; when the sender of the certificate update request packet is verified to have update authority, the first certificate acquisition module 803 obtains the corresponding certificate data information, and the first sending module 804 returns the certificate update response packet carrying the certificate data information to the AE. Because the embodiment introduces no other protocol and instead extends the fields of the WAI protocol packets under WAPI, it achieves certificate update under WAPI and improves the efficiency of certificate update.
Fig. 9 is a schematic structural diagram of a WAPI certificate update device provided by an embodiment of the invention. The device comprises:
A second sending module 901, configured to send a certificate update request packet to the authentication service entity ASE;
A second receiving module 902, configured to receive the certificate update response packet, carrying certificate data information, that the ASE sends;
A second verification module 903, configured to verify the security of the data information carried in the certificate update response packet.
The second verification module 903 is specifically configured to determine whether the MAC address information in the certificate update response packet is identical to its own MAC address information, and/or the AE determines whether the signature information in the certificate update request packet is identical to the signature information it has stored.
The embodiment of the invention provides a method, system and device for WAPI certificate update. In this method the ASE receives the certificate update request packet sent by the AE and verifies it; when the sender of the certificate update request packet is verified to have update authority, the ASE obtains the corresponding certificate data information and returns a certificate update response packet carrying that certificate data information to the AE. Because the embodiment introduces no other protocol and instead extends the fields of the WAI protocol packets under WAPI, it achieves certificate update under WAPI and improves the efficiency of certificate update.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the invention and their technical equivalents, the invention is also intended to include them.

Claims (24)

