CN1299526C - A method of wireless local area network terminal user authentication based on user identifying module - Google Patents

Info

Publication number: CN1299526C
Authority: CN
Grant status: Grant
Prior art keywords: user, wireless, local, module, area
Application number: CN 200310118977
Other languages: Chinese (zh)
Other versions: CN1547405A (en)
Inventor: 阎雄伟 (Yan Xiongwei)
Original Assignee: 大唐电信科技股份有限公司 (Datang Telecom Technology Co., Ltd.)
Priority date: 2003-12-10
Filing date: 2003-12-10
Publication dates: 2004-11-17 (CN1547405A, application); 2007-02-07 (CN1299526C, granted patent)

Abstract

A method of wireless local area network (WLAN) terminal user authentication based on a user identification module. In this method, the WLAN network configuration information is stored inside a WLAN user identification module, and the core processing algorithm of EAP SIM authentication is implemented inside that module. By exchanging information with the WLAN terminal entity, the WLAN user identification module completes the EAP SIM authentication procedure and automatically configures the WLAN network parameters of the user terminal device. Implementing the EAP SIM client authentication algorithm inside the WLAN user identification module solves the security problems that arise when user information and the EAP SIM authentication algorithm are separated, provides a foundation for the diversification of WLAN terminals and the widespread application of WLAN, and gives a technical guarantee for the public operation of WLAN.

Description

A method of wireless local area network terminal user authentication based on a user identification module

Technical field

The present invention relates to user terminal equipment in the field of wireless communications, and in particular to a user authentication method for WLAN (Wireless Local Access Network) terminal equipment that supports EAP SIM (Extended Authentication Protocol Subscriber Identity Mode, the extensible authentication protocol based on a subscriber identity module).

Background

The development of Internet technology and the ever wider use of data applications have driven the rapid development of wireless data access technology. Among the ways of providing wireless data access, wireless local area network technology is a very good route to mobile data access.

Running public wireless data services over wireless local area networks can give customers inexpensive, easily deployed, high-speed broadband wireless access. In particular, when operators use wireless LAN technology to provide wireless access services, they often combine it with existing mobile network resources, for example by integrating the wireless LAN with the GSM/GPRS (Global System for Mobile Communications / General Packet Radio Service) mobile network and using the mature user authentication, billing and other resources of the GSM/GPRS network to implement authentication, billing and user management for wireless LAN users. In other words, the mobile network user's SIM (Subscriber Identity Module) is used to authenticate and manage wireless LAN users, and this is realised through the EAP SIM protocol.

Existing wireless LAN terminal devices that support EAP SIM authentication integrate a SIM card reader, and the user is authenticated to the wireless LAN by inserting a SIM card issued by the mobile network operator into the terminal. This authentication consists of two main steps. First, the SIM card provides the wireless LAN and the EAP SIM authentication mechanism with the user's original identity information, such as the International Mobile Subscriber Identifier (IMSI) and the sets of random numbers, keys and other original identity data that EAP SIM authentication needs. Second, the WLAN terminal device executes the EAP SIM client algorithm, through which the network authenticates the user.

This way of implementing user authentication in the wireless LAN terminal has the following drawbacks:
1. The EAP SIM client algorithm is implemented by the wireless LAN terminal manufacturer, so terminals from different manufacturers may be incompatible with the EAP SIM server in the network.
2. The EAP SIM algorithm is implemented outside the SIM card, and while the client algorithm runs the SIM card has to hand out multiple sets of random numbers and keys. This makes it relatively easy for an attacker to obtain important information held in the user's SIM card, which seriously threatens the security of the wireless LAN and of the whole mobile communication network.
3. Because the client-side EAP SIM algorithm is separated from the SIM card, user identification and user verification are easily separated as well; this confuses the mobile network's management of wireless LAN users and makes it easy for an illegitimate user to impersonate a legitimate one to gain access to the mobile communication network.
4. A wireless LAN terminal needs many specialist parameters to be configured before it can join a wireless LAN and work normally, which requires a person with a certain level of expertise.
This makes the equipment difficult for ordinary users to use and difficult for operators to extend wireless services with, limiting the operation and growth of wireless local area networks.

Summary of the invention

The object of the present invention is to provide a user identification module WSIM (Wireless Subscriber Identity Mode, wireless LAN user identification module) that supports wireless LANs and solves the problem, present in existing wireless LAN terminals, that the EAP SIM algorithm is separated from the SIM card: the EAP SIM algorithm is implemented inside the WSIM card rather than inside the wireless LAN user terminal. A WSIM interface scheme is used to solve the problem of information exchange between the WSIM and the wireless LAN terminal. In addition, the WSIM's user information storage function is used to solve the wireless LAN network configuration problem of wireless LAN terminal devices.

To achieve the above object, the present invention provides a wireless local area network (WLAN) terminal apparatus that supports the extensible authentication protocol based on a user identification module, comprising:
1. A WLAN terminal entity S1, which performs the voice, data transmission and other functions of the WLAN itself and supports the EAP SIM workflow and the interface S4. S1 may be a wireless LAN card, a GPRS/wireless LAN dual-mode network card, a wireless LAN handheld device, a voice or data device based on wireless LAN technology, or another WLAN terminal entity.
2. A WSIM S3, a SIM module that supports wireless LAN network authentication, implements the EAP SIM core processing algorithm and stores the wireless LAN network configuration information.
3. An interface S4 between the WLAN terminal device S1 and the WSIM S3.

The present invention relates to a method of automatic network configuration for a wireless LAN user terminal based on EAP SIM authentication. Its main feature is that the EAP SIM core processing algorithm is implemented inside the WSIM, which also stores the wireless LAN configuration information. The WSIM exchanges information with the wireless LAN terminal entity through the interface S4 of the present invention; the wireless LAN terminal entity completes the EAP SIM procedure and automatically performs the network configuration of the user terminal device.

The present invention also relates to a user identification module WSIM that supports the wireless LAN network authentication protocol EAP SIM, characterised in that the EAP SIM client authentication algorithm is implemented inside the WSIM and the wireless LAN network configuration information is stored inside it.

The present invention also relates to an interface operating scheme between the wireless LAN terminal entity and the WSIM. The interface carries command information and response information to realise the exchange of information between the WSIM module and the wireless LAN terminal entity. Its main feature is that the following commands are provided to support the EAP SIM authentication procedure and to read and write the wireless LAN network configuration information:
1. Get current version command: the wireless LAN terminal entity uses this command to obtain the version number of the EAP SIM protocol supported by the WSIM and the version number of the WSIM itself; both are returned in the response information.
2. Get preferred identity command: the terminal entity uses this command to obtain the preferred user identity information corresponding to the WSIM, which is returned in the response information.
3. Select identity command: the terminal entity uses this command to select the user identity information defined in the EAP SIM protocol, and the response information returns the user identity information required by the EAP SIM server.
4. Get random number command: the terminal entity uses this command to obtain the random number needed in the EAP SIM authentication process, which is returned in the response information.
5. EAP SIM processing command: the terminal entity uses this command to start the EAP SIM client algorithm inside the WSIM, and the response information returns the EAP SIM client authentication result and the master session key.
6. Get wireless LAN network configuration command: the terminal entity uses this command to obtain the wireless LAN network configuration information stored in the WSIM, which is the basis for the terminal's automatic wireless LAN network configuration; the configuration parameters are returned in the response information.

The present invention also includes an interface workflow between the wireless LAN terminal entity and the WSIM, according to which the terminal entity and the WSIM complete the client functions defined by the EAP SIM protocol. The workflow has the following features. After the wireless LAN terminal entity S1 receives the request-identity command issued by the wireless LAN network server S2, S1 obtains the user's preferred identity information from the WSIM with the "get preferred identity command" and returns that identity information to the network server S2, which judges the legitimacy of the user identity; if the user is legitimate, the network server S2 sends an EAP SIM authentication start message to S1. After S1 receives the EAP SIM authentication start message, it obtains from the WSIM, with the "select identity command", the user identity information that the network server needs to authenticate; obtains the current WSIM version from the WSIM S3 with the "get current version command"; and obtains the random number required for EAP SIM authentication from the WSIM with the "get random number command".
S1 sends the user identity information, version number and random number to the network server S2. The server starts the server-side algorithm specified in the EAP SIM protocol on the basis of the user identity information, version number and random number it received, and returns the computed EAP SIM authentication challenge information to S1. S1 passes the challenge to the WSIM with the "EAP SIM processing command", which starts the EAP SIM client algorithm and returns the computed result to S1 in the response information. S1 forwards the WSIM client algorithm result to the network server S2, which processes the result and sends the EAP SIM authentication result message to S1.

The present invention thus solves the security problems of user information and the EAP SIM authentication algorithm, provides a foundation for the diversification of WLAN terminals and the widespread application of WLAN, and gives a technical guarantee for the public operation of WLAN.

Brief description of the drawings

Figure 1 is the network diagram of the WLAN terminal entity and its system application; Figure 2 is the flowchart of the WLAN terminal entity; Figure 3 is the flowchart of the interface operating commands and workflow between the WLAN terminal entity and the WSIM.

Detailed description of embodiments

The following describes an embodiment of the wireless LAN terminal device and its information authentication method, and further describes the content of the present invention in conjunction with this embodiment.

The following example is a wireless LAN network card device that supports EAP SIM authentication and conforms to the present invention. The card has a PCMCIA (Personal Computer Memory Card International Association) interface and connects to a notebook computer through it. The card supports the IEEE 802.11b wireless LAN specification (IEEE: Institute of Electrical and Electronic Engineers; 802.11b is a wireless LAN specification drawn up by the IEEE). A reader for the WSIM user identification module is built into the card.

With a WSIM inserted into the WSIM card holder, the card forms a complete wireless LAN network card terminal device supporting EAP SIM authentication. As shown in Figure 2, the card's working principle and flow are as follows:
A1. Power on; the wireless LAN card starts.
A2. The card obtains the wireless LAN network configuration information from the WSIM with the "get wireless LAN network configuration command" and automatically configures its own parameters from it.
A3. During configuration, if a wireless LAN is detected to be available, the terminal entity (the card) waits for the system to issue the EAP SIM start command; otherwise the system stops running.
A4. After automatic configuration is complete, the card obtains the user version information and identity information from the WSIM.
A5. The terminal entity interacts with the wireless LAN authentication server according to the EAP SIM workflow and completes the wireless LAN user authentication through the interface S4 shown in Figure 1.

The WSIM and the wireless LAN card cooperate according to the above workflow and interface operating scheme to complete EAP SIM based authentication.

The interface between the WSIM and the wireless LAN card follows the ISO 7816 standard and uses the information structures defined by ISO 7816, of which there are two: the command information structure and the response information structure. The WSIM and the card interact by command and response: the card issues a command, the WSIM processes it and returns a response to that command.

Combining the above, an example of the information exchange between the wireless LAN card and the WSIM during one complete EAP SIM authentication on this card is as follows:
P1. The card uses the "get preferred identity" command to obtain the WSIM's AID (application identifier) from the WSIM; the command parameter "1" means "get the WSIM's AID".
P2. The response returns the AID, which identifies whether the card is intended for EAP SIM authentication on a WLAN. The card returns this preferred identity information to the wireless LAN network server, which judges the legitimacy of the user identity; if the user is legitimate, the server sends an EAP SIM authentication start message to the card, carrying the type of user identity the server wants to authenticate and the EAP SIM version numbers the server supports.
P3. After receiving the request-identity command from the wireless LAN network server, the card obtains the user's identity information from the WSIM with the "select identity command".
P4. The WSIM returns the select identity response to the card.
P5. After receiving the server's EAP SIM authentication start message, the card obtains the version information from the WSIM with the "get current version command"; the data field of this command carries the EAP SIM version numbers supported by the server.
P6. The user identification module returns the get current version response to the card.
P7. After receiving the server's EAP SIM authentication start message, the card obtains the random number NONCE_MT required for EAP SIM authentication from the WSIM with the "get random number command".
P8. The user identification module returns the random number response to the card. The card sends the identity information, version information and random number obtained from the module to the wireless LAN server, which runs the server-side algorithm specified in the EAP SIM protocol, generates the EAP SIM authentication challenge and sends it to the card.
P9. The card passes the challenge to the WSIM with the "EAP SIM processing command", starting the EAP SIM client algorithm inside the WSIM.
P10. The WSIM returns the result of the EAP SIM client algorithm to the card in the response information. The response also carries the master session key generated by the WSIM, which is used as the key for the subsequent encryption of user data.

The card forwards the result to the server. The EAP SIM client's authentication result is carried in the response's return status code and in the response packet, which may be labelled EAP-RESPONSE and contains the EAP SIM client value AT_SRES computed by the WSIM. The server compares AT_SRES with the SRES it computed earlier; if they match, it sends an EAP SIM success message to the card and the user can access the Internet.
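The command set, the A1 to A5 start-up flow and the P1 to P10 exchange above, modelled as an added example that is not part of the patent or of Datang's implementation. Its point is the security property the patent claims: the terminal entity only relays commands and responses, and the subscriber key Ki and the Kc values never leave the WSIM. The command names, the ISO 7816 status words, the HMAC stand-in for the operator-specific GSM A3/A8 algorithms and the master-key derivation (taken from RFC 4186, which the patent does not cite) are assumptions of this example.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

# ISO 7816 status words used by this constructed WSIM command interface.
SW_OK, SW_INS_NOT_SUPPORTED = 0x9000, 0x6D00


def a3a8(ki: bytes, rand: bytes) -> tuple:
    """Constructed stand-in for GSM A3/A8 (operator-specific in practice): (SRES, Kc) from Ki and RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def eap_sim_mk(identity, kcs, nonce_mt, version_list, selected_version):
    """EAP-SIM master key per RFC 4186: SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version)."""
    return hashlib.sha1(identity + b"".join(kcs) + nonce_mt + version_list +
                        selected_version).digest()


@dataclass
class WSIM:
    """The user identification module: holds Ki, the WLAN configuration and the EAP-SIM client algorithm."""
    ki: bytes
    imsi: str
    wlan_config: dict
    state: dict = field(default_factory=dict)

    def apdu(self, ins: str, data: bytes = b"") -> tuple:
        if ins == "GET_WLAN_CONFIG":           # stored network parameters (step A2)
            return SW_OK, repr(self.wlan_config).encode()
        if ins == "GET_PREFERRED_IDENTITY":    # EAP-SIM permanent identity: "1" + IMSI
            return SW_OK, b"1" + self.imsi.encode()
        if ins == "SELECT_IDENTITY":
            self.state["identity"] = b"1" + self.imsi.encode()
            return SW_OK, self.state["identity"]
        if ins == "GET_VERSION":               # data = version list from the server's Start message
            self.state["version_list"], self.state["selected"] = data, data[:2]
            return SW_OK, self.state["selected"]
        if ins == "GET_RANDOM":
            self.state["nonce_mt"] = os.urandom(16)
            return SW_OK, self.state["nonce_mt"]
        if ins == "EAP_SIM_PROCESS":           # data = the challenge: concatenated 16-byte RANDs
            rands = [data[i:i + 16] for i in range(0, len(data), 16)]
            pairs = [a3a8(self.ki, r) for r in rands]
            mk = eap_sim_mk(self.state["identity"], [kc for _, kc in pairs],
                            self.state["nonce_mt"], self.state["version_list"],
                            self.state["selected"])
            # Ki and the Kc values never leave the module: the response carries
            # only the SRES values (AT_SRES) and the derived master key.
            return SW_OK, b"".join(sres for sres, _ in pairs) + mk
        return SW_INS_NOT_SUPPORTED, b""


@dataclass
class AuthServer:
    """EAP-SIM server side with access to the subscriber keys (the operator's AuC)."""
    subscribers: dict                         # IMSI -> Ki
    version_list: bytes = b"\x00\x01"         # offers EAP-SIM version 1
    state: dict = field(default_factory=dict)

    def start(self, identity: bytes):
        """Judge the identity from Response/Identity; return the version list or None."""
        ki = self.subscribers.get(identity[1:].decode())
        self.state = {"identity": identity, "ki": ki}
        return None if ki is None else self.version_list

    def challenge(self, selected: bytes, nonce_mt: bytes, n: int = 3) -> bytes:
        rands = [os.urandom(16) for _ in range(n)]
        pairs = [a3a8(self.state["ki"], r) for r in rands]
        self.state["sres"] = b"".join(sres for sres, _ in pairs)
        self.state["mk"] = eap_sim_mk(self.state["identity"], [kc for _, kc in pairs],
                                      nonce_mt, self.version_list, selected)
        return b"".join(rands)

    def verify(self, at_sres: bytes) -> bool:
        return hmac.compare_digest(at_sres, self.state["sres"])


def run_exchange(wsim: WSIM, server: AuthServer) -> dict:
    """The terminal entity S1: relays between WSIM and server; 'seen' records every WSIM response."""
    seen = []

    def cmd(ins, data=b""):
        sw, resp = wsim.apdu(ins, data)
        assert sw == SW_OK, f"{ins} failed with SW {sw:04X}"
        seen.append(resp)
        return resp

    cmd("GET_WLAN_CONFIG")                        # A2: auto-configure the adapter
    identity = cmd("GET_PREFERRED_IDENTITY")      # P1/P2: answer Request/Identity
    versions = server.start(identity)
    if versions is None:
        return {"success": False, "reason": "identity rejected", "seen": seen}
    identity = cmd("SELECT_IDENTITY")             # P3/P4
    selected = cmd("GET_VERSION", versions)       # P5/P6
    nonce_mt = cmd("GET_RANDOM")                  # P7/P8
    rands = server.challenge(selected, nonce_mt)  # server-side algorithm
    result = cmd("EAP_SIM_PROCESS", rands)        # P9/P10: client algorithm runs in the WSIM
    at_sres, mk = result[:-20], result[-20:]
    ok = server.verify(at_sres)                   # server compares AT_SRES with its SRES
    return {"success": ok, "mk_matches": ok and mk == server.state["mk"],
            "rands": rands, "seen": seen}
```

Because the Kc values are never in any WSIM response, a compromised terminal driver in this design learns only the session key it needs, not the GSM key material that the background section describes as exposed when the client algorithm runs outside the card.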

When implementing the present invention, the wireless LAN terminal device is not limited to the wireless LAN network card of the above embodiment; it may also be another wireless LAN device, such as a multimode network card with wireless LAN capability, a mobile phone supporting wireless LAN, or another voice or data device with wireless LAN capability, and it is not limited to wireless LAN devices using the IEEE 802.11b specification. Any wireless LAN device that uses a user identification module to implement EAP SIM authentication remains within the idea of the present invention. Likewise, when implementing the present invention, the interface between the WSIM and the wireless LAN terminal need not take the form described in the above embodiment.

Claims (4)

1. A method of wireless local area network terminal user authentication based on a user identification module, characterised in that it comprises at least the following steps: after the wireless LAN terminal entity (S1) receives the request-identity command sent by the wireless LAN network server (S2), the network terminal entity (S1) obtains the user's preferred identity information from the wireless LAN user identification module (S3) and returns that identity information to the network server (S2) to judge the legitimacy of the user identity; if the user is legitimate, the network server (S2) sends an authentication start message to the network terminal entity (S1); after receiving the authentication start message, the network terminal entity (S1) exchanges information with the wireless LAN user identification module (S3) and obtains user information from the wireless LAN user identification module (S3); the network terminal entity (S1) sends this information to the network server (S2); the network server (S2) starts the server-side algorithm on the basis of this information and returns the computed authentication challenge information to the network terminal entity (S1), which passes it to the wireless LAN user identification module (S3); the wireless LAN user identification module (S3) starts the client algorithm and returns the computed result to the network terminal entity (S1) in the response information; the network terminal entity (S1) forwards the client algorithm result of the wireless LAN user identification module (S3) to the network server (S2), which processes it and sends the authentication result information to the network terminal entity (S1).
2. The method of wireless local area network terminal user authentication based on a user identification module according to claim 1, characterised in that the wireless LAN user identification module (S3) stores wireless LAN configuration information, and the network terminal entity (S1) exchanges information with the wireless LAN user identification module (S3) to obtain that configuration information and complete the network configuration of the user terminal device.
3. The method of wireless local area network terminal user authentication based on a user identification module according to claim 1 or 2, characterised in that the information exchange between the network terminal entity (S1) and the wireless LAN user identification module (S3) comprises at least: a get wireless LAN network configuration command, a get preferred identity command, a select identity command, a get current version command, a get random number command, a processing command, and the response information to these commands.
4. The method of wireless local area network terminal user authentication based on a user identification module according to claim 1, characterised in that the user information comprises: user identity information, version information and a random number.

Priority Applications (1)

Application Number: CN 200310118977 (CN1299526C, en)
Priority Date: 2003-12-10
Filing Date: 2003-12-10
Title: A method of wireless local area network terminal user authentication based on user identifying module

Publications (2)

Publication Number Publication Date
CN1547405A (en) 2004-11-17
CN1299526C (en) 2007-02-07

Family

ID=34338097

Country Status (1)

Country Link
CN (1) CN1299526C (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1941636A4 (en) 2005-05-10 2016-10-19 Network Equipment Tech Lan-based uma network controller with proxy connection
KR100770928B1 (en) 2005-07-02 2007-10-26 삼성전자주식회사 Authentication system and method thereofin a communication system
CN101141354B (en) 2007-10-11 2010-09-29 中兴通讯股份有限公司 Terminal of selecting access to mobile network or wireless LAN
CN101510853B (en) 2009-04-09 2011-11-09 杭州华三通信技术有限公司 Method and apparatus for implementing WLAN wireless bridge, and wireless access client terminal
CN101621801B (en) * 2009-08-11 2012-11-28 华为终端有限公司 Method, system, server and terminal for authenticating wireless local area network
CN103415012A (en) * 2013-08-15 2013-11-27 惠州Tcl移动通信有限公司 Authentication method and authentication device of wireless router
CN105430651A (en) * 2015-11-02 2016-03-23 上海斐讯数据通信技术有限公司 Method and system used for detecting illegal wireless access points

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1286767A (en) * 1997-11-19 2001-03-07 艾利森电话股份有限公司 Method, and associated apparatus, for selectively permitting access by mobile terminal to packet data network
CN1453953A (en) * 2002-04-23 2003-11-05 华为技术有限公司 Fusion method between radio LAN and mobile network

Also Published As

Publication number Publication date Type
CN1547405A (en) 2004-11-17 application

Legal Events

Code Title
C06 Publication
C10 Request of examination as to substance
C14 Granted