CN111432407B - Identity verification method, device, equipment and system - Google Patents


Info

Publication number
CN111432407B
Authority
CN
China
Prior art keywords
access
network
authentication
access point
configuration information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910023648.3A
Other languages
Chinese (zh)
Other versions
CN111432407A (en)
Inventor
蒋志刚
赵著禺
黄陈达
孟翔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Dingtalk China Information Technology Co Ltd
Original Assignee
Nail Holding Cayman Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nail Holding Cayman Co ltd
Priority to CN201910023648.3A
Publication of CN111432407A
Application granted
Publication of CN111432407B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the invention provides an identity verification method, device, equipment and system, wherein the method comprises the following steps: the terminal equipment acquires the network name and the first access password of the AP, generates authentication information of a user according to the network name and the first access password of the AP, and sends the authentication information to an AC corresponding to the AP through the AP so that the AC can authenticate the authentication information according to each acquired network access configuration information corresponding to the network name of the AP, wherein each network access configuration information corresponds to a second access password configured for a certain user corresponding to the AP; and receiving authentication information fed back by the AC through the AP. The authentication of the user who wants to access the AP is completed at the AC side with rich resources, so that the processing pressure of the AP for authentication of the user is reduced.

Description

Identity verification method, device, equipment and system
Technical Field
The present invention relates to the field of internet technologies, and in particular, to an identity verification method, device, equipment, and system.
Background
Wireless networks have become indispensable in people's lives and work. In a home or an enterprise, one or several wireless access points (Wireless Access Points, APs) are generally deployed so that users in the home or enterprise can connect to the APs and access the wireless network.
An AP is typically configured with a network name, usually represented by a service set identifier (Service Set Identifier, SSID), and an access password, which may be unique to that AP. Thus, when a user wants to access an AP, the user searches for the network name of the AP and enters the access password of the AP to establish a connection with it.
An AP must authenticate each user who wants to connect to it according to a standard such as Wi-Fi Protected Access (WPA) or WPA2. In a scenario where an enterprise has a large number of employees, the AP has to authenticate a large number of users, and since the AP has limited resources this may adversely affect its normal operation.
Disclosure of Invention
The embodiment of the invention provides an identity verification method, device, equipment and system, which relieve the access point (AP) of the processing load of authenticating a user while that user is accessing the AP.
In a first aspect, an embodiment of the present invention provides an authentication method, applied to a terminal device, including:
acquiring a network name and a first access password of a wireless access point;
Generating authentication information according to the network name and the first access password;
Transmitting the identity verification information to an access controller corresponding to the wireless access point through the wireless access point, so that the access controller verifies the identity verification information according to the obtained network access configuration information corresponding to the network name, wherein the network access configuration information corresponds to a second access password configured for a user;
and receiving verification information fed back by the access controller through the wireless access point.
In a second aspect, an embodiment of the present invention provides an authentication apparatus, located in a terminal device, including:
The acquisition module is used for acquiring the network name and the first access password of the wireless access point;
The generation module is used for generating identity verification information according to the network name and the first access password;
The sending module is used for sending the identity verification information to an access controller corresponding to the wireless access point through the wireless access point so that the access controller verifies the identity verification information according to the obtained network access configuration information corresponding to the network name, wherein the network access configuration information corresponds to a second access password configured for a user;
And the receiving module is used for receiving the verification information fed back by the access controller through the wireless access point.
In a third aspect, an embodiment of the present invention provides a terminal device, including a first processor and a first memory, where the first memory stores executable code, and when the executable code is executed by the first processor, causes the first processor to perform the authentication method in the first aspect.
Embodiments of the present invention provide a non-transitory machine-readable storage medium having stored thereon executable code which, when executed by a processor of a terminal device, causes the processor to perform the authentication method in the first aspect.
In a fourth aspect, an embodiment of the present invention provides an authentication method, applied to an access controller, where the method includes:
Receiving authentication information sent by terminal equipment through a wireless access point, wherein the authentication information is generated by the terminal equipment according to a network name of the wireless access point and a first access password input by a user;
verifying the identity verification information according to network access configuration information corresponding to the network name obtained from a server, wherein the network access configuration information corresponds to a second access password configured for a user;
And if the identity authentication information passes the authentication, transmitting authentication information to the terminal equipment through the wireless access point.
In a fifth aspect, an embodiment of the present invention provides an authentication apparatus, located in an access controller, including:
the receiving module is used for receiving authentication information sent by the terminal equipment through the wireless access point, wherein the authentication information is generated by the terminal equipment according to the network name of the wireless access point and a first access password input by a user;
the authentication module is used for authenticating the identity authentication information according to network access configuration information corresponding to the network name obtained from the server, wherein the network access configuration information corresponds to a second access password configured for a user;
and the sending module is used for sending verification information to the terminal equipment through the wireless access point if the identity verification information passes the verification.
In a sixth aspect, an embodiment of the present invention provides an access controller, including a second processor and a second memory, where the second memory has executable code stored thereon, and when the executable code is executed by the second processor, causes the second processor to perform the authentication method in the fourth aspect.
Embodiments of the present invention provide a non-transitory machine-readable storage medium having stored thereon executable code which, when executed by a processor of an access controller, causes the processor to perform the authentication method in the fourth aspect.
In a seventh aspect, an embodiment of the present invention provides an authentication method, applied to a wireless access point, including:
Receiving identity verification information sent by terminal equipment, wherein the identity verification information is generated by the terminal equipment according to the network name of the wireless access point and a first access password input by a user;
The identity verification information is sent to a corresponding access controller, so that the access controller verifies the identity verification information according to the obtained network access configuration information corresponding to the network name, wherein the network access configuration information corresponds to a second access password configured for a user;
and sending the verification information fed back by the access controller to the terminal equipment.
In an eighth aspect, an embodiment of the present invention provides an authentication apparatus located in a wireless access point, including:
The receiving module is used for receiving authentication information sent by the terminal equipment, wherein the authentication information is generated by the terminal equipment according to the network name of the wireless access point and a first access password input by a user;
And the sending module is used for sending the identity verification information to a corresponding access controller so that the access controller verifies the identity verification information according to the acquired network access configuration information corresponding to the network name, and sending the verification information fed back by the access controller to the terminal equipment, wherein the network access configuration information corresponds to a second access password configured for the user.
In a ninth aspect, an embodiment of the present invention provides a wireless access point, including a third processor and a third memory, where the third memory has executable code stored thereon, and when the executable code is executed by the third processor, the third processor is caused to perform the authentication method in the seventh aspect.
Embodiments of the present invention provide a non-transitory machine-readable storage medium having executable code stored thereon, which when executed by a processor of a wireless access point, causes the processor to perform the authentication method in the seventh aspect.
In a tenth aspect, an embodiment of the present invention provides an authentication system, including:
Terminal equipment, a wireless access point and an access controller;
The terminal equipment is used for acquiring a network name and a first access password of the wireless access point, generating identity verification information according to the network name and the first access password, transmitting the identity verification information to the wireless access point, and receiving the verification information transmitted by the wireless access point;
The wireless access point is used for sending the identity authentication information to the access controller and sending the authentication information fed back by the access controller to the terminal equipment;
The access controller is configured to verify the authentication information according to the obtained network access configuration information corresponding to the network name, and send the authentication information to the wireless access point when the authentication information passes the verification, where the network access configuration information corresponds to a second access password configured for the user.
Taking as an example a scenario in which a plurality of users who are to access the same AP have different access passwords: in the embodiment of the present invention, triggered by a certain user, the terminal device of that user generates authentication information corresponding to the user at least according to the network name of the AP selected by the user and the input access password, and then sends the authentication information to the AP. The AP sends the authentication information to the access controller (Wireless Access Point Controller, AC) responsible for managing the AP. The AC maintains network access configuration information corresponding to each of the plurality of users who can access the AP, wherein each item of network access configuration information corresponds to the access password allocated to the corresponding user by the server. Thus, the AC can verify the authentication information of the user received at this time against each item of network access configuration information corresponding to the AP. In this scheme, the authentication of the user who intends to access the AP is completed on the AC side, which has rich resources, so that the processing pressure on the AP for authenticating users is reduced. In addition, because the access configuration information of the users is maintained on the AC side and the identity verification of the user is completed by the AC, the access configuration information corresponding to sensitive content such as access passwords does not need to be sent to the AP, and the risk of leaking the access configuration information is avoided.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of an identity verification system according to an embodiment of the present invention;
FIG. 2 is an interactive schematic diagram of one process of operation of the authentication system shown in FIG. 1;
FIG. 3 is a flowchart of an authentication method according to an embodiment of the present invention;
FIG. 4 is a flowchart of another authentication method according to an embodiment of the present invention;
FIG. 5 is a flowchart of another authentication method according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an authentication device according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a terminal device corresponding to the authentication device provided in the embodiment shown in fig. 6;
fig. 8 is a schematic structural diagram of another authentication device according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of an access controller corresponding to the authentication device provided in the embodiment shown in fig. 8;
fig. 10 is a schematic structural diagram of another authentication device according to an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a wireless access point corresponding to the authentication device provided in the embodiment shown in fig. 10.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, the "plurality" generally includes at least two, but does not exclude the case of at least one.
It should be understood that the term "and/or" as used herein is merely one relationship describing the association of the associated objects, meaning that there may be three relationships, e.g., a and/or B, may represent: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
The words "if", as used herein, may be interpreted as "at … …" or "at … …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrase "if determined" or "if detected (stated condition or event)" may be interpreted as "when determined" or "in response to determination" or "when detected (stated condition or event)" or "in response to detection (stated condition or event), depending on the context.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a product or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such product or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a commodity or system comprising such elements.
In addition, the sequence of steps in the method embodiments described below is only an example and is not strictly limited.
Fig. 1 is a schematic diagram of an authentication system according to an embodiment of the present invention. As shown in fig. 1, the authentication system includes: a terminal device, a Wireless Access Point (AP), and an Access Controller (AC).
The authentication system may be deployed, for example, at an enterprise within which one or several of the APs illustrated in fig. 1 may be deployed, as well as an AC for managing the APs. Thus, the terminal devices illustrated in fig. 1 may correspond to users (which may be employees of the enterprise, among others) that are within the coverage of these APs. At this time, the authentication system is used for authentication of any user who wants to access the APs, specifically, authentication of the user who wants to access the APs through the AC.
In an alternative embodiment, for the same AP, different access passwords may be assigned to each user for some purpose, so that different users may access the AP with their respective assigned access passwords. For example, an AP is deployed in an enterprise, and a server (for example, a personnel management platform of the enterprise) can allocate access passwords required by accessing the AP to all users belonging to the enterprise, so that based on the differentiated access passwords of each user, statistics, identification and management can be performed on network access behaviors of each user.
It should be noted that, when an enterprise deploys multiple APs, the multiple APs may correspond to the same network name, i.e. the same SSID, and it should be understood that the user wants to access the wireless LAN of the enterprise. In this case, the user may connect to the WLAN by arbitrarily selecting one of the APs, and the access password allocated by the server to the user is applicable to each AP in the WLAN.
Of course, in another alternative embodiment, a single uniform access password may be set for the same AP, so that all users who want to access the AP use that access password. The identity verification system provided by the embodiment of the invention is applicable to both situations.
In the process of authenticating the user, the functions of all the components in the authentication system are as follows:
The terminal equipment is used for acquiring the network name and the first access password of the AP, generating identity verification information according to the network name and the first access password of the AP, sending the identity verification information to the AP, and receiving the verification information sent by the AP.
And the AP is used for sending the authentication information received from the terminal equipment to the AC and sending the authentication information fed back by the AC to the terminal equipment.
And the AC is used for verifying the identity verification information received from the AP according to the acquired network access configuration information corresponding to the network name of the AP, and sending the verification information to the AP when the identity verification information passes the verification, wherein the network access configuration information corresponds to a second access password which is configured for the user.
The above outlines the function of each component in the authentication system; a simple description of the operation of the authentication system follows:
As previously described, in an alternative embodiment, each user may have a different access password for the AP. Therefore, in this embodiment, the authentication process of the user will be described taking a case where different users are assigned different access passwords for the same AP as an example. It will be appreciated that the authentication process for a user is similar in the case where different users are assigned the same access password for the same AP.
As shown in fig. 1, in step s1, the terminal device acquires a network name and an access password (i.e., a first access password) of the AP. For a certain user, the user can search all APs existing around through terminal equipment such as a mobile phone, a tablet personal computer, a notebook computer and the like, select a certain AP to be accessed from among the APs, and then input an access password required for accessing the AP, namely the first access password.
In step s2, the terminal device generates authentication information corresponding to the user according to the network name of the AP and the first access password input by the user. The authentication information is sent to the AP in step s3. In step s4, the AP transmits authentication information received from the terminal device to the AC.
In an optional embodiment, the terminal device may encrypt the network name of the AP and the first access password using a set encryption algorithm, and the encryption result serves as the authentication information corresponding to the user. For example, the network name and the first access password may be encoded in some way, passed through a hash function, and so on.
In another alternative embodiment, the terminal device may also encrypt the first access password with a set encryption algorithm, so that the authentication information of the user may include the encryption result of the first access password and the network name of the AP.
In yet another alternative embodiment, where the network itself is sufficiently secure, the network name of the AP and the first access password may directly form the authentication information of the user.
Optionally, in some embodiments, the identity verification information of the user may further include an identifier of the terminal device and/or an identifier of the user, where the identifier of the terminal device may be, for example, the Media Access Control (MAC) address or the device serial number of the terminal device, and the user identifier may be, for example, a number allocated to the user by the server, the user's mobile phone number, and the like.
In step s5, the AC verifies the authentication information received from the AP according to the acquired network access configuration information corresponding to the network name of the AP. In step s6, the AC transmits authentication information indicating that authentication is passed to the AP when the authentication information is passed. In step s7, the AP transmits authentication information to the terminal device.
As described above, taking an enterprise scenario as an example, the server may allocate distinct access passwords for accessing the APs deployed in the enterprise to the respective users belonging to the enterprise (which may include employees and visitors within the enterprise). After the server allocates the access password corresponding to each user, it can send each allocated access password to the corresponding user, and it can send the network access configuration information corresponding to each user to the AC for maintenance, so that the AC can verify the identity of a user accessing the AP based on the network access configuration information corresponding to the users. The access configuration information corresponding to a user corresponds to the access password (referred to as the second access password) assigned to that user. The correspondence between the network access configuration information and the second access password may be as follows: the network access configuration information of a certain user is directly the second access password allocated to that user, or the network access configuration information of the user is a calculation result obtained by computing over the second access password allocated to the user and the network name of the AP. The calculation here may be the same encryption processing as is used when generating the authentication information.
Based on the processing procedure of the server, the foregoing description refers to: the network access configuration information corresponding to the network name of the AP, which is obtained by the AC, refers to the network access configuration information of each user of the wireless local area network, which is sent to the AC by the server and can be accessed to the wireless local area network corresponding to the network name.
The AC verifies the authentication information received from the AP according to the obtained network access configuration information corresponding to the network name of the AP. The verification process may differ slightly depending on the specific form of the authentication information and the network access configuration information, but in general it is as follows: the AC searches the network access configuration information it maintains for an entry that matches the identity authentication information of the user. If such an entry exists, the user is indeed accessing the AP with an access password distributed by the server, the access behaviour is legitimate, and the identity authentication passes; otherwise the identity authentication fails.
For example, when the authentication information of a user a is an encryption result (for convenience of description, referred to as a first encryption result) of encrypting the network name of the AP and the first access password, the access configuration information of any user B is an encryption result (for convenience of description, referred to as a second encryption result) of encrypting the network name of the AP and the second access password assigned to the user, the process of searching for whether the first encryption result exists in each stored second encryption result is performed by the AC when the user a is authenticated, and if the first encryption result exists, the user a passes the authentication.
For another example, when the authentication information of a user a is an encryption result (for convenience of description, referred to as a first encryption result) of encrypting the network name of the AP and the first access password, the network access configuration information of any user B may also be the network name of the AP and the second access password allocated to the user B, so that when the AC performs authentication on the user a, the same encryption algorithm may be adopted to encrypt the network name of the AP and the second access password in real time to obtain the second encryption result, and then whether the first encryption result exists in the obtained second encryption results is searched.
The above has described the composition of the authentication system and the main functions of the constituent elements and a simple working procedure, and another specific working procedure of the authentication system is described below.
Fig. 2 is an interactive schematic diagram of an operation of the authentication system shown in fig. 1, and as shown in fig. 2, may include the following steps:
201. the terminal equipment acquires the SSID and the first access password of the AP.
Wherein SSID represents the network name corresponding to AP.
202. The terminal equipment generates PMK1 according to the SSID of the AP and the first access password.
Where PMK1 represents a first pairwise master key (Pairwise Master Key, PMK).
203. And the terminal equipment sends a verification instruction to the AP.
204. The AP generates an a-nonce.
Wherein a-nonce represents the first random number.
205. The AP sends the a-nonce and the AP's MAC address to the terminal device.
206. The terminal device generates an s-nonce.
Wherein s-nonce represents the second random number.
207. The terminal device generates PTK1 according to the a-nonce, the s-nonce, the MAC address of the AP, the MAC address of the terminal device and PMK 1.
Where PTK1 represents a first pairwise transient key (Pairwise Transient Key, PTK).
208. The terminal device generates MIC1 from PMK1 and PTK 1.
Wherein MIC1 represents a first message integrity code (Message Integrity Code, MIC).
209. The terminal device sends MIC1, a-nonce, s-nonce, the MAC address of the AP, and the MAC address of the terminal device to the AP.
In practice, the terminal device may also transmit only s-nonce and MIC1 to the AP, since the MAC addresses of the a-nonce and the AP are known per se to the AP, and the MAC address of the terminal device may be carried in the authentication command when the terminal device sends the authentication command to the AP.
210. The AP transmits MIC1, a-nonce, s-nonce, MAC address of the AP, MAC address of the terminal device to the AC.
The authentication information of the user may be considered to include MIC1, a-nonce, s-nonce, MAC address of AP, MAC address of terminal device.
211. The AC receives PMK2 generated by the service end for each user.
Wherein PMK2 represents a second pairwise master key, and for a user, the PMK2 corresponding to the user is generated by the server according to the second access password allocated to the user and the SSID of the AP. The server may issue PMK2 to the AC by way of the SDK.
It is understood that the execution sequence of step 211 is not strictly limited, as long as it is executed before step 212.
212. The AC generates PTK2 from PMK2, a-nonce, s-nonce, the MAC address of the AP and the MAC address of the terminal device.
Wherein PTK2 represents the second pairwise temporal key.
213. The AC generates MIC2 from PMK2 and PTK 2.
Wherein MIC2 represents the second integrity check code.
214. AC compares MIC1 with MIC2.
215. When MIC1 matches MIC2, the AC feeds back authentication information to the AP.
It can be understood that, when the AC obtains PMK2 corresponding to each of the plurality of users from the server, the AC needs to find whether there is a MIC2 consistent with the MIC1 in the plurality of MIC2 maintained locally, and if so, it indicates that the authentication information of the current user passes the authentication.
216. The AP feeds back verification information to the terminal equipment.
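The procedure of steps 201 to 216 as an added example in Python (not code from the patent or its assignee): the terminal derives PMK1, PTK1 and MIC1, the server provisions one PMK2 per user to the AC, and the AC recomputes PTK2 and MIC2 for each provisioned user to find a match, so the second access passwords never reach the AP or the AC. The patent fixes no concrete algorithms, so PBKDF2-HMAC-SHA1 for the PMK, an HMAC-SHA256 PRF for the PTK and an HMAC-SHA256 integrity code over the PMK keyed by the PTK are assumptions here, as are all function names and the sample values.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 4096  # WPA2-PSK value; assumed, the patent fixes none


def derive_pmk(ssid: str, access_password: str) -> bytes:
    """Step 202 on the terminal (PMK1) and on the server per user (PMK2).
    PBKDF2-HMAC-SHA1 salted with the SSID is assumed, as in WPA2-PSK."""
    return hashlib.pbkdf2_hmac("sha1", access_password.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, 32)


def derive_ptk(pmk: bytes, a_nonce: bytes, s_nonce: bytes,
               ap_mac: bytes, sta_mac: bytes) -> bytes:
    """Steps 207 and 212: HMAC-SHA256 PRF (assumed construction). MAC addresses
    and nonces are ordered so the terminal and the AC feed identical input."""
    data = (b"Pairwise key expansion"
            + min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(a_nonce, s_nonce) + max(a_nonce, s_nonce))
    return hmac.new(pmk, data, hashlib.sha256).digest()


def derive_mic(pmk: bytes, ptk: bytes) -> bytes:
    """Steps 208 and 213: integrity check code from PMK and PTK. The patent names
    no construction; HMAC-SHA256 over the PMK keyed by the first 16 PTK bytes
    is assumed here."""
    return hmac.new(ptk[:16], pmk, hashlib.sha256).digest()


def terminal_authenticate(ssid, first_password, a_nonce, ap_mac, sta_mac,
                          s_nonce=None):
    """Steps 201 to 209: build the authentication information the terminal
    sends to the AP, which forwards it unchanged to the AC (step 210)."""
    if s_nonce is None:
        s_nonce = os.urandom(32)  # step 206
    pmk1 = derive_pmk(ssid, first_password)
    ptk1 = derive_ptk(pmk1, a_nonce, s_nonce, ap_mac, sta_mac)
    mic1 = derive_mic(pmk1, ptk1)
    return {"mic": mic1, "a_nonce": a_nonce, "s_nonce": s_nonce,
            "ap_mac": ap_mac, "sta_mac": sta_mac}


def server_provision(ssid, second_passwords):
    """Step 211 (server side): compute PMK2 per user and issue only the PMKs
    to the AC; the second access passwords themselves stay on the server."""
    return {user: derive_pmk(ssid, pw) for user, pw in second_passwords.items()}


class AccessController:
    """Steps 211 to 215: hold PMK2 per user and search for a matching MIC2."""

    def __init__(self, pmk2_by_user):
        self.pmk2_by_user = dict(pmk2_by_user)

    def verify(self, info):
        """Return the matching user, or None when no PMK2 reproduces MIC1.
        Cost is one PRF and one HMAC per provisioned user per attempt."""
        for user, pmk2 in self.pmk2_by_user.items():
            ptk2 = derive_ptk(pmk2, info["a_nonce"], info["s_nonce"],
                              info["ap_mac"], info["sta_mac"])
            mic2 = derive_mic(pmk2, ptk2)
            # step 214: constant-time comparison of the two check codes
            if hmac.compare_digest(mic2, info["mic"]):
                return user
        return None


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    ssid = "office-ap"
    ap_mac = bytes.fromhex("02aabbccdd01")
    sta_mac = bytes.fromhex("02aabbccdd02")
    ac = AccessController(server_provision(
        ssid, {"alice": "alice-pass-1", "bob": "bob-pass-2"}))
    a_nonce = os.urandom(32)  # step 204 on the AP
    info = terminal_authenticate(ssid, "bob-pass-2", a_nonce, ap_mac, sta_mac)
    print("verified user:", ac.verify(info))
```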
In summary, in the authentication system provided herein, authentication of a user who intends to access an AP is completed at an AC side with abundant resources, so that the processing pressure of the AP for authentication of the user is reduced. In addition, because the access configuration information of the user is maintained at the AC side, and the identity verification of the user is completed through the AC, the access configuration information corresponding to sensitive contents such as access passwords and the like does not need to be sent to the AP, and the leakage risk of the access configuration information is avoided.
The specific execution actions of each component in the process of authenticating the user will be described below in terms of each component in the authentication system.
Fig. 3 is a flowchart of an authentication method according to an embodiment of the present invention, where the authentication method may be performed by the terminal device shown in fig. 1. As shown in fig. 3, the method comprises the steps of:
301. Acquire the network name and the first access password of the AP.
302. Generate authentication information according to the network name of the AP and the first access password.
303. Send the authentication information to the AC through the AP, so that the AC verifies the authentication information according to the obtained network access configuration information corresponding to the network name of the AP, wherein the network access configuration information corresponds to the second access password configured for the user.
304. Receive the verification information fed back by the AC through the AP.
After receiving the verification information, the terminal device can establish connection with the AP.
In an alternative embodiment, step 302 may be implemented as: encrypting the network name of the AP and the first access password using a set encryption algorithm, with the encryption result serving as the authentication information of the user.
Correspondingly, optionally, for any user corresponding to the AP, the network access configuration information corresponding to that user may also be an encryption result obtained by encrypting, using the same encryption algorithm, the second access password allocated to the user and the network name of the AP.
In another alternative embodiment, step 302 may be implemented as: generating a first pairwise master key according to the network name of the AP and the first access password; obtaining a first random number and the MAC address of the AP from the AP; generating a second random number; generating a first pairwise temporary key according to the first random number, the second random number, the MAC address of the AP, the MAC address of the terminal device and the first pairwise master key; and generating a first integrity check code from the first pairwise master key and the first pairwise temporary key. At this time, the authentication information of the user includes the first random number, the second random number, the MAC address of the AP, the MAC address of the terminal device and the first integrity check code.
Correspondingly, optionally, for any user corresponding to the AP, the corresponding network access configuration information may be a second pairwise master key generated from the second access password assigned to the user and the network name of the AP.
In this embodiment, after the AC receives the authentication information of the user, the AC generates a second pairwise temporary key according to the first random number, the second random number, the MAC address of the AP, the MAC address of the terminal device, and the second pairwise master key, generates a second integrity check code according to the second pairwise master key and the second pairwise temporary key, determines whether the authentication information of the user passes the authentication according to whether the second integrity check code matches the first integrity check code, and feeds back the authentication information to the AP when the authentication passes.
The detailed description of the above embodiments may be referred to the description of the embodiments shown in fig. 1 and 2, and will not be repeated here.
Fig. 4 is a flowchart of another authentication method according to an embodiment of the present invention, which may be performed by the access controller shown in fig. 1. As shown in fig. 4, the steps may be included as follows:
401. Receive authentication information sent by the terminal device through the AP, wherein the authentication information is generated by the terminal device according to the network name of the AP and a first access password input by the user.
402. Verify the authentication information according to the network access configuration information corresponding to the network name of the AP, obtained from the server, wherein the network access configuration information corresponds to the second access password configured for the user.
403. If the authentication information passes verification, send verification information to the terminal device through the AP.
Optionally, the authentication information may be a first encryption result obtained by the terminal device by encrypting the network name of the AP and the first access password using a set encryption algorithm. Correspondingly, the network access configuration information may be a second encryption result obtained by the server or the access controller by encrypting the second access password and the network name of the AP using the same encryption algorithm. At this point, step 402 may be implemented as: if the first encryption result matches the second encryption result, determining that the authentication information passes verification.
Optionally, the authentication information of the user may include a first random number obtained by the terminal device from the AP and a MAC address of the AP, a second random number generated by the terminal device, a MAC address of the terminal device, and a first integrity check code. Wherein the first integrity check code is generated by the terminal device from the first pairwise master key and the first pairwise temporary key. The first pairwise temporary key is generated by the terminal device based on the first random number, the second random number, the MAC address of the AP, the MAC address of the terminal device, and the first pairwise master key. The first pairwise master key is generated by the terminal device from the network name of the AP and the first access password. For any user to which the AP corresponds, its corresponding access configuration information may be a second pairwise master key generated from the second access password assigned thereto and the network name of the AP. At this point, step 402 may be implemented as: generating a second pairwise temporary key according to the first random number, the second random number, the MAC address of the AP, the MAC address of the terminal device and the second pairwise master key; generating a second integrity check code based on the second pairwise master key and the second pairwise temporary key; if the first integrity check code is matched with the second integrity check code, the identity verification information is determined to pass verification.
The detailed description of the above embodiments may be referred to the description of the embodiments shown in fig. 1 and 2, and will not be repeated here.
Fig. 5 is a flowchart of yet another authentication method according to an embodiment of the present invention, which may be performed by the wireless access point shown in fig. 1. As shown in fig. 5, the steps may be included as follows:
501. Receive authentication information sent by the terminal device, wherein the authentication information is generated by the terminal device according to the network name of the AP and a first access password input by the user.
502. Send the authentication information to the corresponding AC, so that the AC verifies the authentication information according to the acquired network access configuration information corresponding to the network name of the AP, wherein the network access configuration information corresponds to the second access password configured for the user.
503. Send the verification information fed back by the AC to the terminal device.
In an alternative embodiment, step 501 may further include the following steps: generating a first random number in response to a verification instruction sent by the terminal equipment; and sending the first random number and the MAC address of the AP to the terminal equipment so that the terminal equipment generates a first pairing temporary key according to the second random number generated by the terminal equipment, the first random number, the MAC address of the AP, the MAC address of the terminal equipment and the first pairing master key, and generates a first integrity check code according to the first pairing master key and the first pairing temporary key, wherein the first pairing master key is generated by the terminal equipment according to the network name of the AP and the first access password. Thus, the authentication information comprises a first random number, a second random number, a MAC address of the AP, a MAC address of the terminal device and a first integrity check code.
The detailed description of the above embodiments may be referred to the description of the embodiments shown in fig. 1 and 2, and will not be repeated here.
The authentication device of one or more embodiments of the present invention will be described in detail below. Those skilled in the art will appreciate that these authentication devices may be configured using commercially available hardware components through the steps taught by the present solution.
Fig. 6 is a schematic structural diagram of an authentication device according to an embodiment of the present invention, as shown in fig. 6, where the device includes: the device comprises an acquisition module 11, a generation module 12, a sending module 13 and a receiving module 14.
An obtaining module 11, configured to obtain a network name and a first access password of the wireless access point.
A generating module 12, configured to generate authentication information according to the network name and the first access password.
And a sending module 13, configured to send the authentication information to the access controller corresponding to the wireless access point through the wireless access point, so that the access controller verifies the authentication information according to the obtained network access configuration information corresponding to the network name, where the network access configuration information corresponds to a second access password configured for the user.
And the receiving module 14 is used for receiving the verification information fed back by the access controller through the wireless access point.
In an alternative embodiment, the generating module 12 may specifically be configured to: and encrypting the network name and the first access password by adopting a set encryption algorithm, wherein an encryption result is used as the identity authentication information. The network access configuration information may be an encryption result obtained by encrypting the second access password and the network name by using the encryption algorithm.
In another alternative embodiment, the generating module 12 may specifically be configured to: generating a first pairwise master key according to the network name and the first access password; obtaining a first random number and a media access control address of the wireless access point from the wireless access point; generating a second random number; generating a first pairing temporary key according to the first random number, the second random number, the media access control address of the wireless access point, the media access control address of the terminal equipment and the first pairing master key; generating a first integrity check code from the first pairwise master key and the first pairwise temporary key; the authentication information includes the first random number, the second random number, a media access control address of the wireless access point, a media access control address of the terminal device, and the first integrity check code.
The access configuration information is a second pairwise master key generated according to the second access password and the network name.
At this time, the authentication information causes the access controller to generate a second pairwise temporary key according to the first random number, the second random number, the media access control address of the wireless access point, the media access control address of the terminal device and the second pairwise master key, generate a second integrity check code according to the second pairwise master key and the second pairwise temporary key, and determine whether the authentication information passes verification according to whether the second integrity check code matches the first integrity check code.
The apparatus shown in fig. 6 may perform the method performed by the terminal device in the foregoing embodiments, and for the parts not described in detail in this embodiment, reference may be made to the description related to the foregoing embodiments, which is not repeated herein.
In one possible design, the configuration of the authentication device shown in fig. 6 may be implemented as a terminal device, which may be, for example, a mobile phone, a tablet computer, a notebook computer, a digital assistant, etc. of the user. As shown in fig. 7, the terminal device may include: a first processor 21, and a first memory 22. Wherein the first memory 22 stores executable code thereon, which when executed by the first processor 21, causes at least the first processor 21 to perform the steps of:
acquiring a network name and a first access password of a wireless access point;
Generating authentication information according to the network name and the first access password;
Transmitting the identity verification information to an access controller corresponding to the wireless access point through the wireless access point, so that the access controller verifies the identity verification information according to the obtained network access configuration information corresponding to the network name, wherein the network access configuration information corresponds to a second access password configured for a user;
and receiving verification information fed back by the access controller through the wireless access point.
The structure of the terminal device may further include a first communication interface 23, which is used for the terminal device to communicate with other devices or a communication network.
Further, embodiments of the present invention provide a non-transitory machine-readable storage medium having stored thereon executable code that, when executed by a processor of a terminal device, causes the processor to perform the steps performed by the terminal device in the foregoing embodiments.
Fig. 8 is a schematic structural diagram of another authentication device provided in an embodiment of the present invention, which is located in an access controller, as shown in fig. 8, and includes: a receiving module 31, a verifying module 32, and a transmitting module 33.
And the receiving module 31 is configured to receive authentication information sent by a terminal device through a wireless access point, where the authentication information is generated by the terminal device according to a network name of the wireless access point and a first access password input by a user.
And the verification module 32 is configured to verify the authentication information according to network access configuration information corresponding to the network name obtained from the server, where the network access configuration information corresponds to a second access password already configured for the user.
And a sending module 33, configured to send authentication information to the terminal device through the wireless access point if the authentication information passes authentication.
Optionally, the authentication information is a first encryption result obtained by encrypting the network name and the first access password using a set encryption algorithm, and the network access configuration information is a second encryption result obtained by encrypting the second access password and the network name using the same encryption algorithm. At this time, the verification module 32 may specifically be configured to: if the first encryption result matches the second encryption result, determine that the authentication information passes verification.
Optionally, the authentication information includes a first random number obtained by the terminal device from the wireless access point and a media access control address of the wireless access point, a second random number generated by the terminal device, a media access control address of the terminal device, and a first integrity check code, where the first integrity check code is generated by the terminal device according to a first pairwise master key and a first pairwise temporary key, the first pairwise temporary key is generated by the terminal device according to the first random number, the second random number, the media access control address of the wireless access point, the media access control address of the terminal device and the first pairwise master key, and the first pairwise master key is generated by the terminal device according to the network name and the first access password. The network access configuration information is a second pairwise master key generated according to the second access password and the network name. At this time, the verification module 32 may specifically be configured to: generate a second pairwise temporary key according to the first random number, the second random number, the media access control address of the wireless access point, the media access control address of the terminal device and the second pairwise master key; generate a second integrity check code from the second pairwise master key and the second pairwise temporary key; and, if the first integrity check code matches the second integrity check code, determine that the authentication information passes verification.
The apparatus shown in fig. 8 may perform the method performed by the access controller in the foregoing embodiments, and for the portions of this embodiment not described in detail, reference may be made to the description related to the foregoing embodiments, which are not described herein.
In one possible design, the configuration of the authentication device shown in fig. 8 described above may be implemented as an Access Controller (AC). As shown in fig. 9, the access controller may include: a second processor 41 and a second memory 42. Wherein the second memory 42 has executable code stored thereon, which when executed by the second processor 41, causes at least the second processor 41 to perform the steps of:
Receiving authentication information sent by terminal equipment through a wireless access point, wherein the authentication information is generated by the terminal equipment according to a network name of the wireless access point and a first access password input by a user;
verifying the identity verification information according to network access configuration information corresponding to the network name obtained from a server, wherein the network access configuration information corresponds to a second access password configured for a user;
And if the identity authentication information passes the authentication, transmitting authentication information to the terminal equipment through the wireless access point.
The structure of the access controller may further include a second communication interface 43, which is used for the access controller to communicate with other devices or a communication network.
Additionally, embodiments of the present invention provide a non-transitory machine-readable storage medium having executable code stored thereon that, when executed by a processor of an access controller, causes the processor to perform the steps performed by the access controller in the previous embodiments.
Fig. 10 is a schematic structural diagram of another authentication device provided in an embodiment of the present invention, which is located in a wireless access point, as shown in fig. 10, and includes: a receiving module 51, a transmitting module 52.
And the receiving module 51 is configured to receive authentication information sent by a terminal device, where the authentication information is generated by the terminal device according to a network name of the wireless access point and a first access password input by a user.
And a sending module 52, configured to send the authentication information to a corresponding access controller, so that the access controller verifies the authentication information according to the obtained network access configuration information corresponding to the network name, and sends the verification information fed back by the access controller to the terminal device, where the network access configuration information corresponds to a second access password configured for the user.
Optionally, the authentication device further comprises: and the generation module is used for responding to the verification instruction sent by the terminal equipment and generating a first random number. The sending module 52 is further configured to: transmitting the first random number and the media access control address of the wireless access point to the terminal equipment, so that the terminal equipment generates a first pairing temporary key according to the second random number generated by the terminal equipment, the first random number, the media access control address of the wireless access point, the media access control address of the terminal equipment and a first pairing master key, and generates a first integrity check code according to the first pairing master key and the first pairing temporary key, wherein the first pairing master key is generated by the terminal equipment according to the network name and the first access password; the authentication information includes the first random number, the second random number, a media access control address of the wireless access point, a media access control address of the terminal device, and the first integrity check code.
The apparatus shown in fig. 10 may perform the method performed by the wireless access point in the foregoing embodiments, and for the portions of this embodiment not described in detail, reference may be made to the related descriptions of the foregoing embodiments, which are not described herein again.
In one possible design, the configuration of the authentication device shown in fig. 10 described above may be implemented as a wireless Access Point (AP). As shown in fig. 11, the wireless access point may include: a third processor 61, and a third memory 62. Wherein the third memory 62 stores executable code, which when executed by the third processor 61, causes at least the third processor 61 to perform the steps of:
Receiving identity verification information sent by terminal equipment, wherein the identity verification information is generated by the terminal equipment according to the network name of the wireless access point and a first access password input by a user;
The identity verification information is sent to a corresponding access controller, so that the access controller verifies the identity verification information according to the obtained network access configuration information corresponding to the network name, wherein the network access configuration information corresponds to a second access password configured for a user;
and sending the verification information fed back by the access controller to the terminal equipment.
The structure of the wireless access point may further include a third communication interface 63, which is used for the wireless access point to communicate with other devices or a communication network.
Additionally, embodiments of the present invention provide a non-transitory machine-readable storage medium having executable code stored thereon that, when executed by a processor of a wireless access point, causes the processor to perform the steps performed by the wireless access point in the previous embodiments.
The apparatus embodiments described above are merely illustrative, wherein the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by adding necessary general purpose hardware platforms, or may be implemented by a combination of hardware and software. Based on such understanding, the foregoing aspects, in essence and portions contributing to the art, may be embodied in the form of a computer program product, which may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include persistent and non-persistent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (20)

1. An authentication method, applied to a terminal device, comprising:
acquiring a network name and a first access password of a wireless access point;
generating authentication information according to the network name and the first access password;
sending the authentication information, through the wireless access point, to an access controller managing the wireless access point, so that the access controller locally verifies the authentication information according to obtained network access configuration information corresponding to the network name, wherein the network access configuration information is network access configuration information of each user sent to the access controller in advance by a server, and the network access configuration information of each user corresponds to a second access password configured for that user;
and receiving verification information fed back by the access controller through the wireless access point.
2. The method of claim 1, wherein generating authentication information according to the network name and the first access password comprises:
encrypting the network name and the first access password using a set encryption algorithm, the encryption result serving as the authentication information.
3. The method of claim 2, wherein the network access configuration information is an encryption result obtained by encrypting the second access password and the network name using the encryption algorithm.
4. The method of claim 1, wherein generating authentication information according to the network name and the first access password comprises:
generating a first pairwise master key according to the network name and the first access password;
obtaining a first random number and a media access control address of the wireless access point from the wireless access point;
generating a second random number;
generating a first pairwise temporary key according to the first random number, the second random number, the media access control address of the wireless access point, the media access control address of the terminal device and the first pairwise master key;
generating a first integrity check code according to the first pairwise master key and the first pairwise temporary key;
wherein the authentication information includes the first random number, the second random number, the media access control address of the wireless access point, the media access control address of the terminal device, and the first integrity check code.
5. The method of claim 4, wherein the network access configuration information is a second pairwise master key generated according to the second access password and the network name.
6. The method of claim 5, wherein the authentication information causes the access controller to generate a second pairwise temporary key according to the first random number, the second random number, the media access control address of the wireless access point, the media access control address of the terminal device and the second pairwise master key, to generate a second integrity check code according to the second pairwise master key and the second pairwise temporary key, and to determine whether the authentication information passes verification according to whether the second integrity check code matches the first integrity check code.
7. An authentication method, applied to an access controller, comprising:
receiving authentication information sent by a terminal device through a wireless access point, wherein the authentication information is generated by the terminal device according to a network name of the wireless access point and a first access password input by a user, and the access controller is an access controller managing the wireless access point;
verifying the authentication information according to network access configuration information corresponding to the network name obtained from a server, wherein the network access configuration information is network access configuration information of each user sent to the access controller in advance by the server, and the network access configuration information of each user corresponds to a second access password configured for that user;
and if the authentication information passes verification, sending verification information to the terminal device through the wireless access point.
8. The method of claim 7, wherein the authentication information is a first encryption result obtained by encrypting the network name and the first access password using a set encryption algorithm, and the network access configuration information is a second encryption result obtained by encrypting the second access password and the network name using the encryption algorithm;
and verifying the authentication information according to the network access configuration information corresponding to the network name obtained from the server comprises:
if the first encryption result matches the second encryption result, determining that the authentication information passes verification.
9. The method of claim 7, wherein the authentication information comprises a first random number and a media access control address of the wireless access point, both obtained by the terminal device from the wireless access point, a second random number generated by the terminal device, a media access control address of the terminal device, and a first integrity check code, wherein the first integrity check code is generated by the terminal device according to a first pairwise master key and a first pairwise temporary key, the first pairwise temporary key is generated by the terminal device according to the first random number, the second random number, the media access control address of the wireless access point, the media access control address of the terminal device and the first pairwise master key, and the first pairwise master key is generated by the terminal device according to the network name and the first access password;
the network access configuration information is a second pairwise master key generated according to the second access password and the network name;
and verifying the authentication information according to the network access configuration information corresponding to the network name obtained from the server comprises:
generating a second pairwise temporary key according to the first random number, the second random number, the media access control address of the wireless access point, the media access control address of the terminal device and the second pairwise master key;
generating a second integrity check code according to the second pairwise master key and the second pairwise temporary key;
and if the first integrity check code matches the second integrity check code, determining that the authentication information passes verification.
10. An authentication method, applied to a wireless access point, comprising:
receiving authentication information sent by a terminal device, wherein the authentication information is generated by the terminal device according to the network name of the wireless access point and a first access password input by a user;
sending the authentication information to an access controller managing the wireless access point, so that the access controller locally verifies the authentication information according to obtained network access configuration information corresponding to the network name, wherein the network access configuration information is network access configuration information of each user sent to the access controller in advance by a server, and the network access configuration information of each user corresponds to a second access password configured for that user;
and sending verification information fed back by the access controller to the terminal device.
11. The method of claim 10, further comprising:
generating a first random number in response to a verification instruction sent by the terminal device;
sending the first random number and the media access control address of the wireless access point to the terminal device, so that the terminal device generates a first pairwise temporary key according to a second random number generated by the terminal device, the first random number, the media access control address of the wireless access point, the media access control address of the terminal device and a first pairwise master key, and generates a first integrity check code according to the first pairwise master key and the first pairwise temporary key, wherein the first pairwise master key is generated by the terminal device according to the network name and the first access password;
wherein the authentication information includes the first random number, the second random number, the media access control address of the wireless access point, the media access control address of the terminal device, and the first integrity check code.
12. An authentication apparatus, located in a terminal device, comprising:
an acquisition module, configured to acquire a network name and a first access password of a wireless access point;
a generation module, configured to generate authentication information according to the network name and the first access password;
a sending module, configured to send the authentication information, through the wireless access point, to an access controller managing the wireless access point, so that the access controller locally verifies the authentication information according to obtained network access configuration information corresponding to the network name, wherein the network access configuration information is network access configuration information of each user sent to the access controller in advance by a server, and the network access configuration information of each user corresponds to a second access password configured for that user;
and a receiving module, configured to receive verification information fed back by the access controller through the wireless access point.
13. A terminal device, comprising a memory and a processor, wherein the memory stores executable code which, when executed by the processor, causes the processor to perform the authentication method of any one of claims 1 to 6.
14. An authentication apparatus, located in an access controller, comprising:
a receiving module, configured to receive authentication information sent by a terminal device through a wireless access point, wherein the authentication information is generated by the terminal device according to the network name of the wireless access point and a first access password input by a user, and the access controller is an access controller managing the wireless access point;
a verification module, configured to verify the authentication information according to network access configuration information corresponding to the network name obtained from a server, wherein the network access configuration information is network access configuration information of each user sent to the access controller in advance by the server, and the network access configuration information of each user corresponds to a second access password configured for that user;
and a sending module, configured to send verification information to the terminal device through the wireless access point if the authentication information passes verification.
15. An access controller, comprising a memory and a processor, wherein the memory stores executable code which, when executed by the processor, causes the processor to perform the authentication method of any one of claims 7 to 9.
16. An authentication apparatus, located in a wireless access point, comprising:
a receiving module, configured to receive authentication information sent by a terminal device, wherein the authentication information is generated by the terminal device according to the network name of the wireless access point and a first access password input by a user;
and a sending module, configured to send the authentication information to an access controller managing the wireless access point, so that the access controller locally verifies the authentication information according to obtained network access configuration information corresponding to the network name, and to send verification information fed back by the access controller to the terminal device, wherein the network access configuration information is network access configuration information of each user sent to the access controller in advance by a server, and the network access configuration information of each user corresponds to a second access password configured for that user.
17. A wireless access point, comprising a memory and a processor, wherein the memory stores executable code which, when executed by the processor, causes the processor to perform the authentication method of claim 10 or 11.
18. An authentication system, comprising:
a terminal device, a wireless access point, and an access controller managing the wireless access point;
wherein the terminal device is configured to acquire a network name and a first access password of the wireless access point, generate authentication information according to the network name and the first access password, send the authentication information to the wireless access point, and receive verification information sent by the wireless access point;
the wireless access point is configured to send the authentication information to the access controller and to send verification information fed back by the access controller to the terminal device;
and the access controller is configured to verify the authentication information according to obtained network access configuration information corresponding to the network name, and to send verification information to the wireless access point when the authentication information passes verification, wherein the network access configuration information is network access configuration information of each user sent to the access controller in advance by a server, and the network access configuration information of each user corresponds to a second access password configured for that user.
19. The system of claim 18, wherein, in generating the authentication information, the terminal device is specifically configured to: generate a first pairwise master key according to the network name and the first access password; obtain a first random number and a media access control address of the wireless access point from the wireless access point; generate a second random number; generate a first pairwise temporary key according to the first random number, the second random number, the media access control address of the wireless access point, the media access control address of the terminal device and the first pairwise master key; and generate a first integrity check code according to the first pairwise master key and the first pairwise temporary key;
wherein the authentication information includes the first random number, the second random number, the media access control address of the wireless access point, the media access control address of the terminal device, and the first integrity check code.
20. The system of claim 19, wherein the network access configuration information is a second pairwise master key generated according to the second access password and the network name; and in verifying the authentication information, the access controller is specifically configured to: generate a second pairwise temporary key according to the first random number, the second random number, the media access control address of the wireless access point, the media access control address of the terminal device and the second pairwise master key; generate a second integrity check code according to the second pairwise master key and the second pairwise temporary key; and if the first integrity check code matches the second integrity check code, determine that the authentication information passes verification.
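The two verification variants the claims describe, as an added worked example (this is not the patent's or the applicant's code). Variant A is the static comparison of claims 2, 3 and 8: the terminal sends an encryption of (network name, first access password) and the access controller compares it against the per-user result provisioned by the server. Variant B is the nonce-bound scheme of claims 4 to 6, 9, 11, 19 and 20: the terminal derives a first pairwise master key, obtains the first random number and the AP's MAC address from the AP, generates a second random number, derives a first pairwise temporary key and a first integrity check code, and the access controller re-derives both from each user's second pairwise master key and matches the check code. The claims fix no concrete primitives, so the choices below are assumptions: PBKDF2-HMAC-SHA1 for the master key and the IEEE 802.11 PRF-384 for the temporary key (the WPA2-PSK derivations), HMAC-SHA1 under the first 16 bytes of the temporary key for the check code, and SHA-256 for variant A. The network name, user names, passwords and MAC addresses are constructed sample data.

```python
# Added example of the claims' per-user PSK verification; not the patent's code.
# Primitives (PBKDF2-HMAC-SHA1, IEEE 802.11 PRF-384, HMAC-SHA1, SHA-256) are
# assumptions, since the claims only speak of a "set encryption algorithm" and
# an "integrity check code". All sample data below is constructed.
import hashlib
import hmac
import os
from typing import Dict, NamedTuple, Optional


def pmk_from_password(ssid: str, password: str) -> bytes:
    """Pairwise master key: PBKDF2-HMAC-SHA1, salt = network name, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), ssid.encode(), 4096, 32)


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:48]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise temporary key from the PMK, both MAC addresses and both random numbers."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_384(pmk, b"Pairwise key expansion", data)


def integrity_code(ptk: bytes, body: bytes) -> bytes:
    """Integrity check code over the message body, keyed with the first 16 bytes of the PTK."""
    return hmac.new(ptk[:16], body, hashlib.sha1).digest()[:16]


class AuthInfo(NamedTuple):
    """Authentication information of claim 4: both random numbers, both MACs, check code."""
    anonce: bytes
    snonce: bytes
    aa: bytes    # media access control address of the wireless access point
    spa: bytes   # media access control address of the terminal device
    mic: bytes

    def body(self) -> bytes:
        return self.anonce + self.snonce + self.aa + self.spa


# ---------- Variant A: static encryption result (claims 2, 3, 8) ----------

def auth_hash(ssid: str, password: str) -> bytes:
    """The 'set encryption algorithm' of claim 2, assumed here to be SHA-256."""
    return hashlib.sha256(ssid.encode() + b"\x00" + password.encode()).digest()


def provision_hashes(ssid: str, user_passwords: Dict[str, str]) -> Dict[str, bytes]:
    """Server side: network access configuration information per user (claim 3)."""
    return {user: auth_hash(ssid, pw) for user, pw in user_passwords.items()}


def ac_verify_hash(first_result: bytes, table: Dict[str, bytes]) -> Optional[str]:
    """Access controller (claim 8): return the matching user, or None if nothing matches."""
    for user, second_result in table.items():
        if hmac.compare_digest(first_result, second_result):
            return user
    return None


# ---------- Variant B: nonce-bound integrity check (claims 4-6, 9, 11) ----------

def provision_pmks(ssid: str, user_passwords: Dict[str, str]) -> Dict[str, bytes]:
    """Server side: second pairwise master key per user (claim 5)."""
    return {user: pmk_from_password(ssid, pw) for user, pw in user_passwords.items()}


def terminal_auth_info(ssid: str, password: str, aa: bytes, anonce: bytes,
                       spa: bytes, snonce: Optional[bytes] = None) -> AuthInfo:
    """Terminal side (claim 4): ANonce and AP MAC come from the AP, SNonce is fresh."""
    snonce = snonce if snonce is not None else os.urandom(32)
    pmk = pmk_from_password(ssid, password)
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    info = AuthInfo(anonce, snonce, aa, spa, b"")
    return info._replace(mic=integrity_code(ptk, info.body()))


def ac_verify_handshake(info: AuthInfo, pmks: Dict[str, bytes]) -> Optional[str]:
    """Access controller (claim 9): the message names no user, so every provisioned
    PMK is tried; the first whose re-derived check code matches identifies the user."""
    for user, pmk in pmks.items():
        ptk = derive_ptk(pmk, info.aa, info.spa, info.anonce, info.snonce)
        if hmac.compare_digest(integrity_code(ptk, info.body()), info.mic):
            return user
    return None


# Constructed sample data for a stand-alone run.
SSID = "office-wifi"
USER_PASSWORDS = {"alice": "alice-first-pw", "bob": "bob-first-pw"}
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")

if __name__ == "__main__":
    hashes, pmks = provision_hashes(SSID, USER_PASSWORDS), provision_pmks(SSID, USER_PASSWORDS)
    print("variant A:", ac_verify_hash(auth_hash(SSID, "bob-first-pw"), hashes))
    anonce = os.urandom(32)  # the first random number, generated by the AP (claim 11)
    info = terminal_auth_info(SSID, "alice-first-pw", AP_MAC, anonce, STA_MAC)
    print("variant B:", ac_verify_handshake(info, pmks))
```

Two points a practitioner would check in the access controller. First, because the authentication information carries no user identifier, verification is a search over every provisioned entry; the controller stores the derived keys rather than the passwords, so each candidate costs one PRF and one HMAC rather than a PBKDF2 run, and the comparison is done with a constant-time function. Second, the variant A result is identical on every attempt, so the server-provisioned value and the value in transit deserve the same protection as the password itself, whereas the variant B check code is bound to both random numbers and both MAC addresses and cannot be reused for a different exchange, which is the reason the claims add the random numbers.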
CN201910023648.3A 2019-01-10 2019-01-10 Identity verification method, device, equipment and system Active CN111432407B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910023648.3A CN111432407B (en) 2019-01-10 2019-01-10 Identity verification method, device, equipment and system

Publications (2)

Publication Number Publication Date
CN111432407A CN111432407A (en) 2020-07-17
CN111432407B true CN111432407B (en) 2024-06-18

Family

ID=71546616

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101925065A (en) * 2010-08-05 2010-12-22 北京星网锐捷网络技术有限公司 Authentication method, device, system and wireless access point
CN105898743A (en) * 2015-06-17 2016-08-24 乐卡汽车智能科技(北京)有限公司 Network connection method, device and system
CN108012269A (en) * 2017-12-08 2018-05-08 新华三技术有限公司 A kind of radio switch-in method, device and equipment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101577978B (en) * 2009-02-27 2011-02-16 西安西电捷通无线网络通信股份有限公司 Method for realizing convergence WAPI network architecture in local MAC mode
CN103327519A (en) * 2013-07-11 2013-09-25 成都西加云杉科技有限公司 AP (Access Point) and system based AP and AC (AP Controller) architecture
CN104349318B (en) * 2013-08-01 2018-01-30 中国移动通信集团山东有限公司 The automatic authentication method of WLAN, device and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TA01 Transfer of patent application right

Effective date of registration: 20240617

Address after: Room 527, 5th Floor, Building 3, No. 969 Wenyi West Road, Wuchang Street, Yuhang District, Hangzhou City, Zhejiang Province

Applicant after: Nail (China) Information Technology Co.,Ltd.

Country or region after: China

Address before: Box 31119, Hongge, Furong Road, 802 West Bay Road, Grand Cayman, Cayman Islands KY1 1205

Applicant before: Nail holding (Cayman) Co.,Ltd.

Country or region before: Cayman Islands