1. the method for a WAPI WAPI certificate update is characterized in that, comprising:
Differentiate that service entities ASE receives the certificate update request grouping that discriminator entity A E sends; And
After the transmit leg of verifying described certificate update request grouping has the authority of renewal,, obtain corresponding certificate data information according to described certificate update request grouping;
Described ASE will carry the certificate update respond packet of described certificate data information and return described AE.
2. the method for claim 1 is characterized in that, whether the transmit leg of verifying described certificate update request grouping has the authority of renewal comprises:
Described ASE is by judging the medium access control mac address information in the described certificate update request grouping, and the mac address information with self related AE is identical, verifies whether described transmit leg has the renewal authority; And/or,
Whether described ASE is by judging the signing messages in the described certificate update request grouping, identical with the signing messages of self preserving, and verifies whether described transmit leg has the renewal authority.
3. The method of claim 1 or 2, characterized in that the ASE receiving the certificate update request packet sent by the AE comprises:
The ASE receives an AE certificate update request packet sent by the AE; or
The ASE receives a proxy authentication supplicant entity (ASUE) certificate update request packet sent by the AE, where the proxy ASUE certificate update request packet is generated by the AE after it receives the ASUE certificate update request packet sent by the ASUE and verifies that the sender of that ASUE certificate update request packet has update authority.
4. The method of claim 3, characterized in that the AE sending the AE certificate update request packet to the ASE comprises:
The AE sends an AE certificate request packet to the ASE on its own initiative; or,
The AE receives the ASE-to-AE certificate update announcement packet sent by the ASE; after the AE verifies that the sender of that announcement packet has update authority, it generates the AE certificate update request packet and sends the AE certificate update request packet to the ASE.
5. The method of claim 4, characterized in that verifying whether the sender of the certificate update request packet has update authority further comprises:
The ASE identifies the update identifier in the AE certificate update request packet;
When the update identifier is 1, the ASE verifies whether the sender has update authority by determining whether the update session index and challenge information contained in the ASE-to-AE certificate update announcement packet are respectively equal to the update session index and challenge information contained in the AE certificate update request packet;
When the update identifier is 0, the ASE verifies whether the sender has update authority by determining whether the update session index contained in the AE certificate update request packet is greater than the update session index the ASE has stored.
6. The method of claim 3, characterized in that the AE receiving the ASUE certificate update request packet sent by the ASUE comprises:
The AE receives the ASUE certificate update request packet that the ASUE sends on its own initiative; or,
The AE receives the ASE-to-ASUE certificate update announcement packet sent by the ASE; when it verifies that the sender of that announcement packet has update authority, it generates an AE-to-ASUE certificate update announcement packet and sends it to the ASUE; the AE then receives the ASUE certificate update request packet that the ASUE generates and sends when the ASUE verifies that the sender of the AE-to-ASUE certificate update announcement packet has update authority.
7. The method of claim 6, characterized in that verifying whether the sender of the certificate update request packet has update authority further comprises:
The ASE identifies the update identifier in the proxy ASUE certificate update request packet;
When the update identifier is 1, the ASE verifies whether the sender has update authority by determining whether the update session index and challenge information contained in the ASE-to-ASUE certificate update announcement packet are respectively equal to the update session index and challenge information contained in the proxy ASUE certificate update request packet;
When the update identifier is 0, the ASE verifies whether the sender has update authority by determining whether the update session index and challenge information contained in the proxy ASUE certificate update request packet are respectively equal to the update session index and challenge information in the ASUE certificate update request packet.
8. The method of claim 1 or 2, characterized in that, after the ASE returns the certificate update response packet carrying the certificate data information to the AE, the method further comprises:
The AE receives the certificate update response packet returned by the ASE;
The AE verifies the security of the data information carried in the certificate update response packet;
When verification passes, the AE obtains the certificate data information in the certificate update response packet.
9. The method of claim 8, characterized in that the AE verifying the security of the data information carried in the certificate update response packet comprises one or more of the following:
The AE determines whether the MAC address information in the certificate update response packet is identical to its own MAC address information;
The AE determines whether the signature information in the certificate update response packet is identical to the signature information it has stored;
The AE determines whether the update session index in the certificate update response packet is identical to the update session index in the certificate update request packet; and,
The AE determines whether the update identifier in the certificate update response packet is identical to the update identifier in the certificate update request packet.
10. The method of claim 1 or 2, characterized in that, when the certificate update request packet is a proxy ASUE certificate update request packet, after the ASE returns the certificate update response packet carrying the certificate data information to the AE, the method further comprises:
The ASUE receives the ASUE certificate update response packet, which the AE sends when the proxy ASUE certificate update response packet passes the AE's security verification;
The ASUE verifies the security of the data information carried in the certificate update response packet, and when verification passes, the ASUE obtains the certificate data information.
11. A system for WAPI certificate update, characterized in that it comprises:
An authenticator entity AE, configured to send a certificate update request packet to an authentication service entity ASE and to receive the certificate update response packet, carrying the certificate data information, that the ASE sends;
The ASE, configured to receive the certificate update request packet and, after verifying that the sender of the certificate update request packet has update authority, obtain the corresponding certificate data information according to the certificate update request packet and return the certificate update response packet carrying that certificate data information to the AE.
12. The system of claim 11, characterized in that the ASE is specifically configured to verify whether the sender has update authority by determining whether the MAC address information in the certificate update request packet is identical to the MAC address information of the AE associated with the ASE, and/or to verify whether the sender has update authority by determining whether the signature information in the certificate update request packet is identical to the signature information the ASE has stored.
