Summary of the invention
To solve the problem, the present invention first proposes a secure login method for a safe and reliable Wi-Fi hotspot.
Another object of the present invention is to propose a secure login system for a safe and reliable Wi-Fi hotspot.
To solve the technical problems described above, the technical scheme of the present invention is as follows:
A secure login method for Wi-Fi hotspots. The method involves a server SVR located on the Internet, multiple hotspots {AP1, AP2, ..., APj, ...} that provide a personal or enterprise login mode, and multiple terminals {M1, M2, ..., Mi, ...} equipped with a WiFi network interface and a mobile network interface (such as 3G, 4G, etc.). A user can access the Internet by logging in to a nearby hotspot through the WiFi network interface of the terminal, and can also access the Internet through the mobile network interface of the terminal.
In the described login method, information is exchanged between any two of the user, the hotspot and the server through a session between the two. At the start of a session, the two communicating parties verify each other's identity and generate a session credential for each other; this credential is used to sign the information exchanged during the session. A user can use multiple terminals to set up multiple sessions with the server or a hotspot, and multiple users can each set up a session with the server or a hotspot through one terminal.
The secure login method for Wi-Fi hotspots specifically comprises:
(1) The user registers a user account on the server through the terminal, and the user registers an account for a hotspot on the server through the terminal;
The process by which a user registers a user account on the server through a terminal is: user Alice sends a request to register a user account to the server through terminal Mi; the server registers the account for user Alice and returns the registration result to terminal Mi;
The process by which a user registers a hotspot account on the server through a terminal is: user Alice sends a request to register a hotspot account to the server through terminal Mi; the server generates the label of hotspot APj and registers an account for APj, then returns the registration result to terminal Mi, the result containing the label of hotspot APj;
(2) User Alice requests to log in to a hotspot through a terminal; the detailed process is as follows:
(21) User Alice obtains information about nearby hotspots through terminal Mi and generates a hotspot list; user Alice checks the information of the nearby hotspots according to the hotspot list and selects hotspot APj;
(22) The terminal chooses to perform a personal or enterprise login according to the login mode provided by hotspot APj;
In the described personal login process, user Alice, hotspot APj and the server are pairwise in session, the server and hotspot APj jointly hold a pre-shared key PSK, and the process by which user Alice requests to log in to hotspot APj through terminal Mi is as follows:
(201) Hotspot APj generates a random number Anonce and sends the first handshake message to terminal Mi;
(202) Terminal Mi forwards the first handshake message of hotspot APj to the server;
(203) The server verifies whether at least one of all the owners of hotspot APj is user Alice or one of her contacts; if the verification passes, jump to step (204), otherwise terminate the login request of user Alice;
(204) The server generates a random number Bnonce and uses the pre-shared key PSK to generate a temporary key PTK, then encrypts Bnonce and PTK with the password of user Alice and sends the ciphertext to terminal Mi;
(205) Terminal Mi decrypts the ciphertext with the password of user Alice to obtain the random number Bnonce and the temporary key PTK, then sends the second handshake message to hotspot APj;
(206) Hotspot APj uses the pre-shared key PSK to generate a temporary key PTK and verifies whether the locally generated PTK is identical to the PTK of the terminal; if identical, jump to step (207), otherwise terminate the login request of user Alice;
(207) Hotspot APj and terminal Mi perform the third and fourth handshake communication steps of the 4-Way Handshake protocol of the traditional WPA personal and enterprise login modes to complete the process of the terminal logging in to the hotspot;
In the described enterprise login process, user Alice, hotspot APj and the server are pairwise in session, and the process by which user Alice logs in to hotspot APj through terminal Mi is as follows:
(211) User Alice sends an authentication request to hotspot APj through terminal Mi;
(212) Hotspot APj forwards the authentication request of user Alice to the server;
(213) The server and user Alice verify each other's identity and also verify whether the label of hotspot APj known to each of them matches; if the verification passes, jump to step (214), otherwise terminate the login request of user Alice;
(214) The server verifies whether at least one of all the owners of hotspot APj is user Alice or one of her contacts; if the verification passes, jump to step (215), otherwise terminate the login request of user Alice;
(215) The server and terminal Mi negotiate so that each generates a master key PMK, and then the server sends the master key PMK to hotspot APj;
(216) Hotspot AP1 and terminal M1 perform the handshake communication process of the 4-Way Handshake protocol of the traditional WPA personal and enterprise login modes to complete the process of the terminal logging in to the hotspot.
When registering a user account, user Alice needs to submit essential information such as the user's account, password and nickname to the server SVR, and can also submit other information such as the user's gender, age and contact details as required; the user account is globally unique.
When registering a hotspot account, user Alice needs to submit essential information such as the hotspot's account, password and pre-shared key PSK to the server SVR, and can also submit other information such as the hotspot's manufacturer as required; the hotspot account is globally unique.
Each user can register one or more hotspots on the server; this user is called the custodian of these hotspots. After a hotspot is registered successfully, the user can add one or more owners on the server for the hotspots they manage, and the custodian of a hotspot is also an owner of the hotspots they manage.
Preferably, in the described step (21), the detailed process by which user Alice obtains information about nearby hotspots through terminal Mi and generates the hotspot list is:
(21a) User Alice searches for the broadcast signals of nearby hotspots through terminal Mi and generates a hotspot list from the hotspot information obtained from the signals, such as the SSID and login mode;
(21b) Terminal Mi scans the hotspot list and extracts the hotspot label from the SSID of each hotspot in turn;
(21c) User Alice selects one or more hotspots from the hotspot list and sends a request to the server through terminal Mi to obtain hotspot information, the request containing the labels of these hotspots;
(21d) The server queries the owner accounts, owner numbers, owner nicknames and other information of the relevant hotspots according to the hotspot labels and returns the query result to terminal Mi; the owner number is a character string generated by the system to distinguish the different owners of the same hotspot.
Preferably, in the described step (21d), the server checks in turn whether each owner of the relevant hotspot is Alice or one of her contacts; if so, the server sends the owner's account to the terminal, otherwise the server sends the owner's number to the terminal; the owner number is a character string generated by the system to distinguish the different owners of the same hotspot.
Preferably, in the described login method, a hotspot that initially adopts the enterprise login mode can automatically switch to the personal login mode, as follows: if the hotspot detects that the communication between itself and the server is congested, for example according to parameters such as delay and packet loss, it switches to the personal login mode; otherwise it maintains or switches back to the enterprise login mode.
Preferably, while users Alice and Bob are in session with the server, the process by which user Alice requests the server through a terminal to add Bob, an owner of hotspot APj, as a contact is as follows:
(1a) User Alice selects hotspot APj from the hotspot list of terminal Mi and selects one owner from all the owners of hotspot APj who are not her contacts, then sends a request to the server through terminal Mi to add this owner as a contact, the request containing the label of hotspot APj and the number of the owner;
(1b) The server uses the label of hotspot APj and the owner number received in step (1a) to learn that this owner is Bob, and then forwards the request of user Alice to the terminal Mj used by user Bob;
(1c) If user Bob refuses to add user Alice as a contact, the process of Alice requesting to add Bob as a contact is terminated; otherwise jump to step (1d);
(1d) User Bob sends a message to the server agreeing to establish a contact relationship with user Alice;
(1e) The server establishes the contact relationship between users Alice and Bob and sends a message that the contact relationship has been established successfully to terminals Mi and Mj respectively, where i ≠ j.
Preferably, while users Alice and Bob are in session with the server, the process by which user Alice requests the server through terminal Mi to delete contact Bob is as follows:
(1) User Alice sends a request to delete contact Bob to the server through terminal Mi;
(2) The server removes the contact relationship between users Alice and Bob and sends a message that the contact relationship has been removed successfully to terminal Mi and to the terminal Mj used by user Bob respectively, where i ≠ j.
Preferably, the hotspot label is a character string generated by the server to distinguish different hotspots, and the hotspot label is globally unique; the label of a hotspot and a CSSID (customized service set identifier) together form the SSID of the hotspot, where the CSSID is a user-defined character string, and the CSSIDs of different hotspots may be identical or different.
A secure login system for Wi-Fi hotspots, the system comprising a server, multiple hotspots that provide a personal or enterprise login service, and multiple terminals for users.
The server comprises:
a server user registration unit, which registers users;
a server hotspot registration unit, which registers hotspots;
a server contact management unit, which adds and deletes contacts;
a server session management unit, which establishes, maintains and logs off sessions between the server and hotspots or users;
a server identity authentication unit, which mutually verifies identity with users or hotspots during sessions and during login requests;
a server authentication communication unit, which carries out authentication communication with users during login requests;
a server handshake communication unit, which carries out handshake communication with hotspots and terminals during login requests;
a server data management unit, which processes the contents of the server data tables, including searching, adding, deleting and updating;
a server message transceiving unit, which sends and receives messages exchanged with hotspots or terminals;
The server handshake communication unit specifically comprises:
a server key management module, which stores, generates and distributes pre-shared keys, master keys and temporary keys as required;
a server key encryption module, which encrypts temporary keys;
a server random number generation module, which generates random numbers;
The hotspot comprises:
a hotspot signal broadcasting unit, which broadcasts hotspot information such as the SSID and login mode;
a hotspot session management unit, which establishes, maintains and logs off sessions between the hotspot and the server or users;
a hotspot identity authentication unit, which mutually verifies identity with the server or users during sessions;
a hotspot handshake communication unit, which carries out handshake communication with users and the server during login requests;
a hotspot data management unit, which processes the contents of the hotspot data tables, including searching, adding, deleting and updating;
a hotspot message transceiving unit, which sends and receives messages exchanged with the server or terminals;
a hotspot login mode switching unit, which maintains or switches the login mode of the hotspot according to the communication status with the server;
The hotspot handshake communication unit specifically comprises:
a hotspot key management module, which stores and generates pre-shared keys, master keys and temporary keys as required;
a hotspot random number generation module, which generates random numbers;
a hotspot integrity code generation module, which generates integrity codes;
The terminal for the user comprises:
a terminal signal search unit, which searches for the signals broadcast by nearby hotspots;
a terminal label extraction unit, which extracts labels from the SSIDs of the nearby hotspots found;
a terminal user registration unit, which requests user registration;
a terminal hotspot registration unit, which requests hotspot registration;
a terminal contact management unit, which requests the addition and deletion of contacts;
a terminal session management unit, which establishes, maintains and logs off sessions between the user and the server or hotspots;
a terminal identity authentication unit, which mutually verifies identity with the server or hotspots during sessions and during login requests;
a terminal authentication communication unit, which carries out authentication communication with the server during login requests;
a terminal handshake communication unit, which carries out handshake communication with hotspots and the server during login requests;
a terminal data management unit, which processes the contents of the terminal data tables, including searching, adding, deleting and updating;
a terminal message transceiving unit, which sends and receives messages exchanged with the server or hotspots;
The terminal handshake communication unit specifically comprises:
a terminal key management module, which stores and generates pre-shared keys, master keys and temporary keys as required;
a terminal key decryption module, which decrypts temporary keys;
a terminal random number generation module, which generates random numbers;
a terminal integrity code generation module, which generates integrity codes.
Compared with the prior art, the present invention embeds a globally unique label in the SSID of the hotspot; the server uses this label as the key clue for querying the descriptive information of the hotspot, and the user identifies nearby hotspots from the hotspot description information sent by the server. A contact relationship is established between the user requesting to log in to a hotspot and the owner of the hotspot, so that the user can use the account and password registered on the server to log in to all hotspots of which the user or one of the user's contacts is an owner. The server located on the Internet maintains the pre-shared key and uses it to generate the temporary key needed by the user in the personal login mode, and the terminal used by the user carries out handshake communication with the hotspot using the temporary key distributed by the server, reducing the possibility of the pre-shared key being leaked or cracked. The user can use the account and password registered on the server to log in to hotspots operating under any login mode, a hotspot can switch between the different login modes arbitrarily as required, and the whole switching process is transparent to the user. The present invention is compatible with the relevant IEEE 802.11 standard protocols, is easy to implement, and has high security.
The beneficial effects of the present invention are: easy operation, since the user can quickly log in through the terminal to all hotspots of which the user or one of the user's contacts is an owner, and the whole login process is highly automated.
Ease of use: the user logs in to hotspots operating under any login mode with the account and password registered on the server, a hotspot can switch between the different login modes arbitrarily as required, and the whole switching process is transparent to the user.
Safety and reliability: in the personal login mode, the server located on the Internet uses the pre-shared key to generate the temporary key needed by the user requesting to log in to the hotspot, and it is difficult for a third party to obtain and crack the pre-shared key held at the server; a globally unique label is embedded in the SSID of the hotspot, and the server verifies the authenticity of the hotspot requested by the user according to the label.
Embodiment
The present invention is further described below in conjunction with the accompanying drawings, but the embodiments of the present invention are not limited to these.
As shown in Figure 1, the terminal M1 of user Alice is located within the wireless and mobile signal coverage of hotspot AP1 and base station BS1, the terminal M2 of user Bob is located within the signal coverage of hotspot AP2 and base station BS2, Bob is an owner of hotspot AP1, and none of the owners of AP1 is Alice or one of her contacts.
In the described login method, while users Alice and Bob are in session with the server SVR, the process by which Alice requests SVR through terminal M1 to add Bob, an owner of hotspot AP1, as a contact is as follows:
(1) User Alice selects hotspot AP1 from the hotspot list of terminal M1 and selects one owner from all the owners of AP1 who are not her contacts, then sends a request to server SVR through M1 to add this owner as a contact, the request containing the label of AP1 and the number of the owner;
(2) Server SVR uses the label of AP1 and the owner number received in step (1) to learn that this owner is Bob, and then SVR forwards the request of user Alice to the terminal M2 used by user Bob;
(3) If user Bob refuses to add user Alice as a contact, the process of Alice requesting to add Bob as a contact is terminated;
(4) User Bob sends a message to server SVR agreeing to establish a contact relationship with user Alice;
(5) Server SVR establishes the contact relationship between users Alice and Bob and sends a message that the contact relationship has been established successfully to terminals M1 and M2 respectively.
In the described login method, while users Alice and Bob are in session with the server SVR, the process by which Alice requests server SVR through terminal M1 to delete contact Bob is as follows:
(1) User Alice sends a request to delete contact Bob to server SVR through terminal M1;
(2) Server SVR removes the contact relationship between users Alice and Bob and sends a message that the contact relationship has been removed successfully to terminals M1 and M2 respectively.
In the described login method, the process by which user Alice requests to log in to hotspot AP1 through terminal M1 is as follows:
(1) User Alice checks the information of the nearby hotspots in the hotspot list of terminal M1 and selects hotspot AP1;
(2) Terminal M1 chooses to perform the personal or enterprise login process according to the login mode provided by hotspot AP1.
In the described personal login process, user Alice, hotspot AP1 and server SVR are pairwise in session, SVR and AP1 jointly hold a pre-shared key PSK, and the process by which Alice requests to log in to AP1 through terminal M1 is as follows:
(1) Hotspot AP1 sends the first handshake message to terminal M1;
(2) Terminal M1 forwards the first handshake message of hotspot AP1 to server SVR;
(3) Server SVR verifies whether at least one of all the owners of hotspot AP1 is Alice or one of her contacts; if the verification fails, the login request of Alice is terminated;
(4) Server SVR uses the pre-shared key PSK to generate a temporary key PTK, then encrypts the PTK with the password of user Alice and sends the ciphertext to M1;
(5) Terminal M1 decrypts the ciphertext with the password of Alice to obtain the temporary key PTK, then sends the second handshake message to hotspot AP1;
(6) Hotspot AP1 uses the pre-shared key PSK to generate a temporary key PTK and verifies whether the locally generated PTK is identical to the PTK of the terminal; if not, the login request of Alice is terminated;
(7) Hotspot AP1 and terminal M1 perform the third and fourth handshake communication steps of the 4-Way Handshake protocol of the traditional WPA personal and enterprise login modes to complete the process of the terminal logging in to the hotspot.
In steps (2) and (4) of the above process, terminal M1 and server SVR exchange messages via hotspot AP1 through the WiFi network interface of M1; they can also exchange messages through the mobile network interface of M1.
As shown in Figures 3 and 4, unlike the traditional WPA personal login mode, the personal login process of the present invention keeps the PSK at the server side and sends the generated PTK to the terminal, instead of keeping the PSK in the terminal and generating the PTK there.
In the described enterprise login process, user Alice, hotspot AP1 and server SVR are pairwise in session, and the process by which Alice logs in to AP1 through terminal M1 is as follows:
(1) User Alice sends an authentication request to hotspot AP1 through terminal M1;
(2) Hotspot AP1 forwards the authentication request of user Alice to server SVR;
(3) Server SVR and user Alice verify each other's identity and also verify whether the label of AP1 known to each of them matches; if the verification fails, the login request of Alice is terminated;
In this step, hotspot AP1 and server SVR are in session, so SVR knows the account and the label of AP1; the label of AP1 known to Alice is obtained from the SSID of AP1 that M1 found in its search.
(4) Server SVR verifies whether at least one of all the owners of hotspot AP1 is Alice or one of her contacts; if the verification fails, the process of Alice requesting to log in to hotspot AP1 is terminated;
(5) Server SVR and terminal M1 negotiate so that each generates a master key PMK, then SVR sends the PMK to hotspot AP1;
In this step, server SVR and terminal M1 need to relay their communication through hotspot AP1 to negotiate the generation of the PMK; after this step is completed, terminal M1 and hotspot AP1 both hold the PMK.
(6) Hotspot AP1 and terminal M1 perform the handshake communication process of the 4-Way Handshake protocol of the traditional WPA personal and enterprise login modes to complete the process of the terminal logging in to the hotspot.
In the described login method, hotspot AP1, which initially adopts the enterprise login mode, can automatically switch to the personal login mode, as follows:
(1) If hotspot AP1 detects that the communication between itself and server SVR is congested, for example according to parameters such as delay and packet loss, it switches to the personal login mode; otherwise it maintains or switches back to the enterprise login mode.
In the above embodiment, users and terminals are in a one-to-one relationship, that is, each user uses only one terminal and each terminal belongs to only one user. Hereinafter, "user terminal" and "terminal user" are used to denote a terminal and a user that satisfy this correspondence, respectively.
In the above embodiment, the data tables of the server, hotspot and user terminal are as shown in Figure 5 and are described in detail as follows:
The data tables D10 of the server comprise:
User table D101: records the information of all users, comprising fields such as {user account, user password, user nickname, other user information}; the user account is globally unique.
Hotspot table D102: records the information of all hotspots, comprising fields such as {hotspot account, hotspot password, hotspot label, hotspot owner account, hotspot owner number, hotspot owner nickname, other hotspot information}; the hotspot account is globally unique, the numbers of the different owners of the same hotspot are different, and the hotspot owner account, number and nickname fields contain the account, number and nickname information of all the owners of the hotspot.
Contact table D103: records the contact information of all users, comprising fields such as {user account, contact account, contact nickname, other contact information}.
User session table D104: records the session information between the server and terminal users, comprising fields such as {session number, session start time, session end time, session status, session credential, user account}; the session number is globally unique.
Hotspot session table D105: records the session information between the server and hotspots, comprising fields such as {session number, session start time, session end time, session status, session credential, hotspot account}; the session number is globally unique.
Contact event table D106: records the information of pending events for establishing contact relationships, comprising fields such as {event number, source user account, target user account}; the event number is globally unique.
The data tables D20 of the hotspot comprise:
Hotspot table D201: records the information of the hotspot, comprising fields such as {hotspot account, hotspot password, hotspot SSID, hotspot MAC address, hotspot login mode, other hotspot information}.
User session table D202: records the session information between the hotspot and terminal users, comprising fields such as {session number, session start time, session end time, session status, session credential, user account}.
Server session table D203: records the session information between the hotspot and the server, comprising fields such as {session number, session start time, session end time, session status, session credential}.
The data tables D30 of the user terminal comprise:
User table D301: records the information of the terminal user, comprising fields such as {user account, user password, user nickname, other user information}.
Hotspot table D302: records the information of nearby hotspots, comprising fields such as {hotspot label, hotspot login mode, hotspot owner account, hotspot owner nickname, hotspot owner number, other hotspot information}.
Contact table D303: records the information of the contacts of the terminal user, comprising fields such as {contact account, contact nickname, other contact information}.
Hotspot session table D304: records the session information between the terminal user and hotspots, comprising fields such as {session number, session start time, session end time, session status, session credential, hotspot label}.
Server session table D305: records the session information between the terminal user and the server, comprising fields such as {session number, session start time, session end time, session status, session credential}.
The system can generate hotspot labels using, but not limited to, the following methods: assigning each hotspot a unique random number as its label, or using the MAC address of the hotspot as its label. In the present embodiment, hotspots are numbered from 1 in the order of registration and this number is used as the label of the hotspot. As shown in Figure 2, the SSID of a hotspot is "WiFi-Bob@1000", the label and the CSSID of the hotspot are "1000" and "WiFi-Bob" respectively, and the reserved character "@" is the separator.
As shown in Figure 1, the user terminal M1 of terminal user Alice is located within the signal coverage of hotspot AP1 and base station BS1, the user terminal M2 of terminal user Bob is located within the signal coverage of hotspot AP2 and base station BS2, Bob is an owner of hotspot AP1, and none of the owners of hotspot AP1 is Alice or one of her contacts.
In the above embodiment, the steps of the process S10 by which Alice registers a user account on server SVR through user terminal M1 are as follows:
S101: Alice sends a request to register a user account to server SVR through user terminal M1.
S102: Server SVR sends a request to user terminal M1 to submit registration information.
S103: Alice submits the registration information to server SVR through user terminal M1; the content of the information comprises {Alice's account, Alice's password, Alice's nickname, other information of Alice}.
S104: Server SVR registers a user account for Alice and sends a message of successful registration to user terminal M1.
S105: User terminal M1 updates the state of Alice.
S106: End.
In the above embodiment, while terminal user Alice is in session with server SVR, the steps of the process S20 by which Alice registers hotspot AP2 on SVR through user terminal M1 are as shown in Figure 6:
S201: Alice sends a request to register a hotspot account to server SVR through user terminal M1.
S202: Server SVR sends a request to user terminal M1 to submit registration information.
S203: Alice submits the registration information to server SVR through user terminal M1; the content of the information comprises {AP2's account, AP2's password, AP2's pre-shared key PSK, other information of AP2}.
S204: Server SVR registers a hotspot account for hotspot AP2 and sends a message of successful registration to user terminal M1.
S205: End.
In the above embodiment, while terminal user Alice is in session with server SVR, the steps of the process S30 by which Alice obtains information about nearby hotspots through user terminal M1 are as shown in Figure 7:
S301: Alice searches for the broadcast signals of nearby hotspots through user terminal M1 and generates the hotspot table.
S302: User terminal M1 extracts the hotspot label from the SSID field of hotspot AP1.
S303: Alice sends a request to obtain the information of hotspot AP1 to server SVR through user terminal M1; the content of the request comprises {label of AP1}.
S304: Server SVR sends the information of hotspot AP1 to user terminal M1; the content of the information comprises {label of AP1, owner accounts of AP1, owner numbers of AP1, owner nicknames of AP1, other information of AP1}.
In this step, server SVR queries the information of hotspot AP1 according to the label of AP1 received in step S303 and checks in turn whether each owner of AP1 is a contact of Alice; if so, the account of that owner is sent to user terminal M1, otherwise the number of that owner is sent to M1.
S305: User terminal M1 updates the hotspot table.
S306: End.
In the above embodiment, while terminal users Alice and Bob are in session with server SVR, the steps of the process S40 by which Alice requests SVR through user terminal M1 to add Bob, an owner of hotspot AP1, as a contact are as shown in Figure 8:
S401: Alice selects hotspot AP1 from the hotspot table and selects one owner from all the owners of AP1 who are not her contacts, then sends a request to server SVR through user terminal M1 to add this owner as a contact; the content of the request comprises {label of AP1, number of the owner}.
S402: Server SVR obtains the account of the owner from the label of AP1 and the number of the owner and learns that it is Bob, then SVR sends a request to add Alice as a contact to Bob's user terminal M2; the content of the request comprises {event number, Alice's account}.
In this step, server SVR adds a record for this contact request to the contact event table.
S403: If Bob agrees to add Alice as a contact, user terminal M2 sends a message to server SVR agreeing to establish a contact relationship with Alice; the content of the message comprises {event number}; otherwise jump to step S406.
S404: Server SVR sends a message that the contact relationship has been established successfully to user terminals M1 and M2 respectively; the contents of the messages are {Bob's account} and {Alice's account} respectively.
In this step, server SVR deletes the corresponding record from the contact event table.
S405: User terminals M1 and M2 update their contact tables.
S406: End.
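The label extraction of step S302 (SSID format of Figure 2), the owner-visibility rule of step S304 and the contact request flow S401-S404, as an added Python model that is not code from the patent; the in-memory tables, the `label-n` owner numbering and the message dictionaries are assumptions made for the example.

```python
import itertools

SEPARATOR = "@"   # reserved character between CSSID and label (Figure 2: "WiFi-Bob@1000")


def split_ssid(ssid: str):
    """Step S302: split a broadcast SSID into (CSSID, hotspot label).

    '@' is reserved as the separator, so a valid SSID contains it exactly once
    and the label part is non-empty; anything else carries no usable label."""
    cssid, sep, label = ssid.partition(SEPARATOR)
    if not sep or not label or SEPARATOR in label:
        raise ValueError(f"SSID {ssid!r} carries no hotspot label")
    return cssid, label


class Server:
    """Subset of server tables D101/D102 (users, hotspots), D103 (contacts), D106 (contact events)."""

    def __init__(self):
        self.hotspots = {}          # label -> {"cssid": str, "owners": {owner number: account}}
        self.nicknames = {}         # account -> nickname
        self.contacts = {}          # account -> set of contact accounts
        self.events = {}            # event number -> (source account, target account)
        self._event_ids = itertools.count(1)

    def register_hotspot(self, label, cssid, custodian):
        # the custodian is automatically an owner; owner numbers are opaque strings unique per hotspot
        self.hotspots[label] = {"cssid": cssid, "owners": {}}
        self.add_owner(label, custodian)

    def add_owner(self, label, account):
        owners = self.hotspots[label]["owners"]
        owners[f"{label}-{len(owners) + 1}"] = account   # constructed numbering scheme

    def is_contact(self, a, b):
        return b in self.contacts.get(a, set())

    def hotspot_info(self, requester, label):
        """Step S304: for each owner, disclose the account only when the owner is the
        requester or one of the requester's contacts; otherwise disclose only the number."""
        entries = []
        for number, account in self.hotspots[label]["owners"].items():
            entry = {"nickname": self.nicknames.get(account, "")}
            if account == requester or self.is_contact(requester, account):
                entry["account"] = account
            else:
                entry["number"] = number
            entries.append(entry)
        return {"label": label, "owners": entries}

    def login_authorized(self, requester, label):
        # steps (203)/(214): at least one owner is the requester or one of the requester's contacts
        return any(a == requester or self.is_contact(requester, a)
                   for a in self.hotspots[label]["owners"].values())

    def request_add_contact(self, requester, label, number):
        """S401/S402: resolve (label, owner number) to the owner's account, record a pending
        event in the event table and return the message forwarded to the owner's terminal."""
        target = self.hotspots[label]["owners"][number]
        event = next(self._event_ids)
        self.events[event] = (requester, target)
        return {"event": event, "account": requester}

    def respond_to_contact_request(self, event, accept):
        """S403/S404: on acceptance the relationship is stored in both directions and the
        event record is deleted; on refusal only the event record is deleted."""
        source, target = self.events.pop(event)
        if not accept:
            return None
        self.contacts.setdefault(source, set()).add(target)
        self.contacts.setdefault(target, set()).add(source)
        return {"to_source": {"account": target}, "to_target": {"account": source}}

    def delete_contact(self, requester, account):
        # S502: the relationship is removed in both directions
        self.contacts.get(requester, set()).discard(account)
        self.contacts.get(account, set()).discard(requester)


def demo():
    """Constructed run of Figure 1: Bob owns AP1 (SSID 'WiFi-Bob@1000'); Alice is not yet his contact."""
    srv = Server()
    srv.nicknames.update({"alice": "Alice", "bob": "Bob"})
    cssid, label = split_ssid("WiFi-Bob@1000")
    srv.register_hotspot(label, cssid, custodian="bob")

    before = srv.hotspot_info("alice", label)                    # Alice sees only an owner number
    number = before["owners"][0]["number"]
    forwarded = srv.request_add_contact("alice", label, number)  # message to Bob's terminal M2
    srv.respond_to_contact_request(forwarded["event"], accept=True)
    after = srv.hotspot_info("alice", label)                     # Bob's account is now disclosed
    return before, after, srv.login_authorized("alice", label)
```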
In the above embodiment, while terminal users Alice and Bob are in session with server SVR, the steps of the process S50 by which Alice requests SVR through user terminal M1 to delete contact Bob are as shown in Figure 9:
S501: Alice sends a request to delete contact Bob to server SVR through terminal M1; the content of the request comprises {Bob's account}.
S502: Server SVR removes the contact relationship between Alice and Bob and sends a message that the contact relationship has been removed successfully to user terminals M1 and M2; the content of the message comprises {Bob's account, Alice's account}.
S503: User terminals M1 and M2 update their contact tables.
S504: End.
In the above embodiment, the steps of the process S60 by which terminal user Alice requests to log in to hotspot AP1 are as shown in Figure 10:
S601: Alice selects hotspot AP1 from the hotspot table of user terminal M1.
S602: If AP1 currently provides the personal login service, the personal login process S70a is invoked; otherwise the enterprise login process S70b is invoked.
S603: End.
Alice logs in the step of the individual login process S70a of AP1 as shown in figure 11 by user terminal M1, during wherein terminal use Alice, focus AP1 and server S VR are in session between two, server S VR and focus AP1 holds wildcard PSK jointly:
S701a: focus AP1 generates a random number Anonce and sends the first handshake information to terminal M1, and the content of message comprises { MAC Address of random number Anonce, AP1 }.
First handshake information of S702a: terminal M1 to server S VR forwarding focus AP1, the content of message comprises { MAC Address of random number Anonce, AP1, the MAC Address of M1, the label of AP1 }.
In this step, terminal M1 can forward handshake information via focus AP1 to server S VR by WiFi network interface, also can come to forward handshake information to SVR by mobile network's interface accessing Internet.Here, terminal M1 forwards handshake information via focus AP1 to server S VR by WiFi network interface.
Whether S703a: server S VR checking has one at least for Alice or its contact person in all owners of focus AP1; If not, then step S708a is jumped to.
S704a: server S VR generates random number Bnonce and temporary key PTK.
In this step, server S VR uses { PSK, the MAC Address of random number Anonce, AP1, the MAC Address of random number Bnonce, M1 } to calculate a temporary key PTK.
The ciphertext of random number Bnonce and PTK is sent to terminal M1 with the password encryption temporary key PTK of user Alice by S705a: server S VR, and the content of message is { random number Bnonce, the ciphertext of temporary key PTK, the label of AP1 }.
In this step, if terminal M1 sends handshake information by WiFi network interface to SVR in step S702a, then SVR is via the WiFi network interface forwarding messages of focus AP1 to M1; Otherwise SVR sends message to mobile network's interface of M1.Here, SVR forwards PTK via AP1 to M1.
In this step, terminal M1 deciphers the ciphertext of the PTK received with the password of user Alice.
S706a: terminal M1 generates an Integrity Code Amic and sends the second handshake information to focus AP1, and the content of message comprises { MAC Address of random number Bnonce, M1, Integrity Code Amic }.
S707a: focus AP1 and terminal M1 third and fourth handshake communication continued in the 4-Way Handshake communication process of WPA complete terminal and log in the process of focus.
S708a: return.
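The exchange of S701a to S707a carried through by all three parties, as an added example in Python that is not the patent's own code. The page names neither the key derivation of S704a, the cipher that protects the PTK under Alice's password in S705a, nor the algorithm behind the integrity code of S706a; this example assumes an HMAC-SHA256 counter-mode KDF with WPA-style operand ordering for the PTK, PBKDF2 plus an HMAC keystream with encrypt-then-MAC for the password protection, and HMAC-SHA256 keyed with the first 16 bytes of PTK for Amic. The PSK, the registered password, the MAC addresses and the `authorized` set (which stands in for the result of the S703a check) are all constructed.

```python
"""Individual login process S70a as a worked message exchange (added example)."""
import hashlib
import hmac
import os

# Constructed values: the PSK is held by SVR and AP1 only (the terminal never sees it),
# and the account table is the server's registered-password store.
PSK = b"ap1-pre-shared-key-known-to-ap-and-server-only"
REGISTERED_PASSWORDS = {"alice": "correct horse battery"}
PTK_LEN = 48


def derive_ptk(psk, anonce, ap_mac, bnonce, sta_mac):
    """S704a/S707a: PTK from {PSK, Anonce, AP MAC, Bnonce, M1 MAC}.

    HMAC-SHA256 counter-mode KDF (assumed); operands are ordered min/max as in the
    WPA PTK derivation so that AP1 and SVR agree regardless of argument order.
    """
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, bnonce) + max(anonce, bnonce)
    out = b""
    for i in range((PTK_LEN + 31) // 32):
        out += hmac.new(psk, b"Pairwise key expansion" + bytes([i]) + data, hashlib.sha256).digest()
    return out[:PTK_LEN]


def _password_keys(password, salt):
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, 64)
    return k[:32], k[32:]  # (encryption key, MAC key)


def _keystream(key, salt, length):
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, salt + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal_with_password(password, plaintext):
    """S705a, server side: protect the PTK under Alice's password (encrypt-then-MAC, assumed)."""
    salt = os.urandom(16)
    enc_key, mac_key = _password_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, salt, len(plaintext))))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag


def open_with_password(password, blob):
    """S705a, terminal side: check the tag first; returns None if the password is wrong."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _password_keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, salt, len(ct))))


def mic(ptk, message):
    """S706a: Amic over handshake message 2, keyed with the first 16 bytes of PTK (the KCK)."""
    return hmac.new(ptk[:16], message, hashlib.sha256).digest()


def run_s70a(user, typed_password, authorized, ap_mac, sta_mac, ap_label="AP1"):
    """Run S701a-S706a and AP1's check of message 2. Returns (accepted, reason).

    `authorized` stands for the outcome of the S703a owner-or-contact check.
    """
    # S701a: AP1 -> M1, first handshake message
    anonce = os.urandom(32)
    msg1 = {"anonce": anonce, "ap_mac": ap_mac}
    # S702a: M1 -> SVR (here via AP1), adding its own MAC and the hotspot label
    fwd = dict(msg1, sta_mac=sta_mac, label=ap_label)
    # S703a: SVR refuses users who are neither an owner nor an owner's contact
    if user not in authorized:
        return False, "S708a: owner/contact check failed"
    # S704a: SVR generates Bnonce and derives PTK with the PSK it shares with AP1
    bnonce = os.urandom(32)
    ptk_srv = derive_ptk(PSK, fwd["anonce"], fwd["ap_mac"], bnonce, fwd["sta_mac"])
    # S705a: SVR -> M1 {Bnonce, E_password(PTK), label}; M1 decrypts with the typed password
    msg_srv = {"bnonce": bnonce, "ptk_ct": seal_with_password(REGISTERED_PASSWORDS[user], ptk_srv),
               "label": fwd["label"]}
    ptk_sta = open_with_password(typed_password, msg_srv["ptk_ct"])
    if ptk_sta is None:
        return False, "terminal could not decrypt PTK (wrong password)"
    # S706a: M1 -> AP1, second handshake message carrying Amic
    msg2 = {"bnonce": msg_srv["bnonce"], "sta_mac": sta_mac}
    msg2["amic"] = mic(ptk_sta, msg2["bnonce"] + msg2["sta_mac"])
    # Start of S707a: AP1 derives the same PTK from its own PSK copy and verifies Amic
    ptk_ap = derive_ptk(PSK, anonce, ap_mac, msg2["bnonce"], msg2["sta_mac"])
    if not hmac.compare_digest(msg2["amic"], mic(ptk_ap, msg2["bnonce"] + msg2["sta_mac"])):
        return False, "AP1 rejected message 2"
    return True, "S707a: messages 3 and 4 proceed"
```

The property to observe is the one the method relies on: PSK appears only in the server's and the hotspot's derivation, and the terminal receives nothing but the per-session PTK under its own password. Bnonce plays the role of the supplicant nonce of the WPA 4-way handshake, except that it is chosen by SVR rather than by the terminal; a wrong password fails closed at the terminal because the tag is checked before decryption, and an unauthorized user is refused at S703a before any key material is produced.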
The steps of process S70b, in which Alice logs in to hotspot AP1 in enterprise login mode through terminal M1, are as shown in Figure 12; here end user Alice, hotspot AP1 and server SVR are pairwise in session:
S701b: Alice sends an authentication request to hotspot AP1 through user terminal M1; the request content comprises {account of Alice, SSID of AP1}.
S702b: Hotspot AP1 forwards Alice's authentication request to server SVR.
S703b: Server SVR and Alice mutually verify each other's identity; if verification fails, jump to step S708b.
In this step, depending on the authentication algorithm used, for example CHAP v2, several rounds of message exchange between user terminal M1 and server SVR via hotspot AP1 may be required.
S704b: Server SVR verifies that the SSID of hotspot AP1 sent by user terminal M1 is consistent with the label of hotspot AP1; if verification fails, jump to step S708b.
In this step, server SVR obtains the SSID of AP1 both from the authentication process with Alice and from its session with hotspot AP1, extracts the label of AP1 from each, and compares whether the two labels are identical.
S705b: Server SVR verifies that at least one of the owners of hotspot AP1 is Alice or one of her contacts; if not, jump to step S708b.
S706b: Server SVR and terminal M1 negotiate and each generate the master key PMK, then SVR sends the PMK to hotspot AP1.
S707b: Hotspot AP1 and terminal M1 perform the WPA 4-way handshake and complete the process of the terminal logging in to the hotspot.
S708b: Return.
In the above embodiment, the steps of process S80, in which hotspot AP1, initially in enterprise login mode, switches its login mode automatically, are as shown in Figure 13:
S801: Hotspot AP1 detects whether the communication between itself and server SVR is congested; if so, jump to step S803.
S802: Hotspot AP1 maintains, or switches back to, enterprise login mode; jump to step S804.
S803: Hotspot AP1 switches to individual login mode.
S804: End.
In the above embodiment, the system comprises a server M10, a plurality of hotspots M20 providing individual or enterprise login mode, and a plurality of user terminals M30. Figure 14 is a schematic diagram of the system modules, described in detail as follows:
Server M10 comprises: user registration unit M101, hotspot registration unit M102, relation management unit M103, session management unit M104, identity authentication unit M105, authentication communication unit M106, handshake communication unit M107, data management unit M108, and messaging unit M109.
Handshake communication unit M107 comprises: key management unit M107a, key encryption unit M107b, and random number generation unit M107c.
Hotspot M20 comprises: signal broadcast unit M201, session management unit M202, identity authentication unit M203, handshake communication unit M204, data management unit M205, messaging unit M206, and hotspot login mode switching unit M207.
Handshake communication unit M204 comprises: key management unit M204a, random number generation unit M204b, and integrity code generation unit M204c.
Terminal M30 comprises: signal search unit M301, label extraction unit M302, user registration unit M303, hotspot registration unit M304, relation management unit M305, session management unit M306, identity authentication unit M307, authentication communication unit M308, handshake communication unit M309, data management unit M310, and messaging unit M311.
Handshake communication unit M309 of the terminal comprises: key management unit M309a, key decryption unit M309b, random number generation unit M309c, and integrity code generation unit M309d.
User registration units M101 and M303 of server M10 and terminal M30 exchange information through messaging units M109 and M311 and perform the user registration process.
Hotspot registration units M102 and M304 of server M10 and terminal M30 exchange information through messaging units M109 and M311 and perform the hotspot registration process.
Signal broadcast unit M201 of hotspot M20 and signal search unit M301 of terminal M30 respectively broadcast and receive hotspot information.
Label extraction unit M302 of terminal M30 extracts the label from the SSIDs of nearby hotspots.
Relation management units M103 and M305 of server M10 and terminal M30 exchange information through messaging units M109 and M311 and perform the establishment and deletion of contact relationships and the synchronization of contact information.
Session management units M104, M202 and M306 of any two of server M10, hotspot M20 and terminal M30 exchange information through messaging units M109, M206 and M311 and perform the establishment, maintenance and termination of a session. At the start of a session, identity authentication units M105, M203 and M307 of the two communicating parties verify each other's identity.
Authentication communication units M106 and M308 of server M10 and terminal M30 exchange information through messaging units M109 and M311 to perform the authentication communication process when a login in enterprise mode is requested. In the authentication communication process, identity authentication units M105 and M307 of the two communicating parties verify each other's identity, and messaging unit M206 of hotspot M20 forwards the messages between server M10 and terminal M30. During a session and during the authentication communication of a hotspot login request, the user may use the same account and password to authenticate with the server, or may use two different accounts and passwords. In the present embodiment, the user uses the same account and password to authenticate with the server.
Handshake communication units M107, M204 and M309 of server M10, hotspot M20 and terminal M30 exchange information through messaging units M109, M206 and M311 and perform the handshake communication process.
In the individual login process, key management units M107a and M204a of server M10 and hotspot M20 generate the temporary key PTK from the pre-shared key PSK; key encryption unit M107b of server M10 then encrypts the PTK and sends the PTK ciphertext to terminal M30 through messaging unit M109, and key decryption unit M309b of terminal M30 decrypts it to obtain the PTK in plaintext.
In the enterprise login process, key management unit M107a of server M10 sends the master key PMK to hotspot M20 through messaging unit M109, and key management units M204a and M309a of hotspot M20 and terminal M30 generate the temporary key PTK from the PMK.
Random number generation units M107c, M204b and M309c of server M10, hotspot M20 and terminal M30 generate random numbers.
Integrity code generation units M204c and M309d of hotspot M20 and terminal M30 generate integrity codes.
Data management units M108, M205 and M310 of server M10, hotspot M20 and terminal M30 search, add, delete and update the relevant data tables. The data tables may be managed as text or in a database; in the present embodiment, the server, the hotspot and the terminal manage the relevant data tables in a database.
Hotspot login mode switching unit M207 of hotspot M20 monitors the communication conditions between the hotspot and the server in real time and switches or maintains the login mode of the hotspot according to the congestion of the communication.
In the present invention, the pre-shared key PSK of each hotspot is known only to that hotspot and the server and is never disclosed to users; a user cannot derive the pre-shared key PSK from the information obtained during use, and a user logs in to a hotspot working in either login mode with the account and password registered on the server. The proposed method effectively improves both the convenience and the security of user login to hotspots.