CN106559785B - Authentication method, device and system, access device and terminal - Google Patents

Publication number: CN106559785B
Authority: CN (China)
Prior art keywords: authentication, access, user, equipment, identification
Legal status: Active
Application number: CN201510639360.0A
Other languages: Chinese (zh)
Other versions: CN106559785A (en)
Inventors: 肖扬, 艾水根, 胡杰, 叶华, 郑燕冰
Current Assignee: China Telecom Corp Ltd
Original Assignee: China Telecom Corp Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/08 Access security
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10 Small scale networks; Flat hierarchical networks
    • H04W84/12 WLAN [Wireless Local Area Networks]

Abstract

The invention discloses an authentication method, authentication equipment, an authentication system, access equipment and a terminal. The authentication method comprises the following steps: the authentication equipment receives an authentication request sent by the access equipment in response to an access request of a terminal, wherein the authentication request comprises encrypted user identification information and an access equipment identification; the authentication equipment decrypts the encrypted user identification information to obtain a user identification, and performs matching authentication of the decrypted user identification and the access equipment identification in the authentication request against the recorded mapping information between user identifications and access equipment identifications; and the authentication equipment returns an authentication response to the access equipment according to the matching authentication result so that the access equipment can perform access control on the terminal according to the authentication response. This improves the security of wireless network access.

Description

Authentication method, device and system, access device and terminal
Technical Field
The invention relates to the technical field of mobile internet, in particular to a technology for carrying out access control on portable equipment in a wireless communication network.
Background
WiFi (Wireless Fidelity) access is increasingly widely used because of its convenience and service flexibility, particularly in public service places such as fast food restaurants, coffee shops, hotels, shopping malls, pedestrian streets, universities and scenic spots. In these places a user's mobile terminal can conveniently obtain network access through WiFi, and WiFi service providers can in turn promote their corporate image and products, raise brand awareness, improve service levels and strengthen customer loyalty by offering WiFi access service.
The convenience of WiFi service also creates opportunities for attackers: an illegal wireless access point can be set up so that unsuspecting users connect to the network through it, allowing private user information such as internet account passwords to be stolen, which poses a serious hidden danger to users' information security. Therefore, there is a need to improve the security of WiFi access.
Disclosure of Invention
The embodiment of the invention aims to solve the technical problem that: how to improve the security of WiFi access.
According to an aspect of an embodiment of the present invention, there is provided an authentication method including: the authentication equipment receives an authentication request sent by the access equipment in response to an access request of the terminal, wherein the authentication request comprises encrypted user identification information and an access equipment identification; the authentication equipment decrypts the encrypted user identification information to obtain a user identification, and performs matching authentication of the decrypted user identification and the access equipment identification in the authentication request against the recorded mapping information between user identifications and access equipment identifications; and the authentication equipment returns an authentication response to the access equipment according to the matching authentication result so that the access equipment can perform access control on the terminal according to the authentication response.
In one embodiment, the authentication device establishes mapping information between the user identifier and the access device identifier by adopting the following method: the authentication equipment receives a login request sent by a terminal, wherein the login request comprises encrypted user identification information and an access equipment identification; the authentication device decrypts the encrypted user identification information to obtain a user identification, verifies the user identification obtained by decryption and the user registration information, and verifies the access device identification and the access device registration information in the login request; the authentication device returns a login response to the terminal according to the verification result of the user identifier and the access device identifier, and records mapping information between the user identifier and the access device identifier under the condition that the user identifier and the access device identifier are successfully verified.
In one embodiment, the access device identification is a BSSID (Basic service set identification) of the access device, where one access device may have multiple BSSIDs.
In one embodiment, the user Identification is a user ID (identity), wherein one user ID may be bound to multiple terminal MAC addresses.
According to another aspect of the embodiments of the present invention, there is provided an authentication method, including: the access equipment responds to an access request of the terminal and sends an authentication request to the authentication equipment, the authentication request comprising encrypted user identification information and an access equipment identification, so that the authentication equipment performs matching authentication of the decrypted user identification and the access equipment identification in the authentication request against the recorded mapping information between user identifications and access equipment identifications, and returns a corresponding authentication response according to the matching authentication result; and the access equipment receives the authentication response returned by the authentication equipment and performs access control on the terminal according to the authentication response.
According to another aspect of the embodiments of the present invention, there is provided an authentication method, including: the terminal sends a login request to the authentication equipment, wherein the login request comprises encrypted user identification information and an access equipment identification, so that the authentication equipment can verify the decrypted user identification and the user registration information, verify the access equipment identification in the login request and the access equipment registration information, and return a corresponding login response according to the verification results of the user identification and the access equipment identification; the terminal receives the login response returned by the authentication device, and if the login response indicates that the login is allowed, the terminal sends an access request to the access device for access.
According to still another aspect of an embodiment of the present invention, there is provided an authentication apparatus including: the information receiving unit is used for receiving an authentication request sent by the access equipment in response to an access request of the terminal, wherein the authentication request comprises encrypted user identification information and an access equipment identification; the information decryption unit is used for decrypting the encrypted user identification information to obtain a user identification; the matching authentication unit is used for performing matching authentication of the decrypted user identification and the access equipment identification in the authentication request against the recorded mapping information between user identifications and access equipment identifications; and the information sending unit is used for returning an authentication response to the access equipment according to the matching authentication result so that the access equipment can perform access control on the terminal according to the authentication response.
In one embodiment, the authentication device further comprises a verification unit and an information storage unit, wherein the information receiving unit is further configured to receive a login request sent by the terminal, and the login request includes encrypted user identification information and an access device identification; the information decryption unit is also used for decrypting the encrypted user identification information to obtain a user identification; the verification unit is used for verifying the user identification and the user registration information obtained by decryption and verifying the access equipment identification and the access equipment registration information in the login request; the information sending unit is also used for returning a login response to the terminal according to the verification result of the user identifier and the access equipment identifier; the information storage unit is used for recording mapping information between the user identification and the access equipment identification under the condition that the user identification and the access equipment identification are successfully verified.
According to still another aspect of the embodiments of the present invention, there is provided an access device, including: the information sending unit is used for responding to an access request of the terminal and sending an authentication request to the authentication equipment, wherein the authentication request comprises encrypted user identification information and an access equipment identification, so that the authentication equipment performs matching authentication of the decrypted user identification and the access equipment identification in the authentication request against the recorded mapping information between user identifications and access equipment identifications, and returns a corresponding authentication response according to the matching authentication result; and the information receiving unit is used for receiving the authentication response returned by the authentication equipment and carrying out access control on the terminal according to the authentication response.
According to still another aspect of an embodiment of the present invention, there is provided a terminal including: the information sending unit is used for sending a login request to the authentication equipment, wherein the login request comprises encrypted user identification information and an access equipment identification, so that the authentication equipment can verify the decrypted user identification and the user registration information, verify the access equipment identification and the access equipment registration information in the login request, and return a corresponding login response according to the verification results of the user identification and the access equipment identification; the information receiving unit is used for receiving a login response returned by the authentication equipment; and the access unit is used for sending an access request to the access equipment for access when the login response indicates that the login is allowed.
According to still another aspect of the embodiments of the present invention, there is provided an authentication system, including the above authentication device and the above access device. Further, the terminal is also included.
The invention has at least the following advantages:
Matching authentication against the pre-established mapping relation between the user identification and the access equipment identification improves the security of wireless network access.
Other features of the present invention and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 shows a schematic flow chart of an embodiment of the authentication method of the present invention.
Fig. 2 shows a schematic flow chart of another embodiment of the authentication method of the present invention.
Fig. 3 shows a schematic structural diagram of an embodiment of the authentication apparatus of the present invention.
Fig. 4 shows a schematic structural diagram of another embodiment of the authentication device of the present invention.
Fig. 5 shows a schematic structural diagram of an embodiment of the access device of the present invention.
Fig. 6 shows a schematic structural diagram of an embodiment of the terminal of the present invention.
Fig. 7 shows a schematic structural diagram of an embodiment of the authentication system of the present invention.
Fig. 8 shows a schematic structural diagram of an embodiment of the authentication system of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the invention, its application, or uses. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
An authentication method of one embodiment of the present invention is described below with reference to fig. 1.
Fig. 1 is a flowchart illustrating an authentication method according to an embodiment of the present invention. As shown in fig. 1, the method of this embodiment includes:
Step S102, when the user terminal detects a certain wireless network and wants to access the wireless network, it sends an access request to the access device. The wireless network includes, for example, a WiFi network.
Step S104, the access device responds to the access request of the terminal and sends an authentication request to the authentication device, and the authentication request comprises encrypted user identification information and an access device identification.
The encrypted user identification information may be a token, a digital signature, or similar data that identifies the user and is cryptographically protected. In the invention, the digital signature of the user ID is selected as the encrypted user identification information, and the user identification obtained by decryption can be the user ID. One user ID may be bound to MAC addresses of multiple terminals so that multiple terminals may access the network using the same user ID.
The access device identifier is, for example, an IP address, a MAC address, or other information capable of identifying the access device. In the invention, a Basic Service Set Identifier (BSSID) of the access equipment is selected as the access equipment identifier, one access equipment can have a plurality of BSSIDs, and different WiFi networks can have different BSSIDs, thereby realizing the independent authentication of different access networks to which the same access equipment belongs.
Step S106, after the authentication device receives the authentication request sent by the access device, the authentication device decrypts the encrypted user identification information to obtain the user identification.
Step S108, the authentication device performs matching authentication of the decrypted user identification and the access device identification in the authentication request against the recorded mapping information between user identifications and access device identifications. That is, the authentication device checks whether the trusted mapping information it has recorded contains a mapping between the decrypted user identifier and the access device identifier in the request; if so, the matching authentication passes, otherwise it does not pass.
Step S110, the authentication equipment returns a corresponding authentication response to the access equipment according to the matching authentication result. If the matching authentication passes, an authentication success response can be returned, and if the matching authentication does not pass, an authentication failure response can be returned.
Step S112, the access equipment performs access control on the terminal according to the received authentication response. If the authentication response indicates that the authentication is successful, the access equipment allows the terminal to access; if the authentication response indicates authentication failure, the access equipment forbids the terminal to access.
After the authentication is successful, the terminal does not need to authenticate again when surfing the Internet again, and the authentication process when surfing the Internet is simplified.
In this scheme, the user identifier and the access equipment identifier are matched against the mapping relation between user identifiers and access equipment identifiers that was established in advance, so that security risks caused by phishing APs (Access Points) and the like can be effectively prevented and the security of wireless network access is improved.
In the present invention, mapping information between the user identifier and the access device identifier may be established by means of authentication, which is described below with reference to fig. 2.
An authentication method according to another embodiment of the present invention is described below with reference to fig. 2.
Fig. 2 is a flowchart illustrating an authentication method according to another embodiment of the present invention. As shown in fig. 2, before implementing the above steps S102 to S112, login authentication may be performed on the user identifier and the access device identifier. The method specifically comprises the following steps:
Step S200, the terminal accesses the authentication equipment to register the user; the authentication equipment allocates or records the user identification and returns the encrypted user identification information, and the terminal receives and records the encrypted user identification information returned by the authentication equipment. The service provider accesses the authentication device to register the access device, and submits an access device identification (e.g., BSSID), Service Set Identification (SSID), password, service provider ID, etc.
Step S202, the terminal sends a login request to the authentication device, and the login request carries the encrypted user identification information and the access device identification.
Step S204, after the authentication device receives the login request sent by the terminal, the encrypted user identification information is decrypted to obtain the user identification.
In step S206, the authentication device checks whether the decrypted user identifier and the access device identifier in the login request are both registered. That is, whether the decrypted user identifier is registered when the terminal accesses the authentication device for the first time, and whether the access device identifier in the login request is registered by the service provider. If the user identification and the access equipment identification are registered, the authentication is passed, otherwise, if the user identification or the access equipment identification is not registered, the authentication is not passed.
Step S208, the authentication device returns a corresponding login response to the access device according to the verification result of the login request. If the verification is passed, a login permission response is returned, and if the verification is not passed, a login prohibition response is returned.
Step S210, the terminal receives the login response returned by the authentication device, if the login response indicates that the login is allowed, the authentication device establishes and records the mapping information between the user identifier and the access device identifier, and triggers the terminal to send an access request to the access device.
Login authentication of the user identification and the access equipment identification, combined with the matching authentication against the mapping information between the user identification and the access equipment identification in the previous embodiment, forms a dual verification mechanism, and this dual authentication further improves access security.
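The two checks described above (login verification in steps S200 to S210, then the mapping match in steps S102 to S112), as an added Python example that is not part of the patent text. It assumes an HMAC tag stands in for the "digital signature of the user ID"; the class and method names, the user ID, the provider ID and the BSSIDs are constructed for illustration.

```python
"""Sketch of the login check (S200-S210) and the mapping match (S102-S112)."""
import hashlib
import hmac
import re
import secrets

_BSSID_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")


def normalize_bssid(bssid):
    """Return a lower-case, colon-separated BSSID, or None if malformed."""
    value = bssid.strip().lower().replace("-", ":")
    return value if _BSSID_RE.fullmatch(value) else None


class AuthenticationDevice:
    """Hypothetical authentication device holding registrations and mappings."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._users = set()            # registered user IDs
        self._access_devices = {}      # BSSID -> (SSID, provider ID)
        self._mappings = set()         # trusted (user ID, BSSID) pairs

    def _tag(self, user_id):
        # Assumption: an HMAC replaces the patent's digital signature.
        return hmac.new(self._key, user_id.encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def register_user(self, user_id):
        """S200: record the user and return the protected user identification."""
        self._users.add(user_id)
        return f"{user_id}.{self._tag(user_id)}"

    def register_access_device(self, bssid, ssid, provider_id):
        """S200: the service provider registers one BSSID per SSID."""
        ap = normalize_bssid(bssid)
        if ap is None:
            raise ValueError("malformed BSSID")
        self._access_devices[ap] = (ssid, provider_id)

    def _user_id_from(self, token):
        """S204/S106: recover the user ID only if its tag verifies."""
        user_id, sep, tag = token.rpartition(".")
        if not sep:
            return None
        expected = self._tag(user_id)
        if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
            return None
        return user_id

    def login(self, token, bssid):
        """S206-S210: both identifiers must be registered; then record the mapping."""
        user_id = self._user_id_from(token)
        ap = normalize_bssid(bssid)
        allowed = user_id in self._users and ap in self._access_devices
        if allowed:
            self._mappings.add((user_id, ap))
        return allowed

    def authenticate(self, token, bssid):
        """S106-S110: pass only if the (user ID, BSSID) pair was recorded at login."""
        user_id = self._user_id_from(token)
        ap = normalize_bssid(bssid)
        return (user_id is not None and ap is not None
                and (user_id, ap) in self._mappings)


def demo():
    """Run the flow over constructed identifiers and return each decision."""
    auth = AuthenticationDevice()
    token = auth.register_user("user-1001")
    guest, staff = "02:00:00:aa:bb:01", "02:00:00:aa:bb:02"
    auth.register_access_device(guest, "CafeGuest", "provider-7")
    auth.register_access_device(staff, "CafeStaff", "provider-7")
    rogue = "02:00:00:ff:ff:99"  # never registered by any service provider
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "access_before_login": auth.authenticate(token, guest),
        "login_rogue": auth.login(token, rogue),
        "login_guest": auth.login(token, "02-00-00-AA-BB-01"),
        "access_guest": auth.authenticate(token, guest),
        "access_staff": auth.authenticate(token, staff),
        "access_rogue": auth.authenticate(token, rogue),
        "access_tampered": auth.authenticate(tampered, guest),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'allow' if decision else 'deny'}")
```

The `access_staff` result shows the per-BSSID independence the description relies on: a second BSSID of the same access device is registered but has no recorded mapping for this user, so it is denied until a separate login succeeds.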
In addition, the access device identifier adopted by the existing authentication technology is a Media Access Control (MAC) address of the access device. The same access device can only correspond to a unique MAC address, but can correspond to a plurality of different SSIDs (Service set identification). In the existing authentication technology, different SSIDs of an access device are associated with a unique MAC address of the access device, which results in the same information provided when accessing and authenticating different SSIDs, and thus the information configuration and authentication procedures are also the same. For example, the SSIDs of the three WiFi networks corresponding to a certain access device are SSID1, SSID2, and SSID3, respectively, and if access authentication is performed by using the MAC address of the access device as the access device identifier, access authentication information of the three WiFi networks is the same, for example, the same password is required for accessing the three WiFi networks, which is not favorable for authentication management of different SSIDs.
In the invention, whether in the login authentication process for the user identification and the access equipment identification or in the matching authentication process against the mapping information between the user identification and the access equipment identification, the BSSID of the access equipment can be adopted as the equipment identification for authentication. Because the same access device has a plurality of BSSIDs, each BSSID corresponds to an SSID, and different SSIDs of the access device are associated with different BSSIDs of the device, the information provided when access authentication is carried out on different SSIDs is different, so that the information configuration and the authentication flow are different. For example, if the three SSIDs of a certain access device are SSID1, SSID2, and SSID3, performing access authentication with the BSSID of the access device as the access device identifier makes it possible to require password 1 for accessing SSID1, password 2 for accessing SSID2, and a password for accessing SSID3, which makes it convenient for the device to manage different SSIDs.
In addition, the user identifier used in the existing authentication technology is the MAC address of the terminal. Since the authentication process is associated with the unique MAC address of the terminal, when the user changes the terminal, the MAC address of the terminal changes, and the access authentication needs to be performed again.
In the invention, the user ID can be used as the user identification to carry out access authentication no matter the login authentication process is carried out on the user identification and the access equipment identification, or the matching authentication process is carried out on the mapping information between the user identification and the access equipment identification. Because the authentication process is associated with the user ID, the user ID is not changed when the user changes the terminal, and the access authentication is not required to be carried out again, so that convenience is provided for the user, and the user experience is improved. Meanwhile, the same user ID may be associated with MAC addresses of multiple terminals, for example, in a home life scenario, multiple family members may access WiFi to surf the internet using different terminals associated with the same user ID.
In addition, in the existing access authentication process, the terminal needs to perform access authentication every time a session is initiated, and even if the access device successfully authenticates the terminal, the terminal still needs to carry a token to be checked every time data is received and transmitted, so the authentication process is relatively complicated.
In the invention, the access authentication process is carried out aiming at the mapping information between the user identification and the access equipment identification, and after the access equipment is successfully authenticated and released, the authentication check is not carried out on each data receiving and sending of the terminal within a period of time, thereby simplifying the authentication process of the access equipment to the terminal.
An authentication apparatus of one embodiment of the present invention is described below with reference to fig. 3.
Fig. 3 shows a schematic structural diagram of an embodiment of the authentication apparatus of the present invention. As shown in fig. 3, the authentication apparatus 30 provided by the present invention includes an information receiving unit 302, an information decrypting unit 304, a matching authentication unit 306, and an information transmitting unit 308. The information receiving unit 302 is configured to receive an authentication request sent by an access device in response to an access request of a terminal; the information decrypting unit 304 is configured to decrypt the encrypted user identification information to obtain a user identifier; the matching authentication unit 306 is configured to perform matching authentication of the decrypted user identifier and the access device identifier in the authentication request against the recorded mapping information between user identifiers and access device identifiers; and the information sending unit 308 is configured to return an authentication response to the access device according to the result of the matching authentication, so that the access device performs access control on the terminal according to the authentication response.
An authentication apparatus of another embodiment of the present invention is described below with reference to fig. 4.
Fig. 4 is a schematic structural diagram of another embodiment of the authentication apparatus of the present invention. As shown in fig. 3, based on the above embodiment, another authentication device 30 provided by the present invention further includes a verification unit 410 and an information storage unit 412. The information receiving unit 302 is further configured to receive a login request sent by the terminal; the information decryption unit 304 is further configured to decrypt the encrypted user identification information to obtain a user identification; the verification unit 410 is configured to verify the user identification obtained by decryption against the user registration information, and to verify the access device identification in the login request against the access device registration information; the information sending unit 308 is further configured to return a login response to the terminal according to the verification result of the user identifier and the access device identifier; the information storage unit 412 is configured to record mapping information between the user identifier and the access device identifier in case that the user identifier and the access device identifier are successfully verified.
An access device of one embodiment of the present invention is described below with reference to fig. 5.
Fig. 5 shows a schematic structural diagram of an embodiment of the access device of the present invention. As shown in fig. 5, the access device 50 provided by the present invention includes an information sending unit 502 and an information receiving unit 504. The information sending unit 502 is configured to send an authentication request to an authentication device in response to an access request of a terminal, where the authentication request includes encrypted user identification information and an access device identification, so that the authentication device performs matching authentication of the decrypted user identification and the access device identification in the authentication request against the recorded mapping information between user identifications and access device identifications, and returns a corresponding authentication response according to the result of the matching authentication; the information receiving unit 504 is configured to receive an authentication response returned by the authentication device, and perform access control on the terminal according to the authentication response.
A terminal of one embodiment of the present invention is described below with reference to fig. 6.
Fig. 6 shows a schematic structural diagram of an embodiment of the terminal of the present invention. As shown in fig. 5, the terminal 60 of the present invention includes an information sending unit 602 and an information receiving unit 604. The information sending unit 602 is configured to send a login request to the authentication device, where the login request includes encrypted user identification information and an access device identification, so that the authentication device verifies the decrypted user identification against the user registration information, verifies the access device identification in the login request against the access device registration information, and returns a corresponding login response according to the verification result of the user identification and the access device identification; the information receiving unit 604 is configured to receive the login response returned by the authentication device; the access unit 606 is configured to send an access request to the access device when the login response indicates that login is allowed.
An authentication system of one embodiment of the present invention is described below with reference to fig. 7.
Fig. 7 shows a schematic structural diagram of an embodiment of the authentication system of the present invention. As shown in fig. 7, the authentication system 70 provided by the present invention includes the authentication device 30 and the access device 50.
An authentication system of another embodiment of the present invention is described below with reference to fig. 8.
Fig. 8 is a schematic structural diagram of another embodiment of the authentication system of the present invention. As shown in fig. 8, the authentication system 80 provided by the present invention includes the authentication device 30, the access device 50, and the terminal 60.
Furthermore, the method according to the invention may also be implemented as a computer program product comprising a computer readable medium having stored thereon a computer program for performing the above-mentioned functions defined in the method of the invention. Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.
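The two phases handled by the authentication device described above (login verification that records a user-to-BSSID mapping, then matching of an access device's authentication request against that mapping) can be sketched as follows. This is an added example, not code from the patent: the class and function names, the response strings, the key and the sample identifiers are assumptions, and because the text names no encryption algorithm, an HMAC-SHA256 keystream with a tag is used as a stand-in.

```python
import hashlib
import hmac
import os

MASTER = b"constructed-demo-key"  # assumption: key shared by terminal and authentication device
ENC_KEY = hmac.new(MASTER, b"enc", hashlib.sha256).digest()
MAC_KEY = hmac.new(MASTER, b"mac", hashlib.sha256).digest()


def _keystream(nonce, length):
    blocks = (hmac.new(ENC_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt_user_id(user_id):
    """Stand-in cipher (HMAC-SHA256 keystream plus tag); the page names no algorithm."""
    nonce, plain = os.urandom(12), user_id.encode()
    body = bytes(p ^ k for p, k in zip(plain, _keystream(nonce, len(plain))))
    return nonce + body + hmac.new(MAC_KEY, nonce + body, hashlib.sha256).digest()


def decrypt_user_id(blob):
    """Return the user ID, or None when the blob is malformed or was modified."""
    if len(blob) < 12 + 32:
        return None
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(nonce, len(body)))).decode()


class AuthenticationDevice:
    def __init__(self, registered_users, registered_bssids):
        self.registered_users = set(registered_users)                    # user registration information
        self.registered_bssids = {b.lower() for b in registered_bssids}  # access device registration
        self.mappings = set()                                            # recorded (user ID, BSSID) pairs

    def handle_login(self, enc_user_id, bssid):
        """Login request from the terminal: verify both identifiers, then record the mapping."""
        user_id = decrypt_user_id(enc_user_id)
        if user_id is None or user_id not in self.registered_users:
            return "login-denied"
        if bssid.lower() not in self.registered_bssids:
            return "login-denied"
        self.mappings.add((user_id, bssid.lower()))
        return "login-allowed"

    def handle_auth_request(self, enc_user_id, bssid):
        """Authentication request from the access device: match against recorded mappings."""
        user_id = decrypt_user_id(enc_user_id)
        if user_id is not None and (user_id, bssid.lower()) in self.mappings:
            return "access-accept"
        return "access-reject"


def demo():
    """Constructed scenario: one access device exposing two BSSIDs, one registered user."""
    ap1, ap2 = "02:00:00:aa:00:01", "02:00:00:aa:00:02"
    auth = AuthenticationDevice({"user-1001"}, {ap1, ap2})
    token = encrypt_user_id("user-1001")
    tampered = token[:-1] + bytes([token[-1] ^ 1])
    return {
        "before_login": auth.handle_auth_request(token, ap1),
        "login": auth.handle_login(token, ap1),
        "same_bssid": auth.handle_auth_request(encrypt_user_id("user-1001"), ap1),
        "other_bssid": auth.handle_auth_request(token, ap2),
        "tampered": auth.handle_auth_request(tampered, ap1),
        "unknown_ap_login": auth.handle_login(token, "02:00:00:bb:00:09"),
    }
```

Because the mapping is keyed on the user ID and the BSSID rather than on a terminal MAC address, a second terminal of the same user is accepted on the logged-in BSSID, while another BSSID of the same access device is rejected until a login is recorded for it.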

Claims (18)

1. An authentication method, comprising:
the authentication equipment receives an authentication request sent by the access equipment in response to an access request of a terminal, wherein the authentication request comprises encrypted user identification information and an access equipment identification;
the authentication equipment decrypts the encrypted user identification information to obtain a user identification, and matches the decrypted user identification and the access equipment identification in the authentication request against the recorded mapping information between user identifications and access equipment identifications; the mapping information is established by the authentication equipment through login authentication of a user identifier and an access equipment identifier sent by a terminal;
and the authentication equipment returns an authentication response to the access equipment according to the matching authentication result so that the access equipment can perform access control on the terminal according to the authentication response.
2. The authentication method according to claim 1, wherein the authentication device establishes the mapping information between the user identifier and the access device identifier by using the following method:
the authentication equipment receives a login request sent by a terminal, wherein the login request comprises encrypted user identification information and an access equipment identification;
the authentication device decrypts the encrypted user identification information to obtain a user identification, verifies the user identification obtained by decryption and user registration information, and verifies the access device identification and the access device registration information in the login request;
the authentication device returns a login response to the terminal according to the verification result of the user identifier and the access device identifier, and records mapping information between the user identifier and the access device identifier under the condition that the user identifier and the access device identifier are successfully verified.
3. The authentication method according to claim 1 or 2, wherein the access device identification is a basic service set identifier (BSSID) of the access device, wherein one access device may have multiple BSSIDs.
4. The authentication method according to claim 1 or 2, wherein the user identifier is a user ID, wherein one user ID can be bound with a plurality of terminal MAC addresses.
5. An authentication method, comprising:
the access equipment, in response to an access request of a terminal, sends an authentication request to authentication equipment, wherein the authentication request comprises encrypted user identification information and an access equipment identification, so that the authentication equipment matches the decrypted user identification and the access equipment identification in the authentication request against the recorded mapping information between user identifications and access equipment identifications, and returns a corresponding authentication response according to the matching authentication result; the mapping information is established by the authentication equipment through login authentication of a user identifier and an access equipment identifier sent by a terminal;
and the access equipment receives the authentication response returned by the authentication equipment and performs access control on the terminal according to the authentication response.
6. The authentication method according to claim 5,
the access equipment identification is BSSID of the access equipment, wherein one access equipment can have a plurality of BSSIDs;
the user identification is a user ID, wherein one user ID can be bound with a plurality of terminal MAC addresses.
7. An authentication method, comprising:
the terminal sends a login request to the authentication equipment, wherein the login request comprises encrypted user identification information and an access equipment identification, so that the authentication equipment can verify the decrypted user identification and user registration information, verify the access equipment identification and the access equipment registration information in the login request, return a corresponding login response according to the verification results of the user identification and the access equipment identification, and establish mapping information between the user identification and the access equipment identification by performing login authentication on the user identification and the access equipment identification sent by the terminal;
the terminal receives the login response returned by the authentication device, and if the login response indicates that the login is allowed, the terminal sends an access request to the access device for access.
8. The authentication method according to claim 7,
the access equipment identification is BSSID of the access equipment, wherein one access equipment can have a plurality of BSSIDs;
the user identification is a user ID, wherein one user ID can be bound with a plurality of terminal MAC addresses.
9. An authentication device comprising:
the information receiving unit is used for receiving an authentication request sent by the access equipment in response to an access request of the terminal, wherein the authentication request comprises encrypted user identification information and an access equipment identification;
the information decryption unit is used for decrypting the encrypted user identification information to obtain a user identification;
the matching authentication unit is used for matching the decrypted user identifier and the access equipment identifier in the authentication request against the recorded mapping information between user identifiers and access equipment identifiers; the mapping information is established by the authentication equipment through login authentication of a user identifier and an access equipment identifier sent by a terminal;
and the information sending unit is used for returning an authentication response to the access equipment according to the matching authentication result so that the access equipment can perform access control on the terminal according to the authentication response.
10. The authentication apparatus according to claim 9, further comprising a verification unit, an information storage unit;
the information receiving unit is also used for receiving a login request sent by the terminal, wherein the login request comprises encrypted user identification information and an access device identification;
the information decryption unit is also used for decrypting the encrypted user identification information to obtain a user identification;
the verification unit is used for verifying the user identification and the user registration information obtained by decryption and verifying the access equipment identification and the access equipment registration information in the login request;
the information sending unit is also used for returning a login response to the terminal according to the verification result of the user identification and the access equipment identification;
and the information storage unit is used for recording mapping information between the user identifier and the access equipment identifier under the condition that the user identifier and the access equipment identifier are successfully verified.
11. The authentication device according to claim 9 or 10, wherein the access device identification is a BSSID of the access device, wherein one access device may have a plurality of BSSIDs.
12. The authentication device according to claim 9 or 10, wherein the user identifier is a user ID, wherein one user ID can be bound to a plurality of terminal MAC addresses.
13. An access device, comprising:
an information sending unit, configured to send an authentication request to an authentication device in response to an access request of a terminal, where the authentication request includes encrypted user identifier information and an access device identifier, so that the authentication device matches the decrypted user identifier and the access device identifier in the authentication request against the recorded mapping information between user identifiers and access device identifiers, and returns a corresponding authentication response according to a result of the matching authentication; the mapping information is established by the authentication equipment through login authentication of a user identifier and an access equipment identifier sent by a terminal;
and the information receiving unit is used for receiving the authentication response returned by the authentication equipment and carrying out access control on the terminal according to the authentication response.
14. The access device of claim 13,
the access equipment identification is BSSID of the access equipment, wherein one access equipment can have a plurality of BSSIDs;
the user identification is a user ID, wherein one user ID can be bound with a plurality of terminal MAC addresses.
15. A terminal, comprising:
an information sending unit, configured to send a login request to an authentication device, where the login request includes encrypted user identifier information and an access device identifier, so that the authentication device verifies the decrypted user identifier and user registration information, verifies the access device identifier and the access device registration information in the login request, returns a corresponding login response according to a verification result of the user identifier and the access device identifier, and establishes mapping information between the user identifier and the access device identifier by performing login authentication on the user identifier and the access device identifier sent by a terminal;
the information receiving unit is used for receiving a login response returned by the authentication equipment;
and the access unit is used for sending an access request to the access equipment for access when the login response indicates that the login is allowed.
16. The terminal of claim 15,
the access equipment identification is BSSID of the access equipment, wherein one access equipment can have a plurality of BSSIDs;
the user identification is a user ID, wherein one user ID can be bound with a plurality of terminal MAC addresses.
17. An authentication system comprising an authentication device according to any one of claims 9 to 12 and an access device according to claim 13 or 14.
18. An authentication system according to claim 17, further comprising a terminal according to claim 15 or 16.
CN201510639360.0A 2015-09-30 2015-09-30 Authentication method, device and system, access device and terminal Active CN106559785B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510639360.0A CN106559785B (en) 2015-09-30 2015-09-30 Authentication method, device and system, access device and terminal

Publications (2)

Publication Number Publication Date
CN106559785A CN106559785A (en) 2017-04-05
CN106559785B CN106559785B (en) 2020-02-14

Family

ID=58417260

Country Status (1)

Country Link
CN (1) CN106559785B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant