WO2008080352A1 - A wlan authentication charging method based on wapi - Google Patents

Publication number
WO2008080352A1
Authority
WO
WIPO (PCT)
Prior art keywords
mobile terminal
access point
authentication
certificate
wireless access
Application number
PCT/CN2007/071371
Other languages
French (fr)
Chinese (zh)
Inventor
Benteng Ma
Jun Cao
Bianling Zhang
Xiaolong Lai
Xiangchen Ma
Original Assignee
China Mobile Group Design Institute Co., Ltd.
China Iwncomm Co., Ltd.
Application filed by China Mobile Group Design Institute Co., Ltd. and China Iwncomm Co., Ltd.
Publication of WO2008080352A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/02 Details
    • H04L12/14 Charging, metering or billing arrangements for data wireline or wireless communications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10 Small scale networks; Flat hierarchical networks
    • H04W84/12 WLAN [Wireless Local Area Networks]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/02 Terminal devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/08 Access point devices

Definitions

  • The mobile terminal and the wireless access point perform session key negotiation, and the wireless access point notifies the mobile terminal of the multicast key, as follows:
  • The wireless access point sends a unicast key negotiation request to the mobile terminal. After receiving the request, the mobile terminal sends a unicast key negotiation response to the wireless access point, whose data includes the record data of the session key. After receiving the unicast key negotiation response, the wireless access point sends a unicast key negotiation confirmation to the mobile terminal.
  • The wireless access point sends a multicast key announcement to the mobile terminal, which includes the key for encrypting multicast data; after receiving it, the mobile terminal sends a multicast key announcement response to the wireless access point.
  • The wireless access point allows the mobile terminal to access.
  • The access controller sends the account information of the mobile terminal to the server for authentication. The access controller (AC) is a network device that provides access control for users accessing the network.
  • The server gives the mobile terminal authentication information according to the result of the account information authentication, and the mobile terminal exchanges data with the network, that is, the mobile terminal can access the network.
  • In step 7), the access controller authenticates the account information of the mobile terminal as follows:
  • The system automatically pops up a web page prompting the user to enter a user name and password.
  • The server verifies the identity of the user according to the user name and password, and controls network access according to the authentication result.
  • The terminal can access the network.
  • In step 7), the account information of the mobile terminal can also be authenticated as follows:
  • The mobile terminal uses the information in the subscriber identity module (that is, the SIM card) to perform identity authentication and session key negotiation with the wireless access point through the authentication server, and network access is controlled according to the authentication result.
  • The mobile terminal can access the network.
  • Link-level authentication and user-level identity authentication are split into two independent processes. Link-level authentication protects the security of wireless link access, and user-level identity authentication serves management functions such as authorization and billing, so that the WLAN can act as an extension of the original operating network and its operation and management are consistent with that network.
  • The invention achieves two-way identity authentication between the user and the network in the link-level authentication process, is compatible with the original authorization, accounting and other management systems, and supports the related standards.
  • The invention uses a certificate mechanism based on a public-key cryptosystem in the link-level authentication process and achieves true two-way authentication between the mobile terminal (MT) and the wireless access point (AP), which fully meets operators' requirements for secure access and ensures the security of the wireless link.
  • The network further verifies the user identity of the mobile terminal, controls whether the mobile terminal can access the network, and according to the authentication result controls network access and bills the user for it. The information of the subsequent user account authentication phase is effectively protected, so security is high.
  • The steps in the above embodiments can be implemented by a program instructing the relevant hardware, and the program can be stored in a computer-readable storage medium such as a ROM/RAM, a disk, a CD, etc. Alternatively, the steps may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module. The invention is thus not limited to any specific combination of hardware and software.

Abstract

A WLAN authentication and charging method based on WAPI includes the following steps: the same certificate is issued to all mobile terminals, and a different certificate is issued to each radio access point. When a mobile terminal accesses a network, the mobile terminal associates with a radio access point and establishes a link connection. The certificate of the mobile terminal and the certificate of the radio access point associated with the mobile terminal are authenticated. When the certificate authentication is successful, the mobile terminal and the radio access point negotiate session keys, and the radio access point notifies the mobile terminal of the multicast keys to allow the mobile terminal access. After the mobile terminal accesses the network, the account information of the mobile terminal is authenticated. The authentication information of the mobile terminal is obtained according to the result of the account information authentication so that the mobile terminal can access the network. According to the present invention, the operation and management of the WLAN conform to the original operating network, bidirectional identity authentication between the user and the network can be realized, the method is compatible with the original authorization and charging systems, and the related standards are supported.

