Summary of the invention
To solve the above problems, the present invention first provides a safe and reliable login method for a Wi-Fi hotspot.
A further object of the present invention is to propose a safe and reliable login system for a Wi-Fi hotspot.
To solve the above technical problem, the technical scheme is as follows:
A secure login method for a Wi-Fi hotspot. The method involves a server SVR located on the Internet, multiple hotspots {AP1, AP2, ..., APj, ...} that provide a personal or enterprise login mode, and multiple terminals {M1, M2, ..., Mi, ...} each equipped with a WiFi network interface and a mobile network interface (such as 3G, 4G, etc.). A user can access the Internet either by logging in to a nearby hotspot through the terminal's WiFi network interface or through the terminal's mobile network interface.
In this login method, any two of user, hotspot and server exchange information through a session. At the start of a session the two communicating parties mutually authenticate each other's identity and generate a credential for the session; the credential is used to sign the information exchanged during the session. One user may use multiple terminals to establish multiple sessions with the server or a hotspot, and multiple users may each establish a session with the server or a hotspot through a single terminal.
The secure login method for a Wi-Fi hotspot specifically includes:
(1) The user registers a user account on the server through a terminal, and registers a hotspot account on the server through a terminal.
The process by which a user registers a user account on the server through a terminal is: user Alice sends a request to register a user account to the server through terminal Mi; the server registers the account for Alice and returns the registration result to terminal Mi.
The process by which a user registers a hotspot account on the server through a terminal is: user Alice sends a request to register a hotspot account to the server through terminal Mi; the server generates a label for hotspot APj and registers the account for APj, then returns the registration result, which includes the label of APj, to terminal Mi.
(2) User Alice requests to log in to a hotspot through a terminal; the detailed process is as follows:
(21) User Alice obtains information about nearby hotspots through terminal Mi and generates a hotspot list; Alice checks the information of the nearby hotspots in the list and selects hotspot APj;
(22) The terminal selects and performs the personal or enterprise login process according to the login mode provided by hotspot APj.
In the personal login process, user Alice, hotspot APj and the server are pairwise in session, and the server and hotspot APj jointly hold a pre-shared key PSK. The process by which Alice requests to log in to hotspot APj through terminal Mi is as follows:
(201) Hotspot APj generates a random number Anonce and sends the first handshake message to terminal Mi;
(202) Terminal Mi forwards the first handshake message of hotspot APj to the server;
(203) The server verifies whether at least one of all owners of hotspot APj is user Alice or one of her contacts; if the verification passes, jump to step (204), otherwise terminate Alice's login request;
(204) The server generates a random number Bnonce and generates a temporary key PTK using the pre-shared key PSK, then encrypts Bnonce and PTK with user Alice's password and sends the ciphertext to terminal Mi;
(205) Terminal Mi decrypts the ciphertext with user Alice's password to obtain the random number Bnonce and the temporary key PTK, then sends the second handshake message to hotspot APj;
(206) Hotspot APj generates a temporary key PTK using the pre-shared key PSK and verifies whether the locally generated PTK is identical to the terminal's PTK; if identical, jump to step (207), otherwise terminate Alice's login request;
(207) Hotspot APj and terminal Mi perform the third and fourth handshake communications of the four-way handshake protocol of the conventional WPA personal and enterprise login modes, completing the process of the terminal logging in to the hotspot.
In the enterprise login process, user Alice, hotspot APj and the server are pairwise in session. The process by which Alice logs in to hotspot APj through terminal Mi is as follows:
(211) User Alice sends an authentication request to hotspot APj through terminal Mi;
(212) Hotspot APj forwards Alice's authentication request to the server;
(213) The server and user Alice mutually verify each other's identity and verify whether the label of hotspot APj known to each of them is consistent; if the verification passes, jump to step (214), otherwise terminate Alice's login request;
(214) The server verifies whether at least one of all owners of hotspot APj is user Alice or one of her contacts; if the verification passes, jump to step (215), otherwise terminate Alice's login request;
(215) The server and terminal Mi negotiate so that each generates the master key PMK, and the server then sends the master key PMK to hotspot APj;
(216) Hotspot AP1 and terminal M1 perform the handshake communication of the four-way handshake protocol of the conventional WPA personal and enterprise login modes, completing the process of the terminal logging in to the hotspot.
When registering a user account, user Alice must submit basic information such as the user's account, password and nickname to server SVR, and may also submit other information such as the user's sex, age and contact method as needed; the user account is globally unique.
When registering a hotspot account, user Alice must submit basic information such as the hotspot's account, password and pre-shared key PSK to server SVR, and may also submit other information such as the hotspot's manufacturer as needed; the hotspot account is globally unique.
Each user may register one or more hotspots on the server and is called the custodian of those hotspots. After a hotspot has been successfully registered, the user may add one or more owners on the server for the hotspot he or she manages; the custodian of a hotspot is also one of the owners of the hotspot he or she manages.
Preferably, in step (21), the detailed process by which user Alice obtains nearby hotspot information through terminal Mi and generates the hotspot list is:
(21a) User Alice searches for the broadcast signals of nearby hotspots through terminal Mi, obtains hotspot information such as the SSID and login mode from the signals, and generates the hotspot list;
(21b) Terminal Mi scans the hotspot list and extracts the hotspot label from the SSID of each hotspot in turn;
(21c) User Alice selects one or more hotspots from the hotspot list and sends a request to obtain hotspot information to the server through terminal Mi; the request includes the labels of these hotspots;
(21d) The server looks up the owner accounts, owner numbers, owner nicknames and other information of the relevant hotspots according to the hotspot labels and returns the query result to terminal Mi; the owner number is a character string generated by the system to identify the different owners of the same hotspot.
Preferably, in step (21d), the server checks in turn whether each owner of the relevant hotspot is Alice or one of her contacts; if so, the owner's account is sent to the terminal, otherwise the server sends the owner's number to the terminal. The owner number is a character string generated by the system to identify the different owners of the same hotspot.
Preferably, in the login method, a hotspot that initially uses the enterprise login mode can automatically switch to the personal login mode, as follows: if the hotspot detects congestion in its communication with the server, for example from parameters such as delay and packet loss, it switches to the personal login mode; otherwise it maintains, or switches back to, the enterprise login mode.
Preferably, with users Alice and Bob both in session with the server, the process by which user Alice requests the server through a terminal to add Bob, an owner of hotspot APj, as a contact is as follows:
(1a) User Alice selects hotspot APj from the hotspot list of terminal Mi and selects one of the owners of APj who are not her contacts, then sends a request to add that owner as a contact to the server through terminal Mi; the request includes the label of hotspot APj and the number of the owner;
(1b) Using the label of hotspot APj and the owner number received in step (1a), the server learns that the owner is Bob, and then forwards Alice's request to terminal Mj used by user Bob;
(1c) If user Bob refuses to add user Alice as a contact, the process of Alice requesting to add Bob as a contact is terminated; otherwise jump to step (1d);
(1d) User Bob sends the server a message agreeing to establish a contact relationship with user Alice;
(1e) The server establishes the contact relationship between Alice and Bob and sends messages that the contact relationship has been successfully established to terminals Mi and Mj respectively; here i ≠ j.
Preferably, with users Alice and Bob both in session with the server, the process by which user Alice requests the server through terminal Mi to delete contact Bob is as follows:
(1) User Alice sends a request to delete contact Bob to the server through terminal Mi;
(2) The server releases the contact relationship between Alice and Bob and sends messages that the contact relationship has been successfully released to terminal Mi and to terminal Mj used by user Bob respectively; here i ≠ j.
Preferably, the hotspot label is a character string generated by the server to identify different hotspots, and hotspot labels are globally unique. The label of a hotspot together with its CSSID (customized service set identifier) forms the SSID of the hotspot, where the CSSID is a customized character string; the CSSIDs of different hotspots may be the same or different.
A secure login system for a Wi-Fi hotspot. The system includes a server, multiple hotspots that provide a personal or enterprise login service, and multiple terminals for use by users.
The server includes:
a server user registration unit, which registers users;
a server hotspot registration unit, which registers hotspots;
a server contact management unit, which adds and deletes contacts;
a server session management unit, which establishes, maintains and logs off sessions between the server and hotspots or users;
a server identity authentication unit, which mutually authenticates identity with a user or a hotspot during a session or a login request;
a server authentication communication unit, which carries out authentication communication with a user during a login request;
a server handshake communication unit, which carries out handshake communication with a hotspot and a terminal during a login request;
a server data management unit, which handles the contents of the server data tables, including lookup, addition, deletion and update;
a server message transceiver unit, which sends and receives messages between the server and hotspots or terminals.
The server handshake communication unit specifically includes:
a server key management module, which stores, generates and distributes the pre-shared key, master key and temporary key on demand;
a server key encryption module, which encrypts the temporary key;
a server random number generation module, which generates random numbers.
The hotspot includes:
a hotspot signal broadcast unit, which broadcasts hotspot information such as the SSID and login mode;
a hotspot session management unit, which establishes, maintains and logs off sessions between the hotspot and the server or users;
a hotspot identity authentication unit, which mutually authenticates identity with the server or a user during a session;
a hotspot handshake communication unit, which carries out handshake communication with a user and the server during a login request;
a hotspot data management unit, which handles the contents of the hotspot data tables, including lookup, addition, deletion and update;
a hotspot message transceiver unit, which sends and receives messages between the hotspot and the server or terminals;
a hotspot login mode switching unit, which maintains or switches the login mode of the hotspot according to the communication status with the server.
The hotspot handshake communication unit specifically includes:
a hotspot key management module, which stores and generates the pre-shared key, master key and temporary key on demand;
a hotspot random number generation module, which generates random numbers;
a hotspot integrity code generation module, which generates the message integrity code.
The terminal for use by users includes:
a terminal signal search unit, which searches for the signals broadcast by nearby hotspots;
a terminal label extraction unit, which extracts labels from the SSIDs of the nearby hotspots found;
a terminal user registration unit, which requests user registration;
a terminal hotspot registration unit, which requests hotspot registration;
a terminal contact management unit, which requests the addition and deletion of contacts;
a terminal session management unit, which establishes, maintains and logs off sessions between the user and the server or hotspots;
a terminal identity authentication unit, which mutually authenticates identity with the server or a hotspot during a session or a login request;
a terminal authentication communication unit, which carries out authentication communication with the server during a login request;
a terminal handshake communication unit, which carries out handshake communication with a hotspot and the server during a login request;
a terminal data management unit, which handles the contents of the terminal data tables, including lookup, addition, deletion and update;
a terminal message transceiver unit, which sends and receives messages between the terminal and the server or hotspots.
The terminal handshake communication unit specifically includes:
a terminal key management module, which stores and generates the pre-shared key, master key and temporary key on demand;
a terminal key decryption module, which decrypts the temporary key;
a terminal random number generation module, which generates random numbers;
a terminal integrity code generation module, which generates the message integrity code.
Compared with the prior art, the present invention embeds a globally unique label in the SSID of each hotspot; the server uses this label as the key clue for looking up the description information of the hotspot, and the user identifies nearby hotspots from the hotspot description information sent by the server. A contact relationship is established between the user requesting to log in to a hotspot and the owner of the hotspot, so that a user can use the account and password registered on the server to log in to all hotspots of which he or she, or one of his or her contacts, is an owner. The server on the Internet safeguards the pre-shared key and uses it to generate the temporary key needed by the user in the personal login mode, and the user's terminal carries out the handshake communication with the hotspot using the temporary key distributed by the server, which reduces the possibility of the pre-shared key being leaked or cracked. A user can log in to a hotspot operating in any login mode with the account and password registered on the server; a hotspot can switch arbitrarily between login modes as needed, and the whole switching process is transparent to the user. The present invention is compatible with the relevant IEEE 802.11 standard protocols, is easy to implement and is secure.
The beneficial effects of the present invention are:
Simple operation: through a terminal the user can quickly log in to all hotspots of which he or she, or one of his or her contacts, is an owner, and the whole login process is highly automated.
Ease of use: the user can log in to a hotspot operating in any login mode with the account and password registered on the server; a hotspot can switch arbitrarily between login modes as needed, and the whole switching process is transparent to the user.
Safety and reliability: in the personal login mode, the server on the Internet uses the pre-shared key to generate the temporary key needed by the user requesting to log in to the hotspot, and it is difficult for a third party to obtain and crack the pre-shared key held on the server; a globally unique label is embedded in the SSID of the hotspot, and the server verifies the authenticity of the hotspot requested by the user according to the label.
Embodiments
The present invention is further described below with reference to the accompanying drawings, but embodiments of the present invention are not limited thereto.
As shown in Figure 1, terminal M1 of user Alice is located within the wireless and mobile signal coverage of hotspot AP1 and base station BS1, terminal M2 of user Bob is located within the signal coverage of hotspot AP2 and base station BS2, Bob is an owner of hotspot AP1, and none of the owners of AP1 is Alice or one of her contacts.
In the login method, with users Alice and Bob both in session with server SVR, the process by which Alice requests SVR through terminal M1 to add Bob, an owner of hotspot AP1, as a contact is as follows:
(1) User Alice selects hotspot AP1 from the hotspot list of terminal M1 and selects one of the owners of AP1 who are not her contacts, then sends a request to add that owner as a contact to server SVR through M1; the request includes the label of AP1 and the number of the owner;
(2) Using the label of AP1 and the owner number received in step (1), server SVR learns that the owner is Bob, and then forwards Alice's request to terminal M2 used by user Bob;
(3) If user Bob refuses to add user Alice as a contact, the process of Alice requesting to add Bob as a contact is terminated;
(4) User Bob sends server SVR a message agreeing to establish a contact relationship with user Alice;
(5) Server SVR establishes the contact relationship between Alice and Bob and sends messages that the contact relationship has been successfully established to terminals M1 and M2 respectively.
In the login method, with users Alice and Bob both in session with server SVR, the process by which Alice requests server SVR through terminal M1 to delete contact Bob is as follows:
(1) User Alice sends a request to delete contact Bob to server SVR through terminal M1;
(2) Server SVR releases the contact relationship between Alice and Bob and sends messages that the contact relationship has been successfully released to terminals M1 and M2 respectively.
In the login method, the process by which user Alice requests to log in to hotspot AP1 through terminal M1 is as follows:
(1) User Alice checks the information of nearby hotspots in the hotspot list of terminal M1 and selects hotspot AP1;
(2) Terminal M1 selects and performs the personal or enterprise login process according to the login mode provided by hotspot AP1.
In the personal login process, user Alice, hotspot AP1 and server SVR are pairwise in session, and SVR and AP1 jointly hold a pre-shared key PSK. The process by which Alice requests to log in to AP1 through terminal M1 is as follows:
(1) Hotspot AP1 sends the first handshake message to terminal M1;
(2) Terminal M1 forwards the first handshake message of hotspot AP1 to server SVR;
(3) Server SVR verifies whether at least one of all owners of hotspot AP1 is Alice or one of her contacts; if the verification fails, Alice's login request is terminated;
(4) Server SVR generates a temporary key PTK using the pre-shared key PSK, then encrypts the PTK with user Alice's password and sends the ciphertext to M1;
(5) Terminal M1 decrypts the ciphertext with Alice's password to obtain the temporary key PTK, then sends the second handshake message to hotspot AP1;
(6) Hotspot AP1 generates a temporary key PTK using the pre-shared key PSK and verifies whether the locally generated PTK is identical to the terminal's PTK; if not, Alice's login request is terminated;
(7) Hotspot AP1 and terminal M1 perform the third and fourth handshake communications of the four-way handshake protocol of the conventional WPA personal and enterprise login modes, completing the process of the terminal logging in to the hotspot.
In steps (2) and (4) of the above process, terminal M1 and server SVR can exchange messages via hotspot AP1 through M1's WiFi network interface, or exchange messages through M1's mobile network interface.
As shown in Figures 3 and 4, unlike the conventional WPA personal login mode, the personal login process of the present invention keeps the PSK on the server side and sends the generated PTK to the terminal, rather than keeping the PSK and generating the PTK on the terminal.
In the enterprise login process, user Alice, hotspot AP1 and server SVR are pairwise in session. The process by which Alice logs in to AP1 through terminal M1 is as follows:
(1) User Alice sends an authentication request to hotspot AP1 through terminal M1;
(2) Hotspot AP1 forwards Alice's authentication request to server SVR;
(3) Server SVR and user Alice mutually verify each other's identity and verify whether the label of AP1 known to each of them is consistent; if the verification fails, Alice's login request is terminated.
In this step, hotspot AP1 and server SVR are in session, so SVR knows the account and label of AP1; the label of AP1 known to Alice is the one that M1 obtained from the SSID of AP1 that it found.
(4) Server SVR verifies whether at least one of all owners of hotspot AP1 is Alice or one of her contacts; if the verification fails, the process of Alice requesting to log in to hotspot AP1 is terminated;
(5) Server SVR and terminal M1 negotiate so that each generates the master key PMK, and SVR then sends the PMK to hotspot AP1.
In this step, server SVR and terminal M1 must forward their communication messages via hotspot AP1 to negotiate and generate the PMK; after this step is completed, terminal M1 and hotspot AP1 both hold the PMK.
(6) Hotspot AP1 and terminal M1 perform the handshake communication of the four-way handshake protocol of the conventional WPA personal and enterprise login modes, completing the process of the terminal logging in to the hotspot.
In the login method, hotspot AP1, which initially uses the enterprise login mode, can automatically switch to the personal login mode, as follows:
(1) If hotspot AP1 detects congestion in its communication with server SVR, for example from parameters such as delay and packet loss, it switches to the personal login mode; otherwise it maintains, or switches back to, the enterprise login mode.
In the above embodiment, users and terminals are in one-to-one correspondence, i.e. each user uses only one terminal and each terminal belongs to only one user. Hereinafter, "user terminal" and "terminal user" respectively denote a terminal and a user satisfying this correspondence.
In the above embodiment, the data tables of the server, the hotspot and the user terminal are as shown in Figure 5 and are described in detail below:
The data tables D10 of the server include:
User table D101: records the information of all users, including fields such as {user account, user password, user nickname, other user information}; the user account is globally unique.
Hotspot table D102: records the information of all hotspots, including fields such as {hotspot account, hotspot password, hotspot label, hotspot owner account, hotspot owner number, hotspot owner nickname, other hotspot information}; the hotspot account is globally unique, the numbers of different owners of the same hotspot are different, and the hotspot owner account, number and nickname fields contain the account, number and nickname information of all owners of the hotspot.
Contact table D103: records the contact information of all users, including fields such as {user account, contact account, contact nickname, other contact information}.
User session table D104: records the session information between the server and terminal users, including fields such as {session number, session start time, session end time, session status, session credential, user account}; the session number is globally unique.
Hotspot session table D105: records the session information between the server and hotspots, including fields such as {session number, session start time, session end time, session status, session credential, hotspot account}; the session number is globally unique.
Contact event table D106: records the information of pending contact-relationship establishment events, including fields such as {event number, source user account, destination user account}; the event number is globally unique.
The data tables D20 of the hotspot include:
Hotspot table D201: records the information of the hotspot, including fields such as {hotspot account, hotspot password, hotspot SSID, hotspot MAC address, hotspot login mode, other hotspot information}.
User session table D202: records the session information between the hotspot and terminal users, including fields such as {session number, session start time, session end time, session status, session credential, user account}.
Server session table D203: records the session information between the hotspot and the server, including fields such as {session number, session start time, session end time, session status, session credential}.
The data tables D30 of the user terminal include:
User table D301: records the information of the terminal user, including fields such as {user account, user password, user nickname, other user information}.
Hotspot table D302: records the information of nearby hotspots, including fields such as {hotspot label, hotspot login mode, hotspot owner account, hotspot owner nickname, hotspot owner number, other hotspot information}.
Contact table D303: records the information of the terminal user's contacts, including fields such as {contact account, contact nickname, other contact information}.
Hotspot session table D304: records the session information between the terminal user and hotspots, including fields such as {session number, session start time, session end time, session status, session credential, hotspot label}.
Server session table D305: records the session information between the terminal user and the server, including fields such as {session number, session start time, session end time, session status, session credential}.
The system may generate hotspot labels in, but not limited to, the following ways: assigning each hotspot a unique random number as its label, or using the MAC address of the hotspot as its label. In the present embodiment, hotspots are numbered in order of registration starting from 1 and the number is used as the hotspot's label. As shown in Fig. 2, the SSID of the hotspot is "WiFi-Bob@1000", the label and CSSID of the hotspot are "1000" and "WiFi-Bob" respectively, and the reserved character "@" is the separator.
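The label extraction of steps (21a) to (21d) and the owner/contact check of steps (203) and (214), as an added example in Python that is not part of the patent: it splits an SSID of the form CSSID@label as in Fig. 2, queries a constructed in-memory copy of the hotspot and contact tables, and reports owner accounts only for owners who are the requester or one of the requester's contacts, giving only the owner number otherwise. The table layout, the alphanumeric label rule, the "last separator wins" convention and all sample accounts are assumptions made for this illustration.

```python
"""Added example (not the patent's own code): SSID label parsing, the server-side
hotspot query of step (21d) and the owner/contact check of steps (203)/(214).
The in-memory tables loosely mirror D102/D103 and their contents are constructed."""
import re
from typing import Dict, List, Optional, Tuple

SEPARATOR = "@"                                  # reserved separator from Fig. 2 ("WiFi-Bob@1000")
LABEL_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")    # assumption: labels are short alphanumerics

def split_ssid(ssid: str) -> Optional[Tuple[str, str]]:
    """Split "<CSSID>@<label>" into (cssid, label), or return None.

    The label is taken after the LAST separator, so a CSSID may itself contain "@"
    (assumption: server-generated labels never do). An SSID is attacker-controlled
    broadcast input, so a missing separator, an empty part, or a label outside the
    allowed alphabet is rejected before the label reaches any server query."""
    cssid, sep, label = ssid.rpartition(SEPARATOR)
    if not sep or not cssid or not LABEL_RE.match(label):
        return None
    return cssid, label

# Constructed sample of hotspot table D102 (label -> owners) and contact table D103.
HOTSPOTS: Dict[str, List[Dict[str, str]]] = {
    "1000": [{"account": "bob", "number": "o1", "nickname": "Bob"},
             {"account": "carol", "number": "o2", "nickname": "Carol"}],
    "1001": [{"account": "dave", "number": "o1", "nickname": "Dave"}],
}
CONTACTS: Dict[str, set] = {"alice": {"carol"}, "carol": {"alice"}}

def is_owner_or_contact(owner_account: str, requester: str) -> bool:
    return owner_account == requester or owner_account in CONTACTS.get(requester, set())

def query_hotspot(label: str, requester: str) -> Optional[dict]:
    """Step (21d): describe a hotspot to the requesting user. Owners who are the
    requester or a contact are identified by account; everyone else only by number."""
    owners = HOTSPOTS.get(label)
    if owners is None:
        return None                                # unknown label: nothing to disclose
    described = []
    for o in owners:
        if is_owner_or_contact(o["account"], requester):
            described.append({"account": o["account"], "nickname": o["nickname"]})
        else:
            described.append({"number": o["number"], "nickname": o["nickname"]})
    return {"label": label, "owners": described}

def may_log_in(label: str, requester: str) -> bool:
    """Steps (203)/(214): at least one owner must be the requester or a contact."""
    return any(is_owner_or_contact(o["account"], requester) for o in HOTSPOTS.get(label, []))

def build_hotspot_list(scan: List[Tuple[str, str]], requester: str) -> List[dict]:
    """Steps (21a)-(21c): from (ssid, login_mode) pairs seen in a scan, keep only SSIDs
    carrying a well-formed label the server knows, and attach the server's answer
    (the shape of the terminal's hotspot table D302)."""
    result = []
    for ssid, mode in scan:
        parts = split_ssid(ssid)
        if parts is None:
            continue
        cssid, label = parts
        info = query_hotspot(label, requester)
        if info is None:
            continue
        result.append({"ssid": ssid, "cssid": cssid, "label": label,
                       "login_mode": mode, "owners": info["owners"]})
    return result

if __name__ == "__main__":
    # Constructed scan: two labelled hotspots, one plain SSID, two malformed SSIDs.
    scan = [("WiFi-Bob@1000", "enterprise"), ("Cafe@1001", "personal"),
            ("OpenNet", "personal"), ("x@", "personal"), ("evil@1000; DROP", "personal")]
    for entry in build_hotspot_list(scan, "alice"):
        print(entry["ssid"], entry["label"], entry["owners"],
              "login allowed:", may_log_in(entry["label"], "alice"))
```

With the constructed tables, Alice is shown Carol's account for hotspot 1000 but only Bob's owner number, and may_log_in returns True for 1000 (Carol is her contact) and False for 1001.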
As shown in Figure 1, user terminal M1 of terminal user Alice is located within the signal coverage of hotspot AP1 and base station BS1, user terminal M2 of terminal user Bob is located within the signal coverage of hotspot AP2 and base station BS2, Bob is an owner of hotspot AP1, and none of the owners of hotspot AP1 is Alice or one of her contacts.
In the above embodiment, the steps of the process S10 by which Alice registers a user account on server SVR through user terminal M1 are as follows:
S101: Alice sends a request to register a user account to server SVR through user terminal M1.
S102: Server SVR sends a request to submit registration information to user terminal M1.
S103: Alice submits the registration information to server SVR through user terminal M1; the content of the information includes {Alice's account, Alice's password, Alice's nickname, Alice's other information}.
S104: Server SVR registers the user account for Alice and sends a message of successful registration to user terminal M1.
S105: User terminal M1 updates Alice's status.
S106: End.
In the above embodiment, with terminal user Alice in session with server SVR, the steps of the process S20 by which Alice registers hotspot AP2 with SVR through user terminal M1 are as shown in Figure 6:
S201: Alice sends a request to register a hotspot account to server SVR through user terminal M1.
S202: Server SVR sends a request to submit registration information to user terminal M1.
S203: Alice submits the registration information to server SVR through user terminal M1; the content of the information includes {AP2's account, AP2's password, AP2's pre-shared key PSK, AP2's other information}.
S204: Server SVR registers a hotspot account for hotspot AP2 and sends a message of successful registration to user terminal M1.
S205: End.
In the above embodiment, with terminal user Alice in session with server SVR, the steps of the process S30 by which Alice obtains nearby hotspot information through user terminal M1 are as shown in Figure 7:
S301: Alice searches for the broadcast signals of nearby hotspots through user terminal M1 and generates the hotspot table.
S302: User terminal M1 extracts the hotspot label from the SSID field of hotspot AP1.
S303: Alice sends a request to obtain the information of hotspot AP1 to server SVR through user terminal M1; the content of the request includes {AP1's label}.
S304: Server SVR sends the information of hotspot AP1 to user terminal M1; the content of the information includes {AP1's label, AP1's owner accounts, AP1's owner numbers, AP1's owner nicknames, AP1's other information}.
In this step, server SVR looks up the information of hotspot AP1 according to the label of AP1 received in step S303, and checks in turn whether each owner of AP1 is a contact of Alice; if so, the account of that owner is sent to user terminal M1, otherwise the number of that owner is sent to M1.
S305: User terminal M1 updates the hotspot table.
S306: End.
In the above embodiment, with terminal users Alice and Bob both in session with server SVR, the steps of the process S40 by which Alice requests SVR through user terminal M1 to add Bob, an owner of hotspot AP1, as a contact are as shown in Figure 8:
S401: Alice selects hotspot AP1 from the hotspot table and selects one of the owners of AP1 who are not her contacts, then sends a request to add that owner as a contact to server SVR through user terminal M1; the content of the request includes {AP1's label, the owner's number}.
S402: Server SVR obtains the owner's account from the label of AP1 and the owner's number and learns that the owner is Bob; SVR then sends a request to add Alice as a contact to Bob's user terminal M2; the content of the request includes {event number, Alice's account}.
In this step, server SVR adds a record for this contact request to the contact event table.
S403: If Bob agrees to add Alice as a contact, user terminal M2 sends server SVR a message agreeing to establish a contact relationship with Alice; the content of the message includes {event number}. Otherwise jump to step S406.
S404: Server SVR sends messages that the contact relationship has been successfully established to user terminals M1 and M2 respectively; the contents of the messages are {Bob's account} and {Alice's account} respectively.
In this step, server SVR deletes the related record from the contact event table.
S405: User terminals M1 and M2 update their contact tables.
S406: End.
In the above embodiment, with terminal users Alice and Bob both in session with server SVR, the steps of the process S50 by which Alice requests SVR through user terminal M1 to delete contact Bob are as shown in Figure 9:
S501: Alice sends a request to delete contact Bob to server SVR through terminal M1; the content of the request includes {Bob's account}.
S502: Server SVR releases the contact relationship between Alice and Bob and sends messages that the contact relationship has been successfully released to user terminals M1 and M2; the content of the message includes {Bob's account, Alice's account}.
S503: User terminals M1 and M2 update their contact tables.
S504: End.
In the above embodiment, the steps of the process S60 by which terminal user Alice requests to log in to hotspot AP1 are as shown in Figure 10:
S601: Alice selects hotspot AP1 from the hotspot table of user terminal M1.
S602: If AP1 currently provides the personal login service, the personal login process S70a is called; otherwise the enterprise login process S70b is called.
S603: End.
The process S70a in which Alice logs in to AP1 through user terminal M1 in personal login mode is shown in Figure 11. Terminal user Alice, hotspot AP1 and server SVR are pairwise in session communication, and server SVR and hotspot AP1 jointly hold a pre-shared key PSK:
S701a: Hotspot AP1 generates a random number Anonce and sends the first handshake message to terminal M1; the message content includes { random number Anonce, AP1 MAC address }.
S702a: Terminal M1 forwards hotspot AP1's first handshake message to server SVR; the message content includes { random number Anonce, AP1 MAC address, M1 MAC address, AP1 label }.
In this step, terminal M1 can forward the handshake message to server SVR either through its WiFi network interface via hotspot AP1, or by accessing the internet through its mobile network interface. Here, terminal M1 forwards the handshake message to server SVR through the WiFi network interface via hotspot AP1.
S703a: Server SVR verifies whether at least one of the owners of hotspot AP1 is Alice or one of her contacts; if not, jump to step S708a.
S704a: Server SVR generates a random number Bnonce and a temporary key PTK.
In this step, server SVR calculates the temporary key PTK from { PSK, random number Anonce, AP1 MAC address, random number Bnonce, M1 MAC address }.
S705a: Server SVR encrypts the temporary key PTK with user Alice's password and sends the random number Bnonce and the PTK ciphertext to terminal M1; the message content is { random number Bnonce, temporary key PTK ciphertext, AP1 label }.
In this step, if terminal M1 sent the handshake message to SVR through its WiFi network interface in step S702a, SVR forwards the message via hotspot AP1 to M1's WiFi network interface; otherwise, SVR sends the message to M1's mobile network interface. Here, SVR forwards the PTK to M1 via AP1.
In this step, terminal M1 decrypts the received PTK ciphertext with user Alice's password.
S706a: Terminal M1 generates an integrity code Amic and sends the second handshake message to hotspot AP1; the message content includes { random number Bnonce, M1 MAC address, integrity code Amic }.
S707a: Hotspot AP1 and terminal M1 continue with the third and fourth handshake messages of the WPA 4-Way Handshake to complete the terminal's login to the hotspot.
S708a: Return.
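The key handling of steps S704a to S706a, worked through as an added example that is not part of the patent. The patent fixes the inputs of the PTK derivation but not the algorithms, so the HMAC-SHA256 PRF, the PBKDF2-plus-HMAC wrapping of the PTK under Alice's password and the HMAC-based Amic are assumptions; the PSK, MAC addresses, nonces and password are constructed values.

```python
import hashlib
import hmac
import os

def derive_ptk(psk, anonce, ap_mac, bnonce, sta_mac):
    """S704a: PTK from {PSK, Anonce, AP1 MAC, Bnonce, M1 MAC}.
    Assumed PRF: HMAC-SHA256 keyed with the PSK over the inputs in that order."""
    if len(ap_mac) != 6 or len(sta_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return hmac.new(psk, b"PTK" + anonce + ap_mac + bnonce + sta_mac, hashlib.sha256).digest()

def _password_key(password, bnonce):
    # Assumed: PBKDF2-SHA256 stretches Alice's password; the fresh Bnonce serves as salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), bnonce, 50_000, dklen=32)

def wrap_ptk(password, ptk, bnonce):
    """S705a, server side: PTK ciphertext under Alice's password.
    Assumed scheme: XOR with one HMAC-derived keystream block, then an HMAC tag."""
    k = _password_key(password, bnonce)
    stream = hmac.new(k, b"enc" + bnonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(ptk, stream))
    return ct + hmac.new(k, b"tag" + bnonce + ct, hashlib.sha256).digest()

def unwrap_ptk(password, blob, bnonce):
    """S705a, terminal side: check the tag, then recover the PTK.
    Returns None for a wrong password or a modified ciphertext."""
    k = _password_key(password, bnonce)
    ct, tag = blob[:32], blob[32:]
    expected = hmac.new(k, b"tag" + bnonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hmac.new(k, b"enc" + bnonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def amic(ptk, bnonce, sta_mac):
    """S706a: integrity code over the second handshake message {Bnonce, M1 MAC}."""
    return hmac.new(ptk, bnonce + sta_mac, hashlib.sha256).digest()[:16]

def personal_login_demo(password="alice-password", attempt="alice-password"):
    """S704a-S706a end to end; True only if M1 recovers the PTK and AP1 accepts its Amic."""
    psk = b"constructed-psk-known-only-to-AP1-and-SVR"  # never sent to the terminal
    ap_mac, sta_mac = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
    anonce, bnonce = os.urandom(32), os.urandom(32)
    ptk = derive_ptk(psk, anonce, ap_mac, bnonce, sta_mac)   # SVR, S704a
    blob = wrap_ptk(password, ptk, bnonce)                    # SVR, S705a
    recovered = unwrap_ptk(attempt, blob, bnonce)             # M1, S705a
    if recovered is None:
        return False
    # AP1 holds the PSK and the handshake fields, so it recomputes the PTK to verify Amic.
    ap_ptk = derive_ptk(psk, anonce, ap_mac, bnonce, sta_mac)
    return hmac.compare_digest(amic(recovered, bnonce, sta_mac), amic(ap_ptk, bnonce, sta_mac))
```

Because only the server and AP1 ever hold the PSK, a terminal that learns Anonce, Bnonce, both MAC addresses and the PTK still cannot work back to the PSK, which is the property the closing paragraph of this section relies on.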
The process S70b in which Alice logs in to hotspot AP1 through terminal M1 in enterprise login mode is shown in Figure 12. Terminal user Alice, hotspot AP1 and server SVR are pairwise in session communication:
S701b: Alice sends an authentication request to hotspot AP1 through user terminal M1; the request content includes { Alice account, AP1 SSID }.
S702b: Hotspot AP1 forwards Alice's authentication request to server SVR.
S703b: Server SVR and Alice mutually verify each other's identity; if the verification fails, jump to step S708b.
In this step, depending on the authentication algorithm used, such as CHAP v2, user terminal M1 and server SVR may need to exchange information several times through hotspot AP1.
S704b: Server SVR verifies whether the hotspot AP1 label transmitted by user terminal M1 is consistent with hotspot AP1's SSID; if the verification fails, jump to step S708b.
In this step, server SVR obtains AP1's SSID both in its session with Alice during the authentication process and in its session with hotspot AP1, extracts AP1's label from each, and compares whether the two are identical.
S705b: Server SVR verifies whether at least one of the owners of hotspot AP1 is Alice or one of her contacts; if not, jump to step S708b.
S706b: Server SVR and terminal M1 negotiate so that each generates the master key PMK, and then SVR sends the PMK to hotspot AP1.
S707b: Hotspot AP1 and terminal M1 perform the WPA 4-Way Handshake protocol to complete the terminal's login to the hotspot.
S708b: Return.
In this embodiment, the process S80 in which hotspot AP1, which initially uses the enterprise login mode, automatically switches its login mode is shown in Figure 13:
S801: Hotspot AP1 detects whether its communication with server SVR is congested; if so, jump to step S803.
S802: Hotspot AP1 maintains or switches back to the enterprise login mode, then jumps to step S804.
S803: Hotspot AP1 switches to the personal login mode.
S804: End.
In this embodiment, the system includes a server M10, multiple hotspots M20 providing the personal or enterprise login mode, and multiple user terminals M30. Figure 14 is a schematic diagram of the system modules, described in detail below:
Server M10 includes: user registration unit M101, hotspot registration unit M102, relation management unit M103, session management unit M104, identity authentication unit M105, authentication communication unit M106, handshake communication unit M107, data management unit M108, messaging unit M109.
Handshake communication unit M107 includes: key management unit M107a, key encryption unit M107b, random number generation unit M107c.
Hotspot M20 includes: signal broadcast unit M201, session management unit M202, identity authentication unit M203, handshake communication unit M204, data management unit M205, messaging unit M206, hotspot login mode switching unit M207.
Handshake communication unit M204 includes: key management unit M204a, random number generation unit M204b, integrity code generation unit M204c.
Terminal M30 includes: signal search unit M301, tag extraction unit M302, user registration unit M303, hotspot registration unit M304, relation management unit M305, session management unit M306, identity authentication unit M307, authentication communication unit M308, handshake communication unit M309, data management unit M310, messaging unit M311.
Terminal handshake communication unit M309 includes: key management unit M309a, key decryption unit M309b, random number generation unit M309c, integrity code generation unit M309d.
The user registration units M101 and M303 of server M10 and terminal M30 exchange information through messaging units M109 and M311 to perform the user registration process.
The hotspot registration units M102 and M304 of server M10 and terminal M30 exchange information through messaging units M109 and M311 to perform the hotspot registration process.
The signal broadcast unit M201 of hotspot M20 and the signal search unit M301 of terminal M30 broadcast and receive hotspot information, respectively.
The tag extraction unit M302 of terminal M30 extracts labels from the SSIDs of nearby hotspots.
The relation management units M103 and M305 of server M10 and terminal M30 exchange information through messaging units M109 and M311 to establish and delete contact relationships and to synchronize contact information.
Any two of the session management units M104, M202 and M306 of server M10, hotspot M20 and terminal M30 exchange information through messaging units M109, M206 and M311 to establish, maintain and terminate sessions. At the beginning of a session, the identity authentication units M105, M203 and M307 of the two communicating parties verify each other's identity.
The authentication communication units M106 and M308 of server M10 and terminal M30 exchange information through messaging units M109 and M311 to perform the authentication communication process when login is requested in enterprise mode. During authentication communication, the identity authentication units M105 and M307 of the two communicating parties verify each other's identity, and the messaging unit M206 of hotspot M20 forwards the messages between server M10 and terminal M30. During session communication and during the authentication communication of a hotspot login request, the user may authenticate with the server using the same account and password, or using two different sets of account and password. In the present embodiment, the user authenticates with the server using the same account and password.
The handshake communication units M107, M204 and M309 of server M10, hotspot M20 and terminal M30 exchange information through messaging units M109, M206 and M311 to perform the handshake communication process.
In the personal login process, the key management units M107a and M204a of server M10 and hotspot M20 generate the temporary key PTK from the pre-shared key PSK; the key encryption unit M107b of server M10 then encrypts the PTK and sends the PTK ciphertext to terminal M30 through messaging unit M109, and the key decryption unit M309b of terminal M30 decrypts it to obtain the PTK plaintext.
In the enterprise login process, the key management unit M107a of server M10 sends the master key PMK to hotspot M20 through messaging unit M109, and the key management units M204a and M309a of hotspot M20 and terminal M30 generate the temporary key PTK from the PMK.
The random number generation units M107c, M204b and M309c of server M10, hotspot M20 and terminal M30 generate random numbers.
The integrity code generation units M204c and M309d of hotspot M20 and terminal M30 generate integrity codes.
The data management units M108, M205 and M310 of server M10, hotspot M20 and terminal M30 look up, add, delete and update the related data tables. The data tables can be managed as text files or in a database; in the present embodiment, the server, hotspot and terminal manage the related data tables in a database.
The hotspot login mode switching unit M207 of hotspot M20 monitors the communication conditions between the hotspot and the server in real time and switches or maintains the hotspot's login mode according to the congestion of that communication.
In the present invention, the pre-shared key PSK of each hotspot is known only to the hotspot and the server and is not disclosed to the user; the user also cannot recover the pre-shared key PSK from the information obtained during use, and the user logs in to a hotspot operating in either login mode with the account and password registered on the server. The proposed method can effectively improve the convenience and security of the user's hotspot login.