CN107360125A - Access authentication method, WAP and user terminal - Google Patents


Info

Publication number
CN107360125A
Authority
CN
China
Prior art keywords
wap
access
request message
authentication request
terminal
Prior art date
Legal status
Pending
Application number
CN201610306323.2A
Other languages
Chinese (zh)
Inventor
吕征南
韦玮
胡静
Current Assignee
Potevio Information Technology Co Ltd
Putian Information Technology Co Ltd
Original Assignee
Putian Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Putian Information Technology Co Ltd
Priority to CN201610306323.2A
Publication of CN107360125A
Legal status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to an access authentication method, a wireless access point (WAP) and a user terminal. After receiving an access authentication request message sent by a user terminal, the WAP sends its own digital certificate and the terminal's digital certificate to an authentication server for authentication, and sends the authentication server's authentication result to the user terminal; on receiving that result, the user terminal can determine whether the WAP has passed authentication. The user terminal can thus determine whether the access point it is asking to join is a safe access point, and the access point can likewise determine whether the terminal is a legitimate user. Because the access authentication request message sent by the user terminal and the access response message it receives are both messages that conform to the WiFi protocol standard, the sending and receiving can be implemented by the user terminal's existing WiFi module, with no hardware changes to the user terminal, which reduces implementation difficulty.

Description

Access authentication method, WAP and user terminal
Technical field
The present invention relates to the field of communication technology, and in particular to an access authentication method, a wireless access point (WAP) and a user terminal.
Background technology
With the widespread adoption of smart terminals and the rapid development of mobile Internet services, WLAN is growing fast and has become the main broadband access method for users at home and in public places such as airports, railway stations and hotels. Large-scale WLAN coverage is also being rolled out progressively in cities; China Mobile, for example, has deployed nearly ten thousand hotspots in Beijing, giving users across the city convenient WLAN access.
Current WLAN applications are based on the 802.1x series of WiFi protocols, whose authentication procedure comes in an enterprise version and a home version. The home version requires no access authentication and connects directly to the network; the enterprise version provides only one-way authentication of the terminal's identity. In addition, the protocol procedures are transmitted in plaintext, leaving security hazards such as DoS attacks, MAC address tampering and spoofed APs.
The existing 802.11 protocol does not specify any procedure for authenticating the legitimacy of the wireless access point (AP). Whether the personal or the enterprise version of wireless access is used, the only difference between them is whether the terminal's legitimacy is authenticated. Such a mechanism carries a considerable security hazard: once an attacker uses a spoofed AP, the terminal user has no way of recognising it and faces the risk of important information being stolen or misused, and even of financial loss.
The content of the invention
To address these defects in the prior art, the present invention provides a method that enables a user terminal to perform security authentication of a wireless access point.
In a first aspect, the invention provides an access authentication method, which includes:
when a WAP receives an access authentication request message sent by a user terminal, it generates a two-way authentication request message and sends it to an authentication server; the access authentication request message is a message conforming to the WiFi protocol standard and carries a terminal digital certificate; the two-way authentication request message carries the terminal digital certificate and a WAP digital certificate obtained in advance;
the WAP receives from the authentication server a terminal authentication result generated according to the terminal digital certificate and a WAP authentication result generated according to the WAP digital certificate;
the WAP judges, according to the terminal authentication result, whether the user terminal has passed authentication;
the WAP sends an access response message to the user terminal; the access response message is a message conforming to the WiFi protocol standard and contains the terminal authentication result and the WAP authentication result.
Further, the WAP generating the two-way authentication request message and sending it to the authentication server includes:
adding the WAP digital certificate obtained in advance to the received access authentication request message to obtain the two-way authentication request message.
Further, the WAP generating the two-way authentication request message and sending it to the authentication server specifically includes:
the WAP encrypting the generated two-way authentication request message with a signature private key generated on the basis of the encryption algorithm specified in its own WAP digital certificate, and sending the encrypted two-way authentication request message to the authentication server.
In a second aspect, the invention provides an access authentication method, which includes:
a user terminal sending, to the WAP it requests access to, an access authentication request message conforming to the WiFi protocol standard; the access authentication request message carries a terminal digital certificate obtained in advance;
the user terminal receiving an access response message conforming to the WiFi protocol standard sent by the WAP; the access response message carries the WAP authentication result generated by the authentication server after authenticating the WAP and the terminal authentication result generated after authenticating the terminal;
the user terminal judging, according to the WAP authentication result, whether the WAP has passed authentication.
Further, the user terminal sending the access authentication request message conforming to the WiFi protocol standard to the WAP it requests access to includes:
the user terminal generating an access authentication request message conforming to the WiFi protocol standard;
the user terminal encrypting the generated access authentication request message with a signature private key generated on the basis of the encryption algorithm specified in its own terminal digital certificate;
the user terminal sending the encrypted access authentication request message to the WAP.
In a third aspect, the invention provides a WAP, which includes:
a first communication module, for generating a two-way authentication request message and sending it to an authentication server when an access authentication request message sent by a user terminal is received; the access authentication request message is a message conforming to the WiFi protocol standard and carries a terminal digital certificate; the two-way authentication request message carries the terminal digital certificate and a WAP digital certificate obtained in advance;
a second communication module, for receiving from the authentication server a terminal authentication result generated according to the terminal digital certificate and a WAP authentication result generated according to the WAP digital certificate;
a judging module, for judging, according to the terminal authentication result, whether the user terminal has passed authentication;
a third communication module, for sending an access response message to the user terminal; the access response message is a message conforming to the WiFi protocol standard and contains the terminal authentication result and the WAP authentication result.
Further, the first communication module being used to generate the two-way authentication request message and send it to the authentication server includes:
the first communication module adding the WAP digital certificate obtained in advance to the received access authentication request message to obtain the two-way authentication request message.
Further, the first communication module being used to generate the two-way authentication request message and send it to the authentication server specifically includes:
the first communication module encrypting the generated two-way authentication request message with a signature private key generated on the basis of the encryption algorithm specified in the WAP digital certificate, and sending the encrypted two-way authentication request message to the authentication server.
In a fourth aspect, the invention provides a user terminal, which includes:
a first communication module, for sending an access authentication request message conforming to the WiFi protocol standard to the WAP it requests access to; the access authentication request message carries a terminal digital certificate obtained in advance;
a second communication module, for receiving an access response message conforming to the WiFi protocol standard sent by the WAP; the access response message carries the WAP authentication result generated by the authentication server after authenticating the WAP and the terminal authentication result generated after authenticating the terminal;
a judging module, for judging, according to the WAP authentication result, whether the WAP has passed authentication.
Further, the first communication module being used to send the access authentication request message conforming to the WiFi protocol standard to the WAP includes:
the first communication module generating an access authentication request message conforming to the WiFi protocol standard; encrypting the generated access authentication request message with a signature private key generated on the basis of the encryption algorithm specified in the terminal digital certificate; and sending the encrypted access authentication request message to the WAP.
In the present invention, after receiving the access authentication request message sent by the user terminal, the WAP sends its own WAP digital certificate to the authentication server for authentication and forwards the authentication server's result on itself to the user terminal; on receiving that result, the user terminal can determine whether the WAP has passed authentication, and hence whether the access point it is asking to join is a safe one. Because the access authentication request message sent by the user terminal and the access response message it receives are both messages conforming to the WiFi protocol standard, the sending and receiving can be implemented by the user terminal's WiFi module, with no hardware changes to the user terminal, which reduces implementation difficulty.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of an access authentication method provided by the invention;
Fig. 2 is a flow diagram of another access authentication method provided by the invention;
Fig. 3 is a flow chart of access authentication carried out with the access authentication methods shown in Fig. 1 and Fig. 2;
Fig. 4 is a structural diagram of a WAP provided by the invention;
Fig. 5 is a structural diagram of a user terminal provided by the invention.
Embodiments
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the present invention.
In a first aspect, the invention provides an access authentication method that can be performed by a WAP to carry out mutual authentication between the WAP and a user terminal. Referring to Fig. 1, the method includes:
Step S11: when the WAP receives an access authentication request message sent by a user terminal, it generates a two-way authentication request message and sends it to an authentication server. The access authentication request message is a message conforming to the WiFi protocol standard and carries a terminal digital certificate; the two-way authentication request message carries the terminal digital certificate and a WAP digital certificate obtained in advance.
It should be understood that a message conforming to the WiFi protocol standard, as referred to in the present invention, means a message as specified by the WiFi protocol. The user terminal and WAP referred to in the present invention are a user terminal and a WAP capable of supporting WiFi communication, that is, each is fitted with a communication module that can carry out WiFi communication. The terminal digital certificate here is a digital certificate that can show whether the terminal is legitimate; how the digital certificate is designed can follow the prior art and is not described in detail here. Correspondingly, the WAP digital certificate here is a digital certificate that can show whether the WAP is legitimate; its design can likewise follow the prior art.
Step S12: the WAP receives from the authentication server the terminal authentication result generated according to the terminal digital certificate and the WAP authentication result generated according to the WAP digital certificate. It should be understood that the terminal authentication result referred to in the present invention is information capable of showing whether the terminal has passed authentication, and the WAP authentication result is information capable of showing whether the WAP has passed authentication.
Step S13: the WAP judges, according to the terminal authentication result, whether the user terminal has passed authentication.
Step S14: the WAP sends an access response message to the user terminal; the access response message is a message conforming to the WiFi protocol standard and contains the terminal authentication result and the WAP authentication result.
After step S13, the user terminal can receive the WAP authentication result and judge from it whether the WAP has passed authentication, and can then act on that judgement (for example, when the WAP is judged not to have passed authentication, it no longer attaches to that WAP, or it only permits access with a lower required security level through that WAP). The WAP can likewise judge from the terminal authentication result whether the corresponding user terminal is a legitimate terminal and act accordingly (for example, refusing the user terminal access when it is judged to be illegitimate). In the method shown in Fig. 1, since the access authentication request message sent by the user terminal and the access response message it receives are both messages conforming to the WiFi protocol standard, the sending and receiving can be implemented by the user terminal's WiFi module, without any hardware changes to the user terminal (current user terminals generally already contain a WiFi module), which reduces implementation difficulty. In addition, in the present invention, the user terminal and the WAP can each also judge from the authentication results whether they themselves have passed authentication.
In a specific implementation, each step can be carried out in several ways. For example, as one optional embodiment, the generating of the two-way authentication request message and sending it to the authentication server in step S11 may specifically be:
adding the WAP digital certificate obtained in advance to the received access authentication request message to obtain the two-way authentication request message.
This effectively reduces the difficulty of generating the two-way authentication request message. Moreover, in this way the two-way authentication request message can be generated without the WAP having to read the terminal digital certificate in the access authentication request message. This allows the user terminal to encrypt the terminal digital certificate, which effectively prevents an illegitimate WAP from tampering with the terminal digital certificate, or with the WAP and terminal authentication results.
As another optional embodiment, the two-way authentication request message generated in step S11 may also be encrypted, and the encrypted two-way authentication request message then sent to the authentication server. Specifically, the generated two-way authentication request message is encrypted with a signature private key generated on the basis of the encryption algorithm specified in the WAP's own digital certificate, and the encrypted message is sent to the authentication server, so that after receiving it the authentication server decrypts it with the public key corresponding to that signature private key (the authentication server can read the public key from the corresponding field of the received two-way authentication request message) and then authenticates the terminal digital certificate and the WAP digital certificate it contains, each in turn. This effectively prevents the two-way authentication request message from being illegitimately tampered with, ensuring that the authentication process is carried out effectively.
It should be understood that in a specific implementation the two preferred embodiments above can be applied together: the WAP digital certificate obtained in advance is added to the received access authentication request message to obtain the two-way authentication request message, which is then encrypted and sent to the authentication server.
Before step S11, the WAP can obtain its WAP digital certificate in several ways; for example, it can be downloaded from a specific website or imported by the authentication server. Exactly how the WAP digital certificate is obtained does not affect the implementation of the present invention, and the corresponding technical solutions also fall within its scope of protection.
Based on the same concept, the second aspect of the invention also provides another access authentication method, which can be performed by a user terminal and includes:
Step S21: the user terminal sends, to the WAP it requests access to, an access authentication request message conforming to the WiFi protocol standard; the access authentication request message carries a terminal digital certificate obtained in advance.
Step S22: the user terminal receives an access response message conforming to the WiFi protocol standard sent by the WAP; the access response message carries the WAP authentication result generated by the authentication server after authenticating the WAP and the terminal authentication result generated after authenticating the terminal.
Step S23: the user terminal judges, according to the WAP authentication result, whether the WAP has passed authentication.
It should be understood that in step S23, if the WAP authentication result indicates that the WAP has passed authentication, it can be determined from that result that the WAP is a safe access point; otherwise it is an unsafe access point. In this way the user terminal can determine whether the WAP it intends to access is a safe WAP, so that it completes security authentication of the WAP and can afterwards control its own access behaviour according to the authentication result. In addition, the user terminal can also determine whether it has itself passed authentication.
In a specific implementation, as a preferred embodiment, step S21 above may include the following steps:
Step S211: the user terminal generates an access authentication request message conforming to the WiFi protocol standard;
Step S212: the user terminal encrypts the generated access authentication request message with a signature private key generated on the basis of the encryption algorithm specified in its own terminal digital certificate;
Step S213: the user terminal sends the encrypted access authentication request message to the WAP.
This prevents the WAP from parsing the access authentication request message, and so prevents the WAP being asked for access from obtaining the terminal digital certificate and forging an authentication result. In this case, after receiving the access authentication request message, the WAP can directly add its WAP digital certificate to it to generate the two-way authentication request message. After receiving the two-way authentication request message, the authentication server can decrypt the terminal digital certificate in it with the public key of the user terminal corresponding to the private key the user terminal signed with (the authentication server can read the public key from the corresponding field of the received two-way authentication request message), thereby obtaining the terminal digital certificate.
In addition, in this method, when the user terminal does not receive an access response message containing the WAP authentication result, it can directly judge that the WAP has not passed authentication.
In a specific implementation, in the access authentication methods of Fig. 1 and Fig. 2 above, the access authentication request message can also carry a terminal signature in addition to the terminal digital certificate, and the two-way authentication request message can also carry the terminal signature and, further, a WAP signature. In this case the authentication server authenticates according to the terminal digital certificate and the terminal signature: when authentication passes it generates a terminal authentication result indicating that the terminal has passed authentication, otherwise it generates a terminal authentication result indicating that the terminal has not passed authentication. It likewise authenticates according to the WAP digital certificate and the WAP signature: when authentication passes it generates a WAP authentication result indicating that the WAP has passed authentication, otherwise it generates a WAP authentication result indicating that the WAP has not passed authentication. This further strengthens the security of access authentication. The terminal signature here can also be obtained during the process of obtaining the digital certificate; the specific flow is not repeated.
Below in conjunction with the accompanying drawings to some preferred flows of the access authentication method shown in Fig. 1 and Fig. 2 It is described in more detail, referring to Fig. 3, carrying out the idiographic flow of two-way authentication can specifically wrap Include:
Detailed process is as follows:
Step S31, terminal (STA) meet the WAP of WIFI consensus standards to support (AP) access authentication request message is sent, so as to start the two-way authentication based on safety certificate Journey, wherein:
Before the step is performed, STA and AP are both needed to completion certificate server (AS) and registered Journey, by register the safety certificate for obtaining AS respectively and being issued as it (STA acquisitions for number of terminals Word certificate, hereinafter referred to as STA certificates, AP obtain for WAP digital certificate, Hereinafter referred to as AP certificates), the proof as its identity legitimacy.
Here access authentication request message is the certification message for meeting WIFI consensus standards, wherein wrapping Certificate containing STA and STA signatures.STA signature process is that authentication request message uses STA Private key encryption process, the message after encryption is sent to AP by the service connection established.
Step S32: after the AP receives the authentication request message sent by the STA, it first adds the AP certificate and the AP digital signature to the message, then encrypts the new authentication request message, that is, the two-way authentication request message, with the AP private key and sends it to the AS.
Step S33: after the AS receives the authentication request sent by the AP, it verifies the legitimacy of the AP and of the STA in turn, assembles the authentication results into an authentication response message, encrypts and signs it with the AS private key, and sends it to the AP. Specifically:
The AS can first decrypt the two-way authentication request message with the AP public key and then perform authentication. The AS first verifies the AP signature and the legitimacy of the AP certificate; if this check fails, the authentication process fails. If the AP passes, the AS goes on to verify the STA signature and certificate.
Step S34: after authentication, the AS encrypts the authentication results for the STA and the AP with the AS private key and assembles the encrypted results into an authentication response message. The STA authentication result includes the STA certificate and the identity authentication result; the AP authentication result includes the AP certificate and the identity authentication result, together with the AS private-key signature. The AS signing process is the same private-key encryption process that was used for the authentication request message.
The authentication response message can first be encapsulated according to the WIFI protocol and then encapsulated in the IP protocol. After the AP receives the authentication response message, it first decapsulates it according to the IP protocol to obtain the WIFI-protocol-format message, which it can then send to the STA. The AP can therefore forward the corresponding message to the STA even without decapsulating the WIFI-format message. This keeps the AP from altering the AP authentication result carried in the message and further improves the security of authentication.
Step S35: after the AP receives the authentication response message sent by the AS, it decrypts the STA authentication result with the AS public key. If the STA authentication result is correct, the STA is allowed to access; otherwise the STA connection is cancelled. In addition, the AP also forwards the authentication response message sent by the AS to the STA.
Step S36: after the STA receives the authentication response message sent by the AP, it decrypts the AP authentication result with the AS public key. If the AP authentication result is correct, the STA continues to access the AP and keeps the network connection; otherwise it cancels the connection with the AP.
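The following is an added, stand-alone Python model of the STA / AP / AS exchange in steps S31 to S36 (the same flow the claims below describe); it is not code from the patent or its applicant. It assumes that the AS is the CA that issued both the STA and the AP certificates, and it models what the text calls "encryption with the private key" as an RSA signature over a SHA-256 digest of a canonical JSON encoding. The function names (sta_build_request, ap_build_twoway, as_authenticate, ap_admit_sta, sta_keep_ap), the message field names and the toy keys built from known Mersenne primes are all constructed for this example; the key sizes are illustrative only.

```python
import hashlib
import json

# Toy textbook-RSA signatures over SHA-256, built from known Mersenne primes
# so the example runs with the standard library only.  Key sizes and the
# scheme are for illustration of the message flow, not for reuse.
E = 65537
M61, M89, M107, M127, M521, M607 = (2**k - 1 for k in (61, 89, 107, 127, 521, 607))


def make_keypair(p, q):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}


def digest(obj):
    """Canonical SHA-256 of a JSON-serialisable object, as an integer."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, obj):
    # What the page calls "encryption with the private key".
    return pow(digest(obj) % priv["n"], priv["d"], priv["n"])


def verify(pub, obj, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(obj) % pub["n"]


def issue_cert(issuer_priv, subject, pub):
    """Assumption: the AS is the CA that issued the STA and AP certificates."""
    body = {"subject": subject, "pub": pub, "alg": "toy-rsa-sha256"}
    return {**body, "sig": sign(issuer_priv, body)}


def cert_valid(as_pub, cert):
    return verify(as_pub, {k: v for k, v in cert.items() if k != "sig"}, cert["sig"])


# Step S31: STA builds the access authentication request carrying its
# certificate and signs it with its private key.
def sta_build_request(sta_cert, sta_priv):
    body = {"type": "access-auth-req", "sta_cert": sta_cert}
    return {**body, "sta_sig": sign(sta_priv, body)}


# Step S32: AP adds its certificate and signature -> two-way auth request.
def ap_build_twoway(req, ap_cert, ap_priv):
    body = {"req": req, "ap_cert": ap_cert}
    return {**body, "ap_sig": sign(ap_priv, body)}


# Steps S33/S34: AS checks the AP first, then the STA, and signs both results.
def as_authenticate(twoway, as_pub, as_priv):
    req, ap_cert = twoway["req"], twoway["ap_cert"]
    ap_ok = cert_valid(as_pub, ap_cert) and verify(
        ap_cert["pub"], {"req": req, "ap_cert": ap_cert}, twoway["ap_sig"])
    sta_ok = False
    if ap_ok:  # the STA is only examined once the AP has passed
        sta_cert = req["sta_cert"]
        sta_body = {k: v for k, v in req.items() if k != "sta_sig"}
        sta_ok = cert_valid(as_pub, sta_cert) and verify(
            sta_cert["pub"], sta_body, req["sta_sig"])
    result = {"sta": {"cert": req["sta_cert"], "ok": sta_ok},
              "ap": {"cert": ap_cert, "ok": ap_ok}}
    return {"result": result, "as_sig": sign(as_priv, result)}


# Step S35: AP admits the STA only if the AS-signed STA result is positive.
def ap_admit_sta(resp, as_pub):
    r = resp["result"]
    return verify(as_pub, r, resp["as_sig"]) and r["sta"]["ok"]


# Step S36: STA keeps the association only if the AS-signed AP result is positive.
def sta_keep_ap(resp, as_pub):
    r = resp["result"]
    return verify(as_pub, r, resp["as_sig"]) and r["ap"]["ok"]


def build_response(rogue_ap=False):
    """Run S31-S34; with rogue_ap the AP presents a self-signed certificate."""
    as_pub, as_priv = make_keypair(M61, M521)
    sta_pub, sta_priv = make_keypair(M89, M607)
    ap_pub, ap_priv = make_keypair(M107, M127)
    sta_cert = issue_cert(as_priv, "STA-1", sta_pub)
    ap_cert = issue_cert(ap_priv if rogue_ap else as_priv, "AP-1", ap_pub)
    req = sta_build_request(sta_cert, sta_priv)
    resp = as_authenticate(ap_build_twoway(req, ap_cert, ap_priv), as_pub, as_priv)
    return resp, as_pub


def run_exchange(rogue_ap=False):
    """(AP admits STA?, STA keeps AP?) after steps S35 and S36."""
    resp, as_pub = build_response(rogue_ap)
    return ap_admit_sta(resp, as_pub), sta_keep_ap(resp, as_pub)


if __name__ == "__main__":
    print("AS-issued AP certificate:", run_exchange())        # (True, True)
    print("self-signed AP certificate:", run_exchange(True))  # (False, False)
```

Two properties of the described flow are visible when the model runs: an AP whose certificate was not issued by the AS fails at step S33, so the STA drops the association at step S36 even though the AP itself relayed the response; and because both results sit under one AS signature, any change the AP makes to the relayed response invalidates the signature the STA checks, which is the point of the text's remark that the AP forwards the message without being able to alter the AP result.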
In a third aspect, the present invention also provides a WAP capable of performing the access authentication method described in the first aspect above. Referring to Fig. 4, the WAP can include:
a first communication module 41, configured to generate a two-way authentication request message and send it to the certificate server when an access authentication request message sent by the user terminal is received; the access authentication request message is a message conforming to the WIFI protocol standard and carries the terminal digital certificate; the two-way authentication request message carries the terminal digital certificate and the WAP digital certificate obtained in advance;
a second communication module 42, configured to receive the terminal authentication result generated by the certificate server according to the terminal digital certificate and the WAP authentication result generated according to the WAP digital certificate;
a judging module 43, configured to judge, according to the terminal authentication result, whether the user terminal has passed authentication;
a third communication module 44, configured to send an access response message to the user terminal; the access response message is a message conforming to the WIFI protocol standard and includes the terminal authentication result and the WAP authentication result.
Further, the first communication module 41 generating the two-way authentication request message and sending it to the certificate server includes:
the first communication module 41 adding the WAP digital certificate obtained in advance to the received access authentication request message to obtain the two-way authentication request message.
Further, the first communication module 41 generating the two-way authentication request message and sending it to the certificate server specifically includes:
the first communication module 41 encrypting the generated two-way authentication request message with a signature private key generated based on the encryption algorithm specified in the WAP digital certificate, and sending the encrypted two-way authentication request message to the certificate server.
Since the WAP introduced by the present invention is the device used to implement the access authentication method provided in the first aspect of the present invention, those skilled in the art can, based on the access authentication method described in the first aspect, understand the specific implementation of the WAP of this embodiment and its various variants; how the WAP implements the access authentication method of the first aspect is therefore not discussed in detail here. Any device used by those skilled in the art to implement the access authentication method of the first aspect of the present invention falls within the scope of protection of this application.
In a fourth aspect, the present invention provides a user terminal capable of performing the access authentication method described in the second aspect. Referring to Fig. 5, the user terminal can include:
a first communication module 51, configured to send an access authentication request message conforming to the WIFI protocol standard to the WAP it requests to access; the access authentication request message carries the terminal digital certificate obtained in advance;
a second communication module 52, configured to receive the access response message conforming to the WIFI protocol standard sent by the WAP; the access response message carries the WAP authentication result generated by the certificate server after authenticating the WAP and the terminal authentication result generated after authenticating the terminal;
a judging module 53, configured to judge, according to the WAP authentication result, whether the WAP has passed authentication.
Further, the first communication module 51 sending the access authentication request message conforming to the WIFI protocol standard to the WAP includes: generating an access authentication request message conforming to the WIFI protocol standard; encrypting the generated access authentication request message with a signature private key generated by the encryption algorithm specified in the terminal digital certificate; and sending the encrypted access authentication request message to the WAP.
Since the user terminal introduced by the present invention is the device used to implement the access authentication method provided in the second aspect of the present invention, those skilled in the art can, based on the access authentication method described in the second aspect, understand the specific implementation of the user terminal of this embodiment and its various variants; how the user terminal implements the access authentication method of the second aspect is therefore not discussed in detail here. Any device used by those skilled in the art to implement the access authentication method of the second aspect of the present invention falls within the scope of protection of this application.
Numerous specific details are set forth in the specification of the present invention. It is to be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that, in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into that description, with each claim standing on its own as a separate embodiment of the invention.
In the description of the invention it should be noted that orientation or positional terms such as "upper" and "lower" are based on the orientation or positional relationship shown in the drawings; they are used only for ease of describing the invention and simplifying the description, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation, so they are not to be understood as limiting the invention. Unless otherwise expressly specified and limited, the terms "mounted", "connected" and "coupled" are to be understood broadly: for example, as a fixed connection, a detachable connection or an integral connection; as a mechanical or an electrical connection; as a direct connection, an indirect connection through an intermediary, or a connection between the interiors of two elements. Those of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the particular circumstances.
It should also be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus that includes a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that includes that element.
The above embodiments merely illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An access authentication method, characterised in that the method comprises:
a wireless access point (WAP), on receiving an access authentication request message sent by a user terminal, generating a two-way authentication request message and sending it to a certificate server; the access authentication request message being a message conforming to the WIFI protocol standard and carrying a terminal digital certificate; the two-way authentication request message carrying the terminal digital certificate and a WAP digital certificate obtained in advance;
the WAP receiving a terminal authentication result generated by the certificate server according to the terminal digital certificate and a WAP authentication result generated according to the WAP digital certificate;
the WAP judging, according to the terminal authentication result, whether the user terminal has passed authentication;
the WAP sending an access response message to the user terminal; wherein the access response message is a message conforming to the WIFI protocol standard and includes the terminal authentication result and the WAP authentication result.
2. The method according to claim 1, characterised in that the WAP generating a two-way authentication request message and sending it to the certificate server comprises:
adding the WAP digital certificate obtained in advance to the received access authentication request message to generate the two-way authentication request message.
3. The method according to claim 1, characterised in that the WAP generating a two-way authentication request message and sending it to the certificate server specifically comprises:
the WAP encrypting the generated two-way authentication request message using a signature private key generated based on the encryption algorithm specified in its own WAP digital certificate, and sending the encrypted two-way authentication request message to the certificate server.
4. An access authentication method, characterised in that the method comprises:
a user terminal sending an access authentication request message conforming to the WIFI protocol standard to the WAP it requests to access; the access authentication request message carrying a terminal digital certificate obtained in advance;
the user terminal receiving an access response message conforming to the WIFI protocol standard sent by the WAP; the access response message carrying a WAP authentication result generated by the certificate server after authenticating the WAP and a terminal authentication result generated after authenticating the terminal;
the user terminal judging, according to the WAP authentication result, whether the WAP has passed authentication.
5. The method according to claim 4, characterised in that the user terminal sending an access authentication request message conforming to the WIFI protocol standard to the WAP it requests to access comprises:
the user terminal generating an access authentication request message conforming to the WIFI protocol standard;
the user terminal encrypting the generated access authentication request message using a signature private key generated based on the encryption algorithm specified in its own terminal digital certificate;
the user terminal sending the encrypted access authentication request message to the WAP.
6. A WAP, characterised in that it comprises:
a first communication module, configured to generate a two-way authentication request message and send it to a certificate server when an access authentication request message sent by a user terminal is received; the access authentication request message being a message conforming to the WIFI protocol standard and carrying a terminal digital certificate; the two-way authentication request message carrying the terminal digital certificate and a WAP digital certificate obtained in advance;
a second communication module, configured to receive a terminal authentication result generated by the certificate server according to the terminal digital certificate and a WAP authentication result generated according to the WAP digital certificate;
a judging module, configured to judge, according to the terminal authentication result, whether the user terminal has passed authentication;
a third communication module, configured to send an access response message to the user terminal; wherein the access response message is a message conforming to the WIFI protocol standard and includes the terminal authentication result and the WAP authentication result.
7. The WAP according to claim 6, characterised in that the first communication module being configured to generate a two-way authentication request message and send it to the certificate server comprises:
the first communication module adding the WAP digital certificate obtained in advance to the received access authentication request message to obtain the two-way authentication request message.
8. The WAP according to claim 6, characterised in that the first communication module being configured to generate a two-way authentication request message and send it to the certificate server specifically comprises:
the first communication module encrypting the generated two-way authentication request message using a signature private key generated based on the encryption algorithm specified in the WAP digital certificate, and sending the encrypted two-way authentication request message to the certificate server.
9. A user terminal, characterised in that it comprises:
a first communication module, configured to send an access authentication request message conforming to the WIFI protocol standard to the WAP it requests to access; the access authentication request message carrying a terminal digital certificate obtained in advance;
a second communication module, configured to receive an access response message conforming to the WIFI protocol standard sent by the WAP; the access response message carrying a WAP authentication result generated by the certificate server after authenticating the WAP and a terminal authentication result generated after authenticating the terminal;
a judging module, configured to judge, according to the WAP authentication result, whether the WAP has passed authentication.
10. The user terminal according to claim 9, characterised in that the first communication module being configured to send an access authentication request message conforming to the WIFI protocol standard to the WAP comprises:
the first communication module generating an access authentication request message conforming to the WIFI protocol standard; encrypting the generated access authentication request message using a signature private key generated by the encryption algorithm specified in the terminal digital certificate; and sending the encrypted access authentication request message to the WAP.
CN201610306323.2A 2016-05-10 2016-05-10 Access authentication method, WAP and user terminal Pending CN107360125A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610306323.2A CN107360125A (en) 2016-05-10 2016-05-10 Access authentication method, WAP and user terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610306323.2A CN107360125A (en) 2016-05-10 2016-05-10 Access authentication method, WAP and user terminal

Publications (1)

Publication Number Publication Date
CN107360125A true CN107360125A (en) 2017-11-17

Family

ID=60271307

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610306323.2A Pending CN107360125A (en) 2016-05-10 2016-05-10 Access authentication method, WAP and user terminal

Country Status (1)

Country Link
CN (1) CN107360125A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108471423A (en) * 2018-04-02 2018-08-31 北京奇艺世纪科技有限公司 A kind of acquisition methods and system of private key
CN108882237A (en) * 2018-05-31 2018-11-23 四川斐讯信息技术有限公司 A kind of wireless networking verification method and system of digital certificate formula
CN108989044A (en) * 2018-06-01 2018-12-11 四川斐讯信息技术有限公司 The safe verification method and security authentication systems of wireless router
CN110995418A (en) * 2019-11-27 2020-04-10 中国联合网络通信集团有限公司 Cloud storage authentication method and system, edge computing server and user router
CN113316149A (en) * 2021-06-04 2021-08-27 广东电网有限责任公司 Identity security authentication method, device, system, wireless access point and medium
CN113612780A (en) * 2021-08-05 2021-11-05 中国电信股份有限公司 Certificate request, generation and access methods, devices, communication equipment and medium
CN113727297A (en) * 2020-05-11 2021-11-30 上汽通用汽车有限公司 Vehicle-connected secure access method and system
CN114040383A (en) * 2021-11-25 2022-02-11 广东电网有限责任公司广州供电局 WAPI (wireless LAN authentication and privacy infrastructure) secure network control method, device and equipment based on 5G node
CN114745180A (en) * 2022-04-11 2022-07-12 中国南方电网有限责任公司 Access authentication method and device and computer equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1426200A (en) * 2002-11-06 2003-06-25 西安西电捷通无线网络通信有限公司 Sefe access of movable terminal in radio local area network and secrete data communication method in radio link
CN101212297A (en) * 2006-12-28 2008-07-02 中国移动通信集团公司 WEB-based WLAN access authentication method and system
CN101527907A (en) * 2009-03-31 2009-09-09 刘建 Wireless local area network access authentication method and wireless local area network system
CN104135366A (en) * 2013-05-03 2014-11-05 北大方正集团有限公司 Data authentication system and data authentication method

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1426200A (en) * 2002-11-06 2003-06-25 西安西电捷通无线网络通信有限公司 Sefe access of movable terminal in radio local area network and secrete data communication method in radio link
CN101212297A (en) * 2006-12-28 2008-07-02 中国移动通信集团公司 WEB-based WLAN access authentication method and system
CN101527907A (en) * 2009-03-31 2009-09-09 刘建 Wireless local area network access authentication method and wireless local area network system
CN101527907B (en) * 2009-03-31 2015-05-13 中兴通讯股份有限公司 Wireless local area network access authentication method and wireless local area network system
CN104135366A (en) * 2013-05-03 2014-11-05 北大方正集团有限公司 Data authentication system and data authentication method

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108471423A (en) * 2018-04-02 2018-08-31 北京奇艺世纪科技有限公司 A kind of acquisition methods and system of private key
CN108882237A (en) * 2018-05-31 2018-11-23 四川斐讯信息技术有限公司 A kind of wireless networking verification method and system of digital certificate formula
CN108989044A (en) * 2018-06-01 2018-12-11 四川斐讯信息技术有限公司 The safe verification method and security authentication systems of wireless router
CN110995418A (en) * 2019-11-27 2020-04-10 中国联合网络通信集团有限公司 Cloud storage authentication method and system, edge computing server and user router
CN110995418B (en) * 2019-11-27 2022-07-22 中国联合网络通信集团有限公司 Cloud storage authentication method and system, edge computing server and user router
CN113727297A (en) * 2020-05-11 2021-11-30 上汽通用汽车有限公司 Vehicle-connected secure access method and system
CN113316149A (en) * 2021-06-04 2021-08-27 广东电网有限责任公司 Identity security authentication method, device, system, wireless access point and medium
CN113612780A (en) * 2021-08-05 2021-11-05 中国电信股份有限公司 Certificate request, generation and access methods, devices, communication equipment and medium
CN114040383A (en) * 2021-11-25 2022-02-11 广东电网有限责任公司广州供电局 WAPI (wireless LAN authentication and privacy infrastructure) secure network control method, device and equipment based on 5G node
CN114745180A (en) * 2022-04-11 2022-07-12 中国南方电网有限责任公司 Access authentication method and device and computer equipment

Similar Documents

Publication Publication Date Title
CN107360125A (en) Access authentication method, WAP and user terminal
CN105050081B (en) Method, device and system for connecting network access device to wireless network access point
CN109150548B (en) Digital certificate signing and signature checking method and system and digital certificate system
US8875232B2 (en) User authentication
Nakhjiri et al. AAA and network security for mobile access: radius, diameter, EAP, PKI and IP mobility
CN103812871B (en) Development method and system based on mobile terminal application program security application
EP2304636B1 (en) Mobile device assisted secure computer network communications
KR100851976B1 (en) Method and apparatus of transmitting private information using trusted apparatus
CN101300808B (en) Method and arrangement for secure autentication
US9197420B2 (en) Using information in a digital certificate to authenticate a network of a wireless access point
CN106534143A (en) Method and system capable of realizing cross-application authentication authorization
CN101212296B (en) Certificate and SIM based WLAN access authentication method and system
CN103326862B (en) Electronically signing method and system
CN108684041A (en) The system and method for login authentication
Sankar Cisco wireless LAN security
CN101577917A (en) Safe dynamic password authentication method based on mobile phone
CN107040513A (en) A kind of credible access registrar processing method, user terminal and service end
CN105898743B (en) A kind of method for connecting network, apparatus and system
Nyamtiga et al. Enhanced security model for mobile banking systems in Tanzania
CN102780674A (en) Method and system for processing network service by utilizing multifactor authentication method
WO2021113034A1 (en) Full-duplex password-less authentication
US20150208238A1 (en) Terminal identity verification and service authentication method, system and terminal
CN106713279A (en) Video terminal identity authentication system
CN107360124A (en) Access authentication method and device, WAP and user terminal
CN107679847A (en) A kind of move transaction method for secret protection based on near-field communication bidirectional identity authentication

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171117