CN115278676A - WAPI certificate application method, wireless terminal and certificate discriminator - Google Patents
- Publication number: CN115278676A (application CN202210920349.1A)
- Authority: CN (China)
- Prior art keywords: certificate, wapi, authentication, wapi certificate, sta
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04W12/08—Access security (under H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity; H04W—Wireless communication networks; H04—Electric communication technique; H—Electricity)
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures (under H04L9/32; H04L9/00; H04L—Transmission of digital information, e.g. telegraphic communication)
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (under H04L9/32; H04L9/00; H04L)
- H04W84/12—WLAN [Wireless Local Area Networks] (under H04W84/10—Small scale networks; Flat hierarchical networks; H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]; H04W84/00—Network topologies)
- H04L2209/80—Wireless (under H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00)
Abstract
The invention discloses a method for applying for a WAPI certificate, a wireless terminal STA and a WAPI certificate discriminator AS. The STA generates a first WAPI certificate by self-signing; the first WAPI certificate comprises a first extended attribute that represents the intention to apply for a WAPI certificate. The AS judges the STA's application intention from the first extended attribute in the first WAPI certificate, generates a second WAPI certificate issued to the STA based on the information in the first WAPI certificate, and forms a third WAPI certificate by modifying the first WAPI certificate. The method can apply for a WAPI certificate online over the WAPI network the terminal intends to access, without using any other network and without upgrading existing APs, and therefore has good convenience, compatibility and economy.
Description
Technical Field
The invention relates to the technical field of communication, in particular to a method for applying a WAPI certificate, a wireless terminal and a certificate discriminator.
Background
WAPI is the WLAN security standard and technology specified in the Chinese national wireless local area network standard GB 15629.11. WAPI identifies the wireless access point (AP), the wireless terminal (STA) and the WAPI certificate discriminator by digital certificates and authenticates the identities of the AP and the STA through a ternary (three-party) authentication system, thereby securing wireless access authentication and effectively preventing both the access of an illegal terminal to the wireless network and the access of a terminal to an illegal counterfeit AP. In a WAPI wireless local area network, both the AP and the STA must have a WAPI digital certificate installed in order to carry out ternary authentication. There are generally two ways to obtain the certificate of a WAPI wireless terminal:
Mode A: the WAPI certificate authentication server (AS) generates a key pair (a public key and a private key) for the WAPI wireless terminal and generates a WAPI public key certificate from the public key, signed with the private key of the AS; the public key certificate and the terminal's private key are then transmitted to the WAPI terminal over a secure channel for installation. Because this process carries sensitive information, namely the private key, it requires a secure channel for certificate transmission: besides checking the identity of the applicant, the confidentiality and tamper resistance of the messages must be guaranteed, and if the channel is online, the transmitted information must be encrypted or carried in a secure tunnel.
Mode B: the WAPI terminal generates the key pair (public key and private key) itself and then generates a certificate signing request file, called a P10 file (short for the international standard PKCS #10). The P10 file contains information about the terminal device (applicant organization, device name and the like) and the public key, but not the private key; it also carries a signature made by the generating party with its own private key, which a receiver can verify using the public key contained in the P10 file. The P10 file is transmitted to the AS, which generates a public key certificate for the applicant from the subject information (Subject) and the public key in the P10 file and signs it with the private key of the AS; the public key certificate is then issued to the applicant for installation. No private key of the terminal device is involved in this process, so during transmission only the identity of the applicant needs to be checked and the transmitted information protected against tampering; there are no further security requirements.
With the advance of digitization and intelligent operation in recent years, WAPI wireless networks are increasingly used in national critical infrastructure industries, and more and more mobile operating terminals, such as robots and operating panels, access WAPI wireless private networks. In these industries the WAPI wireless terminal generally applies for its certificate using mode B, of which there are two more specific variants:
Mode B1: a manual process. The WAPI wireless terminal generates a P10 file, which is passed to the certificate application manager by some means such as e-mail over a non-WAPI network; after obtaining the P10 file, the manager generates the certificate file through the AS's human-machine interface and sends it back to the applicant by e-mail or similar means. If the AS is on an intranet, the manager obtains the P10 file on an extranet computer, copies it from the extranet to the intranet by some means, generates the certificate through the AS, copies the certificate from the intranet back to the extranet, and then sends it to the applicant.
Mode B2: an assisting-system process. The online application for the WAPI certificate is completed through a network other than the WAPI network to be accessed: the WAPI terminal is temporarily connected to an auxiliary network when it applies for the certificate, and the P10 file is transferred over that network or the online application is completed through a software system on the non-WAPI network.
Mode B1 is cumbersome and inefficient. Mode B2 solves that problem but carries the construction cost of the auxiliary network; moreover, in some industries with high security requirements the security management system does not allow "one machine, two networks", that is, one network device may not be used on multiple networks, so mode B2 is restricted because the WAPI terminal is not permitted to access any network other than the WAPI network it is to join.
Patent 200910189481.4, "A method, apparatus and network system for acquiring a WAPI certificate", provides a method for acquiring a WAPI certificate based on a WAPI wireless network, but it is not usable in some fields: for example, WAPI terminals used in the production networks of national infrastructure industries such as the power grid often do not have, or are not allowed to have, mobile phone functionality, do not have the IMSI (international mobile subscriber identity) on which that patent relies, and do not have a preset WAPI certificate either; furthermore, that patent's document does not describe how the issued certificate is delivered to the wireless terminal, nor how the AS certificate is downloaded to the terminal.
Patent 201010221869.0, "Method, system and apparatus for updating a WAPI certificate", provides a method for updating a WAPI certificate based on a WAPI wireless network, but it updates the certificate of an AP or STA that already has a WAPI certificate and cannot solve the problem of an STA without a WAPI certificate applying online for one for the first time; in addition, the related method must extend and modify the protocol on ordinary APs, which causes AP compatibility problems.
Other invented methods realize online WAPI certificate application over the WAPI wireless network by extending the WAPI wireless authentication protocol, but such protocol extension requires an AP software upgrade and has compatibility problems, which restricts actual use; this compatibility problem is even more limiting when the wireless network contains APs from multiple vendors.
Disclosure of Invention
Based on the technical problems in the background art, the invention provides a method for applying a WAPI certificate, a wireless terminal and a WAPI certificate discriminator.
The STA generates a first WAPI certificate by self-signing; the first WAPI certificate comprises a first extended attribute representing the intention to apply for a WAPI certificate. The AS judges the STA's application intention from the first extended attribute of the first WAPI certificate, generates a second WAPI certificate issued to the STA based on the information in the first WAPI certificate, and forms a third WAPI certificate by modifying the first WAPI certificate, where the modification comprises adding a second extended attribute carrying the second WAPI certificate, adding a third extended attribute carrying the AS public key certificate, and re-signing. The STA and the AS transmit the first WAPI certificate and the third WAPI certificate through interaction over the WAPI wireless network using the standard WAPI authentication protocol, so that the wireless terminal applies for the WAPI certificate online:
S1: in order to apply for a WAPI certificate, a wireless terminal STA associates with a wireless access point AP of the WAPI wireless network to be accessed and, after receiving the WAPI authentication activation message sent by the AP, sends a standard WAPI access authentication message to the AP, wherein the terminal certificate in the WAPI access authentication message is a first WAPI certificate generated by the STA through self-signing;
S2: after receiving a standard certificate authentication request message, the WAPI certificate authenticator AS obtains the terminal certificate, namely the first WAPI certificate, and judges whether the authentication request is a certificate application by the STA by checking the first extended attribute of the first WAPI certificate. If so, it performs an applicant authorization check based on the applicant authentication information contained in the first extended attribute of the first WAPI certificate; if the authorization check passes, it generates a second WAPI certificate issued to the STA based on the first WAPI certificate, then modifies the first WAPI certificate to form a third WAPI certificate, includes the third WAPI certificate as the terminal certificate in the terminal certificate field of the authentication result of the certificate authentication response message, and uses a specific authentication result value to represent the state of the certificate application. The modification of the first WAPI certificate comprises adding a second extended attribute that identifies and contains the second certificate, adding a third extended attribute that identifies and contains the AS certificate, and re-signing with the AS private key;
S3: after receiving the standard access authentication response message, the STA obtains the terminal certificate authentication result value from it to determine the certificate application state. If the state is successful, it takes the terminal certificate, namely the third WAPI certificate, out of the authentication result, then takes the second WAPI certificate, namely the WAPI certificate the STA applied for, out of the second extended attribute of the third WAPI certificate, and takes the AS certificate out of the third extended attribute of the third WAPI certificate.
Further, in S1, the certificate body (or holder) of the first WAPI certificate includes key information and public key information of the applicant, and identifies the certificate application behavior through the first extended attribute of the first WAPI certificate, where the first extended attribute further includes applicant authentication information, and the authentication information is manually input by the applicant at the time of application.
The beneficial effects of the invention are as follows:
The method can apply for a WAPI certificate online over the WAPI network the terminal intends to access, without using any other network and without upgrading existing APs, and therefore has good convenience, compatibility and economy.
Drawings
Fig. 1 shows the self-signed WAPI certificate, i.e. the first WAPI certificate, generated by the wireless terminal;
Fig. 2 shows the WAPI certificate authentication result configuration information;
Fig. 3 shows the standard WAPI authentication flow;
Fig. 4 shows the third WAPI certificate formed from the first WAPI certificate.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments.
Referring to fig. 1-4, a method for applying for a WAPI certificate, a wireless terminal STA and a WAPI certificate discriminator AS: the STA generates a first WAPI certificate by self-signing and includes in it a first extended attribute that characterizes the intention to apply for a WAPI certificate; the AS determines the STA's application intention from the first extended attribute in the first WAPI certificate, generates a second WAPI certificate issued to the STA based on the information in the first WAPI certificate, and forms a third WAPI certificate by modifying the first WAPI certificate, where the modification comprises adding a second extended attribute carrying the second WAPI certificate, adding a third extended attribute carrying the AS public key certificate, and re-signing; the STA and the AS transmit the first and third WAPI certificates through interaction over the WAPI wireless network using the standard WAPI authentication protocol, thereby implementing online application by the wireless terminal for its WAPI certificate:
S1: in order to apply for a WAPI certificate, a wireless terminal STA associates with a wireless access point AP of the WAPI wireless network to be accessed; after receiving the WAPI authentication activation message sent by the AP, it sends a standard WAPI access authentication message to the AP, in which the terminal certificate is a first WAPI certificate generated by the STA through self-signing;
S2: after receiving a standard certificate authentication request message, the WAPI certificate authenticator AS obtains the terminal certificate, namely the first WAPI certificate, judges whether the authentication request is a certificate application by the STA by checking the first extended attribute of the first WAPI certificate and, if so, performs an applicant authorization check based on the applicant authentication information contained in the first extended attribute of the first WAPI certificate;
S3: after receiving the standard access authentication response message, the STA obtains the terminal certificate authentication result value to determine the certificate application state; if the state is successful, it obtains the terminal certificate from the authentication result, namely the third WAPI certificate, then obtains the second WAPI certificate, namely the WAPI certificate the STA applied for, from the second extended attribute of the third WAPI certificate, and obtains the AS certificate from the third extended attribute of the third WAPI certificate.
In S1, the certificate body (or holder) of the first WAPI certificate contains the applicant's key information and public key information and identifies the certificate application through the first extended attribute of the first WAPI certificate; the first extended attribute further contains applicant authentication information, which the applicant enters manually at the time of application.
In S2, if the authorization check passes, the AS generates a second WAPI certificate issued to the STA based on the first WAPI certificate, then modifies the first WAPI certificate to form a third WAPI certificate, includes the third WAPI certificate as the terminal certificate in the terminal certificate field of the authentication result of the certificate authentication response message, and represents the certificate application state with a specific authentication result value. Modifying the first WAPI certificate comprises adding a second extended attribute that identifies and contains the second certificate, adding a third extended attribute that identifies and contains the AS certificate, and re-signing with the AS private key.
To illustrate the embodiments of this patent, the standard WAPI authentication procedure is described first. As shown in fig. 3, the WAPI authentication procedure is as follows:
(1) After the wireless terminal STA associates with the AP, the AP sends an authentication activation (ACTIVE) message to the STA, which contains the AP's certificate information.
(2) After receiving the AP's authentication activation message, the STA sends an access authentication request message to the AP, which contains the STA's certificate information.
(3) After receiving the STA's access authentication request, the AP sends a certificate authentication request message to the WAPI certificate authenticator (AS), which contains the AP's certificate information and the received STA certificate information.
(4) After receiving the AP's certificate authentication request, the AS performs the certificate authentication checks, forms the certificate authentication result and sends a certificate authentication response message to the AP. The certificate authentication response message contains a "certificate authentication result" field with the information shown in fig. 2, i.e. the WAPI certificate authentication result configuration information, where the first authentication result and first certificate refer to the AP and the second authentication result and second certificate refer to the STA.
(5) After receiving the certificate authentication response message from the AS, the AP sends an access authentication response message to the STA, which contains the AS's certificate authentication result; the AP refuses or accepts the STA's access according to that result.
(6) The access authentication response message the STA receives from the AP contains a composite AS certificate authentication result, consisting of the AS certificate authentication result and the AS's signature over it; the STA decides whether to access the connected AP according to the AS certificate authentication result.
The following examples are given.
For the method for applying for a WAPI certificate, the wireless terminal and the WAPI certificate authenticator of the present invention, in the standard WAPI authentication flow shown in fig. 3, the wireless terminal STA101 and the WAPI certificate authenticator AS103 implement the method of the present invention, while the wireless access point AP102 does not implement any part of it.
After the STA101 associates with the AP102, the AP102 sends a WAPI authentication activation message to the STA101. After receiving the AP102's authentication activation message, if the STA101 is applying for a WAPI certificate at this time, it first generates a self-signed certificate, whose content is the self-signed WAPI certificate generated by the wireless terminal shown in fig. 1, i.e. the first WAPI certificate; it then places the first WAPI certificate as its own WAPI certificate in the STA certificate field of a standard WAPI access authentication message and sends it to the AP102. In this embodiment, bit 2 (the certificate verification request identifier) of the FLAG field of the WAPI access authentication message sent by the STA101 is set to 1, which, according to the WAPI authentication protocol standard, indicates that the STA101 requires the validity of the AP102's certificate to be verified, that is, after receiving the WAPI access authentication message the AP102 must request the AS103 to perform WAPI certificate authentication.
In the method described in this patent, the STA101 replaces the aforementioned P10 file with a self-signed certificate that contains all the key contents of the P10 file, i.e. the Distinguished Name (DN) attributes and the public key of the certificate body (or holder). The STA101 self-signs the generated first WAPI certificate and additionally includes an extended attribute, the first extended attribute 100. In the WAPI standard, digital certificates use the X.509 v3 format, which allows users to define domain-specific extended attributes in the extension field; each extended attribute is encapsulated as an ASN.1-encoded SEQUENCE (tag 0x30) containing two fields, an object identifier (OID) and an attribute value. The OID characterizes the purpose of the extended attribute and is of ASN.1 type OBJECT IDENTIFIER; the attribute value is the specific content for that purpose and is of ASN.1 type OCTET STRING. Through the first extended attribute 100 the STA101 indicates to the AS103 that it is applying for a WAPI certificate; at the same time, the STA carries the wireless terminal's authorization authentication information in the attribute value of the first extended attribute 100. This authorization information is a password or authorization verification code that the administrator of the AS103 sends to the user of the STA101 (or the commissioning installer) through other channels, for example a short message service, an internal mail system or a telephone call, and the user enters it into the STA101's system before the STA101 initiates the WAPI certificate application.
As shown in fig. 3, after the generic wireless access point AP102 receives the access authentication request message sent by the STA101, it processes it according to the standard wireless terminal access message processing flow, that is, it puts the WAPI certificate of the STA101 (in this embodiment the first WAPI certificate) and the WAPI certificate of the AP102 into a certificate authentication request message and sends it to the AS103. The so-called "generic" wireless access point AP102 contains no implementation specific to this patent, i.e. the present invention requires no modification of the AP102's authentication processing. According to the WAPI technical standard, the AP102 cannot check the WAPI certificate of the STA101 itself, and because the STA101 has set bit 2 (the certificate verification request identifier) of the FLAG field of the WAPI access authentication message to 1, the AP102 must request the AS103 to perform certificate authentication.
After receiving the WAPI certificate authentication request sent by the AP102, the AS103 authenticates the WAPI certificate of the AP102 in the same way as in an ordinary WAPI authentication process. It then checks the certificate of the STA101, that is, the self-signed WAPI certificate generated by the STA101, the first WAPI certificate: the AS103 first checks whether the first WAPI certificate contains the first extended attribute 100; if it does not, it performs the ordinary WAPI certificate authentication process, and if it does, it performs the certificate application process, which comprises:
(1) Applicant authentication: the applicant authentication information is extracted from the first extended attribute 100 and the authorization check is performed; if the authorization check fails, the application result state value is recorded as R = 102, meaning that applicant authentication failed, and the process proceeds to sending the certificate application result, i.e. step (4), application result formation, below.
(2) Second certificate generation: if the authorization check passes, the WAPI certificate issuing process continues, that is, the AS103 generates the WAPI certificate issued to the STA101 from the certificate body (Subject) attributes and the public key information in the first certificate, which is the second WAPI certificate. If this completes successfully, the application result state value is recorded as R = 100, meaning the application succeeded; otherwise R = 101 is recorded, meaning the certificate signing failed.
(3) Third certificate formation: in order to deliver the second certificate and the AS certificate to the STA101 at the same time, as a preferred scheme the first WAPI certificate is modified: a) a second extended attribute is added, whose OID field identifies the extension as the certificate issued to the STA and whose value field is the content of the second certificate; b) a third extended attribute is added, whose OID field identifies the extension as the public key certificate of the AS and whose value field is the content of the AS public key certificate. This modification yields the third WAPI certificate, whose content is illustrated in fig. 4 as the third WAPI certificate formed from the first WAPI certificate.
(4) Application result formation: the certificate authentication result of the standard WAPI protocol is used to carry the application result and the third WAPI certificate, namely: a) the first authentication result and certificate fields of the certificate authentication result are filled by the AS103 with the authentication result value of the AP102's certificate and the content of the AP102's certificate, as in the standard WAPI protocol; b) if R = 100, the second authentication result and certificate fields of the certificate authentication result are filled with the application result state value R and the content of the third certificate; otherwise they are filled with the application result state value R and the content of the first certificate.
(5) Sending the application result: after forming the application result, the AS103 forms a WAPI certificate authentication response message according to the WAPI standard protocol and sends it to the AP102; the certificate authentication result field in the message is the one formed in step (4).
After receiving the response message of the authentication of the WAPI certificate sent by the AS103, the AP102 analyzes the "certificate authentication result" therein, because the second certificate authentication result of the "certificate authentication result" is not 0, that is, from the perspective of the standard WAPI authentication protocol, the authentication result of the WAPI certificate is unsuccessful, in this case, the AP102 also sends the standard access authentication response message to the STA101, and then the AP102 disconnects the wireless association with the STA 101; the "composite authentication result" field in the access authentication response message includes the "certificate authentication result" obtained by parsing the WAPI certificate authentication response message and a digital signature of the "certificate authentication result" by the AS103.
The STA101 receives the access authentication response message from the AP102. Since the STA101 knows that it is in the process of applying for a WAPI certificate, it parses the access authentication response message to obtain the "composite authentication result", parses the "composite authentication result" to obtain the "certificate authentication result", and further parses the "certificate authentication result" to obtain the first certificate authentication result and its certificate (which is the certificate content of the AP102) and the second certificate authentication result and its certificate. It then enters the certificate application result processing flow, which comprises:
(1) Checking the first certificate authentication result: if the result value is not 0, the certificate authentication of the AP102 has failed, which indicates that the AP102 is not trusted; the STA101 cannot accept the access authentication response message sent by the AP102, and the WAPI certificate application fails.
(2) Checking the second certificate authentication result: if the result value is not 100, the WAPI certificate application was not successful, and the value indicates the reason for the failure; if the second certificate authentication result equals 100, the WAPI certificate application was successful.
(3) Verifying the digital signature of the "certificate authentication result": when the WAPI certificate application is successful, the STA101 takes the second certificate in the certificate authentication result as the third WAPI certificate generated by the AS103, takes the second certificate out of the second extended attribute of the third WAPI certificate, takes the public key certificate of the AS out of the third extended attribute of the third WAPI certificate, and verifies the digital signature of the composite authentication result using the public key certificate of the AS. If the signature does not verify, the application result obtained by this WAPI certificate application is not credible and the WAPI certificate application fails; if the signature verifies, the application result obtained by this WAPI certificate application is authentic, and the STA101 accepts the second certificate as the digital certificate it applied for as a WAPI terminal and accepts the AS certificate as the public key certificate of the AS.
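To make the application result flow of steps (4), (5) and (1) to (3) above concrete, the following Go model of the exchange is added here; it is example code written for this page, not an implementation from the patent or from the WAPI standard. It assumes a toy certificate layout (JSON encoding with ECDSA P-256 signatures in place of the real WAPI certificate encoding and signature algorithm), models the three extended attributes as named fields, omits the AP certificate content from the first result field, and treats the applicant authentication information as a constructed shared secret; the names `Cert`, `CertAuthResult`, `BuildApplicationResult`, `ProcessApplicationResult`, `BuildScenario` and `expectedAuth`, and the failure code 1, are this example's own assumptions.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"fmt"
)

const (
	apCertValid  = 0   // first result value from the text: AP certificate accepted
	applySuccess = 100 // second result value from the text: application succeeded
	expectedAuth = "applicant-secret-constructed" // constructed applicant auth info the AS expects
)

// Cert stands in for a WAPI certificate; the Ext* fields model its three extended attributes.
type Cert struct {
	Subject   string `json:"subject"`
	PubKey    []byte `json:"pubkey"`          // PKIX-encoded ECDSA public key
	ExtIntent []byte `json:"ext1,omitempty"` // 1st: application intent carrying applicant auth info
	ExtIssued *Cert  `json:"ext2,omitempty"` // 2nd: the issued (second) certificate
	ExtAS     *Cert  `json:"ext3,omitempty"` // 3rd: the AS public key certificate
	Sig       []byte `json:"sig,omitempty"`
}

// CertAuthResult mirrors the "certificate authentication result" in the text (AP certificate content omitted).
type CertAuthResult struct {
	FirstResult  int  `json:"r1"`
	SecondResult int  `json:"r2"`
	TermCert     Cert `json:"term_cert"` // the third certificate on success, else the first
}

func digest(v interface{}) []byte {
	b, _ := json.Marshal(v) // fixed field order keeps the encoding stable for signing
	h := sha256.Sum256(b)
	return h[:]
}

func mustSign(k *ecdsa.PrivateKey, v interface{}) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, k, digest(v))
	if err != nil {
		panic(err)
	}
	return sig
}

func verify(pkix []byte, v interface{}, sig []byte) bool {
	k, err := x509.ParsePKIXPublicKey(pkix)
	ek, ok := k.(*ecdsa.PublicKey)
	return err == nil && ok && ecdsa.VerifyASN1(ek, digest(v), sig)
}

func newCert(subject string, holder, signer *ecdsa.PrivateKey, intent []byte) Cert {
	pub, _ := x509.MarshalPKIXPublicKey(&holder.PublicKey) // self-signed when holder == signer
	c := Cert{Subject: subject, PubKey: pub, ExtIntent: intent}
	c.Sig = mustSign(signer, c)
	return c
}

// BuildApplicationResult is the AS side: authorization check, issue the second certificate, form and re-sign the third, fill and sign the result.
func BuildApplicationResult(asKey *ecdsa.PrivateKey, asCert, first Cert) (CertAuthResult, []byte) {
	res := CertAuthResult{FirstResult: apCertValid, SecondResult: 1, TermCert: first}
	if string(first.ExtIntent) == expectedAuth { // applicant authorization check
		second := Cert{Subject: first.Subject, PubKey: first.PubKey}
		second.Sig = mustSign(asKey, second)
		third := first // keeps the first extended attribute; the second and third are added here
		third.ExtIssued, third.ExtAS = &second, &asCert
		third.Sig = nil
		third.Sig = mustSign(asKey, third)
		res.SecondResult, res.TermCert = applySuccess, third
	} // otherwise SecondResult stays 1, a constructed failure code (the text fixes only 100)
	return res, mustSign(asKey, res)
}

// ProcessApplicationResult is the STA's flow (1)-(3) from the text; trust in the AS certificate found in ext3 is assumed.
func ProcessApplicationResult(res CertAuthResult, asSig []byte) (issued, asCert Cert, err error) {
	third := res.TermCert
	switch {
	case res.FirstResult != apCertValid: // (1)
		return Cert{}, Cert{}, fmt.Errorf("AP certificate authentication failed: AP not trusted")
	case res.SecondResult != applySuccess: // (2)
		return Cert{}, Cert{}, fmt.Errorf("certificate application failed, reason code %d", res.SecondResult)
	case third.ExtAS == nil || third.ExtIssued == nil:
		return Cert{}, Cert{}, fmt.Errorf("third certificate lacks the second or third extended attribute")
	case !verify(third.ExtAS.PubKey, res, asSig): // (3)
		return Cert{}, Cert{}, fmt.Errorf("AS signature over the result is invalid: result not credible")
	}
	return *third.ExtIssued, *third.ExtAS, nil
}

// BuildScenario runs the exchange with fresh keys: AS103's certificate, STA101's self-signed first certificate, the AS's signed result.
func BuildScenario(applicantAuth string) (CertAuthResult, []byte) {
	gen := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	asKey, staKey := gen(), gen()
	asCert := newCert("AS103", asKey, asKey, nil)
	first := newCert("STA101", staKey, staKey, []byte(applicantAuth))
	return BuildApplicationResult(asKey, asCert, first)
}
```

`BuildScenario(expectedAuth)` followed by `ProcessApplicationResult` yields the issued certificate for STA101 and the AS103 certificate; any change to the result after the AS has signed it, or a second result value other than 100, makes `ProcessApplicationResult` return an error. Note that, exactly as the text specifies, the AS public key certificate used in step (3) is taken from the third extended attribute of the message being verified, so the check establishes that the result is consistent with that certificate; the basis on which the STA trusts that AS certificate is left outside this example.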
The above description is only of the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto; any equivalent replacement or change that a person skilled in the art can readily make, within the technical scope disclosed by the present invention and according to its technical solutions and inventive concepts, should be covered within the scope of the present invention.
Claims (2)
1. A method for applying for a WAPI certificate, a wireless terminal STA and a WAPI certificate discriminator AS, characterized in that the STA generates a first WAPI certificate by self-signing, the first WAPI certificate comprising a first extended attribute that represents the intention to apply for a WAPI certificate; the AS judges the STA's intention to apply for a WAPI certificate based on the first extended attribute of the first WAPI certificate, generates a second WAPI certificate issued to the STA based on information in the first WAPI certificate, and forms a third WAPI certificate by modifying the first WAPI certificate, the modification comprising adding a second extended attribute to carry the second WAPI certificate, adding a third extended attribute to carry the AS public key certificate, and re-signing; and the STA and the AS transmit the first WAPI certificate and the third WAPI certificate through interaction over the WAPI wireless network based on the standard WAPI authentication protocol, thereby realizing online application for a WAPI certificate by the wireless terminal;
S1: in order to apply for a WAPI certificate, the wireless terminal STA (station) associates with the wireless access point AP (access point) of the WAPI wireless network to be accessed, and after receiving the WAPI authentication activation message sent by the AP, sends a standard WAPI access authentication message to the AP, wherein the terminal certificate in the WAPI access authentication message is the first WAPI certificate generated by the STA through self-signing;
S2: after receiving the standard certificate authentication request message, the WAPI certificate authenticator AS obtains the terminal certificate, namely the first WAPI certificate, and judges whether the authentication request is a certificate application by the STA by checking the first extended attribute of the first WAPI certificate; if so, it performs an applicant authorization check based on the applicant authentication information included in the first extended attribute of the first WAPI certificate; if the authorization check passes, it generates a second WAPI certificate issued to the STA based on the first WAPI certificate, then modifies the first WAPI certificate to form a third WAPI certificate, includes the third WAPI certificate as the terminal certificate in the terminal certificate field of the authentication result of the certificate authentication response message, and uses a specific authentication result value to represent the certificate application result state; the modification of the first WAPI certificate comprises adding a second extended attribute that identifies and contains the second certificate, adding a third extended attribute that identifies and contains the AS certificate, and re-signing with the AS private key;
S3: after the STA receives the standard access authentication response message, it obtains the terminal certificate authentication result value from the message to determine the certificate application result state; if the result state is success, it takes out the terminal certificate in the authentication result, namely the third WAPI certificate, takes the second WAPI certificate, namely the WAPI certificate applied for by the STA, out of the second extended attribute of the third WAPI certificate, and takes the AS certificate out of the third extended attribute of the third WAPI certificate.
2. The method, wireless terminal and WAPI certificate authenticator for WAPI certificate application as claimed in claim 1, wherein in step S1 the certificate body (or holder) of the first WAPI certificate includes key information and public key information of the applicant, the certificate application behaviour is identified by the first extended attribute of the first WAPI certificate, and the first extended attribute further includes applicant authentication information, which is entered manually by the applicant at the time of application.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210920349.1A CN115278676A (en) | 2022-08-02 | 2022-08-02 | WAPI certificate application method, wireless terminal and certificate discriminator |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115278676A true CN115278676A (en) | 2022-11-01 |
Family
ID=83747620
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210920349.1A Pending CN115278676A (en) | 2022-08-02 | 2022-08-02 | WAPI certificate application method, wireless terminal and certificate discriminator |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |