CN111935718B - WAPI authentication method, device, system, equipment and storage medium - Google Patents

WAPI authentication method, device, system, equipment and storage medium

Publication number: CN111935718B (other version: CN111935718A)
Application number: CN202011068800.9A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Active
Inventors: 王齐, 邱文峰, 夏永晓, 欧阳开一, 毛炎
Assignee (original and current): Zhongke Kaichuang Guangzhou Intelligent Technology Development Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10 Small scale networks; Flat hierarchical networks
    • H04W84/12 WLAN [Wireless Local Area Networks]
Abstract

The application relates to the field of network communication and provides a WAPI authentication method, device, system, equipment and storage medium. The method comprises the following steps: receiving a certificate authentication request message, wherein the certificate authentication request message comprises a first certificate of a terminal and a second certificate of an authentication entity; respectively authenticating the first certificate and the second certificate to obtain a first authentication result and a second authentication result; calculating first digest information of the first certificate and second digest information of the second certificate; generating a certificate authentication response message according to the first digest information, the second digest information, the first authentication result and the second authentication result; and sending the certificate authentication response message to the authentication entity. The WAPI authentication method, device, system, equipment and storage medium provided by the application avoid fragmented transmission, and thereby avoid the authentication failure caused by information loss during fragmented transmission.

Description

WAPI authentication method, device, system, equipment and storage medium
Technical Field
The present application relates to the field of network communications, and in particular, to a method and an apparatus for WAPI authentication, a computer device, and a storage medium.
Background
WAPI (Wireless LAN Authentication and Privacy Infrastructure) is the WLAN security solution specified in the Chinese national standard GB 15629.11 for wireless local area networks, introduced to address the security problems of the Wired Equivalent Privacy protocol in IEEE 802.11. As wireless networks are increasingly deployed in homes, offices, industrial sites and the like, WAPI is likewise applied more and more in settings with high network security requirements.
WAPI adopts a ternary (three-party) authentication scheme: during terminal access, the wireless terminal sends information such as its certificate to an authentication entity; the authentication entity sends the wireless terminal's certificate together with its own certificate to an authentication service unit for certificate authentication; the authentication service unit returns a certificate authentication result to the authentication entity; the authentication entity decides whether to allow the terminal to access according to that result and forwards the result to the terminal; and the terminal decides whether to access the authentication entity for communication according to the same result. In the access authentication process, the certificate authentication result is therefore included both in the certificate authentication response message returned by the authentication service unit to the authentication entity and in the access authentication response message returned by the authentication entity to the terminal.
Because the certificate authentication result field comprises the certificate content and authentication result of the terminal and the certificate content and authentication result of the authentication entity, and a typical WAPI certificate is about 800 bytes long, the certificate authentication response message from the authentication service unit to the authentication entity and the access authentication response message from the authentication entity to the terminal can exceed the 1514-byte maximum transmission unit of conventional Ethernet and wireless networks. These messages must then be transmitted in fragments, but information is easily lost during fragmented transmission, which causes authentication failure; the complex fragment reassembly that becomes necessary also degrades the end-user experience.
Disclosure of Invention
The main purpose of the present application is to provide a method, an apparatus, a system, a device and a storage medium for WAPI authentication, in order to solve the technical problem that authentication fails due to information loss when a certificate authentication response message is too long and must be transmitted in fragments.
The application provides a WAPI authentication method, which comprises the following steps:
receiving a certificate authentication request message, wherein the certificate authentication request message comprises a first certificate of a terminal and a second certificate of an authentication entity;
respectively authenticating the first certificate and the second certificate to obtain a first authentication result and a second authentication result;
calculating first digest information of the first certificate and second digest information of the second certificate;
generating a certificate authentication response message according to the first summary information, the second summary information, the first authentication result and the second authentication result;
sending the certificate authentication response message to the authentication entity.
Further, the step of calculating the first digest information of the first certificate and the second digest information of the second certificate includes:
performing hash calculation on the first certificate to obtain the first summary information;
and performing a hash operation on the second certificate to obtain the second digest information.
Further, the step of calculating the first digest information of the first certificate and the second digest information of the second certificate includes:
acquiring a first serial number of the first certificate, and performing a hash operation on the first serial number and the first certificate to obtain the digest information of the first certificate;
and acquiring a second serial number of the second certificate, and performing a hash operation on the second serial number and the second certificate to obtain the digest information of the second certificate.
Further, the step of generating a certificate authentication response message according to the first digest information, the second digest information, the first authentication result, and the second authentication result, is followed by:
setting a compression flag in the message header of the certificate authentication response message.
Further, the step of setting a compression flag in the message header of the certificate authentication response message includes:
reserving N blank bytes at the head of the message; wherein N is an integer greater than or equal to 1 and less than or equal to 5;
and setting a compression flag in the blank byte.
The present application further provides a WAPI authentication device, including:
a receiving unit, configured to receive a certificate authentication request message, where the certificate authentication request message includes a first certificate of a terminal and a second certificate of an authentication entity;
the authentication unit is used for authenticating the first certificate and the second certificate respectively to obtain a first authentication result and a second authentication result;
a calculating unit, configured to calculate first digest information of the first certificate and second digest information of the second certificate;
a generating unit, configured to generate a certificate authentication response message according to the first digest information, the second digest information, the first authentication result, and the second authentication result;
a first sending unit, configured to send the certificate authentication response message to the authentication entity.
The present application further provides a WAPI system, comprising:
the authentication service unit, the authentication entity and the terminal;
the terminal is used for sending an access authentication request message to the authentication entity; wherein the access authentication request message includes a first certificate;
the authentication entity is used for receiving the access authentication request message, generating a certificate authentication request message according to the access authentication request message and sending the certificate authentication request message to an authentication service unit; wherein the certificate authentication request message includes a first certificate of the terminal and a second certificate of the authentication entity;
the authentication service unit is configured to receive the certificate authentication request message, and authenticate the first certificate and the second certificate respectively to obtain a first authentication result and a second authentication result; calculate first digest information of the first certificate and second digest information of the second certificate; generate a certificate authentication response message according to the first digest information, the second digest information, the first authentication result and the second authentication result; and send the certificate authentication response message to the authentication entity;
the authentication entity is further configured to receive the certificate authentication response message, parse the digest information in the certificate authentication response message, determine whether the first certificate and the second certificate in the certificate authentication request message and the certificate authentication response message are the same according to the parsed digest information, and if so, generate an access authentication response message according to the certificate authentication response message and send the access authentication response message to the terminal;
the terminal is further configured to receive the access authentication response message, parse the digest information in the access authentication response message, and determine whether the first certificate in the access authentication response message and the first certificate in the access authentication request message are the same according to the parsed digest information.
Further, the authentication service unit is further configured to set a compression flag in a message header of the certificate authentication response message.
The present application also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the WAPI authentication method of any of the above.
The application provides a WAPI authentication method, device, system, equipment and storage medium in which the digest information corresponding to a first certificate and a second certificate is obtained and the certificate authentication response message is generated from that digest information. Replacing the first certificate and the second certificate with the corresponding digest information greatly reduces the byte length of the certificate authentication response message, so fragmented transmission is not needed and the information loss during fragmented transmission, and the authentication failure it causes, are avoided. At the same time, the complexity of fragment processing during authentication is removed, the transmission efficiency of WAPI authentication messages is improved, and the poor end-user experience caused by an over-long authentication process due to fragment loss is eliminated.
Drawings
Fig. 1 is a schematic diagram illustrating steps of a WAPI authentication method according to an embodiment of the present application;
fig. 2 is a block diagram of a WAPI authentication device according to an embodiment of the present application;
fig. 3 is a block diagram of a WAPI system according to an embodiment of the present application;
fig. 4 is a block diagram illustrating a structure of a computer device according to an embodiment of the present application.
The implementation, functional features and advantages of the objectives of the present application will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
Referring to fig. 1, an embodiment of the present application provides a WAPI authentication method, including the following steps:
step S1, receiving a certificate authentication request message, wherein the certificate authentication request message includes a first certificate of a terminal and a second certificate of an authentication entity;
step S2, respectively authenticating the first certificate and the second certificate to obtain a first authentication result and a second authentication result;
step S3, calculating first digest information of the first certificate and second digest information of the second certificate;
step S4, generating a certificate authentication response message according to the first digest information, the second digest information, the first authentication result, and the second authentication result;
step S5, sending the certificate authentication response message to the authentication entity.
In this embodiment, as described in step S1 above, the certificate authentication request message is received, and the certificate authentication request message is sent by the authentication entity and includes the first certificate of the terminal and the second certificate of the authentication entity.
As described in step S2, the first certificate and the second certificate are authenticated respectively, that is, the legitimacy of each is verified, so as to generate a first authentication result corresponding to the first certificate and a second authentication result corresponding to the second certificate; only a terminal whose first certificate is legitimate may access an authentication entity whose second certificate is legitimate.
As described in step S3 above, the first and second digest information are calculated. Each digest is unique to its certificate: when the first certificate or the second certificate changes, the corresponding digest information changes accordingly.
As described in the above steps S4-S5, the certificate authentication response message includes four parts, which are the first authentication result and the first digest information corresponding to the first certificate and the second authentication result and the second digest information corresponding to the second certificate, respectively, and the generated certificate authentication response message is sent to the authentication entity.
In this embodiment, the first digest information and the second digest information are calculated and the certificate authentication response message is generated from them. Replacing the first certificate and the second certificate with the corresponding digest information greatly reduces the byte length of the certificate authentication response message, so fragmentation is not needed and the information loss during fragmented transmission, and the authentication failure it causes, are avoided. At the same time, the complexity of fragment processing during authentication is removed, the transmission efficiency of WAPI authentication messages is improved, and the poor end-user experience caused by an over-long authentication process due to fragment loss is eliminated. Specifically, the first digest information, the first authentication result, the second digest information and the second authentication result form a certificate authentication result field; the certificate authentication response message further includes the MAC addresses of the terminal and of the authentication entity, arranged one after the other before the certificate authentication result field, and a server signature trusted by the terminal and a server signature trusted by the authentication entity, arranged one after the other after the certificate authentication result field.
In another embodiment, the step of calculating the first digest information of the first certificate and the second digest information of the second certificate further includes:
if the first authentication result or the second authentication result is illegal, calculating the digest information only for the legal certificate, and using a field of preset length in place of the digest information of the illegal certificate.
For example, when the first authentication result is legal and the second authentication result is illegal, the digest calculation is performed only on the first certificate to obtain the first digest information; no digest is calculated for the second certificate, and a field of preset byte length replaces the second digest information of the second certificate instead. This saves computing resources on the authentication service unit without changing the layout of the fields of the certificate authentication response message. When the authentication entity receives the certificate authentication response message, it scans the message fields and looks for the preset field at the positions corresponding to the first digest information and the second digest information. If the preset field is present, it determines that authentication of the terminal and authentication entity pair has failed, and only needs to parse the first digest information carried in the certificate authentication response message and verify it against the corresponding certificate: if the first certificate identified by the digest information is the first certificate uploaded by the AP, the certificate authentication response message fed back by the authentication service unit is determined to be reliable, and the terminal is then denied access to the authentication entity for communication.
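The following Python sketch is an added illustration, not code from the patent. It builds the compressed certificate authentication response of steps S3 and S4 and applies the placeholder rule just described: each certificate is replaced by a 32-byte digest (the patent states 32 bytes but names no hash; SHA-256 is an assumption), an illegal certificate's digest slot is filled with a preset fixed-length field, and the authentication entity scans for that field and compares the remaining digest with the certificate it sent. The sample certificates, MAC addresses, result codes, placeholder value and the keyed-hash stand-in for the server signature are all constructed here; the message layout (two MAC addresses, result field, two server signatures) follows the description above.

```python
import hashlib
import struct

# Constructed sample data, not taken from the patent. Real WAPI certificates are
# DER-encoded structures of roughly 800 bytes; these stand-ins only reproduce that
# size so that the length comparison against the MTU is meaningful.
TERMINAL_CERT = b"\x30\x82" + bytes(range(256)) * 3 + b"TERMINAL"   # 778 bytes
AE_CERT = b"\x30\x82" + bytes(range(255, -1, -1)) * 3 + b"AE"        # 772 bytes
TERMINAL_MAC = bytes.fromhex("001122334455")                         # constructed
AE_MAC = bytes.fromhex("66778899aabb")                               # constructed

ETHERNET_MTU = 1514   # maximum frame length cited in the background section
DIGEST_LEN = 32       # the patent states a 32-byte digest; SHA-256 (assumed here) yields exactly that
SIG_LEN = 32          # length of the stand-in signatures below (assumption)
PLACEHOLDER = b"\x00" * DIGEST_LEN   # preset field replacing the digest of an illegal certificate (value assumed)
RESULT_LEGAL, RESULT_ILLEGAL = 0, 1  # result codes chosen for this example (assumption)


def digest(cert: bytes) -> bytes:
    """Steps S3a/S3b: fixed-length hash of one certificate (SHA-256 assumed)."""
    return hashlib.sha256(cert).digest()


def stand_in_sign(data: bytes) -> bytes:
    """Stand-in for the ASU's server signature: a keyed hash, NOT a real signature."""
    return hashlib.sha256(b"asu-stand-in-key" + data).digest()


def build_result_field(t_cert, t_legal, a_cert, a_legal):
    """Step S4: certificate authentication result field, laid out as
    first result | first digest | second result | second digest.
    An illegal certificate is not hashed; its digest slot carries the preset
    placeholder so every other field keeps its position."""
    t_digest = digest(t_cert) if t_legal else PLACEHOLDER
    a_digest = digest(a_cert) if a_legal else PLACEHOLDER
    return (struct.pack("!B", RESULT_LEGAL if t_legal else RESULT_ILLEGAL) + t_digest
            + struct.pack("!B", RESULT_LEGAL if a_legal else RESULT_ILLEGAL) + a_digest)


def build_cert_auth_response(t_cert, t_legal, a_cert, a_legal):
    """Compressed certificate authentication response, per the detailed description:
    terminal MAC | AE MAC | result field | signature trusted by terminal | signature trusted by AE."""
    body = TERMINAL_MAC + AE_MAC + build_result_field(t_cert, t_legal, a_cert, a_legal)
    return body + stand_in_sign(body) + stand_in_sign(body)


def uncompressed_length(t_cert, a_cert):
    """Length the same message would have if it carried the certificates themselves."""
    return len(TERMINAL_MAC) + len(AE_MAC) + (1 + len(t_cert)) + (1 + len(a_cert)) + 2 * SIG_LEN


def fits_in_one_frame(length):
    return length <= ETHERNET_MTU


def ae_check_response(msg, t_cert, a_cert):
    """AE side: scan both digest slots for the preset field. If one is present, the
    pair failed authentication and only the legal certificate's digest is compared
    with the certificate the AE put in its request.
    Returns (terminal_digest_matches, ae_digest_matches, both_legal)."""
    offset = len(TERMINAL_MAC) + len(AE_MAC)
    field = msg[offset:offset + 2 * (1 + DIGEST_LEN)]
    _, t_digest, _, a_digest = struct.unpack(f"!B{DIGEST_LEN}sB{DIGEST_LEN}s", field)
    both_legal = t_digest != PLACEHOLDER and a_digest != PLACEHOLDER
    t_match = t_digest != PLACEHOLDER and t_digest == digest(t_cert)
    a_match = a_digest != PLACEHOLDER and a_digest == digest(a_cert)
    return t_match, a_match, both_legal


if __name__ == "__main__":
    compressed = build_cert_auth_response(TERMINAL_CERT, True, AE_CERT, True)
    print(len(compressed), fits_in_one_frame(len(compressed)))                 # 142 True
    full = uncompressed_length(TERMINAL_CERT, AE_CERT)
    print(full, fits_in_one_frame(full))                                       # 1628 False
    print(ae_check_response(build_cert_auth_response(TERMINAL_CERT, True, AE_CERT, False),
                            TERMINAL_CERT, AE_CERT))                           # (True, False, False)
```

With two certificates of realistic size the uncompressed message overshoots the 1514-byte frame while the digest form stays at 142 bytes, which is the whole point of the scheme. Note that the consistency check only tells the AE that the ASU is talking about the same certificates it sent; the trust in the result itself still rests on the server signatures, which this sketch does not verify.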
In an embodiment, the step S3 of calculating the first digest information of the first certificate and the second digest information of the second certificate includes:
step S3a, performing hash calculation on the first certificate to obtain the first digest information;
step S3b, performing hash operation on the second certificate to obtain the second digest information.
In this embodiment, the first digest information corresponding to the first certificate and the second digest information corresponding to the second certificate are calculated by a hash operation, which maps data of any length to a hash value of fixed length. When the original data changes, even by a single byte, the resulting hash value differs greatly. Given the original data and its MD5 value, it is very difficult to find different data (i.e. forged data) with the same hash value, so the digest is effectively unique. Specifically, the digest information obtained by the hash operation is 32 bytes, far shorter than the first certificate or the second certificate, so using it in place of the certificates avoids fragmentation.
In an embodiment, the step S3 of calculating the first digest information of the first certificate and the second digest information of the second certificate includes:
step S3A, acquiring a first serial number of the first certificate, and performing hash operation on the first serial number and the first certificate to obtain summary information of the first certificate;
step S3B, obtaining a second serial number of the second certificate, and performing hash operation on the second serial number and the second certificate to obtain digest information of the second certificate.
In this embodiment, as described in step S3A, the first serial number of the first certificate is obtained, each certificate has a corresponding serial number, the first serial number and the first certificate are combined, and then hash operation is performed on the data obtained by the combination, so as to obtain the digest information of the first certificate.
As described in step S3B, the second serial number of the second certificate is obtained and combined with the second certificate, and the combined data is hashed to obtain the digest information of the second certificate.
In this embodiment, the serial number and the corresponding first certificate or second certificate are combined and then subjected to hash operation, so that the obtained digest information is more unique, and counterfeit data is prevented.
In an embodiment, after the step S4 of generating the certificate authentication response message according to the first digest information, the second digest information, the first authentication result, and the second authentication result, the method includes:
step S41, a compression flag is set in the message header of the certificate authentication response message.
In this embodiment, a compression flag is set in a message header of the certificate authentication response message to indicate that the certificate authentication response message is compressed, that is, the certificate authentication response message is obtained through the digest information, and after receiving the certificate authentication response message, the authentication entity determines whether the certificate authentication response message needs to be parsed according to the compression flag. Specifically, a compression flag is set in a reserved field of a message header.
In an embodiment, the step S41 of setting a compression flag in the message header of the certificate authentication response message includes:
step S411, reserving N blank bytes at the head of the message; wherein N is an integer greater than or equal to 1 and less than or equal to 5;
step S412, a compression flag is set in the blank byte.
In this embodiment, N blank bytes are reserved in the header of the certificate authentication response message and the compression flag is set in those blank bytes. In a specific embodiment, two bytes are reserved in the header of the certificate authentication response message, and the authentication entity can tell whether the compression flag is set simply by inspecting the first two bytes of the header.
Referring to fig. 2, an embodiment of the present application provides a WAPI authentication apparatus, including:
a receiving unit 10, configured to receive a certificate authentication request message, where the certificate authentication request message includes a first certificate of a terminal and a second certificate of an authentication entity;
an authentication unit 20, configured to authenticate the first certificate and the second certificate respectively to obtain a first authentication result and a second authentication result;
a calculating unit 30, configured to calculate first digest information of the first certificate and second digest information of the second certificate;
a generating unit 40, configured to generate a certificate authentication response message according to the first digest information, the second digest information, the first authentication result, and the second authentication result;
a sending unit 50, configured to send the certificate authentication response message to the authentication entity.
In one embodiment, the calculating unit 30 includes:
a first calculation subunit, configured to perform a hash calculation on the first certificate to obtain the first digest information;
and a second calculation subunit, configured to perform a hash operation on the second certificate to obtain the second digest information.
In one embodiment, the calculating unit 30 includes:
a third calculation subunit, configured to acquire a first serial number of the first certificate and perform a hash operation on the first serial number and the first certificate to obtain the digest information of the first certificate;
and a fourth calculation subunit, configured to acquire a second serial number of the second certificate and perform a hash operation on the second serial number and the second certificate to obtain the digest information of the second certificate.
In an embodiment, the WAPI authentication apparatus further includes:
a setting unit, configured to set a compression flag in the message header of the certificate authentication response message.
In one embodiment, the setting unit includes:
a reserving subunit, configured to reserve N blank bytes at the head of the message; wherein N is an integer greater than or equal to 1 and less than or equal to 5;
and a setting subunit, configured to set a compression flag in the blank bytes.
In this embodiment, please refer to the above method embodiment for the specific implementation of each unit and sub-unit, which is not described herein again.
Referring to fig. 3, an embodiment of the present application provides a WAPI system, including:
the authentication service unit, the authentication entity and the terminal;
the terminal 1A is configured to send an access authentication request message to the authentication entity 1B; wherein the access authentication request message includes a first certificate;
the authentication entity 1B is used for receiving the access authentication request message, generating a certificate authentication request message according to the access authentication request message and sending the certificate authentication request message to an authentication service unit 1C; wherein the certificate authentication request message includes a first certificate of the terminal and a second certificate of the authentication entity;
the authentication service unit 1C is configured to receive the certificate authentication request message, and authenticate the first certificate and the second certificate respectively to obtain a first authentication result and a second authentication result; calculate first digest information of the first certificate and second digest information of the second certificate; generate a certificate authentication response message according to the first digest information, the second digest information, the first authentication result and the second authentication result; and send the certificate authentication response message to the authentication entity;
the authentication entity 1B is further configured to receive the certificate authentication response message, parse the digest information in the certificate authentication response message, determine whether the first certificate and the second certificate in the certificate authentication request message and the certificate authentication response message are the same according to the parsed digest information, and if so, generate an access authentication response message according to the certificate authentication response message and send the access authentication response message to the terminal 1A;
the terminal 1A is further configured to receive the access authentication response message, parse the digest information in the access authentication response message, and determine whether the first certificate in the access authentication response message and the first certificate in the access authentication request message are the same according to the parsed digest information.
In an embodiment, the authentication entity 1B is further configured to set a compression flag in a message header of the certificate authentication response message.
In this embodiment, when the terminal 1A sends the access authentication request message to the authentication entity 1B, a compression flag may be set in the message header to indicate that the terminal 1A supports compression of the certificate authentication result message. The compression flag may occupy two bytes of the reserved field in the WAPI message header flag defined in the current standard.
After receiving the access authentication request message of the terminal, the authentication entity 1B checks whether it carries the certificate authentication result message compression flag. If it does, the authentication entity 1B sets the same compression flag in the message header when sending the certificate authentication request message to the authentication service unit 1C; if it does not, the certificate authentication request message is sent without the compression flag.
When the authentication service unit 1C receives the certificate authentication request message of the authentication entity, it authenticates the first certificate and the second certificate, and during authentication it records, for each certificate, the combined information of its serial number and its digest information. It then forms the certificate authentication response message from the combined information, sets the compression flag in the header of the certificate authentication response message, and sends the certificate authentication response message carrying the compression flag to the authentication entity.
After receiving the certificate authentication response message, the authentication entity 1B determines whether the header of the certificate authentication response message carries the compression flag. If so, it parses the certificate authentication response message into the combined information of serial number and digest information, and uses that combined information to check the consistency between the certificate authentication response message and the first certificate and second certificate in the certificate authentication request message it sent. If the compression flag is absent, the certificate authentication response message is parsed into the corresponding first certificate and second certificate.
When sending the access authentication response message to the terminal 1A, the authentication entity 1B decides whether to set the compression flag in the header of the access authentication response message according to whether the header of the certificate authentication response message carried the compression flag. Specifically, the data field of the access authentication response message includes an identifier, a terminal challenge, an authentication entity challenge, an access result, terminal key data, authentication entity key data, the identity of the terminal, the identity of the authentication entity, and, taken from the certificate authentication response message, the certificate verification result field, the signature of the server trusted by the terminal, and the signature of the server trusted by the authentication entity.
After receiving the access authentication response message, the terminal 1A determines whether the header of the access authentication response message carries the compression flag. If so, it parses the access authentication response message into the combined information of serial number and digest information, and uses the digest information to check the consistency of the first certificate in the access authentication response message with the first certificate in the access authentication request message. If the access authentication response message does not carry the compression flag, the first certificate is parsed from the access authentication response message directly.
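The flow in the preceding paragraphs, as an added example that is not part of the patent: the authentication service unit builds the certificate authentication response from serial number plus digest (claim 3) and sets a compression flag in the header, and the authentication entity checks the response against the certificates it sent, parsing full certificates when the flag is absent. The hash (SHA-256 standing in for whatever a deployment uses), the flag value, the message layout and the sample certificates are assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Assumptions not fixed by the patent: SHA-256 as the hash (WAPI would more
# likely use SM3), a 2-byte header flag (0x0001 = compressed), simplified layout.
HASH = hashlib.sha256
DIGEST_LEN = HASH().digest_size
FLAG_COMPRESSED = 0x0001

@dataclass(frozen=True)
class Cert:
    serial: int   # certificate serial number
    der: bytes    # encoded certificate (constructed sample data below)

def digest_of(cert: Cert) -> bytes:
    """Claim 3: hash over serial number || certificate."""
    return HASH(cert.serial.to_bytes(8, "big") + cert.der).digest()

def build_cert_auth_response(first: Cert, second: Cert, results, compress: bool) -> bytes:
    """Authentication service unit side. Layout: 2-byte flag, then per certificate
    serial || digest || result when compressed, else len || cert || result."""
    body = b""
    for cert, result in zip((first, second), results):
        if compress:
            body += cert.serial.to_bytes(8, "big") + digest_of(cert)
        else:
            body += struct.pack(">I", len(cert.der)) + cert.der
        body += bytes([result])
    return struct.pack(">H", FLAG_COMPRESSED if compress else 0) + body

def parse_and_check(response: bytes, sent_first: Cert, sent_second: Cert):
    """Authentication entity side: with the flag set, recompute the digest of each
    certificate it sent and compare; otherwise compare the full certificates."""
    (flag,) = struct.unpack(">H", response[:2])
    pos, results, consistent = 2, [], True
    for sent in (sent_first, sent_second):
        if flag & FLAG_COMPRESSED:
            serial = int.from_bytes(response[pos:pos + 8], "big")
            received = response[pos + 8:pos + 8 + DIGEST_LEN]
            pos += 8 + DIGEST_LEN
            if serial != sent.serial or not hmac.compare_digest(received, digest_of(sent)):
                consistent = False
        else:
            (n,) = struct.unpack(">I", response[pos:pos + 4])
            received, pos = response[pos + 4:pos + 4 + n], pos + 4 + n
            if received != sent.der:
                consistent = False
        results.append(response[pos])  # authentication result byte
        pos += 1
    return consistent, tuple(results)

# Constructed sample certificates (not real WAPI certificates), 1536 bytes each.
FIRST = Cert(serial=1001, der=bytes(range(256)) * 6)
SECOND = Cert(serial=2002, der=bytes(reversed(range(256))) * 6)

def demo():
    """Compressed vs. full response length, then the three consistency checks."""
    comp = build_cert_auth_response(FIRST, SECOND, (0, 0), compress=True)
    full = build_cert_auth_response(FIRST, SECOND, (0, 0), compress=False)
    altered = Cert(FIRST.serial, FIRST.der[:-1] + b"\x00")  # last byte changed
    return (len(comp), len(full), parse_and_check(comp, FIRST, SECOND)[0],
            parse_and_check(full, FIRST, SECOND)[0], parse_and_check(comp, altered, SECOND)[0])
```

With these sizes the compressed response is 84 bytes against 3084 bytes for the full one, and a certificate that differs from the one the service unit authenticated fails the digest check.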
Referring to fig. 4, a computer device, which may be a server and whose internal structure may be as shown in fig. 4, is also provided in the embodiment of the present application. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. The processor of the computer device provides computation and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of the operating system and computer program in the non-volatile storage medium. The database of the computer device stores the first certificate data, the second certificate data and the like. The network interface of the computer device communicates with an external terminal through a network connection. The computer program, when executed by the processor, implements a WAPI authentication method.
Those skilled in the art will appreciate that the architecture shown in fig. 4 is only a block diagram of some of the structures associated with the present solution and is not intended to limit the scope of the present solution as applied to computer devices.
An embodiment of the present application further provides a computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements a WAPI authentication method.
In summary, according to the WAPI authentication method, apparatus, system, device and storage medium provided by the present application, the digest information corresponding to the first certificate and the second certificate is obtained, the certificate authentication response message is generated according to the digest information, and after the first certificate and the second certificate are replaced with the corresponding digest information, the byte length of the certificate authentication response message can be reduced to a great extent, fragmentation processing is not required, and information loss during fragmentation transmission, which leads to authentication failure, is avoided. Meanwhile, the complexity in the aspect of fragment processing in the authentication process is simplified, the transmission efficiency of the WAPI authentication message is improved, and the problem of poor end user experience caused by too long time in the authentication process due to fragment loss is solved.
It will be understood by those skilled in the art that all or part of the processes of the methods of the above embodiments may be implemented by hardware under the instructions of a computer program, which may be stored on a non-volatile computer-readable storage medium and which, when executed, may include the processes of the above method embodiments. Any reference to memory, storage, database, or other medium provided herein and used in the examples may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus Direct RAM (RDRAM), Direct Rambus Dynamic RAM (DRDRAM), and Rambus Dynamic RAM (RDRAM).
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, apparatus, article, or method that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, apparatus, article, or method. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, apparatus, article, or method that includes the element.
The above description is only a preferred embodiment of the present application, and not intended to limit the scope of the present application, and all modifications of equivalent structures and equivalent processes, which are made by the contents of the specification and the drawings of the present application, or which are directly or indirectly applied to other related technical fields, are also included in the scope of the present application.

Claims (10)

1. A WAPI authentication method is characterized by comprising the following steps:
receiving a certificate authentication request message, wherein the certificate authentication request message comprises a first certificate of a terminal and a second certificate of an authentication entity;
respectively authenticating the first certificate and the second certificate to obtain a first authentication result and a second authentication result;
calculating first digest information of the first certificate and second digest information of the second certificate;
generating a certificate authentication response message according to the first digest information, the second digest information, the first authentication result and the second authentication result;
sending the certificate authentication response message to the authentication entity.
2. The WAPI authentication method as claimed in claim 1, wherein the step of calculating the first digest information of the first certificate and the second digest information of the second certificate comprises:
performing a hash operation on the first certificate to obtain the first digest information;
and performing a hash operation on the second certificate to obtain the second digest information.
3. The WAPI authentication method as claimed in claim 1, wherein the step of calculating the first digest information of the first certificate and the second digest information of the second certificate comprises:
acquiring a first serial number of the first certificate, and performing a hash operation on the first serial number and the first certificate to obtain the first digest information;
and acquiring a second serial number of the second certificate, and performing a hash operation on the second serial number and the second certificate to obtain the second digest information.
4. The WAPI authentication method of claim 1 wherein said step of generating a certificate authentication response message based on said first digest information, said second digest information, said first authentication result, and said second authentication result is followed by:
setting a compression flag in the message header of the certificate authentication response message.
5. The WAPI authentication method of claim 4 wherein the step of setting a compression flag in a message header of the certificate authentication response message comprises:
reserving N blank bytes in the message header, wherein N is an integer greater than or equal to 1 and less than or equal to 5;
and setting the compression flag in the blank bytes.
6. A WAPI authentication device, comprising:
a receiving unit, configured to receive a certificate authentication request message, where the certificate authentication request message includes a first certificate of a terminal and a second certificate of an authentication entity;
the authentication unit is used for authenticating the first certificate and the second certificate respectively to obtain a first authentication result and a second authentication result;
a calculating unit, configured to calculate first digest information of the first certificate and second digest information of the second certificate;
a generating unit, configured to generate a certificate authentication response message according to the first digest information, the second digest information, the first authentication result, and the second authentication result;
a first sending unit, configured to send the certificate authentication response message to the authentication entity.
7. A WAPI system, comprising:
the authentication service unit, the authentication entity and the terminal;
the terminal is used for sending an access authentication request message to the authentication entity; wherein the access authentication request message includes a first certificate;
the authentication entity is used for receiving the access authentication request message, generating a certificate authentication request message according to the access authentication request message and sending the certificate authentication request message to an authentication service unit; wherein the certificate authentication request message includes a first certificate of the terminal and a second certificate of the authentication entity;
the authentication service unit is configured to receive the certificate authentication request message, and authenticate the first certificate and the second certificate respectively to obtain a first authentication result and a second authentication result; calculate first digest information of the first certificate and second digest information of the second certificate; generate a certificate authentication response message according to the first digest information, the second digest information, the first authentication result and the second authentication result; and send the certificate authentication response message to the authentication entity;
the authentication entity is further configured to receive the certificate authentication response message, parse the digest information in the certificate authentication response message, determine whether the first certificate and the second certificate in the certificate authentication request message and the certificate authentication response message are the same according to the parsed digest information, and if so, generate an access authentication response message according to the certificate authentication response message and send the access authentication response message to the terminal;
the terminal is further configured to receive the access certificate authentication response message, parse the digest information in the access certificate authentication response message, and determine whether the first certificate in the access certificate authentication response message and the first certificate in the access certificate authentication request message are the same according to the parsed digest information.
8. The WAPI system of claim 7, wherein the authentication service unit is further configured to set a compression flag in a message header of the certificate authentication response message.
9. A computer device comprising a memory and a processor, the memory having stored therein a computer program, characterized in that the processor, when executing the computer program, implements the steps of the WAPI authentication method of any one of claims 1 to 5.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the WAPI authentication method according to any one of claims 1 to 5.
CN202011068800.9A 2020-10-09 2020-10-09 WAPI authentication method, device, system, equipment and storage medium Active CN111935718B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011068800.9A CN111935718B (en) 2020-10-09 2020-10-09 WAPI authentication method, device, system, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111935718A CN111935718A (en) 2020-11-13
CN111935718B true CN111935718B (en) 2021-01-08

Family

ID=73334307

Country Status (1)

Country Link
CN (1) CN111935718B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101442749A (en) * 2008-12-15 2009-05-27 广州杰赛科技股份有限公司 Authentication method for wireless netted network based on WAPI

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101311950B (en) * 2007-05-25 2012-01-18 北京书生国际信息技术有限公司 Electronic stamp realization method and device
CN100512112C (en) * 2007-10-16 2009-07-08 西安西电捷通无线网络通信有限公司 WAPI certificate identification method
CN102035797B (en) * 2009-09-29 2013-06-05 中兴通讯股份有限公司 WAPI (Wireless Local Area network Authentication and Privacy Infrastructure)-based media transmission system and method


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant