CN114731513A - Method for controlling communication access, AP and communication equipment - Google Patents

Publication number
CN114731513A
Authority
CN
China
Prior art keywords
communication device
access
communication
response message
communication equipment
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201980102414.6A
Other languages
Chinese (zh)
Inventor
刘凯
郭湛
艾伟
杨艳江
梁文桥
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method for controlling communication access, an AP and a communication device are provided to address the prior-art problem of low security when a communication device accesses the AP. In the application, the AP receives an authentication request message from a first communication device and, in response to the authentication request message, sends identity authentication information to a server, so that the server authenticates the identity authentication information; if the first response message received by the AP indicates that the authentication is successful, the AP sends an authorization request message to a second communication device that is authorized to access the AP, to request the second communication device to authorize the first communication device; and the AP receives a second response message fed back by the second communication device in response to the authorization request message, and performs access control on the first communication device according to the second response message. Authenticating the identity authentication information ensures the authenticity and validity of the first communication device. Having the second communication device, which is already authorized to access the AP, determine whether to authorize the first communication device further improves the security of communication devices accessing the AP.

Description

Method for controlling communication access, AP and communication equipment
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method for controlling communication access, an AP, and a communication device.
Background
Wireless Local Area Network (WLAN) communication technology and wireless fidelity (WiFi) communication technology are now deployed on a large scale, and with the wide application of WLAN/WiFi communication technology, the security of wireless networks becomes more and more important.
Wireless security protocols have developed through the sequence WEP -> WPA2 -> WPA3; such a protocol enables a Station (STA) and an Access Point (AP) to establish a channel for secure communication. Since any person or organization can set up a WiFi network, and the WiFi network is open to STAs, an STA that needs to access the WiFi network only needs to acquire the Service Set Identifier (SSID) and the access password of the WiFi network. The SSID is broadcast by the AP, and an STA in the vicinity of the AP can search for the SSID broadcast by the AP; that is, the STA can access the WiFi network of the AP as long as it acquires the access password of the AP. Therefore, a malicious STA may obtain the access password through brute force cracking, attack, packet capture and analysis on the air interface, forgery, and the like, and use it to access the WiFi network of the AP, and thus the malicious STA may threaten other STAs that have accessed the WiFi network.
Disclosure of Invention
The application provides a method for controlling communication access, an AP and a communication device, which are used for improving the security of communication devices accessing the AP.
In a first aspect, the present application provides a method for controlling communication access. The method includes: an AP receives an authentication request message from a first communication device, the authentication request message carrying identity authentication information of the first communication device; in response to the authentication request message, the AP sends the identity authentication information to a server, so that the server authenticates the first communication device according to the identity authentication information of the first communication device; the AP receives a first response message fed back from the server; if the first response message indicates that the authentication is successful, the AP sends an authorization request message to a second communication device to request the second communication device to authorize the first communication device to access the AP; and the AP receives a second response message fed back by the second communication device in response to the authorization request message, and performs access control on the first communication device according to the second response message; wherein the second communication device is a communication device authorized to access the AP.
Based on this scheme, the server authenticates the identity authentication information of the first communication device and can thereby determine whether that information is authentic and valid, so that the authenticity of the communication devices accessing the AP can be guaranteed. Further, having the second communication device, which is authorized to access the AP, determine whether to authorize the access of the first communication device further improves the security of the first communication device accessing the AP. In other words, in the present application, the AP allows the first communication device to access the AP only after receiving the first response message fed back by the server indicating that the authentication is successful and receiving the second communication device's authorization of the access, so that the security of communication devices accessing the AP can be improved.
In one possible implementation, the identity authentication information may include information of a Universal Subscriber Identity Module (USIM) or an Identity (ID) of the first communication device. When the identity authentication information includes the information of the USIM, the identity authentication information of the first communication apparatus can be authenticated through the operator server, so that the authenticity of the first communication apparatus can be further improved.
In one possible implementation, if the first response message indicates that the authentication fails, the AP denies the first communication device access. The server fails to authenticate the identity authentication information of the first communication device, which indicates that the identity authentication information of the first communication device is invalid, that is, the first communication device may be a forged communication device, and at this time, the AP denies the access of the first communication device, thereby being beneficial to improving the security of the communication device accessing the AP.
Further, optionally, if the second response message includes information indicating that the first communication device is authorized to access the AP, the AP allows the first communication device to access; and if the second response message comprises information indicating that the first communication equipment is refused to access the AP, the AP refuses the access of the first communication equipment.
In a second aspect, the present application provides a method for controlling communication access, where the method includes that a second communication device receives an authorization request message from an AP, and the second communication device responds to the received authorization request message and sends a second response message to the AP, so that the AP performs access control on a first communication device according to the second response message; wherein the second communication device is a communication device authorized to access the AP.
Based on the scheme, the second communication equipment which is authorized to access the AP determines whether to authorize the first communication equipment to access the AP or not, so that the safety of the communication equipment accessing the AP can be improved.
In one possible implementation, the second response message includes information indicating that the first communication device is authorized to access the AP or information indicating that the first communication device is denied access to the AP.
Two implementations of the second communication device determining whether to authorize the first communication device to access the AP are exemplarily presented below.
In a first implementation, the second communication device may make the determination according to a blacklist and/or a whitelist.
In one possible implementation, the authorization request message may include an ID of the first communication device; if the second communication device determines that the ID of the first communication device belongs to the ID in the preset white list, sending a second response message including information indicating that the first communication device is authorized to access the AP to the AP; and if the second communication equipment determines that the ID of the first communication equipment belongs to the ID in the preset blacklist, sending a second response message including information indicating that the first communication equipment is refused to access the AP to the AP.
In a second implementation, the second communication device may make the determination according to a detected operation instruction.
In a possible implementation manner, if the second communication device detects an operation instruction indicating that the first communication device is authorized to access the AP, the second communication device sends a second response message including information indicating that the first communication device is authorized to access the AP to the AP; and if the second communication equipment detects the operation instruction which indicates that the first communication equipment is refused to access the AP, sending a second response message which comprises information indicating that the first communication equipment is refused to access the AP to the AP.
In a third aspect, the present application provides a method for controlling communication access, where the method includes that a server receives identity authentication information of a first communication device sent by an AP in response to an authentication request, and the server authenticates the identity authentication information of the first communication device according to the identity authentication information of the first communication device, and feeds back a first response message to the AP.
Based on the scheme, the server authenticates the identity authentication information of the first communication equipment, and whether the identity authentication information of the first communication equipment is real and effective can be determined, namely the authenticity of the first communication equipment accessing the AP can be ensured.
In one possible implementation manner, the first response message may indicate that the authentication is successful or that the authentication is failed, and the first communication device is a communication device that requests to access the AP.
In a possible implementation manner, the identity authentication information may include information of a USIM, and the information of the USIM may include a first token and an International Mobile Subscriber Identity (IMSI). After receiving the information of the USIM, the server may determine a key corresponding to the IMSI and determine a second token according to the key; if the second token is determined to be consistent with the received first token, the first response message sent to the AP indicates that the authentication is successful; and if the second token is determined to be inconsistent with the received first token, the first response message sent to the AP indicates that the authentication fails.
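The two-stage decision of the first to third aspects (server token check, then authorization by an already-admitted device) is sketched below as an added example; it is not code from the application. The token derivation (HMAC-SHA256 over the IMSI and a nonce carried in the request), the precedence of the blacklist, the default deny for unlisted devices, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data: IMSI -> subscriber key held by the server.
SUBSCRIBER_KEYS = {
    "001010000000001": b"k1-sample-key",
    "001010000000002": b"k2-sample-key",
}


def compute_token(key: bytes, imsi: str, nonce: bytes) -> bytes:
    """Assumed derivation (the application does not specify one)."""
    return hmac.new(key, imsi.encode() + b"|" + nonce, hashlib.sha256).digest()


@dataclass(frozen=True)
class AuthRequest:
    device_id: str      # ID of the first communication device
    imsi: str           # USIM information: IMSI ...
    nonce: bytes        # ... an assumed per-request nonce ...
    first_token: bytes  # ... and the first token


class Server:
    """Third aspect: look up the key for the IMSI, derive the second token, compare."""

    def __init__(self, keys):
        self.keys = dict(keys)

    def authenticate(self, req: AuthRequest) -> bool:
        key = self.keys.get(req.imsi)
        if key is None:
            return False  # unknown subscriber: authentication fails
        second_token = compute_token(key, req.imsi, req.nonce)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(second_token, req.first_token)


class SecondDevice:
    """Second aspect: a device already authorized to access the AP."""

    def __init__(self, whitelist=(), blacklist=(), operator=None):
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self.operator = operator  # callable modelling the operation instruction
        self.seen = []            # IDs of devices the AP asked about

    def authorize(self, device_id: str) -> bool:
        self.seen.append(device_id)
        if device_id in self.blacklist:   # assumption: blacklist takes precedence
            return False
        if device_id in self.whitelist:
            return True
        # Assumption: unlisted devices need an explicit operator approval.
        return bool(self.operator and self.operator(device_id))


class AccessPoint:
    """First aspect: admit only after both responses are positive."""

    def __init__(self, server: Server, second_device: SecondDevice):
        self.server = server
        self.second_device = second_device

    def handle(self, req: AuthRequest) -> str:
        if not self.server.authenticate(req):        # first response message
            return "deny:authentication"
        if not self.second_device.authorize(req.device_id):  # second response
            return "deny:authorization"
        return "allow"


def make_request(device_id: str, imsi: str, key: bytes, nonce: bytes = b"n-0001"):
    """Build the request a device holding `key` would send (constructed input)."""
    return AuthRequest(device_id, imsi, nonce, compute_token(key, imsi, nonce))


if __name__ == "__main__":
    owner = SecondDevice(whitelist={"tablet-01"}, blacklist={"cam-99"})
    ap = AccessPoint(Server(SUBSCRIBER_KEYS), owner)
    good = SUBSCRIBER_KEYS["001010000000001"]
    for dev, key in [("tablet-01", good), ("tablet-01", b"forged"), ("cam-99", good)]:
        print(dev, ap.handle(make_request(dev, "001010000000001", key)))
```

Because the authorization request is sent only after a successful first response message, a device with forged identity information never reaches the second communication device.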
In a fourth aspect, the present application provides a method for controlling communication access, where the method includes receiving, by a second communication device, a third response message from a server, where the third response message includes shared key information for accessing an AP, and when the second communication device determines that a first communication device is allowed to access the AP, providing the shared key information to the first communication device, where the second communication device is a communication device that is authorized to access the AP.
Based on the scheme, whether the first communication device is allowed to access the AP can be determined by the second communication device, and the second communication device is a communication device authorized to access the AP, so that the security of the communication device accessing the AP is improved.
In one possible implementation, the shared key information may be provided in the form of a password or a two-dimensional code. Thus, the first communication device can acquire the shared key information quickly. In addition, when the shared key information is a password, even if the password is leaked after being used by the first communication device, another communication device cannot use it again, and thus the security of communication devices accessing the AP can be further improved.
Two implementations are exemplarily shown for the second communication device determining to allow the first communication device to access the AP, as follows.
Implementation mode 1
The second communication device acquires the identifier (ID) of the first communication device, and provides the shared key information to the first communication device if the second communication device determines that the ID of the first communication device belongs to the IDs in the preset whitelist.
Implementation mode 2
If the second communication device detects an operation instruction indicating that the first communication device is authorized to access the AP, the second communication device provides the shared key information to the first communication device.
In a fifth aspect, the present application provides a method for controlling communication access, where the method includes that a first communication device sends a request message for obtaining a shared key to a server through an AP, so as to request the server to generate shared key information for accessing the AP for the first communication device, the first communication device obtains the shared key information from a second communication device, and the first communication device accesses the AP through the shared key information, where the second communication device is a communication device that is authorized to access the AP.
Based on the scheme, whether the first communication device is allowed to access the AP can be determined by the second communication device, and the second communication device is a communication device authorized to access the AP, so that the security of the communication device accessing the AP is improved.
In a possible implementation manner, the first communication device may obtain the shared key information of the access AP by scanning a two-dimensional code provided by the second communication device. In another possible implementation manner, the first communication device may obtain the shared key information of the access AP by copying a password provided by the second communication device.
In one possible implementation, the request message to obtain the shared key includes an ID of the first communication device.
In a sixth aspect, the present application provides a method for controlling communication access, where the method includes receiving, by a server, a request message for obtaining a shared key from an AP, generating, by the server, shared key information for accessing the AP in response to the request message for obtaining the shared key, and sending, to a second communication device, a third response message, where the third response message includes the shared key information for accessing the AP, and the second communication device is a communication device that is authorized to access the AP.
Based on the scheme, the server sends the shared key information of the access AP to the second communication equipment, and the second communication equipment determines whether to allow the first communication equipment to access the AP or not, and the second communication equipment is the communication equipment authorized to access the AP. Thus, the security of the first communication device accessing the AP is improved.
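The shared-key variant of the fourth to sixth aspects is sketched below as an added example; it is not code from the application. The application does not say how the AP validates the presented key or how single use is enforced, so redeeming the key at the server, binding it to the requesting device's ID, and all class and function names here are assumptions.

```python
import secrets


class KeyServer:
    """Sixth aspect: generates shared key information for a requesting device."""

    def __init__(self):
        self.pending = {}  # shared key -> ID of the device it was generated for

    def issue(self, device_id: str) -> str:
        key = secrets.token_urlsafe(16)  # unpredictable password-style key
        self.pending[key] = device_id
        return key

    def redeem(self, device_id: str, key: str) -> bool:
        # Assumption: the key is bound to the requesting ID and is single-use,
        # so a key leaked after use is worthless to another device.
        if self.pending.get(key) != device_id:
            return False
        del self.pending[key]
        return True


class KeyHolder:
    """Fourth aspect: the second communication device, already authorized."""

    def __init__(self, whitelist=(), operator=None):
        self.whitelist = set(whitelist)
        self.operator = operator  # callable modelling the operation instruction
        self.inbox = {}           # device ID -> key from the third response message

    def receive(self, device_id: str, key: str) -> None:
        self.inbox[device_id] = key

    def release(self, device_id: str):
        """Return the key (shown as password or 2D code) only if access is allowed."""
        key = self.inbox.get(device_id)
        if key is None:
            return None
        approved = device_id in self.whitelist or bool(
            self.operator and self.operator(device_id)
        )
        if not approved:
            return None
        del self.inbox[device_id]  # hand the key over once
        return key


class SharedKeyAP:
    """Relays key requests to the server and checks keys presented on join."""

    def __init__(self, server: KeyServer):
        self.server = server

    def request_shared_key(self, holder: KeyHolder, device_id: str) -> None:
        # Fifth aspect: the request carries the first device's ID. The key is
        # delivered to the second device, never back to the requester.
        holder.receive(device_id, self.server.issue(device_id))

    def join(self, device_id: str, key) -> bool:
        return key is not None and self.server.redeem(device_id, key)


if __name__ == "__main__":
    server = KeyServer()
    holder = KeyHolder(whitelist={"tablet-01"})  # constructed sample IDs
    ap = SharedKeyAP(server)
    ap.request_shared_key(holder, "tablet-01")
    key = holder.release("tablet-01")
    print("first use:", ap.join("tablet-01", key))
    print("reuse:", ap.join("tablet-01", key))
```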
In a seventh aspect, the present application provides an AP having a function of implementing the AP in the first aspect. The function can be realized by hardware, and can also be realized by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above functions.
In one possible implementation, the communication device may be an AP or a module, such as a chip or a system of chips or a circuit, that may be used in an AP. The beneficial effects can be seen from the description of the first aspect, which is not repeated herein. The communication device may include: a transceiver and a processor. The processor may be configured to enable the communication device to perform the respective functions of the AP shown above, and the transceiver is configured to enable communication between the communication device and the first communication device, the second communication device, the server, and the like. The transceiver may be a separate receiver, a separate transmitter, a transceiver with integrated transceiving function, or an interface circuit. Optionally, the communication device may also include a memory, which may be coupled to the processor, that retains program instructions and data necessary for the communication device.
The transceiver is used for receiving an authentication request message from the first communication device, the authentication request message carries identity authentication information of the first communication device, the authentication request message is responded, the identity authentication information of the first communication device is sent to the server, the server authenticates the first communication device according to the identity authentication information, and a first response message fed back from the server is received; if the first response message indicates that the authentication is successful, sending an authorization request message to the second communication equipment to request the second communication equipment to authorize the first communication equipment to access the AP, and receiving a second response message fed back by the second communication equipment in response to the authorization request message; the processor is used for performing access control on the first communication device according to the second response message, and the second communication device is a communication device authorized to access the AP.
In one possible implementation, the identity authentication information includes information of the USIM or an ID of the first communication device.
In a possible implementation manner, the processor is further configured to deny the first communication device access if the first response message indicates that the authentication fails.
In one possible implementation, the second response message includes information indicating that the first communication device is authorized to access the AP, or information indicating that the first communication device is denied access to the AP. The processor is specifically configured to allow the first communication device to access if the second response message includes information indicating that the first communication device is authorized to access the AP; the processor is specifically configured to deny the first communications device access if the second response message includes information indicating that the first communications device is denied access to the AP.
In an eighth aspect, the present application provides a communication device having a function of implementing the second communication device in the second aspect described above or the second communication device in the fourth aspect or the first communication device in the fifth aspect. The function can be realized by hardware, and can also be realized by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above functions.
In one possible implementation, the communication device may be the second communication device, or the first communication device, or a module, such as a chip or a system of chips or a circuit, usable for the second communication device, or a module usable for the first communication device. The communication device may include: a transceiver and a processor. The processor may be configured to enable the communication device to perform the respective functions of the second communication device or the first communication device as shown above, and the transceiver is configured to enable communication between the communication device and other communication devices, APs and the like. The transceiver may be a separate receiver, a separate transmitter, a transceiver with integrated transceiving function, or an interface circuit. Optionally, the communication device may also include a memory, which may be coupled to the processor, that retains program instructions and data necessary for the communication device.
In a possible situation, the communication device has a function of implementing the second communication device in the second aspect, and for beneficial effects, reference may be made to the description of the second aspect, and details are not repeated here.
The transceiver is used for receiving an authorization request message from an Access Point (AP), and the communication equipment is authorized to access the AP; the processor cooperates with the transceiver and is used for responding to the authorization request message and sending a second response message to the AP so that the AP performs access control on the first communication equipment according to the second response message.
In one possible implementation, the authorization request message may include an ID of the first communication device.
In one possible implementation, the processor cooperates with the transceiver, in particular to: if the processor determines that the ID of the first communication device belongs to the ID in the preset white list, the transceiver sends a second response message to the AP, wherein the second response message comprises information indicating that the first communication device is authorized to access the AP; if the processor determines that the ID of the first communication device belongs to the ID in the preset blacklist, the transceiver sends a second response message including information indicating that the first communication device is refused to access the AP to the AP.
In one possible implementation, the processor cooperates with the transceiver, in particular to: if the processor detects an operation instruction indicating that the first communication equipment is authorized to access the AP, the transceiver sends a second response message to the AP, wherein the second response message comprises information indicating that the first communication equipment is authorized to access the AP; if the processor detects an operation instruction indicating that the first communication device is rejected to access the AP, the transceiver sends a second response message including information indicating that the first communication device is rejected to access the AP to the AP.
In another possible situation, the second communication device has a function of implementing the second communication device in the fourth aspect, and for beneficial effects, reference may be made to the description of the fourth aspect, and details are not described here again.
The transceiver is used for receiving a third response message from the server, the third response message comprises shared key information of the access AP, and the communication equipment is communication equipment authorized to access the AP; the processor is configured to provide the first communication device with shared key information for accessing the AP when it is determined that the first communication device is allowed to access the AP.
In a possible implementation manner, the processor is specifically configured to generate a two-dimensional code or a password according to the shared key information; the communication device further comprises a display for displaying the two-dimensional code or the password to the first communication device.
In a possible implementation manner, the processor is specifically configured to obtain an identification ID of the first communication device; and if the ID of the first communication equipment is determined to belong to the ID in the preset white list, providing the shared key information to the first communication equipment.
In one possible implementation, the processor is specifically configured to provide the shared key information to the first communication device if an operation instruction indicating that the first communication device is authorized to access the AP is detected.
In another possible scenario, the communication device has a function of implementing the first communication device in the fifth aspect, and for beneficial effects, reference may be made to the description of the fifth aspect, and details are not described herein again.
The transceiver is used for sending a request message for acquiring the shared key to the server through the access point (AP), to request the server to generate, for the communication device, shared key information for accessing the AP; the processor is used for obtaining the shared key information for accessing the AP from the second communication device, and accessing the AP through the shared key information, wherein the second communication device is a communication device authorized to access the AP.
In a possible implementation manner, the processor is specifically configured to obtain shared key information of the access AP by scanning a two-dimensional code provided by the second communication device; or may obtain the shared key information of the access AP by copying a password provided by the second communication device.
In one possible implementation, the request message to obtain the shared key includes an ID of the communication device.
In a ninth aspect, the present application provides a server having a function of implementing the server in the third aspect or the server in the sixth aspect. The function can be realized by hardware, and can also be realized by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above functions.
In one possible implementation, the server may include: a transceiver and a processor. The processor may be configured to enable the server to perform the respective functions of the server shown above, and the transceiver is configured to enable communication between the server and an AP or the like. The transceiver may be a separate receiver, a separate transmitter, a transceiver with integrated transceiving function, or an interface circuit. Optionally, the communication device may also include a memory, which may be coupled to the processor, that retains program instructions and data necessary for the communication device.
In one case, the server has a function of implementing the server in the third aspect; for beneficial effects, reference may be made to the description of the third aspect, and details are not described herein again.
The transceiver is used for receiving identity authentication information of a first communication device from the AP, the processor is used for authenticating the identity authentication information of the first communication device according to the identity authentication information of the first communication device, and the transceiver is further used for sending a first response message to the AP, wherein the first response message indicates authentication success or authentication failure, and the first communication device is a communication device requesting access to the AP.
In a possible implementation manner, the identity authentication information includes USIM information, the USIM information includes a first token and an IMSI, and the processor is specifically configured to determine a key corresponding to the IMSI and determine a second token according to the key; if the second token is determined to be consistent with the received first token, the first response message sent to the AP by the transceiver indicates that the authentication is successful; and if the second token is determined to be inconsistent with the received first token, the first response message sent to the AP by the transceiver indicates that the authentication fails.
In another case, the server has a function of implementing the server in the above sixth aspect, and beneficial effects can be referred to the description of the above sixth aspect, and are not described herein again.
The transceiver is used for receiving a request message for acquiring the shared key from the AP, the processor is used for responding to the request message for acquiring the shared key, generating shared key information of the access AP, and sending a third response message to the second communication device through the transceiver, wherein the third response message comprises the shared key information of the access AP, and the second communication device is a communication device which is authorized to access the AP.
In a tenth aspect, the present application provides an AP, where the AP is configured to implement the first aspect or any one of the methods of the first aspect, and includes corresponding functional modules, respectively configured to implement the steps in the above methods. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-described functions.
In a possible implementation manner, the AP may include a processing module and a transceiver module, and these modules may execute corresponding functions of the terminal device in the foregoing method example; for details, refer to the detailed description in the method example, which is not repeated here.
In an eleventh aspect, the present application provides a communication device for implementing the second aspect or any one of the methods of the second aspect, or for implementing the fourth aspect or any one of the methods of the fourth aspect, or for implementing the fifth aspect or any one of the methods of the fifth aspect, including corresponding functional modules respectively for implementing the steps in the above methods. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-described functions.
In a possible implementation manner, the communication device may be a first communication device or a second communication device, and the first communication device or the second communication device may include a processing module and a transceiver module, which may execute corresponding functions of the terminal device in the foregoing method example; for details, refer to the detailed description in the method example, which is not repeated here.
In a twelfth aspect, the present application provides a server for implementing the third aspect or any one of the methods of the third aspect, or for implementing the sixth aspect or any one of the methods of the sixth aspect, including corresponding functional modules, respectively for implementing the steps in the above methods. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.
In a thirteenth aspect, the present application provides a communication system including a first communication device, a second communication device, an AP, and a server. In a possible implementation manner, the AP may be configured to perform the first aspect or any one of the methods of the first aspect, the second communication device may be configured to perform the second aspect or any one of the methods of the second aspect, and the server may be configured to perform the third aspect or any one of the methods of the third aspect. In another possible implementation manner, the second communication device may be configured to perform the fourth aspect or any one of the methods of the fourth aspect, the first communication device may be configured to perform the fifth aspect or any one of the methods of the fifth aspect, and the server may be configured to perform the sixth aspect or any one of the methods of the sixth aspect.
In a fourteenth aspect, the present application provides a computer-readable storage medium having stored therein a computer program or instructions, which, when executed by an AP, causes the AP to perform the method of the first aspect or any possible implementation manner of the first aspect.
In a fifteenth aspect, the present application provides a computer-readable storage medium having stored therein a computer program or instructions which, when executed by a communication device, cause the communication device to perform the method of the second aspect or any possible implementation of the second aspect described above, or cause the communication device to perform the method of the fourth aspect or any possible implementation of the fourth aspect, or cause the communication device to perform the method of the fifth aspect or any possible implementation of the fifth aspect.
In a sixteenth aspect, the present application provides a computer readable storage medium having stored therein a computer program or instructions which, when executed by a server, cause the server to perform the method of the third aspect or any possible implementation of the third aspect, or cause the communication device to perform the method of the sixth aspect or any possible implementation of the sixth aspect.
In a seventeenth aspect, the present application provides a computer program product comprising a computer program or instructions which, when executed by an AP, implements the method of the first aspect or any possible implementation manner of the first aspect.
In an eighteenth aspect, the present application provides a computer program product comprising a computer program or instructions which, when executed by a communication device, implements the method of the second aspect or any possible implementation of the second aspect described above, or causes the communication device to perform the method of the fourth aspect or any possible implementation of the fourth aspect, or causes the communication device to perform the method of the fifth aspect or any possible implementation of the fifth aspect.
In a nineteenth aspect, the present application provides a computer program product comprising a computer program or instructions which, when executed by a server, implements the method of the third aspect or any possible implementation of the third aspect, or implements the method of the sixth aspect or any possible implementation of the sixth aspect.
Drawings
Fig. 1 is a schematic diagram of a communication system architecture provided in the present application;
Fig. 2 is a schematic flowchart of a method for controlling communication access provided in the present application;
Fig. 3 is a schematic flowchart of a method for a communication device to access an AP according to the present application;
Fig. 4 is a schematic flowchart of another method for controlling communication access provided in the present application;
Fig. 5 is a schematic structural diagram of an AP provided in the present application;
Fig. 6 is a schematic structural diagram of an AP provided in the present application;
Fig. 7 is a schematic structural diagram of a communication device provided in the present application;
Fig. 8 is a schematic structural diagram of a communication device provided in the present application;
Fig. 9 is a schematic structural diagram of a terminal device provided in the present application.
Detailed Description
The embodiments of the present application will be described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of an architecture of a communication system to which the present application is applicable. As shown in fig. 1, the communication system may include an Access Point (AP) 101 and at least one Station (STA) (fig. 1 exemplifies STA102 and STA 103). WLAN/WiFi communication can be conducted between the AP101 and the STA102 and between the AP101 and the STA 103. STA103 may be fixed location or mobile. The number of APs and STAs included in the communication system is not limited in the present application. If WLAN communication is carried out between the AP and a single STA, the communication system can be used for single-user uplink and downlink transmission; if the AP communicates with multiple STAs via WLAN, the communication system may also be used for uplink and downlink transmission of multiple users. Further, optionally, the communication system may also include a server 104. The server 104 may also be a virtual server, and may be integrated in the AP.
An AP (e.g., AP101) is also called a wireless access point or a hotspot. It is a bridge for communication between a wireless network and a wired network, and is a core device for establishing a wireless local area network. The AP is mainly used for providing mutual access between the STA and the wired local area network, and the STAs in the signal coverage range of the AP can communicate with each other through the AP. That is, the AP is an access point for STAs to enter the wired network. APs may be deployed in homes, buildings, and parks, typically covering a radius of tens to hundreds of meters. Of course, an AP can also be deployed outdoors. The AP may be a base station, an evolved NodeB (eNodeB), a transmission reception point (TRP), a next generation NodeB (gNB) in a 5G communication system, a base station in a future communication system, or an access point in a wireless fidelity (WiFi) system, etc.; or may be a module or a unit that performs part of the functions of the base station, for example, a centralized unit (CU) or a distributed unit (DU); or may be a router; or may be a switch; or may be a bridge; or may be a wireless gateway; or may be a STA, etc. The application does not limit the specific technology and the specific device form adopted by the AP. Optionally, the AP may support the 802.11ax protocol; further optionally, the AP may support multiple WLAN protocols such as 802.11ac, 802.11n, 802.11g, 802.11b, and 802.11a.
STAs (e.g., STA102 and STA103) are communication devices, such as wireless communication chips, terminal devices, etc., connected to a wireless network; the terminal device may also be referred to as a terminal, a User Equipment (UE), a mobile station, a mobile terminal, or the like. The terminal device can be a mobile phone, a tablet computer, a computer with a wireless transceiving function, a virtual reality terminal device, an augmented reality terminal device, a wireless terminal in industrial control, a wireless terminal in unmanned driving, a wireless terminal in remote operation, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home and the like. The specific technology and the specific equipment form adopted by the terminal equipment are not limited in the application. In one possible implementation, the wireless terminal may be a terminal capable of running a physical Subscriber Identity Module (SIM) card or a virtual SIM card. Optionally, the STA may support the 802.11ax protocol; further optionally, the STAs may support multiple WLAN protocols, 802.11ac, 802.11n, 802.11g, 802.11b, and 802.11 a.
The AP and the STA may communicate with each other through a 2.4 gigahertz (GHz) spectrum, may communicate through a 5GHz spectrum, and may communicate through a 60GHz spectrum. The application does not limit the spectrum resources used between the AP and the STA.
The communication system shown in fig. 1 is applicable to a WiFi network of a smart home. When the communication system shown in fig. 1 is applied to a WiFi network of a smart home, the AP101 may be a router, the STA102 and the STA103 may be wireless terminals in the smart home, such as a mobile phone, a tablet computer, a notebook computer, a smart refrigerator, a smart air conditioner, and the like. In a possible case, a new wireless terminal needs to access the WiFi network of the smart home, for example, a guest visits, and a guest mobile phone may need to access the WiFi network of the smart home.
It should be noted that the system architecture and the application scenario described in the present application are for more clearly illustrating the technical solution of the present application, and do not constitute a limitation to the technical solution provided in the present application, and as a person of ordinary skill in the art knows, along with the evolution of the system architecture and the appearance of a new service scenario, the technical solution provided in the present application is also applicable to similar technical problems.
Hereinafter, some terms in the present application are explained to facilitate understanding by those skilled in the art.
1) Basic service set (basic service set, BSS)
BSS is used to describe a group of mobile devices that communicate with each other in an 802.11 WLAN. A BSS may or may not include an AP (access point). Basic service sets are of two types: one is an Independent Basic Service Set (IBSS), a temporary network consisting of a small number of stations for a specific purpose, because of not long duration, very small size and special purpose, sometimes called an ad hoc BSS or ad hoc network, in which the stations can communicate directly with each other, but the distance between them must be within a range that allows direct communication. The other is an infrastructure BSS (infrastructure BSS), which includes an AP and a plurality of mobile stations.
2) Service Set Identifier (SSID)
The SSID can divide a wireless local area network into a plurality of sub-networks which need different authentication, each sub-network needs independent authentication, and only the users who pass the authentication can enter the corresponding sub-network, so that the unauthorized users are prevented from entering the network.
3)IMSI
The IMSI is an identification code that is not repeated in all cellular networks to distinguish different users in the cellular networks. The handset may send the IMSI to the network in a 64-bit field. The IMSI may be used to query a Home Location Register (HLR) or a Visitor Location Register (VLR) for subscriber information.
4)USIM
The USIM is also called an upgraded SIM. The USIM upgrades the algorithm in terms of security and adds the function of authentication of the network by the card. Such mutual authentication can effectively prevent attacks on the card by hackers.
5) Quick Response (QR) code
A QR code is a two-dimensional code capable of storing information, which can be obtained by encrypting characters, Uniform Resource Locator (URL) addresses, and other types of data.
6) Password
A password is an unpredictable combination of random numbers and/or letters generated by a specialized algorithm, and each password can only be used once.
7) Shared secret key
A shared key is a Unicode string used for verifying a Layer 2 Tunneling Protocol (L2TP)/Internet Protocol Security (IPSec) connection. The user may enter the same key that is pre-configured for accessing the network; the key may be 8 to 63 ASCII characters or 64 hexadecimal digits (256 bits).
A method for controlling communication access provided by the present application to solve the technical problems of the background art is described in detail below. In the following description, the AP may be the AP101 in fig. 1, and the STA may be the STA102 or the STA103 in fig. 1. If the communication system shown in fig. 1 is applied to a WiFi network of a smart home, the first communication device may be a communication device to be accessed to the WiFi network of the smart home, for example, a mobile phone of a visiting guest; the second communication device may be any communication device in the WiFi network of the smart home that has been authorized to access the AP, for example, a host cell phone.
Referring to Fig. 2, a flowchart of a method for controlling communication access provided by the present application is shown. In the following description, accessing the AP refers to accessing the network of the AP or accessing the BSS of the AP. For example, the first communication device accessing the AP refers to the first communication device accessing the network of the AP or the first communication device accessing the BSS of the AP. For another example, the second communication device accessing the AP refers to the second communication device accessing the network of the AP or the second communication device accessing the BSS of the AP. The method for controlling communication access comprises the following steps:
Step 200, the second communication device accesses the AP.
This step 200 may be an optional step.
Here, the second communication device can access the AP with one of several permission levels. For example, the second communication device may access the AP in a certificate encryption manner, in which case the second communication device has high-level permission; for another example, the second communication device may access the AP by using a dedicated password, in which case the second communication device has middle-level permission. When the second communication device accesses the AP through a dedicated password, certificate encryption, or the like, on the one hand, it can be ensured that the second communication device is a communication device authorized to access the AP; on the other hand, the second communication device is secure to the AP.
Step 201, the first communication device sends an authentication request message to the AP. Accordingly, the AP receives an authentication request message from the first communication device.
Here, the authentication request message carries identity authentication information of the first communication device, and the identity authentication information can uniquely identify the first communication device.
In one possible implementation, the identity authentication information of the first communication device may include information of a SIM of the first communication device, such as information of a USIM; or the identity authentication information of the first communication device includes an ID of the first communication device, for example, an ID generated by the first communication device through a specific application, or, for another example, account information generated based on the Huawei system. It can be understood that which kind of information the first communication device selects as the identity authentication information may be agreed in advance by the first communication device and the server, may be notified to the server by the first communication device after the first communication device determines it, or may be specified by a protocol, which is not limited in this application.
Step 202, the AP sends the identity authentication information of the first communication device to the server in response to the authentication request message. Accordingly, the server receives the authentication information of the first communication device from the AP.
The identity authentication information of the first communication equipment can be used for the server to authenticate the identity authentication information of the first communication equipment.
In a possible implementation manner, the authentication request message may only include the identity authentication information of the first communication device, and the AP may directly forward the authentication request message to the server in response to the authentication request message. In another possible implementation manner, the authentication request message may include the identity authentication information of the first communication device, a supported encryption mode, and the like, and the AP may send the identity authentication information of the first communication device in the authentication request message to the server in response to the authentication request message.
Step 203, the server may authenticate the first communication device according to the identity authentication information.
Here, based on the identity authentication information of the first communication device, two ways of authenticating the first communication device by the server are exemplarily given as follows.
In the first mode, the identity authentication information of the first communication device is information of a SIM card of the first communication device.
As an example, the information of the SIM card is information of the USIM, the information of the USIM may include a first token and an IMSI, where the first token is calculated by the USIM through a preset key.
In one embodiment, the server may be a telecom operator server. In one possible implementation, the relationship between the IMSI of the USIM issued and the key is stored in the telecommunications operator server.
Based on the first mode, the authentication process of the server to the first communication device comprises the following steps: after receiving the information (i.e., the first token and the IMSI) of the USIM of the first communication device, the server determines the key corresponding to the IMSI, and determines the second token according to the key; for example, the second token may be obtained by applying a first encryption algorithm to the determined key. If the received first token is determined to be consistent with the calculated second token, the server determines that the authentication of the first communication device is successful, that is, the identity authentication information of the first communication device is true and valid. If the received first token is determined to be inconsistent with the calculated second token, the server determines that the authentication of the first communication device fails, that is, the identity authentication information of the first communication device is not authentic. It should be understood that the first encryption algorithm may be agreed between the server and the first communication device, or may be notified to the first communication device after the server determines it, which is not limited in this application.
In the second mode, the identity authentication information of the first communication device is the ID of the first communication device. Further, optionally, the identity authentication information of the first communication device may further include first verification information.
Based on the second mode, if the ID of the first communication device is account information generated based on the Huawei system, the server may be a Huawei server. In one possible implementation manner, the first verification information may be determined by the first communication device according to the ID (i.e., account information) of the first communication device; for example, the first communication device may apply the second encryption algorithm to the ID (i.e., account information) of the first communication device. It should be noted that the second encryption algorithm may be agreed in advance by the Huawei server and the first communication device, or may be notified to the first communication device after the Huawei server determines the second encryption algorithm, which is not limited in this application.
Based on the second mode, the authentication process of the server to the first communication device comprises the following steps: after receiving the ID (account information) of the first communication device, the server applies the second encryption algorithm to the ID of the first communication device to obtain second verification information. If the received first verification information is determined to be consistent with the calculated second verification information, the server determines that the authentication of the first communication device is successful. If the received first verification information is determined to be inconsistent with the calculated second verification information, the server determines that the authentication of the first communication device fails.
Based on the second mode, if the ID of the first communication device is the ID of a specific device, for example, the Media Access Control (MAC) address of the specific device, the server may be a server supporting the authentication service. If the ID of the first communication device is an ID generated by a specific application, for example, an ID generated according to information such as a MAC address and time of the first communication device; the server may also be a server supporting authentication services. The authentication process of the server supporting the authentication service to the first communication device may refer to the authentication process of the server to the first communication device, which is not described in detail herein.
It should be noted that the first encryption algorithm may be a hash message authentication code (HMAC) based on message digest 5 (HMAC-MD5), an HMAC based on secure hash algorithm 1 (HMAC-SHA1), HMAC-SHA256, HMAC-SHA512, or the like, and the second encryption algorithm may be the same as or different from the first encryption algorithm, which is not limited in this application.
In the application, the authentication of the server to the first communication device can ensure that the identity authentication information of the first communication device is real and effective, so that illegal communication devices can be effectively prevented from accessing the AP.
Step 204, the server feeds back the first response message to the AP. Accordingly, the AP receives the first response message from the server feedback.
Here, the first response message indicates authentication failure or indicates authentication success. It can also be understood that, if the server successfully authenticates the first communication device based on the step 203, the first response message indicates that the authentication is successful; if the server fails to authenticate the first communication device based on step 203, the first response message indicates that the authentication failed.
Illustratively, the first response message may be 1 bit, for example, "0" indicates authentication failure and "1" indicates authentication success. The first response message may also indicate success or failure of authentication in other manners, which is not limited in this application.
It should be noted that, after the step 204, if the first response message indicates that the authentication is successful, step 205 is executed; if the first response message indicates a failure of authentication, step 206 is performed.
In step 205, the AP sends an authorization request message to the second communication device. Accordingly, the second communication device receives an authorization request message from the AP. Step 207 is performed after step 205.
Here, the authorization request message is used to request the second communication device to authorize the first communication device to access the AP.
In one possible implementation, the authorization request message may include an ID of the first communication device, for example, a MAC address of the first communication device, or, for another example, identity certificate information of the first communication device.
In step 206, the AP denies access to the first communication device.
For example, after receiving the first response information from the server and indicating that the authentication fails, the AP may send a message of authentication failure to the first communication device to notify the first communication device of the authentication failure. That is, the AP does not allow the first communication device to access.
Step 207, the second communication device responds to the authorization request message and feeds back a second response message to the AP. Accordingly, the AP receives a second response message fed back from the second communication device.
Here, the second response message includes information indicating that the first communication device is authorized to access the AP, or information indicating that the first communication device is denied access to the AP. It can also be understood that, if the second communication device authorizes the first communication device to access the AP, the second response message includes information indicating that the first communication device is authorized to access the AP; and if the second communication equipment rejects the first communication equipment to access the corresponding network of the AP, the second response message comprises information indicating that the first communication equipment is rejected to access the AP.
Illustratively, the information indicating that the first communication device is authorized to access the AP may be 2 bits, for example, "11"; the information indicating that the first communication device is denied access to the AP may also be 2 bits, for example, "00", which is not limited in this application.
In a possible implementation manner, a preset blacklist and a preset whitelist may be stored in the second communication device. The authorization request message comprises the ID of the first communication device. If the second communication device determines that the ID of the first communication device included in the authorization request message is on the whitelist, the second communication device sends, to the AP, a second response message including information indicating that the first communication device is authorized to access the AP; and if the second communication device determines that the ID of the first communication device included in the authorization request message is on the blacklist, the second communication device sends, to the AP, a second response message including information indicating that the first communication device is refused access to the AP.
In combination with the above scenario, if the AP is a router in a WiFi network of a smart home, the whitelist may contain the identifiers of the smart home devices in the home, which may be the MAC addresses of the smart home devices. This helps to avoid the situation in which the owner is required to decide whether to authorize each smart home device one by one every time a smart home device accesses the WiFi network of the smart home.
In another possible implementation manner, the second communication device may display the ID of the first communication device on the interface, and the user using the second communication device may perform an operation on the displayed interface of the second communication device based on the ID of the first communication device displayed by the second communication device, for example, prompt information buttons of "authorization" and "denial" may be displayed on the interface; if the second communication device detects an operation instruction indicating that the first communication device is authorized to access the AP, sending a second response message including information indicating that the first communication device is authorized to access the AP to the AP; and if the second communication equipment detects the operation instruction which indicates that the first communication equipment is refused to access the AP, sending a second response message which comprises information indicating that the first communication equipment is refused to access the AP to the AP.
And step 208, the AP performs access control on the first communication device according to the second response message.
Here, if the second response message includes information indicating that the first communication device is authorized to access the AP, the AP allows the first communication device to access the AP; and if the second response message comprises information indicating that the first communication equipment is refused to access the AP, the AP refuses the first communication equipment to access the AP.
As can be seen from the foregoing steps 201 to 208, by authenticating the authentication information of the first communication device by the server, it can be determined whether the authentication information of the first communication device is authentic and valid, that is, it is helpful to ensure the authenticity of the communication device accessing the AP. Further, by determining whether to authorize the first communication device to access the AP by the second communication device that has been authorized to access the AP, the security of the communication device accessing the AP can be further improved. That is to say, the AP allows the first communication device to access the AP only after receiving the first response message fed back by the server indicating that the authentication is successful and receiving the authorization from the second communication device that the first communication device accesses the AP, so that the security of the communication device accessing the AP can be improved.
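The two gates of steps 201 to 208 can be traced end to end in the following added example, which is not part of the patent text. It assumes the first mode (USIM token plus IMSI) with HMAC-SHA256 as the first encryption algorithm and the IMSI as the MAC input; the key table, IMSI, MAC addresses, class and function names are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample data: the IMSI -> key relation stored by the server.
SUBSCRIBER_KEYS = {
    "460001234567890": bytes.fromhex("00112233445566778899aabbccddeeff"),
}

AUTH_FAIL, AUTH_OK = 0, 1      # 1-bit first response message (step 204)
AUTHORIZE, DENY = "11", "00"   # 2-bit second response values (step 207)


def compute_token(key: bytes, imsi: str) -> bytes:
    """Token derived from the key with the first encryption algorithm.

    Assumption: HMAC-SHA256 over the IMSI. The page does not specify the
    MAC input; a static input yields a static token, so deployments
    commonly bind a fresh server challenge as well (not described here).
    """
    return hmac.new(key, imsi.encode("ascii"), hashlib.sha256).digest()


def server_authenticate(imsi: str, first_token: bytes) -> int:
    """Step 203: look up the key for the IMSI, recompute, compare."""
    key = SUBSCRIBER_KEYS.get(imsi)
    if key is None:
        return AUTH_FAIL                      # unknown subscriber: fail closed
    second_token = compute_token(key, imsi)
    # Constant-time comparison avoids leaking how many bytes matched.
    ok = hmac.compare_digest(second_token, first_token)
    return AUTH_OK if ok else AUTH_FAIL


@dataclass
class SecondDevice:
    """Already-authorized device that answers authorization requests."""
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    user_choice: str = DENY   # stands in for the "authorization"/"denial" buttons

    def handle_authorization_request(self, device_id: str) -> str:
        # Assumption: the blacklist wins if an ID appears on both lists.
        if device_id in self.blacklist:
            return DENY
        if device_id in self.whitelist:
            return AUTHORIZE
        return self.user_choice               # neither list: ask the user


def ap_access_control(device_id: str, imsi: str, first_token: bytes,
                      owner: SecondDevice) -> str:
    """Steps 202 to 208 as seen by the AP."""
    if server_authenticate(imsi, first_token) != AUTH_OK:
        return "denied: authentication failed"          # step 206
    second_response = owner.handle_authorization_request(device_id)  # 205/207
    if second_response != AUTHORIZE:
        return "denied: not authorized by second device"
    return "allowed"                                     # step 208


if __name__ == "__main__":
    imsi = "460001234567890"
    guest = "02:aa:bb:cc:dd:02"
    owner = SecondDevice(whitelist={guest})
    good = compute_token(SUBSCRIBER_KEYS[imsi], imsi)
    print(ap_access_control(guest, imsi, good, owner))
    print(ap_access_control(guest, imsi, b"\x00" * 32, owner))
```

A device reaches "allowed" only when both the server check and the second device's decision succeed; either failure alone ends in a denial.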
In this application, after the AP allows the first communication device to access the AP, the first communication device may access the AP based on a four-way handshake. Fig. 3 is a schematic flowchart of a method for a communication device to access an AP provided in this application, taking WiFi Protected Access (WPA)/WPA2-pre-shared key (PSK) as an example. The method comprises the following steps:
Step 301, the AP sends a first random number (ANonce) to the first communication device. Accordingly, the first communication device receives the first random number (ANonce) from the AP.
Here, after receiving the ANonce, the first communication device may generate a temporary key (PTK) from the ANonce.
In step 302, the first communication device sends a second random number (SNonce) and a key confirmation key (MIC) to the AP. Accordingly, the AP receives the SNonce and the MIC from the first communication device.
Here, the AP performs an integrity check on the received MIC against the MIC it generates. If the verification fails, the handshake fails; if the verification is successful, the AP may generate a PTK and a Group Transient Key (GTK) according to the SNonce.
Step 303, the AP sends the GTK and the MIC to the first communication device.
Here, since both the AP and the first communication device have already obtained the PTK, the AP encrypts the GTK with a Key Encryption Key (KEK).
In step 304, the first communication device sends an Acknowledgement Character (ACK) to the AP for acknowledgement.
Based on the above steps 301 to 304, the four-way handshake is completed, and the first communication device accesses the AP.
It should be noted that the method flow of accessing the AP by the communication device shown in fig. 3 is only an exemplary description, and the first communication device may also access the AP in other manners, which is not limited in this application.
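The key derivation and MIC checks behind steps 301 to 304, as an added Python example that is not part of the patent text. It follows the standard WPA2-PSK derivation (PBKDF2 for the PMK, the HMAC-SHA1 PRF for the PTK); the MAC addresses, SSID, passphrases and frame bodies are constructed, and the encryption of the GTK with the KEK is left out because the Python standard library has no AES key wrap.

```python
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """IEEE 802.11 PRF: concatenated HMAC-SHA1 blocks, truncated to n_bytes."""
    out = b""
    counter = 0
    while len(out) < n_bytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:n_bytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """PTK depends on both MAC addresses and both nonces, in sorted order."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    # KCK authenticates handshake frames, KEK protects the GTK, TK protects data.
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """HMAC-SHA1 over the frame, truncated to 128 bits (WPA2 key descriptor)."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def run_handshake(ap_passphrase: str, sta_passphrase: str,
                  ssid: str = "constructed-ssid", tamper_msg2: bool = False) -> dict:
    ap_mac = bytes.fromhex("020000000001")    # constructed addresses
    sta_mac = bytes.fromhex("020000000002")

    # Step 301: AP -> device, ANonce in the clear.
    anonce = os.urandom(32)

    # Device picks SNonce and can now derive the PTK.
    snonce = os.urandom(32)
    sta_keys = derive_ptk(derive_pmk(sta_passphrase, ssid),
                          ap_mac, sta_mac, anonce, snonce)

    # Step 302: device -> AP, SNonce plus a MIC keyed with the device's KCK.
    msg2 = b"constructed-msg2|" + snonce      # stand-in for the EAPOL-Key frame
    msg2_mic = compute_mic(sta_keys["KCK"], msg2)
    if tamper_msg2:                           # simulate modification in transit
        msg2 = msg2[:-1] + bytes([msg2[-1] ^ 0x01])

    # AP derives its own PTK from the received SNonce and recomputes the MIC.
    ap_keys = derive_ptk(derive_pmk(ap_passphrase, ssid),
                         ap_mac, sta_mac, anonce, msg2[-32:])
    if not hmac.compare_digest(compute_mic(ap_keys["KCK"], msg2), msg2_mic):
        return {"msg2_mic_ok": False, "msg3_mic_ok": False, "connected": False}

    # Step 303: AP -> device; the real frame carries the KEK-encrypted GTK.
    msg3 = b"constructed-msg3|" + anonce
    msg3_mic = compute_mic(ap_keys["KCK"], msg3)
    msg3_ok = hmac.compare_digest(compute_mic(sta_keys["KCK"], msg3), msg3_mic)

    # Step 304: the device acknowledges only if message 3 verified.
    connected = msg3_ok and ap_keys["TK"] == sta_keys["TK"]
    return {"msg2_mic_ok": True, "msg3_mic_ok": msg3_ok, "connected": connected}


if __name__ == "__main__":
    print(run_handshake("constructed-passphrase", "constructed-passphrase"))
    print(run_handshake("constructed-passphrase", "a-wrong-passphrase"))
```

Neither the PSK nor the PTK crosses the air: a wrong passphrase or a modified SNonce shows up as a MIC mismatch at the AP in step 302.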
Fig. 4 is a schematic flowchart of another method for controlling communication access according to the present application. The method comprises the following steps:
Step 400, the second communication device accesses the AP.
Step 400 is an optional step; for a detailed description, refer to the description of step 200, which is not repeated here.
In step 401, the first communication device sends a request message for acquiring a shared key to a server through an AP. Accordingly, the server receives a request message to acquire the shared key from the AP.
Here, the request message for obtaining the shared key is used to request the server to generate shared key information for accessing the AP for the first communication device. This step 401 may also be understood as that the first communication device sends a request message for obtaining the shared key to the AP, and the AP may forward the request message for obtaining the shared key to the server.
In a possible implementation, the request message for obtaining the shared key includes an ID of the first communication device, such as the MAC address of the first communication device, an ID generated by the first communication device through a specific application (for example, account information generated for the system based on wayside), or another ID that can uniquely identify the first communication device. It is to be understood that which ID is selected as the ID of the first communication device may be agreed in advance between the first communication device and the server, may be notified to the server after the first communication device determines it, or may be specified by a protocol, which is not limited in this application.
Step 402, the server responds to the request message for obtaining the shared key, and generates the shared key information for accessing the AP.
This step 402 is an optional step.
In one possible implementation, the server may generate the shared key information for accessing the AP according to the ID of the first communication device included in the request message for obtaining the shared key, where the shared key information includes an access password for accessing the AP.
Illustratively, the server may apply a key generation algorithm, such as the HMAC-SHA256 algorithm, to the ID of the first communication device to generate the shared key information for the first communication device to access the AP.
In step 403, the server sends a third response message to the second communication device. Accordingly, the second communication device receives a third response message from the server.
The third response message includes the shared key information for accessing the AP.
In step 404, when the second communication device determines that the first communication device is allowed to access the AP, the second communication device provides the first communication device with the shared key information for accessing the AP.
Three example implementations by which the second communication device determines whether to allow the first communication device to access the AP are given below.
Implementation mode 1
The second communication device acquires the ID of the first communication device, and provides the shared key information to the first communication device if it determines that the ID of the first communication device is one of the IDs in the preset white list.
Implementation mode 2
If the second communication device detects an operation instruction indicating that the first communication device is authorized to access the AP, it provides the shared key information to the first communication device. Illustratively, the authorize or deny operation may be performed on the interface of the second communication device; for example, the interface may display "authorize" and "deny" prompt buttons.
Implementation mode 3
A legitimate token is preset in both the first communication device and the second communication device; if the second communication device determines, within a certain time limit, that the locally preset token is consistent with the token received from the first communication device, it determines that the first communication device is allowed to access the AP.
In this application, the second communication device may generate a two-dimensional code or a password according to the shared key information for accessing the AP, where the two-dimensional code may be a QR code, and the password may be a character string password.
In one possible implementation, the second communication device may display the two-dimensional code or the character string password on an interface of the second communication device. Thus, the first communication device can acquire the shared key information quickly. In addition, when the shared key information is a password, even if the password is leaked after being used by the first communication device, another communication device cannot use it, and thus the security of the communication device accessing the AP can be further improved.
In step 405, the first communication device obtains the shared key information for accessing the AP from the second communication device.
If the second communication device displays the two-dimensional code, the first communication device can scan the two-dimensional code displayed by the second communication device to obtain the shared key information for accessing the AP. If the second communication device displays the character string password, the first communication device may obtain the shared key information for accessing the AP by copying the character string password.
In step 406, the first communication device accesses the AP by using the shared key information for accessing the AP.
Here, the AP may acquire the shared key information from the server. For example, after determining the shared key information between the first communication device and the AP, the server transmits the shared key information to the AP. After both the AP and the first communication device have acquired the shared key information, the first communication device may access the AP through the shared key information. It should be noted that the shared key information used by the first communication device to access the AP is also determined by the server.
As can be seen from steps 401 to 406, it can be determined by the second communication device whether to allow the first communication device to access the AP, and this helps to improve the security of the communication device accessing the AP because the second communication device is a communication device authorized to access the AP.
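A sketch of steps 401 to 406 with implementation mode 1 (white list) and a single-use password, as an added Python example that is not part of the patent text. The class and function names are hypothetical, and three details are assumptions the patent does not specify: the server keys HMAC-SHA256 with a secret only it holds, mixes in a fresh per-request nonce, and the AP binds each password to the requesting device's ID.

```python
import base64
import hashlib
import hmac
import secrets


def normalize_id(device_id: str) -> str:
    """Canonical form for MAC-style IDs so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return device_id.strip().lower().replace("-", ":")


class KeyServer:
    """Step 402: generates the access password from the device ID."""

    def __init__(self, master_secret: bytes):
        self._secret = master_secret              # assumption: known only to the server

    def issue(self, device_id: str) -> str:
        nonce = secrets.token_bytes(16)           # assumption: fresh for every request
        msg = nonce + normalize_id(device_id).encode()
        tag = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return base64.b32encode(tag[:10]).decode()    # 16-character string password


class AccessPoint:
    """Step 406: holds the password the server sent for each pending device."""

    def __init__(self):
        self._pending = {}                        # device ID -> unused password

    def provision(self, device_id: str, password: str) -> None:
        self._pending[normalize_id(device_id)] = password

    def admit(self, device_id: str, password: str) -> bool:
        key = normalize_id(device_id)
        expected = self._pending.get(key)
        if expected is None:
            return False                          # unknown device or password already used
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return False
        del self._pending[key]                    # single use: a leaked copy is now useless
        return True


class AuthorizedDevice:
    """Second communication device: releases the password only to white-listed IDs."""

    def __init__(self, white_list):
        self._white_list = {normalize_id(i) for i in white_list}
        self._held = {}

    def receive_third_response(self, device_id: str, password: str) -> None:
        self._held[normalize_id(device_id)] = password     # step 403

    def release(self, device_id: str):
        key = normalize_id(device_id)
        if key not in self._white_list:
            return None                           # step 404 refused
        return self._held.pop(key, None)          # shown as a QR code or string


def run_flow(requesting_id: str, white_list) -> dict:
    server, ap = KeyServer(secrets.token_bytes(32)), AccessPoint()
    second = AuthorizedDevice(white_list)
    password = server.issue(requesting_id)                    # steps 401-402
    second.receive_third_response(requesting_id, password)    # step 403
    ap.provision(requesting_id, password)                     # AP gets it from the server
    released = second.release(requesting_id)                  # steps 404-405
    if released is None:
        return {"released": False, "other_device": False, "admitted": False, "reuse": False}
    return {
        "released": True,
        "other_device": ap.admit("02:00:00:00:00:99", released),  # constructed ID
        "admitted": ap.admit(requesting_id, released),            # step 406
        "reuse": ap.admit(requesting_id, released),
    }


if __name__ == "__main__":
    print(run_flow("02-00-00-00-00-01", ["02:00:00:00:00:01"]))
    print(run_flow("02:00:00:00:00:02", ["02:00:00:00:00:01"]))
```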
It should be noted that, before step 406, the second communication device may send the authentication policies supported by the second communication device to the server, and the server may determine one authentication policy from the authentication policies supported by the second communication device as the authentication policy between the first communication device and the AP, so as to facilitate the first communication device to access the AP. The authentication policy comprises WPA, WPA2, WPA3 or other private encryption authentication protocols. Of course, the authentication policy between the AP and the first communication device may also be agreed in advance, which is not limited in this application.
It is understood that, in order to implement the functions of the above-described embodiments, the communication device and the server include corresponding hardware structures and/or software modules for performing the respective functions. Those of skill in the art will readily appreciate that the various illustrative elements and method steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software driven hardware depends on the particular application scenario and design constraints imposed on the solution.
Fig. 5 and fig. 6 are schematic structural diagrams of possible APs provided by the present application. These APs can be used to implement the functions of the AP in the above method embodiments, and therefore the beneficial effects of the above method embodiments can also be achieved. In the present application, the communication device may be the AP101 shown in fig. 1, and may also be a module (such as a chip) applied to the communication device or the AP.
As shown in fig. 5, the communication device 500 includes a processing module 501 and a transceiver module 502. The communication device 500 is used to implement the functions of the AP in the method embodiments shown in fig. 2, fig. 3 or fig. 4 described above.
When the communication device 500 is used to implement the functionality of the AP of the method embodiment shown in fig. 2: the transceiver module 502 is configured to receive an authentication request message from the first communication device, where the authentication request message carries identity authentication information of the first communication device; responding to the authentication request message, and sending the identity authentication information of the first communication equipment to the server to enable the server to authenticate the identity authentication information of the first communication equipment; receiving a first response message fed back from the server, if the first response message indicates that authentication is successful, sending an authorization request message to the second communication device to request the second communication device to authorize the first communication device to access the AP, and receiving a second response message fed back by the second communication device in response to the authorization request message, wherein the second communication device is a communication device authorized to access the AP; the processing module 501 is configured to perform access control on the first communication device according to the second response message.
More detailed descriptions about the processing module 501 and the transceiver module 502 can be directly obtained by referring to the related descriptions in the embodiment of the method shown in fig. 2, and are not repeated here.
It should be understood that the processing module 501 in the embodiments of the present application may be implemented by a processor or a processor-related circuit component, and the transceiver module 502 may be implemented by a transceiver or a transceiver-related circuit component.
Based on the above and the same concept, as shown in fig. 6, the present application further provides an AP 600. The AP600 may include a processor 601 and a transceiver 602. The processor 601 and the transceiver 602 are coupled to each other. It is understood that the transceiver 602 may be an interface circuit or an input-output interface. Optionally, the communication device 600 may further include a memory 603 for storing instructions executed by the processor 601 or for storing input data required by the processor 601 to execute the instructions or for storing data generated by the processor 601 after executing the instructions.
When the communication device 600 is configured to implement the method shown in fig. 2, the processor 601 is configured to execute the functions of the processing module 501, and the transceiver 602 is configured to execute the functions of the transceiver module 502, which is not described in detail herein.
Fig. 7 and fig. 8 are schematic structural diagrams of possible communication devices provided by the present application. These communication devices can be used to implement the functions of the first communication device or the second communication device in the above method embodiments, and therefore the advantageous effects of the above method embodiments can also be achieved. In this application, the communication device may be the STA102 or the STA103 shown in fig. 1, and may also be a module (such as a chip) applied to the communication device.
As shown in fig. 7, the communication device 700 includes a processing module 701 and a transceiver module 702. Further, optionally, the communication device may further include a display module 703. The communication device 700 is used to implement the functionality of the first communication device or the second communication device in the above-described method embodiments illustrated in fig. 2, 3 or 4.
When the communication device 700 is used to implement the functionality of the second communication device of the method embodiment shown in fig. 2: the transceiver module 702 is configured to receive an authorization request message from an access point AP, where the communication device is a communication device authorized to access the AP; the processing module 701 cooperates with the transceiver module 702, and is configured to respond to the authorization request message and send a second response message to the AP, so that the AP performs access control on the first communication device according to the second response message.
The more detailed description of the processing module 701 and the transceiver module 702 can be directly obtained by referring to the related description in the embodiment of the method shown in fig. 2, and is not repeated here.
It should be understood that the processing module 701 in the embodiments of the present application may be implemented by a processor or a processor-related circuit component, and the transceiver module 702 may be implemented by a transceiver or a transceiver-related circuit component.
When the communication device 700 is used to implement the functionality of the second communication device of the method embodiment shown in fig. 3: the transceiver module 702 is configured to receive a third response message from the server, where the third response message includes shared key information for accessing the AP, and the communication device is a communication device that is authorized to access the AP; the processing module 701 is configured to, when determining that the first communication device is allowed to access the AP, provide the shared key information for accessing the AP to the first communication device.
When the communication device 700 is used to implement the functionality of the first communication device of the method embodiment shown in fig. 3: the transceiver module 702 is configured to send a request message for obtaining a shared key to a server through an access point AP, so as to request the server to generate, for the communication device, shared key information for accessing the AP; the processing module 701 is configured to obtain the shared key information for accessing the AP from the second communication device, and access the AP through the shared key information for accessing the AP, where the second communication device is a communication device authorized to access the AP.
More detailed descriptions about the processing module 701 and the transceiver module 702 can be directly obtained by referring to the related descriptions in the embodiment of the method shown in fig. 3, and are not described again.
Based on the above and the same concept, as shown in fig. 8, the present application further provides a communication device 800. The communication device 800 may include a processor 801 and a transceiver 802. The processor 801 and the transceiver 802 are coupled to each other. It is understood that the transceiver 802 may be an interface circuit or an input-output interface. Optionally, the communication device 800 may further include a memory 803 for storing instructions to be executed by the processor 801 or for storing input data required by the processor 801 to execute the instructions or for storing data generated by the processor 801 after executing the instructions. Further, optionally, the communication device may also include a display 804.
When the communication device 800 is configured to implement the method shown in fig. 2, the processor 801 is configured to execute the functions of the processing module 701, and the transceiver 802 is configured to execute the functions of the transceiver module 702, which is not described in detail herein.
When the communication device is a terminal device, fig. 9 shows a simplified structural diagram of the terminal device. For easy understanding and illustration, in fig. 9, the terminal device is exemplified by a mobile phone. As shown in fig. 9, the terminal apparatus 900 includes a processor, a memory, a radio frequency circuit, an antenna, and an input-output device. The processor is mainly configured to process the communication protocol and the communication data, control the entire terminal device, execute a software program, and process data of the software program, for example, to support the terminal device 900 to perform the method executed by the terminal device in any of the embodiments described above. The memory is used primarily for storing software programs and data. The radio frequency circuit is mainly used for converting baseband signals and radio frequency signals and processing the radio frequency signals. The antenna is mainly used for receiving and transmitting radio frequency signals in the form of electromagnetic waves. Input and output devices, such as touch screens, display screens, keyboards, etc., are used primarily for receiving data input by a user and for outputting data to the user. It should be noted that some kinds of terminal devices may not have input/output means.
When the terminal device is started, the processor can read the software program in the memory, interpret and execute the instruction of the software program, and process the data of the software program. When data needs to be transmitted, the processor performs baseband processing on the data to be transmitted and outputs baseband signals to the radio frequency circuit, and the radio frequency circuit performs radio frequency processing on the baseband signals and transmits the radio frequency signals to the outside in the form of electromagnetic waves through the antenna. When data is transmitted to the terminal apparatus 900, the radio frequency circuit receives a radio frequency signal through the antenna, converts the radio frequency signal into a baseband signal, and outputs the baseband signal to the processor, and the processor converts the baseband signal into data and processes the data.
As an alternative implementation, the processor may include a baseband processor and a central processing unit, where the baseband processor is mainly used for processing the communication protocol and the communication data, and the central processing unit is mainly used for controlling the whole terminal device 900, executing the software program, and processing the data of the software program. The processor in fig. 9 integrates the functions of the baseband processor and the central processing unit; it should be noted that the baseband processor and the central processing unit may also be independent processors, interconnected through a bus or the like. In addition, the terminal device 900 may include multiple baseband processors to accommodate different network formats, the terminal device 900 may include multiple central processors to enhance its processing capabilities, and various components of the terminal device 900 may be connected by various buses. The baseband processor may also be expressed as a baseband processing circuit or a baseband processing chip. The central processing unit may also be expressed as a central processing circuit or a central processing chip. The function of processing the communication protocol and the communication data may be built into the processor, or may be stored in the storage unit in the form of a software program, and the processor executes the software program to realize the baseband processing function.
In this application, the antenna and the rf circuit having the transceiving function may be regarded as a transceiving unit of the terminal device, and the processor having the processing function may be regarded as a processing unit of the terminal device. As shown in fig. 9, the terminal device includes a processing unit 901 and a transceiving unit 902. The transceiver unit may also be referred to as a transceiver, transceiving means, etc., and the processing unit may also be referred to as a processor, processing board, processing unit, processing means, etc. Alternatively, a device for implementing a receiving function in the transceiving unit may be regarded as a receiving unit, and a device for implementing a sending function in the transceiving unit may be regarded as a sending unit, that is, the transceiving unit includes a receiving unit and a sending unit, the receiving unit may also be referred to as a receiver, a receiving circuit, and the like, and the sending unit may be referred to as a transmitter, a sending circuit, and the like.
Downlink signals (including data and/or control information) transmitted by the network equipment are received on the downlink through the antenna, uplink signals (including data and/or control information) are transmitted to the network equipment or other terminal equipment through the antenna on the uplink, and traffic data and signaling messages are processed in the processor according to the radio access technology (e.g., the access technology of LTE, NR, and other evolved systems) adopted by the radio access network. The processor is further configured to control and manage the actions of the terminal device, and is configured to perform the processing performed by the terminal device in the foregoing embodiment. The processor is further configured to support the terminal device to execute the execution method of the first communication device or the second communication device referred to in fig. 2; or is also used for supporting the terminal device to execute the execution method of the first communication device or the second communication device related to fig. 3.
It should be noted that fig. 9 only shows one memory, one processor and one antenna. In an actual terminal device, the terminal device may contain any number of antennas, memories, processors, etc. The memory may also be referred to as a storage medium or a storage device. In addition, the memory may be provided separately from the processor, or may be integrated with the processor, which is not limited in this embodiment.
It should be understood that the transceiver unit 902 is configured to perform the transmitting operation and the receiving operation on the first communication device side or the second communication device side in the above-described method embodiment shown in fig. 2, and the processing unit 901 is configured to perform other operations besides the transceiving operation on the first communication device side or the second communication device side in the above-described method embodiment shown in fig. 2. For example, the transceiving unit 902 is configured to perform transceiving steps on the second communication device side in the embodiment shown in fig. 2, such as step 205 and step 209; or for performing transceiving steps on the first communication device side, such as step 201 and step 206. A processing unit 901, configured to perform other operations besides the transceiving operation, of the first communication device or the second communication device in the embodiment shown in fig. 2.
For another example, the transceiving unit 902 is configured to perform transceiving steps on the second communication device side in the embodiment shown in fig. 4, for example, step 404; or for performing transceiving steps on the first communication device side, such as step 405. A processing unit 901, configured to execute other operations except transceiving operations on the first communication device or the second communication device side in the embodiment shown in fig. 4.
When the communication device is a chip-like device or circuit, the communication device may include a transceiver module and a processing module. The transceiver module can be an input/output circuit and/or an interface circuit; the processing module may be a processor or microprocessor or an integrated circuit integrated on the chip.
It is understood that the processor in the embodiments of the present application may be a Central Processing Unit (CPU), another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. The general purpose processor may be a microprocessor, or may be any conventional processor.
The method steps in the embodiments of the present application may be implemented by hardware, or may be implemented by software instructions executed by a processor. The software instructions may be composed of corresponding software modules that may be stored in Random Access Memory (RAM), flash memory, Read-Only Memory (ROM), Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an ASIC. In addition, the ASIC may reside in a network device or a terminal device. Of course, the processor and the storage medium may also reside as discrete components in a network device or a terminal device.
The above embodiments may be implemented wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer programs or instructions. When the computer programs or instructions are loaded and executed on a computer, the procedures or functions of the embodiments of the present application are performed in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, a network appliance, a user device, or another programmable apparatus. The computer programs or instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium; for example, the computer programs or instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire or wirelessly. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available media may be magnetic media, such as floppy disks, hard disks, or magnetic tape; optical media, such as Digital Video Disks (DVDs); or semiconductor media, such as a Solid State Drive (SSD).
In various embodiments of the present application, unless otherwise specified or conflicting, terms and/or descriptions between different embodiments have consistency and may be mutually referenced, and technical features in different embodiments may be combined to form a new embodiment according to their inherent logical relationships.
In the present application, "and/or" describes an association relationship between associated objects and means that three relationships are possible; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone, where A and B can be singular or plural. In the text of this application, the character "/" generally indicates that the associated objects before and after it are in an "or" relationship.
It is to be understood that the various numerical references referred to in the embodiments of the present application are merely for descriptive convenience and are not intended to limit the scope of the embodiments of the present application. The sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of the processes should be determined by their functions and inherent logic. The terms "first," "second," and the like are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. Furthermore, the terms "comprises" and "comprising," as well as any variations thereof, are intended to cover a non-exclusive inclusion, such as a list of steps or elements. A method, system, article, or apparatus is not necessarily limited to those steps or elements explicitly listed, but may include other steps or elements not explicitly listed or inherent to such process, system, article, or apparatus.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (34)

  1. A method of controlling communication access, comprising:
    an access point (AP) receives an authentication request message from a first communication device, wherein the authentication request message carries identity authentication information of the first communication device;
    the AP responds to the authentication request message and sends the identity authentication information to a server, so that the server authenticates the first communication device according to the identity authentication information;
    the AP receives a first response message fed back by the server;
    if the first response message indicates that the authentication is successful, sending an authorization request message to a second communication device to request the second communication device to authorize the first communication device to access the AP, wherein the second communication device is a communication device authorized to access the AP;
    and the AP receives a second response message fed back by the second communication equipment responding to the authorization request message, and performs access control on the first communication equipment according to the second response message.
  2. The method of claim 1, wherein the identity authentication information includes information of a universal subscriber identity card (USIM) or an Identification (ID) of the first communication device.
  3. The method of claim 1 or 2, wherein the method further comprises:
    if the first response message indicates that the authentication fails, the AP denies access to the first communication device.
  4. The method of claim 1 or 2, wherein the second response message includes information indicating that the first communication device is authorized to access the AP, or information indicating that the first communication device is denied access to the AP;
    the AP performs access control on the first communication device according to the second response message, including:
    if the second response message comprises information indicating that the first communication device is authorized to access the AP, the AP allows the first communication device to access;
    and if the second response message comprises information indicating that the first communication device is denied access to the AP, the AP denies access to the first communication device.
  5. A method of controlling communication access, comprising:
    a second communication device receives an authorization request message from an Access Point (AP), wherein the second communication device is a communication device authorized to access the AP;
    and the second communication device, in response to the authorization request message, sends a second response message to the AP, so that the AP performs access control on the first communication device according to the second response message.
  6. The method of claim 5, wherein the authorization request message includes an Identification (ID) of the first communication device;
    the second communication device responds to the authorization request message and sends a second response message to the AP, including:
    if the second communication device determines that the ID of the first communication device is among the IDs in a preset white list, sending to the AP a second response message including information indicating that the first communication device is authorized to access the AP;
    and if the second communication device determines that the ID of the first communication device is among the IDs in a preset blacklist, sending to the AP a second response message including information indicating that the first communication device is denied access to the AP.
  7. The method of claim 5, wherein the second communication device sending a second response message to the AP in response to the authorization request message, comprising:
    if the second communication device detects an operation instruction indicating that the first communication device is authorized to access the AP, sending to the AP a second response message including information indicating that the first communication device is authorized to access the AP;
    and if the second communication device detects an operation instruction indicating that the first communication device is denied access to the AP, sending to the AP a second response message including information indicating that the first communication device is denied access to the AP.
  8. A method of controlling communication access, comprising:
    the second communication device receives a third response message from the server, wherein the third response message comprises shared key information of an Access Point (AP), and the second communication device is a communication device authorized to access the AP;
    and when the second communication device determines that the first communication device is allowed to access the AP, the second communication device provides the shared key information to the first communication device.
  9. The method of claim 8, wherein the second communication device providing the shared key information to the first communication device comprises:
    the second communication device generates a two-dimensional code or a password according to the shared key information;
    and the second communication device displays the two-dimensional code or the password to the first communication device.
  10. The method of claim 8 or 9, wherein the second communication device determining to allow the first communication device to access the AP comprises:
    the second communication device acquires the identification (ID) of the first communication device;
    and if the second communication device determines that the ID of the first communication device is among the IDs in a preset white list, providing the shared key information to the first communication device.
  11. The method of claim 8 or 9, wherein the second communication device determining to allow the first communication device to access the AP comprises:
    if the second communication device detects an operation instruction indicating that the first communication device is authorized to access the AP, providing the shared key information to the first communication device.
  12. A method of controlling communication access, comprising:
    a first communication device sends a request message for acquiring a shared key to a server through an Access Point (AP) so as to request the server to generate shared key information for accessing the AP for the first communication device;
    the first communication device acquires the shared key information from a second communication device, wherein the second communication device is a communication device authorized to access the AP;
    and the first communication device accesses the AP by using the shared key information.
  13. The method of claim 12, wherein the first communication device obtaining shared key information from a second communication device, comprising:
    the first communication device obtains the shared key information by scanning the two-dimensional code provided by the second communication device; or,
    the first communication device obtains the shared key information by copying the password provided by the second communication device.
  14. The method according to claim 12 or 13, wherein the request message to obtain the shared key comprises an identification, ID, of the first communication device.
  15. An Access Point (AP), comprising a transceiver module and a processing module:
    the transceiver module is configured to: receive an authentication request message from a first communication device, wherein the authentication request message carries identity authentication information of the first communication device; in response to the authentication request message, send the identity authentication information to a server, so that the server authenticates the first communication device according to the identity authentication information; receive a first response message fed back by the server; if the first response message indicates that the authentication is successful, send an authorization request message to a second communication device to request the second communication device to authorize the first communication device to access the AP, wherein the second communication device is a communication device authorized to access the AP; and receive a second response message fed back by the second communication device in response to the authorization request message;
    and the processing module is configured to perform access control on the first communication device according to the second response message.
  16. The AP of claim 15, wherein the identity authentication information includes information of a universal subscriber identity card USIM or an identification ID of the first communication device.
  17. The AP of claim 15 or 16, wherein the processing module is further configured to deny access to the first communication device if the first response message indicates an authentication failure.
  18. The AP of claim 15 or 16, wherein the second response message includes information indicating that the first communication device is authorized to access the AP, or information indicating that the first communication device is denied access to the AP;
    if the second response message includes information indicating that the first communication device is authorized to access the AP, the processing module is specifically configured to: allowing access to the first communication device;
    if the second response message includes information indicating that the first communication device is denied access to the AP, the processing module is specifically configured to: denying access to the first communication device.
  19. A communication device, comprising a transceiver module and a processing module:
    the transceiver module is configured to receive an authorization request message from an access point AP, where the communication device is a communication device authorized to access the AP;
    the transceiver module cooperates with the processing module, and is configured to send a second response message to the AP in response to the authorization request message, so that the AP performs access control on the first communication device according to the second response message.
  20. The communication device of claim 19, wherein the authorization request message includes an identification ID of the first communication device;
    the processing module cooperates with the transceiver module, and is specifically configured to:
    if the processing module determines that the ID of the first communication device is among the IDs in a preset white list, the transceiver module sends to the AP a second response message including information indicating that the first communication device is authorized to access the AP;
    if the processing module determines that the ID of the first communication device is among the IDs in a preset blacklist, the transceiver module sends to the AP a second response message including information indicating that the first communication device is denied access to the AP.
  21. The communication device of claim 19,
    the processing module cooperates with the transceiver module, and is specifically configured to:
    if the processing module detects an operation instruction indicating that the first communication device is authorized to access the AP, the transceiver module sends to the AP a second response message including information indicating that the first communication device is authorized to access the AP;
    if the processing module detects an operation instruction indicating that the first communication device is denied access to the AP, the transceiver module sends to the AP a second response message including information indicating that the first communication device is denied access to the AP.
  22. A communication device, comprising a transceiver module and a processing module:
    the transceiver module is configured to receive a third response message from the server, where the third response message includes shared key information of an access point AP, and the communication device is a communication device that is authorized to access the AP;
    the processing module is configured to provide the shared key information to the first communication device when it is determined that the first communication device is allowed to access the AP.
  23. The communications device of claim 22, wherein the processing module is specifically configured to:
    generating a two-dimensional code or a password according to the shared key information;
    the communication device further comprises a display module configured to:
    display the two-dimensional code or the password to the first communication device.
  24. The communications device according to claim 22 or 23, wherein the processing module is specifically configured to:
    acquire an identification (ID) of the first communication device;
    and if the ID of the first communication device is determined to be among the IDs in a preset white list, provide the shared key information to the first communication device.
  25. The communication device according to claim 22 or 23, wherein the processing module is specifically configured to:
    if an operation instruction indicating that the first communication device is authorized to access the AP is detected, provide the shared key information to the first communication device.
  26. A communication device, comprising a transceiver module and a processing module:
    the transceiver module is configured to send a request message for acquiring a shared key to a server through an Access Point (AP), so as to request the server to generate shared key information for accessing the AP for the communication device;
    the processing module is configured to obtain the shared key information from a second communication device, and access the AP through the shared key information, where the second communication device is a communication device authorized to access the AP.
  27. The communications device of claim 26, wherein the processing module is specifically configured to:
    acquire the shared key information by scanning the two-dimensional code provided by the second communication device; or,
    acquire the shared key information by copying the password provided by the second communication device.
  28. The communication device according to claim 26 or 27, wherein the request message to obtain a shared key comprises an identification, ID, of the communication device.
  29. An access point, AP, comprising a processor and a transceiver, the transceiver being configured to receive signals from, or transmit signals to, communication devices other than the communication device, and the processor being configured to implement the method of any one of claims 1 to 4 by logic circuits or by executing code instructions.
  30. A communications apparatus comprising a processor and a transceiver, the transceiver being configured to receive signals from, or transmit signals to, communication devices other than the communication device, and the processor being configured to implement the method of any one of claims 5 to 7, or any one of claims 8 to 11, or any one of claims 12 to 14 by logic circuits or by executing code instructions.
  31. A computer-readable storage medium, in which a computer program or instructions are stored which, when executed by an Access Point (AP), implement the method of any one of claims 1 to 4.
  32. A computer-readable storage medium, having stored thereon a computer program or instructions which, when executed by a communication device, carry out the method of any of claims 5 to 7, or any of claims 8 to 11, or any of claims 12 to 14.
  33. A computer program product, characterized in that it comprises a computer program or instructions which, when executed by an access point AP, implement the method according to any one of claims 1 to 4.
  34. A computer program product comprising a computer program or instructions for implementing the method of any of claims 5 to 7, or any of claims 8 to 11, or any of claims 12 to 14 when executed by a communication device.
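
The two-stage decision of claims 1 to 7 (server authentication, then authorization by an already-admitted device), sketched as an added illustration that is not code from the patent. The class names, the sample IDs and credentials, and the deny-by-default handling of cases the claims leave open (an ID on neither list, an ID on both lists, an approver that fails) are assumptions.

```python
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Decision(Enum):
    AUTHORIZE = "authorize"
    DENY = "deny"


@dataclass
class SecondDevice:
    """Device already authorized on the AP; answers authorization requests."""
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    # Stand-in for the "operation instruction" of claim 7, e.g. a user prompt.
    ask_operator: Optional[Callable[[str], Decision]] = None

    def handle_authorization_request(self, device_id: str) -> Decision:
        # Assumption: the blacklist wins if an ID appears on both lists.
        if device_id in self.blacklist:
            return Decision.DENY
        if device_id in self.whitelist:
            return Decision.AUTHORIZE
        if self.ask_operator is not None:
            return self.ask_operator(device_id)
        # Assumption: an unlisted ID with no operator answer is denied.
        return Decision.DENY


class Server:
    """Authenticates identity information forwarded by the AP."""
    def __init__(self, registered: dict):
        self._registered = registered  # device ID -> credential bytes

    def authenticate(self, device_id: str, credential: bytes) -> bool:
        expected = self._registered.get(device_id)
        # Constant-time comparison; unknown IDs fail authentication.
        return expected is not None and hmac.compare_digest(expected, credential)


class AccessPoint:
    def __init__(self, server: Server, approver: SecondDevice):
        self.server, self.approver = server, approver
        self.audit = []  # (device_id, stage, outcome) for later review

    def handle_authentication_request(self, device_id: str, credential: bytes) -> bool:
        # First response message: the server's authentication result (claims 1, 3).
        if not self.server.authenticate(device_id, credential):
            self.audit.append((device_id, "authentication", "deny"))
            return False
        # Second response message: the approver's decision (claims 1, 4).
        try:
            decision = self.approver.handle_authorization_request(device_id)
        except Exception:
            decision = Decision.DENY  # assumption: an approver failure denies access
        self.audit.append((device_id, "authorization", decision.value))
        return decision is Decision.AUTHORIZE


# Constructed sample data, not taken from the patent.
SERVER = Server({"dev-A": b"k1", "dev-B": b"k2", "dev-C": b"k3"})
APPROVER = SecondDevice(whitelist={"dev-A"}, blacklist={"dev-B"})
AP = AccessPoint(SERVER, APPROVER)
```

The audit list records which stage produced each refusal, which separates a credential failure at the server from a policy refusal by the approving device.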
CN201980102414.6A 2019-12-30 2019-12-30 Method for controlling communication access, AP and communication equipment Pending CN114731513A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/130176 WO2021134344A1 (en) 2019-12-30 2019-12-30 Method for controlling communication access, ap and communication device

Publications (1)

Publication Number Publication Date
CN114731513A true CN114731513A (en) 2022-07-08

Family

ID=76686168

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201980102414.6A Pending CN114731513A (en) 2019-12-30 2019-12-30 Method for controlling communication access, AP and communication equipment

Country Status (2)

Country Link
CN (1) CN114731513A (en)
WO (1) WO2021134344A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024007239A1 (en) * 2022-07-07 2024-01-11 Qualcomm Incorporated Preventing attacks in a mixed wpa2 and wpa3 environment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101588580A (en) * 2009-06-30 2009-11-25 华为技术有限公司 User access control method, home base station gateway and system
CN103609154A (en) * 2012-06-08 2014-02-26 华为技术有限公司 Method, apparatus and system for WLAN access authentication
CN104902477A (en) * 2015-06-26 2015-09-09 努比亚技术有限公司 Authentication terminal, wireless router, wireless router connection method and wireless router connection system
CN104980927A (en) * 2015-06-30 2015-10-14 北京奇虎科技有限公司 Method and device for sharing WiFi passwords
CN106341234A (en) * 2015-07-17 2017-01-18 华为技术有限公司 Authorization method and device
CN109548018A (en) * 2019-01-11 2019-03-29 腾讯科技(深圳)有限公司 Wireless network access method, device, equipment and system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101141428B1 (en) * 2008-12-16 2012-05-04 한국전자통신연구원 Method for preventing illegal watching using peculiar information of secure micro
CN103929748B (en) * 2014-04-30 2017-07-04 普联技术有限公司 A kind of Internet of Things wireless terminal and its collocation method and wireless network access point
CN105307169B (en) * 2015-09-18 2018-12-28 腾讯科技(深圳)有限公司 The cut-in method of guest network, device and system
CN109756915B (en) * 2017-11-03 2022-08-19 阿里巴巴集团控股有限公司 Wireless network management method and system

Also Published As

Publication number Publication date
WO2021134344A1 (en) 2021-07-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination