Summary of the invention
Embodiments of the present invention provide a method and a device for wireless network access authentication based on CPK (combined public key) identity authentication, in order to solve the problems of the prior art.
Embodiments provide a method of wireless network access authentication, comprising:
the wireless user equipment end is integrated with a CPK Key, and the access authentication request information it sends to the wireless controller end carries CPK signed data over the unique feature code of the wireless user equipment;
the wireless controller end verifies the access authentication request received from the wireless user equipment end: it first judges whether the access authentication request information contains CPK signed data and refuses access if it does not; if it does, it judges whether the feature code in the CPK signed data is a feature code authorized at the wireless controller end, refuses the wireless user equipment access to the network if it is not, and allows access if it is;
the wireless controller end provides a convenient and flexible interface for changing the "authorized feature code table", including adding an authorized feature code or deleting an already authorized feature code through the super-administrator's network management software on a PC.
Embodiments of the present invention additionally provide a wireless user equipment end, comprising:
a CPK Key integration unit, which completes the data exchange with the CPK Key and signs the wireless user equipment feature code with the private key held in the CPK Key;
a CPK identity authentication access request unit, which integrates the data signed with the CPK private key into the network access authentication flow sent to the wireless controller end.
Embodiments of the present invention additionally provide a wireless controller end, comprising:
a CPK identity receiving unit, which receives the network access authentication request information sent by each wireless user equipment end and judges whether the access authentication request information contains CPK signed data;
a CPK identity verification unit, which verifies whether the received CPK signed data comes from a legitimate CPK Key authorized by the administrator;
a CPK identity management unit, which provides the super-administrator with an interface for adding or deleting authorized CPK identities.
With the wireless network access authentication method and device provided by the embodiments of the present invention, the wireless controller end accepts only access requests from wireless user equipment ends that hold a legitimate CPK authorization. The CPK Key thus becomes the user's sole basis for accessing the network, which avoids the security risk created when all users access the network with one shared password, and lays the foundation for using the CPK identity as the identity label of the user's future network activity.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below in conjunction with the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
Fig. 1 is a flow diagram of the wireless user equipment end method of the wireless network access authentication based on CPK identity authentication provided by one embodiment of the present invention. As shown in Fig. 1, the method comprises:
A CPK Key device is integrated at the wireless user equipment end. The CPK Key device has a built-in cryptographic smart chip with a certain amount of storage space in which the user's private key is stored; owing to the special manufacturing process of the cryptographic smart chip, the user's private key information inside the chip cannot be read out by any method.
The CPK Key can exchange data with existing wireless user equipment through several common hardware interfaces, such as a USB interface, an SD card interface or a SIM card interface.
The CPK key management algorithm uses elliptic curve cryptography to construct a public key matrix and a private key matrix, generating a large number of public/private key pairs from a small number of factors; a mapping algorithm binds the public and private key variables to the user identity, solving the key management problem of identity-based schemes. Concretely, the mapping derived from a user identity selects one entry per column of the matrices: the user's private key is the sum (modulo the curve order) of the selected private matrix entries, and the user's public key is the sum of the corresponding public matrix entries, so any party holding the public matrix can compute a user's public key from the identity alone.
The CPK cryptosystem has the following features:
Feature 1: key management adopts a pattern of centralized production and distribution with decentralized use and custody, unifying decentralized application with central control; it is controllable and manageable, convenient for building a top-down trust system, and lays a foundation for implementing macro-management;
Feature 2: data is encrypted with the public key and decrypted with the private key;
Feature 3: data is signed with the private key (digital signature) and the digital signature is verified with the public key.
After the CPK Key is integrated at the wireless user equipment end, the feature code of the wireless user equipment is digitally signed with the private key of the CPK Key; these feature codes include but are not limited to the physical MAC address, the organizationally unique identifier (OUI), the identification number of the CPK Key, or the factory device serial number (SN). The signed data is then sent to the wireless controller end together with its access authentication request information.
Fig. 2 shows the WPA-PSK authentication flow of current standard WiFi. At the wireless user equipment end it is divided into three steps: probe request, link authentication request and association request. As long as these three steps succeed, a standard WiFi user equipment can connect to the wireless controller and access the internet.
Fig. 3 is a flow diagram of the wireless controller end method of the wireless network access authentication based on CPK identity authentication provided by one embodiment of the present invention. As shown in Fig. 3, the method comprises:
Step 301: the wireless controller end verifies the access authentication request received from the wireless user equipment end and judges whether the authentication request information contains CPK signed data; if it does not, the device is refused access to the network; if it does, the signature is verified and the wireless user equipment feature code is recovered.
Specifically, step 301 is shown in Fig. 4. In accordance with the CPK system's property of "private key signs, public key verifies", the wireless controller end uses the CPK public key algorithm to verify (in the patent's wording, "decrypt") the CPK signed data in the access authentication request. If verification succeeds and the wireless user equipment feature code is recovered, the access authentication request information contains CPK signed data; if the signed data cannot be verified, the request information is treated as not containing CPK signed data, and network access is refused.
Step 302: the wireless controller end queries whether its "authorized feature code table" contains the wireless user equipment feature code that was received and verified; if it does not, the device is refused access to the network; if it does, the device is allowed access.
Specifically, step 302 is shown in Fig. 5. After the wireless controller end has successfully verified and recovered the wireless user equipment feature code, it queries whether its "authorized feature code table" contains that feature code. If it does, the wireless user equipment end is legitimate and is allowed access to the network; if the received and verified feature code cannot be found in the "authorized feature code table", the wireless user equipment end is illegitimate or temporarily unauthorized, and is refused access to the network. Note that a valid signature alone therefore never grants access: the signature establishes which CPK Key made the request, and the table decides whether that Key is currently authorized.
The "authorized feature code table" of the wireless controller end may be accessed and managed only by an authorized administrator with super privileges; an ordinary authorized user has only the right to access the network and no right to modify the "authorized feature code table".
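The combined-key construction from the key matrices, the device-side signing of the feature code, and the two controller checks of steps 301 and 302 (including the administrator-only table interface) are shown together below as an added worked example; it is not the patent's own code. Everything beyond the text is an assumption chosen so the block runs offline: secp256k1 as the curve, a tiny 8 by 4 key matrix, SHA-256 as the identity mapping, a Schnorr-style signature in place of whatever signature scheme a real CPK Key uses, the CPK Key identification number (EA) as the feature code, and the names WirelessController, authorise, revoke and handle_access_request.

```python
# Added example (not the patent's code): a miniature CPK-style access check.
# Assumed: secp256k1, an 8x4 key matrix, SHA-256 identity mapping, a
# Schnorr-style signature, and the CPK Key ID (e.g. "EA") as the feature code.
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ROWS, COLS = 8, 4  # toy matrix size; a real CPK matrix is far larger

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the identity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc

def key_center_setup(seed):
    """Key management centre: secret scalar matrix SKM and public matrix PKM = SKM * G."""
    skm = [[int.from_bytes(hashlib.sha256(f"{seed}|{r}|{c}".encode()).digest(), "big") % N
            for c in range(COLS)] for r in range(ROWS)]
    return skm, [[ec_mul(s, G) for s in row] for row in skm]

def mapping(identity):
    """Mapping algorithm: the identity hash selects one row in every column."""
    digest = hashlib.sha256(identity.encode()).digest()
    return [(digest[c] % ROWS, c) for c in range(COLS)]

def derive_private(skm, identity):
    """Combined private key (what the centre loads into the user's CPK Key)."""
    return sum(skm[r][c] for r, c in mapping(identity)) % N

def derive_public(pkm, identity):
    """Combined public key: the same selection summed over the public matrix."""
    pub = None
    for r, c in mapping(identity):
        pub = ec_add(pub, pkm[r][c])
    return pub

def _challenge(r_point, pub, msg):
    data = b"".join(v.to_bytes(32, "big") for v in (r_point[0], pub[0], pub[1])) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(priv, msg):
    """'Private key signs': Schnorr-style signature (R, s)."""
    k = secrets.randbelow(N - 1) + 1
    r_point = ec_mul(k, G)
    return r_point, (k + _challenge(r_point, ec_mul(priv, G), msg) * priv) % N

def verify(pub, msg, sig):
    """'Public key verifies': s*G == R + e*pub."""
    r_point, s = sig
    return ec_mul(s, G) == ec_add(r_point, ec_mul(_challenge(r_point, pub, msg), pub))

def build_access_request(priv, feature_code):
    """Device end (units 701/702): sign the feature code and attach it to the request."""
    return {"cpk": {"feature_code": feature_code, "sig": sign(priv, feature_code.encode())}}

class WirelessController:
    """Controller end: step 301, step 302 and the administrator-only table interface."""

    def __init__(self, pkm):
        self.pkm = pkm           # public matrix published by the key centre
        self.authorised = set()  # the "authorised feature code table"

    def authorise(self, feature_code):   # unit 803: super-administrator adds an entry
        self.authorised.add(feature_code)

    def revoke(self, feature_code):      # unit 803: super-administrator deletes an entry
        self.authorised.discard(feature_code)

    def handle_access_request(self, request):
        cpk = request.get("cpk")
        if cpk is None:                  # step 301: no CPK signed data at all
            return "refuse: no CPK signed data"
        code = cpk["feature_code"]       # public key is derived from the claimed code
        if not verify(derive_public(self.pkm, code), code.encode(), cpk["sig"]):
            return "refuse: CPK signature invalid"
        if code not in self.authorised:  # step 302: table lookup
            return "refuse: feature code not authorised"
        return "allow"
```

The controller never stores per-device public keys: it derives the key of the claimed feature code from the public matrix, so a device can only produce a valid signature for an identity whose combined private key it actually holds, and revocation is a plain table edit. Because the signed message here is only the static feature code, exactly as the text describes, a captured request would verify again if replayed; a deployment would have the controller issue a fresh nonce in the link authentication step and include it in the signed data, which is an addition not taken from the patent.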
The wireless network access authentication method provided by the embodiments of the present invention embeds a CPK digital signature authentication flow into the WPA-PSK authentication flow of standard WiFi, so that the access authentication process is optimized into four steps: probe request, link authentication request, CPK identity authentication request and association request, as shown in Fig. 6. After the optimization, a wireless user equipment end can access the network only after successfully completing all four steps; the optimized access authentication flow is therefore more secure and trustworthy, and also paves the way for later making access users manageable and traceable.
The wireless network access authentication method provided by the embodiments of the present invention is not limited to optimizing the WPA-PSK authentication flow of standard WiFi; the authentication flows of other wireless networks (such as Bluetooth, ZigBee, etc.) can also be strengthened with CPK identity authentication according to the same principle.
The wireless user equipment end provided by the embodiments of the present invention, as shown in Fig. 7, comprises:
a CPK Key integration unit 701, which exchanges data with the CPK Key through a common USB interface, SD card interface or SIM card interface,
and signs the wireless user equipment feature code with the private key of the CPK Key; these feature codes include but are not limited to the physical MAC address, the organizationally unique identifier (OUI), the identification number of the CPK Key, or the factory device serial number (SN);
a CPK identity authentication access request unit 702, which integrates the data signed with the CPK private key into the network access authentication flow sent to the wireless controller end.
For example, when the CPK Key integration unit 701 is integrated with a CPK Key whose identification number is EA, the CPK identity authentication access request unit 702 signs the identification number EA with the CPK private key and integrates the signed data into the network access authentication flow sent to the wireless controller end.
The wireless controller end provided by the embodiments of the present invention, as shown in Fig. 8, comprises:
a CPK identity receiving unit 801, which receives the network access authentication request information sent by each wireless user equipment end and judges whether the access authentication request information contains CPK signed data. In accordance with the CPK system's property of "private key signs, public key verifies", the CPK identity receiving unit 801 verifies the signed data with the CPK public key; if verification succeeds and the wireless user equipment feature code is recovered, the access authentication request information contains CPK signed data; if the signed data cannot be verified, the request information is treated as not containing CPK signed data, and network access is refused.
a CPK identity verification unit 802, which verifies whether the received CPK signed data comes from a legitimate CPK Key authorized by the administrator. After the CPK identity receiving unit 801 has successfully verified and recovered the wireless user equipment feature code, the CPK identity verification unit 802 queries whether the "authorized feature code table" of the wireless controller end contains that feature code; if it does, the wireless user equipment end is legitimate and is allowed access to the network; if the received and verified feature code cannot be found in the "authorized feature code table", the wireless user equipment end is illegitimate or temporarily unauthorized, and is refused access to the network.
For example, if the CPK identity receiving unit 801 receives network access authentication request information sent by a wireless user equipment end and recovers from it the identification number EA, the CPK identity verification unit 802 next judges whether the identification number EA is present in the "authorized feature code table". If the "authorized feature code table" does not contain EA, the network access request of this wireless user equipment end is refused; if it does, the device is allowed access to the network.
a CPK identity management unit 803, which provides the super-administrator with a human-machine interface for adding or deleting authorized CPK identities.
For example, when, owing to a job change, the employee holding the CPK Key with identification number EA no longer needs to access the network, the super-administrator deletes the identification number EA from the "authorized feature code table" through the convenient human-machine interface provided by the CPK identity management unit 803; the employee holding the CPK Key with identification number EA can then no longer access the network through this wireless controller end, even though the Key itself still produces valid signatures.
The above are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto. Any changes or substitutions that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.