CN106330828B - Network security access method and terminal equipment - Google Patents

Info

Publication number
CN106330828B
Authority
CN
China
Prior art keywords
network access
access point
network
authentication server
party authentication
Prior art date
Legal status
Active
Application number
CN201510358818.5A
Other languages
Chinese (zh)
Other versions
CN106330828A (en)
Inventor
周瑞建
Current Assignee
Leadcore Technology Co Ltd
Datang Semiconductor Design Co Ltd
Original Assignee
Leadcore Technology Co Ltd
Datang Semiconductor Design Co Ltd
Priority date
Filing date
Publication date
Application filed by Leadcore Technology Co Ltd and Datang Semiconductor Design Co Ltd
Priority to CN201510358818.5A
Publication of CN106330828A
Application granted
Publication of CN106330828B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
                        • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
                        • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W12/08 Access security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a network security access method, a terminal device and an authentication server. In an embodiment, before the terminal accesses the network through a network access point, a third-party authentication server verifies the network access point, and the terminal accesses the network only through a network access point that the third-party authentication server has authenticated. Because the terminal is connected to the network through the access point only after the third-party authentication server has judged it to be a legal access point, the security risk that arises when a terminal connects directly through an access point whose identity it cannot verify is resolved.

Description

Network security access method and terminal equipment
Technical Field
The present invention relates to the field of communications, and in particular, to a method, a terminal device, and an authentication server for secure network access in the field of communications.
Background
With the development of science and technology, network technology is applied ever more widely. But the network environment is also becoming more complex: computers are vulnerable to attacks and spoofing at the link layer and the network layer, and network security must be considered by every network device manufacturer.
When a terminal accesses the network over WiFi, it can distinguish access points only by their SSID (Service Set Identifier), so others can easily forge a WiFi hotspot and lure the user into connecting, which creates a serious hidden danger to the security of the user terminal. Typical attacks are: 1. forging a target AP (network access point) to obtain the user's WiFi password; 2. forging a target AP to intercept and capture the user's transmitted data, or even to forge Domain Name System (DNS) responses and lead the user to a phishing website; 3. attacking the user terminal directly through the forged AP.
The prior art has no effective means of confirming the authenticity and security of an AP. In addition, once the network has been accessed, the terminal does not provide enough information to confirm the security level of the network. For applications with high security requirements, whether the environment is safe can be confirmed only manually, which is very unreliable.
Disclosure of Invention
The invention aims to provide a network security access method, a terminal device and an authentication server that resolve the security risk caused by the inability to judge the authenticity of a network access point's identity when a conventional wireless network is accessed.
To solve the above technical problem, the present invention provides a network security access method comprising the following steps: before the terminal accesses the network through a network access point, a third-party authentication server verifies the network access point; the terminal accesses the network only through a network access point authenticated by the third-party authentication server.
The present invention also provides a terminal device comprising: an access module, which initiates a request to the network access point to access the network and then waits for the third-party authentication server's verification result for that access point; a receiving module, which receives the verification result from the third-party authentication server; a detection module, which checks the identity validity of the third-party authentication server from the verification result received by the receiving module and, once the server's identity is judged legal, judges the validity of the network access point from the verification result; the access module further accesses the network through the network access point after the detection module has judged the access point legal.
The present invention also provides an authentication server comprising: a registration module, which issues a private key to each network access point that registers successfully; an authentication request receiving module, which receives verification requests from network access points; a verification module, which checks whether a verification request is valid: it detects whether the request is encrypted with an issued private key and, if not, the verification fails; if the request is encrypted with an issued private key, the module judges the validity of the request from the connection parameters carried in it; and a feedback module, which sends the verification module's result to the terminal device that initiated the network access request.
Compared with the prior art, the embodiments of the invention let the third-party authentication server judge whether the network access point is a legal access point before the terminal accesses the network through it, thereby resolving the security risk caused by the terminal's inability to judge the authenticity of the access point's identity when it connects directly through the access point.
In addition, the step in which the third-party authentication server verifies the network access point before the terminal accesses the network through it comprises the following substep: after initiating a request to the network access point to access the network, the terminal waits for the third-party authentication server's verification result for the access point. The step in which the terminal accesses the network only through an authenticated access point comprises the following substeps: after receiving the verification result from the third-party authentication server, the terminal checks the identity validity of the third-party authentication server; if the server's identity is legal, the terminal judges the legality of the network access point from the verification result; and if the access point is judged legal, the terminal accesses the network through it. Whether the terminal accesses the network through the access point is thus decided by judging both the identity of the third-party authentication server and the legality of the access point: the terminal connects only when both are legal, which resolves the security risk that arises when a terminal accessing a conventional network through an access point cannot judge the authenticity of the access point's identity.
In addition, the method further comprises: after the terminal has initiated a request to the network access point to access the network, if it receives a request to enter the network password, it enters the password only after judging that the network access point is legal. Entering the password only after the access point has been judged legal effectively prevents a forged access point from tricking the terminal into revealing the network password.
In addition, the third-party authentication server verifies the network access point as follows: it issues a private key in advance to each network access point that registers successfully; when it receives a verification request from a network access point, it detects whether the request is encrypted with an issued private key and, if not, the verification fails; if the request is encrypted with an issued private key, it judges the validity of the request from the connection parameters carried in the request. Judging the validity of the request from its connection parameters after confirming that it was encrypted with an issued private key further ensures the reliability and authenticity of the verification result.
In addition, after initiating the request to access the network and before waiting for the verification result, the method further includes: the terminal detects whether the currently configured network security requirement is to force access to a secure network. If so, the terminal proceeds to wait for the third-party authentication server's verification result for the network access point; if not, the terminal proceeds directly with the network access process after initiating the request. After the terminal has accessed the network, it displays a network access icon corresponding to the security level of the network access point: access points verified by the third-party authentication server have a high security level, access points not verified by it have a low security level, and different security levels correspond to different network access icons. This resolves the problem that the terminal does not distinguish the security level of the wireless network it has accessed, so that network applications on the terminal can judge from the icon whether the accessed network is secure.
In addition, a trust list comprising the root certificate of at least one trusted third-party authentication server is stored in the terminal in advance. The step in which the third-party authentication server verifies the network access point comprises: the third-party authentication server issues its certificate to each network access point that registers successfully. The step in which the terminal accesses the network only through an authenticated access point comprises: after initiating a request to the network access point to access the network, the terminal receives a response message from the access point; the terminal performs a computation on the certificate carried in the response message to judge whether that certificate is in its trust list; if it is, the terminal judges the network access point legal and accesses it. Because the third-party authentication server issues its certificate to each successfully registered access point, the terminal can judge the access point legal, and access it, by computing on the certificate carried in the response and finding it in the trust list.
In addition, a trust list comprising the root certificate of at least one trusted certification authority is stored in the terminal in advance. In the step of detecting the identity validity of the third-party authentication server, the terminal performs a computation on the certificate issued by the third-party authentication server and judges whether that certificate is in its trust list, thereby detecting the server's identity validity. The server's identity is verified by judging that the issued certificate is consistent with the trusted certification authority's root certificate pre-stored in the terminal, that is, that the issued certificate is in the terminal's trust list. This prevents the authentication server from being counterfeited, further ensures the security of the network access point, and the verification is simple and easy to implement.
Drawings
Fig. 1 is a flow chart of a network security access method according to a first embodiment of the present invention;
Fig. 2 is a schematic diagram of the network connection state that results when the network access point and the third-party authentication server are forged, according to the first embodiment of the present invention;
Fig. 3 is a schematic diagram of the network connection state with a forged network access point according to the first embodiment of the present invention;
Fig. 4 is a state diagram of network security access according to the first embodiment of the present invention;
Fig. 5 is a flowchart of a network security access method according to a second embodiment of the present invention;
Fig. 6 is a schematic configuration diagram of a terminal device according to a fourth embodiment of the present invention;
Fig. 7 is a schematic configuration diagram of an authentication server according to a fifth embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in detail below with reference to the accompanying drawings. Those of ordinary skill in the art will appreciate that numerous technical details are set forth so that the embodiments can be better understood; the technical solutions claimed in the present application can, however, be implemented without these technical details and with various changes and modifications to the following embodiments.
The embodiment of the invention provides a network security access method in which, before a terminal accesses a network through a network access point, a third-party authentication server verifies the network access point, and the terminal accesses the network only through a network access point authenticated by the third-party authentication server. This resolves the security risk caused by the fact that, when a terminal connects directly to a network through an access point, the authenticity of the access point's identity cannot be known. The present application is explained in further detail below.
The first embodiment of the invention relates to a network security access method; the specific flow is shown in Fig. 1.
In step 101, after initiating a request to the network access point to access the network, the terminal waits for the third-party authentication server's verification result for the network access point.
Here a third-party authentication server is a server that enables secure communication between entities that do not know each other: it can generate messages that prove the identity of one entity to another. After the terminal initiates a request to the network access point to access the network, the network access point sends a verification request to the third-party authentication server, asking it to verify the access point's validity. The third-party authentication server can confirm to the terminal whether the identity of the network access point is legal or illegal, and the terminal waits for this verification result.
It should be noted that, after the terminal initiates the access request, the network access point must send a verification request to the third-party authentication server. Specifically, the third-party authentication server issues a private key to each registered network access point. If the network access point has obtained a private key (which indicates that it has completed authentication and become a legal access point), it encrypts the connection parameters with that private key and transfers them over HTTPS to a Portal page of the third-party authentication server, and the verification request is thereby initiated at the third-party authentication server. The connection parameters include parameters of the terminal itself, such as the terminal identification number and the time at which the connection was requested. The terminal identification number lets the third-party authentication server subsequently send the verification result to the terminal; the connection request time prevents a network access point from sending an intercepted connection request to the server in order to trick the terminal out of its password.
If the network access point does not send a verification request to the third-party authentication server, the terminal cannot receive a verification result for the access point. Therefore, if the terminal does not receive the third-party authentication server's verification result within a preset time after initiating the access request, the terminal must disconnect from the network access point, that is, stop the network access process.
Step 102 is then performed: after receiving the verification result from the third-party authentication server, the terminal determines whether the identity of the third-party authentication server is legal. If it is, step 103 is entered; if not, step 105 is entered.
A trust list comprising the root certificate of at least one trusted third-party authentication server is pre-stored in the terminal. In the step of detecting the identity validity of the third-party authentication server, the terminal performs a computation on the certificate carried in the verification result and judges whether that certificate is in its trust list; if the third-party authentication server is found in the trust list, its identity is judged legal.
Specifically, the terminal performs the computation on the certificate carried in the verification result and, using a built-in comparison module, compares it with the root certificates in the trust list. If the certificate is in the trust list, the identity of the third-party authentication server is legal; if it is not, the identity is illegal (as shown in Fig. 2). Because a forged third-party authentication server certificate is not accepted, a verification result carrying a forged certificate is not accepted by the terminal; whenever the server's identity is determined to be illegal, step 105 is entered.
In addition, the terminal manufacturer stores the certificates of legitimate third-party certification authorities in the terminal. After the terminal has successfully accessed the network through a network access point, these pre-stored certificates can be updated online. The online update offered by the terminal may be automatic or manual, and a corresponding control is provided in the settings interface so that the user can choose automatic or manual updating as needed. The updated certificates are stored in the terminal and used as the legitimate certification authority certificates the next time the terminal accesses a network through a network access point, further ensuring the security of network access.
In step 103, the terminal determines from the verification result whether the network access point is legal. If it is, step 104 is entered; if not, step 105 is entered.
Specifically, the third-party authentication server feeds back its verification result for the network access point to the terminal. On receiving a verification request from the network access point, the third-party authentication server detects whether the request is encrypted with an issued private key; if not, the verification fails. If the request is encrypted with an issued private key, the server judges the validity of the request from the connection parameters carried in it.
As shown in Fig. 3, if, after the terminal initiates the access request, the network access point has not obtained a private key, the third-party authentication server's verification result for the access point is illegal, that is, the verification does not pass. The network access point is then illegal and is regarded as a fake network access point; the verification result received by the terminal from the third-party authentication server is a verification failure, the terminal disconnects from the network access point, and step 105 is entered.
In step 104, the terminal accesses the network through the network access point.
As shown in Fig. 4, after the terminal initiates the access request, if the received determination is that the identity of the third-party authentication server is legal, the terminal then determines from the third-party authentication server's result whether the network access point is legal; if the network access point is also legal, the terminal confirms the connection with the network access point.
In step 105, the terminal terminates the network access process and disconnects from the network access point.
It should be noted that, after the terminal initiates the access request, if it receives a request to enter the network password, it enters the password only after determining that the network access point is legal. If the password entered after the access point has been judged legal matches the pre-stored password, the terminal accesses the network through the access point once the connection confirmation operation is received; if the entered password does not match the pre-stored password, the terminal terminates the network access process. Entering the password only after the access point has been judged legal effectively prevents a forged access point from tricking the terminal into revealing the network password.
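The flow of steps 101 to 105 as an added simulation in Python (example code written for this page, not code from the patent or its assignees): the access point protects its connection parameters with the key the server issued at registration, the server rejects a request that lacks an issued key or carries a stale request time, and the terminal checks the server's certificate against its trust list before it reads the verdict, disconnecting when no result arrives at all. The page's "encryption with the issued private key" and the server's signature over the result are both modelled with HMAC from the standard library, so the trust list here keeps a verification key beside each certificate fingerprint where a real terminal would use the public key in the root certificate; the freshness window, identifiers and certificate contents are constructed values.

```python
import hashlib
import hmac
import json
import secrets

FRESHNESS_WINDOW = 30.0  # seconds a connection request stays valid (constructed value)

# Outcomes a terminal can reach; step numbers follow Fig. 1 of the page.
CONNECT = "step 104: access point legal, connect (the password may now be entered)"
NO_RESULT = "step 105: no verification result within the preset time, disconnect"
UNTRUSTED_SERVER = "step 105: authentication server not in trust list, disconnect"
AP_ILLEGAL = "step 105: access point judged illegal by the server, disconnect"


def fingerprint(cert: bytes) -> str:
    """The 'calculation on the certificate': a SHA-256 fingerprint looked up in the trust list."""
    return hashlib.sha256(cert).hexdigest()


def mac(key: bytes, data: bytes) -> str:
    """HMAC stand-in for both the issued-key protection and the server's signature."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_request(ap_id: str, issued_key, terminal_id: str, request_time: float) -> dict:
    """Access point side: connection parameters protected with the key issued at registration.
    An access point that never registered has no issued key and can only use a made-up one."""
    params = json.dumps({"terminal_id": terminal_id, "request_time": request_time})
    return {"ap_id": ap_id, "params": params, "mac": mac(issued_key or b"made-up-key", params.encode())}


class AuthServer:
    """Third-party authentication server: registers access points and verifies their requests."""

    def __init__(self, subject: str):
        self.cert = json.dumps({"subject": subject}).encode()  # stand-in for the server certificate
        self.signing_key = secrets.token_bytes(32)             # stand-in for the certificate's private key
        self._issued = {}                                      # ap_id -> key issued at registration

    def register(self, ap_id: str) -> bytes:
        """Issue a key to a successfully registered access point (the page's 'private key')."""
        self._issued[ap_id] = secrets.token_bytes(32)
        return self._issued[ap_id]

    def verify(self, request: dict, now: float) -> dict:
        """Check the issued key first; only then judge the connection parameters."""
        params = json.loads(request["params"])
        key = self._issued.get(request["ap_id"])
        legal = key is not None and hmac.compare_digest(
            request["mac"], mac(key, request["params"].encode()))
        # The request time bounds how long a captured request can be presented to the server.
        if legal:
            legal = 0.0 <= now - params["request_time"] <= FRESHNESS_WINDOW
        result = json.dumps({"terminal_id": params["terminal_id"],
                             "ap_id": request["ap_id"], "legal": legal}).encode()
        # The verdict names the requesting terminal and is signed by the server.
        return {"cert": self.cert, "result": result, "sig": mac(self.signing_key, result)}


class Terminal:
    """Terminal holding a trust list: certificate fingerprint -> verification key (stand-in)."""

    def __init__(self, terminal_id: str, trust_list: dict):
        self.terminal_id = terminal_id
        self.trust_list = trust_list

    def decide(self, result) -> str:
        """Steps 101 to 105 from the terminal's point of view."""
        if result is None:  # step 101: nothing arrived within the preset time
            return NO_RESULT
        verify_key = self.trust_list.get(fingerprint(result["cert"]))  # step 102
        if verify_key is None or not hmac.compare_digest(
                result["sig"], mac(verify_key, result["result"])):
            return UNTRUSTED_SERVER
        verdict = json.loads(result["result"])  # step 103
        if verdict["terminal_id"] != self.terminal_id or not verdict["legal"]:
            return AP_ILLEGAL
        return CONNECT


def demo() -> dict:
    """Constructed scenarios: registered AP, forged AP, missing result, rogue server, replay."""
    server = AuthServer("trusted-auth-server")
    rogue = AuthServer("rogue-auth-server")  # vouches for its own AP but is not in the trust list
    terminal = Terminal("TERM-0001", {fingerprint(server.cert): server.signing_key})
    good_key = server.register("ap-registered")
    rogue_key = rogue.register("ap-rogue")
    now = 1_700_000_000.0

    def attempt(auth, ap_id, key, request_time=now, result_arrives=True):
        request = build_request(ap_id, key, terminal.terminal_id, request_time)
        return terminal.decide(auth.verify(request, now) if result_arrives else None)

    return {
        "registered_ap": attempt(server, "ap-registered", good_key),
        "forged_ap": attempt(server, "ap-forged", None),
        "no_result": attempt(server, "ap-registered", good_key, result_arrives=False),
        "rogue_server": attempt(rogue, "ap-rogue", rogue_key),
        "replayed_request": attempt(server, "ap-registered", good_key, now - FRESHNESS_WINDOW - 1),
    }
```

`demo()` returns the outcome reached in each scenario; only the registered access point vouched for by the trusted server within the freshness window leads to step 104.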
The second embodiment of the present invention relates to a network security access method and is an improvement on the first embodiment. The main improvement is that the terminal grades the security of the wireless network it accesses, and network access points of different security levels correspond to different network access icons (for example, icons of different colours), so that network applications on the terminal can determine from the colour of the icon whether the accessed network is secure.
As shown in Fig. 5, in step 501 it is determined whether the currently configured network security requirement is to force access to a secure network. If so, step 502 is entered; otherwise step 507 is entered.
Specifically, if the current network security requirement does not force access to a secure network, the terminal is allowed to access a network with a low security level and step 507 may be entered. If the current requirement forces access to a secure network, the terminal is required to access a network with high security; it cannot then connect directly through the network access point, the access point must be verified before the network is accessed, and the process proceeds to step 502.
In step 502, after initiating a request to the network access point to access the network, the terminal waits for the third-party authentication server's verification result for the network access point.
Steps 502 to 504 of this embodiment are the same as steps 101 to 103 of the first embodiment and are not described again here.
In step 505, the terminal accesses the network through the network access point and displays the corresponding network access icon.
In step 506, the terminal terminates the network access process.
This step is the same as step 105 of the first embodiment and is not described again here.
In step 507, the terminal proceeds directly with the network access process after initiating a request to the network access point to access the network.
In step 508, a network access icon corresponding to the security level of the network access point is displayed.
A network access point verified by the third-party authentication server has a high security level, one not verified by the third-party authentication server has a low security level, and different security levels correspond to different network access icons (such as icons of different colours).
For example, if the network access point has a high security level, the network access icon may be displayed in green with the words "trusted WiFi" below it; if it has a low security level, the icon may be displayed in red with the words "untrusted WiFi" below it. The colours are not limited to red and green; any colours that can be visually distinguished may be used. Likewise the words are not limited to "trusted WiFi" and "untrusted WiFi" and may instead name the level, such as "first-level security network" for a network access point with a high security level and "second-level security network" for one with a low security level.
A third embodiment of the present invention relates to a method for network security access. The main difference from the first and/or second embodiment is that, in the third embodiment, the third-party authentication server issues its own certificate directly to the network access point that has successfully registered, and the terminal verifies the validity of that certificate.
In this embodiment, a trust list is stored in the terminal in advance; it comprises the root certificate of at least one trusted third-party authentication server. The third-party authentication server issues its certificate to each network access point that has successfully registered.
After initiating a request to access the network through a network access point, the terminal receives a response message from the access point and computes over the certificate carried in that message to judge whether the certificate is in its trust list.
The computation over the certificate is performed by a built-in calculation module, and a built-in judgment module checks whether the calculation result is in the terminal's trust list. If the result is in the trust list, that is, the certificate is judged to be in the trust list, the network access point is judged legal and the terminal accesses it; if the result is not in the trust list, that is, the certificate is judged not to be in the trust list, the network access point is judged illegal and the network access process is disconnected.
In this embodiment, the third-party authentication server issues its certificate to successfully registered network access points, and the terminal, by computing over the certificate carried in the response message, judges whether that certificate is in its trust list before judging the network access point legal and accessing it. This resolves the security risk that a terminal accessing the network directly through a network access point cannot judge the authenticity of the access point's identity.
The steps of the above methods are divided for clarity of description; in implementation they may be combined into one step, or a step may be split into several, and any division that preserves the same logical relationship falls within the protection scope of this patent. Adding insignificant modifications to the algorithms or processes, or introducing insignificant design changes that do not alter the core design, also falls within the scope of this patent.
A fourth embodiment of the present invention relates to a terminal device, as shown in fig. 6, comprising:
an access module, used to initiate a request for accessing the network to the network access point and, after initiating that request, to wait for the third-party authentication server's verification result for the network access point;
a receiving module, used to receive the verification result from the third-party authentication server;
a detection module, used to detect the identity validity of the third-party authentication server according to the verification result received by the receiving module and, after judging that the identity of the third-party authentication server is legal, to judge the validity of the network access point according to the verification result;
the access module is further used to access the network through the network access point after the detection module judges that the network access point is legal.
Further, the access module comprises:
a judgment submodule, used to judge, after a request for accessing the network has been initiated to the network access point, whether a password input request for accessing the network is received; and
a password input submodule, used to input the password for accessing the network after the judgment submodule judges that the password input request was received and the detection module judges that the network access point is legal.
In this embodiment, the validity of the network access point is judged only after the identity of the third-party authentication server has been determined to be legitimate. If the network access point is legal, the terminal accesses the network through it, which resolves the security risk that a terminal accessing a traditional network through a network access point cannot judge the authenticity of the access point's identity; requiring a password for network access additionally prevents illegal use and prevents illegal network access points from accessing the network.
It should be understood that this embodiment is a system example corresponding to the first embodiment, and may be implemented in cooperation with the first embodiment. The related technical details mentioned in the first embodiment are still valid in this embodiment, and are not described herein again in order to reduce repetition. Accordingly, the related-art details mentioned in the present embodiment can also be applied to the first embodiment.
It should be noted that each module referred to in this embodiment is a logical module, and in practical applications, one logical unit may be one physical unit, may be a part of one physical unit, and may be implemented by a combination of multiple physical units. In addition, in order to highlight the innovative part of the present invention, elements that are not so closely related to solving the technical problems proposed by the present invention are not introduced in the present embodiment, but this does not indicate that other elements are not present in the present embodiment.
A fifth embodiment of the present invention relates to an authentication server, as shown in fig. 7, comprising:
a registration module, used to issue a private key to each network access point that has successfully registered;
an authentication request receiving module, used to receive a verification request from a network access point;
a verification module, used to verify whether the verification request is valid: it detects whether the verification request is encrypted with an issued private key, and if not, verification fails; if the verification request is encrypted with an issued private key, it judges the validity of the request according to the connection parameters carried in it; and
a feedback module, used to send the verification module's result to the terminal device that initiated the network access request.
In this embodiment, the validity of a verification request is judged from whether it is encrypted with an issued private key and from the connection parameters it carries. This resolves the security risk that a terminal accessing a traditional wireless network through a network access point cannot judge the authenticity of the access point's identity; it also prevents an intercepted connection request from being forwarded to the third-party authentication server to trick the terminal into giving up its password, and thus prevents illegal use or illegal network access points from accessing the network.
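The following is an added example, not code from the patent or its assignees, that models the exchange described in the third, fourth and fifth embodiments with the Python standard library only. Everything in it is a constructed assumption: the "private key" the server issues to an access point is modelled as a per-AP HMAC key, certificates are small dicts, the terminal's trust list holds SHA-256 fingerprints of root certificates, the "connection parameters" are the SSID and BSSID recorded at registration, and the names ExampleAuthCA, CorpWiFi and the MAC addresses are sample values.

```python
# Added example, not the patent's code: a stdlib-only model of the exchange in the
# third, fourth and fifth embodiments. Constructed assumptions: the "private key" the
# server issues to an access point is a per-AP HMAC key, certificates are small dicts,
# the trust list holds SHA-256 fingerprints of root certificates, and "connection
# parameters" are the SSID and BSSID recorded at registration.
import hashlib
import hmac
import json
import secrets

def _canon(obj) -> bytes:
    # Canonical JSON so every party computes over identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def fingerprint(cert: dict) -> str:
    """The 'calculation' the terminal performs on a received certificate."""
    return hashlib.sha256(_canon(cert)).hexdigest()

def auth_tag(key: bytes, body: dict) -> str:
    """Tag over a message body; stands in for the patent's encryption with the issued key."""
    return hmac.new(key, _canon(body), hashlib.sha256).hexdigest()

class AuthServer:
    """Fifth embodiment: registration, verification and feedback modules."""
    def __init__(self, name: str):
        self.cert = {"subject": name, "kind": "root"}  # constructed root certificate
        self._ap_keys = {}    # ap_id -> issued key
        self._ap_params = {}  # ap_id -> connection parameters recorded at registration

    def register_ap(self, ap_id: str, ssid: str, bssid: str) -> bytes:
        key = secrets.token_bytes(32)
        self._ap_keys[ap_id] = key
        self._ap_params[ap_id] = {"ssid": ssid, "bssid": bssid}
        return key

    def verify(self, request: dict) -> dict:
        """Returns the result the feedback module sends to the terminal; it carries
        the server certificate so the terminal can run its trust-list check."""
        ap_id = request.get("ap_id", "")
        key = self._ap_keys.get(ap_id)
        legal = False
        if key is not None:
            body = {k: v for k, v in request.items() if k != "tag"}
            if hmac.compare_digest(auth_tag(key, body), request.get("tag", "")):
                # Authenticated with an issued key; the connection parameters must
                # still match the registration record.
                legal = request.get("params") == self._ap_params[ap_id]
        return {"ap_id": ap_id, "legal": legal, "cert": self.cert}

class AccessPoint:
    """Forwards the terminal's request to the server; key is None for a rogue AP."""
    def __init__(self, ap_id: str, ssid: str, bssid: str, key):
        self.ap_id, self.params, self.key = ap_id, {"ssid": ssid, "bssid": bssid}, key

    def verification_request(self) -> dict:
        body = {"ap_id": self.ap_id, "params": self.params}
        tag = auth_tag(self.key, body) if self.key else ""  # no issued key, no tag
        return {**body, "tag": tag}

class Terminal:
    """Fourth embodiment detection logic, plus the third-embodiment variant."""
    def __init__(self, trusted_roots: list):
        # Trust list stored in advance: fingerprints of trusted root certificates.
        self.trust_list = {fingerprint(c) for c in trusted_roots}

    def server_identity_legal(self, cert: dict) -> bool:
        return fingerprint(cert) in self.trust_list

    def decide(self, result: dict) -> str:
        """Claims 1 and 3: server identity first, then the verdict on the AP."""
        if not self.server_identity_legal(result.get("cert", {})):
            return "terminate"
        return "access" if result.get("legal") else "terminate"

    def decide_from_response(self, response: dict) -> str:
        """Third embodiment: the AP's own response carries the server-issued certificate."""
        return "access" if self.server_identity_legal(response.get("cert", {})) else "terminate"

def connect(terminal: Terminal, ap: AccessPoint, server: AuthServer) -> str:
    # Full exchange: terminal -> AP -> server -> terminal.
    return terminal.decide(server.verify(ap.verification_request()))

def demo_outcomes() -> dict:
    """Runs the constructed scenario and returns the terminal's decision per case."""
    server = AuthServer("ExampleAuthCA")
    key = server.register_ap("ap-1", "CorpWiFi", "00:11:22:33:44:55")
    terminal = Terminal([server.cert])
    cases = {
        "registered": AccessPoint("ap-1", "CorpWiFi", "00:11:22:33:44:55", key),
        "clone_without_key": AccessPoint("ap-1", "CorpWiFi", "00:11:22:33:44:55", None),
        "key_but_other_bssid": AccessPoint("ap-1", "CorpWiFi", "66:77:88:99:aa:bb", key),
    }
    out = {name: connect(terminal, ap, server) for name, ap in cases.items()}
    # A result carrying an unknown server certificate is rejected whatever its verdict.
    out["unknown_server"] = terminal.decide(
        {"ap_id": "ap-1", "legal": True, "cert": AuthServer("UnknownCA").cert})
    out["ap_presents_cert"] = terminal.decide_from_response({"cert": server.cert})
    return out

if __name__ == "__main__":
    for case, decision in demo_outcomes().items():
        print(f"{case:>20}: {decision}")
```

Two points the model makes visible that the text states only in words: the server's two checks are ordered (an unregistered or keyless access point fails before its connection parameters are even looked at, and a registered key presented with parameters that differ from the registration record still fails), and the terminal rejects a result whose certificate is not in its trust list even when that result says the access point is legal. One caveat for anyone turning this into a real design: a certificate is public, so the trust-list membership check alone only tells the terminal which server the result claims to come from; the result itself must also be signed with the private key belonging to that certificate, which this standard-library model does not do.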
Since the fourth embodiment corresponds to the present embodiment, the present embodiment can be implemented in cooperation with the fourth embodiment. The related technical details mentioned in the fourth embodiment are still valid in the present embodiment, and the technical effects that can be achieved in the fourth embodiment can also be achieved in the present embodiment, and are not described herein again in order to reduce the repetition. Accordingly, the related-art details mentioned in the present embodiment can also be applied to the fourth embodiment.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples for carrying out the invention, and that various changes in form and details may be made therein without departing from the spirit and scope of the invention in practice.

Claims (8)

1. A method for secure network access, comprising the steps of:
before the terminal accesses the network through the network access point, the third party authentication server verifies the network access point;
the terminal accesses the network only through the network access point authenticated by the third party authentication server;
before the terminal accesses the network through the network access point, the step of verifying the network access point by the third-party authentication server comprises the following substeps: after initiating a request for accessing a network to a network access point, a terminal waits for a verification result of a third-party authentication server to the network access point;
the step that the terminal accesses the network only through the network access point authenticated by the third party authentication server comprises the following substeps:
after receiving the verification result from the third party authentication server, the terminal detects the identity validity of the third party authentication server;
if the identity of the third party authentication server is legal, judging the legality of the network access point according to the verification result;
if the network access point is judged to be legal, the terminal accesses the network through the network access point;
a trust list is stored in the terminal in advance, and the trust list comprises root certificates of at least one trusted third-party authentication server;
in the step of detecting the identity validity of the third party authentication server, whether the certificate is in a trust list of the terminal is judged by calculating the certificate carried in the verification result;
and if the third party authentication server is judged to be in the trust list, judging that the identity of the third party authentication server is legal.
2. The method for network security access according to claim 1, further comprising the steps of:
after the terminal initiates a request for accessing the network to the network access point, if the terminal receives a password input request for accessing the network, the terminal inputs the password for accessing the network after judging that the network access point is legal.
3. The method for network security access according to claim 1, further comprising the steps of:
and if the identity of the third-party authentication server is illegal or the network access point is judged to be illegal, the terminal terminates the network access process.
4. The method for network security access according to any one of claims 1 to 3, wherein the third party authentication server verifies the network access point by:
the third party authentication server issues a private key to the successfully registered network access point in advance;
when the third party authentication server receives a verification request from a network access point, detecting whether the verification request is a verification request encrypted by the issued private key, if not, the verification fails; and if the verification request is encrypted by the issued private key, judging the validity of the verification request according to the connection parameters carried in the verification request.
5. The method for network security access according to claim 4, wherein before the step of waiting for the verification result of the third-party authentication server on the network access point after the step of initiating the request for network access to the network access point, further comprising:
the terminal detects whether the currently set network security requirement is a forced access security network;
if the network access point is set to be forcibly accessed into the secure network, then entering the step of waiting for the verification result of the network access point by a third-party authentication server after the request for initiating the network access to the network access point is sent;
if the terminal is not set to be forcibly accessed to the secure network, the terminal directly performs a network access process after initiating a network access request to a network access point;
after the terminal accesses the network, displaying a corresponding network access icon according to the security level of the network access point;
the network access point verified by the third party authentication server is a network access point with a high security level, the network access point not verified by the third party authentication server is a network access point with a low security level, and the network access points with different security levels correspond to different network access icons.
6. The method for network secure access according to claim 1, wherein a trust list is pre-stored in the terminal, and the trust list includes a root certificate of at least one trusted third party authentication server;
the step of verifying the network access point by the third-party authentication server comprises the following substeps:
the third party authentication server issues a certificate of the third party authentication server to the network access point which is successfully registered;
the step that the terminal accesses the network only through the network access point authenticated by the third party authentication server comprises the following substeps:
after initiating a request for accessing a network to a network access point, a terminal receives a response message from the network access point;
the terminal judges whether the certificate is in a trust list of the terminal or not by calculating the certificate carried in the response message;
and if the network access point is judged to be in the trust list, judging that the network access point is legal and accessing the network access point.
7. A terminal device, comprising:
the access module is used for initiating a request for accessing the network to the network access point and waiting for the verification result of the third-party authentication server on the network access point after initiating the request for accessing the network;
a receiving module, configured to receive the verification result from a third party authentication server;
the detection module is used for detecting the identity validity of the third-party authentication server according to the verification result received by the receiving module, and judging the validity of the network access point according to the verification result after judging that the identity of the third-party authentication server is legal;
the access module is also used for accessing the network through the network access point after the detection module judges that the network access point is legal;
a trust list is prestored in the terminal equipment, and the trust list comprises root certificates of at least one trusted third-party authentication server;
during the detection of the identity validity of the third party authentication server by the detection module, whether the certificate is in a trust list of the terminal is judged by calculating the certificate carried in the verification result;
and if the third party authentication server is judged to be in the trust list, judging that the identity of the third party authentication server is legal.
8. The terminal device of claim 7, wherein the access module comprises:
the judgment submodule is used for judging whether a password input request for accessing the network is received or not after a request for accessing the network is initiated to the network access point;
and the password input submodule is used for inputting the password for accessing the network after the judgment submodule judges that the password input request is received and the detection module judges that the network access point is legal.
Application number: CN201510358818.5A
Priority date: 2015-06-25
Filing date: 2015-06-25
Title: Network security access method and terminal equipment
Status: Active
Publication: CN106330828B (en)

Publications (2)

Publication Number | Publication Date
CN106330828A (en) | 2017-01-11
CN106330828B (en) | 2020-02-18

Family

ID=57729454

Legal Events

Code | Title
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
EE01 | Entry into force of recordation of patent licensing contract
GR01 | Patent grant

Licensing contract record (EE01):
Application publication date: 20170111
Assignee: Shanghai Li Ke Semiconductor Technology Co., Ltd.
Assignor: Leadcore Technology Co., Ltd.
Contract record no.: 2018990000159
Denomination of invention: Method for network secure access, terminal device and authentication server
License type: Common License
Record date: 20180615