13. The system of claim 11 or 12, characterized in that:
The ASE is specifically configured to receive the AE certificate update request packet sent by the AE, or to receive the proxy authentication supplicant entity (ASUE) certificate update request packet sent by the AE, where the proxy ASUE certificate update request packet is generated by the AE after it receives the ASUE certificate update request packet sent by the ASUE and verifies that the sender of that ASUE certificate update request packet has update authority;
The system further comprises:
An ASUE, configured to send an ASUE certificate update request packet.
14. The system of claim 13, characterized in that the AE is specifically configured to send an AE certificate request packet to the ASE on its own initiative, or to receive the ASE-to-AE certificate update announcement packet sent by the ASE and, after verifying that the sender of that announcement packet has update authority, generate the AE certificate update request packet and send the AE certificate update request packet to the ASE.
15. The system of claim 14, characterized in that the ASE is specifically configured to identify the update identifier in the AE certificate update request packet; when the update identifier is 1, to verify whether the sender has update authority by determining whether the update session index and challenge information contained in the ASE-to-AE certificate update announcement packet are respectively equal to the update session index and challenge information contained in the AE certificate update request packet; and when the update identifier is 0, to verify whether the sender has update authority by determining whether the update session index contained in the AE certificate update request packet is greater than the update session index the ASE has stored.
16. The system of claim 13, characterized in that the AE is specifically configured to receive the ASUE certificate update request packet that the ASUE sends on its own initiative, or to receive the ASE-to-ASUE certificate update announcement packet sent by the ASE and, when it verifies that the sender of that announcement packet has update authority, generate an AE-to-ASUE certificate update announcement packet and send it to the ASUE;
The ASUE is further configured to receive the AE-to-ASUE certificate update announcement packet, verify whether the sender of that announcement packet has update authority and, when the sender has update authority, generate the ASUE certificate update request packet and send it to the AE.
17. The system of claim 16, characterized in that the ASE is specifically configured to identify the update identifier in the proxy ASUE certificate update request packet; when the update identifier is 1, to verify whether the sender has update authority by determining whether the update session index and challenge information contained in the ASE-to-ASUE certificate update announcement packet are respectively equal to the update session index and challenge information contained in the proxy ASUE certificate update request packet; and when the update identifier is 0, to verify whether the sender has update authority by determining whether the update session index and challenge information contained in the proxy ASUE certificate update request packet are respectively equal to the update session index and challenge information in the ASUE certificate update request packet.
18. The system of claim 11 or 12, characterized in that the ASE is specifically configured to return the AE certificate update response packet to the AE;
The AE is specifically configured to receive the AE certificate update response packet and verify the security of the data information carried in the certificate update response packet; when verification passes, the AE obtains the certificate data information in the certificate update response packet.
19. The system of claim 17, characterized in that the AE is specifically configured to perform one or more of the following: determine whether the MAC address information in the certificate update response packet is identical to its own MAC address information; determine whether the signature information in the certificate update request packet is identical to the signature information it has stored; determine whether the update session index in the certificate update response packet is identical to the update session index in the certificate update request packet; determine whether the update identifier in the certificate update response packet is identical to the update identifier in the certificate update request packet.
20. The system of claim 11 or 12, characterized in that the ASUE is specifically configured to receive the ASUE certificate update response packet, which the AE sends when the proxy ASUE certificate update response packet passes the AE's security verification, and to verify the security of the data information carried in the certificate update response packet; when verification passes, the ASUE obtains the certificate data information.
21. A device for WAPI certificate update, characterized in that it comprises:
A first receiving module, configured to receive the certificate update request packet sent by an authenticator entity AE;
A first verification module, configured to verify whether the sender of the certificate update request packet has update authority;
A certificate acquisition module, configured to obtain the corresponding certificate data information according to the certificate update request packet;
A first sending module, configured to return the certificate update response packet carrying the certificate data information to the AE.
22. The device of claim 21, characterized in that the first verification module is specifically configured to determine whether the MAC address information in the certificate update request packet is identical to the MAC address information of the AE associated with the device, thereby verifying whether the sender has update authority; and/or to determine whether the signature information in the certificate update request packet is identical to the signature information the device has stored, thereby verifying whether the sender has update authority.
23. A device for WAPI certificate update, characterized in that it comprises:
A second sending module, configured to send a certificate update request packet to an authentication service entity ASE;
A second receiving module, configured to receive the certificate update response packet, carrying certificate data information, that the ASE sends;
A second verification module, configured to verify the security of the data information carried in the certificate update response packet.
24. The device of claim 23, characterized in that the second verification module is specifically configured to determine whether the MAC address information in the certificate update response packet is identical to its own MAC address information, and/or to perform one or more of the following: the AE determines whether the signature information in the certificate update request packet is identical to the signature information it has stored; determine whether the update session index in the certificate update response packet is identical to the update session index in the certificate update request packet; determine whether the update identifier in the certificate update response packet is identical to the update identifier in the certificate update request packet.
CN201010221869.0A 2010-06-29 2010-06-29 Method, system and device for updating WAPI certificate Expired - Fee Related CN101895884B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010221869.0A CN101895884B (en) 2010-06-29 2010-06-29 Method, system and device for updating WAPI certificate

