CN101998407A - WLAN access authentication based method for accessing services - Google Patents


Publication number: CN101998407A
Authority: CN (China)
Prior art keywords: terminal; authentication center; cookie; identity token; business authentication
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN2009101696866A
Other languages: Chinese (zh)
Other versions: CN101998407B (en)
Inventors: 刘利军, 王静, 兰建明, 邵春菊, 段翔, 魏冰
Current assignee: China Mobile Communications Group Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: China Mobile Communications Group Co Ltd
Application filed by China Mobile Communications Group Co Ltd
Priority application: CN200910169686.6A (granted as CN101998407B)
Related family applications: JP2012525856A (JP2013503514A); EP10811116.2A (EP2475194B1); US13/393,162 (US20120198539A1); PCT/CN2010/001327 (WO2011022950A1); KR1020127008361A (KR101442136B1); RU2012108415/08A (RU2573212C2)
Publications: CN101998407A (application); CN101998407B (granted)
Current legal status: Expired - Fee Related

Classification: Mobile Radio Communication Systems (AREA)

Abstract

The application discloses a WLAN access authentication based method for accessing services, comprising the following steps: while a terminal undergoes WLAN access authentication, a WLAN portal server sends a first Cookie to the terminal that has passed WLAN access authentication; the terminal requests access to the services of an application system, and the service authentication center associated with the application system determines from the first Cookie that the terminal has passed WLAN access authentication; the associated service authentication center obtains the terminal identity token via the first Cookie; the associated service authentication center sends the obtained terminal identity token to the application system; and the application system provides access to the services according to the terminal identity token. Through this method, after passing WLAN access authentication the terminal can access the services provided by a plurality of application systems without service authentication, which improves the user experience and reduces the overhead of the application systems.

Description

Service access method based on WLAN access authentication
Technical field
The application relates to the field of wireless communication, and in particular to a service access method based on WLAN access authentication.
Background art
With the development of wireless communication technology and the growing informatization of society, on the one hand the demand for access, via WLAN (Wireless Local Area Network), to application systems that provide value-added services increases daily; on the other hand, the number of application systems that can provide service access is also growing.
Fig. 1 shows the structure of a WLAN access authentication system 1, which may comprise a terminal 11, an access point (AP) 12, an access controller (AC) 13, an access authentication server 14 and a portal server 15. In system 1, the access point 12 provides wireless access for the terminal 11. The access controller 13 controls the access of the terminal 11 to the WLAN. The access controller 13, the access authentication server 14 and the portal server 15 cooperate to complete the access authentication of the terminal 11. This WLAN access authentication method is described in detail in the applicant's pending Chinese patent application No. 200610169785.0 (publication number CN 101212297A), the entire content of which is incorporated herein by reference and is not repeated here.
Fig. 2 shows a single sign-on system 2, which allows a terminal to access the services of multiple application systems after a single service authentication. System 2 may comprise application systems, service authentication centers and terminal databases. The application systems are divided into first-level application systems 21 and second-level application systems 22, associated respectively with a first-level service authentication center 23 and second-level service authentication centers 24. An application system obtains the required terminal identity token through its associated service authentication center and provides service access to the terminal according to that token. Each second-level service authentication center 24 is associated with a terminal database 25 that records the information of a number of terminals. This single sign-on method is described in detail in the applicant's as yet unpublished Chinese patent application No. 200810116578.8, the entire content of which is incorporated herein by reference and is not repeated here.
However, because the WLAN access authentication described above and the service authentication of the single sign-on system are independent of each other, a terminal that has passed WLAN access authentication still has to undergo at least one service authentication before it can access the services provided by the application systems. This repeated authentication not only degrades the user experience but also increases overhead, because the application systems must maintain the terminal data needed for service authentication.
Summary of the invention
To overcome the repeated-authentication problem of the prior art, an embodiment of the application provides a service access method based on WLAN access authentication, comprising: while a terminal undergoes WLAN access authentication, a WLAN portal server sends a first Cookie to the terminal that has passed WLAN access authentication; the terminal requests access to a service of an application system, and the service authentication center associated with that application system determines from the first Cookie that the terminal has passed WLAN access authentication; the associated service authentication center obtains the terminal identity token through the first Cookie; the associated service authentication center sends the obtained terminal identity token to the application system; and the application system provides service access to the terminal according to the terminal identity token.
With this method, a terminal that has passed WLAN access authentication can access the services provided by multiple application systems without service authentication, which improves the user experience and reduces the overhead of the application systems.
Description of drawings
Fig. 1 is a schematic structural diagram of a WLAN access authentication system;
Fig. 2 is a schematic structural diagram of a single sign-on system;
Fig. 3 is a flow chart of a service access method based on WLAN access authentication according to a first embodiment of the application;
Fig. 4 is a flow chart of a service access method based on WLAN access authentication according to a second embodiment of the application;
Fig. 5 is a flow chart of a service access method based on WLAN access authentication according to a third embodiment of the application;
Fig. 6 is a flow chart of a service access method based on WLAN access authentication according to a fourth embodiment of the application;
Fig. 7 is a flow chart of a service access method based on WLAN access authentication according to a fifth embodiment of the application;
Fig. 8 is a process flow chart of a service access method based on WLAN access authentication in an exemplary application scenario of the application;
Fig. 9 is a process flow chart of a service access method based on WLAN access authentication in another exemplary application scenario of the application.
Detailed description of the embodiments
According to the application, when a terminal initiates a request to access a service of an application system and the terminal has already passed WLAN access authentication, the application system can obtain the terminal identity token through its associated service authentication center and provide service access to the terminal according to that token, without performing service authentication. Those skilled in the art will understand that the terminal identity token is the information an application system needs in order to provide service access to a terminal; it may include, for example, the terminal's MSISDN (Mobile Subscriber International ISDN Number), charging information, and so on.
In the existing WLAN access method, the portal server sends an access authentication result page to the terminal. According to an embodiment of the application, when the terminal passes WLAN access authentication, the portal server also sends a Cookie to the terminal in addition to the access authentication result page. A Cookie is a piece of text stored on the terminal; the content of the Cookie sent by the portal server to the terminal may include a terminal identifier and an access-authentication-passed flag. In this application, the terminal identifier is an identification code that uniquely determines the identity of the terminal, for example the terminal's MSISDN. The access-authentication-passed flag may be any information from which it can be determined that the terminal has passed WLAN access authentication; as a non-limiting example, it may be an identifier of the portal server, such as the portal server's name or address. It will be understood that the portal server may send the Cookie to the terminal together with the access authentication result page, or may send the Cookie separately before or after sending the result page.
The service access method based on WLAN access authentication according to the application is described below with reference to Fig. 3 to Fig. 7, where the system providing service access adopts the two-level architecture shown in Fig. 2. The first step of the methods shown in Fig. 3 to Fig. 7 (step 301 in Fig. 3, step 401 in Fig. 4, step 501 in Fig. 5, step 601 in Fig. 6 and step 701 in Fig. 7) may be the step, described above, in which the portal server sends the Cookie to a terminal that has passed WLAN access authentication. It will be understood that after a terminal sends a service access request to an application system, the application system may check whether it already holds the terminal's identity token; if so, it can provide service access to the terminal directly. Therefore, the steps that follow the first step (the portal server sending the Cookie to the terminal that has passed WLAN access authentication) of the methods of Fig. 3 to Fig. 7 are performed only when the application system does not hold the identity token of the terminal requesting service access.
In the method according to the first embodiment of the application, shown in Fig. 3, after step 301, when the terminal initiates a request to access a service of an application system, the service authentication center associated with that application system can judge from the Cookie on the terminal whether the terminal has passed WLAN access authentication (step 302). To do so, the application system redirects the service access request to its associated service authentication center. For example, if the terminal wants to access a service of a first-level application system, the first-level service authentication center judges whether the terminal has passed WLAN access authentication; if the terminal wants to access a service of a second-level application system, the second-level service authentication center associated with that second-level application system makes the judgement. As described above, during the terminal's WLAN access authentication the portal server has sent the terminal that passed WLAN access authentication a Cookie containing the terminal identifier and the access-authentication-passed flag. Therefore, the service authentication center can determine from the access-authentication-passed flag contained in the Cookie on the terminal that the terminal has passed WLAN access authentication.
The service authentication center then obtains the required terminal identity token through the Cookie (step 303). After receiving the terminal identity token, the service authentication center sends it to the application system (step 304), and the application system provides service access to the terminal according to the token (step 305). It will be understood that, in step 304 in which the service authentication center sends the terminal identity token to the application system, the service authentication center may instead send the token to the terminal first, and the terminal then forwards it to the application system, so that the application system can provide the required service access to the terminal.
In the second embodiment of the application, shown in Fig. 4, the portal server sends the Cookie to the terminal that has passed WLAN access authentication in step 401. After the service authentication center determines from the Cookie on the terminal that the terminal has passed WLAN access authentication (step 402), the service authentication center may obtain the terminal identity token through the Cookie in the following way: the service authentication center obtains the terminal identifier from the Cookie and, according to the terminal identifier, requests the second-level service authentication center to which the terminal belongs to provide the terminal identity token (step 403). After receiving the terminal identity token, the service authentication center sends it to the application system (step 404), and the application system then provides service access to the terminal according to the token (step 405).
As described above, each second-level service authentication center is associated with a terminal database that records the information of a number of terminals. In this application, a terminal "belongs" to a certain second-level service authentication center when the terminal's information is recorded in the terminal database associated with that center; that center is the terminal's home second-level service authentication center. Before requesting the terminal's home second-level service authentication center to provide the terminal identity token, the service authentication center must first determine which second-level service authentication center the terminal belongs to. The service authentication center can determine the terminal's home second-level service authentication center from the terminal identifier obtained from the Cookie by any of various existing methods; for brevity, the application does not describe the determination method in detail. The service authentication center sends the terminal identifier to the terminal's home second-level service authentication center to request the terminal identity token, so that the home center can obtain the corresponding terminal identity token according to the terminal identifier and send it back to the service authentication center. Those skilled in the art will understand that the home second-level service authentication center may use any of various existing ways to search its associated terminal database according to the terminal identifier and obtain the terminal identity token, which is not repeated here.
Optionally, the service authentication center may store terminal identity tokens. In that case, in step 403 shown in Fig. 4, after obtaining the terminal identifier from the Cookie the service authentication center can first judge whether the terminal identity token corresponding to that terminal identifier is stored locally: if not, it requests the terminal's home second-level service authentication center to provide the terminal identity token according to the terminal identifier, and stores the token locally after obtaining it; if so, it can omit the process of requesting the token from the home center. For example, a terminal identity token table may be configured at the service authentication center to store terminal identity tokens. It will be understood that in the terminal identity token table the terminal identifier can serve as the index information for each terminal identity token; in other words, the table records the correspondence between terminal identifiers and terminal identity tokens. The service authentication center can therefore obtain the corresponding terminal identity token by looking up the terminal identity token table according to the terminal identifier.
To improve security, the Cookie sent to the terminal by the portal server may contain an encrypted terminal identifier, so that the service authentication center must decrypt the encrypted terminal identifier in the Cookie to obtain the terminal identifier. Those skilled in the art can use various cryptographic systems to implement the encryption and decryption of the terminal identifier. As one specific embodiment, a symmetric cryptographic algorithm may be used, that is, the portal server and the service authentication center share a key Ka. Specifically, the Cookie on a terminal that has passed WLAN access authentication contains the ciphertext produced by the portal server encrypting the terminal identifier with the key Ka; after obtaining the Cookie, the service authentication center decrypts the encrypted terminal identifier with the key Ka to obtain the correct terminal identifier. Various symmetric algorithms may be used, for example the DES, 3DES or AES algorithms. As another specific embodiment, an asymmetric cryptographic algorithm may be used, that is, the Cookie on the terminal that has passed WLAN access authentication contains the ciphertext produced by the portal server encrypting the terminal identifier with a public key Kp, and after obtaining the Cookie the service authentication center decrypts the encrypted terminal identifier with its private key Ks. Various asymmetric algorithms may be used, for example the RSA, ElGamal or ECC algorithms.
It will be understood that although adding the terminal identifier to the Cookie in encrypted form improves security to some extent, a replay attack may still occur. For this reason, according to an embodiment of the application, the service authentication center may store the terminal identifier after obtaining it from the Cookie, and allocate a terminal identifier index to each terminal identifier. In this case, the service authentication center may send a rewritten Cookie to the terminal to replace the Cookie previously provided by the portal server; the rewritten Cookie may contain an identifier of the service authentication center (for example the name or address of that service authentication center) and the terminal identifier index corresponding to the terminal identifier. As mentioned above, in the step in which the service authentication center sends the terminal identity token to the application system, the service authentication center may send the token to the terminal first, and the terminal then forwards it to the application system. Therefore, while sending the terminal identity token to the application system via the terminal, the service authentication center can send the rewritten Cookie to the terminal to replace the original Cookie. Then, when the terminal requests access to a service of another application system, the service authentication center associated with that application system can, according to the service authentication center identifier and the terminal identifier index contained in the rewritten Cookie, send the terminal identifier index to the service authentication center designated by that identifier; that service authentication center obtains the corresponding terminal identifier according to the terminal identifier index and thereby obtains the required terminal identity token. Where a terminal identity token table has been established at the service authentication center to store terminal identity tokens, the table can be extended with an entry recording the terminal identifier index corresponding to each terminal identifier. The service authentication center designated by the identifier in the rewritten Cookie can then look up the terminal identity token table by the terminal identifier index; if no corresponding terminal identity token is found, it can obtain the corresponding terminal identifier from the table and obtain the required terminal identity token according to that identifier. In this way, the Cookie containing the terminal identifier is used only once, when the terminal first requests service access after passing WLAN access authentication, so a replay attack can be avoided.
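The Cookie issuance, decryption, home-center lookup and Cookie rewriting of steps 301 to 303 and 403, as an added simulation that is not the application's own code. A keystream derived from HMAC-SHA256 with an HMAC tag stands in for the AES/3DES cipher named above so the block needs only the standard library; the key Ka, the terminal identifier, the home-center map and the center names are constructed values.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Constructed shared key Ka held by the portal server and the service authentication centers.
KA = hashlib.sha256(b"constructed-demo-key-Ka").digest()


# HMAC-SHA256 keystream plus HMAC tag: a standard-library stand-in for the AES/3DES
# symmetric algorithm the application names for encrypting the terminal identifier.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("Cookie ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def portal_issue_cookie(terminal_id: str) -> dict:
    """Step 301/401: the portal server gives a terminal that passed WLAN access
    authentication a Cookie carrying the access-authentication-passed flag (here the
    portal server's name) and the terminal identifier encrypted under Ka."""
    return {"auth_passed": "portal.constructed.example",
            "tid": base64.b64encode(encrypt(KA, terminal_id.encode())).decode()}


class ServiceAuthCenter:
    def __init__(self, name: str, key: bytes, home_centers: dict):
        self.name = name
        self.key = key
        # terminal identifier -> terminal database of its home second-level center
        # (constructed stand-in for the home lookup the application leaves unspecified)
        self.home_centers = home_centers
        self.token_table = {}   # terminal identifier -> terminal identity token
        self.index_table = {}   # terminal identifier index -> terminal identifier

    def passed_access_auth(self, cookie: dict) -> bool:
        """Step 302: the flag placed by the portal server shows the terminal passed."""
        return "auth_passed" in cookie

    def token_for(self, terminal_id: str) -> dict:
        """Step 403: use the local token table if present, otherwise ask the home center."""
        if terminal_id not in self.token_table:
            self.token_table[terminal_id] = self.home_centers[terminal_id][terminal_id]
        return self.token_table[terminal_id]

    def obtain_token(self, cookie: dict, centers: dict) -> tuple:
        """Step 303: resolve the Cookie to a token; also return the Cookie the terminal
        should hold from now on."""
        if "index" in cookie:
            # Rewritten Cookie: only the issuing center knows the index -> identifier map.
            issuer = centers[cookie["center"]]
            return issuer.token_for(issuer.index_table[cookie["index"]]), cookie
        terminal_id = decrypt(self.key, base64.b64decode(cookie["tid"])).decode()
        token = self.token_for(terminal_id)
        index = secrets.token_hex(8)
        self.index_table[index] = terminal_id
        # The portal's Cookie is replaced, so the encrypted identifier is presented once.
        return token, {"center": self.name, "index": index}


def simulate() -> tuple:
    """Constructed scenario: one terminal, two application systems with different centers."""
    db = {"8613800000001": {"msisdn": "8613800000001", "charging": "prepaid"}}
    home = {"8613800000001": db}
    center1 = ServiceAuthCenter("auth-center-1", KA, home)
    center2 = ServiceAuthCenter("auth-center-2", KA, home)
    centers = {c.name: c for c in (center1, center2)}
    cookie = portal_issue_cookie("8613800000001")
    if not center1.passed_access_auth(cookie):
        raise RuntimeError("terminal has not passed WLAN access authentication")
    token1, cookie = center1.obtain_token(cookie, centers)   # first application system
    token2, cookie = center2.obtain_token(cookie, centers)   # second one, via the index
    return token1, token2, cookie


def tampered_cookie_rejected() -> bool:
    """A Cookie whose ciphertext was altered on the terminal must not decrypt."""
    cookie = portal_issue_cookie("8613800000001")
    blob = bytearray(base64.b64decode(cookie["tid"]))
    blob[16] ^= 0x01                     # flip one ciphertext bit
    try:
        decrypt(KA, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(simulate())
```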
It will be understood that a secure transmission channel may be established between the service authentication center and the terminal's home second-level service authentication center, and between the service authentication center and its associated application system, for transmitting the terminal identifier and/or the terminal identity token. As an example, the secure transmission channel may be a VPN (Virtual Private Network), such as an SSL secure tunnel.
Fig. 5 and Fig. 6 show service access methods based on WLAN access authentication according to the third and fourth embodiments of the application, in which a second-level service authentication center does not request the terminal identity token directly from the terminal's home second-level service authentication center, but requests it via the first-level service authentication center. This avoids interconnection between different second-level service authentication centers and the resulting mesh of accesses, and thereby avoids possible information congestion.
Specifically, after the portal server sends the Cookie to the terminal that has passed WLAN access authentication (step 501 of Fig. 5, step 601 of Fig. 6), the service authentication center determines from the Cookie on the terminal that the terminal has passed WLAN access authentication (step 502 of Fig. 5, step 602 of Fig. 6). Next, the level of the service authentication center, first-level or second-level, is judged (step 503 of Fig. 5, step 603 of Fig. 6). If the service authentication center is the first-level service authentication center, the first-level service authentication center obtains the terminal identifier from the Cookie and, according to the terminal identifier, requests the terminal's home second-level service authentication center to provide the terminal identity token (step 504 of Fig. 5, step 604 of Fig. 6). If the service authentication center is a second-level service authentication center, the processing of the method of Fig. 5 differs slightly from that of the method of Fig. 6.
When the service authentication center is a second-level service authentication center, in the method of Fig. 5 the second-level service authentication center obtains the terminal identifier from the Cookie and sends it to the first-level service authentication center (step 505); the first-level service authentication center requests the terminal's home second-level service authentication center, according to the terminal identifier, to provide the terminal identity token (step 506), and then sends the terminal identity token to the second-level service authentication center that requested it (step 507). In the method of Fig. 6, by contrast, the second-level service authentication center sends the Cookie itself to the first-level service authentication center (step 605); the first-level service authentication center obtains the terminal identifier from the Cookie, requests the terminal's home second-level service authentication center according to the terminal identifier to provide the terminal identity token (step 606), and sends the terminal identity token to the second-level service authentication center that requested it (step 607). Thus in the method of Fig. 5 the second-level service authentication center is responsible for obtaining the terminal identifier from the Cookie, whereas in the method of Fig. 6 the first-level service authentication center obtains it.
After the service authentication center receives the terminal identity token, the methods of Fig. 5 and Fig. 6 proceed identically: the service authentication center sends the terminal identity token to the application system (step 508 of Fig. 5, step 608 of Fig. 6), and the application system then provides service access to the terminal according to the token (step 509 of Fig. 5, step 609 of Fig. 6).
Optionally, the service authentication center may store terminal identity tokens, and may establish the terminal identity token table described above, recording the correspondence between terminal identifiers and terminal identity tokens. In that case, if in step 503 of Fig. 5 or step 603 of Fig. 6 the service authentication center is judged to be the first-level service authentication center, then after obtaining the terminal identifier from the Cookie the first-level service authentication center can first judge whether the required terminal identity token is stored at the first-level service authentication center: if not, it requests the terminal's home second-level service authentication center according to the terminal identifier to provide the token; if so, it can omit the process of requesting the token from the home center. On the other hand, when the service authentication center is a second-level service authentication center: in the method of Fig. 5, after obtaining the terminal identifier from the Cookie, the second-level service authentication center can judge whether the required terminal identity token is stored locally, and if so it can omit the subsequent process of requesting the token from the terminal's home second-level service authentication center via the first-level service authentication center; in the method of Fig. 6, after obtaining the terminal identifier from the Cookie received from the second-level service authentication center, the first-level service authentication center can omit the process of requesting the token from the terminal's home second-level service authentication center if it judges that the required token is already stored at the first-level service authentication center.
Similarly, a secure transmission channel may be established for transmitting the terminal identifier and/or the terminal identity token. As an example, the secure transmission channel may be a VPN, such as an SSL secure tunnel.
According to an embodiment, the Cookie sent to the terminal by the WLAN portal server may contain an encrypted terminal identifier. It will be understood that when the terminal identifier is encrypted, because in the method of Fig. 6 it is the first-level service authentication center that obtains the terminal identifier from the Cookie, the second-level service authentication centers need not hold the key Ka (symmetric algorithm) or the private key Ks (asymmetric algorithm) required for decryption, which reduces the amount of data stored and the computation performed at the second-level service authentication centers.
It will be understood that the methods of Fig. 5 and Fig. 6 may further include the step in which the service authentication center sends a rewritten Cookie to the terminal to replace the Cookie previously provided by the portal server, where the rewritten Cookie may contain the service authentication center identifier and the terminal identifier index corresponding to the terminal identifier. Note that in the method of Fig. 6, when the service authentication center is a second-level service authentication center, the terminal identifier is obtained from the Cookie by the first-level service authentication center, but the first-level service authentication center can also send the terminal identifier to the second-level service authentication center together with the terminal identity token. The service authentication center can therefore store the terminal identifier once it has obtained it, and allocate a terminal identifier index to each terminal identifier.
In the methods described above with reference to Fig. 3 to Fig. 6, the business authentication center sends the terminal identity token to the application system after obtaining it. Alternatively, where the business authentication center stores the obtained terminal identity tokens, for example in a configured terminal identity token table, it can assign a corresponding terminal identity token number to each stored token. Fig. 7 shows the method according to this embodiment. After the portal server has sent a Cookie to the terminal that passed WLAN access authentication (step 701), the business authentication center has determined from that Cookie that the terminal passed WLAN access authentication (step 702), and the business authentication center has obtained the terminal identity token (step 703), the business authentication center does not send the terminal identity token directly to the application system. Instead it stores the token, for example in the terminal identity token table, and assigns it a corresponding terminal identity token number. What the business authentication center sends to the application system is therefore the terminal identity token number (step 704), not the token itself. After receiving the token number, the application system establishes a secure transmission channel with the business authentication center and presents the token number to it; the business authentication center looks up the corresponding terminal identity token in the terminal identity token table and returns it to the application system over that secure transmission channel (step 705). As an example, a VPN, such as an SSL secure tunnel, can be established between the business authentication center and the application system to carry the terminal identity token. Once the application system has obtained the terminal identity token, it can provide service access to the terminal according to the token (step 706).
As described earlier, the business authentication center can send the terminal identity token to the application system via the terminal, so that the application system can provide the required service access to that terminal. In general, however, the transmission channel between the business authentication center and the terminal and the channel between the terminal and the application system are comparatively insecure, so sending the terminal identity token over them carries the risk that the token is stolen. In the method of Fig. 7, what the business authentication center sends to the application system via the terminal is only the terminal identity token number, while the terminal identity token itself is transmitted over the secure transmission channel, which improves security.
For ease of understanding, the detailed processing of the WLAN-access-authentication-based service access method according to embodiments of the present application is illustrated below with two concrete application scenarios, with reference to Fig. 8 and Fig. 9.
Fig. 8 shows an exemplary scenario in which terminal a accesses first-level application system A after passing WLAN access authentication. First-level application system A is associated with first-level business authentication center 1, and second-level business authentication center 2 is associated with terminal database B, which records the information of terminal a; that is, terminal a belongs to second-level business authentication center 2. During the WLAN access authentication of terminal a, the WLAN portal server sends terminal a, which has passed WLAN access authentication, a Cookie containing an access-authentication-passed flag and an encrypted terminal identifier. The processing flow shown in Fig. 8 is as follows:
Step 801: terminal a sends a service access request to first-level application system A;
Step 802: first-level application system A checks whether it already holds the terminal identity token of terminal a; if so, it jumps to step 814;
Step 803: first-level application system A redirects the service access request of terminal a to first-level business authentication center 1;
Step 804: first-level business authentication center 1 judges, from whether the Cookie on terminal a carries the access-authentication-passed flag, whether terminal a has passed WLAN access authentication. If it has, center 1 decrypts the encrypted terminal identifier in the Cookie to obtain the terminal identifier, stores it and assigns it a corresponding terminal identifier index; if it has not, the WLAN access authentication procedure for terminal a is carried out;
Step 805: first-level business authentication center 1 establishes a secure transmission channel with second-level business authentication center 2 and sends it the terminal identifier, requesting the terminal identity token;
Step 806: second-level business authentication center 2 sends a terminal identity token request to terminal database B;
Step 807: terminal database B returns the terminal identity token to second-level business authentication center 2;
Step 808: second-level business authentication center 2 sends the terminal identity token to first-level business authentication center 1 over the secure transmission channel established in step 805;
Step 809: first-level business authentication center 1 stores the terminal identity token, assigns it a terminal identity token number, and generates a new Cookie containing the identifier of first-level business authentication center 1 and the terminal identifier index;
Step 810: first-level business authentication center 1 redirects the service access request of terminal a back to first-level application system A; in the process it sends the terminal identity token number to first-level application system A and sends the new Cookie to terminal a to replace the Cookie previously provided by the portal server;
Step 811: first-level application system A establishes a secure transmission channel with first-level business authentication center 1 and sends it the terminal identity token number, requesting the terminal identity token;
Step 812: first-level business authentication center 1 looks up the terminal identity token by the terminal identity token number;
Step 813: first-level business authentication center 1 sends the terminal identity token to first-level application system A over the secure transmission channel established in step 811;
Step 814: first-level application system A provides service access to terminal a according to the terminal identity token.
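The Fig. 7 and Fig. 8 flow as an added Python simulation (not code from the patent): the portal Cookie carries the passed flag and an encrypted terminal identifier, first-level center 1 swaps it for a token number plus a new Cookie, and application system A redeems the number on its direct channel, so the token itself never passes through the terminal. The HMAC-keystream cipher, key names, session handles and the terminal database are assumptions standing in for what the patent leaves unspecified, and the secure channels are modelled as direct method calls.

```python
import base64
import hashlib
import hmac
import secrets

PORTAL_KEY = b"constructed-portal-key"  # assumed key shared by portal and center


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in for the cipher the patent leaves unspecified (ids up to 32 bytes).
    return hmac.new(key, nonce, hashlib.sha256).digest()[:n]


def encrypt_terminal_id(terminal_id: str, key: bytes = PORTAL_KEY) -> str:
    nonce, plain = secrets.token_bytes(16), terminal_id.encode()
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return base64.b64encode(nonce + ct).decode()


def decrypt_terminal_id(blob: str, key: bytes = PORTAL_KEY) -> str:
    raw = base64.b64decode(blob)
    nonce, ct = raw[:16], raw[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def portal_cookie(terminal_id: str) -> dict:
    """Cookie the WLAN portal issues once access authentication has passed."""
    return {"access_auth_passed": True,
            "enc_terminal_id": encrypt_terminal_id(terminal_id)}


class SecondaryAuthCenter:
    """Second-level center 2 in front of terminal database B (steps 805-808)."""
    def __init__(self, terminal_db: dict):
        self.db = terminal_db

    def get_token(self, terminal_id: str):
        return self.db.get(terminal_id)  # None for an unknown terminal


class BusinessAuthCenter:
    """First-level center 1: holds the token table and the identifier index."""
    def __init__(self, name: str, secondary: SecondaryAuthCenter):
        self.name, self.secondary = name, secondary
        self.token_table = {}  # token number -> terminal identity token
        self.id_index = {}     # terminal identifier index -> terminal identifier

    def handle_redirect(self, cookie: dict):
        """Steps 804-810: (token_number, new_cookie), or None when the terminal
        has no passed flag and must first go through WLAN access authentication."""
        if not cookie.get("access_auth_passed"):
            return None
        terminal_id = decrypt_terminal_id(cookie["enc_terminal_id"])
        token = self.secondary.get_token(terminal_id)  # over the secure channel
        if token is None:
            return None
        idx, number = secrets.token_hex(8), secrets.token_hex(8)
        self.id_index[idx] = terminal_id
        self.token_table[number] = token
        return number, {"auth_center": self.name, "terminal_id_index": idx}

    def fetch_token(self, token_number: str):
        """Steps 811-813: answered only on the secure channel to the app system."""
        return self.token_table.get(token_number)


class ApplicationSystem:
    """First-level application system A; `terminal` is its own session handle."""
    def __init__(self, center: BusinessAuthCenter):
        self.center = center
        self.tokens = {}  # session handle -> terminal identity token (after 813)

    def access(self, terminal: str, cookie: dict) -> str:
        if terminal in self.tokens:                    # step 802 jumps to 814
            return "granted"
        result = self.center.handle_redirect(cookie)   # steps 803-810
        if result is None:
            return "wlan-auth-required"
        number, new_cookie = result   # only the number travelled via the terminal
        cookie.clear(); cookie.update(new_cookie)      # step 810: Cookie replaced
        token = self.center.fetch_token(number)        # steps 811-813, secure channel
        if token is None:
            return "denied"
        self.tokens[terminal] = token
        return "granted"
```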
Fig. 9 shows an exemplary scenario in which terminal a accesses second-level application system A' after passing WLAN access authentication. Second-level application system A' is associated with second-level business authentication center 3, and second-level business authentication center 3 is associated with first-level business authentication center 1. Second-level business authentication center 2 is associated with terminal database B, which records the information of terminal a; that is, terminal a belongs to second-level business authentication center 2. During the WLAN access authentication of terminal a, the WLAN portal server sends terminal a, which has passed WLAN access authentication, a Cookie containing an access-authentication-passed flag and an encrypted terminal identifier. The processing flow shown in Fig. 9 is as follows:
Step 901: terminal a sends a service access request to second-level application system A';
Step 902: second-level application system A' checks whether it already holds the terminal identity token of terminal a; if so, it jumps to step 917;
Step 903: second-level application system A' redirects the service access request of terminal a to second-level business authentication center 3;
Step 904: second-level business authentication center 3 judges, from whether the Cookie on terminal a carries the access-authentication-passed flag, whether terminal a has passed WLAN access authentication; if it has not, the WLAN access authentication procedure for terminal a is carried out;
Step 905: second-level business authentication center 3 sends the Cookie to first-level business authentication center 1 and requests that first-level business authentication center 1 provide the terminal identity token;
Step 906: first-level business authentication center 1 decrypts the encrypted terminal identifier in the Cookie, obtains the terminal identifier and stores it;
Step 907: first-level business authentication center 1 establishes a secure transmission channel with second-level business authentication center 2 and sends it the terminal identifier, requesting the terminal identity token;
Step 908: second-level business authentication center 2 sends a terminal identity token request to terminal database B;
Step 909: terminal database B returns the terminal identity token to second-level business authentication center 2;
Step 910: second-level business authentication center 2 sends the terminal identity token to first-level business authentication center 1 over the secure transmission channel established in step 907;
Step 911: first-level business authentication center 1 sends the terminal identity token and the terminal identifier to second-level business authentication center 3;
Step 912: second-level business authentication center 3 stores the terminal identity token and the terminal identifier, assigns the terminal identity token a terminal identity token number, assigns the terminal identifier a terminal identifier index, and generates a new Cookie containing the identifier of second-level business authentication center 3 and the terminal identifier index;
Step 913: second-level business authentication center 3 redirects the service access request of terminal a back to second-level application system A'; in the process it sends the terminal identity token number to second-level application system A' and sends the new Cookie to terminal a to replace the Cookie previously provided by the portal server;
Step 914: second-level application system A' establishes a secure transmission channel with second-level business authentication center 3 and sends it the terminal identity token number, requesting the terminal identity token;
Step 915: second-level business authentication center 3 looks up the terminal identity token by the terminal identity token number;
Step 916: second-level business authentication center 3 sends the terminal identity token to second-level application system A' over the secure transmission channel established in step 914;
Step 917: second-level application system A' provides service access to terminal a according to the terminal identity token.
The exemplary embodiments of the application have been described above with reference to the accompanying drawings. Those skilled in the art should appreciate that the above embodiments are examples given for illustrative purposes only and are not intended to be limiting. Any modifications, equivalent replacements and the like made within the teaching of the application and the scope of protection of the claims fall within the claimed scope of the application.

Claims (11)

1. A service access method based on WLAN access authentication, comprising:
during the WLAN access authentication procedure of a terminal, a WLAN portal server sends a first Cookie to the terminal that has passed WLAN access authentication;
when the terminal requests access to a service of an application system, the business authentication center associated with the application system determines from the first Cookie that the terminal has passed WLAN access authentication;
the associated business authentication center obtains a terminal identity token by means of the first Cookie;
the associated business authentication center sends the obtained terminal identity token to the application system; and
the application system provides service access to the terminal according to the terminal identity token.
2. The method of claim 1, wherein the first Cookie contains an access-authentication-passed flag and a terminal identifier.
3. The method of claim 2, wherein the terminal identifier contained in the first Cookie is encrypted.
4. The method of claim 2 or 3, wherein the step of the associated business authentication center obtaining the terminal identity token by means of the first Cookie comprises: the associated business authentication center obtains the terminal identifier from the first Cookie and, according to the terminal identifier, requests the second-level business authentication center to which the terminal belongs to provide the terminal identity token.
5. The method of claim 4, further comprising: after obtaining the terminal identifier from the first Cookie, the associated business authentication center stores the terminal identifier, allocates a terminal identifier index to it, and sends the terminal a second Cookie, containing the identifier of the associated business authentication center and the terminal identifier index, to replace the first Cookie.
6. The method of claim 2 or 3, wherein, if the associated business authentication center is a first-level business authentication center, the step of the associated business authentication center obtaining the terminal identity token by means of the first Cookie comprises: the associated business authentication center obtains the terminal identifier from the first Cookie and, according to the terminal identifier, requests the second-level business authentication center to which the terminal belongs to provide the terminal identity token;
if the associated business authentication center is a second-level business authentication center, the step of the associated business authentication center obtaining the terminal identity token by means of the first Cookie comprises: the associated business authentication center, via a first-level business authentication center, requests the second-level business authentication center to which the terminal belongs, as identified by the first Cookie, to provide the terminal identity token.
7. The method of claim 6, wherein, where the associated business authentication center is a second-level business authentication center, the step of the associated business authentication center obtaining the terminal identity token by means of the first Cookie comprises: the associated business authentication center sends the first Cookie to the first-level business authentication center; the first-level business authentication center obtains the terminal identifier from the first Cookie, requests, according to the terminal identifier, the second-level business authentication center to which the terminal belongs to provide the terminal identity token, and sends the terminal identity token and the terminal identifier to the associated business authentication center.
8. The method of claim 7, further comprising: after receiving the terminal identifier sent by the first-level business authentication center, the associated business authentication center stores the terminal identifier, allocates a terminal identifier index to it, and sends the terminal a second Cookie, containing the identifier of the associated business authentication center and the terminal identifier index, to replace the first Cookie.
9. The method of claim 6, wherein, where the associated business authentication center is a second-level business authentication center, the step of the associated business authentication center obtaining the terminal identity token by means of the first Cookie comprises: the associated business authentication center obtains the terminal identifier from the first Cookie and sends it to the first-level business authentication center; the first-level business authentication center requests, according to the terminal identifier, the second-level business authentication center to which the terminal belongs to provide the terminal identity token, and sends the terminal identity token to the associated business authentication center.
10. The method of claim 9, further comprising: after obtaining the terminal identifier from the first Cookie, the associated business authentication center stores the terminal identifier, allocates a terminal identifier index to it, and sends the terminal a second Cookie, containing the identifier of the associated business authentication center and the terminal identifier index, to replace the first Cookie.
11. The method of claim 1, wherein the business authentication center can store terminal identity tokens and assign a corresponding terminal identity token number to each terminal identity token, and the step of the associated business authentication center sending the obtained terminal identity token to the application system further comprises:
the associated business authentication center sends the terminal identity token number to the application system;
the application system requests, via a secure transmission channel, that the associated business authentication center provide the corresponding terminal identity token according to the terminal identity token number.
CN200910169686.6A 2009-08-31 2009-08-31 WLAN access authentication based method for accessing services Expired - Fee Related CN101998407B (en)

Priority Applications (7)

Application Number Priority Date Filing Date Title
CN200910169686.6A CN101998407B (en) 2009-08-31 2009-08-31 WLAN access authentication based method for accessing services
EP10811116.2A EP2475194B1 (en) 2009-08-31 2010-08-31 Service access method, system and device based on wlan access authentication
US13/393,162 US20120198539A1 (en) 2009-08-31 2010-08-31 Service Access Method, System and Device Based on WLAN Access Authentication
PCT/CN2010/001327 WO2011022950A1 (en) 2009-08-31 2010-08-31 Service access method, system and device based on wlan access authentication
JP2012525856A JP2013503514A (en) 2009-08-31 2010-08-31 Service access method, system and apparatus based on WLAN access authentication
KR1020127008361A KR101442136B1 (en) 2009-08-31 2010-08-31 Service access method, system and device based on wlan access authentication
RU2012108415/08A RU2573212C2 (en) 2009-08-31 2010-08-31 Method of accessing services, systems and devices based on wlan access authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200910169686.6A CN101998407B (en) 2009-08-31 2009-08-31 WLAN access authentication based method for accessing services

Publications (2)

Publication Number Publication Date
CN101998407A true CN101998407A (en) 2011-03-30
CN101998407B CN101998407B (en) 2014-07-02

Family

ID=43787783

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910169686.6A Expired - Fee Related CN101998407B (en) 2009-08-31 2009-08-31 WLAN access authentication based method for accessing services

Country Status (1)

Country Link
CN (1) CN101998407B (en)

Also Published As

Publication number Publication date
CN101998407B (en) 2014-07-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140702

Termination date: 20210831