CN104735052A - WiFi hotspot secure login method and system - Google Patents


Info

Publication number: CN104735052A
Authority: CN (China)
Prior art keywords: hotspot, server, terminal, user, Alice
Legal status: Granted
Application number: CN201510043780.2A
Other languages: Chinese (zh)
Other versions: CN104735052B (en)
Inventors: 吴裔, 劳斌, 农革
Current assignee: Sun Yat Sen University
Original assignee: National Sun Yat Sen University
Events: application filed by National Sun Yat Sen University; priority to CN201510043780.2A; publication of CN104735052A; application granted; publication of CN104735052B; legal status active

Classifications

H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 ... for authentication of entities
    • H04L63/06 ... for supporting key management in a packet data network
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or protocols whereby a shared secret becomes available to two or more parties for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment in which a shared key is derived by the parties as a function of information contributed by, or associated with, each of them

Abstract

The invention provides a WiFi hotspot secure login method and system. A globally unique label is embedded in the SSID of each hotspot; a server uses the label as the lookup key for the hotspot's description, and a user identifies nearby hotspots from the descriptions the server returns. A contact relationship is established between the user requesting login and the owners of the hotspot, so that the user can log into every hotspot of which she or one of her contacts is an owner. A server on the Internet holds the pre-shared key and uses it to generate the temporary key the user needs in personal mode; the user's terminal performs the handshake with the hotspot using the temporary key distributed by the server, which reduces the chance that the pre-shared key is leaked or cracked. The user logs into hotspots operating in either login mode with the account and password registered at the server; a hotspot can switch between login modes at will, and the switch is transparent to the user.

Description

Secure login method and system for WiFi hotspots
Technical field
The present invention relates to the field of wireless communication, and in particular to a method and system by which a terminal logs into a WiFi hotspot securely.
Background technology
WiFi is a wireless LAN technology that follows the IEEE 802.11 family of standards. A WiFi hotspot (access point, AP) provides Internet access to the users who log into it. The WiFi security protocol in common use today, WPA (Wi-Fi Protected Access), has two login modes, personal and enterprise. Each hotspot has a freely chosen SSID (service set identifier) of at most 32 bytes, which it broadcasts periodically on its channel so that terminals can scan for it, identify it and connect.
In personal mode the standard login procedure is: the user and the hotspot agree in advance on a pre-shared key PSK; the terminal and the hotspot run a 4-way handshake that derives a pairwise transient key PTK from the PSK, and then use the PTK to set up an encrypted connection.
In enterprise mode the standard login procedure is: the user's terminal authenticates, through the hotspot, with an authentication server on the Internet (for example a RADIUS server); after successful authentication the server and the terminal each derive a pairwise master key PMK, the server delivers the PMK to the hotspot, and the terminal and the hotspot then run a 4-way handshake that derives a PTK from the PMK and use it to set up an encrypted connection.
The 4-way handshake used in both the conventional WPA-Personal and WPA-Enterprise modes proceeds as follows:
(1) The hotspot generates a random number Anonce and sends the first handshake message to the terminal; the message contains {Anonce, the hotspot's MAC address}.
(2) The terminal generates a random number Bnonce and derives the temporary key PTK from {PSK/PMK, Anonce, the hotspot's MAC address, Bnonce, the terminal's MAC address}.
(3) The terminal computes a message integrity code Amic and sends the second handshake message to the hotspot; the message contains {Bnonce, the terminal's MAC address, Amic}.
(4) The hotspot derives the PTK from the same inputs {PSK/PMK, Anonce, the hotspot's MAC address, Bnonce, the terminal's MAC address} and verifies Amic to confirm that its PTK matches the one the terminal derived.
(5) The hotspot computes an integrity code Bmic and sends the third handshake message to the terminal; the message contains {Bmic}.
(6) The terminal verifies Bmic. If verification succeeds, the terminal computes an integrity code Cmic and sends the fourth handshake message to the hotspot, containing {Cmic}; otherwise the terminal aborts the login.
(7) The hotspot verifies Cmic; if verification fails, it aborts the login.
(8) The terminal and the hotspot use the PTK to set up the encrypted connection.
The above method has a significant weakness: for a hotspot in personal mode, the pre-shared key PSK has to be disclosed to every user who logs into it, so the key is hard to manage and easily leaked.
The prior art proposes several solutions to the security problem of personal mode, including:
(1) A secure access method and system for a smartphone's portable hotspot: the smartphone acting as wireless access point and the smartphone acting as terminal perform WPA-PSK authentication over near-field communication (NFC) and generate the temporary key needed for encrypted communication; because the NFC range is within 10 cm, a third party finds it hard to recover the PSK.
(2) A WiFi hotspot login method and system: a server on the Internet stores the login information of hotspots (for example the WPA/WEP key); the user logs into a first hotspot over the terminal's WiFi interface, or accesses the Internet over the terminal's mobile-network interface, obtains from the server the login information of a second hotspot, and then uses it to log into the second hotspot.
(3) A pre-shared key update method and system: the two parties use the prime P corresponding to the pre-shared key to be updated as the modulus of a Diffie-Hellman exchange; each party computes PX or PY from P, a positive integer g less than P, and its own random number sx or sy; the parties exchange PX and PY and compute the new pre-shared key from {P, PX, PY, sx, sy}.
Analysis shows that schemes (1) and (3) target personal mode but are incompatible with the relevant IEEE 802.11 standard protocols, and that scheme (2) discloses the login key to the terminal user and stores it locally on the terminal, which is insecure. These schemes have significant drawbacks in implementation difficulty and security.
Summary of the invention
To solve these problems, the present invention first proposes a secure and reliable login method for WiFi hotspots.
A further object of the invention is a secure and reliable login system for WiFi hotspots.
To solve the technical problems described above, the technical solution of the invention is as follows:
A secure login method for WiFi hotspots, involving a server SVR located on the Internet, a plurality of hotspots {AP1, AP2, ..., APj, ...} that offer personal or enterprise login mode, and a plurality of terminals {M1, M2, ..., Mi, ...} each equipped with a WiFi interface and a mobile-network interface (for example 3G or 4G). A user can access the Internet either by logging into a nearby hotspot over the terminal's WiFi interface or over the terminal's mobile-network interface.
In the login method, any two of user, hotspot and server exchange information within a session. At the start of a session the two parties verify each other's identity and generate a credential for the session, which is used to sign the information exchanged during the session. A user may use several terminals to set up several sessions with the server or a hotspot, and several users may each set up a session with the server or a hotspot from one terminal.
The secure login method comprises:
(1) The user registers a user account at the server through a terminal, and registers a hotspot account at the server through a terminal.
User registration: user Alice sends a request to register a user account to the server through terminal Mi; the server registers the account for Alice and returns the result to terminal Mi.
Hotspot registration: user Alice sends a request to register a hotspot account to the server through terminal Mi; the server generates the label of hotspot APj and registers an account for APj, then returns the result, including the label of APj, to terminal Mi.
(2) User Alice requests to log into a hotspot through a terminal, as follows:
(21) User Alice obtains information about nearby hotspots through terminal Mi and builds a hotspot list; Alice reviews the hotspots in the list and selects hotspot APj.
(22) The terminal performs the personal or enterprise login procedure according to the login mode APj offers.
In the personal login procedure, user Alice, hotspot APj and the server are pairwise in session, the server and APj jointly hold a pre-shared key PSK, and Alice's login request to APj through terminal Mi proceeds as follows:
(201) Hotspot APj generates a random number Anonce and sends the first handshake message to terminal Mi.
(202) Terminal Mi forwards the first handshake message from APj to the server.
(203) The server verifies that at least one owner of APj is Alice or one of Alice's contacts. If so, continue with step (204); otherwise the server aborts Alice's login request.
(204) The server generates a random number Bnonce, derives a temporary key PTK from the pre-shared key PSK, encrypts Bnonce and the PTK with Alice's password, and sends the ciphertext to terminal Mi.
(205) Terminal Mi decrypts the ciphertext with Alice's password to obtain Bnonce and the PTK, then sends the second handshake message to APj.
(206) Hotspot APj derives the PTK from the pre-shared key PSK itself and checks whether its locally derived PTK matches the terminal's. If so, continue with step (207); otherwise APj aborts Alice's login request.
(207) Hotspot APj and terminal Mi perform the third and fourth messages of the conventional WPA 4-way handshake to complete the terminal's login to the hotspot.
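The two handshakes above, as an added worked example in Python that is not code from the patent: first the conventional WPA-Personal derivation of the Background section (PBKDF2 passphrase to PMK/PSK, PRF-512 to PTK, HMAC-SHA1 key MIC over an EAPOL-Key frame, all per IEEE 802.11 and using only the standard library), then the patent's personal-mode variant of steps (201) to (206), in which the server, not the terminal, holds the PSK, derives the PTK and returns Bnonce and the PTK encrypted under the user's account password. The text does not say how that encryption is done; the password-based wrapping here (PBKDF2 key derivation from the password and a fresh salt, HMAC-SHA256 counter-mode keystream, HMAC-SHA256 tag) is an assumption and a stand-in for a real AEAD such as AES-GCM, and the EAPOL-Key message 2 bytes are constructed sample input, not a captured frame.

```python
import hashlib
import hmac
import os

# ---- Standard WPA-Personal primitives (IEEE 802.11; stdlib only) ----

def psk_to_pmk(passphrase: str, ssid: bytes) -> bytes:
    """WPA-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    In personal mode the PMK is the PSK itself (the 'pre-shared key' of the text)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated to 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, bnonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces)).
    The min/max ordering is why the hotspot and the terminal (or, here, the server) derive the same key."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, bnonce) + max(anonce, bnonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(ptk: bytes, frame: bytes) -> bytes:
    """Key MIC for EAPOL-Key descriptor version 2: HMAC-SHA1 under the KCK (PTK[0:16]), truncated to
    16 bytes, over the frame with its MIC field zeroed. This is the Amic/Bmic/Cmic of the text."""
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]


# ---- Patent variant: the server holds the PSK and ships the PTK to the terminal (steps 201-206) ----

def _password_keys(password: str, salt: bytes):
    # Assumption: the patent says only "encrypt with the user's password"; derive proper keys from it.
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 64)
    return k[:32], k[32:]


def _keystream(enc_key: bytes, salt: bytes, length: int) -> bytes:
    # Stand-in for a real cipher: HMAC-SHA256 in counter mode, salt doubles as the nonce.
    return b"".join(hmac.new(enc_key, salt + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]


def password_wrap(password: str, plaintext: bytes) -> bytes:
    """Server side of step (204): encrypt (Bnonce || PTK) so that only the holder of the account
    password can read it. Output: salt || ciphertext || tag (encrypt-then-MAC)."""
    salt = os.urandom(16)
    enc_key, mac_key = _password_keys(password, salt)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, salt, len(plaintext))))
    return salt + ct + hmac.new(mac_key, salt + ct, hashlib.sha256).digest()


def password_unwrap(password: str, blob: bytes) -> bytes:
    """Terminal side of step (205): verify the tag first, then decrypt."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _password_keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + ct, hashlib.sha256).digest()):
        raise ValueError("wrong password or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, salt, len(ct))))


def personal_login(server_psk: bytes, ap_psk: bytes, ap_mac: bytes, sta_mac: bytes,
                   password: str, owner_ok: bool = True) -> dict:
    """Simulate steps (201)-(206) with hotspot, terminal and server in one process.
    server_psk is the PSK registered at the server, ap_psk the one configured on the hotspot;
    they are equal in the normal case. Returns whether the hotspot accepted message 2."""
    anonce = os.urandom(32)                                 # (201) hotspot -> terminal, (202) -> server
    if not owner_ok:                                        # (203) no owner is the user or a contact
        return {"ok": False, "reason": "no owner of this hotspot is the user or a contact"}
    bnonce = os.urandom(32)                                 # (204) server picks Bnonce, derives PTK
    ptk_server = derive_ptk(server_psk, ap_mac, sta_mac, anonce, bnonce)
    blob = password_wrap(password, bnonce + ptk_server)     # encrypted under the account password
    plain = password_unwrap(password, blob)                 # (205) terminal recovers Bnonce and PTK
    bnonce_t, ptk_terminal = plain[:32], plain[32:]
    msg2 = b"\x02\x03\x00\x75" + bnonce_t + sta_mac         # constructed stand-in for EAPOL-Key msg 2
    mic = eapol_mic(ptk_terminal, msg2)                     # the terminal never held the PSK
    ptk_ap = derive_ptk(ap_psk, ap_mac, sta_mac, anonce, bnonce_t)   # (206) hotspot derives its own PTK
    ok = hmac.compare_digest(mic, eapol_mic(ptk_ap, msg2))
    return {"ok": ok, "reason": "" if ok else "MIC mismatch: hotspot PTK differs from server PTK"}
```

With the same PSK registered at the server and configured on the hotspot, `personal_login` returns `ok`; a hotspot configured with a different PSK fails at step (206) with a MIC mismatch, which is exactly the check the text describes, and a user none of whose contacts owns the hotspot is rejected at step (203) before any key material leaves the server. Two properties are visible in the code: the terminal derives nothing from the PSK and never sees it, which is the point of the method, and the server derives, and therefore knows, every PTK it issues, so the trust that conventional WPA-Personal places in whoever holds the PSK is moved to the server rather than removed.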
In the enterprise login procedure, user Alice, hotspot APj and the server are pairwise in session, and Alice's login to APj through terminal Mi proceeds as follows:
(211) User Alice sends an authentication request to hotspot APj through terminal Mi.
(212) Hotspot APj forwards Alice's authentication request to the server.
(213) The server and Alice verify each other's identity and check that the label of APj known to each of them is the same. If verification succeeds, continue with step (214); otherwise the server aborts Alice's login request.
(214) The server verifies that at least one owner of APj is Alice or one of Alice's contacts. If so, continue with step (215); otherwise the server aborts Alice's login request.
(215) The server and terminal Mi negotiate and each derive a master key PMK; the server then sends the PMK to hotspot APj.
(216) Hotspot APj and terminal Mi perform the conventional WPA 4-way handshake to complete the terminal's login to the hotspot.
When registering a user account, Alice must submit to the server SVR the basic information of the user: account name, password and nickname; she may also submit further information such as sex, age and contact details as needed. User accounts are globally unique.
When registering a hotspot account, Alice must submit to the server SVR the basic information of the hotspot: account name, password and pre-shared key PSK; she may also submit further information such as the hotspot's manufacturer as needed. Hotspot accounts are globally unique.
Each user may register one or more hotspots at the server and is called the administrator of those hotspots. After a hotspot is registered, the user may add one or more owners for the hotspots she administers at the server; the administrator of a hotspot is also one of its owners.
Preferably, in step (21) user Alice obtains information about nearby hotspots through terminal Mi and builds the hotspot list as follows:
(21a) Alice searches for the broadcast signals of nearby hotspots through terminal Mi and builds a hotspot list from the hotspot information in those signals, such as the SSID and login mode.
(21b) Terminal Mi scans the hotspot list and extracts the hotspot label from each SSID in turn.
(21c) Alice selects one or more hotspots from the list and sends the server a request for hotspot information through terminal Mi; the request contains the labels of those hotspots.
(21d) The server looks up, by hotspot label, the owner accounts, owner numbers, owner nicknames and other information of the hotspots concerned, and returns the result to terminal Mi. An owner number is a character string generated by the system to distinguish the different owners of the same hotspot.
Preferably, in step (21d) the server checks for each owner of a hotspot in turn whether the owner is Alice or one of her contacts; if so, the server sends the owner's account to the terminal, otherwise it sends only the owner's number. The owner number is a character string generated by the system to distinguish the different owners of the same hotspot.
Preferably, a hotspot that initially uses enterprise mode can switch to personal mode automatically: if the hotspot detects congestion on its link to the server, for example from delay or packet-loss measurements, it switches to personal mode; otherwise it stays in, or switches back to, enterprise mode.
Preferably, while users Alice and Bob are both in session with the server, Alice adds Bob, an owner of hotspot APj, as a contact through her terminal as follows:
(1a) Alice selects hotspot APj from the hotspot list on terminal Mi and selects one of the owners of APj who is not yet a contact, then sends the server a request through Mi to add this owner as a contact; the request contains the label of APj and the owner's number.
(1b) From the label of APj and the owner number received in step (1a), the server determines that this owner is Bob, and forwards Alice's request to terminal Mj used by Bob.
(1c) If Bob refuses to add Alice as a contact, the procedure ends; otherwise continue with step (1d).
(1d) Bob sends the server a message agreeing to establish a contact relationship with Alice.
(1e) The server records the contact relationship between Alice and Bob and sends a message confirming it to terminals Mi and Mj, where i ≠ j.
Preferably, while Alice and Bob are both in session with the server, Alice deletes contact Bob through terminal Mi as follows:
(1) Alice sends the server a request to delete contact Bob through terminal Mi.
(2) The server removes the contact relationship between Alice and Bob and sends a message confirming the removal to terminal Mi and to terminal Mj used by Bob, where i ≠ j.
Preferably, the hotspot label is a character string generated by the server to distinguish hotspots, and is globally unique. The label of a hotspot together with a CSSID (customized service set identifier) forms the hotspot's SSID; the CSSID is a user-defined character string, and different hotspots may or may not share the same CSSID.
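The label, SSID and owner rules above, as an added example in Python that is not code from the patent. The text fixes neither the label's length or alphabet nor how it is delimited from the CSSID (Fig. 2 is not reproduced here), so the format below, an 8-character base32 label followed by "#" and the CSSID, is an assumption, as is the dict-based Server class standing in for the data tables of Fig. 5. The code enforces the 32-byte SSID limit from the Background section, extracts labels on the terminal side (step 21b), and implements the server's two label-keyed decisions: which owner details to disclose (account to contacts, opaque number to everyone else, step 21d) and whether a login may proceed (at least one owner is the requester or a contact, steps 203 and 214). Computing owner numbers as a keyed hash, so that they are stable for contact requests (steps 1a and 1b) yet not linkable across hotspots, is the editor's choice, not the patent's.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

MAX_SSID_BYTES = 32   # IEEE 802.11 limit quoted in the Background section
LABEL_LEN = 8         # assumption: 40 random bits, base32 -> 8 characters, no padding
SEPARATOR = b"#"      # assumption: separates the label from the custom CSSID


def new_label() -> str:
    """Server-generated hotspot label (assumed format: 40 random bits, base32)."""
    return base64.b32encode(secrets.token_bytes(5)).decode()


def make_ssid(label: str, cssid: str) -> bytes:
    """SSID = label || '#' || CSSID, rejecting anything over the 32-byte 802.11 limit."""
    ssid = label.encode() + SEPARATOR + cssid.encode("utf-8")
    if len(ssid) > MAX_SSID_BYTES:
        raise ValueError(f"SSID would be {len(ssid)} bytes; 802.11 allows at most {MAX_SSID_BYTES}")
    return ssid


def extract_label(ssid: bytes):
    """Terminal side (step 21b): the label, or None for SSIDs that do not carry one."""
    head, sep, _ = ssid.partition(SEPARATOR)
    if sep != SEPARATOR or len(head) != LABEL_LEN:
        return None
    try:
        base64.b32decode(head)       # reject look-alikes with non-base32 characters
    except binascii.Error:
        return None
    return head.decode()


class Server:
    """Server-side state of the method (dict-based stand-in for the tables of Fig. 5)."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)   # keys the opaque owner numbers
        self.hotspots = {}                       # label -> account, psk, administrator, owners
        self.contacts = {}                       # user -> set of contacts (kept symmetric)

    def register_hotspot(self, administrator: str, account: str, psk: bytes) -> str:
        """Hotspot registration: the PSK is kept here because the server derives the PTK later."""
        label = new_label()
        while label in self.hotspots:            # keep labels unique
            label = new_label()
        self.hotspots[label] = {"account": account, "psk": psk,
                                "administrator": administrator, "owners": {administrator}}
        return label

    def add_owner(self, label: str, requester: str, owner: str) -> None:
        """Only the administrator (who is also an owner) may add further owners."""
        hs = self.hotspots[label]
        if requester != hs["administrator"]:
            raise PermissionError("only the administrator may add owners")
        hs["owners"].add(owner)

    def add_contact(self, a: str, b: str) -> None:
        """Step (1e): record the relationship once b has agreed (1d); it is symmetric."""
        self.contacts.setdefault(a, set()).add(b)
        self.contacts.setdefault(b, set()).add(a)

    def remove_contact(self, a: str, b: str) -> None:
        self.contacts.get(a, set()).discard(b)
        self.contacts.get(b, set()).discard(a)

    def _is_self_or_contact(self, requester: str, owner: str) -> bool:
        return owner == requester or owner in self.contacts.get(requester, set())

    def owner_number(self, label: str, owner: str) -> str:
        """Opaque per-hotspot owner number (21d): deterministic, so a terminal can name an owner
        in a contact request (1a), but not linkable across hotspots without the server secret."""
        return hmac.new(self._secret, f"{label}|{owner}".encode(), hashlib.sha256).hexdigest()[:12]

    def resolve_owner(self, label: str, number: str):
        """Step (1b): map an owner number back to the account it stands for."""
        for owner in self.hotspots[label]["owners"]:
            if hmac.compare_digest(self.owner_number(label, owner), number):
                return owner
        return None

    def describe(self, requester: str, label: str) -> list:
        """Step (21d): account for owners who are the requester or a contact, number only otherwise."""
        return [{"number": self.owner_number(label, owner),
                 "account": owner if self._is_self_or_contact(requester, owner) else None}
                for owner in sorted(self.hotspots[label]["owners"])]

    def authorize_login(self, requester: str, label: str) -> bool:
        """Steps (203)/(214): at least one owner is the requester or one of the requester's contacts."""
        return any(self._is_self_or_contact(requester, o) for o in self.hotspots[label]["owners"])
```

A terminal that extracts a label from a scanned SSID and asks the server about it learns only an opaque number for each owner it is not connected to; once Bob has agreed to the contact request that number made possible, the same query returns his account and `authorize_login` starts succeeding, which is the sequence of Figs. 7, 8 and 10.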
A secure login system for WiFi hotspots, comprising a server, a plurality of hotspots offering personal or enterprise login service, and a plurality of user terminals.
The server comprises:
a server user registration unit, which registers users;
a server hotspot registration unit, which registers hotspots;
a server contact management unit, which adds and deletes contacts;
a server session management unit, which sets up, maintains and tears down sessions between the server and hotspots or users;
a server identity authentication unit, which verifies identity mutually with a user or hotspot during a session or a login request;
a server authentication communication unit, which performs authentication communication with a user during a login request;
a server handshake communication unit, which performs handshake communication with a hotspot and a terminal during a login request;
a server data management unit, which maintains the server's data tables, including lookup, insertion, deletion and update;
a server message unit, which sends and receives messages to and from hotspots and terminals.
The server handshake communication unit comprises:
a server key management module, which stores, generates and distributes pre-shared keys, master keys and temporary keys as required;
a server key encryption module, which encrypts temporary keys;
a server random number generation module, which generates random numbers.
Each hotspot comprises:
a hotspot signal broadcast unit, which broadcasts hotspot information such as the SSID and login mode;
a hotspot session management unit, which sets up, maintains and tears down sessions between the hotspot and the server or users;
a hotspot identity authentication unit, which verifies identity mutually with the server or a user during a session;
a hotspot handshake communication unit, which performs handshake communication with a user and the server during a login request;
a hotspot data management unit, which maintains the hotspot's data tables, including lookup, insertion, deletion and update;
a hotspot message unit, which sends and receives messages to and from the server and terminals;
a hotspot login mode switching unit, which switches the hotspot's login mode according to the state of its communication with the server.
The hotspot handshake communication unit comprises:
a hotspot key management module, which stores and generates pre-shared keys, master keys and temporary keys as required;
a hotspot random number generation module, which generates random numbers;
a hotspot integrity code generation module, which generates integrity codes.
Each user terminal comprises:
a terminal signal search unit, which searches for the signals broadcast by nearby hotspots;
a terminal label extraction unit, which extracts labels from the SSIDs of the hotspots found;
a terminal user registration unit, which requests user registration;
a terminal hotspot registration unit, which requests hotspot registration;
a terminal contact management unit, which requests the addition and deletion of contacts;
a terminal session management unit, which sets up, maintains and tears down sessions between the user and the server or hotspots;
a terminal identity authentication unit, which verifies identity mutually with the server or a hotspot during a session and a login request;
a terminal authentication communication unit, which performs authentication communication with the server during a login request;
a terminal handshake communication unit, which performs handshake communication with a hotspot and the server during a login request;
a terminal data management unit, which maintains the terminal's data tables, including lookup, insertion, deletion and update;
a terminal message unit, which sends and receives messages to and from the server and hotspots.
The terminal handshake communication unit comprises:
a terminal key management module, which stores and generates pre-shared keys, master keys and temporary keys as required;
a terminal key decryption module, which decrypts temporary keys;
a terminal random number generation module, which generates random numbers;
a terminal integrity code generation module, which generates integrity codes.
Compared with the prior art, the present invention embeds a globally unique label in the SSID of each hotspot, the server uses the label as the key for looking up the hotspot's description, and the user identifies nearby hotspots from the descriptions the server sends; a contact relationship is established between the user requesting login and the owners of the hotspot, so that the user can use the account and password registered at the server to log into every hotspot of which she or one of her contacts is an owner; the server on the Internet keeps the pre-shared key and uses it to generate the temporary key a user needs in personal mode, and the user's terminal performs the handshake with the hotspot using the temporary key distributed by the server, which reduces the chance that the pre-shared key is leaked or cracked; the user can log into a hotspot operating in either mode with the account and password registered at the server, a hotspot can switch between login modes as required, and the switch is transparent to the user. The invention is compatible with the relevant IEEE 802.11 standard protocols, is easy to implement, and is highly secure.
The beneficial effects of the invention are: Ease of operation: through a terminal the user can quickly log into every hotspot of which she or one of her contacts is an owner, and the login procedure is highly automated.
Ease of use: the user logs into hotspots operating in either login mode with the account and password registered at the server; a hotspot can switch between login modes as required, and the switch is transparent to the user.
Security and reliability: in personal mode the server on the Internet uses the pre-shared key to generate the temporary key for the user requesting login, and a third party finds it hard to obtain or crack the pre-shared key held at the server; a globally unique label is embedded in the hotspot's SSID, and the server verifies the authenticity of the hotspot the user requests from that label.
Brief description of the drawings
Fig. 1 is the architecture diagram of the invention.
Fig. 2 is a schematic diagram of the hotspot label and SSID in the embodiment.
Fig. 3 is the sequence diagram of the handshake in the personal login mode of the invention.
Fig. 4 is the sequence diagram of the handshake in the conventional personal login mode.
Fig. 5 is a schematic diagram of the data tables of the server, hotspot and user terminal in the embodiment.
Fig. 6 is the flowchart for registering a hotspot account in the embodiment.
Fig. 7 is the flowchart for obtaining information about nearby hotspots in the embodiment.
Fig. 8 is the flowchart for establishing a contact relationship in the embodiment.
Fig. 9 is the flowchart for removing a contact relationship in the embodiment.
Fig. 10 is the flowchart for logging into a hotspot in the embodiment.
Fig. 11 is the flowchart of the personal login procedure in the embodiment.
Fig. 12 is the flowchart of the enterprise login mode in the embodiment.
Fig. 13 is the flowchart for a hotspot switching login mode in the embodiment.
Fig. 14 is the system module diagram of the embodiment.
Embodiment
Below in conjunction with accompanying drawing, the present invention will be further described, but embodiments of the present invention are not limited to this.
As shown in Figure 1, the terminal M1 of user Alice is positioned at the wireless and movable signal coverage of focus AP1 and base station BS 1, the terminal M2 of user Bob is positioned at the signal cover of focus AP2 and base station BS 2, Bob is an owner of focus AP1, and all owners of AP1 are not all Alice or its contact person.
In described login method, during user Alice and Bob and server S VR is in session, Alice is that the process of contact person is as follows by the owner Bob that terminal M1 asks SVR to add focus AP1:
(1) user Alice selects focus AP1 and select one from the owner of all non-contact person of AP1 from the hotspot list of terminal M1, then sending this owner of interpolation by M1 to server S VR is the request of contact person, comprises the label of AP1 and the numbering of owner in request;
(2) server S VR is used in the label of AP1 and the numbering of owner that step (1) receives to know that this owner is Bob, and then SVR forwards the request of user Alice to the terminal M2 that user Bob uses;
(3) if it is contact person that user Bob refuses to add user Alice, then stopping Alice request interpolation Bob is the process of contact person;
(4) user Bob sends the message agreeing to set up contact relationship with user Alice to server S VR;
(5) server S VR sets up the contact relationship of user Alice and Bob and sends the message successfully setting up contact relationship respectively to terminal M1 and M2.
In described login method, during user Alice and Bob and server S VR is in session, the process that Alice deletes contact person Bob by terminal M1 request server SVR is as follows:
(1) user Alice sends the request of deleting contact person Bob to server S VR by terminal M1;
(2) server S VR removes the contact relationship of user Alice and Bob and sends the message successfully removing contact relationship respectively to terminal M1 and M2.
In described login method, the process that user Alice logs in focus AP1 by terminal M1 request is as follows:
(1) user Alice checks the information of periphery focus by the hotspot list of terminal M1 and selects focus AP1;
(2) terminal M1 selects to perform individual or enterprise's login process according to the login mode that focus AP1 provides.
In described individual login process, during user Alice, focus AP1 and server S VR are in session between two, SVR and AP1 holds a wildcard PSK jointly, and the process that Alice logs in AP1 by terminal M1 request is as follows:
(1) focus AP1 sends the first handshake information to terminal M1;
(2) terminal M1 forwards first handshake information of focus AP1 to server S VR;
(3) server S VR verifies in all owners of focus AP1 whether have one at least for Alice or its contact person; If authentication failed, then the logging request of termination Alice;
(4) server S VR uses wildcard PSK to generate a temporary key PTK, then encrypts with the codon pair PTK of user Alice and ciphertext is sent to M1;
(5) terminal M1 obtains temporary key PTK with the codon pair decrypt ciphertext of Alice, then sends the second handshake information to focus AP1;
(6) focus AP1 uses wildcard PSK to generate a temporary key PTK and verifies that whether the local PTK generated is identical with the PTK of terminal; If not, then the logging request of termination Alice;
(7) focus AP1 and terminal M1 performs third and fourth handshake communication process of the 4-Way Handshake agreement in traditional WPA people and enterprise's login mode to complete the process that terminal logs in focus.
In step (2) and (4) of said process, terminal M1 and server S VR exchanges messages via focus AP1 by the WiFi network interface of M1, also can be exchanged messages by mobile network's interface of M1.
As shown in Figure 3-4, be different from traditional WPA people's login mode, individual login process of the present invention is preserved PSK at server end and the PTK of generation is sent to terminal, instead of preserve PSK in terminal and generate PTK.
In the enterprise login process, user Alice, hotspot AP1 and server SVR are pairwise in session, and the process by which Alice logs in to AP1 through terminal M1 is as follows:
(1) user Alice sends an authentication request to hotspot AP1 through terminal M1;
(2) hotspot AP1 forwards user Alice's authentication request to server SVR;
(3) server SVR and user Alice mutually verify each other's identity and also verify whether the labels of AP1 known to each of them agree; if the verification fails, Alice's login request is terminated;
In this step, hotspot AP1 and server SVR are in session, so SVR knows the account and label of AP1; the label of AP1 known to Alice is obtained from the SSID of AP1 found by M1's search.
(4) server SVR verifies whether at least one of all owners of hotspot AP1 is Alice or one of her contacts; if the verification fails, the process of Alice requesting to log in to hotspot AP1 is terminated;
(5) server SVR and terminal M1 negotiate to each generate the master key PMK, then SVR sends the PMK to hotspot AP1;
In this step, server SVR and terminal M1 negotiate the generation of the PMK by forwarding messages through hotspot AP1; after this step completes, both terminal M1 and hotspot AP1 hold the PMK.
(6) hotspot AP1 and terminal M1 perform the handshake communication process of the 4-Way Handshake protocol used in the traditional WPA-Personal and WPA-Enterprise login modes to complete the process of the terminal logging in to the hotspot.
In the login method, a hotspot AP1 that initially adopts the enterprise login mode can automatically switch to the personal mode, as follows:
(1) if hotspot AP1 detects that the communication between itself and server SVR is congested, for example as detected from parameters such as delay and packet loss, it switches to the personal login mode; otherwise it maintains or switches back to the enterprise login mode.
In the above embodiment, users and terminals are in a one-to-one relationship, that is, each user uses only one terminal and each terminal belongs to only one user. Hereinafter, "user terminal" and "terminal user" denote a terminal and a user satisfying this correspondence, respectively.
In the above embodiment, the data tables of the server, hotspot and user terminal are as shown in Figure 5 and are described as follows:
The data table D10 of the server comprises:
User table D101: records the information of all users, comprising fields such as { user account, user password, user nickname, other user information }; the user account is globally unique.
Hotspot table D102: records the information of all hotspots, comprising fields such as { hotspot account, hotspot password, hotspot label, hotspot owner account, hotspot owner number, hotspot owner nickname, other hotspot information }; the hotspot account is globally unique, different owners of the same hotspot have different numbers, and the hotspot owner account, number and nickname fields contain the account, number and nickname information of all owners of the hotspot.
Contact table D103: records the contact information of all users, comprising fields such as { user account, contact account, contact nickname, other contact information }.
User session table D104: records the session information between the server and terminal users, comprising fields such as { session number, session start time, session end time, session status, session credential, user account }; the session number is globally unique.
Hotspot session table D105: records the session information between the server and hotspots, comprising fields such as { session number, session start time, session end time, session status, session credential, hotspot account }; the session number is globally unique.
Contact event table D106: records pending events for establishing contact relationships, comprising fields such as { event number, source user account, target user account }; the event number is globally unique.
The data table D20 of the hotspot comprises:
Hotspot table D201: records the information of the hotspot, comprising fields such as { hotspot account, hotspot password, hotspot SSID, hotspot MAC address, hotspot login mode, other hotspot information }.
User session table D202: records the session information between the hotspot and terminal users, comprising fields such as { session number, session start time, session end time, session status, session credential, user account }.
Server session table D203: records the session information between the hotspot and the server, comprising fields such as { session number, session start time, session end time, session status, session credential }.
The data table D30 of the user terminal comprises:
User table D301: records the information of the terminal user, comprising fields such as { user account, user password, user nickname, other user information }.
Hotspot table D302: records the information of nearby hotspots, comprising fields such as { hotspot label, hotspot login mode, hotspot owner account, hotspot owner nickname, hotspot owner number, other hotspot information }.
Contact table D303: records the information of the terminal user's contacts, comprising fields such as { contact account, contact nickname, other contact information }.
Hotspot session table D304: records the session information between the terminal user and hotspots, comprising fields such as { session number, session start time, session end time, session status, session credential, hotspot label }.
Server session table D305: records the information of the session between the terminal user and the server, comprising fields such as { session number, session start time, session end time, session status, session credential }.
The system may generate hotspot labels using, but not limited to, the following methods: assign each hotspot a unique random number as its label, or use the MAC address of the hotspot as its label. In the present embodiment, hotspots are numbered from 1 in order of registration and this number is used as the hotspot's label. As shown in Figure 2, the SSID of a hotspot is "WiFi-Bob@1000", the label and CSSID of the hotspot are "1000" and "WiFi-Bob" respectively, and the reserved character "@" is the separator.
As shown in Figure 1, the user terminal M1 of terminal user Alice is within the signal coverage of hotspot AP1 and base station BS1, the user terminal M2 of terminal user Bob is within the signal coverage of hotspot AP2 and base station BS2, Bob is an owner of hotspot AP1, and none of the owners of hotspot AP1 is Alice or one of her contacts.
In the above embodiment, the steps of process S10, in which Alice registers a user account at server SVR through user terminal M1, are as follows:
S101: Alice sends a request to register a user account to server SVR through user terminal M1.
S102: server SVR sends a request to submit registration information to user terminal M1.
S103: Alice submits the registration information to server SVR through user terminal M1; the content comprises { Alice's account, Alice's password, Alice's nickname, other information of Alice }.
S104: server SVR registers the user account for Alice and sends a registration-success message to user terminal M1.
S105: user terminal M1 updates Alice's status.
S106: end.
In the above embodiment, while terminal user Alice and server SVR are in session, the steps of process S20, in which Alice registers hotspot AP2 at SVR through user terminal M1, are as shown in Figure 6:
S201: Alice sends a request to register a hotspot account to server SVR through user terminal M1.
S202: server SVR sends a request to submit registration information to user terminal M1.
S203: Alice submits the registration information to server SVR through user terminal M1; the content comprises { AP2's account, AP2's password, AP2's pre-shared key PSK, other information of AP2 }.
S204: server SVR registers a hotspot account for hotspot AP2 and sends a registration-success message to user terminal M1.
S205: end.
In the above embodiment, while terminal user Alice and server SVR are in session, the steps of process S30, in which Alice obtains nearby hotspot information through user terminal M1, are as shown in Figure 7:
S301: Alice searches for the broadcast signals of nearby hotspots through user terminal M1 and generates a hotspot table.
S302: user terminal M1 extracts the hotspot label from the SSID field of hotspot AP1.
S303: Alice sends a request to obtain the information of hotspot AP1 to server SVR through user terminal M1; the request content comprises { label of AP1 }.
S304: server SVR sends the information of hotspot AP1 to user terminal M1; the content comprises { label of AP1, owner accounts of AP1, owner numbers of AP1, owner nicknames of AP1, other information of AP1 }.
In this step, server SVR looks up the information of hotspot AP1 according to the label of AP1 received in step S303 and checks, for each owner of AP1 in turn, whether that owner and Alice are contacts; if so, the owner's account is sent to user terminal M1, otherwise the owner's number is sent to M1.
S305: user terminal M1 updates the hotspot table.
S306: end.
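The SSID format of Figure 2 (CSSID@label), the server tables D101 to D103, the owner filtering of step S304 and the "owner or contact" check that the login processes apply in step (3) can be exercised together in a short simulation. The following is an added example written for this page, not code from the patent; the table rows, account names and the choice of the last "@" as separator are constructed assumptions:

```python
SEPARATOR = "@"  # reserved separator between CSSID and label in the SSID


def extract_label(ssid):
    """Split an SSID of the form CSSID@label into (cssid, label) as in step S302.

    Returns None when no label can be extracted: no separator, empty CSSID or
    label, or a label that is not a registration number (this embodiment numbers
    hotspots from 1).  The last '@' is taken as the separator so that a CSSID
    may itself contain the character.
    """
    cssid, sep, label = ssid.rpartition(SEPARATOR)
    if not sep or not cssid or not label.isdigit():
        return None
    return cssid, label


# Constructed sample rows for the server tables (not data from the patent).
# D101 user table: account -> password and nickname
USERS = {
    "alice": {"password": "alice-pw", "nickname": "Alice"},
    "bob":   {"password": "bob-pw",   "nickname": "Bob"},
    "carol": {"password": "carol-pw", "nickname": "Carol"},
}
# D102 hotspot table: label -> hotspot account and owners keyed by owner number
HOTSPOTS = {
    "1000": {"account": "ap1", "owners": {"1": "bob", "2": "carol"}},
    "1001": {"account": "ap2", "owners": {"1": "alice"}},
}
# D103 contact table: account -> contact accounts (kept symmetric by S40/S50)
CONTACTS = {
    "alice": {"carol"},
    "carol": {"alice"},
    "bob": set(),
}


def is_contact(user, other):
    return other in CONTACTS.get(user, set())


def owner_or_contact(label, user):
    """Server check of steps (3)/S703a/S705b: at least one owner of the hotspot
    is the requesting user or one of the user's contacts."""
    hotspot = HOTSPOTS.get(label)
    if hotspot is None:
        return False
    return any(owner == user or is_contact(user, owner)
               for owner in hotspot["owners"].values())


def hotspot_info_for_user(label, requester):
    """Step S304: for each owner, send the account if the owner is the requester
    or a contact, otherwise only the owner number (the account stays hidden)."""
    hotspot = HOTSPOTS.get(label)
    if hotspot is None:
        return None
    owners = []
    for number, account in hotspot["owners"].items():
        nickname = USERS[account]["nickname"]
        if account == requester or is_contact(requester, account):
            owners.append({"account": account, "nickname": nickname})
        else:
            owners.append({"number": number, "nickname": nickname})
    return {"label": label, "owners": owners}


def owner_account(label, number):
    """Step S402: resolve an owner number back to the account, server side only."""
    hotspot = HOTSPOTS.get(label)
    return None if hotspot is None else hotspot["owners"].get(number)
```

With these rows, Alice sees Carol's account for AP1 (label "1000") but only the number "1" for Bob, which is the point of the number field: a non-contact owner's account never leaves the server, while the label still lets the server resolve the number to an account when Alice later asks to add that owner.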
In the above embodiment, while terminal users Alice and Bob and server SVR are in session, the steps of process S40, in which Alice requests SVR through user terminal M1 to add Bob, an owner of hotspot AP1, as a contact, are as shown in Figure 8:
S401: Alice selects hotspot AP1 from the hotspot table and selects one of the owners of AP1 who are not her contacts, then sends a request to add this owner as a contact to server SVR through user terminal M1; the request content comprises { label of AP1, number of the owner }.
S402: server SVR obtains the owner's account from the label of AP1 and the owner's number and learns that the owner is Bob; SVR then sends a request to add Alice as a contact to Bob's user terminal M2; the request content comprises { event number, Alice's account }.
In this step, server SVR adds a record for this contact request to the contact event table.
S403: if Bob agrees to add Alice as a contact, user terminal M2 sends a message agreeing to establish a contact relationship with Alice to server SVR; the message content comprises { event number }. Otherwise, jump to step S406.
S404: server SVR sends a message that the contact relationship has been successfully established to user terminals M1 and M2 respectively; the message contents are { Bob's account } and { Alice's account } respectively.
In this step, server SVR deletes the related record from the contact event table.
S405: user terminals M1 and M2 update their contact tables.
S406: end.
In the above embodiment, while terminal users Alice and Bob and server SVR are in session, the steps of process S50, in which Alice requests SVR through user terminal M1 to delete contact Bob, are as shown in Figure 9:
S501: Alice sends a request to delete contact Bob to server SVR through terminal M1; the request content comprises { Bob's account }.
S502: server SVR removes the contact relationship between Alice and Bob and sends a message that the contact relationship has been successfully removed to user terminals M1 and M2; the message content comprises { Bob's account, Alice's account }.
S503: user terminals M1 and M2 update their contact tables.
S504: end.
In the above embodiment, the steps of process S60, in which terminal user Alice requests to log in to hotspot AP1, are as shown in Figure 10:
S601: Alice selects hotspot AP1 from the hotspot table of user terminal M1.
S602: if AP1 currently provides the personal login service, the personal login process S70a is invoked; otherwise the enterprise login process S70b is invoked.
S603: end.
The steps of the personal login process S70a, in which Alice logs in to AP1 through user terminal M1, are as shown in Figure 11; terminal user Alice, hotspot AP1 and server SVR are pairwise in session, and server SVR and hotspot AP1 jointly hold the pre-shared key PSK:
S701a: hotspot AP1 generates a random number Anonce and sends the first handshake message to terminal M1; the message content comprises { random number Anonce, MAC address of AP1 }.
S702a: terminal M1 forwards the first handshake message of hotspot AP1 to server SVR; the message content comprises { random number Anonce, MAC address of AP1, MAC address of M1, label of AP1 }.
In this step, terminal M1 may forward the handshake message to server SVR via hotspot AP1 through its WiFi network interface, or forward it to SVR by accessing the Internet through its mobile network interface. Here, terminal M1 forwards the handshake message to server SVR via hotspot AP1 through the WiFi network interface.
S703a: server SVR verifies whether at least one of all owners of hotspot AP1 is Alice or one of her contacts; if not, jump to step S708a.
S704a: server SVR generates a random number Bnonce and the temporary key PTK.
In this step, server SVR computes the temporary key PTK from { PSK, random number Anonce, MAC address of AP1, random number Bnonce, MAC address of M1 }.
S705a: server SVR encrypts the temporary key PTK with user Alice's password and sends the random number Bnonce and the ciphertext of the PTK to terminal M1; the message content is { random number Bnonce, ciphertext of temporary key PTK, label of AP1 }.
In this step, if terminal M1 sent the handshake message to SVR through its WiFi network interface in step S702a, SVR forwards the message to M1's WiFi network interface via hotspot AP1; otherwise SVR sends the message to M1's mobile network interface. Here, SVR forwards the PTK to M1 via AP1.
In this step, terminal M1 decrypts the received ciphertext of the PTK with user Alice's password.
S706a: terminal M1 generates an integrity code Amic and sends the second handshake message to hotspot AP1; the message content comprises { random number Bnonce, MAC address of M1, integrity code Amic }.
S707a: hotspot AP1 and terminal M1 continue with the third and fourth handshake messages of the WPA 4-Way Handshake communication process to complete the process of the terminal logging in to the hotspot.
S708a: return.
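The personal login process described in steps (1) to (7) above and detailed in S701a to S708a can be simulated end to end to see where the PSK lives and how the hotspot verifies "the same PTK" without the PTK ever crossing the air. This is an added example written for this page, not the patent's code; the PRF (HMAC-SHA256 over the five inputs of step S704a), the password stretching (PBKDF2 with the account as salt), the encrypt-then-MAC construction standing in for a real cipher, and the MIC construction are all assumptions of the example:

```python
import hashlib
import hmac
import os

TAG_LEN = 16


def derive_ptk(psk, anonce, ap_mac, bnonce, sta_mac):
    """PTK from the inputs listed in step S704a. The PRF (HMAC-SHA256) and the
    field order are assumptions of this example, not fixed by the description."""
    return hmac.new(psk, b"PTK" + anonce + ap_mac + bnonce + sta_mac,
                    hashlib.sha256).digest()


def password_key(password, account):
    """Stretch the user's password into an encryption key (PBKDF2 with the
    account as salt is an assumption of this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), account.encode(), 10_000)


def seal(key, nonce, plaintext):
    """Encrypt-then-MAC of a 32-byte PTK with an HMAC-derived keystream, so the
    example runs on the standard library only; a real AEAD would be used in
    practice.  Output is ciphertext || 16-byte tag."""
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def unseal(key, nonce, sealed):
    """Inverse of seal(); returns None if the tag does not verify (wrong password)."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


def mic(ptk, message):
    """Integrity code (Amic) over a handshake message, keyed with the PTK."""
    return hmac.new(ptk, message, hashlib.sha256).digest()[:TAG_LEN]


def personal_login(psk, ap_mac, sta_mac, account, password_at_server,
                   password_at_terminal, ap_psk=None):
    """Run steps S701a-S706a and the hotspot's check of step (6).  Returns True
    when the hotspot accepts the second handshake message.  ap_psk lets a test
    simulate a hotspot whose PSK differs from the server's copy."""
    ap_psk = psk if ap_psk is None else ap_psk
    # S701a: AP -> M1 { Anonce, AP MAC }
    anonce = os.urandom(32)
    # S702a: M1 -> SVR { Anonce, AP MAC, M1 MAC, label }; the S703a owner check
    # is assumed to have passed.
    # S704a: only SVR holds the PSK; it generates Bnonce and derives the PTK.
    bnonce = os.urandom(32)
    ptk_server = derive_ptk(psk, anonce, ap_mac, bnonce, sta_mac)
    # S705a: SVR -> M1 { Bnonce, Enc_password(PTK), label }
    sealed = seal(password_key(password_at_server, account), bnonce, ptk_server)
    # M1 decrypts with the password it holds; a wrong password fails the tag.
    ptk_terminal = unseal(password_key(password_at_terminal, account), bnonce, sealed)
    if ptk_terminal is None:
        return False
    # S706a: M1 -> AP { Bnonce, M1 MAC, Amic }
    msg2 = bnonce + sta_mac
    amic = mic(ptk_terminal, msg2)
    # Step (6): the AP derives the PTK from its own PSK and the two nonces and
    # checks that the terminal's MIC matches; that is how "identical PTK" is
    # verified although the PTK itself is never sent to the AP.
    ptk_ap = derive_ptk(ap_psk, anonce, ap_mac, bnonce, sta_mac)
    return hmac.compare_digest(mic(ptk_ap, msg2), amic)
```

The two failure paths worth noting are the ones the description terminates the login on: a terminal that holds the wrong password cannot open the ciphertext (the tag check fails before any frame reaches the hotspot), and a hotspot whose PSK does not match the server's copy derives a different PTK and rejects the Amic in step (6).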
The steps of the process S70b, in which Alice logs in to hotspot AP1 in the enterprise login mode through terminal M1, are as shown in Figure 12; terminal user Alice, hotspot AP1 and server SVR are pairwise in session:
S701b: Alice sends an authentication request to hotspot AP1 through user terminal M1; the request content comprises { Alice's account, SSID of AP1 }.
S702b: hotspot AP1 forwards Alice's authentication request to server SVR.
S703b: server SVR and Alice mutually verify each other's identity; if the verification fails, jump to step S708b.
In this step, depending on the authentication algorithm used, for example CHAP v2, several message exchanges through hotspot AP1 may be needed between user terminal M1 and server SVR.
S704b: server SVR verifies whether the label in the SSID of hotspot AP1 sent by user terminal M1 is consistent with the label of hotspot AP1; if the verification fails, jump to step S708b.
In this step, server SVR compares the label of AP1 extracted from the SSID of AP1 obtained during the authentication process with Alice against the label of AP1 obtained during its session with hotspot AP1, and checks whether the two are identical.
S705b: server SVR verifies whether at least one of all owners of hotspot AP1 is Alice or one of her contacts; if not, jump to step S708b.
S706b: server SVR and terminal M1 negotiate to each generate the master key PMK, then SVR sends the PMK to hotspot AP1.
S707b: hotspot AP1 and terminal M1 perform the WPA 4-Way Handshake protocol to complete the process of the terminal logging in to the hotspot.
S708b: return.
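The server side of the enterprise login process S701b to S708b, with its three checks (mutual identity verification, label consistency between the SSID the terminal saw and the label the server learned from the hotspot's own session, and the owner-or-contact check) followed by PMK derivation, is shown below as an added example written for this page rather than code from the patent. The CHAP-style challenge-response (a keyed hash under the password with a per-direction identifier, standing in for the CHAP v2 the description mentions), the PMK derivation from both challenges, and the table rows are assumptions of the example:

```python
import hashlib
import hmac
import os

# Constructed server-side state (not data from the patent).
SERVER_USERS = {"alice": "alice-pw", "dave": "dave-pw"}        # D101
HOTSPOT_OWNERS = {"1000": ["bob", "carol"]}                     # D102
SERVER_CONTACTS = {"alice": {"carol"}, "dave": set()}           # D103
AP_SESSION_LABEL = {"ap1": "1000"}  # label SVR learned in its session with AP1


def extract_label(ssid):
    """Label part of CSSID@label, or None if the SSID carries no valid label."""
    cssid, sep, label = ssid.rpartition("@")
    return label if sep and cssid and label.isdigit() else None


def chap_response(secret, ident, challenge):
    """CHAP-style response: keyed hash over (identifier, challenge) under the
    shared password.  A stand-in for the CHAP v2 the description names; the
    identifier differs per direction so a response cannot be reflected."""
    return hmac.new(secret.encode(), bytes([ident]) + challenge, hashlib.sha256).digest()


def derive_pmk(secret, server_challenge, terminal_challenge):
    """Both sides derive the PMK from the password and both challenges (an
    assumption of this example; the description leaves the negotiation open)."""
    return hmac.new(secret.encode(), b"PMK" + server_challenge + terminal_challenge,
                    hashlib.sha256).digest()


class Terminal:
    """Terminal Mi side of S70b: holds the user's password and the SSID it saw."""

    def __init__(self, account, password, ssid):
        self.account, self.password, self.ssid = account, password, ssid
        self.challenge = None

    def auth_request(self):                   # S701b
        return {"account": self.account, "ssid": self.ssid}

    def answer(self, server_challenge):       # S703b, terminal -> server
        self.challenge = os.urandom(16)
        return chap_response(self.password, 1, server_challenge), self.challenge

    def check_server(self, server_response):  # S703b, server -> terminal
        return hmac.compare_digest(server_response,
                                   chap_response(self.password, 2, self.challenge))

    def pmk(self, server_challenge):          # S706b, terminal side
        return derive_pmk(self.password, server_challenge, self.challenge)


def enterprise_login(terminal, ap_account):
    """Server side of S702b-S706b.  Returns the PMK to hand to the hotspot, or
    None when any check fails (the jump to S708b)."""
    req = terminal.auth_request()              # forwarded by the hotspot (S702b)
    secret = SERVER_USERS.get(req["account"])
    if secret is None:
        return None
    # S703b: mutual identity verification, one challenge in each direction.
    server_challenge = os.urandom(16)
    response, terminal_challenge = terminal.answer(server_challenge)
    if not hmac.compare_digest(response, chap_response(secret, 1, server_challenge)):
        return None
    if not terminal.check_server(chap_response(secret, 2, terminal_challenge)):
        return None
    # S704b: the label in the SSID the terminal saw must equal the label SVR
    # knows from its own session with the hotspot.
    label = AP_SESSION_LABEL.get(ap_account)
    if label is None or extract_label(req["ssid"]) != label:
        return None
    # S705b: at least one owner is the user or one of the user's contacts.
    contacts = SERVER_CONTACTS.get(req["account"], set())
    owners = HOTSPOT_OWNERS.get(label, [])
    if not any(o == req["account"] or o in contacts for o in owners):
        return None
    # S706b: both sides derive the same PMK; the server passes it to the hotspot.
    pmk = derive_pmk(secret, server_challenge, terminal_challenge)
    if not hmac.compare_digest(pmk, terminal.pmk(server_challenge)):
        return None
    return pmk
```

Each early return corresponds to the description's jump to S708b: a wrong password fails the first challenge, an SSID whose label does not match the server's record of the hotspot fails S704b, and a user with no owner among their contacts fails S705b. Only when all three pass does the server hand the PMK to the hotspot for the 4-Way Handshake of S707b.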
In the above embodiment, the steps of process S80, in which hotspot AP1, initially adopting the enterprise login mode, automatically switches its login mode, are as shown in Figure 13:
S801: hotspot AP1 detects whether the communication between itself and server SVR is congested; if so, jump to step S803.
S802: hotspot AP1 maintains or switches back to the enterprise login mode, then jumps to step S804.
S803: hotspot AP1 switches to the personal login mode.
S804: end.
In the above embodiment, the system comprises a server M10, multiple hotspots M20 providing the personal or enterprise login mode, and multiple user terminals M30. Figure 14 is a schematic diagram of the system modules, described as follows:
Server M10 comprises: user registration unit M101, hotspot registration unit M102, relationship management unit M103, session management unit M104, identity authentication unit M105, authentication communication unit M106, handshake communication unit M107, data management unit M108, and message transceiving unit M109.
Handshake communication unit M107 comprises: key management unit M107a, key encryption unit M107b, and random number generation unit M107c.
Hotspot M20 comprises: signal broadcast unit M201, session management unit M202, identity authentication unit M203, handshake communication unit M204, data management unit M205, message transceiving unit M206, and hotspot login mode switching unit M207.
Handshake communication unit M204 comprises: key management unit M204a, random number generation unit M204b, and integrity code generation unit M204c.
Terminal M30 comprises: signal search unit M301, label extraction unit M302, user registration unit M303, hotspot registration unit M304, relationship management unit M305, session management unit M306, identity authentication unit M307, authentication communication unit M308, handshake communication unit M309, data management unit M310, and message transceiving unit M311.
Terminal handshake communication unit M309 comprises: key management unit M309a, key decryption unit M309b, random number generation unit M309c, and integrity code generation unit M309d.
The user registration units M101 and M303 of server M10 and terminal M30 exchange messages through message transceiving units M109 and M311 to perform the user registration process.
The hotspot registration units M102 and M304 of server M10 and terminal M30 exchange messages through message transceiving units M109 and M311 to perform the hotspot registration process.
The signal broadcast unit M201 of hotspot M20 and the signal search unit M301 of terminal M30 broadcast and receive hotspot information, respectively.
The label extraction unit M302 of terminal M30 extracts labels from the SSIDs of nearby hotspots.
The relationship management units M103 and M305 of server M10 and terminal M30 exchange messages through message transceiving units M109 and M311 to perform the establishment and deletion of contact relationships and the synchronization of contact information.
The session management units M104, M202 and M306 of any two of server M10, hotspot M20 and terminal M30 exchange messages through message transceiving units M109, M206 and M311 to perform session establishment, maintenance and termination. At the start of a session, the identity authentication units M105, M203 and M307 of the two communicating parties verify each other's identity.
The authentication communication units M106 and M308 of server M10 and terminal M30 exchange messages through message transceiving units M109 and M311 to perform the authentication communication process during a login request in the enterprise mode. During authentication communication, the identity authentication units M105 and M307 of the two communicating parties verify each other's identity, and the message transceiving unit M206 of hotspot M20 forwards the messages between server M10 and terminal M30. During a session and during the authentication communication of a hotspot login request, the user may authenticate with the server using the same account and password, or using two different sets of accounts and passwords. In the present embodiment, the user authenticates with the server using the same account and password.
The handshake communication units M107, M204 and M309 of server M10, hotspot M20 and terminal M30 exchange messages through message transceiving units M109, M206 and M311 to perform the handshake communication process.
In the personal login process, the key management units M107a and M204a of server M10 and hotspot M20 generate the temporary key PTK from the pre-shared key PSK; the key encryption unit M107b of server M10 then encrypts the PTK and sends the ciphertext of the PTK to terminal M30 through message transceiving unit M109, and the key decryption unit M309b of terminal M30 decrypts it to obtain the plaintext PTK.
In the enterprise login process, the key management unit M107a of server M10 sends the master key PMK to hotspot M20 through message transceiving unit M109, and the key management units M204a and M309a of hotspot M20 and terminal M30 generate the temporary key PTK from the PMK.
The random number generation units M107c, M204b and M309c of server M10, hotspot M20 and terminal M30 generate random numbers.
The integrity code generation units M204c and M309d of hotspot M20 and terminal M30 generate integrity codes.
The data management units M108, M205 and M310 of server M10, hotspot M20 and terminal M30 perform lookup, insertion, deletion and update of the related data tables. The data tables may be managed as text files or in a database; in the present embodiment, the server, hotspot and terminal manage their data tables in a database.
The hotspot login mode switching unit M207 of hotspot M20 monitors the communication conditions between the hotspot and the server in real time and switches or maintains the hotspot's login mode according to the congestion state of the communication.
In the present invention, the pre-shared key PSK of each hotspot is disclosed only to that hotspot and to the server; a user cannot derive the pre-shared key PSK from the information obtained during use, and a user logs in to a hotspot operating in either login mode with the account and password registered on the server. The proposed method effectively improves the convenience and security of users logging in to hotspots.

Claims (8)

1. A secure login method for a WiFi hotspot, characterized in that the method involves a server located on the Internet, multiple hotspots { AP1, AP2, APj, ... } providing the personal or enterprise login mode, and multiple terminals { M1, M2, Mi, ... } each equipped with at least one WiFi network interface and at least one mobile network interface; a user accesses the Internet by logging in to a nearby hotspot through the WiFi network interface of the terminal, and obtains the information for logging in to the WiFi hotspot through the WiFi network interface or the mobile network interface of the terminal; the method specifically comprises:
(1) a user performs user registration on the server through a terminal, and a user registers a hotspot account on the server through a terminal;
The process by which a user performs user registration on the server through a terminal is: user Alice sends a request to register a user account to the server through terminal Mi; the server registers the account for user Alice and returns the registration result to terminal Mi;
The process by which a user registers a hotspot account on the server through a terminal is: user Alice sends a request to register a hotspot account to the server through terminal Mi; the server generates the label of hotspot APj and registers an account for APj, then returns the registration result, which includes the label of hotspot APj, to terminal Mi;
(2) user Alice requests to log in to a hotspot through a terminal, the detailed process being as follows:
(21) user Alice obtains nearby hotspot information and generates a hotspot list through terminal Mi; user Alice examines the information of the nearby hotspots according to the hotspot list and selects hotspot APj;
(22) terminal Mi performs personal or enterprise login according to the login mode provided by hotspot APj;
In the personal login process, user Alice, hotspot APj and the server are pairwise in session, the server and hotspot APj jointly hold a pre-shared key PSK, and the process by which user Alice requests to log in to hotspot APj through terminal Mi is as follows:
(201) hotspot APj generates a random number Anonce and sends the first handshake message to terminal Mi;
(202) terminal Mi forwards the first handshake message of hotspot APj to the server;
(203) the server verifies whether at least one of all owners of hotspot APj is user Alice or one of her contacts; if verified, jump to step (204), otherwise terminate Alice's login request;
(204) the server generates a random number Bnonce and uses the pre-shared key PSK to generate a temporary key PTK, then encrypts Bnonce and the PTK with user Alice's password and sends the ciphertext to terminal Mi;
(205) terminal Mi decrypts the ciphertext with user Alice's password to obtain the random number Bnonce and the temporary key PTK, then sends the second handshake message to hotspot APj;
(206) hotspot APj uses the pre-shared key PSK to generate a temporary key PTK and verifies whether the locally generated PTK is identical to the terminal's PTK; if identical, jump to step (207), otherwise terminate user Alice's login request;
(207) hotspot APj and terminal Mi perform the third and fourth handshake communication steps of the 4-Way Handshake protocol used in the traditional WPA-Personal and WPA-Enterprise login modes to complete the process of the terminal logging in to the hotspot;
In the enterprise login process, user Alice, hotspot APj and the server are pairwise in session, and the process by which user Alice logs in to hotspot APj through terminal Mi is as follows:
(211) user Alice sends an authentication request to hotspot APj through terminal Mi;
(212) hotspot APj forwards user Alice's authentication request to the server;
(213) the server and user Alice mutually verify each other's identity and also verify whether the labels of hotspot APj known to each of them agree; if verified, jump to step (214), otherwise terminate Alice's hotspot login request;
(214) the server verifies whether at least one of all owners of hotspot APj is user Alice or one of her contacts; if verified, jump to step (215), otherwise terminate Alice's hotspot login request;
(215) the server and terminal Mi negotiate to each generate a master key PMK, then the server sends the master key PMK to hotspot APj;
(216) hotspot AP1 and terminal M1 perform the handshake communication process of the 4-Way Handshake protocol used in the traditional WPA-Personal and WPA-Enterprise login modes to complete the process of the terminal logging in to the hotspot.
2. The secure login method for a WiFi hotspot according to claim 1, characterized in that in step (21) the detailed process by which user Alice obtains nearby hotspot information and generates the hotspot list through terminal Mi is:
(21a) user Alice searches for the broadcast signals of nearby hotspots through terminal Mi and generates the hotspot list from the hotspot information obtained from the signals;
(21b) terminal Mi scans the hotspot list and extracts the hotspot label from the SSID of each hotspot in turn;
(21c) user Alice selects one or more hotspots from the hotspot list and sends a request to obtain hotspot information to the server through terminal Mi; the request includes the labels of these hotspots;
(21d) the server looks up the owner accounts, owner numbers, owner nicknames and other information of the relevant hotspots according to the hotspot labels and returns the query result to terminal Mi; the owner number is a character string generated by the system to identify the different owners of the same hotspot.
3. The secure login method for a WiFi hotspot according to claim 2, characterized in that in step (21d) the server checks in turn whether each owner of the relevant hotspot is Alice or one of her contacts; if so, the server sends the owner's account to the terminal, otherwise the server sends the owner's number to the terminal; the owner number is a character string generated by the system to identify the different owners of the same hotspot.
4. The secure login method for a WiFi hotspot according to any one of claims 1 to 3, characterized in that in the login method a hotspot initially adopting the enterprise login mode can automatically switch to the personal login mode, as follows: if the hotspot detects that the communication between itself and the server is congested, it switches to the personal login mode; otherwise it maintains or switches back to the enterprise login mode.
5. The secure login method for a WiFi hotspot according to claim 4, characterized in that, while users Alice and Bob and the server are in session, the process by which user Alice requests the server through a terminal to add Bob, an owner of hotspot APj, as a contact is as follows:
(1a) user Alice selects hotspot APj from the hotspot list of terminal Mi and selects one of the owners of hotspot APj who are not her contacts, then sends a request to add this owner as a contact to the server through terminal Mi; the request includes the label of hotspot APj and the number of the owner;
(1b) the server uses the label of hotspot APj and the number of the owner received in step (1a) to learn that this owner is Bob, and then forwards user Alice's request to the terminal Mj used by user Bob;
(1c) if user Bob agrees to add user Alice as a contact, jump to step (1d); otherwise terminate the process of Alice requesting to add Bob as a contact;
(1d) user Bob sends a message agreeing to establish a contact relationship with user Alice to the server;
(1e) the server establishes the contact relationship between users Alice and Bob and sends a message that the contact relationship has been successfully established to terminals Mi and Mj respectively, where i ≠ j.
6. The secure login method for a WiFi hotspot according to claim 4, characterized in that, while users Alice and Bob and the server are in session, the process by which Alice requests the server through terminal Mi to delete contact Bob is as follows:
(1) user Alice sends a request to delete contact Bob to the server through terminal Mi;
(2) the server removes the contact relationship between users Alice and Bob and sends a message that the contact relationship has been successfully removed to terminal Mi and to the terminal Mj used by user Bob respectively, where i ≠ j.
7. The secure login method for a WiFi hotspot according to claim 2, characterized in that the hotspot label is a character string generated by the server to identify different hotspots, and hotspot labels are globally unique; the label of a hotspot and its CSSID together form the SSID of the hotspot, where the CSSID is a user-defined character string.
8. A secure login system for a WiFi hotspot, characterized in that the system comprises a server, multiple hotspots providing the personal or enterprise login service, and multiple terminals for users;
The server comprises:
a server user registration unit, which registers users;
a server hotspot registration unit, which registers hotspots;
a server relationship management unit, which adds and deletes contacts;
a server session management unit, which establishes, maintains and terminates sessions between the server and hotspots or users;
a server identity authentication unit, which mutually verifies identity with a user or hotspot during a session or during a login request;
a server authentication communication unit, which carries out authentication communication with a user during a login request;
a server handshake communication unit, which carries out handshake communication with a hotspot and a terminal during a login request;
a server data management unit, which processes the contents of the server data tables, including lookup, insertion, deletion and update;
a server message transceiving unit, which sends and receives messages to and from hotspots or terminals;
The server handshake communication unit specifically comprises:
a server key management module, which stores, generates and distributes pre-shared keys, master keys and temporary keys as required;
a server key encryption module, which encrypts temporary keys;
a server random number generation module, which generates random numbers;
The hotspot comprises:
a hotspot signal broadcast unit, which broadcasts the hotspot information of SSID and login mode;
a hotspot session management unit, which establishes, maintains and terminates sessions between the hotspot and the server or users;
a hotspot identity authentication unit, which mutually verifies identity with the server or a user during a session;
a hotspot handshake communication unit, which carries out handshake communication with a user and the server during a login request;
a hotspot data management unit, which processes the contents of the hotspot data tables, including lookup, insertion, deletion and update;
a hotspot message transceiving unit, which sends and receives messages to and from the server or terminals;
a hotspot login mode switching unit, which maintains or switches the login mode of the hotspot according to the communication state with the server;
The hotspot handshake communication unit specifically comprises:
a hotspot key management module, which stores and generates pre-shared keys, master keys and temporary keys as required;
a hotspot random number generation module, which generates random numbers;
a hotspot integrity code generation module, which generates integrity codes;
The terminal for a user comprises:
a terminal signal search unit, which searches for the signals broadcast by nearby hotspots;
a terminal label extraction unit, which extracts labels from the SSIDs of the nearby hotspots found;
a terminal user registration unit, which requests user registration;
a terminal hotspot registration unit, which requests hotspot registration;
a terminal relationship management unit, which requests the addition and deletion of contacts;
a terminal session management unit, which establishes, maintains and terminates sessions between the user and the server or hotspots;
a terminal identity authentication unit, which mutually verifies identity with the server or a hotspot during a session and during a login request;
a terminal authentication communication unit, which carries out authentication communication with the server during a login request;
a terminal handshake communication unit, which carries out handshake communication with hotspots and the server during a login request;
a terminal data management unit, which processes the contents of the terminal data tables, including lookup, insertion, deletion and update;
a terminal message transceiving unit, which sends and receives messages to and from the server or hotspots;
Described terminal handshake communication unit specifically comprises:
Terminal key administration module, stores as required, generates wildcard, master key and temporary key;
Terminal key deciphering module, deciphering temporary key;
Terminal random number generation module, generates random number;
Endpoint integrity coding generation module, generates Integrity Code.
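As an added illustration of claim 7 and of the terminal label extraction unit in claim 8 (example code written for this page, not part of the patent): the server issues globally unique labels, the hotspot composes its SSID from a CSSID and that label, and the terminal parses the label back out and checks it against the server before any handshake starts. The separator, label length, label alphabet and the direct server lookup are assumptions; the patent fixes none of them.

```python
import secrets
import string

SSID_MAX_BYTES = 32                      # IEEE 802.11 limit on an SSID
LABEL_LEN = 8                            # assumed: fixed-length labels
LABEL_ALPHABET = string.ascii_uppercase + string.digits   # assumed label alphabet
DELIM = "-"                              # assumed: separator between CSSID and label


class LabelServer:
    """Server hotspot registration unit: issues globally unique labels (claim 7)."""

    def __init__(self):
        self._issued = {}                # label -> registered hotspot owner

    def register_hotspot(self, owner):
        # Draw random labels until one is unused; the registry guarantees uniqueness.
        while True:
            label = "".join(secrets.choice(LABEL_ALPHABET) for _ in range(LABEL_LEN))
            if label not in self._issued:
                self._issued[label] = owner
                return label

    def owner_of(self, label):
        """Return the owner of a registered label, or None if it was never issued."""
        return self._issued.get(label)


def build_ssid(cssid, label):
    """Hotspot side: SSID = CSSID + delimiter + label (claim 7), kept within 32 bytes."""
    if DELIM in cssid:
        raise ValueError("CSSID must not contain the delimiter")
    ssid = f"{cssid}{DELIM}{label}"
    if len(ssid.encode("utf-8")) > SSID_MAX_BYTES:
        raise ValueError("SSID exceeds 32 bytes; shorten the CSSID")
    return ssid


def extract_label(ssid):
    """Terminal label extraction unit: recover the label, or None if absent or malformed."""
    _cssid, sep, label = ssid.rpartition(DELIM)
    if not sep or len(label) != LABEL_LEN or any(c not in LABEL_ALPHABET for c in label):
        return None                      # not an SSID of this scheme
    return label


def candidate_hotspots(server, scanned_ssids):
    """Terminal side: keep only scanned SSIDs whose label the server actually issued.

    Malformed or unregistered labels are dropped before any handshake, so an SSID
    that merely imitates the scheme never enters the login procedure.
    """
    accepted = {}
    for ssid in scanned_ssids:
        label = extract_label(ssid)
        if label is not None and server.owner_of(label) is not None:
            accepted[ssid] = label
    return accepted
```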
Application CN201510043780.2A, priority date 2015-01-28, filing date 2015-01-28: "The safe login method and system of Wi-Fi hotspot", status Active, granted as CN104735052B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201510043780.2A (granted as CN104735052B) | 2015-01-28 | 2015-01-28 | The safe login method and system of Wi-Fi hotspot

Publications (2)

Publication Number Publication Date
CN104735052A true CN104735052A (en) 2015-06-24
CN104735052B CN104735052B (en) 2017-12-08

Family

ID=53458487

Country Status (1)

Country Link
CN (1) CN104735052B (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105050086A (en) * 2015-07-23 2015-11-11 广东顺德中山大学卡内基梅隆大学国际联合研究院 Method for terminal to log in Wifi hotspot
CN105050089A (en) * 2015-08-21 2015-11-11 深圳市九洲电器有限公司 Wireless network login verification method and system
CN105357181A (en) * 2015-09-29 2016-02-24 广东顺德中山大学卡内基梅隆大学国际联合研究院 Method for monitoring Wi-Fi label through multiple terminals
CN105554014A (en) * 2015-12-30 2016-05-04 联想(北京)有限公司 Wireless network login method and first electronic device
CN105763318A (en) * 2016-01-29 2016-07-13 杭州华三通信技术有限公司 Pre-shared key obtaining method, pre-shared key distribution method and pre-shared key distribution device
CN106028328A (en) * 2016-05-19 2016-10-12 徐美琴 NFC-based hotspot authentication method
CN106101058A (en) * 2016-05-19 2016-11-09 郑建钦 A kind of hot information processing method based on Quick Response Code
CN106714158A (en) * 2015-08-18 2017-05-24 中国移动通信集团公司 WiFi access method and device
CN106776094A (en) * 2016-12-12 2017-05-31 郑州云海信息技术有限公司 A kind of tgtd method of servicing, device and client
CN106982189A (en) * 2016-01-18 2017-07-25 天津赞普科技股份有限公司 Universal code key chain authentication mechanism for business WiFi
CN107979594A (en) * 2017-11-21 2018-05-01 重庆邮电大学 It is a kind of based on prime factorization verification stricks precaution WLAN break association attack method
CN108616884A (en) * 2016-11-30 2018-10-02 上海掌门科技有限公司 Method and apparatus for wireless access point connection
CN110087240A (en) * 2019-03-28 2019-08-02 中国科学院计算技术研究所 Wireless network secure data transmission method and system based on WPA2-PSK mode
CN111768162A (en) * 2019-04-02 2020-10-13 上海观创智能科技有限公司 Enterprise office management system and method
CN112702776A (en) * 2020-12-15 2021-04-23 锐捷网络股份有限公司 Method for realizing wireless terminal access to wireless local area network and wireless access point

Also Published As

Publication number Publication date
CN104735052B (en) 2017-12-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Eleven patent licensing contracts have been recorded under code EE01. All of them share the application publication date 20150624, the assignor SUN YAT-SEN University, the granted publication date 20171208 and the license type Common License; they differ as follows:

Assignee | Contract record no. | Record date | Denomination of invention
Yunnan Hongxin Technology Co.,Ltd. | X2023420000297 | 20230817 | Secure login methods and systems for WiFi hotspots
ANHUI YUNSEN INTERNET OF THINGS TECHNOLOGY Co.,Ltd. | X2023980053524 | 20231221 | Security login methods and systems for WiFi hotspots
GUANGZHOU RISHUN ELECTRONIC TECHNOLOGY Co.,Ltd. | X2023980053975 | 20231225 | Security login methods and systems for WiFi hotspots
GUANGDONG TECSUN TECHNOLOGY Co.,Ltd. | X2023980054607 | 20231229 | Security login methods and systems for WiFi hotspots
Huanyi (Guangdong) emergency safety Technology Group Co.,Ltd. | X2023980054606 | 20231229 | Security login methods and systems for WiFi hotspots
SHENZHEN RONGSHENG INTELLIGENT EQUIPMENT Co.,Ltd. | X2023980054616 | 20231229 | Security login methods and systems for WiFi hotspots
Guangzhou Kangpusi Network Technology Co.,Ltd. | X2023980054833 | 20240104 | Security login methods and systems for WiFi hotspots
Guangdong Digital Smart City Technology Co.,Ltd. | X2023980054832 | 20240104 | Security login methods and systems for WiFi hotspots
Guangdong Runyu Information Technology Co.,Ltd. | X2023980054831 | 20240104 | Security login methods and systems for WiFi hotspots
Hefei Baihe Intelligent Technology Co.,Ltd. | X2024980000442 | 20240110 | Security login methods and systems for WiFi hotspots
Guangzhou Love Time Information Technology Co.,Ltd. | X2024980002510 | 20240306 | Security login methods and systems for WiFi hotspots