CN113543131A - Network connection management method and device, computer readable medium and electronic equipment - Google Patents
- Publication number: CN113543131A (application number CN202110780040.2A)
- Authority: CN (China)
- Prior art keywords: access point, key, dynamic key, access, equipment
- Prior art date
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
          - H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
            - H04W12/0431—Key distribution or pre-distribution; Key agreement
        - H04W12/06—Authentication
          - H04W12/068—Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
          - H04W12/069—Authentication using certificates or pre-shared keys
      - H04W76/00—Connection management
        - H04W76/10—Connection setup
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
          - H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
Abstract
Embodiments of the application provide a network connection management method and apparatus, a computer-readable medium, and an electronic device. The network connection management method includes: receiving a dynamic key for connecting to an access point device; if an access request containing the dynamic key is received from a station device, responding to the access request and establishing a connection with the station device; after the connection with the station device is successfully established, associating the physical address of the station device with the dynamic key to generate an association relationship between the physical address and the dynamic key; and transmitting the association relationship to other access point devices, so that the other access point devices verify, according to the association relationship, access requests that the station device initiates on the basis of the dynamic key. The technical scheme of the embodiments can improve the efficiency with which station devices access access point devices.
Description
Technical Field
The present application relates to the field of computer and communication technologies, and in particular, to a network connection management method and apparatus, a computer-readable medium, and an electronic device.
Background
With the development of WLAN (Wireless Local Area Network) technology, some application scenarios, such as an enterprise-level WLAN, require a large number of station devices (STAs) to access an AP (Access Point), and how to effectively implement network connection management for the station devices in such a scenario is a technical problem that urgently needs to be solved.
Disclosure of Invention
Embodiments of the present application provide a network connection management method, an apparatus, a computer-readable medium, and an electronic device, so that access efficiency of a station device to an access point device can be improved at least to a certain extent.
Other features and advantages of the present application will be apparent from the following detailed description, or may be learned by practice of the application.
According to an aspect of an embodiment of the present application, there is provided a network connection management method, including: receiving a dynamic key for connecting to an access point device; if an access request containing the dynamic key is received from a station device, responding to the access request and establishing a connection with the station device; after the connection with the station device is successfully established, associating the physical address of the station device with the dynamic key to generate an association relationship between the physical address and the dynamic key; and transmitting the association relationship to other access point devices, so that the other access point devices verify, according to the association relationship, access requests that the station device initiates on the basis of the dynamic key.
According to an aspect of an embodiment of the present application, there is provided a network connection management method, including: allocating a dynamic key for connecting to the access point device in response to a key application request; sending the dynamic key to the access point device and to the initiator of the key application request, so that the access point device verifies received access requests on the basis of the dynamic key; receiving, from the access point device, an association relationship between a physical address and the dynamic key, where the physical address is the address of a station device that successfully accessed the access point device using the dynamic key; and sending the association relationship to other access point devices, so that the other access point devices verify, on the basis of the association relationship, access requests that the station device initiates using the dynamic key.
According to an aspect of an embodiment of the present application, there is provided a network connection management method, including: receiving an association relationship between a physical address and a dynamic key, where the association relationship is generated by another access point device from the dynamic key and the physical address of a station device that used the dynamic key to successfully establish a connection with that other access point; if an access request sent by a designated device is received, acquiring the physical address of the designated device and the access key contained in the access request; and verifying the access request according to the association relationship, the physical address of the designated device, and the access key contained in the access request.
According to an aspect of an embodiment of the present application, there is provided a network connection management apparatus including: a first receiving unit configured to receive a dynamic key for connecting to an access point device; a first processing unit configured to respond to an access request that is sent by a station device and contains the dynamic key, and to establish a connection with the station device; a first generation unit configured to associate the physical address of the station device with the dynamic key after the connection with the station device is successfully established, and to generate an association relationship between the physical address and the dynamic key; and a transmission unit configured to transmit the association relationship to other access point devices, so that the other access point devices verify, according to the association relationship, access requests that the station device initiates on the basis of the dynamic key.
In some embodiments of the present application, based on the foregoing scheme, the first receiving unit is configured to: receiving a dynamic key which is sent by an access point management platform and used for connecting the access point equipment; or receiving a pre-configured dynamic key for connecting to the access point device.
In some embodiments of the present application, based on the foregoing scheme, the transmission unit is configured to: send the association relationship to an access point management platform so that the access point management platform forwards it to the other access point devices; or send the association relationship to the other access point devices directly over a communication link between this access point device and the other access point devices.
In some embodiments of the present application, based on the foregoing scheme, the first receiving unit is further configured to receive a validity period of the dynamic key, and the first processing unit is configured to determine, according to the validity period, whether the dynamic key contained in the access request is still valid, and to establish the connection with the station device only if it is.
In some embodiments of the present application, based on the foregoing scheme, the transmission unit is further configured to: and transmitting the validity period of the dynamic key to the other access point equipment so that the other access point equipment can verify the access request initiated by the station equipment based on the dynamic key according to the association relation within the validity period.
According to an aspect of an embodiment of the present application, there is provided a network connection management apparatus including: an allocation unit configured to allocate a dynamic key for connecting to the access point device in response to a key application request; a first sending unit configured to send the dynamic key to the access point device and to the initiator of the key application request, so that the access point device verifies received access requests on the basis of the dynamic key; a second receiving unit configured to receive, from the access point device, an association relationship between a physical address and the dynamic key, where the physical address is the address of a station device that successfully accessed the access point device using the dynamic key; and a second sending unit configured to send the association relationship to other access point devices, so that the other access point devices verify, on the basis of the association relationship, access requests that the station device initiates using the dynamic key.
In some embodiments of the present application, based on the foregoing solution, the network connection management apparatus further includes a second generation unit configured to generate a validity period for the dynamic key; the first sending unit is further configured to send the validity period to the access point device, so that the access point device verifies received access requests on the basis of the dynamic key within the validity period.
In some embodiments of the present application, based on the foregoing solution, the allocation unit is further configured to receive, before responding to the key application request, the key application request sent by the application server, where the application server sends the key application request after the application client that initiated the key application has passed authentication.
According to an aspect of an embodiment of the present application, there is provided a network connection management apparatus including: a third receiving unit configured to receive an association relationship between a physical address and a dynamic key, where the association relationship is generated by another access point device from the dynamic key and the physical address of a station device that used the dynamic key to successfully establish a connection with that other access point; an obtaining unit configured to obtain, if an access request sent by a designated device is received, the physical address of the designated device and the access key contained in the access request; and a verification unit configured to verify the access request according to the association relationship, the physical address of the designated device, and the access key contained in the access request.
In some embodiments of the present application, based on the foregoing solution, the verification unit is configured to: determine that the access request is successfully verified if, according to the association relationship, the physical address of the designated device is associated with the access key contained in the access request; and reject the access request if the physical address of the designated device does not exist in the association relationship.
In some embodiments of the present application, based on the foregoing scheme, the third receiving unit is further configured to receive a validity period of the dynamic key, and the verification unit is configured to verify the access request, within the validity period, according to the association relationship, the physical address of the designated device, and the access key contained in the access request.
According to an aspect of embodiments of the present application, there is provided a computer-readable medium on which a computer program is stored, the computer program, when executed by a processor, implementing a network connection management method as described in the above embodiments.
According to an aspect of an embodiment of the present application, there is provided an electronic device including: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the network connection management method as described in the above embodiments.
According to an aspect of embodiments herein, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the network connection management method provided in the various alternative embodiments described above.
In the technical solutions provided in some embodiments of the present application, an access point device receives a dynamic key for connecting to it; when it receives an access request containing that dynamic key from a station device, it establishes a connection with the station device in response; after the connection is successfully established, it associates the physical address of the station device with the dynamic key to generate an association relationship between the two; and it then transfers the association relationship to other access point devices, so that they verify, according to the association relationship, access requests that the station device initiates on the basis of the dynamic key. Therefore, once a station device has accessed an access point device through the dynamic key, the access point device can bind the station device's physical address to the dynamic key and pass that binding on to the other access point devices, so that the station device can access those other access point devices conveniently and quickly, improving the efficiency of station access to the other access point devices.
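As an added illustration (not code from the patent), the following Python model plays out the scheme just described: a hypothetical management platform allocates a dynamic key with a validity period to one AP, that AP binds the STA's physical address to the key on first access and pushes the binding to a peer AP, and the peer then verifies by association alone, rejecting unknown MACs, mismatched keys and expired keys. Class and method names, the verdict labels and the MAC addresses are all assumptions of this example.

```python
import secrets
from dataclasses import dataclass

ACCEPT, REJECT = "accept", "reject"  # verdict labels chosen for this example


@dataclass(frozen=True)
class DynamicKey:
    """A dynamic key together with the validity period the platform generates for it."""
    value: str
    not_before: float
    not_after: float

    def valid_at(self, now: float) -> bool:
        return self.not_before <= now <= self.not_after


class ManagementPlatform:
    """Hypothetical AP management platform: allocates a dynamic key on a key
    application request, sends it to one AP (and to the requester), and relays
    MAC<->key associations from that AP to the other APs."""

    def __init__(self):
        self.aps = []

    def register(self, ap):
        self.aps.append(ap)

    def allocate_key(self, target_ap, now, lifetime_s=300.0):
        key = DynamicKey(secrets.token_hex(16), now, now + lifetime_s)
        target_ap.receive_dynamic_key(key)
        return key  # handed to the initiator, who configures it on the STA

    def forward_association(self, origin, mac, key_value, not_after):
        for ap in self.aps:
            if ap is not origin:
                ap.receive_association(mac, key_value, not_after)


class AccessPoint:
    """An AP that verifies first access by dynamic key (if it holds one) and
    any later access by the propagated MAC<->key association."""

    def __init__(self, name, platform):
        self.name = name
        self.platform = platform
        self.keys = {}          # key value -> DynamicKey; only on the AP the platform targeted
        self.associations = {}  # STA MAC -> (key value, not_after), local or received from peers
        platform.register(self)

    def receive_dynamic_key(self, key):
        self.keys[key.value] = key

    def receive_association(self, mac, key_value, not_after):
        self.associations[mac] = (key_value, not_after)

    def handle_access_request(self, mac, access_key, now):
        # 1. A binding exists for this MAC: verify by association, within the validity period.
        bound = self.associations.get(mac)
        if bound is not None:
            key_value, not_after = bound
            return ACCEPT if key_value == access_key and now <= not_after else REJECT
        # 2. No binding yet: only an AP holding the dynamic key can admit the STA,
        #    and only while the key is valid. A MAC unknown to a peer AP is rejected.
        key = self.keys.get(access_key)
        if key is None or not key.valid_at(now):
            return REJECT
        # 3. First successful access: bind MAC<->key and push the binding plus its
        #    expiry to the peer APs so they can verify this STA without a key list.
        self.associations[mac] = (access_key, key.not_after)
        self.platform.forward_association(self, mac, access_key, key.not_after)
        return ACCEPT


def walkthrough():
    """Constructed scenario: one key-holding AP, one peer AP, one STA and a stranger."""
    platform = ManagementPlatform()
    ap1 = AccessPoint("ap1", platform)  # receives the dynamic key from the platform
    ap2 = AccessPoint("ap2", platform)  # only ever receives the association
    t0 = 1_000.0
    key = platform.allocate_key(ap1, t0, lifetime_s=300.0)
    sta, stranger = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"  # constructed MACs
    return {
        "peer_before_binding": ap2.handle_access_request(sta, key.value, t0 + 1),
        "first_access": ap1.handle_access_request(sta, key.value, t0 + 2),
        "roam_to_peer": ap2.handle_access_request(sta, key.value, t0 + 3),
        "other_mac_same_key": ap2.handle_access_request(stranger, key.value, t0 + 4),
        "wrong_key": ap2.handle_access_request(sta, "not-the-key", t0 + 5),
        "after_expiry": ap2.handle_access_request(sta, key.value, t0 + 600),
    }


if __name__ == "__main__":
    for step, verdict in walkthrough().items():
        print(f"{step:>20}: {verdict}")
```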
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application. It is obvious that the drawings in the following description are only some embodiments of the application, and that for a person skilled in the art, other drawings can be derived from them without inventive effort. In the drawings:
FIG. 1 shows a schematic diagram of WPA/WPA2-PSK authentication;
FIG. 2 shows a schematic diagram of WPA/WPA2-PPSK authentication;
fig. 3 shows a flow chart for establishing a connection between a STA and an AP;
fig. 4 shows a four-way handshake authentication diagram between a STA and an AP;
fig. 5 shows a key generation diagram in the authentication process between STA and AP;
FIG. 6 shows a schematic view of a Portal authentication configuration interface;
FIG. 7 shows a flow diagram of a network connection management method according to one embodiment of the present application;
FIG. 8 shows a flow diagram of a network connection management method according to an embodiment of the present application;
FIG. 9 shows a flow diagram of a network connection management method according to one embodiment of the present application;
fig. 10 shows a scene schematic of a cloud AP according to an embodiment of the present application;
FIG. 11 shows a system architecture diagram of a cloud AP scenario according to an embodiment of the present application;
FIG. 12 shows a flow diagram of a network connection management method according to one embodiment of the present application;
FIG. 13 shows a push-to-talk interface schematic according to an embodiment of the present application;
FIG. 14 shows a flow diagram of a network connection management method according to one embodiment of the present application;
FIG. 15 illustrates a functional selection interface diagram according to an embodiment of the present application;
FIG. 16 shows a block diagram of a network connection management apparatus according to an embodiment of the present application;
FIG. 17 shows a block diagram of a network connection management apparatus according to an embodiment of the present application;
FIG. 18 shows a block diagram of a network connection management apparatus according to an embodiment of the present application;
FIG. 19 illustrates a schematic structural diagram of a computer system suitable for use in implementing the electronic device of an embodiment of the present application.
Detailed Description
Example embodiments are now described more fully with reference to the accompanying drawings. However, the illustrated embodiments can be embodied in various forms and should not be construed as limited to only these examples; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are set forth in order to provide a thorough understanding of embodiments of the present application. However, it will be recognized by one skilled in the art that all of the specific features of the embodiments may not be required to practice the subject innovation, one or more of the specific details may be omitted, or other methods, components, devices, steps, etc. may be utilized.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
It should be noted that: reference herein to "a plurality" means two or more. "And/or" describes an association relationship between the associated objects and covers three cases; for example, "A and/or B" may mean that A exists alone, that A and B exist simultaneously, or that B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
WPA stands for Wi-Fi Protected Access; it has three standards, WPA, WPA2 and WPA3, and is a system for protecting the security of wireless networks. WPA/WPA2-PSK (Pre-Shared Key) is an authentication method based on a pre-distributed shared key and offers relatively high security in both its encryption method and its key verification method. As shown in fig. 1, when WPA/WPA2-PSK authentication is used, the access key is the same for all station devices connected to a given SSID (Service Set Identifier) of access point device 101; for example, the PSK of station device 102 and station device 103 is "12345".
WPA/WPA2-PPSK (Private PSK) authentication inherits the advantages of WPA/WPA2-PSK authentication: deployment is simple, different pre-shared keys can be issued to different station devices, and network security is effectively improved. With WPA/WPA2-PPSK authentication, station devices connected to the same SSID may have different access keys, different authorizations may be issued to different users, and if one user has several station devices, they can all connect to the network through the same PPSK account. As shown in fig. 2, station device 202 and station device 203 connected to the same SSID of access point device 201 may use the same PSK, while station device 204 may use a PSK different from that of station devices 202 and 203.
The connection process and the key negotiation process between the STA and the AP are consistent regardless of the WPA/WPA2-PSK mode or the WPA/WPA2-PPSK mode.
As shown in fig. 3, the process of establishing a connection between a station device STA and an access point device AP mainly includes:
step S301, SCAN phase (SCAN).
Specifically, the STA uses Scanning to search for APs, and when the STA roams to find a new AP to connect to, the STA searches on each available channel. The search method includes Active search (Active Scanning) and Passive search (Passive Scanning).
In active scanning, the STA sends Probe Request frames on each channel (channels 1 to 13) in turn to find an AP with the SSID the STA belongs to, and keeps scanning if no AP with that SSID is found. Active scanning is characterized by finding an AP quickly.
Passive search is a process in which a STA discovers the network by listening to Beacon frames periodically transmitted by the AP, which provide information about the AP and the BSS (Basic Service Set). The passive search method may reduce power consumption of the STA, although it takes a long time to search for the AP.
Step S302, Authentication phase (Authentication).
Specifically, after the STA finds APs with the same SSID as its own, it selects the AP with the strongest signal among the SSID matches according to the received signal strength, and then enters the authentication phase; only an STA that passes identity authentication can perform wireless access. The authentication methods provided by the AP include open-system authentication, shared-key authentication, and pre-authentication (WPA PSK).
In open-system authentication, the STA initiates an authentication request and the authentication server responds after receiving it. In shared-key authentication, the STA initiates an authentication request; the authentication server replies with a challenge text; the STA encrypts the challenge text with the pre-configured key and sends the result to the authentication server; the authentication server decrypts it with the same pre-configured key and compares it with the original challenge text, and if the two are consistent the authentication passes.
Step S303, Association phase (Association).
Specifically, when the AP returns authentication response information to the STA, the STA enters an association stage after the STA identity authentication is passed. In the association phase, the STA sends an association request to the AP, which returns an association response to the STA. Roaming is a concern when STAs move, and if roaming under the same network, re-authentication is not needed and only re-association is needed. After the association between the AP and the STA is completed, the access procedure of the STA is completed, that is, the connection between the STA and the AP is successful.
Before data transmission, a four-way handshake based on EAPOL (Extensible Authentication Protocol over LAN) is required between the STA and the AP to generate the required keys. In the process shown in fig. 4, the STA acts as the Supplicant and the AP acts as the Authenticator in the four-way handshake.
In the four-way handshake process, the message 1 is that the authenticator sends an EAPOL-Key frame carrying the A-Nonce to the supplicant in a unicast mode. Where a-Nonce is a random number generated by the authenticator.
After receiving message 1, the supplicant has obtained A-Nonce and AA (the Authenticator MAC address), and already holds the PMK (Pairwise Master Key, usually a set of random numbers) and SPA (the Supplicant MAC address), so it can calculate the PTK (Pairwise Transient Key) with the following function:
PTK = PRF(PMK + A-Nonce + S-Nonce + AA + SPA)
where PRF denotes a pseudo-random function; S-Nonce is a random number generated by the supplicant; and the PMK in the formula is set by the supplicant itself. The generated PTK contains three parts: the KCK (Key Confirmation Key), the KEK (Key Encryption Key), and the TK (Temporal Key). The KCK is used to compute the integrity of key-generation messages, the KEK is used to encrypt key-generation messages, and the TK is the key actually used to encrypt data.
In the four-way handshake, after the supplicant has generated the PTK, message 2 carries S-Nonce and the MIC (message integrity code: a hash value computed over a set of data to be protected, used to detect tampering) to the authenticator in the second EAPOL-Key frame. The MIC value in message 2 is protected by the KCK (Key Confirmation Key).
After receiving message 2, the authenticator takes the S-Nonce out of it and performs the same calculation as the supplicant to verify that the supplicant's reply is correct; specifically, it checks the received MIC against the MIC it generates itself. If they do not match, i.e. the MIC integrity check fails, the supplicant's PMK is wrong and the whole handshake is stopped.
If the authenticator verifies that the message returned by the supplicant is correct, the authenticator generates a PTK and a GTK (Group Temporal Key). The GTK is an encryption key used to encrypt multicast and broadcast data streams.
In the four-way handshake process, the message 3 is that the authenticator sends a third EAPOL-Key frame to the supplicant after generating the PTK and the GTK, where the third EAPOL-Key frame carries the GTK and the MIC. Wherein, GTK is encrypted by KEK, MIC is encrypted by KCK.
After receiving message 3, the supplicant also performs calculations to determine whether the authenticator's PMK is correct. If it is confirmed correct, the supplicant sends a final EAPOL-Key frame to the authenticator as message 4 for confirmation; once authentication succeeds, both the supplicant and the authenticator install the key, where installing means the key is put into use for encrypting data. Specifically, the supplicant installs the PTK and the GTK, and the authenticator installs the PTK.
After the authentication of the supplicant and the authenticator is completed, the control port of the authenticator is opened, so that the 802.11 data frame can be normally transmitted, all unicast data frames are encrypted and protected by the PTK, and all multicast data and broadcast data are encrypted and protected by the GTK.
The key generation process during authentication is shown in fig. 5: the PMK is generated from the ESSID (Extended Service Set Identifier) and the PSK, for example with the SHA-1 (Secure Hash Algorithm 1) algorithm. The PTK is generated from the supplicant MAC (i.e. the STA MAC), the authenticator MAC (which may be represented by the BSSID), the PMK, and the A-Nonce and S-Nonce obtained in the four-way handshake. The ciphertext and the MIC can then be produced with the PTK; the encryption may use AES (Advanced Encryption Standard) or TKIP (Temporal Key Integrity Protocol).
In enterprise WLANs, WPA/WPA2-PPSK authentication is used more often, so that each user can have a different key while configuration and deployment remain simple. However, this method needs to store every user's key on the access authentication device, i.e. the access authentication device must keep a separate key list, and when that list is large the verification time grows considerably whenever a key entered by a user is checked. Moreover, with a large key list, a malicious device that deliberately enters wrong keys can cause the access authentication device to stop working, and this approach also makes it hard to avoid keys being mixed up between users.
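As an added example (not part of the patent text), the key hierarchy described above can be followed end to end in code: PMK from passphrase and SSID, PTK from PMK, the two MAC addresses and the two nonces, and the KCK-based MIC check that lets the authenticator reject message 2 when the supplicant's PMK differs from its own. The derivation follows IEEE 802.11i (PBKDF2-HMAC-SHA1 for the PMK, PRF-512 for the PTK, HMAC-SHA1 MIC truncated to 16 bytes for the CCMP/PSK AKM); the SSID, passphrases, MAC addresses, nonces and EAPOL frame bytes are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not from the patent): authenticator/supplicant MAC
# addresses, nonces and a stand-in EAPOL-Key frame with its MIC field zeroed.
SAMPLE_AA = bytes.fromhex("001122334455")        # authenticator (BSSID)
SAMPLE_SPA = bytes.fromhex("66778899aabb")       # supplicant (STA MAC)
SAMPLE_ANONCE = bytes(range(32))                 # A-Nonce chosen by the authenticator
SAMPLE_SNONCE = bytes(range(32, 64))             # S-Nonce chosen by the supplicant
SAMPLE_EAPOL_FRAME = b"\x02\x03\x00\x5f\x02" + b"\x00" * 94


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1)
        out += block.digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Ordering by min/max is why both sides derive the same PTK regardless of role.
    Returns the three parts used with CCMP: KCK (16 B), KEK (16 B), TK (16 B)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def compute_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """MIC for the PSK/CCMP AKM: HMAC-SHA1 over the EAPOL-Key frame (MIC field
    zeroed), truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def verify_mic(kck: bytes, eapol_frame: bytes, received_mic: bytes) -> bool:
    """Constant-time comparison of the received MIC with a locally computed one."""
    return hmac.compare_digest(compute_mic(kck, eapol_frame), received_mic)


def authenticator_accepts_message2(ap_pmk: bytes, sta_pmk: bytes, aa: bytes, spa: bytes,
                                   anonce: bytes, snonce: bytes, eapol_frame: bytes) -> bool:
    """Simulates message 2: the supplicant derives its PTK from its own PMK and MICs
    the frame; the authenticator derives a PTK from its PMK and checks the MIC.
    A wrong supplicant PMK yields a different KCK, so the check fails and the
    handshake is aborted, as the text describes."""
    sta_kck = derive_ptk(sta_pmk, aa, spa, anonce, snonce)["kck"]
    mic_from_supplicant = compute_mic(sta_kck, eapol_frame)
    ap_kck = derive_ptk(ap_pmk, aa, spa, anonce, snonce)["kck"]
    return verify_mic(ap_kck, eapol_frame, mic_from_supplicant)


if __name__ == "__main__":
    good = derive_pmk("correct horse battery", "ExampleCorpWiFi")
    bad = derive_pmk("wrong passphrase", "ExampleCorpWiFi")
    args = (SAMPLE_AA, SAMPLE_SPA, SAMPLE_ANONCE, SAMPLE_SNONCE, SAMPLE_EAPOL_FRAME)
    print("matching PMK accepted:", authenticator_accepts_message2(good, good, *args))
    print("mismatched PMK accepted:", authenticator_accepts_message2(good, bad, *args))
```

The min/max ordering in derive_ptk is the detail that makes the "similar calculation" on the authenticator side come out identical: neither party needs to know which MAC or nonce the other will contribute first. The example is complete enough to check against a real capture only if you replace the constructed frame with the actual EAPOL-Key frame bytes with the MIC field zeroed.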
In addition, in the related art there is also a method using Portal authentication, where a Portal is a web site serving as a gateway to the Internet. The Wi-Fi provider first needs to configure Portal authentication; as shown in fig. 6, the configuration interface requires a Portal URL (Uniform Resource Locator), an authentication Key, an authentication Secret, an authentication URL, a white list, a Check URL, a network type and so on. After configuration, a user can connect to the Wi-Fi without a password, after which a Portal authentication page pops up in the browser, and the user can only really access the Internet through the Wi-Fi network after filling in an authenticated user name and password. This scheme is not only cumbersome to operate but also has compatibility problems: some terminals (for example, mobile phones from certain manufacturers) cannot pop up the Portal authentication page after connecting to the Wi-Fi, so authentication cannot be performed at all.
Based on the above problems, embodiments of the present application provide a new network connection management scheme, which can associate an access key of a device to be accessed with a physical address, so that when an access point device verifies an access request, on one hand, whether the physical address of the device to be accessed exists in the association relationship can be verified, thereby preventing a malicious device from frequently initiating the access request and affecting the performance of the access point device, and on the other hand, when the physical address of the device to be accessed exists in the association relationship, an access key included in the access request can be quickly verified according to the access key corresponding to the physical address, thereby improving the efficiency of network access verification, and simultaneously, avoiding the problem of mixed use of the access key.
Further, in some scenarios the same user may have multiple station devices, but some of them cannot present a convenient, feature-rich visual interface for accessing a network, such as printers and scanners. For this situation, ensuring that these devices can conveniently access the network is an urgent requirement. The embodiment of the application proposes that a dynamic key can be allocated to the station device; after the station device accesses the network with the dynamic key, the access point device associates the physical address of the station with the dynamic key and sends the association to other access point devices, so that when the station device moves to the location of another access point device it can access the network efficiently. The specific implementation details are as follows:
Fig. 7 illustrates a flow diagram of a network connection management method according to an embodiment of the present application, which may be performed by an access point device. Referring to fig. 7, the network connection management method at least includes steps S710 to S740, which are described in detail as follows:
in step S710, a dynamic key for connecting to an access point device is received.
In one embodiment of the present application, an access point device may receive a dynamic key sent by an access point management platform for connecting to the access point device. In this case, the access point management platform may assign a dynamic key for a user-initiated key application request, and after assigning the dynamic key, may return the dynamic key to the user on the one hand and to the access point device on the other hand.
Alternatively, the user may initiate a key application request on the application client, the application client may send the key application request to the application server, and the application server then forwards the key application request to the access point management platform. In this case, after generating the dynamic key, the access point management platform may send the dynamic key to the application server, which then feeds the dynamic key back to the application client.
In one embodiment of the present application, the access point device may also receive a pre-configured dynamic key for connecting to the access point device. In this case, the user also needs to obtain the preconfigured dynamic key in order to initiate a connection to the access point device.
In one embodiment of the present application, the dynamic key may further have a validity period, in which case the access point device further needs to receive the validity period of the dynamic key for access management based on the validity period. The technical scheme of the embodiment also enables the dynamic key to be managed through the valid period, and avoids the problem of disordered access management caused by the indefinite use of the dynamic key.
In step S720, if an access request including the dynamic key is received from a station device, a connection is established with the station device in response to the access request.
In an embodiment of the present application, after obtaining the dynamic key, the user provides it to the station device, which then initiates an access request. For example, a user may establish a Bluetooth connection with the station device (e.g. a printer device, a scanner device, etc.) from a smart phone and then enter the dynamic key into an interface provided by the smart phone, so that the smart phone transfers the dynamic key to the station device. Alternatively, the user may enter the dynamic key in an interface provided by the station device itself, which in turn initiates an access request based on the dynamic key.
Alternatively, if the dynamic key has a validity period, the access point device needs to determine, according to the validity period, whether the dynamic key included in the access request is still valid; only if the dynamic key is within the validity period and matches the dynamic key previously received by the access point device will the access point device establish a connection with the station device.
In step S730, after the connection is successfully established with the station device, the physical address of the station device is associated with the dynamic key, so as to generate an association relationship between the physical address and the dynamic key.
In one embodiment of the present application, the physical address of the station device may be a MAC (Media Access Control) address. Optionally, in order to improve the query efficiency of the dynamic key, a hash table may be generated according to the association relationship between the dynamic key and the physical address, that is, the association relationship between the physical address and the dynamic key may be embodied in the form of a hash table.
In step S740, the association relationship between the physical address and the dynamic key is transferred to other access point devices, so that the other access point devices verify, according to the association relationship, the access request initiated by the station device based on the dynamic key.
In one embodiment of the present application, the access point device may send the association relationship to the access point management platform, so that the access point management platform forwards the association relationship to other access point devices.
In one embodiment of the present application, the access point device may also send the association relationship to other access point devices via a communication link with the other access point devices. The technical scheme of the embodiment is suitable for application scenarios in which communication links are established between access point devices.
Alternatively, if the dynamic key has a validity period, the access point device needs to communicate the validity period of the dynamic key to other access point devices, so that the other access point devices can verify the access request initiated by the station device based on the dynamic key according to the association relationship within the validity period.
Fig. 7 is a diagram illustrating a technical solution of an embodiment of the present application from the perspective of an access point device, and the following describes the technical solution of the embodiment of the present application from the perspective of an access point management platform:
Fig. 8 shows a flow diagram of a network connection management method according to an embodiment of the present application, which may be performed by an access point management platform. Referring to fig. 8, the network connection management method at least includes steps S810 to S840, which are described in detail as follows:
in step S810, a dynamic key for connecting to the access point device is allocated in response to the key application request.
In one embodiment of the present application, the key application request may be initiated by a terminal device of a user, for example, the user has a plurality of terminal devices, but some terminal devices cannot conveniently access a network, such as a printer device, a scanner device, and the like, in which case, the user may use a smart phone to initiate the key application request to the access point management platform to enable other terminal devices to access the network based on a dynamic key fed back by the access point management platform.
Alternatively, the terminal device of the user may directly establish a connection with the access point management platform to initiate the key application request. Or the terminal device of the user may initiate the key application request to the access point management platform through a designated application program: for example, the user may initiate the key application request on the application client, the application client may send it to the application server, and the application server forwards it to the access point management platform. In this case, after generating the dynamic key, the access point management platform may send the dynamic key to the application server, which then feeds it back to the application client.
Optionally, the access point management platform may further generate a validity period of the dynamic key, and then send the validity period of the dynamic key to the access point device, so that the access point device verifies the received access request based on the dynamic key within the validity period.
In step S820, the dynamic key is sent to the access point device and the initiator of the key application request, so that the access point device verifies the received access request based on the dynamic key.
Optionally, after receiving the dynamic key sent by the access point management platform, if the access request is received, the access point device may verify whether the dynamic key in the access request matches the dynamic key acquired by the access point device from the access point management platform, and if the dynamic key matches the dynamic key, may determine that the access request is verified. If the dynamic key has a validity period, the access point device also needs to determine whether the dynamic key is within the validity period, and if not, the access request using the dynamic key cannot be authenticated.
In step S830, an association relationship between a physical address and a dynamic key sent by the access point device is received, where the physical address is an address owned by a station device that successfully accesses the access point device based on the dynamic key.
Optionally, the process of generating the association relationship between the dynamic key and the physical address by the access point device may refer to the technical solution in the foregoing embodiment, and is not described again.
In step S840, the association between the physical address and the dynamic key is sent to the other access point device, so that the other access point device authenticates the access request initiated by the station device based on the dynamic key based on the association.
In the embodiment of the application, the association relationship between the physical address and the dynamic key is sent to other access point devices, so that when the station device moves to the coverage area of other access point devices, the other access point devices can quickly realize access verification on the station device based on the association relationship between the physical address and the dynamic key, and the network access efficiency is effectively improved.
The following describes a technical solution of an embodiment of the present application from the perspective of an access point device that receives an association relationship between a physical address and a dynamic key:
Fig. 9 illustrates a flow diagram of a network connection management method according to an embodiment of the present application, which may be performed by an access point device. Referring to fig. 9, the network connection management method at least includes steps S910 to S930, which are described in detail as follows:
in step S910, an association relationship between the physical address and the dynamic key is received, where the association relationship is generated by the other access point device according to the dynamic key and the physical address of the station device that uses the dynamic key and successfully establishes a connection with the other access point.
Optionally, the process of generating the association relationship between the physical address and the dynamic key by the access point device may refer to the foregoing embodiment, and is not described again.
In an embodiment of the present application, the access point device may directly receive an association between a physical address and a dynamic key sent by another access point device, or receive an association between a physical address and a dynamic key forwarded by the access point management platform.
In step S920, if an access request sent by the specified device is received, the physical address of the specified device and the access key included in the access request are acquired.
In an embodiment of the present application, the specified device is a station device that needs to access the access point device. Since the designated device has communicated with the access point device before sending the access request to the access point device, the physical address of the designated device may have been obtained when the designated device sent the access request. Of course, the designated device may also carry its physical address again in the access request.
In step S930, the access request is verified according to the association relationship between the physical address and the dynamic key, the physical address of the specified device, and the access key included in the access request.
In one embodiment of the application, if it is determined from the association between physical addresses and dynamic keys that the physical address of the specified device is associated with the access key carried in the access request, the access request is considered successfully verified. Specifically, the verification process may be: the access point device looks up the dynamic key corresponding to the physical address of the specified device in the association relation, then compares the dynamic key found with the access key carried in the access request, and if the two are consistent the access request is determined to be successfully verified.
In one embodiment of the present application, the access request is rejected if the physical address of the specified device does not exist in the above-mentioned association at all. The technical scheme of this embodiment avoids the situation in which the access point device cannot work normally because a malicious device frequently initiates connection requests.
Optionally, the access point device may further receive the validity period of the dynamic key, and then verify the access request according to the association relationship, the physical address of the specified device and the access key included in the access request only within that validity period.
The foregoing embodiments describe the technical solutions of the present application from the perspective of the access point management platform and of the access point device; the following describes the implementation details from the perspective of the interaction between these devices.
In an application scenario of the present application, the access point device may be a cloud AP, where the cloud AP expands a management capability of the local AP to a cloud end, and performs unified management on a plurality of cloud APs through the cloud end (a cloud AP management platform, that is, the access point management platform in the foregoing embodiment), such as configuring a LAN, a WAN (Wide Area Network), a black-and-white list, and the like of the cloud AP. The cloud AP scene is shown in fig. 10, the cloud AP management platform directly communicates with the cloud AP through the Internet or the WLAN, or the cloud AP management platform communicates with the cloud AP through the firewall and the switch through the Internet or the WLAN, and the cloud AP is used for performing communication interaction with the wireless terminal.
The system architecture of the cloud AP scenario is shown in fig. 11, and mainly includes three parts: cloud AP hardware, a cloud AP management platform and an application program.
The cloud AP hardware mainly includes one or more cloud APs. A cloud AP needs to connect to the cloud AP management platform (specifically, through the multiport HUB), receive the AP configuration information sent by the cloud AP management platform, receive PPSK key issuance and management, and receive and manage the connection information of terminals (i.e. station devices).
The cloud AP management platform comprises an operation platform, a HUB, equipment management, enterprise configuration, an address list, key management, a database and the like.
The operation platform is used for managing cloud task scheduling, monitoring abnormal conditions and the like; the HUB is responsible for connecting with cloud AP hardware and maintaining related heartbeats; the device management is mainly used for managing the information of the connected cloud AP; the enterprise configuration is mainly used for managing the cloud AP configuration related to each enterprise; the address book is mainly used for recording information of enterprise employees, including mobile phone numbers or account information of instant messaging software and the like; the key management is used for generating, destroying and updating keys and distributing an MAC-PSK hash table to the enterprise; the Application service is used for providing corresponding API (Application Programming Interface) Interface information and the like for the Application program; the database is used as a basic component for carrying out persistent storage on the data.
The application program mainly refers to an application program corresponding to the cloud AP, and comprises a management page and application information of a front end, a platform and service capability of a rear end and the like. Alternatively, the application may be a hosted program, which is a program that exists depending on the hosting environment, such as an applet, a fast application, and the like.
Based on the system architecture shown in fig. 11, in an embodiment of the present application, the network access management may be implemented through the flow shown in fig. 12, which specifically includes the following steps:
step S1201, the enterprise application APP pushes the terminal MAC address and the current enterprise information to the enterprise application cloud platform.
It should be noted that the enterprise APP may be an APP developed separately for a certain enterprise, or may be a common platform for all enterprises. If the enterprise APP is a public platform for all enterprises, an enterprise user needs to create enterprise information on the public platform, bind a cloud AP of the enterprise with the enterprise information, and perform configuration on the cloud AP, such as SSID configuration and the like.
After the enterprise application APP is installed on the terminal of the enterprise employee and enters the enterprise to which the enterprise APP belongs, the enterprise application APP can collect the MAC address of the terminal and then push the information to the enterprise application cloud platform.
Step S1202, the enterprise application cloud platform pushes the MAC address and the binding relation of the enterprise employees to the cloud AP management platform.
In an embodiment of the application, the enterprise employee may be information such as a job number and a name of the enterprise employee, or may be information such as an account name of the enterprise employee in the enterprise application APP. Optionally, the enterprise application cloud platform may also only push the MAC address to the cloud AP management platform, and maintain the binding relationship between the MAC address and the enterprise employee locally.
Step S1203, the cloud AP management platform generates and pushes the MAC-PSK hash table to the device SDK of the AP.
In an embodiment of the application, the cloud AP management platform may generate a one-device-one-key MAC-PSK hash table according to the MAC addresses pushed by the enterprise application cloud platform, and send the MAC-PSK hash table to the device SDK (Software Development Kit) of the cloud AP.
Step S1204, the cloud AP management platform generates and pushes the PSK of the enterprise employee to the enterprise application cloud platform.
In an embodiment of the application, the cloud AP may send the association relationship between the PSK and the MAC address to the enterprise application cloud platform, so that the enterprise application cloud platform distributes the PSK according to the MAC address.
Optionally, there is no strict sequence between step S1204 and step S1203, and step S1203 may be executed first, and then step S1204 may be executed; step S1204 may be executed first, and then step S1203 may be executed; alternatively, step S1203 and step S1204 may be executed simultaneously.
Step S1205, the enterprise application cloud platform forwards the PSK of the enterprise employee to the enterprise application APP.
Optionally, the enterprise application cloud platform pushes the PSK to the corresponding enterprise application APP according to the MAC address reported by the enterprise application APP and the association relationship between the MAC address and the PSK. It should be noted that: after the enterprise application cloud platform acquires the association relationship between the MAC address and the PSK, the PSK can be actively pushed to the corresponding enterprise application APP, and the access key can be sent to the corresponding enterprise application APP again when an access key acquisition request sent by the enterprise application APP is received.
Step S1206, the user initiates one-key networking in the enterprise application APP.
Optionally, as shown in fig. 13, a "one-key networking" control 1301 may be displayed in the enterprise APP, and after the user selects an enterprise network that needs to be connected, the "one-key networking" control 1301 may be clicked, and then the enterprise APP on the terminal may push the PSK to the cloud AP device, because the cloud AP device also acquires the MAC address of the terminal in the process of communicating with the enterprise APP, and then the cloud AP device may perform fast verification according to the MAC-PSK hash table.
Specifically, the corresponding PSK can be retrieved from the MAC-PSK hash table according to the MAC address of the terminal, and then whether the PSK pushed by the enterprise application APP is consistent is verified, if so, the verification is determined to be successful. Meanwhile, the AP needs to verify whether the MAC address exists in the MAC-PSK hash table, so that an access request initiated by equipment with an illegal MAC address can be directly rejected, the problem that the performance of the access point equipment is influenced by the fact that malicious equipment frequently initiates the access request is avoided, and in addition, the technical scheme of the embodiment of the application can also avoid the problem that an access key is mixed.
The embodiment shown in fig. 12 is a one-device-one-key scenario; however, in some scenarios certain terminal devices cannot install the enterprise application APP, so they cannot access the network through the flow shown in fig. 12. For such a situation, the embodiment of the present application proposes a dynamic key mechanism to let these terminal devices access the network conveniently: a user may apply for a dynamic key on a terminal that can install the enterprise application APP; after the cloud AP management platform generates the corresponding dynamic key it is returned to the user, the user then has the terminal device initiate an access request based on the dynamic key, and after the connection succeeds the access point device adds the MAC address and the dynamic key of the newly connected terminal device to the MAC-PSK hash table, so that the connection management scheme shown in fig. 12 applies from then on. Meanwhile, the dynamic key is time-limited and is only valid within that period, which allows the dynamic key to be managed effectively. The specific process is shown in fig. 14 and includes the following steps:
step S1401, the enterprise application APP installed on the terminal 1 applies for the dynamic key to the enterprise application cloud platform.
It should be noted that the enterprise APP may be an APP developed separately for a certain enterprise, or may be a common platform for all enterprises. If the enterprise APP is a public platform for all enterprises, an enterprise user needs to create enterprise information on the public platform, bind a cloud AP of the enterprise with the enterprise information, and perform configuration on the cloud AP, such as SSID configuration and the like.
Step S1402, the enterprise application cloud platform verifies the identity of the employee, and then initiates a dynamic key application request to the cloud AP management platform.
In an embodiment of the application, the employee identity may be information such as the job number and name of the employee, or information such as the account name of the employee in the enterprise application APP. Verifying the employee identity may include checking whether the applicant is an employee of the enterprise and whether the applicant is authorised to apply for a dynamic key.
In step S1403, the cloud AP management platform generates a dynamic key and a valid period of the dynamic key, and returns the dynamic key and the valid period to the device SDK of the cloud AP 1.
In step S1404, the cloud AP management platform returns the generated dynamic key and the validity period to the enterprise application cloud platform.
Optionally, the cloud AP management platform may only return the dynamic key to the enterprise application cloud platform, and the validity period of the dynamic key may not be returned to the enterprise application cloud platform.
It should be noted that: step S1404 and step S1403 do not have a strict sequence, and step S1403 may be executed first, and then step S1404 may be executed; step S1404 may be performed first, and then step S1403 may be performed; alternatively, step S1403 and step S1404 may be performed simultaneously.
Step S1405, the enterprise application cloud platform forwards the dynamic key and the validity period to the enterprise application APP of the terminal 1 applying for the dynamic key.
Alternatively, the enterprise application cloud platform may only return the dynamic key to the enterprise application APP, and the validity period of the dynamic key may not be returned to the enterprise application APP.
In step S1406, after the enterprise application APP of the terminal 1 obtains the dynamic key and the validity period, the user may input the dynamic key on other terminals (such as the terminal 2, the terminal 3, the terminal n, and the like) within the validity period to initiate networking to the cloud AP 1.
It should be noted that if the enterprise application APP of the terminal 1 does not obtain the validity period, the user may initiate connection on other terminals using the dynamic key, and then the cloud AP1 determines whether the dynamic key exceeds the validity period.
In step S1407, if the other terminal successfully connects to the cloud AP1, the device SDK of the cloud AP1 generates (or adds an entry to) a MAC-PSK hash table from the MAC address of the terminal and the dynamic key, and pushes the MAC-PSK hash table to the cloud AP management platform.
Step S1408, the cloud AP management platform pushes the MAC-PSK hash table of the terminal device that successfully accesses the cloud AP1 to other APs of the enterprise (such as the cloud AP2 shown in fig. 14), so as to ensure that the terminal device can also be normally connected to other APs.
It should be noted that, when the terminal device connects to another AP, since the other AP already has the MAC-PSK hash table of the terminal device, the access authentication may be performed according to the authentication flow in fig. 12.
Based on the technical solutions shown in fig. 12 and fig. 14, a specific application scenario is as follows: Employee A has multiple devices, including a smartphone, a printer device and a scanner device. The smartphone of Employee A may use the process shown in fig. 12 to access the network. After accessing the network, Employee A also wants the printer device and the scanner device to access the network, but since the printer device and the scanner device cannot install the enterprise application APP, Employee A may use the smartphone to apply for a dynamic key through the scheme shown in fig. 14.
After applying for the dynamic key, Employee A uses the dynamic key to connect the printer device and the scanner device to the network of AP1, and the printer device and the scanner device also store the dynamic key. AP1 may then upload the MAC addresses of the printer device and the scanner device, associated with the dynamic key, to the cloud AP management platform, which forwards them to other APs, such as AP2.
If Employee A moves the printer device to another area, such as the coverage area of AP2, the printer device may initiate an access request to AP2 based on the previously saved dynamic key. Since AP2 already holds the association between the printer device's MAC address and the dynamic key, the printer device can be authenticated quickly and thus join the network of AP2 quickly.
In an embodiment of the present application, the technical solution of the embodiment shown in fig. 12 may be understood as a "one key per device" function, because each terminal device may be assigned its own access key. The technical solution of the embodiment shown in fig. 14 may be understood as a "one key for multiple devices" function, because one dynamic key may be used by a plurality of terminal devices. In an embodiment of the present application, the "one key per device" function and the "one key for multiple devices" function can be selectively turned on according to the actual application scenario and the requirements of the user. For example, as shown in fig. 15, switch controls for the "one key per device" function and the "one key for multiple devices" function may be displayed in the enterprise application APP. If the user turns off the "one key per device" function and turns on the "one key for multiple devices" function, then after selecting a network the user may click the "one-click application" control 1501, and the enterprise application APP on the terminal sends a dynamic key application request to the enterprise application cloud platform, triggering the flow shown in fig. 14.
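The key issuance, onboarding and roaming flow of steps S1403 to S1408, together with the verification rule applied by the other APs, as an added Python model that is not part of the patent or of any vendor's implementation: the class names, message shapes, the in-memory MAC-PSK table, and all MAC addresses and timestamps are constructed assumptions. The Wi-Fi association itself is abstracted to a key comparison, and the verdict for a MAC that is already bound but presents a different key (rejected here) is an assumption, since the description only spells out the matching and absent cases.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed illustration of the patent's flow; names, tables and values are
# assumptions, not the patent's or any vendor's code.


@dataclass(frozen=True)
class DynamicKey:
    value: str      # the PSK handed to the applicant
    not_after: int  # end of the validity period, seconds since epoch


class ManagementPlatform:
    """Cloud AP management platform: issues dynamic keys (S1403/S1404) and
    fans out MAC-PSK associations to the other APs it manages (S1408)."""

    def __init__(self) -> None:
        self.aps: Dict[str, "AccessPoint"] = {}

    def register(self, ap: "AccessPoint") -> None:
        self.aps[ap.name] = ap
        ap.platform = self

    def issue_dynamic_key(self, ap_name: str, lifetime_s: int, now: int) -> DynamicKey:
        # Key material from a CSPRNG; the validity period bounds how long the
        # key can be used to onboard new stations.
        key = DynamicKey(value=secrets.token_hex(16), not_after=now + lifetime_s)
        self.aps[ap_name].receive_dynamic_key(key)  # S1403: pushed to the AP's SDK
        return key                                  # S1404/S1405: returned to the applicant

    def push_association(self, origin: str, mac: str, key: DynamicKey) -> None:
        # S1408: every other AP learns that this MAC is bound to this key (with its expiry).
        for name, ap in self.aps.items():
            if name != origin:
                ap.receive_association(mac, key)


class AccessPoint:
    """One cloud AP: holds the dynamic keys issued for it and the MAC-PSK table."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.platform: Optional[ManagementPlatform] = None
        self.dynamic_keys: List[DynamicKey] = []
        self.mac_psk: Dict[str, DynamicKey] = {}  # physical address -> bound dynamic key

    def receive_dynamic_key(self, key: DynamicKey) -> None:
        self.dynamic_keys.append(key)

    def receive_association(self, mac: str, key: DynamicKey) -> None:
        self.mac_psk[mac] = key

    def handle_access_request(self, mac: str, presented_key: str, now: int) -> str:
        """Decide on one access request and return a verdict string."""
        bound = self.mac_psk.get(mac)
        if bound is not None:
            # Fast path (fig. 12): this MAC was already bound by some AP.
            if now > bound.not_after:
                return "rejected: key expired"
            if hmac.compare_digest(bound.value, presented_key):
                return "accepted: known station"
            # Assumption: a bound MAC presenting a different key is rejected.
            return "rejected: key does not match bound key"
        # Onboarding path (fig. 14, S1406/S1407): accept any unexpired dynamic
        # key issued to this AP, bind the MAC to it and propagate the binding.
        for key in self.dynamic_keys:
            if now <= key.not_after and hmac.compare_digest(key.value, presented_key):
                self.mac_psk[mac] = key
                if self.platform is not None:
                    self.platform.push_association(self.name, mac, key)
                return "accepted: onboarded"
        # MAC absent from the table and no usable dynamic key at this AP.
        return "rejected: unknown station"


def run_scenario() -> Dict[str, str]:
    """Employee scenario with constructed MACs and times: a key is issued for AP1,
    printer and scanner join AP1, the printer roams to AP2, and a never-onboarded
    device, a wrong key and an expired key are rejected."""
    platform = ManagementPlatform()
    ap1, ap2 = AccessPoint("AP1"), AccessPoint("AP2")
    platform.register(ap1)
    platform.register(ap2)
    t0 = 1_700_000_000
    key = platform.issue_dynamic_key("AP1", lifetime_s=600, now=t0)
    printer, scanner = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    stranger = "aa:bb:cc:00:00:99"
    return {
        "printer_ap1": ap1.handle_access_request(printer, key.value, t0 + 10),
        "scanner_ap1": ap1.handle_access_request(scanner, key.value, t0 + 20),
        "printer_ap2": ap2.handle_access_request(printer, key.value, t0 + 30),
        "printer_ap2_wrong_key": ap2.handle_access_request(printer, "not-the-key", t0 + 40),
        "stranger_ap2": ap2.handle_access_request(stranger, key.value, t0 + 50),
        "stranger_ap1_after_expiry": ap1.handle_access_request(stranger, key.value, t0 + 700),
        "printer_ap2_after_expiry": ap2.handle_access_request(printer, key.value, t0 + 700),
    }


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:28s} {verdict}")
```

The split between the two paths is the security-relevant point of the scheme: a station that has never completed onboarding at the AP the key was issued for is rejected at every other AP even if it presents the correct dynamic key, because those APs only trust bindings pushed by the management platform. The validity period travels with the binding, so an expired key is refused both for new onboarding and for roaming.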
The following describes embodiments of an apparatus of the present application, which may be used to perform the network connection management method in the above embodiments of the present application. For details that are not disclosed in the embodiments of the apparatus of the present application, please refer to the embodiments of the network connection management method described above in the present application.
Fig. 16 shows a block diagram of a network connection management apparatus, which may be provided within an access point device, according to an embodiment of the present application.
Referring to fig. 16, a network connection management apparatus 1600 according to an embodiment of the present application includes: a first receiving unit 1602, a first processing unit 1604, a first generating unit 1606, and a transmitting unit 1608.
Wherein the first receiving unit 1602 is configured to receive a dynamic key for connecting to an access point device; the first processing unit 1604 is configured to, if an access request including the dynamic key sent by a site device is received, respond to the access request, and establish a connection with the site device; the first generating unit 1606 is configured to associate the physical address of the site device with the dynamic key after the connection with the site device is successfully established, and generate an association relationship between the physical address and the dynamic key; the transmission unit 1608 is configured to transmit the association relationship to other access point devices, so that the other access point devices verify, according to the association relationship, an access request initiated by the station device based on the dynamic key.
In some embodiments of the present application, based on the foregoing scheme, the first receiving unit 1602 is configured to: receiving a dynamic key which is sent by an access point management platform and used for connecting the access point equipment; or receiving a pre-configured dynamic key for connecting to the access point device.
In some embodiments of the present application, based on the foregoing scheme, the transmitting unit 1608 is configured to: send the association relation to an access point management platform so that the access point management platform forwards the association relation to the other access point devices; or send the association relation to the other access point devices through a communication link between the access point device and the other access point devices.
In some embodiments of the present application, based on the foregoing solution, the first receiving unit 1602 is further configured to receive a validity period of the dynamic key, and the first processing unit 1604 is configured to determine, according to the validity period, whether the dynamic key contained in the access request is within the validity period, and to establish a connection with the station device if the dynamic key is determined to be within the validity period.
In some embodiments of the present application, based on the foregoing scheme, the transmitting unit 1608 is further configured to transmit the validity period of the dynamic key to the other access point devices, so that the other access point devices verify, within the validity period and according to the association relation, an access request initiated by the station device based on the dynamic key.
Fig. 17 illustrates a block diagram of a network connection management apparatus, which may be disposed within an access point management platform, according to an embodiment of the present application.
Referring to fig. 17, a network connection management apparatus 1700 according to an embodiment of the present application includes: an assignment unit 1702, a first transmission unit 1704, a second reception unit 1706, and a second transmission unit 1708.
Wherein the assigning unit 1702 is configured to assign a dynamic key for connecting to the access point device in response to the key application request; a first sending unit 1704 is configured to send the dynamic key to the access point device and an initiator of the key application request, so that the access point device verifies the received access request based on the dynamic key; a second receiving unit 1706 is configured to receive an association relationship between a physical address sent by the access point device and the dynamic key, where the physical address is an address owned by a station device that successfully accesses the access point device based on the dynamic key; the second sending unit 1708 is configured to send the association relationship to other access point devices, so that the other access point devices verify, based on the association relationship, an access request initiated by the station device based on the dynamic key.
In some embodiments of the present application, based on the foregoing solution, the network connection management apparatus 1700 further includes: a second generation unit configured to generate a validity period of the dynamic key; the first sending unit is further configured to send the validity period to the access point device, so that the access point device verifies the received access request based on the dynamic key within the validity period.
In some embodiments of the present application, based on the foregoing solution, the allocating unit 1702 is further configured to: and before responding to the key application request, receiving the key application request sent by the application program server side, wherein the key application request is sent by the application program server side after the authentication of the application program client side which initiates the key application is passed.
Fig. 18 shows a block diagram of a network connection management apparatus, which may be provided within an access point device, according to an embodiment of the present application.
Referring to fig. 18, a network connection management apparatus 1800 according to an embodiment of the present application includes: a third receiving unit 1802, an obtaining unit 1804, and a verifying unit 1806.
Wherein the third receiving unit 1802 is configured to receive an association relationship between a physical address and a dynamic key, the association relationship being generated by other access point devices according to the dynamic key and a physical address of a station device that uses the dynamic key and successfully establishes a connection with the other access point; the obtaining unit 1804 is configured to, if an access request sent by a specific device is received, obtain a physical address of the specific device and an access key included in the access request; the verifying unit 1806 is configured to verify the access request according to the association relationship, the physical address of the specified device, and the access key included in the access request.
In some embodiments of the present application, based on the foregoing solution, the verifying unit 1806 is configured to: determine that the access request is successfully verified if, according to the association relationship, the physical address of the designated device is associated with the access key contained in the access request; and reject the access request if the physical address of the designated device does not exist in the association relationship.
In some embodiments of the present application, based on the foregoing scheme, the third receiving unit 1802 is further configured to receive a validity period of the dynamic key, and the verification unit 1806 is configured to verify the access request, within the validity period, according to the association relation, the physical address of the designated device and the access key contained in the access request.
FIG. 19 illustrates a schematic structural diagram of a computer system suitable for use in implementing the electronic device of an embodiment of the present application.
It should be noted that the computer system 1900 of the electronic device shown in fig. 19 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 19, a computer system 1900 includes a Central Processing Unit (CPU)1901, which can perform various appropriate actions and processes, such as executing the method described in the above-described embodiment, according to a program stored in a Read-Only Memory (ROM) 1902 or a program loaded from a storage section 1908 into a Random Access Memory (RAM) 1903. In the RAM 1903, various programs and data necessary for system operation are also stored. The CPU 1901, ROM 1902, and RAM 1903 are connected to one another via a bus 1904. An Input/Output (I/O) interface 1905 is also connected to the bus 1904.
The following components are connected to the I/O interface 1905: an input section 1906 including a keyboard, a mouse, and the like; an output section 1907 including a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD), a speaker, and the like; a storage section 1908 including a hard disk and the like; and a communication section 1909 including a network interface card such as a LAN (Local Area Network) card, a modem, or the like. The communication section 1909 performs communication processing via a network such as the internet. A drive 1910 is also connected to the I/O interface 1905 as needed. A removable medium 1911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1910 as necessary, so that a computer program read out therefrom is installed into the storage section 1908 as necessary.
In particular, according to embodiments of the application, the processes described above with reference to the flow diagrams may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising a computer program for performing the method illustrated by the flow chart. In such embodiments, the computer program may be downloaded and installed from a network via communications portion 1909 and/or installed from removable media 1911. When the computer program is executed by the Central Processing Unit (CPU)1901, various functions defined in the system of the present application are executed.
It should be noted that the computer readable medium shown in the embodiments of the present application may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), a flash Memory, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with a computer program embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. The computer program embodied on the computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. Each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present application may be implemented by software or by hardware, and the described units may also be disposed in a processor. The names of the units do not in any way limit the units themselves.
As another aspect, the present application also provides a computer-readable medium, which may be contained in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by an electronic device, cause the electronic device to implement the method described in the above embodiments.
It should be noted that although several modules or units of the device for action execution are mentioned in the above detailed description, such a division is not mandatory. Indeed, according to embodiments of the application, the features and functionality of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which can be a personal computer, a server, a touch terminal, or a network device, etc.) to execute the method according to the embodiments of the present application.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the embodiments disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.
Claims (15)
1. A network connection management method, comprising:
receiving a dynamic key for connecting to an access point device;
if an access request containing the dynamic key sent by a station device is received, responding to the access request and establishing a connection with the station device;
after the connection with the station device is successfully established, associating the physical address of the station device with the dynamic key to generate an association relation between the physical address and the dynamic key;
and transmitting the association relation to other access point equipment so that the other access point equipment verifies the access request initiated by the station equipment based on the dynamic key according to the association relation.
2. The method of claim 1, wherein receiving a dynamic key for connecting to an access point device comprises:
receiving a dynamic key sent by an access point management platform for connecting to the access point device; or
receiving a preconfigured dynamic key for connecting to the access point device.
3. The method of claim 1, wherein communicating the association to other access point devices comprises:
sending the association relation to an access point management platform so that the access point management platform forwards the association relation to the other access point devices; or
sending the association relation to the other access point devices through a communication link between the access point device and the other access point devices.
4. The network connection management method according to any one of claims 1 to 3, further comprising: receiving a validity period of the dynamic key;
wherein responding to the access request and establishing a connection with the station device comprises: determining, according to the validity period, whether the dynamic key contained in the access request is within the validity period, and establishing the connection with the station device if the dynamic key is determined to be within the validity period.
5. The network connection management method according to claim 4, further comprising:
and transmitting the validity period of the dynamic key to the other access point equipment so that the other access point equipment can verify the access request initiated by the station equipment based on the dynamic key according to the association relation within the validity period.
6. A network connection management method, comprising:
allocating a dynamic key for connecting to the access point device in response to a key application request;
sending the dynamic key to the access point device and an initiator of the key application request, so that the access point device verifies the received access request based on the dynamic key;
receiving an association relation between a physical address sent by the access point device and the dynamic key, wherein the physical address is an address owned by a station device which successfully accesses the access point device based on the dynamic key;
and sending the association relation to other access point equipment so that the other access point equipment verifies the access request initiated by the station equipment based on the dynamic key based on the association relation.
7. The network connection management method according to claim 6, further comprising:
generating a validity period of the dynamic key;
sending the validity period to the access point device so that the access point device can verify the received access request based on the dynamic key within the validity period.
8. The network connection management method according to claim 6 or 7, wherein before the responding to the key application request, the network connection management method further comprises:
and receiving a key application request sent by an application program server, wherein the key application request is sent by the application program server after the authentication of the application program client initiating the key application is passed.
9. A network connection management method, comprising:
receiving an association relation between a physical address and a dynamic key, wherein the association relation is generated by other access point equipment according to the dynamic key and the physical address of station equipment which uses the dynamic key and successfully establishes connection with other access points;
if an access request sent by a designated device is received, acquiring a physical address of the designated device and an access key contained in the access request;
and verifying the access request according to the association relation, the physical address of the designated device and the access key contained in the access request.
10. The method according to claim 9, wherein verifying the access request according to the association relationship, the physical address of the specific device, and an access key included in the access request includes:
if the physical address of the designated equipment is determined to be associated with the access key contained in the access request according to the association relationship, the access request is determined to be successfully verified;
and if the physical address of the specified equipment does not exist in the association relationship, rejecting the access request.
11. The network connection management method according to claim 9 or 10, further comprising: receiving a validity period of the dynamic key;
wherein verifying the access request according to the association relation, the physical address of the designated device and the access key contained in the access request comprises: verifying, within the validity period, the access request according to the association relation, the physical address of the designated device and the access key contained in the access request.
12. A network connection management apparatus, comprising:
a first receiving unit configured to receive a dynamic key for connecting to an access point device;
a first processing unit configured to, if an access request containing the dynamic key sent by a station device is received, respond to the access request and establish a connection with the station device;
a first generation unit configured to, after the connection with the station device is successfully established, associate the physical address of the station device with the dynamic key and generate an association relation between the physical address and the dynamic key;
a transmission unit, configured to transmit the association relationship to other access point devices, so that the other access point devices verify, according to the association relationship, an access request initiated by the station device based on the dynamic key.
13. A network connection management apparatus, comprising:
an allocation unit configured to allocate a dynamic key for connecting the access point device in response to a key application request;
a first sending unit, configured to send the dynamic key to the access point device and an initiator of the key application request, so that the access point device verifies the received access request based on the dynamic key;
a second receiving unit, configured to receive an association relationship between a physical address sent by the access point device and the dynamic key, where the physical address is an address owned by a station device that successfully accesses the access point device based on the dynamic key;
a second sending unit, configured to send the association relationship to other access point devices, so that the other access point devices verify, based on the association relationship, an access request initiated by the station device based on the dynamic key.
14. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the network connection management method according to any one of claims 1 to 11.
15. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the network connection management method of any one of claims 1 to 11.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110780040.2A CN113543131A (en) | 2021-07-09 | 2021-07-09 | Network connection management method and device, computer readable medium and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113543131A true CN113543131A (en) | 2021-10-22 |
Family ID: 78098310
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110780040.2A Pending CN113543131A (en) | 2021-07-09 | 2021-07-09 | Network connection management method and device, computer readable medium and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113543131A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2024082302A1 (en) * | 2022-10-21 | 2024-04-25 | Oppo广东移动通信有限公司 | Information update method and apparatus, and device and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109548018A (en) * | 2019-01-11 | 2019-03-29 | 腾讯科技(深圳)有限公司 | Wireless network access method, device, equipment and system |
CN109923883A (en) * | 2016-09-27 | 2019-06-21 | A9.Com公司 | The shared method of network configuration |
US20210099873A1 (en) * | 2019-09-30 | 2021-04-01 | Fortinet, Inc. | Authenticating client devices in a wireless communication network with client-specific pre-shared keys |
CN112672351A (en) * | 2020-12-15 | 2021-04-16 | 腾讯科技(深圳)有限公司 | Wireless local area network authentication method and device, electronic equipment and storage medium |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
PB01 | Publication | |
REG | Reference to a national code | Ref country code: HK; Ref legal event code: DE; Ref document number: 40053596; Country of ref document: HK |
SE01 | Entry into force of request for substantive examination | |
SE01 | Entry into force of request for substantive examination | |