CN104735052B - The safe login method and system of Wi-Fi hotspot - Google Patents


Info

Publication number: CN104735052B
Authority: CN (China)
Application number: CN201510043780.2A
Other languages: Chinese (zh)
Other versions: CN104735052A
Inventors: 吴裔, 劳斌, 农革
Current assignee: Sun Yat Sen University
Original assignee: Sun Yat Sen University
Legal status: Active
Application filed by Sun Yat Sen University
Priority to CN201510043780.2A
Publication of CN104735052A
Application granted
Publication of CN104735052B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these


Abstract

The present invention proposes a secure login method and system for Wi-Fi hotspots. A globally unique label is embedded in the SSID of each hotspot; the server uses this label as the key to look up the hotspot's description information, and the user identifies nearby hotspots from the description information sent by the server. Contact relationships are established between users and hotspot owners through requests, so that a user can log in to every hotspot whose owner is the user or one of the user's contacts. A server on the Internet holds the pre-shared key and uses it to generate the temporary key the user needs in personal login mode; the user's terminal carries out the handshake with the hotspot using the temporary key distributed by the server, which reduces the possibility of the pre-shared key being leaked or cracked. With the account and password registered at the server, the user can log in to hotspots operating in any login mode, and a hotspot can switch between login modes as needed, the entire switch being transparent to the user.

Description

The safe login method and system of Wi-Fi hotspot
Technical field
The present invention relates to the field of wireless communication, and more particularly to a method and system enabling a terminal to securely log in to a Wi-Fi hotspot.
Background technology
WiFi is a wireless local area network technology that follows the IEEE 802.11 family of standards. A Wi-Fi hotspot (access point, AP) provides Internet access to the users who log in to it. The WiFi secure login protocol in current use, WPA (Wi-Fi Protected Access), has two login modes: personal and enterprise. Each hotspot has an SSID (service set identifier) that can be set arbitrarily and is at most 32 bytes long; the hotspot periodically broadcasts the SSID on its channel so that terminals can scan for it, identify the hotspot and log in.
In personal login mode, the canonical process by which a user logs in to a hotspot through a terminal is: the user and the hotspot agree in advance on a pre-shared key PSK; the terminal performs a four-way handshake with the hotspot to generate a temporary key PTK (pairwise transient key) from the PSK, and then uses the generated PTK to establish an encrypted communication connection.
In enterprise login mode, the canonical process by which a user logs in to a hotspot through a terminal is: the user's terminal performs authentication communication, via the hotspot, with an authentication server located on the Internet (such as a RADIUS server); after successful authentication the server and the terminal each generate a master key PMK (pairwise master key) and the server sends the PMK to the hotspot; the terminal then performs a four-way handshake with the hotspot to generate a temporary key PTK from the PMK, and uses the generated PTK to establish an encrypted communication connection.
The four-way handshake protocol in the above traditional WPA personal and enterprise login modes proceeds as follows:
(1) The hotspot generates a random number Anonce and sends the first handshake message to the terminal; the message contains {random number Anonce, MAC address of the hotspot};
(2) The terminal generates a random number Bnonce and uses {PSK/PMK, random number Anonce, MAC address of the hotspot, random number Bnonce, MAC address of the terminal} to generate a temporary key PTK;
(3) The terminal generates an integrity code Amic and sends the second handshake message to the hotspot; the message contains {random number Bnonce, MAC address of the terminal, integrity code Amic};
(4) The hotspot uses {PSK/PMK, random number Anonce, MAC address of the hotspot, random number Bnonce, MAC address of the terminal} to generate the temporary key PTK, then verifies the integrity code Amic to confirm that the locally generated PTK matches the one generated by the terminal;
(5) The hotspot generates an integrity code Bmic and sends the third handshake message to the terminal; the message contains {integrity code Bmic};
(6) The terminal verifies the integrity code Bmic; if verification succeeds, the terminal generates an integrity code Cmic and sends the fourth handshake message, containing {integrity code Cmic}, to the hotspot; otherwise the login request is terminated;
(7) The hotspot verifies the integrity code Cmic; if verification fails, the login process is terminated;
(8) The terminal and the hotspot establish an encrypted communication connection using the PTK.
The above secure login method for Wi-Fi hotspots has a major shortcoming: for a hotspot using personal login mode, its pre-shared key PSK must be disclosed to every user allowed to log in to that hotspot, so key management is difficult and the key is easily leaked.
The prior art proposes a variety of solutions to the security problem of personal login mode, including:
(1) A method and system for secure access to a portable hotspot by a smartphone: the smartphone acting as the wireless access point performs WPA-PSK security authentication with the smartphone acting as the access terminal over near-field communication (NFC) to generate the temporary key needed for encrypted communication; because the NFC communication distance is within 10 centimetres, it is difficult for a third party to crack the PSK.
(2) A login method and system for Wi-Fi hotspots: a server on the Internet stores the login information of Wi-Fi hotspots (such as WPA/WEP keys); the user logs in to a first Wi-Fi hotspot through the WiFi network interface of the terminal and obtains from the server the login information of a second Wi-Fi hotspot, or accesses the Internet through the mobile network interface of the terminal to obtain that login information from the server; the user then logs in to the second Wi-Fi hotspot using the login information.
(3) A method and system for updating a pre-shared key: the two communicating parties take the prime number corresponding to the pre-shared key to be updated as the prime parameter P of a Diffie-Hellman key exchange; each party then uses the prime parameter P, a positive integer g smaller than P, and its own generated random number (sx or sy) to compute PX or PY respectively; the parties exchange PX and PY and use parameters such as {P, PX, PY, sx, sy} to compute the new pre-shared key.
Analysis shows that schemes (1) and (3) address personal login mode but are incompatible with the relevant IEEE 802.11 standard protocols, and that scheme (2) discloses the login key to the terminal user and stores the key locally on the terminal, so it lacks security. These schemes have considerable defects in implementation difficulty and security.
The content of the invention
To solve the above problems, the present invention first provides a safe and reliable secure login method for Wi-Fi hotspots.
A further object of the present invention is to provide a safe and reliable secure login system for Wi-Fi hotspots.
To solve the above technical problems, the technical solution is as follows:
A secure login method for Wi-Fi hotspots, which involves a server SVR located on the Internet, a plurality of hotspots {AP1, AP2, ..., APj, ...} each providing personal or enterprise login mode, and a plurality of terminals {M1, M2, ..., Mi, ...} each equipped with a WiFi network interface and a mobile network interface (such as 3G or 4G); a user can access the Internet either by logging in to a nearby hotspot through the WiFi network interface of the terminal or through the mobile network interface of the terminal.
In the login method, any two of the user, the hotspot and the server exchange information through a session. At the start of a session the two parties mutually authenticate each other's identity and generate a credential for the session, which is used to sign the information exchanged during the session. One user can use multiple terminals to establish multiple sessions with the server or a hotspot, and multiple users can each establish a session with the server or a hotspot through one terminal.
The secure login method for Wi-Fi hotspots specifically includes:
(1) The user registers a user account on the server through a terminal, and registers accounts for hotspots on the server through a terminal;
The process by which the user registers a user account on the server through a terminal is: user Alice sends a request to register a user account to the server through terminal Mi; the server registers an account for user Alice and returns the registration result to terminal Mi;
The process by which the user registers a hotspot account on the server through a terminal is: user Alice sends a request to register a hotspot account to the server through terminal Mi; the server generates a label for hotspot APj and registers an account for APj, then returns the registration result, which includes the label of hotspot APj, to terminal Mi;
(2) User Alice requests to log in to a hotspot through a terminal, as follows:
(21) User Alice obtains nearby hotspot information through terminal Mi and generates a hotspot list; user Alice checks the information of the nearby hotspots in the hotspot list and selects hotspot APj;
(22) According to the login mode provided by hotspot APj, the terminal chooses to perform the personal or the enterprise login process;
In the personal login process, user Alice, hotspot APj and the server are pairwise in session, and the server and hotspot APj jointly hold a pre-shared key PSK; the process by which user Alice requests to log in to hotspot APj through terminal Mi is as follows:
(201) Hotspot APj generates a random number Anonce and sends the first handshake message to terminal Mi;
(202) Terminal Mi forwards the first handshake message of hotspot APj to the server;
(203) The server verifies whether at least one of the owners of hotspot APj is user Alice or one of her contacts; if verification succeeds, go to step (204), otherwise terminate user Alice's login request;
(204) The server generates a random number Bnonce and generates a temporary key PTK using the pre-shared key PSK, then encrypts Bnonce and PTK with user Alice's password and sends the ciphertext to terminal Mi;
(205) Terminal Mi decrypts the ciphertext with user Alice's password to obtain the random number Bnonce and the temporary key PTK, then sends the second handshake message to hotspot APj;
(206) Hotspot APj generates a temporary key PTK using the pre-shared key PSK and verifies whether the locally generated PTK is identical to the terminal's PTK; if identical, go to step (207), otherwise terminate user Alice's login request;
(207) Hotspot APj and terminal Mi perform the third and fourth handshake messages of the four-way handshake protocol of traditional WPA personal and enterprise login modes to complete the terminal's login to the hotspot;
In the enterprise login process, user Alice, hotspot APj and the server are pairwise in session; the process by which user Alice logs in to hotspot APj through terminal Mi is as follows:
(211) User Alice sends an authentication request to hotspot APj through terminal Mi;
(212) Hotspot APj forwards user Alice's authentication request to the server;
(213) The server and user Alice mutually verify each other's identity and verify whether the label of hotspot APj known to each of them is consistent; if verification succeeds, go to step (214), otherwise terminate user Alice's login request;
(214) The server verifies whether at least one of the owners of hotspot APj is user Alice or one of her contacts; if verification succeeds, go to step (215), otherwise terminate user Alice's login request;
(215) The server and terminal Mi negotiate to each generate a master key PMK, and the server then sends the master key PMK to hotspot APj;
(216) Hotspot APj and terminal Mi perform the handshake communication process of the four-way handshake protocol of traditional WPA personal and enterprise login modes to complete the terminal's login to the hotspot.
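The following Python simulation is added here and is not part of the patent. It walks through steps (201) to (206) of the personal login process with the server, hotspot and terminal played in one process, and it also contains the PTK derivation and integrity-code check of the traditional four-way handshake from the background section, so that the two designs can be compared on the same code. The PRF, the HMAC-based integrity code, and the password-based encryption of (Bnonce, PTK) are assumptions: the patent does not specify them.

```python
"""Simulation of the server-assisted personal login: the pre-shared key PSK is
held by the server and the hotspot only; the terminal receives the temporary
key PTK encrypted under the user's account password and never sees the PSK.

Assumptions not fixed by the patent text: the PTK derivation follows the
IEEE 802.11i PRF (HMAC-SHA1 over "Pairwise key expansion"), the integrity
code is HMAC-SHA256 keyed with the first 16 bytes of the PTK, and the
password-based encryption of (Bnonce, PTK) is PBKDF2 + an HMAC-SHA256
keystream with an HMAC tag (encrypt-then-MAC), salted with the account name."""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 32   # Anonce / Bnonce length in the four-way handshake
PTK_LEN = 48     # PTK length for CCMP (KCK 16 + KEK 16 + TK 16)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i-style PRF: concatenated HMAC-SHA1 blocks with a one-byte counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(psk_or_pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, bnonce: bytes) -> bytes:
    """PTK from {PSK/PMK, Anonce, AP MAC, Bnonce, terminal MAC}; min/max ordering
    makes the result the same no matter which side computes it."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, bnonce) + max(anonce, bnonce))
    return prf(psk_or_pmk, b"Pairwise key expansion", data, PTK_LEN)


def integrity_code(ptk: bytes, message: bytes) -> bytes:
    """Integrity code (MIC) over a handshake message, keyed with the KCK part of the PTK."""
    return hmac.new(ptk[:16], message, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def _password_keys(password: str, account: str):
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), account.encode(), 100_000, 64)
    return k[:32], k[32:]   # encryption key, MAC key


def wrap_with_password(password: str, account: str, payload: bytes) -> bytes:
    """Server side of step (204): encrypt-then-MAC the payload under the account password."""
    enc_key, mac_key = _password_keys(password, account)
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_with_password(password: str, account: str, blob: bytes) -> bytes:
    """Terminal side of step (205): verify the tag, then decrypt."""
    enc_key, mac_key = _password_keys(password, account)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication (wrong password or tampered)")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


def run_personal_login(server_psk, ap_psk, ap_mac, sta_mac, registered_password, typed_password,
                       owners, contacts, user="alice") -> Optional[bytes]:
    """Steps (201)-(206) with the server, hotspot and terminal played in one process.
    Returns the PTK confirmed by the hotspot, or None when the login request is terminated."""
    # (201) hotspot generates Anonce; first handshake message {Anonce, hotspot MAC} to the terminal
    anonce = os.urandom(NONCE_LEN)
    # (202) terminal forwards the first message to the server (WiFi or mobile network interface)
    # (203) server checks that at least one owner of the hotspot is the user or one of her contacts
    if not any(o == user or o in contacts.get(user, set()) for o in owners):
        return None
    # (204) server generates Bnonce, derives the PTK from the PSK it holds, encrypts both under the password
    bnonce = os.urandom(NONCE_LEN)
    ptk_server = derive_ptk(server_psk, ap_mac, sta_mac, anonce, bnonce)
    blob = wrap_with_password(registered_password, user, bnonce + ptk_server)
    # (205) terminal decrypts with the password the user typed, then sends message 2 {Bnonce, MAC, Amic}
    try:
        plain = unwrap_with_password(typed_password, user, blob)
    except ValueError:
        return None
    bnonce_t, ptk_terminal = plain[:NONCE_LEN], plain[NONCE_LEN:]
    msg2 = bnonce_t + sta_mac
    amic = integrity_code(ptk_terminal, msg2)
    # (206) hotspot derives the PTK from its own PSK and checks Amic, i.e. that both PTKs agree
    ptk_ap = derive_ptk(ap_psk, ap_mac, sta_mac, anonce, bnonce_t)
    if not hmac.compare_digest(amic, integrity_code(ptk_ap, msg2)):
        return None
    # (207) messages 3 and 4 of the standard handshake would follow; the confirmed PTK is returned
    return ptk_ap
```

The three failure branches (no owner relationship, wrong account password, hotspot and server holding different PSKs) are the points at which the patent terminates the login request; each returns None.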
When registering a user account, user Alice must submit basic information such as the user's account name, password and nickname to server SVR, and may also submit other information such as the user's sex, age and contact details as needed; user accounts are globally unique.
When registering a hotspot account, user Alice must submit basic information such as the hotspot's account name, password and pre-shared key PSK to server SVR, and may also submit other information such as the hotspot's manufacturer as needed; hotspot accounts are globally unique.
Each user can register one or more hotspots at the server and thereby claim to be the custodian of those hotspots. After a hotspot is registered successfully, the user can add one or more owners at the server for the hotspots under the user's custody; the custodian of a hotspot is also one of its owners.
Preferably, in step (21) the detailed process by which user Alice obtains nearby hotspot information through terminal Mi and generates the hotspot list is:
(21a) User Alice searches for the broadcast signals of nearby hotspots through terminal Mi, obtains hotspot information such as the SSID and the login mode from the signals, and generates the hotspot list;
(21b) Terminal Mi scans the hotspot list and extracts the hotspot label from the SSID of each hotspot in turn;
(21c) User Alice selects one or more hotspots from the hotspot list and sends a request for hotspot information to the server through terminal Mi; the request contains the labels of these hotspots;
(21d) According to the hotspot labels, the server looks up the owner accounts, owner numbers, owner nicknames and other information of the hotspots concerned and returns the query result to terminal Mi. The owner number is a string generated by the system to distinguish the different owners of the same hotspot.
Preferably, in step (21d), the server checks in turn whether each owner of a hotspot concerned is Alice or one of her contacts; if so, the owner's account is sent to the terminal, otherwise the server sends the owner's number to the terminal. The owner number is a string generated by the system to distinguish the different owners of the same hotspot.
Preferably, in the login method, a hotspot that initially uses enterprise login mode can automatically switch to personal login mode, as follows: if the hotspot detects congestion on its communication with the server, for example from parameters such as delay and packet loss, it switches to personal login mode; otherwise it maintains, or switches back to, enterprise login mode.
Preferably, with users Alice and Bob and the server in session, the process by which user Alice requests through a terminal that the server add hotspot APj's owner Bob as a contact is as follows:
(1a) User Alice selects hotspot APj from the hotspot list of terminal Mi and selects one of the owners of hotspot APj who are not her contacts, then sends a request to add that owner as a contact to the server through terminal Mi; the request contains the label of hotspot APj and the number of the owner;
(1b) Using the label of hotspot APj and the owner number received in step (1a), the server identifies the owner as Bob, and then forwards user Alice's request to terminal Mj used by user Bob;
(1c) If user Bob refuses to add user Alice as a contact, the process of Alice requesting to add Bob as a contact is terminated; otherwise go to step (1d);
(1d) User Bob sends a message to the server agreeing to establish a contact relationship with user Alice;
(1e) The server establishes the contact relationship between users Alice and Bob and sends a message reporting the successful establishment of the contact relationship to terminals Mi and Mj respectively, where i ≠ j.
Preferably, with users Alice and Bob and the server in session, the process by which user Alice requests through terminal Mi that the server delete contact Bob is as follows:
(1) User Alice sends a request to delete contact Bob to the server through terminal Mi;
(2) The server releases the contact relationship between users Alice and Bob and sends a message reporting the successful release of the contact relationship to terminal Mi and to terminal Mj used by user Bob respectively, where i ≠ j.
Preferably, the hotspot label is a string generated by the server to distinguish different hotspots, and hotspot labels are globally unique; the label of a hotspot and its CSSID (customized service set identifier) together form the SSID of the hotspot, where the CSSID is a user-defined string, and the CSSIDs of different hotspots may be the same or different.
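The label and SSID handling just described, together with the hotspot-list steps (21a) to (21d), as an added Python example that is not part of the patent. The label format (16 base32 characters encoding 10 random bytes), the in-memory server table and the account-or-number reporting rule from step (21d) are assumptions or simplifications for the example.

```python
"""Hotspot label and SSID handling: the server assigns each registered hotspot
a globally unique label, the hotspot broadcasts SSID = label + CSSID within the
32-byte SSID limit, and a terminal extracts the label from every scanned SSID
to query the server for owner information (steps 21a to 21d).

Assumptions not fixed by the patent: the label is a fixed-width string of 16
base32 characters encoding 10 random bytes, and the server's hotspot table is
modelled as an in-memory dict."""
import base64
import secrets
from typing import Dict, List, Optional, Set, Tuple

LABEL_LEN = 16        # 10 random bytes -> 16 base32 characters, no padding
SSID_MAX_BYTES = 32   # IEEE 802.11 SSID length limit


def generate_label(existing: Set[str]) -> str:
    """Server side: draw labels until one is not already in use, then reserve it."""
    while True:
        label = base64.b32encode(secrets.token_bytes(10)).decode("ascii")
        if label not in existing:
            existing.add(label)
            return label


def extract_label(ssid: str) -> Optional[Tuple[str, str]]:
    """Terminal side (21b): return (label, cssid) when the SSID starts with a
    well-formed label, otherwise None (an SSID not issued by this system)."""
    if len(ssid) < LABEL_LEN:
        return None
    label = ssid[:LABEL_LEN]
    try:
        base64.b32decode(label)   # rejects characters outside the base32 alphabet
    except ValueError:            # binascii.Error is a subclass of ValueError
        return None
    return label, ssid[LABEL_LEN:]


def build_ssid(label: str, cssid: str) -> str:
    """SSID = label + CSSID. The CSSID is cut on a character boundary so that the
    UTF-8 encoding of the whole SSID stays within 32 bytes."""
    if len(label) != LABEL_LEN or extract_label(label) is None:
        raise ValueError("label must be a well-formed 16-character base32 label")
    room = SSID_MAX_BYTES - len(label.encode("utf-8"))
    kept = ""
    for ch in cssid:
        if len((kept + ch).encode("utf-8")) > room:
            break
        kept += ch
    return label + kept


def hotspot_list(scanned: List[Tuple[str, str]], server_table: Dict[str, dict],
                 user: str, contacts: Dict[str, Set[str]]) -> List[dict]:
    """Steps (21a) to (21d): for every scanned (SSID, login mode) pair, extract
    the label, look the hotspot up at the server, and report each owner by
    account name only when the owner is the user or a contact of the user;
    other owners are reported only by their system-generated number."""
    result = []
    for ssid, mode in scanned:
        parsed = extract_label(ssid)
        if parsed is None:
            continue   # not an SSID carrying a label of this system
        label, cssid = parsed
        record = server_table.get(label)
        if record is None:
            continue   # well-formed label but unknown to the server: not listed
        owners = []
        for number, account in record["owners"]:
            if account == user or account in contacts.get(user, set()):
                owners.append(("account", account))
            else:
                owners.append(("number", number))
        result.append({"label": label, "cssid": cssid, "mode": mode, "owners": owners})
    return result
```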
A secure login system for Wi-Fi hotspots, comprising a server, a plurality of hotspots providing personal or enterprise login service, and a plurality of terminals for users to use.
The server comprises:
a server user registration unit, which registers users;
a server hotspot registration unit, which registers hotspots;
a server contact management unit, which adds and deletes contacts;
a server session management unit, which establishes, maintains and logs out sessions between the server and hotspots or users;
a server identity authentication unit, which mutually authenticates identity with users or hotspots during sessions or login requests;
a server authentication communication unit, which carries out authentication communication with users during login requests;
a server handshake communication unit, which carries out handshake communication with hotspots and terminals during login requests;
a server data management unit, which processes the contents of the server data tables, including lookup, insertion, deletion and update;
a server message transceiving unit, which sends and receives messages to and from hotspots or terminals.
The server handshake communication unit specifically comprises:
a server key management module, which stores, generates and distributes the pre-shared key, master key and temporary key on demand;
a server key encryption module, which encrypts the temporary key;
a server random number generation module, which generates random numbers.
The hotspot comprises:
a hotspot signal broadcast unit, which broadcasts hotspot information such as the SSID and the login mode;
a hotspot session management unit, which establishes, maintains and logs out sessions between the hotspot and the server or users;
a hotspot identity authentication unit, which mutually authenticates identity with the server or users during sessions;
a hotspot handshake communication unit, which carries out handshake communication with users and the server during login requests;
a hotspot data management unit, which processes the contents of the hotspot data tables, including lookup, insertion, deletion and update;
a hotspot message transceiving unit, which sends and receives messages to and from the server or terminals;
a hotspot login mode switching unit, which maintains or switches the login mode of the hotspot according to the communication status with the server.
The hotspot handshake communication unit specifically comprises:
a hotspot key management module, which stores and generates the pre-shared key, master key and temporary key on demand;
a hotspot random number generation module, which generates random numbers;
a hotspot integrity code generation module, which generates integrity codes.
The terminal for users to use comprises:
a terminal signal search unit, which searches for the signals broadcast by nearby hotspots;
a terminal label extraction unit, which extracts labels from the SSIDs of the nearby hotspots found;
a terminal user registration unit, which requests user registration;
a terminal hotspot registration unit, which requests hotspot registration;
a terminal contact management unit, which requests the addition and deletion of contacts;
a terminal session management unit, which establishes, maintains and logs out sessions between the user and the server or hotspots;
a terminal identity authentication unit, which mutually authenticates identity with the server or hotspots during sessions and login requests;
a terminal authentication communication unit, which carries out authentication communication with the server during login requests;
a terminal handshake communication unit, which carries out handshake communication with hotspots and the server during login requests;
a terminal data management unit, which processes the contents of the terminal data tables, including lookup, insertion, deletion and update;
a terminal message transceiving unit, which sends and receives messages to and from the server or hotspots.
The terminal handshake communication unit specifically comprises:
a terminal key management module, which stores and generates the pre-shared key, master key and temporary key on demand;
a terminal key decryption module, which decrypts the temporary key;
a terminal random number generation module, which generates random numbers;
a terminal integrity code generation module, which generates integrity codes.
Compared with the prior art, the present invention embeds a globally unique label in the SSID of each hotspot; the server uses this label as the key to look up the hotspot's description information, and the user identifies nearby hotspots from the description information sent by the server. Contact relationships are established between users and hotspot owners through requests, so that with the account and password registered at the server a user can log in to every hotspot whose owner is the user or one of the user's contacts. The server on the Internet holds the pre-shared key and uses it to generate the temporary key the user needs in personal login mode; the user's terminal carries out the handshake with the hotspot using the temporary key distributed by the server, which reduces the possibility of the pre-shared key being leaked or cracked. With the account and password registered at the server, the user can log in to hotspots operating in any login mode, and a hotspot can switch between login modes as needed, the entire switch being transparent to the user. The present invention is compatible with the relevant IEEE 802.11 standard protocols, is easy to implement and is highly secure.
The beneficial effects of the present invention are as follows. Easy operation: through a terminal, a user can quickly log in to every hotspot whose owner is the user or one of the user's contacts, and the entire login process is highly automated.
Ease of use: with the account and password registered at the server, a user can log in to hotspots operating in any login mode, and a hotspot can switch between login modes as needed, the entire switch being transparent to the user.
Security and reliability: in personal login mode, the server on the Internet uses the pre-shared key to generate the temporary key needed by the user requesting to log in to the hotspot, and it is difficult for a third party to obtain and crack the pre-shared key held at the server; a globally unique label is embedded in the SSID of the hotspot, and the server verifies the authenticity of the hotspot the user requests according to the label.
Brief description of the drawings
Fig. 1 is the architecture diagram of the present invention.
Fig. 2 is a schematic diagram of the hotspot label and SSID in the embodiment.
Fig. 3 is the sequence diagram of the handshake communication process of the personal login mode of the present invention.
Fig. 4 is the sequence diagram of the handshake communication process of the traditional personal login mode.
Fig. 5 is a schematic diagram of the data tables of the server, hotspot and user terminal in the embodiment.
Fig. 6 is the flowchart of registering a hotspot account in the embodiment.
Fig. 7 is the flowchart of obtaining nearby hotspot information in the embodiment.
Fig. 8 is the flowchart of establishing a contact relationship in the embodiment.
Fig. 9 is the flowchart of releasing a contact relationship in the embodiment.
Fig. 10 is the flowchart of logging in to a hotspot in the embodiment.
Fig. 11 is the flowchart of the personal login process in the embodiment.
Fig. 12 is the flowchart of the enterprise login mode in the embodiment.
Fig. 13 is the flowchart of a hotspot switching login mode in the embodiment.
Fig. 14 is a schematic diagram of the system modules in the embodiment.
Embodiment
The present invention will be further described below in conjunction with the accompanying drawings, but embodiments of the present invention are not limited to this.
As shown in figure 1, user Alice terminal M1 is located at the wireless and movable signal covering model of focus AP1 and base station BS 1 In enclosing, user Bob terminal M2 is located in the signal cover of focus AP2 and base station BS 2, and Bob is a focus AP1 master People, AP1 all owners are not Alice or its contact person.
In the login method, user Alice and Bob and server S VR is in ession for telecommunication, and Alice passes through terminal The process that M1 request SVR addition focuses AP1 owner Bob is contact person is as follows:
(1) user Alice selects the master of focus AP1 and all non-contact persons from AP1 from terminal M1 hotspot list One is selected in people, is then sent by M1 to server S VR and adds the request that the owner is contact person, AP1 is included in request Label and owner numbering;
(2) server S VR is to know the owner using the AP1 label and the numbering of owner that are received in step (1) Bob, then requests of the SVR to the user Bob terminal M2 forwarding users Alice used;
(3) if user Bob refusal additions user Alice is contact person, it is contact person to terminate Alice request additions Bob Process;
(4) user Bob sends the message for agreeing to that contact relationship is established with user Alice to server S VR;
(5) server S VR establishes user Alice and Bob contact relationship and sent successfully to terminal M1 and M2 respectively Establish the message of contact relationship.
In the login method, user Alice and Bob and server S VR is in ession for telecommunication, and Alice passes through terminal The process that M1 request servers SVR deletes contact person Bob is as follows:
(1) user Alice sends the request for deleting contact person Bob by terminal M1 to server S VR;
(2) server S VR releases user Alice and Bob contact relationship and sent successfully to terminal M1 and M2 respectively Release the message of contact relationship.
In the login method, user Alice asks the process for logging in focus AP1 as follows by terminal M1:
(1) user Alice checks the information of periphery focus by terminal M1 hotspot list and selects focus AP1;
(2) login mode that terminal M1 is provided according to focus AP1 selects to perform personal or enterprise's login process.
In the personal login process, user Alice, focus AP1 and server S VR are in ession for telecommunication, SVR two-by-two Hold wildcard a PSK, Alice jointly with AP1 asks the process for logging in AP1 as follows by terminal M1:
(1) focus AP1 sends the first handshake information to terminal M1;
(2) terminal M1 forwards focus AP1 the first handshake information to server S VR;
(3) whether at least one is Alice or its contact person in server S VR checking focuses AP1 all owners;If The logging request of authentication failed, then termination Alice;
(4) server S VR generates a temporary key PTK using wildcard PSK, then with user Alice's Password is encrypted to PTK and ciphertext is sent into M1;
(5) terminal M1 obtains temporary key PTK with Alice password to ciphertext decryption, then sends the to focus AP1 Two handshake informations;
(6) focus AP1 using wildcard PSK come generate a temporary key PTK and verify the PTK locally generated and Whether the PTK of terminal is identical;If it is not, then termination Alice logging request;
(7) focus AP1 and terminal M1 perform the of traditional WPA people and the 4-Way Handshake agreement in enterprise's login mode 3rd, 4-Way Handshake communication process come complete terminal log in focus process.
The said process the step of (2) and (4), terminal M1 and server S VR can by M1 WiFi network interface via Focus AP1 exchanges message, can also exchange message by M1 mobile network's interface.
As shown in Figure 3-4, traditional WPA people login mode is different from, personal login process of the present invention is to service Device end preserves PSK and the PTK of generation is sent into terminal, rather than preserves PSK and generation PTK in terminal.
In the enterprise login process, user Alice, hotspot AP1 and server SVR are pairwise in session communication, and the process by which Alice logs in to AP1 through terminal M1 is as follows:
(1) User Alice sends an authentication request to hotspot AP1 through terminal M1;
(2) Hotspot AP1 forwards user Alice's authentication request to server SVR;
(3) Server SVR and user Alice mutually verify each other's identity and verify whether the tag of AP1 known to each of them is consistent; if the verification fails, Alice's login request is terminated;
In this step, hotspot AP1 and server SVR are in session communication, so SVR knows AP1's account and tag; the tag of AP1 known to Alice is the one that M1 extracted from the SSID of AP1 found in its search.
(4) Server SVR verifies whether at least one of all owners of hotspot AP1 is Alice or one of her contacts; if the verification fails, the process of Alice requesting to log in to hotspot AP1 is terminated;
(5) Server SVR and terminal M1 negotiate so that each generates the master key PMK, and then SVR sends the PMK to hotspot AP1;
In this step, server SVR and terminal M1 need to forward their communication messages through hotspot AP1 to negotiate and generate the PMK; after this step, terminal M1 and hotspot AP1 both hold the PMK.
(6) Hotspot AP1 and terminal M1 perform the handshake communication process of the four-way handshake protocol of the traditional WPA-Personal and WPA-Enterprise login modes to complete the process of the terminal logging in to the hotspot.
In the login method, a hotspot AP1 that initially uses the enterprise login mode can automatically switch to the personal mode; the process is as follows:
(1) If hotspot AP1 detects that its communication with server SVR is congested, for example by monitoring parameters such as delay and packet loss, it switches to the personal login mode; otherwise it maintains or switches back to the enterprise login mode.
In the above embodiment, users and terminals satisfy a one-to-one relationship, i.e., each user uses only one terminal, and each terminal belongs to only one user. Hereinafter, "user terminal" and "terminal user" denote respectively the terminal and the user that satisfy this correspondence.
In the above embodiment, the data tables of the server, the hotspot and the user terminal are shown in Figure 5 and described in detail below:
The data table D10 of the server includes:
User table D101: records the information of all users, including the fields {user account, user password, user nickname, other user information}; the user account is globally unique.
Hotspot table D102: records the information of all hotspots, including the fields {hotspot account, hotspot password, hotspot tag, hotspot owner account, hotspot owner number, hotspot owner nickname, other hotspot information}; the hotspot account is globally unique, different owners of the same hotspot have different numbers, and the hotspot owner account, number and nickname fields contain the account, number and nickname of every owner of the hotspot.
Contact table D103: records the contact information of all users, including the fields {user account, contact account, contact nickname, other contact information}.
User session table D104: records the session information between the server and terminal users, including the fields {session number, session start time, session end time, session status, session credential, user account}; the session number is globally unique.
Hotspot session table D105: records the session information between the server and hotspots, including the fields {session number, session start time, session end time, session status, session credential, hotspot account}; the session number is globally unique.
Contact event table D106: records the information of pending contact-relationship events, including the fields {event number, source user account, destination user account}; the event number is globally unique.
The data table D20 of the hotspot includes:
Hotspot table D201: records the information of the hotspot, including the fields {hotspot account, hotspot password, hotspot SSID, hotspot MAC address, hotspot login mode, other hotspot information}.
User session table D202: records the session information between the hotspot and terminal users, including the fields {session number, session start time, session end time, session status, session credential, user account}.
Server session table D203: records the session information between the hotspot and the server, including the fields {session number, session start time, session end time, session status, session credential}.
The data table D30 of the user terminal includes:
User table D301: records the information of the terminal user, including the fields {user account, user password, user nickname, other user information}.
Hotspot table D302: records the information of nearby hotspots, including the fields {hotspot tag, hotspot login mode, hotspot owner account, hotspot owner nickname, hotspot owner number, other hotspot information}.
Contact table D303: records the information of the terminal user's contacts, including the fields {contact account, contact nickname, other contact information}.
Hotspot session table D304: records the session information between the terminal user and hotspots, including the fields {session number, session start time, session end time, session status, session credential, hotspot tag}.
Server session table D305: records the session information between the terminal user and the server, including the fields {session number, session start time, session end time, session status, session credential}.
The system may generate the tag of a hotspot in, but not limited to, the following ways: assigning each hotspot a unique random number as its tag, or using the hotspot's MAC address as its tag. In the present embodiment, hotspots are numbered in registration order starting from 1, and that number is used as the hotspot's tag. As shown in Figure 2, the SSID of a hotspot is "WiFi-Bob@1000", the tag and the CSSID of the hotspot are "1000" and "WiFi-Bob" respectively, and the reserved character "@" is the separator.
As shown in Figure 1, user terminal M1 of terminal user Alice is within the signal coverage of hotspot AP1 and base station BS1, user terminal M2 of terminal user Bob is within the signal coverage of hotspot AP2 and base station BS2, Bob is an owner of hotspot AP1, and none of the owners of hotspot AP1 is Alice or one of her contacts.
In the above embodiment, the steps of process S10, in which Alice registers a user account with server SVR through user terminal M1, are as follows:
S101: Alice sends a request to register a user account to server SVR through user terminal M1.
S102: Server SVR sends a request to submit registration information to user terminal M1.
S103: Alice submits the registration information to server SVR through user terminal M1; the content of the information includes {Alice's account, Alice's password, Alice's nickname, other information about Alice}.
S104: Server SVR registers a user account for Alice and sends a registration-success message to user terminal M1.
S105: User terminal M1 updates Alice's state.
S106: End.
In the above embodiment, terminal user Alice and server SVR are in session communication, and the steps of process S20, in which Alice registers hotspot AP2 with SVR through user terminal M1, are as shown in Figure 6:
S201: Alice sends a request to register a hotspot account to server SVR through user terminal M1.
S202: Server SVR sends a request to submit registration information to user terminal M1.
S203: Alice submits the registration information to server SVR through user terminal M1; the content of the information includes {AP2's account, AP2's password, AP2's pre-shared key PSK, other information about AP2}.
S204: Server SVR registers a hotspot account for hotspot AP2 and sends a registration-success message to user terminal M1.
S205: End.
In the above embodiment, terminal user Alice and server SVR are in session communication, and the steps of process S30, in which Alice obtains nearby hotspot information through user terminal M1, are as shown in Figure 7:
S301: Alice searches for the broadcast signals of nearby hotspots through user terminal M1 and generates a hotspot table.
S302: User terminal M1 extracts the hotspot tag from the SSID field of hotspot AP1.
S303: Alice sends a request to obtain hotspot AP1's information to server SVR through user terminal M1; the content of the request includes {AP1's tag}.
S304: Server SVR sends hotspot AP1's information to user terminal M1; the content of the message includes {AP1's tag, AP1's owner accounts, AP1's owner numbers, AP1's owner nicknames, other information about AP1}.
In this step, server SVR looks up hotspot AP1's information according to AP1's tag received in step S303 and checks in turn whether each owner of AP1 is a contact of Alice; if so, the owner's account is sent to user terminal M1, otherwise the owner's number is sent to M1.
S305: User terminal M1 updates its hotspot table.
S306: End.
In the above embodiment, terminal users Alice and Bob and server SVR are in session communication, and the steps of process S40, in which Alice requests SVR through user terminal M1 to add Bob, an owner of hotspot AP1, as a contact, are as shown in Figure 8:
S401: Alice selects hotspot AP1 from the hotspot table and selects one of the non-contact owners of AP1, then sends a request to add that owner as a contact to server SVR through user terminal M1; the content of the request includes {AP1's tag, the owner's number}.
S402: Server SVR obtains the owner's account from AP1's tag and the owner's number and learns that the owner is Bob; SVR then sends a request to add Alice as a contact to Bob's user terminal M2; the content of the request includes {event number, Alice's account}.
In this step, server SVR adds a record for this contact request in the contact event table.
S403: If Bob agrees to add Alice as a contact, user terminal M2 sends server SVR a message agreeing to establish a contact relationship with Alice; the content of the message includes {event number}; otherwise jump to step S406.
S404: Server SVR sends a message that the contact relationship has been successfully established to user terminals M1 and M2 respectively; the contents of the messages are {Bob's account} and {Alice's account} respectively.
In this step, server SVR deletes the related record from the contact event table.
S405: User terminals M1 and M2 update their contact tables.
S406: End.
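As an added illustration (not code from the patent), the following Python carries the tag handling of the present embodiment end to end: the SSID split on the reserved "@" described with Figure 2, the server's rule in step S304 that returns an owner's account only to that owner's contacts and the owner number otherwise, and the lookup of step S402 from (tag, owner number) back to the account. The table contents, the numeric-tag check and the function names are assumptions made here.

```python
# Constructed tables in the shape of D102 (server hotspot table) and D103 (contact table).
SSID_SEPARATOR = "@"   # reserved character between the CSSID and the tag

HOTSPOTS = {  # hotspot tag -> owners as (account, number, nickname); numbers differ per hotspot
    "1000": [("bob", "1", "Bob"), ("carol", "2", "Carol")],
    "1001": [("dave", "1", "Dave")],
}
CONTACTS = {"alice": {"bob"}}   # user account -> contact accounts


def split_ssid(ssid):
    """Step S302 / tag extraction unit M302: split 'CSSID@tag' on the last reserved '@'.
    Returns (cssid, tag), or None for an SSID that does not follow the system's format
    (this embodiment numbers hotspots, so the tag must be decimal digits)."""
    cssid, sep, tag = ssid.rpartition(SSID_SEPARATOR)
    if not sep or not cssid or not tag.isdigit():
        return None
    return cssid, tag


def hotspot_info(requester, tag):
    """Step S304: per owner, disclose the account only if the owner is the requester or a
    contact of the requester; otherwise disclose only the owner number and nickname."""
    contacts = CONTACTS.get(requester, set())
    owners = []
    for account, number, nickname in HOTSPOTS.get(tag, []):
        visible = account if (account == requester or account in contacts) else None
        owners.append({"account": visible, "number": number, "nickname": nickname})
    return {"tag": tag, "owners": owners}


def resolve_owner(tag, number):
    """Step S402: SVR maps (hotspot tag, owner number) back to the owner's account."""
    for account, num, _nickname in HOTSPOTS.get(tag, []):
        if num == number:
            return account
    return None


def build_hotspot_table(requester, scanned_ssids):
    """Steps S301-S305: scan, extract tags, query SVR and fill the terminal's table D302."""
    table = []
    for ssid in scanned_ssids:
        parsed = split_ssid(ssid)
        if parsed is None:
            continue   # plain SSID, not a hotspot registered in this system
        cssid, tag = parsed
        info = hotspot_info(requester, tag)
        table.append({"ssid": ssid, "cssid": cssid, "tag": tag, "owners": info["owners"]})
    return table


def non_contact_owner_numbers(table_row):
    """Step S401: the numbers the terminal can cite to request adding a non-contact owner."""
    return [o["number"] for o in table_row["owners"] if o["account"] is None]


if __name__ == "__main__":
    # Constructed scan result: two hotspots of this system and one unrelated network.
    rows = build_hotspot_table("alice", ["WiFi-Bob@1000", "HomeNet", "Cafe@1001"])
    for row in rows:
        print(row["tag"], row["cssid"], row["owners"])
```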
In the above embodiment, terminal users Alice and Bob and server SVR are in session communication, and the steps of process S50, in which Alice requests SVR through user terminal M1 to delete contact Bob, are as shown in Figure 9:
S501: Alice sends a request to delete contact Bob to server SVR through terminal M1; the content of the request includes {Bob's account}.
S502: Server SVR dissolves the contact relationship between Alice and Bob and sends a message that the contact relationship has been successfully dissolved to user terminals M1 and M2; the content of the message includes {Bob's account, Alice's account}.
S503: User terminals M1 and M2 update their contact tables.
S504: End.
In the above embodiment, the steps of process S60, in which terminal user Alice requests to log in to hotspot AP1, are as shown in Figure 10:
S601: Alice selects hotspot AP1 from the hotspot table of user terminal M1.
S602: If AP1 currently provides the personal login service, the personal login process S70a is called; otherwise the enterprise login process S70b is called.
S603: End.
The steps of the personal login process S70a, in which Alice logs in to AP1 through user terminal M1, are as shown in Figure 11, where terminal user Alice, hotspot AP1 and server SVR are pairwise in session communication, and server SVR and hotspot AP1 jointly hold the pre-shared key PSK:
S701a: Hotspot AP1 generates a random number Anonce and sends the first handshake message to terminal M1; the content of the message includes {random number Anonce, AP1's MAC address}.
S702a: Terminal M1 forwards hotspot AP1's first handshake message to server SVR; the content of the message includes {random number Anonce, AP1's MAC address, M1's MAC address, AP1's tag}.
In this step, terminal M1 can forward the handshake message to server SVR via hotspot AP1 through its WiFi network interface, or access the internet through its mobile network interface to forward the handshake message to SVR. Here, terminal M1 forwards the handshake message to server SVR via hotspot AP1 through the WiFi network interface.
S703a: Server SVR verifies whether at least one of all owners of hotspot AP1 is Alice or one of her contacts; if not, jump to step S708a.
S704a: Server SVR generates a random number Bnonce and a temporary key PTK.
In this step, server SVR computes the temporary key PTK from {PSK, random number Anonce, AP1's MAC address, random number Bnonce, M1's MAC address}.
S705a: Server SVR encrypts the temporary key PTK with user Alice's password and sends the random number Bnonce and the PTK ciphertext to terminal M1; the content of the message is {random number Bnonce, temporary key PTK ciphertext, AP1's tag}.
In this step, if terminal M1 sent the handshake message to SVR through its WiFi network interface in step S702a, SVR forwards the message via hotspot AP1 to M1's WiFi network interface; otherwise SVR sends the message to M1's mobile network interface. Here, SVR forwards the PTK to M1 via AP1.
In this step, terminal M1 decrypts the received PTK ciphertext with user Alice's password.
S706a: Terminal M1 generates a message integrity code Amic and sends the second handshake message to hotspot AP1; the content of the message includes {random number Bnonce, M1's MAC address, integrity code Amic}.
S707a: Hotspot AP1 and terminal M1 continue with the third and fourth handshake communications of the WPA four-way handshake communication process to complete the process of the terminal logging in to the hotspot.
S708a: Return.
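As an added illustration (not code from the patent), the following Python simulation runs the personal login of steps S701a to S707a, and of steps (1) to (7) of the personal login process above, through all three parties: AP1 issues Anonce, SVR applies the owner/contact check, derives the PTK from {PSK, Anonce, AP1 MAC, Bnonce, M1 MAC} and wraps it under Alice's password, M1 unwraps it and computes Amic, and AP1 recomputes the PTK from its own PSK to verify Amic. The WPA2 PRF-512 layout used for the PTK, the password-based wrapping scheme, and the MAC addresses, passwords and tables are assumptions chosen here; the patent fixes none of them.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for hotspot AP1, terminal M1 and server SVR (not from the patent).
AP1_TAG = "1000"
AP1_MAC = bytes.fromhex("02aa000000a1")
M1_MAC = bytes.fromhex("02bb000000b1")
ALICE_PASSWORD = b"constructed-alice-password"
# PSK held only by AP1 and SVR; constructed here from a passphrase and the SSID "WiFi-Bob@1000".
AP1_PSK = hashlib.pbkdf2_hmac("sha1", b"constructed-ap1-passphrase", b"WiFi-Bob@1000", 4096, 32)

# Server-side tables D101/D102/D103 reduced to the fields the login path needs.
USER_PASSWORDS = {"alice": ALICE_PASSWORD}   # user account -> password on record at SVR
HOTSPOT_OWNERS = {AP1_TAG: ["bob"]}          # hotspot tag -> owner accounts
HOTSPOT_PSK = {AP1_TAG: AP1_PSK}             # hotspot tag -> PSK held by SVR
CONTACTS = {"alice": {"bob"}}                # user account -> contact accounts


def owner_check(hotspot_tag, user):
    """Step S703a: at least one owner must be the user or one of the user's contacts."""
    contacts = CONTACTS.get(user, set())
    return any(o == user or o in contacts for o in HOTSPOT_OWNERS.get(hotspot_tag, []))


def derive_ptk(psk, ap_mac, sta_mac, anonce, bnonce):
    """Step S704a: PTK from {PSK, Anonce, AP MAC, Bnonce, terminal MAC}.
    Assumed layout: the WPA2 PRF-512 (HMAC-SHA1 over sorted MACs and nonces), so that
    SVR and AP1, each holding the PSK, compute the same 64-byte PTK."""
    data = (b"Pairwise key expansion\x00"
            + min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, bnonce) + max(anonce, bnonce))
    blocks = [hmac.new(psk, data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def _password_keys(password, salt, length):
    """Keystream and MAC key derived from the user's password (constructed scheme)."""
    kdf = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, 64)
    enc_key, mac_key = kdf[:32], kdf[32:]
    stream = b"".join(hmac.new(enc_key, salt + bytes([i]), hashlib.sha256).digest()
                      for i in range((length + 31) // 32))
    return stream[:length], mac_key


def password_wrap(password, salt, ptk):
    """Step S705a: SVR encrypts the PTK under Alice's password; output is ciphertext || tag."""
    stream, mac_key = _password_keys(password, salt, len(ptk))
    ct = bytes(a ^ b for a, b in zip(ptk, stream))
    return ct + hmac.new(mac_key, salt + ct, hashlib.sha256).digest()


def password_unwrap(password, salt, blob):
    """Terminal side of S705a: recover the PTK, rejecting the blob if the tag does not verify."""
    ct, tag = blob[:-32], blob[-32:]
    stream, mac_key = _password_keys(password, salt, len(ct))
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + ct, hashlib.sha256).digest()):
        raise ValueError("PTK ciphertext does not verify under this password")
    return bytes(a ^ b for a, b in zip(ct, stream))


def mic(ptk, message):
    """Step S706a: integrity code Amic keyed with the KCK, the first 16 bytes of the PTK."""
    return hmac.new(ptk[:16], message, hashlib.sha1).digest()


def personal_login(user, typed_password, hotspot_tag):
    """Run steps S701a-S707a between AP1, M1 and SVR and return the outcome as a string."""
    # S701a: AP1 picks Anonce and sends the first handshake message to M1.
    anonce = secrets.token_bytes(32)
    msg1 = {"anonce": anonce, "ap_mac": AP1_MAC}
    # S702a: M1 forwards it to SVR together with its own MAC and the hotspot tag.
    fwd = dict(msg1, sta_mac=M1_MAC, tag=hotspot_tag)
    # S703a: SVR applies the owner/contact rule before it touches the PSK.
    if user not in USER_PASSWORDS or not owner_check(fwd["tag"], user):
        return "rejected: no owner is the user or a contact"
    # S704a/S705a: SVR derives the PTK from the PSK it holds and wraps it with the
    # password it has on record for the user; the PSK itself is never sent.
    bnonce = secrets.token_bytes(32)
    ptk_svr = derive_ptk(HOTSPOT_PSK[fwd["tag"]], fwd["ap_mac"], fwd["sta_mac"], anonce, bnonce)
    blob = password_wrap(USER_PASSWORDS[user], bnonce, ptk_svr)
    # M1 unwraps with the password the user typed.
    try:
        ptk_m1 = password_unwrap(typed_password, bnonce, blob)
    except ValueError:
        return "rejected: terminal could not decrypt PTK"
    # S706a: M1 sends the second handshake message carrying Amic.
    msg2 = bnonce + M1_MAC
    amic = mic(ptk_m1, msg2)
    # AP1 derives the PTK from its own PSK and checks that M1 used the same one.
    ptk_ap1 = derive_ptk(AP1_PSK, AP1_MAC, M1_MAC, anonce, bnonce)
    if not hmac.compare_digest(mic(ptk_ap1, msg2), amic):
        return "rejected: PTK mismatch at hotspot"
    return "success"   # S707a: handshake messages 3 and 4 continue as in WPA


if __name__ == "__main__":
    print(personal_login("alice", ALICE_PASSWORD, AP1_TAG))
```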
The steps of process S70b, in which Alice logs in to hotspot AP1 through terminal M1 in the enterprise login mode, are as shown in Figure 12, where terminal user Alice, hotspot AP1 and server SVR are pairwise in session communication:
S701b: Alice sends an authentication request to hotspot AP1 through user terminal M1; the content of the request includes {Alice's account, AP1's SSID}.
S702b: Hotspot AP1 forwards Alice's authentication request to server SVR.
S703b: Server SVR and Alice mutually verify each other's identity; if the verification fails, jump to step S708b.
In this step, depending on the authentication algorithm used, such as CHAP v2, several information exchanges through hotspot AP1 may be needed between user terminal M1 and server SVR.
S704b: Server SVR verifies whether the tag of hotspot AP1 sent by user terminal M1 is consistent with the tag in hotspot AP1's SSID; if the verification fails, jump to step S708b.
In this step, server SVR obtains AP1's SSID both in the authentication process with Alice and in its session with hotspot AP1, extracts AP1's tag from each, and compares whether the two are identical.
S705b: Server SVR verifies whether at least one of all owners of hotspot AP1 is Alice or one of her contacts; if not, jump to step S708b.
S706b: Server SVR and terminal M1 negotiate so that each generates the master key PMK, and then SVR sends the PMK to hotspot AP1.
S707b: Hotspot AP1 and terminal M1 perform the WPA four-way handshake protocol to complete the process of the terminal logging in to the hotspot.
S708b: Return.
In the above embodiment, the steps of process S80, in which hotspot AP1, initially using the enterprise login mode, automatically switches its login mode, are as shown in Figure 13:
S801: Hotspot AP1 detects whether its communication with server SVR is congested; if so, jump to step S803.
S802: Hotspot AP1 maintains or switches back to the enterprise login mode, then jumps to step S804.
S803: Hotspot AP1 switches to the personal login mode.
S804: End.
In the above embodiment, the system includes one server M10, multiple hotspots M20 providing the personal or enterprise login mode, and multiple user terminals M30. Figure 14 is a schematic diagram of the system modules, described in detail below:
Server M10 includes: user registration unit M101, hotspot registration unit M102, relation management unit M103, session management unit M104, identity authentication unit M105, authentication communication unit M106, handshake communication unit M107, data management unit M108, and message transceiving unit M109.
Handshake communication unit M107 includes: key management unit M107a, key encryption unit M107b, and random number generation unit M107c.
Hotspot M20 includes: signal broadcast unit M201, session management unit M202, identity authentication unit M203, handshake communication unit M204, data management unit M205, message transceiving unit M206, and hotspot login mode switching unit M207.
Handshake communication unit M204 includes: key management unit M204a, random number generation unit M204b, and integrity code generation unit M204c.
Terminal M30 includes: signal search unit M301, tag extraction unit M302, user registration unit M303, hotspot registration unit M304, relation management unit M305, session management unit M306, identity authentication unit M307, authentication communication unit M308, handshake communication unit M309, data management unit M310, and message transceiving unit M311.
Terminal handshake communication unit M309 includes: key management unit M309a, key decryption unit M309b, random number generation unit M309c, and integrity code generation unit M309d.
The user registration units M101 and M303 of server M10 and terminal M30 exchange information through message transceiving units M109 and M311 to perform the user registration process.
The hotspot registration units M102 and M304 of server M10 and terminal M30 exchange information through message transceiving units M109 and M311 to perform the hotspot registration process.
The signal broadcast unit M201 of hotspot M20 and the signal search unit M301 of terminal M30 respectively broadcast and receive the hotspot's information.
The tag extraction unit M302 of terminal M30 extracts tags from the SSIDs of nearby hotspots.
The relation management units M103 and M305 of server M10 and terminal M30 exchange information through message transceiving units M109 and M311 to establish and dissolve contact relationships and to synchronize contact information.
The session management units M104, M202 and M306 of any two of server M10, hotspot M20 and terminal M30 exchange information through message transceiving units M109, M206 and M311 to establish, maintain and terminate sessions. At the start of a session, the identity authentication units M105, M203 and M307 of the two communicating parties verify each other's identity.
The authentication communication units M106 and M308 of server M10 and terminal M30 exchange information through message transceiving units M109 and M311 to perform the authentication communication process of a login request in the enterprise mode. During the authentication communication process, the identity authentication units M105 and M307 of the two communicating parties verify each other's identity, and the message transceiving unit M206 of hotspot M20 forwards the messages between server M10 and terminal M30. During session communication and during the authentication communication of a login request, a user may authenticate with the server using the same account and password, or using two different sets of account and password. In the present embodiment, the user authenticates with the server using the same account and password.
The handshake communication units M107, M204 and M309 of server M10, hotspot M20 and terminal M30 exchange information through message transceiving units M109, M206 and M311 to perform the handshake communication process.
In the personal login process, the key management units M107a and M204a of server M10 and hotspot M20 generate the temporary key PTK from the pre-shared key PSK; the key encryption unit M107b of server M10 then encrypts the PTK and sends the PTK ciphertext to terminal M30 through message transceiving unit M109, and the key decryption unit M309b of terminal M30 decrypts it to obtain the PTK in the clear.
In the enterprise login process, the key management unit M107a of server M10 sends the master key PMK to hotspot M20 through message transceiving unit M109, and the key management units M204a and M309a of hotspot M20 and terminal M30 generate the temporary key PTK from the PMK.
The random number generation units M107c, M204b and M309c of server M10, hotspot M20 and terminal M30 generate random numbers.
The integrity code generation units M204c and M309d of hotspot M20 and terminal M30 generate integrity codes.
The data management units M108, M205 and M310 of server M10, hotspot M20 and terminal M30 look up, add, delete and update the related data tables. The data tables may be managed as text files or in a database; in the present embodiment the server, the hotspot and the terminal manage their related data tables in a database.
The hotspot login mode switching unit M207 of hotspot M20 monitors the communication conditions between the hotspot and the server in real time and switches or maintains the hotspot's login mode according to the congestion of that communication.
In the present invention, the pre-shared password PSK of each hotspot is known only to the hotspot and the server and is not disclosed to users; users also cannot recover the pre-shared password PSK from the information obtained during use, and a user logs in to a hotspot working in either login mode using the account and password registered on the server. The proposed method can effectively improve both the convenience and the security of users logging in to hotspots.

Claims (8)

1. A secure login method for Wi-Fi hotspots, characterized in that the method involves a server located on the internet, multiple hotspots {AP1, AP2, ..., APj, ...} providing the personal or enterprise login mode, and multiple terminals {M1, M2, ..., Mi, ...} each equipped with at least one WiFi network interface and at least one mobile network interface; a user accesses the internet by logging in to a nearby hotspot through the terminal's WiFi network interface, and obtains the information of the Wi-Fi hotspot to be logged in to through the terminal's WiFi network interface or mobile network interface; the method specifically includes:
(1) The user performs user registration on the server through the terminal, and the user registers an account for a hotspot on the server through the terminal;
The process by which the user performs user registration on the server through the terminal is: user Alice sends a request to register a user account to the server through terminal Mi; the server registers an account for user Alice and returns the registration result to terminal Mi;
The process by which the user registers an account for a hotspot on the server through the terminal is: user Alice sends a request to register a hotspot account to the server through terminal Mi; the server generates the tag of hotspot APj and registers an account for APj, then the server returns the registration result to terminal Mi, the result including the tag of hotspot APj;
(2) User Alice requests to log in to a hotspot through the terminal; the detailed process is as follows:
(21) User Alice obtains nearby hotspot information through terminal Mi and generates a hotspot list; user Alice views the information of nearby hotspots according to the hotspot list and selects hotspot APj;
(22) Terminal Mi selects and performs the personal or enterprise login according to the login mode provided by hotspot APj;
In the personal login process, user Alice, hotspot APj and the server are pairwise in session communication, the server and hotspot APj jointly hold a pre-shared key PSK, and the process by which user Alice requests to log in to hotspot APj through terminal Mi is as follows:
(201) Hotspot APj generates a random number Anonce and sends the first handshake message to terminal Mi;
(202) Terminal Mi forwards hotspot APj's first handshake message to the server;
(203) The server verifies whether at least one of all owners of hotspot APj is user Alice or one of her contacts; if the verification passes, jump to step (204), otherwise Alice's login request is terminated;
(204) The server generates a random number Bnonce and generates a temporary key PTK using the pre-shared key PSK, then encrypts Bnonce and PTK with user Alice's password and sends the ciphertext to terminal Mi;
(205) Terminal Mi decrypts the ciphertext with user Alice's password to obtain the random number Bnonce and the temporary key PTK, then sends the second handshake message to hotspot APj;
(206) Hotspot APj generates a temporary key PTK using the pre-shared key PSK and verifies whether the locally generated PTK and the terminal's PTK are identical; if identical, jump to step (207), otherwise user Alice's login request is terminated;
(207) Hotspot APj and terminal Mi perform the third and fourth handshake communications of the four-way handshake protocol of the traditional WPA-Personal and WPA-Enterprise login modes to complete the process of the terminal logging in to the hotspot;
In the enterprise login process, user Alice, hotspot APj and the server are pairwise in session communication, and the process by which user Alice logs in to hotspot APj through terminal Mi is as follows:
(211) User Alice sends an authentication request to hotspot APj through terminal Mi;
(212) Hotspot APj forwards user Alice's authentication request to the server;
(213) The server and user Alice mutually verify each other's identity and verify whether the tag of hotspot APj known to each of them is consistent; if the verification passes, jump to step (214), otherwise Alice's hotspot login request is terminated;
(214) The server verifies whether at least one of all owners of hotspot APj is user Alice or one of her contacts; if the verification passes, jump to step (215), otherwise Alice's hotspot login request is terminated;
(215) The server and terminal Mi negotiate so that each generates the master key PMK, and then the server sends the master key PMK to hotspot APj;
(216) Hotspot AP1 and terminal M1 perform the handshake communication process of the four-way handshake protocol of the traditional WPA-Personal and WPA-Enterprise login modes to complete the process of the terminal logging in to the hotspot.
2. The secure login method for Wi-Fi hotspots according to claim 1, characterized in that in step (21) the detailed process by which user Alice obtains nearby hotspot information through terminal Mi and generates the hotspot list is:
(21a) User Alice searches for the broadcast signals of nearby hotspots through terminal Mi and obtains the hotspot information in the signals to generate a hotspot list;
(21b) Terminal Mi scans the hotspot list and extracts the hotspot tag from the SSID of each hotspot in turn;
(21c) User Alice selects one or more hotspots from the hotspot list and sends a request to obtain hotspot information to the server through terminal Mi; the tags of these hotspots are included in the request;
(21d) The server looks up the owner accounts, owner numbers, owner nicknames and other information of the related hotspots according to the hotspot tags and returns the query result to terminal Mi; the owner number is a character string generated by the system to distinguish the different owners of the same hotspot.
3. The secure login method for Wi-Fi hotspots according to claim 2, characterized in that in step (21d) the server checks in turn whether each owner of the related hotspot is Alice or one of her contacts; if so, the owner's account is sent to the terminal, otherwise the server sends the owner's number to the terminal; the owner number is a character string generated by the system to distinguish the different owners of the same hotspot.
4. The secure login method for Wi-Fi hotspots according to any one of claims 1 to 3, characterized in that in the login method a hotspot initially using the enterprise login mode automatically switches to the personal login mode, the process being as follows: if the hotspot detects that its communication with the server is congested, it switches to the personal login mode; otherwise it maintains or switches back to the enterprise login mode.
5. The secure login method for Wi-Fi hotspots according to claim 4, characterized in that users Alice and Bob are in session communication with the server, and the process by which user Alice requests the server through the terminal to add Bob, an owner of hotspot APj, as a contact is as follows:
(1a) User Alice selects hotspot APj from the hotspot list of terminal Mi and selects one of the non-contact owners of hotspot APj, then sends a request to add that owner as a contact to the server through terminal Mi; the request includes the tag of hotspot APj and the owner's number;
(1b) The server uses the tag of hotspot APj and the owner's number received in step (1a) to learn that the owner is Bob, then the server forwards user Alice's request to terminal Mk used by user Bob;
(1c) If user Bob agrees to add user Alice as a contact, jump to step (1d); otherwise the process of Alice requesting to add Bob as a contact is terminated;
(1d) User Bob sends a message to the server agreeing to establish a contact relationship with user Alice;
(1e) The server establishes the contact relationship between users Alice and Bob and sends a message that the contact relationship has been successfully established to terminals Mi and Mk respectively; i ≠ k.
6. The secure login method for Wi-Fi hotspots according to claim 4, characterized in that users Alice and Bob are in session communication with the server, and the process by which Alice requests the server through terminal Mi to delete contact Bob is as follows:
(1) User Alice sends a request to delete contact Bob to the server through terminal Mi;
(2) The server dissolves the contact relationship between users Alice and Bob and sends a message that the contact relationship has been successfully dissolved to terminal Mi and to terminal Mk used by user Bob respectively; i ≠ k.
7. The secure login method for Wi-Fi hotspots according to claim 2, characterized in that the hotspot tag is a character string generated by the server to distinguish different hotspots, and hotspot tags are globally unique; the tag and the CSSID of a hotspot together form the SSID of the hotspot, where the CSSID is a custom character string.
8. a kind of Security Login System of Wi-Fi hotspot, it is characterised in that the system includes a server, multiple offers The focus and multiple terminals for users to use of people or enterprise's login service;
The server includes:
Server user's registering unit, registered user;
Server hotspot registration unit, register focus;
Relationship server administrative unit, addition and deletion contact person;
Server session administrative unit, foundation, maintenance and the session between log-on server and focus or user;
Server authentication unit, identity each other is mutually authenticated with user or focus during ession for telecommunication or request log in;
Server authentication communication unit, it is authenticated communicating with user during asking to log in;
Server handshaking communication unit, handshake communication is carried out with focus and terminal during asking to log in;
Server data administrative unit, the content of server data table is handled, including lookup, additions and deletions and renewal;
Server message Transmit-Receive Unit, transmitting-receiving and the message between focus or terminal;
The server handshaking communication unit specifically includes:
Server key management module, wildcard, master key and temporary key are stored, generate and distributed on demand;
Server key encrypting module, encrypt temporary key;
Server random number generation module, generate random number;
The hotspot comprises:
a hotspot signal broadcast unit, which broadcasts the SSID and hotspot information including the login mode;
a hotspot session management unit, which establishes, maintains and logs out sessions between the hotspot and the server or a user;
a hotspot identity authentication unit, which mutually authenticates identity with the server or a user during a session;
a hotspot handshake communication unit, which performs handshake communication with a user and the server during a login request;
a hotspot data management unit, which handles the contents of the hotspot data tables, including lookup, addition, deletion and update;
a hotspot message transceiving unit, which sends and receives messages to and from the server and terminals;
a hotspot login mode switching unit, which maintains the login mode of the hotspot and switches it according to the state of communication with the server;
the hotspot handshake communication unit specifically comprises:
a hotspot key management module, which stores and generates pre-shared keys, master keys and temporary keys on demand;
a hotspot random number generation module, which generates random numbers;
a hotspot integrity code generation module, which generates integrity codes;
The terminal for use by a user comprises:
a terminal signal search unit, which searches for the signals broadcast by nearby hotspots;
a terminal label extraction unit, which extracts the label from the SSID of each nearby hotspot found;
a terminal user registration unit, which requests user registration;
a terminal hotspot registration unit, which requests hotspot registration;
a terminal relationship management unit, which requests the addition and deletion of contacts;
a terminal session management unit, which establishes, maintains and logs out sessions between the user and the server or a hotspot;
a terminal identity authentication unit, which mutually authenticates identity with the server or a hotspot during a session or a login request;
a terminal authentication communication unit, which performs authentication communication with the server during a login request;
a terminal handshake communication unit, which performs handshake communication with a hotspot and the server during a login request;
a terminal data management unit, which handles the contents of the terminal data tables, including lookup, addition, deletion and update;
a terminal message transceiving unit, which sends and receives messages to and from the server and hotspots;
the terminal handshake communication unit specifically comprises:
a terminal key management module, which stores and generates pre-shared keys, master keys and temporary keys on demand;
a terminal key decryption module, which decrypts temporary keys;
a terminal random number generation module, which generates random numbers;
a terminal integrity code generation module, which generates integrity codes.
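The claims above enumerate the handshake units of the server, hotspot and terminal (key management, key encryption and decryption, random numbers, integrity codes) and the label-in-SSID scheme of claim 7, but not the messages that flow between them. What follows is an added example, not code from the patent or its authors, that models claims 7 and 8 as one runnable three-party exchange: the server mints a temporary key and wraps it separately for the terminal (under the user's master key) and for the hotspot (under the hotspot's pre-shared key); each peer checks the wrap's tag before decrypting, derives a session key bound to both sides' nonces, and proves possession with an integrity code; the terminal recovers the label as the SSID prefix. HMAC-SHA256 as the single primitive, the 16-character label length, the key and nonce sizes, the sample CSSID and every function and class name are this example's own assumptions.

```python
"""Three-party hotspot login handshake modelled on the units of claims 7 and 8.
Added illustrative example, not the patent's protocol. Assumed: HMAC-SHA256 as
key-derivation, keystream and integrity-code primitive; a 16-hex-character label
at the start of the SSID; 32-byte keys; 16-byte nonces. All names are this
example's own."""
import hashlib, hmac, secrets

LABEL_HEX_LEN = 16  # assumed: label = 8 random bytes, hex-encoded

def prf(key, *parts):
    """HMAC-SHA256 over the concatenation of parts (assumed derivation function)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def make_ssid(label, cssid):
    """Claim 7: SSID = globally unique server-issued label + operator's CSSID."""
    return label + cssid

def extract_label(ssid):
    """Terminal label extraction unit: the label is the fixed-length SSID prefix."""
    return ssid[:LABEL_HEX_LEN]

def wrap_key(key, nonce, secret):
    """Encrypt-then-MAC a 32-byte secret under a long-term key (assumed construction)."""
    ct = bytes(a ^ b for a, b in zip(secret, prf(key, b"enc", nonce)))
    return ct, prf(key, b"mac", nonce, ct)

def unwrap_key(key, nonce, ct, tag):
    """Verify the tag before decrypting; a forged or altered wrap is rejected."""
    if not hmac.compare_digest(tag, prf(key, b"mac", nonce, ct)):
        raise ValueError("wrapped temporary key failed its integrity check")
    return bytes(a ^ b for a, b in zip(ct, prf(key, b"enc", nonce)))

class Server:
    """Server key management: a PSK per registered hotspot, a master key per user."""
    def __init__(self):
        self.hotspots = {}  # label -> pre-shared key
        self.users = {}     # user name -> master key

    def register_hotspot(self):
        label = secrets.token_hex(LABEL_HEX_LEN // 2)
        self.hotspots[label] = secrets.token_bytes(32)
        return label, self.hotspots[label]

    def register_user(self, name):
        self.users[name] = secrets.token_bytes(32)
        return self.users[name]

    def login_request(self, user, label):
        """Mint a temporary key and wrap one copy for the terminal, one for the hotspot."""
        temp_key, n_s = secrets.token_bytes(32), secrets.token_bytes(16)
        return (n_s, wrap_key(self.users[user], n_s, temp_key),
                wrap_key(self.hotspots[label], n_s, temp_key))

class Peer:
    """Handshake unit shared by hotspot and terminal: unwrap, derive, prove possession."""
    def __init__(self, role, long_term_key):
        self.role, self.key = role, long_term_key
        self.nonce = secrets.token_bytes(16)  # random number generation module
        self.session_key = b""

    def install(self, n_s, wrapped, n_t, n_h):
        temp_key = unwrap_key(self.key, n_s, *wrapped)
        self.session_key = prf(temp_key, n_t, n_h)  # bound to both sides' nonces
        return prf(self.session_key, b"mic", self.role, n_t, n_h)  # integrity code

    def verify(self, peer_role, code, n_t, n_h):
        return hmac.compare_digest(code, prf(self.session_key, b"mic", peer_role, n_t, n_h))

def login(server, hotspot, ssid, user, terminal, tamper=False):
    """Full exchange; True only if both sides' integrity codes verify."""
    label = extract_label(ssid)
    n_t, n_h = terminal.nonce, hotspot.nonce
    n_s, for_terminal, for_hotspot = server.login_request(user, label)
    if tamper:  # an on-path attacker flips one bit of the hotspot's wrapped key
        ct, tag = for_hotspot
        for_hotspot = (bytes([ct[0] ^ 1]) + ct[1:], tag)
    try:
        mic_h = hotspot.install(n_s, for_hotspot, n_t, n_h)
        mic_t = terminal.install(n_s, for_terminal, n_t, n_h)
    except ValueError:
        return False
    return (hotspot.verify(b"terminal", mic_t, n_t, n_h)
            and terminal.verify(b"hotspot", mic_h, n_t, n_h))

def demo(tamper=False):
    """Register one hotspot and one user, then run a login through them."""
    server = Server()
    label, psk = server.register_hotspot()
    master_key = server.register_user("alice")
    ssid = make_ssid(label, "CoffeeShop")  # constructed sample CSSID
    return login(server, Peer(b"hotspot", psk), ssid, "alice",
                 Peer(b"terminal", master_key), tamper)

if __name__ == "__main__":
    print("login succeeded:", demo(), "| tampered login rejected:", not demo(tamper=True))
```

Run stand-alone it reports that a clean login succeeds and that a login whose wrapped key was altered in transit is rejected: the key decryption module checks the tag before touching the temporary key, which is the order any real implementation of the claimed modules should keep. Because the session key is derived from the temporary key and both nonces, neither party can be replayed into a stale session, and an integrity code computed by one role cannot be reflected back as the other's. In production the HMAC-derived keystream would be replaced by an authenticated cipher such as AES-GCM.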
CN201510043780.2A 2015-01-28 2015-01-28 The safe login method and system of Wi-Fi hotspot Active CN104735052B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510043780.2A CN104735052B (en) 2015-01-28 2015-01-28 The safe login method and system of Wi-Fi hotspot

Publications (2)

Publication Number Publication Date
CN104735052A CN104735052A (en) 2015-06-24
CN104735052B true CN104735052B (en) 2017-12-08

Family

ID=53458487

Country Status (1)

Country Link
CN (1) CN104735052B (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105050086B (en) * 2015-07-23 2019-02-05 广东顺德中山大学卡内基梅隆大学国际联合研究院 A kind of method that terminal logs in Wifi hot spot
CN106714158B (en) * 2015-08-18 2020-02-18 中国移动通信集团公司 WiFi access method and device
CN105050089B (en) * 2015-08-21 2019-04-02 深圳市九洲电器有限公司 Wireless network login validation method and system
CN105357181B (en) * 2015-09-29 2018-06-12 广东顺德中山大学卡内基梅隆大学国际联合研究院 A kind of method of multiple terminals monitoring Wi-Fi labels
CN105554014B (en) * 2015-12-30 2019-03-08 联想(北京)有限公司 A kind of login method and the first electronic equipment of wireless network
CN106982189A (en) * 2016-01-18 2017-07-25 天津赞普科技股份有限公司 Universal code key chain authentication mechanism for business WiFi
CN105763318B (en) * 2016-01-29 2018-09-04 新华三技术有限公司 A kind of wildcard obtains, distribution method and device
CN106101058A (en) * 2016-05-19 2016-11-09 郑建钦 A kind of hot information processing method based on Quick Response Code
CN106028328A (en) * 2016-05-19 2016-10-12 徐美琴 NFC-based hotspot authentication method
CN108616884B (en) * 2016-11-30 2022-01-07 上海掌门科技有限公司 Method and apparatus for wireless access point connection
CN106776094B (en) * 2016-12-12 2020-02-21 郑州云海信息技术有限公司 Tgtd service method, device and client
CN107979594B (en) * 2017-11-21 2020-08-04 重庆邮电大学 Method for preventing WLAN disconnection attack based on prime number decomposition verification
CN110087240B (en) * 2019-03-28 2020-09-11 中国科学院计算技术研究所 Wireless network security data transmission method and system based on WPA2-PSK mode
CN111768162A (en) * 2019-04-02 2020-10-13 上海观创智能科技有限公司 Enterprise office management system and method
CN112702776B (en) * 2020-12-15 2023-03-21 锐捷网络股份有限公司 Method for realizing wireless terminal access to wireless local area network and wireless access point

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6920559B1 (en) * 2000-04-28 2005-07-19 3Com Corporation Using a key lease in a secondary authentication protocol after a primary authentication protocol has been performed
CN101123811A (en) * 2006-08-09 2008-02-13 三星电子株式会社 Apparatus and method for managing stations associated with WPA-PSK wireless network
CN101931954A (en) * 2009-06-22 2010-12-29 南京中兴软件有限责任公司 Method for improving quality of service (QoS) of real-time service in wireless local area network based on service differentiation
CN102958051A (en) * 2011-08-23 2013-03-06 上海贝尔股份有限公司 CAPWAP (control and provisioning of wireless access points) architecture access controller and key management method thereof
CN103533670A (en) * 2013-10-15 2014-01-22 深圳市江波龙电子有限公司 Method and device for connecting wireless network equipment, and wireless network system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI424727B (en) * 2009-08-27 2014-01-21 Arcadyan Technology Corp Method for network connection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract (eleven contracts, listed below)

Licensing contracts recorded under EE01. For every entry the assignor is SUN YAT-SEN University, the license type is Common License, the application publication date is 20150624 and the granted publication date is 20171208.

Record date Contract record no. Assignee Denomination of invention (as recorded)
20230817 X2023420000297 Yunnan Hongxin Technology Co.,Ltd. Secure login methods and systems for WiFi hotspots
20231221 X2023980053524 ANHUI YUNSEN INTERNET OF THINGS TECHNOLOGY Co.,Ltd. Security login methods and systems for WiFi hotspots
20231225 X2023980053975 GUANGZHOU RISHUN ELECTRONIC TECHNOLOGY Co.,Ltd. Security login methods and systems for WiFi hotspots
20231229 X2023980054607 GUANGDONG TECSUN TECHNOLOGY Co.,Ltd. Security login methods and systems for WiFi hotspots
20231229 X2023980054606 Huanyi (Guangdong) emergency safety Technology Group Co.,Ltd. Security login methods and systems for WiFi hotspots
20231229 X2023980054616 SHENZHEN RONGSHENG INTELLIGENT EQUIPMENT Co.,Ltd. Security login methods and systems for WiFi hotspots
20240104 X2023980054833 Guangzhou Kangpusi Network Technology Co.,Ltd. Security login methods and systems for WiFi hotspots
20240104 X2023980054832 Guangdong Digital Smart City Technology Co.,Ltd. Security login methods and systems for WiFi hotspots
20240104 X2023980054831 Guangdong Runyu Information Technology Co.,Ltd. Security login methods and systems for WiFi hotspots
20240110 X2024980000442 Hefei Baihe Intelligent Technology Co.,Ltd. Security login methods and systems for WiFi hotspots
20240306 X2024980002510 Guangzhou Love Time Information Technology Co.,Ltd. Security login methods and systems for WiFi hotspots