Publications (2)

Publication Number Publication Date
CN101895884A true CN101895884A (en) 2010-11-24
CN101895884B CN101895884B (en) 2012-12-12

Family

ID=43104916

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010221869.0A Expired - Fee Related CN101895884B (en) 2010-06-29 2010-06-29 Method, system and device for updating WAPI certificate

Country Status (1)

Country Link
CN (1) CN101895884B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103905390A (en) * 2012-12-26 2014-07-02 联想(北京)有限公司 Permission acquisition method, device, electronic equipment and system
WO2017031664A1 (en) * 2015-08-24 2017-03-02 Arris Enterprises, Inc. Wireless setup procedure enabling modification of wireless credentials
CN107425981A (en) * 2017-06-12 2017-12-01 清华大学 A kind of digital certificate management method and system based on block chain

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1953445A (en) * 2005-10-21 2007-04-25 北京中电华大电子设计有限责任公司 A method and installation to resolve the safety problem for certificate cancellation in WAPI
WO2008101426A1 (en) * 2007-02-16 2008-08-28 China Iwncomm Co., Ltd. A roaming authentication method based on wapi certificate
CN101483866A (en) * 2009-02-11 2009-07-15 中兴通讯股份有限公司 WAPI terminal certificate managing method, apparatus and system
CN101568116A (en) * 2009-05-19 2009-10-28 中兴通讯股份有限公司 Method for obtaining certificate state information and certificate state management system

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103905390A (en) * 2012-12-26 2014-07-02 联想(北京)有限公司 Permission acquisition method, device, electronic equipment and system
CN103905390B (en) * 2012-12-26 2017-05-24 联想(北京)有限公司 Permission acquisition method, device, electronic equipment and system
WO2017031664A1 (en) * 2015-08-24 2017-03-02 Arris Enterprises, Inc. Wireless setup procedure enabling modification of wireless credentials
US10548009B2 (en) 2015-08-24 2020-01-28 Arris Enterprises Llc Wireless setup procedure enabling modification of wireless credentials
CN107425981A (en) * 2017-06-12 2017-12-01 清华大学 A kind of digital certificate management method and system based on block chain

Also Published As

Publication number Publication date
CN101895884B (en) 2012-12-12

Similar Documents

Publication Publication Date Title
CN110035433B (en) Verification method and device adopting shared secret key, public key and private key
US11122428B2 (en) Transmission data protection system, method, and apparatus
EP3493462B1 (en) Authentication method, authentication apparatus and authentication system
US8295488B2 (en) Exchange of key material
US8503376B2 (en) Techniques for secure channelization between UICC and a terminal
US8000478B2 (en) Key handshaking method and system for wireless local area networks
US9392453B2 (en) Authentication
EP2288195B1 (en) Method and apparatus for operating a base station in a wireless communication system
US10588015B2 (en) Terminal authenticating method, apparatus, and system
CN101483866B (en) WAPI terminal certificate managing method, apparatus and system
US20110320802A1 (en) Authentication method, key distribution method and authentication and key distribution method
CN105554747A (en) Wireless network connecting method, device and system
CN105577680A (en) Key generation method, encrypted data analyzing method, devices and key managing center
KR101706117B1 (en) Apparatus and method for other portable terminal authentication in portable terminal
US11381973B2 (en) Data transmission method, related device, and related system
KR20150051568A (en) Security supporting method and system for proximity based service device to device discovery and communication in mobile telecommunication system environment
CN111601280A (en) Access verification method and device
AU2010284792B2 (en) Method and apparatus for reducing overhead for integrity check of data in wireless communication system
CN101715190B (en) System and method for realizing authentication of terminal and server in WLAN (Wireless Local Area Network)
CN101895884B (en) Method, system and device for updating WAPI certificate
JP2007110487A (en) Lan system and its communication method
CN101483867B (en) User identity verification method, related device and system in WAP service
KR100330418B1 (en) Authentication Method in Mobile Communication Environment
WO2017009714A1 (en) Establishing a temporary subscription with isolated e-utran network
CN102404736B (en) Method and device for WAI Certificate authentication

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121212