CN106878989B - Access control method and device - Google Patents

Access control method and device

Publication number: CN106878989B
Authority: CN (China)
Prior art keywords: wireless network, ssid, bssid, sharedkey, user terminal
Legal status: Active
Application number: CN201611208815.4A
Other languages: Chinese (zh)
Other versions: CN106878989A (en)
Inventors: 王钰洁, 孙芃
Current Assignee: Hangzhou H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201611208815.4A
Publication of CN106878989A
Application granted
Publication of CN106878989B


Classifications

    • H04W 12/06 Authentication (H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity; Wireless communication networks)
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/102 Entity profiles (H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources)
    • H04L 63/107 Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entity privileges depend on current location or allowing specific operations only from locally connected terminals
    • H04W 12/08 Access security (H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity; Wireless communication networks)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides an access control method and device. The method comprises: acquiring, encrypting and storing the mapping relation among the SSID, BSSID, Location and sharedKEY of a legal wireless network; when detecting that a user terminal has accessed a wireless network, decrypting the locally encrypted and stored mapping relation according to the sharedKEY of the wireless network accessed by the user terminal; and controlling the user terminal to disconnect from the accessed wireless network if the decryption fails, or if the decryption succeeds but the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network obtained after decryption is inconsistent with the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal.

Description

Access control method and device
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to an access control method and apparatus.
Background
With the popularization of wireless networks, the access of wireless terminals brings challenges to enterprise data security. Whether a terminal has accessed a wireless network allowed by the enterprise can generally be determined by identifying the SSID (Service Set Identifier). However, an SSID is not globally unique, since the same SSID can be configured on different networks. Problems caused by duplicate SSIDs therefore exist, for example: a duplicate SSID is privately set up inside an enterprise and used to access the enterprise network and acquire sensitive data; or a mobile terminal is taken out of the company, and the enterprise's confidential data on the terminal is obtained by counterfeiting the SSID; or a trap SSID with the same name exists around the enterprise, so that an employee cannot distinguish it and mistakenly joins the trap network, causing data leakage.
Disclosure of Invention
The invention provides an access control method and device, which are used for avoiding confidential data leakage caused by the fact that a user terminal is accessed into an illegal wireless network.
According to a first aspect of embodiments of the present invention, an access control method is provided, which is applied to a client agent deployed in a user equipment, and the method includes:
acquiring, encrypting and storing a mapping relation among a Service Set Identifier (SSID), a Basic Service Set Identifier (BSSID), a Location and a shared key (sharedKEY) of a legal wireless network;
when detecting that a user terminal has accessed a wireless network, acquiring the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal;
decrypting the locally encrypted and stored mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network according to the sharedKEY of the wireless network accessed by the user terminal;
if the decryption fails, or if the decryption succeeds but the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network obtained after decryption is inconsistent with the mapping relation among the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal, controlling the user terminal to disconnect from the accessed wireless network.
According to a second aspect of the embodiments of the present invention, there is provided an access control apparatus, which is applied to a client agent deployed in a user terminal, the apparatus including:
an acquisition unit, configured to acquire a mapping relation among a Service Set Identifier (SSID), a Basic Service Set Identifier (BSSID), a Location and a shared key (sharedKEY) of a legal wireless network;
a storage unit, configured to encrypt and store the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network acquired by the acquisition unit;
a detection unit, configured to detect whether the user terminal has accessed a wireless network;
the acquisition unit being further configured to acquire the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal when the detection unit detects that the user terminal has accessed the wireless network;
a decryption unit, configured to decrypt the locally encrypted and stored mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network according to the sharedKEY of the wireless network accessed by the user terminal;
and a control unit, configured to control the user terminal to disconnect from the accessed wireless network if the decryption fails, or if the decryption succeeds but the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network obtained after decryption is inconsistent with the mapping relation among the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal.
By applying the embodiment of the invention, a client agent is deployed in the user terminal. The client agent acquires and stores the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network; when detecting that the user terminal has accessed a wireless network, it acquires the SSID, BSSID, Location and sharedKEY of the accessed wireless network, decrypts the locally encrypted and stored mapping relation of the legal wireless network according to the sharedKEY of the accessed wireless network, and controls the user terminal to disconnect from the accessed wireless network when the decryption fails, or when the decryption succeeds but the mapping relation of the legal wireless network obtained after decryption is inconsistent with the mapping relation among the SSID, BSSID, Location and sharedKEY of the accessed wireless network. Data leakage caused by the user terminal accessing an illegal wireless network can thus be avoided.
Drawings
Fig. 1 is a flowchart illustrating an access control method according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a specific application scenario provided in the embodiment of the present invention;
fig. 3 is a schematic structural diagram of an access control apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions in the embodiments of the present invention better understood and make the above objects, features and advantages of the embodiments of the present invention more comprehensible, the technical solutions in the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Referring to fig. 1, which is a flowchart of an access control method according to an embodiment of the present invention, the access control method includes the following steps:
it should be noted that, in the embodiment of the present invention, the execution subject of steps 101 to 103 may be a client agent deployed in a user terminal.
Step 101, acquiring, encrypting and storing the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network.
In the embodiment of the invention, in order to improve the security of the user terminal accessing the wireless network and avoid the user from intentionally or unintentionally accessing the illegal wireless network through the user terminal, the client agent can be deployed in the user terminal and is used for controlling the wireless network access of the user terminal.
In the embodiment of the present invention, a legal wireless network may be identified by information such as its SSID, BSSID (Basic Service Set Identifier), Location and sharedKEY.
The Location of a wireless network may be the location information of the wireless AP (Access Point) device corresponding to the wireless network, and the sharedKEY of a wireless network may be pre-configured in the wireless AP device corresponding to the wireless network.
It should be noted that, in the embodiment of the present invention, sharedKEY of different wireless networks may be the same or different.
It should be noted that, in the embodiment of the present invention, the mapping relations among the SSID, BSSID, Location and sharedKEY of different legal wireless networks are not identical; that is, at least one of the SSID, BSSID, Location and sharedKEY differs between any two different legal wireless networks.
For example, in a scenario where the same wireless AP device corresponds to a plurality of different wireless networks, the BSSID, Location and sharedKEY of the different wireless networks corresponding to that wireless AP device are the same, but their SSIDs are different;
in a scenario where the wireless networks corresponding to a plurality of different wireless AP devices have the same SSID, their SSIDs are the same, but their BSSIDs and Locations are different.
Accordingly, in order to control the wireless network access of the user terminal, the client agent needs to acquire the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network, and encrypt and store the acquired mapping relation.
As an optional implementation, in an embodiment of the present invention, acquiring the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network may include:
receiving the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network sent by an authentication server.
In this embodiment, for a scenario in which the user terminal needs to be authenticated by an authentication server (e.g., an AAA (Authentication, Authorization, Accounting) server) before accessing the wireless network, the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network may be configured in the authentication server in advance, and when the user terminal passes authentication by the authentication server, the authentication server may issue the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network to the client agent of the user terminal.
Optionally, in this embodiment, the authentication server may send the encrypted mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network to the client agent deployed on the user terminal through a RADIUS (Remote Authentication Dial In User Service) vendor-specific extended attribute (i.e., attribute No. 26) or a private message, and the mapping relation is stored by the client agent.
It should be noted that, in this embodiment, it is considered that the user terminal can connect to the authentication server for authentication only when accessing a legal wireless network. Therefore, in this embodiment, the relevant information of a specific legal wireless network, such as its (SSID, BSSID, Location, sharedKEY) quadruplet, needs to be built into the user terminal in advance; when the user terminal is initially run, it needs to access this specific legal wireless network in order to connect to the authentication server for authentication, and after the authentication is passed, it receives the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless networks issued by the authentication server.
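The RADIUS attribute 26 transport mentioned above has a fixed wire format (RFC 2865: Type, Length, Vendor-Id, then a vendor type/length/data sub-header), and each attribute value is limited to 253 bytes, so an encrypted mapping that covers several networks has to be split across several attributes and reassembled by the client agent. The following is an added example written for this page, not code from the patent or from any H3C product; it treats the encrypted mapping as an opaque byte string, and the vendor id 99999 and vendor type 1 are placeholders, not a registered Private Enterprise Number or a real attribute.

```python
import struct

# RFC 2865 attribute layout: Type(1) Length(1) Value. Length counts the header, so the
# Value is at most 253 bytes. A Vendor-Specific attribute (Type 26) carries
# Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) data inside the Value, which leaves
# 247 bytes of data per attribute; longer payloads are split across attributes.
VENDOR_SPECIFIC = 26
MAX_ATTR_VALUE = 253
VSA_DATA_MAX = MAX_ATTR_VALUE - 4 - 2   # 247

# Placeholder vendor id / vendor type constructed for this example (not registered).
EXAMPLE_VENDOR_ID = 99999
EXAMPLE_VENDOR_TYPE = 1


def encode_vsa_chunks(payload: bytes, vendor_id: int = EXAMPLE_VENDOR_ID,
                      vendor_type: int = EXAMPLE_VENDOR_TYPE) -> list:
    """Split an opaque payload (e.g. the encrypted quadruplet list) into one or
    more well-formed Vendor-Specific attributes, each at most 255 bytes."""
    chunks = []
    for off in range(0, len(payload), VSA_DATA_MAX):
        data = payload[off:off + VSA_DATA_MAX]
        sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
        value = struct.pack("!I", vendor_id) + sub
        chunks.append(struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(value)) + value)
    return chunks


def iter_attributes(blob: bytes):
    """Walk a RADIUS attribute list; a Length below 2 or one that runs past the
    end of the buffer is malformed and must be rejected, not skipped."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("invalid attribute length")
        yield atype, blob[i + 2:i + alen]
        i += alen


def decode_vsa_payload(blob: bytes, vendor_id: int = EXAMPLE_VENDOR_ID,
                       vendor_type: int = EXAMPLE_VENDOR_TYPE) -> bytes:
    """Reassemble the payload from all matching VSAs in order, ignoring other
    attribute types and other vendors' attributes."""
    parts = []
    for atype, value in iter_attributes(blob):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vid, vtype, vlen = struct.unpack("!IBB", value[:6])
        if vid != vendor_id or vtype != vendor_type:
            continue
        if vlen != len(value) - 4:
            raise ValueError("vendor-length does not match attribute length")
        parts.append(value[6:])
    return b"".join(parts)
```

The receiver validates both the outer Length and the inner Vendor-Length before trusting the data; an agent that only trusted the inner length could be made to read past the attribute it was handed.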
As another alternative, in the embodiment of the present invention, the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network is configured in the installation file of the client agent.
In this embodiment, when customizing the client agent, the administrator may directly configure the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network in the installation file of the client agent.
When the user installs the client agent customized by the administrator on the user terminal, the client agent may directly obtain the pre-configured mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network from the installation file, and store the obtained mapping relation.
Preferably, in this embodiment, the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network configured in the installation file of the client agent may be an encrypted mapping relation.
In the embodiment of the present invention, after the client agent acquires the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network, the client agent may store the acquired mapping relation.
As an optional implementation, in an embodiment of the present invention, encrypting and storing the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network may include:
when the acquired mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network is not encrypted, encrypting and storing it;
when the acquired mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network is encrypted, storing it as it is, or decrypting it and encrypting it again for storage.
In this embodiment, in order to ensure the security of the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network stored by the client agent, the client agent may encrypt the acquired mapping relation and store it in encrypted form.
Accordingly, in this embodiment, after acquiring the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network, the client agent may first determine whether the acquired mapping relation is encrypted.
If the acquired mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network is not encrypted, the client agent may encrypt the mapping relation of each legal wireless network with a preset encryption algorithm according to the sharedKEY of that legal wireless network, and store the encrypted mapping relation.
When the sharedKEYs of a plurality of legal wireless networks are the same, the client agent may encrypt the mapping relations among the SSIDs, BSSIDs, Locations and sharedKEYs of the plurality of legal wireless networks together, or may encrypt them separately.
If the acquired mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network is encrypted, in one embodiment the client agent may directly store the acquired mapping relation.
In another embodiment, in order to further improve security, the client agent may first decrypt the acquired mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network using a preset decryption algorithm, then re-encrypt the decrypted mapping relation of each legal wireless network using another encryption algorithm according to the sharedKEY of that legal wireless network, and store the re-encrypted mapping relation.
It should be noted that step 101 does not need to be executed every time access control is performed, but only when the access control scheme is initially run or when the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network is updated.
Step 102, when it is detected that the user terminal has accessed a wireless network, acquiring the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal.
In the embodiment of the present invention, when the client agent detects that the user terminal has accessed a wireless network, the client agent may obtain the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal.
In an optional embodiment, the client agent may obtain the SSID, BSSID, Location and sharedKEY carried in a Beacon frame or a Probe Response frame sent by the wireless AP (Access Point) device corresponding to the wireless network accessed by the user terminal.
Accordingly, in this embodiment, when the wireless AP device sends a Beacon frame and/or a Probe Response frame, the Location and sharedKEY need to be carried in addition to the SSID and BSSID of the wireless network that the Beacon frame and/or Probe Response frame already carry.
For example, Element IDs (element identifiers) that are not used in the 802.11 protocol may be used to carry the Location and sharedKEY; that is, in addition to the SSID and BSSID carried by the Element IDs specified in the existing 802.11 protocol, the Beacon frames and Probe Response frames sent by the wireless AP devices need to carry the Location and sharedKEY in elements whose Element IDs are not used in the 802.11 protocol.
It should be noted that, if the client agent cannot obtain the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal, this indicates that the Location or sharedKEY is not configured in the Beacon frame or Probe Response frame sent by the wireless AP currently accessed by the user terminal, that is, the currently accessed wireless network is not a legal wireless network, and in this case the connection between the user terminal and the wireless network is also disconnected.
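The client-side part of step 102 is a parser for the element list of a Beacon or Probe Response body: after the 12 bytes of fixed fields come ID/Length/Value elements, the SSID in element 0, and the private Location and sharedKEY in elements of the AP's own choosing. The following is an added example written for this page, not the patent's or H3C's code. Instead of an unassigned Element ID, it carries the private fields in the standard vendor-specific element (ID 221) under a placeholder OUI 00:11:22 with sub-types 1 (Location as signed microdegrees) and 2 (sharedKEY), which is the usual way to add private elements without colliding with future standard allocations; the BSSID is taken from the MAC header of the frame rather than from an element, so it is passed in separately. A missing private element makes the function return None, which is the "not a legal wireless network" case described above.

```python
import struct

SSID_IE = 0               # standard element ID of the SSID element
VENDOR_SPECIFIC_IE = 221  # standard element ID for vendor-specific elements
# Placeholder OUI and sub-types constructed for this example (not a registered OUI).
EXAMPLE_OUI = b"\x00\x11\x22"
SUB_LOCATION = 1          # data: int32 latitude, int32 longitude, in microdegrees
SUB_SHAREDKEY = 2         # data: UTF-8 sharedKEY string
BEACON_FIXED_LEN = 12     # Timestamp(8) + Beacon Interval(2) + Capability(2)


def parse_ies(body: bytes) -> list:
    """Parse the ID/Length/Value elements following the fixed fields; a truncated
    element or trailing garbage makes the whole frame body invalid."""
    ies, i = [], 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        value = body[i + 2:i + 2 + ln]
        if len(value) != ln:
            raise ValueError("truncated element")
        ies.append((eid, value))
        i += 2 + ln
    if i != len(body):
        raise ValueError("trailing bytes after last element")
    return ies


def extract_quad(frame_body: bytes, bssid: str):
    """Return the (SSID, BSSID, Location, sharedKEY) quadruplet as a dict, or None
    when the private Location or sharedKEY element is absent."""
    if len(frame_body) < BEACON_FIXED_LEN:
        raise ValueError("body shorter than the fixed fields")
    ssid = location = shared_key = None
    for eid, value in parse_ies(frame_body[BEACON_FIXED_LEN:]):
        if eid == SSID_IE:
            ssid = value.decode("utf-8", errors="replace")
        elif eid == VENDOR_SPECIFIC_IE and len(value) >= 4 and value[:3] == EXAMPLE_OUI:
            sub, data = value[3], value[4:]
            if sub == SUB_LOCATION and len(data) == 8:
                lat, lon = struct.unpack("!ii", data)
                location = (lat / 1e6, lon / 1e6)
            elif sub == SUB_SHAREDKEY:
                shared_key = data.decode("utf-8", errors="replace")
    if ssid is None or location is None or shared_key is None:
        return None
    return {"ssid": ssid, "bssid": bssid.lower(), "location": location,
            "shared_key": shared_key}


def _ie(eid: int, value: bytes) -> bytes:
    return bytes([eid, len(value)]) + value


def build_beacon_body(ssid: str, location=None, shared_key=None) -> bytes:
    """Constructed Beacon body for testing: fixed fields, the SSID element and,
    when given, the private Location and sharedKEY elements described above."""
    body = struct.pack("<QHH", 0, 100, 0x0411) + _ie(SSID_IE, ssid.encode())
    if location is not None:
        lat, lon = (int(round(c * 1e6)) for c in location)
        body += _ie(VENDOR_SPECIFIC_IE,
                    EXAMPLE_OUI + bytes([SUB_LOCATION]) + struct.pack("!ii", lat, lon))
    if shared_key is not None:
        body += _ie(VENDOR_SPECIFIC_IE,
                    EXAMPLE_OUI + bytes([SUB_SHAREDKEY]) + shared_key.encode())
    return body
```

Beacon and Probe Response frames are unauthenticated broadcast frames, so whatever they carry, including the sharedKEY, is readable by and imitable from any station in range; the decision in steps 103 and 104 therefore has to rest on the locally stored mapping, not on the frame contents alone.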
Step 103, decrypting the locally encrypted and stored mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network according to the sharedKEY of the wireless network accessed by the user terminal.
In the embodiment of the present invention, after acquiring the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal, the client agent may decrypt the locally encrypted and stored mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network according to the sharedKEY of the wireless network accessed by the user terminal, so as to determine whether the decryption succeeds.
Step 104, if the decryption fails, or if the decryption succeeds but the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network obtained after decryption is inconsistent with the mapping relation among the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal, controlling the user terminal to disconnect from the accessed wireless network.
In the embodiment of the present invention, if the client agent fails to decrypt the locally encrypted and stored mapping relations among the SSID, BSSID, Location and sharedKEY of all legal wireless networks according to the sharedKEY of the wireless network accessed by the user terminal, the client agent may regard the wireless network accessed by the user terminal as an illegal wireless network.
If the client agent succeeds in decrypting the locally encrypted and stored mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network according to the sharedKEY of the wireless network accessed by the user terminal, the client agent may further compare the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network obtained after decryption with the mapping relation among the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal.
If the two are not consistent, the client agent can consider that the wireless network accessed by the user terminal is an illegal wireless network.
If the two are consistent, the client agent may consider the wireless network accessed by the user terminal as a legal wireless network.
For the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network to be consistent with the mapping relation among the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal, the following conditions need to be satisfied:
the SSID, BSSID and sharedKEY of the legal wireless network are respectively the same as the SSID, BSSID and sharedKEY of the wireless network accessed by the user terminal;
and the Location of the legal wireless network is the same as the Location of the wireless network accessed by the user terminal, or the distance between the two is smaller than a preset threshold.
In the embodiment of the invention, when the client agent determines that the wireless network accessed by the user terminal is an illegal wireless network, the client agent can control the user terminal to disconnect the accessed wireless network, thereby avoiding that the user intentionally (such as the user himself forges the illegal wireless network) or unintentionally accesses the illegal wireless network.
For example, the method can prevent an enterprise user from using an enterprise user terminal to access an illegal wireless network forged by the user in order to reach the internal data of the enterprise, which would create a potential security hazard for the enterprise.
When the client agent determines that the wireless network to which the user terminal is accessed is a valid wireless network, the client agent may keep the user terminal accessed to the wireless network.
It can be seen that, in the method flow shown in fig. 1, a wireless network is identified by the (SSID, BSSID, Location, sharedKEY) quadruplet; a client agent deployed in the user terminal acquires the mapping relation among the SSID, BSSID, Location and sharedKEY of the legal wireless network and stores it in encrypted form; when the user terminal accesses a wireless network, the client agent determines whether the accessed wireless network is a legal wireless network according to its SSID, BSSID, Location and sharedKEY; and when the accessed wireless network is determined to be an illegal wireless network, the user terminal is controlled to disconnect from it. Thus not only is the identification of illegal wireless networks realized, but the user can also be effectively prevented from intentionally or unintentionally accessing an illegal wireless network.
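Steps 101 to 104 above, and the two case lists of the fig. 2 scenario below, describe one procedure: store each legal quadruplet encrypted under its own sharedKEY, try to decrypt the store with the sharedKEY of the network just joined, and compare the result field by field with a distance threshold on Location. The following is an added example of that procedure written for this page; it is not code from the patent or from any H3C product. It assumes one encrypted record per legal network, a key derived from the sharedKEY with PBKDF2, an HMAC-SHA256 tag over each record, an HMAC-SHA256 counter-mode keystream standing in for a real cipher so the example runs on the standard library alone, Location as (latitude, longitude) in decimal degrees, and a 50 m threshold; the names NetworkQuad, check_access and the sample networks are constructed. The tag is what gives "decryption fails" a meaning: without authenticated encryption, decrypting with a wrong sharedKEY silently yields garbage, and the comparison in step 104 is the only thing left to reject it.

```python
import hashlib
import hmac
import json
import math
import secrets
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class NetworkQuad:
    """One (SSID, BSSID, Location, sharedKEY) quadruplet; Location is (lat, lon)."""
    ssid: str
    bssid: str
    location: tuple
    shared_key: str


def _derive_keys(shared_key: str, salt: bytes):
    """Assumed KDF: separate encryption and MAC keys from the network's sharedKEY."""
    k = hashlib.pbkdf2_hmac("sha256", shared_key.encode(), salt, 50_000, dklen=64)
    return k[:32], k[32:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for a stream cipher (stdlib only)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_record(quad: NetworkQuad, shared_key: str) -> bytes:
    """Step 101: one quadruplet encrypted under its sharedKEY.
    Layout: salt(16) | nonce(16) | ciphertext | HMAC-SHA256 tag(32)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(shared_key, salt)
    pt = json.dumps(asdict(quad), sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt_record(blob: bytes, shared_key: str):
    """Step 103: the quadruplet, or None when the tag does not verify under this key."""
    if len(blob) < 64:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(shared_key, salt)
    expect = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    d = json.loads(pt)
    return NetworkQuad(d["ssid"], d["bssid"], tuple(d["location"]), d["shared_key"])


def distance_m(a: tuple, b: tuple) -> float:
    """Great-circle (haversine) distance in metres, for the Location threshold."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))


def quads_consistent(stored: NetworkQuad, seen: NetworkQuad, threshold_m: float) -> bool:
    """Step 104 conditions: SSID, BSSID, sharedKEY equal; Location within threshold."""
    return (stored.ssid == seen.ssid
            and stored.bssid.lower() == seen.bssid.lower()
            and hmac.compare_digest(stored.shared_key.encode(), seen.shared_key.encode())
            and distance_m(stored.location, seen.location) <= threshold_m)


def build_store(legal: list) -> list:
    """Step 101 for the whole list of legal networks, one encrypted record each."""
    return [encrypt_record(q, q.shared_key) for q in legal]


def check_access(store: list, seen: NetworkQuad, threshold_m: float = 50.0) -> str:
    """Steps 103-104: 'allow', or the reason the agent should disconnect the terminal."""
    decrypted_any = False
    for blob in store:
        rec = decrypt_record(blob, seen.shared_key)
        if rec is None:
            continue
        decrypted_any = True
        if quads_consistent(rec, seen, threshold_m):
            return "allow"
    return "disconnect:mismatch" if decrypted_any else "disconnect:decrypt-failed"


def demo() -> dict:
    """Constructed scenarios: legal AP; same SSID but other BSSID; unknown key; wrong place."""
    hq = NetworkQuad("CorpWiFi", "aa:bb:cc:dd:ee:01", (30.2741, 120.1551), "k-0001")
    branch = NetworkQuad("CorpWiFi", "aa:bb:cc:dd:ee:02", (31.2304, 121.4737), "k-0002")
    store = build_store([hq, branch])
    cases = {
        "legal_ap": hq,
        "same_ssid_other_bssid": NetworkQuad("CorpWiFi", "de:ad:be:ef:00:01", hq.location, "k-0001"),
        "unknown_key": NetworkQuad("CorpWiFi", hq.bssid, hq.location, "not-a-corp-key"),
        "wrong_place": NetworkQuad("CorpWiFi", hq.bssid, (30.3000, 120.2000), "k-0001"),
    }
    return {name: check_access(store, q) for name, q in cases.items()}
```

Because the sharedKEY is itself announced in clear Beacon or Probe Response frames in the embodiment of step 102, the encryption here binds each stored record to its network's key rather than hiding the record from anyone who can hear the AP; the filter that actually separates a duplicate-SSID network from the legal one is the stored BSSID and Location, which is why check_access reports a mismatch, not a decryption failure, for the same-SSID case.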
In order to enable those skilled in the art to better understand the technical solution provided by the embodiment of the present invention, the technical solution provided by the embodiment of the present invention is described below with reference to a specific application scenario.
Referring to fig. 2, which is a schematic diagram of the architecture of a specific application scenario provided in an embodiment of the present invention, as shown in fig. 2, in this application scenario an enterprise user terminal in a trust zone may connect to a legal wireless network configured by the enterprise after passing identity authentication, and access the Exchange server (mailbox server) and data storage server inside the company; the trust zone may be, for example, a company office.
Based on the application scenario shown in fig. 2, the access control scheme provided in the embodiment of the present invention is implemented as follows:
in case one, the enterprise user terminal can normally access the network only after being authenticated by the enterprise authentication server
1. Configuring a quadruplet of SSID (SSID), BSSID (service set identifier), L assignment and sharedKEY (service set identifier) of a legal wireless network in an enterprise authentication server, and encrypting the quadruplet by a preset encryption algorithm;
2. when the enterprise user terminal accesses an enterprise wireless network corresponding to the information of a specific legal wireless network which is built in advance, an authentication request is sent to an enterprise RADIUS authentication server, and after the authentication is passed, the enterprise RADIUS authentication server issues the encrypted quadruple information of the legal wireless network to a client agent deployed in the enterprise user terminal through an RADIUS 26 manufacturer extended attribute or a private message;
3. the client agent encrypts and stores the received quadruple information of the legal wireless network;
4. the client agent acquires (SSID, BSSID, L oscillation, sharedKEY) quadruplets of a wireless network accessed by the enterprise user terminal from the Beacon frame or the Probe Response frame, and decrypts the quadruplets information of the legal wireless network stored by local encryption according to the sharedKEY of the wireless network accessed by the user terminal;
5. if the decryption fails, the wireless network access of the enterprise user terminal is disconnected, and the enterprise user terminal cannot access an Exchange server and a data storage server in the enterprise;
6. if the decryption is successful, comparing the obtained four-tuple information of the legal wireless network with the (SSID, BSSID, L opportunity, shared key) four-tuple of the wireless network accessed by the enterprise user terminal, if the two are consistent (wherein, the consistency of L opportunity of the legal wireless network and L opportunity of the wireless network accessed by the enterprise user terminal can comprise that L opportunity of the legal wireless network is the same as L opportunity of the wireless network accessed by the enterprise user terminal or the distance between the two is less than a preset threshold value, the same is carried out below), keeping the wireless network access of the enterprise user terminal, and the enterprise user terminal can access an Exchange server and a data storage server inside the enterprise, otherwise, disconnecting the wireless network access of the enterprise user terminal, and the enterprise user terminal cannot access the Exchange server and the data storage server inside the enterprise.
Second, the enterprise has no enterprise authentication server
1. When an administrator customizes the client agent, the encrypted (SSID, BSSID, Location, sharedKEY) quadruple of the legal wireless network is configured in the installation file of the client agent;
2. The user installs the client agent on the enterprise user terminal, and the client agent encrypts and stores the quadruple information of the legal wireless network;
3. The client agent acquires the (SSID, BSSID, Location, sharedKEY) quadruple of the wireless network accessed by the enterprise user terminal from the Beacon frame or the Probe Response frame, and decrypts the locally encrypted and stored quadruple information of the legal wireless network using the sharedKEY of the wireless network accessed by the user terminal;
4. If the decryption fails, the wireless network access of the enterprise user terminal is disconnected, and the enterprise user terminal cannot access the Exchange server and the data storage server inside the enterprise;
5. If the decryption succeeds, the decrypted quadruple information of the legal wireless network is compared with the (SSID, BSSID, Location, sharedKEY) quadruple of the wireless network accessed by the user terminal. If the two are consistent, the wireless network access of the enterprise user terminal is kept, and the enterprise user terminal can access the Exchange server and the data storage server inside the enterprise; otherwise, the wireless network access of the enterprise user terminal is disconnected, and the enterprise user terminal cannot access the Exchange server and the data storage server inside the enterprise.
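The client-agent check shared by both flows above (steps 3 to 6 with an authentication server, steps 3 to 5 without one), as an added Python example that is not code from the patent: the legal quadruple is sealed under a key derived from its sharedKEY, decryption with the accessed network's sharedKEY therefore fails on a key mismatch, and after a successful decryption the SSID, BSSID and Location are compared, the latter against a distance threshold. The HMAC-based encrypt-then-MAC construction (chosen only to stay standard-library), the 50 m threshold and the network values are assumptions.

```python
import hashlib
import hmac
import json
import math
import os
from dataclasses import asdict, dataclass
from typing import Optional, Tuple

LOCATION_THRESHOLD_M = 50.0  # assumed preset Location threshold (metres)


@dataclass(frozen=True)
class WlanInfo:
    ssid: str
    bssid: str
    location: Tuple[float, float]  # (latitude, longitude) in degrees
    shared_key: str


def _derive_keys(shared_key: str, salt: bytes) -> Tuple[bytes, bytes]:
    # PBKDF2 over the network's sharedKEY -> (encryption key, MAC key)
    km = hashlib.pbkdf2_hmac("sha256", shared_key.encode(), salt, 100_000, 64)
    return km[:32], km[32:]


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream (stdlib-only construction)
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal_legal_network(legal: WlanInfo) -> bytes:
    """Encrypt the legal quadruple for local storage: salt|nonce|ciphertext|tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(legal.shared_key, salt)
    ct = _xor_stream(enc_key, nonce, json.dumps(asdict(legal)).encode())
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_legal_network(blob: bytes, shared_key: str) -> Optional[WlanInfo]:
    """Decrypt with the accessed network's sharedKEY; None means decryption failed."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(shared_key, salt)
    expect = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None  # wrong sharedKEY or tampered store
    d = json.loads(_xor_stream(enc_key, nonce, ct))
    return WlanInfo(d["ssid"], d["bssid"], tuple(d["location"]), d["shared_key"])


def distance_m(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    # Haversine great-circle distance between two (lat, lon) points
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))


def check_access(blob: bytes, observed: WlanInfo) -> Tuple[bool, str]:
    """Decrypt, compare the quadruple, and decide keep (True) or disconnect (False)."""
    legal = open_legal_network(blob, observed.shared_key)
    if legal is None:
        return False, "decryption failed"
    if legal.ssid != observed.ssid or legal.bssid.lower() != observed.bssid.lower():
        return False, "SSID/BSSID mismatch"
    if distance_m(legal.location, observed.location) >= LOCATION_THRESHOLD_M:
        return False, "Location mismatch"
    return True, "legal wireless network"


# Constructed sample legal network (values are not from the patent)
LEGAL = WlanInfo("CorpWiFi", "00:11:22:33:44:55", (30.2741, 120.1551), "constructed-psk")
```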
Therefore, in the embodiment of the invention, when a user accesses an illegal wireless network (including an illegal wireless network forged by the user or another trap wireless network) in an untrusted area through an enterprise user terminal, the Exchange server and the data storage server inside the enterprise cannot be reached, so that leakage of confidential enterprise data caused by the enterprise user terminal accessing an illegal network is avoided.
As can be seen from the above description, in the technical solution provided in the embodiment of the present invention, a client agent is deployed in the user terminal. The client agent acquires and stores the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network; when it detects that the user terminal accesses a wireless network, it acquires the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal, and decrypts the locally encrypted and stored mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network according to the sharedKEY of the wireless network accessed by the user terminal. When the decryption fails, or succeeds but the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network obtained after decryption is inconsistent with the mapping relationship among the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal, the user terminal is controlled to disconnect, so that confidential data of the user terminal is prevented from being leaked to that wireless network.
Referring to fig. 3, a schematic structural diagram of an access control apparatus according to an embodiment of the present invention is provided. The apparatus may be applied to the client agent in the foregoing method embodiment, and as shown in fig. 3, the access control apparatus may include:
an obtaining unit 310, configured to obtain a mapping relationship among a service set identifier (SSID), a basic service set identifier (BSSID), a location (Location) and a shared key (sharedKEY) of a legal wireless network;
a storing unit 320, configured to encrypt and store the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network acquired by the obtaining unit 310;
a detecting unit 330, configured to detect whether the user terminal accesses a wireless network;
the obtaining unit 310 is further configured to, when the detecting unit 330 detects that the user terminal accesses a wireless network, obtain the SSID, BSSID, Location and sharedKEY of the wireless network that the user terminal accesses;
a decryption unit 340, configured to decrypt, according to the sharedKEY of the wireless network accessed by the user terminal, the locally encrypted and stored mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network;
a control unit 350, configured to control the user terminal to disconnect from the accessed wireless network if the decryption fails, or succeeds but the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network obtained after decryption is inconsistent with the mapping relationship among the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal.
In an optional embodiment, the obtaining unit 310 is specifically configured to receive the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network, where the mapping relationship is sent by an authentication server.
In an optional embodiment, the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network is issued in encrypted form by the authentication server through a RADIUS (Remote Authentication Dial In User Service) extended private attribute or a private message.
In an alternative embodiment, the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network is configured in the installation file of the client agent.
In an optional embodiment, the storing unit 320 is specifically configured to: when the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network acquired by the obtaining unit 310 is not encrypted, encrypt and store it; and when that mapping relationship is already encrypted, either store it as received, or decrypt it and re-encrypt it before storing.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the invention. One of ordinary skill in the art can understand and implement it without inventive effort.
It can be seen from the foregoing embodiment that, by deploying a client agent in the user terminal, the client agent obtains and stores the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network; when it detects that the user terminal accesses a wireless network, it obtains the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal, and decrypts the locally encrypted and stored mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network according to the sharedKEY of the wireless network accessed by the user terminal. When the decryption fails, or succeeds but the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network obtained after decryption is inconsistent with the mapping relationship among the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal, the user terminal is controlled to disconnect from the accessed wireless network, so as to avoid data leakage caused by the user terminal accessing an illegal wireless network.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.

Claims (8)

1. An access control method, applied to a client agent deployed in a user terminal, comprising:
acquiring, encrypting and storing a mapping relationship among a Service Set Identifier (SSID), a Basic Service Set Identifier (BSSID), a location (Location) and a shared key (sharedKEY) of a legal wireless network;
when detecting that the user terminal accesses a wireless network, acquiring the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal;
decrypting the locally encrypted and stored mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network according to the sharedKEY of the wireless network accessed by the user terminal;
if the decryption fails, or succeeds but the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network obtained after decryption is inconsistent with the mapping relationship among the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal, controlling the user terminal to disconnect from the accessed wireless network;
wherein the acquiring of the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network comprises:
receiving the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network issued by an authentication server, wherein relevant information of a specific legal wireless network is preset in the user terminal, and when the user terminal is initialized, the connection to the authentication server is established by accessing the specific legal wireless network.
2. The method according to claim 1, wherein the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network is issued in encrypted form by the authentication server through a RADIUS extended private attribute or a private message.
3. The method of claim 1, wherein the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network is configured in an installation file of the client agent.
4. The method of claim 1, wherein the encrypting and storing of the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network comprises:
when the obtained mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network is not encrypted, encrypting and storing it;
when the obtained mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network is encrypted, storing it as obtained, or decrypting it and re-encrypting it for storage.
5. An access control apparatus applied to a client agent deployed in a user terminal, the apparatus comprising:
an acquisition unit, configured to acquire a mapping relationship among a service set identifier (SSID), a basic service set identifier (BSSID), a location (Location) and a shared key (sharedKEY) of a legal wireless network;
a storage unit, configured to encrypt and store the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network acquired by the acquisition unit;
a detection unit, configured to detect whether the user terminal accesses a wireless network;
the acquisition unit is further configured to acquire the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal when the detection unit detects that the user terminal accesses a wireless network;
a decryption unit, configured to decrypt the locally encrypted and stored mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network according to the sharedKEY of the wireless network accessed by the user terminal;
a control unit, configured to control the user terminal to disconnect from the accessed wireless network if the decryption fails, or succeeds but the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network obtained after decryption is inconsistent with the mapping relationship among the SSID, BSSID, Location and sharedKEY of the wireless network accessed by the user terminal;
wherein the acquisition unit is specifically configured to receive the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network issued by an authentication server, relevant information of a specific legal wireless network is preset in the user terminal, and when the user terminal is initialized, the user terminal connects to the authentication server by accessing the specific legal wireless network.
6. The apparatus of claim 5, wherein the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network is issued in encrypted form by the authentication server through a RADIUS extended private attribute or a private message.
7. The apparatus of claim 5, wherein the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network is configured in an installation file of the client agent.
8. The apparatus of claim 5,
wherein the storage unit is specifically configured to: when the mapping relationship among the SSID, BSSID, Location and sharedKEY of the legal wireless network obtained by the acquisition unit is not encrypted, encrypt and store it; and when that mapping relationship is encrypted, store it as obtained, or decrypt it and re-encrypt it for storage.
CN201611208815.4A 2016-12-23 2016-12-23 Access control method and device Active CN106878989B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611208815.4A CN106878989B (en) 2016-12-23 2016-12-23 Access control method and device

Publications (2)

Publication Number Publication Date
CN106878989A CN106878989A (en) 2017-06-20
CN106878989B true CN106878989B (en) 2020-08-04

Family

ID=59165088

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611208815.4A Active CN106878989B (en) 2016-12-23 2016-12-23 Access control method and device

Country Status (1)

Country Link
CN (1) CN106878989B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107707560B (en) * 2017-10-31 2019-11-08 迈普通信技术股份有限公司 Authentication method, system, network access equipment and Portal server
CN110708697B (en) * 2019-09-26 2022-11-18 维沃移动通信有限公司 Encryption method, terminal equipment and server

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103648094A (en) * 2013-11-19 2014-03-19 华为技术有限公司 Method, device and system for detecting illegal wireless access points
CN102843682B (en) * 2012-08-20 2015-03-18 中国联合网络通信集团有限公司 Access point authorization method, device and system
CN106102068A (en) * 2016-08-23 2016-11-09 大连网月科技股份有限公司 Illegal wireless access point detection and attack method and device
CN106162649A (en) * 2015-04-20 2016-11-23 中兴通讯股份有限公司 Method, terminal and system for identifying wireless access point legitimacy

Also Published As

Publication number Publication date
CN106878989A (en) 2017-06-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant