CN115278676A - WAPI certificate application method, wireless terminal and certificate discriminator - Google Patents


Info

Publication number: CN115278676A
Authority: CN (China)
Prior art keywords: certificate, wapi, authentication, wapi certificate, sta
Legal status: Pending
Application number: CN202210920349.1A
Other languages: Chinese (zh)
Inventors: 刘高锦, 丁亮, 刘林
Current assignee: Shenzhen Zhikai Technology Co ltd
Original assignee: Shenzhen Zhikai Technology Co ltd
Application filed by Shenzhen Zhikai Technology Co ltd
Priority to CN202210920349.1A
Publication of CN115278676A

Classifications

    • H04W 12/08 Access security (H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity; H04W Wireless communication networks)
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving digital signatures
    • H04L 9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04W 84/12 WLAN [Wireless Local Area Networks] (H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN or WLL; H04W 84/10 Small scale networks; Flat hierarchical networks)
    • H04L 2209/80 Wireless (H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication, H04L 9/00)

Abstract

The invention discloses a method for applying for a WAPI certificate, a wireless terminal STA and a WAPI certificate discriminator AS. The STA generates a first WAPI certificate by self-signing; the first WAPI certificate contains a first extended attribute that expresses the intention to apply for a WAPI certificate. The AS judges the STA's WAPI certificate application intention from the first extended attribute in the first WAPI certificate, generates a second WAPI certificate issued to the STA based on the information in the first WAPI certificate, and forms a third WAPI certificate by modifying the first WAPI certificate. The method can apply for the WAPI certificate online over the WAPI network that is planned to be accessed, needs no other network, needs no upgrade of existing APs, and has good convenience, compatibility and economy.

Description

WAPI certificate application method, wireless terminal and certificate discriminator
Technical Field
The invention relates to the technical field of communication, in particular to a method for applying a WAPI certificate, a wireless terminal and a certificate discriminator.
Background
WAPI is the WLAN wireless security standard and technology specified in the Chinese national wireless local area network standard GB 15629.11. WAPI identifies the wireless access point (AP), the wireless terminal (STA) and the WAPI certificate discriminator by digital certificates, and authenticates the identities of the AP and the STA with a ternary (three-party) authentication system, thereby securing wireless access authentication and effectively preventing illegal terminals from accessing the wireless network and terminals from accessing illegal counterfeit APs. In a WAPI wireless local area network, both the AP and the STA need a WAPI digital certificate installed to carry out ternary authentication. There are generally two ways for a WAPI wireless terminal to obtain its certificate:
Mode A: the WAPI certificate authentication server (AS) generates a key pair (a public key and a private key) for the WAPI wireless terminal and generates a WAPI public key certificate from the public key, signed with the AS's private key; the public key certificate and the terminal device's private key are then transmitted to the WAPI terminal through a secure channel for installation. This process needs a secure channel for the certificate transmission because it carries sensitive information, namely the private key: besides checking the identity of the applicant, the confidentiality and tamper resistance of the messages must be guaranteed, and if the transfer is done online the transmitted information must be encrypted or carried in a secure tunnel.
Mode B: the WAPI terminal generates the key pair (a public key and a private key) itself and then generates a certificate signing request file, called a P10 file (short for the international standard PKCS #10). The P10 file contains the terminal device's information (applicant organization, device name and the like) and public key information, but no private key information; it also contains a P10 signature made by the generator with its own private key, which a receiver can verify with the public key information in the P10 file. The P10 file is transmitted to the AS, which generates a public key certificate file for the applicant based on the subject information (Subject) and public key information in the P10 file and signs it with the AS private key; the public key certificate file is then issued to the applicant for installation. No private key information of the terminal device is involved in this process, so during transmission only the identity of the applicant needs to be checked and the transmitted information checked against tampering; there are no other security requirements.
With the advance of digitalization and intelligent systems in recent years, WAPI wireless networks are increasingly used in national critical infrastructure industries, and more and more mobile operating terminals, such as robots and operating panels, access WAPI wireless private networks. In these industries, WAPI wireless terminals generally apply for certificates using mode B. For mode B there are two more specific modes:
Mode B1: a manual process. The WAPI wireless terminal generates a P10 file, which is transmitted to the certificate application manager by means such as mail over a non-WAPI network; after obtaining the P10 file, the manager completes the generation of the certificate file through the AS's human-machine interface and then sends the certificate file to the applicant by mail or similar means. If the AS is on an intranet, the manager obtains the P10 file on an extranet computer, copies it from the extranet to the intranet in some way, generates the certificate through the AS, copies the certificate from the intranet to the extranet, and then sends it to the applicant.
Mode B2: an auxiliary system process. The online application for the WAPI certificate is completed through a network other than the WAPI network to be accessed: the WAPI terminal is temporarily connected to an auxiliary network when it applies for the certificate, and the P10 file is transferred over that network or the online application is completed through a software system based on the non-WAPI network.
The problem with mode B1 is that it is cumbersome and inefficient. Mode B2 solves this, but the construction of the auxiliary network has a cost; moreover, in some industries with high security requirements the security management system does not allow "one machine, two networks", that is, one network device may not be used in multiple networks, so mode B2 is restricted because the security management system does not allow the WAPI terminal to access any network other than the WAPI network it is to join.
Patent 200910189481.4, "A method, apparatus and network system for acquiring a WAPI certificate", provides a method, apparatus and network system for acquiring a WAPI certificate based on a WAPI wireless network, but it is unusable in some fields. For example, WAPI terminals used in the production networks of national infrastructure industries such as the power grid industry often do not have, or are not even allowed to have, a mobile phone function, so they have no IMSI (International Mobile Subscriber Identity) as that patent requires, and they have no preset WAPI certificate either; moreover, that patent's document describes neither how the issued certificate is delivered to the wireless terminal nor how the AS certificate is downloaded to the terminal.
Patent 201010221869.0, "Method, system and apparatus for updating a WAPI certificate", provides a method for updating a WAPI certificate based on a WAPI wireless network, but it updates the certificate of an AP or STA that already has a WAPI certificate and cannot solve the problem of an STA without a WAPI certificate applying for one online for the first time; meanwhile, its method must extend and modify the protocol on ordinary APs, which causes AP compatibility problems.
There are other invention methods that realize online WAPI certificate application based on the WAPI wireless network by extending the WAPI wireless authentication protocol, but such protocol extensions require AP software upgrades and have compatibility problems, so their actual use is restricted to some extent; further, if there are APs from multiple vendors in the wireless network, this compatibility problem restricts the extended WAPI wireless authentication protocol approach even more.
Disclosure of Invention
Based on the technical problems in the background art, the invention provides a method for applying a WAPI certificate, a wireless terminal and a WAPI certificate discriminator.
The STA generates a first WAPI certificate by self-signing. The first WAPI certificate contains a first extended attribute that expresses the intention to apply for a WAPI certificate. The AS judges the STA's WAPI certificate application intention from the first extended attribute in the first WAPI certificate, generates a second WAPI certificate issued to the STA based on the information in the first WAPI certificate, and forms a third WAPI certificate by modifying the first WAPI certificate, where the modification comprises adding a second extended attribute to carry the second WAPI certificate, adding a third extended attribute to carry the AS public key certificate, and re-signing. The STA and the AS transfer the first WAPI certificate and the third WAPI certificate through interaction over the WAPI wireless network based on the standard WAPI authentication protocol, so that the wireless terminal applies for the WAPI certificate online:
S1: A wireless terminal STA associates with the wireless access point AP of the WAPI wireless network it intends to access in order to apply for a WAPI certificate, and, after receiving the WAPI authentication activation message sent by the AP, sends a standard WAPI access authentication message to the AP, in which the terminal certificate is a first WAPI certificate generated by the STA through self-signing;
S2: After receiving the standard certificate authentication request message, the WAPI certificate authenticator AS obtains the terminal certificate, namely the first WAPI certificate, and judges whether the authentication request is a certificate application by the STA by checking the first extended attribute of the first WAPI certificate. If so, it performs an applicant authorization check based on the applicant authentication information contained in the first extended attribute of the first WAPI certificate; if the authorization check passes, it generates a second WAPI certificate issued to the STA based on the first WAPI certificate, then modifies the first WAPI certificate to form a third WAPI certificate, places the third WAPI certificate as the terminal certificate in the terminal certificate field of the authentication result in the certificate authentication response message, and uses a specific authentication result value to represent the certificate application result state. The modification of the first WAPI certificate comprises adding a second extended attribute that identifies and contains the second certificate, adding a third extended attribute that identifies and contains the AS certificate, and re-signing with the AS private key;
S3: After receiving the standard access authentication response message, the STA obtains the terminal certificate authentication result value from it to determine the certificate application result state. If the state is success, the terminal certificate in the authentication result, namely the third WAPI certificate, is taken out; then the second WAPI certificate, namely the WAPI certificate applied for by the STA, is taken out of the second extended attribute of the third WAPI certificate, and the AS certificate is taken out of the third extended attribute of the third WAPI certificate.
Further, in S1, the certificate subject (or holder) of the first WAPI certificate contains the applicant's key information and public key information, and the certificate application behavior is identified through the first extended attribute of the first WAPI certificate, where the first extended attribute further contains applicant authentication information, which is entered manually by the applicant at the time of application.
The beneficial effects of the invention are as follows:
The method can apply for the WAPI certificate online over the WAPI network that is planned to be accessed, needs no other network, needs no upgrade of existing APs, and has good convenience, compatibility and economy.
Drawings
Fig. 1 shows a self-signed WAPI certificate, i.e. a first WAPI certificate, generated by the wireless terminal;
Fig. 2 shows the WAPI certificate authentication result configuration information;
Fig. 3 shows the standard WAPI authentication flow;
Fig. 4 shows a third WAPI certificate formed based on the first WAPI certificate.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments.
Referring to fig. 1-4, a method for applying a WAPI certificate, a wireless terminal STA, and a WAPI certificate discriminator AS, where the STA generates a first WAPI certificate through self-signing, and includes a first extended attribute in the first WAPI certificate to characterize an application intention of the WAPI certificate, the AS determines the application intention of the WAPI certificate of the STA based on the first extended attribute in the first WAPI certificate, and generates a second WAPI certificate issued to the STA based on information in the first WAPI certificate, and forms a third WAPI certificate by modifying the first WAPI certificate, and the modification includes adding the second extended attribute to carry the second WAPI certificate, adding the third extended attribute to carry an AS public key certificate, and re-signing, and the STA and the AS implement transmission of the first WAPI certificate and the third WAPI certificate through interaction based on a standard WAPI authentication protocol over a WAPI wireless network, thereby implementing online application of the wireless terminal for the WAPI certificate;
s1: the method comprises the steps that a wireless terminal STA associates a wireless access point AP to be accessed into a WAPI wireless network in order to apply for a WAPI certificate, a standard WAPI access authentication message is sent to the AP after a WAPI authentication activation message sent by the AP is received, and a terminal certificate in the WAPI access authentication message is a first WAPI certificate generated by the STA through self-signature;
s2: after receiving a standard certificate authentication request message, a WAPI certificate authenticator AS obtains a terminal certificate, namely a first WAPI certificate, judges whether the authentication request is a certificate application behavior of an STA (station) or not by checking a first extended attribute of the first WAPI certificate, and if so, performs applicant authorization check based on applicant authentication information included in the first extended attribute of the first WAPI certificate;
s3: after receiving the standard access authentication response message, the STA obtains a terminal certificate authentication result value to determine a certificate application result state, if the result state is successful, a terminal certificate in the authentication result, namely a third WAPI certificate, is obtained, then a second WAPI certificate is obtained from a second extended attribute of the third WAPI certificate, namely a WAPI certificate applied by the STA, and an AS certificate is obtained from a third extended attribute of the third WAPI certificate, in S1, a certificate body (or a holder) of the first WAPI certificate includes applicant key information and public key information, and identifies a certificate application behavior through the first extended attribute of the first WAPI certificate, the first extended attribute further includes applicant authentication information, and the authentication information is manually input by the applicant during application. In S2, if the authorization check is passed, generating a second WAPI certificate issued to the STA based on the first WAPI certificate, then modifying the first WAPI certificate to form a third WAPI certificate, including the third WAPI certificate as an end certificate in an end certificate field of an authentication result of the certificate authentication response message, and representing a certificate application result state by using a specific authentication result value; and modifying the first WAPI certificate, including adding a second extended attribute to identify and include the second certificate, adding a third extended attribute to identify and include the AS certificate, and re-signing by using the AS private key.
To illustrate the embodiments of this patent, a standard WAPI authentication procedure is described. As shown in fig. 3, the procedure of the WAPI authentication is as follows:
(1) After the wireless terminal STA associates with the AP, the AP sends an authentication Activation (ACTIVE) message to the STA, wherein the message comprises the certificate information of the AP.
(2) After receiving the authentication activation message of the AP, the STA sends an access authentication request message to the AP, which contains the certificate information of the STA.
(3) After receiving an access authentication request of the STA, the AP sends a certificate authentication request message to a WAPI certificate Authenticator (AS), wherein the message comprises the certificate information of the AP and the received STA certificate information.
(4) And after receiving the certificate authentication request of the AP, the AS performs certificate authentication check to form a certificate authentication result and sends a certificate authentication response message to the AP. The certificate authentication response message includes a "certificate authentication result" field, which includes information shown in fig. 2, i.e., the WAPI certificate authentication result configuration information, where the first authentication result and the first certificate are for the AP, and the second authentication result and the second certificate are for the STA.
(5) After receiving the certificate authentication response message sent by the AS, the AP sends an access authentication response message to the STA, wherein the message comprises the certificate authentication result of the AS, and the AP refuses or accepts the access of the STA according to the certificate authentication result.
(6) The STA receives the access authentication response message of the AP, which contains a composite AS certificate authentication result comprising the AS certificate authentication result and the AS's signature over it, and determines whether to access the AP it is connected to according to the AS certificate authentication result.
The following examples are given.
For the WAPI certificate application method, the wireless terminal and the WAPI certificate authenticator of the present invention, in the standard WAPI authentication flow shown in Fig. 3, the wireless terminal STA101 and the WAPI certificate authenticator AS103 are involved in implementing the method of the present invention, while the wireless access point AP102 is not involved in any implementation of the method.
After the STA101 associates with the AP102, the AP102 sends a WAPI authentication activation message to the STA101. After the STA101 receives the authentication activation message of the AP102, if the STA101 is applying for a WAPI certificate at this time, the STA101 first generates a self-signed certificate, whose content is the self-signed WAPI certificate generated by the wireless terminal shown in Fig. 1, that is, the first WAPI certificate; it then places the first WAPI certificate as its own WAPI certificate in the STA certificate field of a standard WAPI access authentication message and sends it to the AP102. In this embodiment, bit 2 (certificate verification request identifier) of the FLAG field of the WAPI access authentication message sent by the STA101 is set to 1, which according to the WAPI authentication protocol standard indicates that the STA101 requires the validity of the AP102 certificate to be verified, that is, after the AP102 receives the WAPI access authentication message, the AP102 requests the AS103 to perform WAPI certificate authentication.
In the method described in this patent, the STA101 replaces the aforementioned P10 file with a self-signed certificate, which includes all the key contents of the P10 file, i.e. the Distinguished Name (DN) attributes and the public key of the certificate subject (or holder). The STA101 self-signs the generated first WAPI certificate and further includes an extended attribute in it, i.e. the first extended attribute 100. In the WAPI standard, digital certificates are in X.509 v3 format, which allows users to define domain-specific extended attributes in the extension field. Each extended attribute is encapsulated as an ASN.1 encoded SEQUENCE (tag 0x30) with two fields: an object identifier (OID) and an attribute value; the OID characterizes the usage of the extended attribute and has the ASN.1 type OBJECT IDENTIFIER, and the attribute value is the specific content related to that usage and has the ASN.1 type OCTET STRING. Through the first extended attribute 100 the STA101 indicates to the AS103 that it is applying for a WAPI certificate; at the same time, the STA carries the wireless terminal's authorization authentication information in the attribute value of the first extended attribute 100. This authorization information is a password or authorization verification code that the administrator of the AS103 sends to the user (or commissioning installer) of the STA101 through other channels, for example a short message service, an internal mail system or a telephone call, and the user enters it into the STA101's system before the STA101 initiates the WAPI certificate application.
As shown in Fig. 3, as a generic wireless access point, the AP102, after receiving the access authentication request message sent by the STA101, processes it according to the standard wireless terminal access message processing flow: it puts the WAPI certificate of the STA101 (in this embodiment the first WAPI certificate) and its own WAPI certificate into a certificate authentication request message and sends it to the AS103. The so-called "generic" wireless access point AP102 contains no implementation specific to this patent, i.e. the present invention does not require any modification of the AP102's authentication process. According to the WAPI standard, the AP102 cannot check the WAPI certificate of the STA101 itself, and since the STA101 has set bit 2 (certificate verification request identifier) of the FLAG field of the WAPI access authentication message to 1, the AP102 must request the AS103 to perform certificate authentication.
After receiving the WAPI certificate authentication request sent by the AP102, the AS103 authenticates the WAPI certificate of the AP102, exactly as in a general WAPI authentication process; then the certificate of the STA101, i.e. the self-signed WAPI certificate generated by the STA101, i.e. the first WAPI certificate, is checked. In this process the AS103 first checks whether the first extended attribute 100 is included in the first WAPI certificate: if not, it performs the general WAPI certificate authentication process; if so, it performs the certificate application process, which includes:
(1) Applicant authentication: the applicant authentication information is extracted from the first extended attribute 100 and an authorization check is performed. If the authorization check fails, the application result state value is recorded as R = 102, indicating that applicant authentication failed, and the process jumps to the certificate application result sending stage, namely (4) application result formation below.
(2) Second certificate generation: if the authorization check passes, the WAPI certificate issuing process continues, i.e. the AS103 generates the WAPI certificate issued to the STA101 based on the certificate subject (Subject) attributes and the public key information in the first certificate, namely the second WAPI certificate. If this completes successfully, the application result state value is recorded as R = 100, indicating that the application succeeded; otherwise R = 101 is recorded, indicating a certificate signing error.
(3) Third certificate formation: in order to transmit the second certificate and the AS certificate to the STA101 at the same time, as a preferred scheme the first WAPI certificate is modified: a) a second extended attribute is added, whose OID field identifies the extension as the certificate issued to the STA and whose value field is the content of the second certificate; b) a third extended attribute is added, whose OID field identifies the extension as the public key certificate of the AS and whose value field is the content of the AS public key certificate. This modification forms the third WAPI certificate, whose contents are illustrated in Fig. 4 as a third WAPI certificate formed based on the first WAPI certificate.
(4) Application result formation: the certificate authentication result of the WAPI standard protocol is used to carry the application result and the third WAPI certificate, namely: a) the first authentication result and certificate fields of the certificate authentication result are filled by the AS103 with the authentication result value of the AP102's certificate and the certificate content of the AP102, as in the standard WAPI protocol; b) if R = 100, the second authentication result and certificate fields of the certificate authentication result are filled with the application result state value R and the content of the third certificate; otherwise the second authentication result and certificate fields are filled with the application result state value R and the content of the first certificate.
(5) Application result sending: after the AS103 has formed the application result, a WAPI certificate authentication response message is formed according to the WAPI standard protocol and sent to the AP102, where the certificate authentication result field in the message is the one formed in (4) above.
After receiving the WAPI certificate authentication response message from the AS103, the AP102 parses the "certificate authentication result" in it. Because the second certificate authentication result is not 0, that is, from the perspective of the standard WAPI authentication protocol the WAPI certificate authentication has failed, the AP102 still sends the standard access authentication response message to the STA101 and then disconnects the wireless association with the STA101. The "composite authentication result" field of the access authentication response message contains the "certificate authentication result" parsed from the WAPI certificate authentication response message and the digital signature of the AS103 over that "certificate authentication result".
The STA101 receives the access authentication response message from the AP102. Since the STA101 knows that it is in the process of applying for a WAPI certificate, it parses the access authentication response message to obtain the "composite authentication result", parses the "composite authentication result" to obtain the "certificate authentication result", and further parses the "certificate authentication result" to obtain the first certificate authentication result and certificate (the certificate content of the AP102) and the second certificate authentication result and certificate. It then enters the certificate application result processing flow, which includes:
(1) Checking the first certificate authentication result: if the result value is not 0, the certificate authentication of the AP102 failed, which indicates that the AP102 is not trusted; the STA101 cannot accept the access authentication response message sent by the AP102, and the WAPI certificate application fails.
(2) Checking the second certificate authentication result: if the result value is not 100, the WAPI certificate application did not succeed, and the value indicates the reason; if the second certificate authentication result equals 100, the WAPI certificate application succeeded.
(3) Verifying the digital signature of the "certificate authentication result": when the WAPI certificate application has succeeded, the STA101 takes the second certificate in the certificate authentication result as the third WAPI certificate generated by the AS103, takes the second certificate out of the second extended attribute of the third WAPI certificate, takes the public key certificate of the AS out of the third extended attribute of the third WAPI certificate, and verifies the digital signature of the composite authentication result using the public key certificate of the AS. If the signature does not verify, the result of this WAPI certificate application is not credible and the application fails; otherwise, the application result is authentic, and the STA101 accepts the second certificate as the applied-for digital certificate of the WAPI terminal and accepts the AS certificate as the public key certificate of the AS.
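The following is an added example, not code from the patent, that models the AS-side steps (3) and (4) above and the STA-side checks (1) to (3): the third certificate is built by adding the second and third extended attributes, the application state R is carried in the second authentication result field, and the STA unpacks the issued certificate and the AS certificate before verifying the signature. The OID strings, the `WapiCert`/`CertAuthResult` layouts and the keyed-hash `stand_in_sign` are assumptions for the demonstration; a real AS signs with its private key and the STA verifies with the AS public key certificate.

```python
from dataclasses import dataclass, field
import hashlib
import hmac

# Placeholder OIDs: the patent does not give the real values of the extended attributes.
OID_ISSUED_CERT = "oid.placeholder.second-ext"  # 2nd extension: certificate issued to STA
OID_AS_CERT = "oid.placeholder.third-ext"       # 3rd extension: AS public key certificate
R_SUCCESS, R_SIGN_ERROR = 100, 101              # application result state values from the text

@dataclass
class WapiCert:
    subject: str
    public_key: bytes
    extensions: dict = field(default_factory=dict)

@dataclass
class CertAuthResult:
    first_result: int      # AP certificate check by AS: 0 means authenticated (standard WAPI)
    first_cert: WapiCert   # AP certificate
    second_result: int     # reused here to carry the application state value R
    second_cert: WapiCert  # third WAPI certificate on success, else the first certificate

def form_third_cert(first, second, as_cert):
    """AS side, step (3): copy the first cert and add the 2nd and 3rd extended attributes."""
    third = WapiCert(first.subject, first.public_key, dict(first.extensions))
    third.extensions[OID_ISSUED_CERT] = second
    third.extensions[OID_AS_CERT] = as_cert
    return third

def form_cert_auth_result(ap_result, ap_cert, r, first, third):
    """AS side, step (4): carry the third cert only when R == 100, otherwise the first cert."""
    return CertAuthResult(ap_result, ap_cert, r, third if r == R_SUCCESS else first)

def stand_in_sign(as_cert, result):
    # Stand-in for the AS digital signature over the result (keyed hash, demo only, not PKI).
    return hmac.new(as_cert.public_key, repr(result).encode(), hashlib.sha256).digest()

def process_result(result, signature):
    """STA side, checks (1)-(3): returns (status, issued_cert, as_cert)."""
    if result.first_result != 0:               # (1) AP not trusted
        return ("ap_untrusted", None, None)
    if result.second_result != R_SUCCESS:      # (2) application failed, R gives the reason
        return (f"failed:{result.second_result}", None, None)
    third = result.second_cert                 # (3) unpack the third certificate
    issued, as_cert = third.extensions[OID_ISSUED_CERT], third.extensions[OID_AS_CERT]
    # The AS certificate used for verification comes from the response itself, as in the text.
    if not hmac.compare_digest(stand_in_sign(as_cert, result), signature):
        return ("signature_invalid", None, None)
    return ("ok", issued, as_cert)
```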
The above description is only the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto; any equivalent substitution or change that a person skilled in the art can readily conceive within the technical scope disclosed here, based on the technical solution and inventive concept of the present invention, should be covered by the scope of the present invention.

Claims (2)

1. A method for applying for a WAPI certificate, a wireless terminal STA and a WAPI certificate authenticator AS, characterized in that the STA generates a first WAPI certificate by self-signing, the first WAPI certificate comprising a first extended attribute representing the intention to apply for a WAPI certificate; the AS determines the WAPI certificate application intention of the STA based on the first extended attribute in the first WAPI certificate, generates a second WAPI certificate issued to the STA based on the information in the first WAPI certificate, and forms a third WAPI certificate by modifying the first WAPI certificate, the modification comprising adding a second extended attribute to carry the second WAPI certificate, adding a third extended attribute to carry the AS public key certificate, and re-signing; and the STA and the AS transmit the first WAPI certificate and the third WAPI certificate through interaction over the WAPI wireless network based on the standard WAPI authentication protocol, thereby realizing online application for the WAPI certificate of the wireless terminal;
S1: in order to apply for a WAPI certificate, the wireless terminal STA (station) associates with a wireless access point AP (access point) to access the WAPI wireless network, and after receiving the WAPI authentication activation message sent by the AP, sends a standard WAPI access authentication message to the AP, wherein the terminal certificate in the WAPI access authentication message is the first WAPI certificate generated by the STA through self-signing;
S2: after receiving the standard certificate authentication request message, the WAPI certificate authenticator AS obtains the terminal certificate, namely the first WAPI certificate, and determines whether the authentication request is a certificate application by the STA by checking the first extended attribute of the first WAPI certificate; if so, it performs the applicant authorization check based on the applicant authentication information contained in the first extended attribute of the first WAPI certificate; if the authorization check passes, it generates the second WAPI certificate issued to the STA based on the first WAPI certificate, then modifies the first WAPI certificate to form the third WAPI certificate, includes the third WAPI certificate as the terminal certificate in the terminal certificate field of the authentication result of the certificate authentication response message, and uses a specific authentication result value to represent the certificate application result state; the modification of the first WAPI certificate comprises adding a second extended attribute to identify and contain the second certificate, adding a third extended attribute to identify and contain the AS certificate, and re-signing with the AS private key;
S3: after the STA receives the standard access authentication response message, it obtains the terminal certificate authentication result value from the message to determine the certificate application result state; if the result state is success, it takes out the terminal certificate in the authentication result, namely the third WAPI certificate, takes the second WAPI certificate, namely the WAPI certificate applied for by the STA, out of the second extended attribute of the third WAPI certificate, and takes the AS certificate out of the third extended attribute of the third WAPI certificate.
2. The method, wireless terminal and WAPI certificate authenticator for WAPI certificate application as claimed in claim 1, wherein in step S1 the certificate subject (or holder) of the first WAPI certificate includes key information and public key information of the applicant, the certificate application behavior is identified by the first extended attribute of the first WAPI certificate, and the first extended attribute further includes applicant authentication information, which is entered manually by the applicant at the time of application.
CN202210920349.1A 2022-08-02 2022-08-02 WAPI certificate application method, wireless terminal and certificate discriminator Pending CN115278676A (en)
Publications (1)

Publication Number Publication Date
CN115278676A true CN115278676A (en) 2022-11-01
Legal Events

Code Description
PB01 Publication
SE01 Entry into force of request for substantive examination