Description

Method for WLAN authentication and charging based on WAPI

This application claims priority to Chinese patent application No. 200610105377.9, filed with the Chinese Patent Office on December 29, 2006 and entitled "Method for implementing WAPI-based WLAN operation with one terminal certificate", the entire contents of which are incorporated herein by reference.

Technical field

The present invention relates to the field of network and wireless communication technologies, in particular to wireless local area networks, and specifically to a method for WLAN operation based on the WLAN Authentication and Privacy Infrastructure (WAPI).

Background
Wireless local area networks (WLAN) have developed rapidly in recent years thanks to the flexibility, speed and scalability of their architecture, and are now widely used in hotspot operation, enterprises, industry and homes. Mobile operators build WLANs in order to combine them with existing mobile networks and functions, providing users with faster and broader mobile voice and data access services and a supplement to wired data access. An operable WLAN no longer just provides users with simple network interconnection; more importantly, it has to achieve carrier-grade operation. A series of functions such as billing, network management and authentication must therefore be added to the basic architecture, and user access control and charging methods have to be considered.
Security is critical for wireless LANs. WLAN-related standards have taken initial shape and include a new security mechanism, the WLAN Authentication and Privacy Infrastructure (WAPI), which consists of two parts: the WLAN Authentication Infrastructure (WAI) and the WLAN Privacy Infrastructure (WPI).
WAPI provides a certificate-based authentication and key negotiation method that offers a high level of security, ensures that legitimate users access legitimate networks, and protects data on the wireless link.
When a WLAN is used in an operating environment, authentication and charging are closely related. Charging is performed on the basis of authentication. Operators already have their own mature authentication and charging methods, but these are not necessarily integrated with certificate authentication. How to match these mature authentication and charging methods with certificate authentication is one of the key problems of WLAN operation.
Current authentication mechanisms (such as RADIUS) implement only one-way authentication of the user by the network, and build charging and other functions on that authentication. This approach is effective when the link is relatively secure, that is, it suits wired environments. WLAN links, however, are very insecure because of their open nature, and applying these authentication and charging methods directly to a WLAN causes serious security problems.

Summary of the invention
The present invention provides a WLAN authentication and charging method that is compatible with related authentication methods and supports the various authentication and charging methods currently in use, so as to implement certificate-based WAPI WLAN operation.
The invention provides a WAPI-based WLAN authentication method, including:
issuing the same certificate to all mobile terminals, and installing the issued certificate on each mobile terminal;
issuing a different certificate to each wireless access point, and installing the issued certificate on the respective wireless access point;
when a mobile terminal accesses the network, associating the mobile terminal with a wireless access point to establish a link connection;
authenticating the certificate of the mobile terminal and the certificate of its associated wireless access point respectively;
when the certificate authentication succeeds, performing session key negotiation between the mobile terminal and the wireless access point, the wireless access point announcing the multicast key to the mobile terminal, so as to allow the mobile terminal to access.
The invention also provides a WAPI-based WLAN authentication and charging method, including:
issuing the same certificate to all mobile terminals, and installing the issued certificate on each mobile terminal;
issuing a different certificate to each wireless access point, and installing the issued certificate on the respective wireless access point;
when a mobile terminal accesses the network, associating the mobile terminal with a wireless access point to establish a link connection;
authenticating the certificate of the mobile terminal and the certificate of its associated wireless access point respectively;
when the certificate authentication succeeds, performing session key negotiation between the mobile terminal and the wireless access point, the wireless access point announcing the multicast key to the mobile terminal, so as to allow the mobile terminal to access;
after the mobile terminal has accessed the network, authenticating the account information of the mobile terminal;
giving mobile terminal authentication information according to the result of the account information authentication, so that the mobile terminal can access the network.
In the solution provided by the embodiments of the invention, the same certificate is issued to all mobile terminals and a different certificate is issued to each wireless access point. Link-level authentication and user-level identity authentication are separated into two independent processes: link-level authentication protects the security of wireless link access, and user-level identity authentication serves management functions such as authorization and charging. The WLAN can thus act as an extension of the original operating network, and its operation and management stay consistent with that network. The link-level authentication process achieves two-way identity authentication between the user and the network, remains compatible with the original authorization, charging and other management systems, and supports the related standards.
In addition, the link-level authentication process uses a certificate mechanism based on a public-key cryptosystem, which achieves true two-way authentication between the mobile terminal (MT) and the wireless access point (AP), fully meets operators' requirements for secure access, and ensures the security of the wireless link. Moreover, in the user account information authentication phase, the network further verifies the user identity of the mobile terminal, controls whether the mobile terminal may access the network, and according to the authentication result controls network access and charges the user for it. The information of the subsequent user account authentication phase is effectively protected, so security is high.
Once a certificate has been set up on a wireless access point, no further configuration of the back-end AAA server is needed. Installation and networking are convenient, which suits operation in large-scale hotspots and similar areas. Users only need to install one certificate to roam between the different areas covered by the WLAN, which is convenient for them.
On the basis of ensuring secure access, the invention uses the same terminal certificate, which simplifies operation and maintenance procedures and greatly reduces cost.

Brief description of the drawings

… flow chart.

Detailed description
To make the principles, features and advantages of the invention clearer, the following description refers to specific embodiments. In this specification, a mobile terminal (MT) is a terminal in which a wireless network adapter is installed.
A wireless access point (AP) is a device that provides network access services to mobile terminals.
The server (AS) is a network entity that provides identity authentication services and certificate management functions.
… authentication steps, where the link-level authentication steps are as follows:
1) The server issues the same certificate to all mobile terminals and issues a certificate to each wireless access point, with different wireless access points receiving different certificates. The mobile terminals and wireless access points install the certificates issued by the server;
2) When a mobile terminal needs to access the network, it first associates with a wireless access point and establishes a link connection;
3) After the mobile terminal has associated with the wireless access point, the wireless access point sends an authentication activation frame to the mobile terminal to start the authentication process;
4) Following the relevant procedure, the server performs certificate authentication of the mobile terminal and the wireless access point:
4.1) The mobile terminal sends an access authentication request to the wireless access point, containing the mobile terminal's certificate;
4.2) The wireless access point sends a certificate authentication request to the server, containing the certificates of the mobile terminal and the wireless access point;
4.3) The server verifies the certificates of the mobile terminal and the wireless access point. It checks whether the mobile terminal's certificate is the unified valid certificate issued to all mobile terminals in the network, and whether the wireless access point's certificate is a valid certificate (a wireless access point's certificate must not be the same as the certificate issued to mobile terminals in the network). It then returns a certificate authentication response to the wireless access point, containing the authentication results for the mobile terminal's and the wireless access point's certificates;
4.4) The wireless access point decides, from the mobile terminal certificate authentication result returned by the server, whether to allow the mobile terminal to access, and sends an access authentication response to the mobile terminal;
4.5) The mobile terminal decides, from the server's authentication result for the wireless access point's certificate carried in the access authentication response, whether to access that wireless access point. If so, it proceeds to step 5); otherwise the procedure ends.
5) If certificate authentication succeeds, the mobile terminal and the wireless access point negotiate a session key and the wireless access point announces the multicast key to the mobile terminal, as follows:
The wireless access point sends a unicast key negotiation request to the mobile terminal, which includes random data used to form the session key. On receiving the unicast key negotiation request, the mobile terminal sends a unicast key negotiation response to the wireless access point, which also includes random data used to form the session key. On receiving the unicast key negotiation response, the wireless access point sends a unicast key negotiation confirmation to the mobile terminal.
The wireless access point sends a multicast key announcement to the mobile terminal, containing the key used to encrypt multicast data. On receiving it, the terminal sends a multicast key announcement response to the wireless access point.
6) The wireless access point allows the mobile terminal to access;
Further, the account information authentication steps are as follows:
7) The access controller sends the mobile terminal's account information to the server for authentication. The access controller (AC, Access Controller) is a network device that provides access control for users accessing the network;
8) The server gives the mobile terminal authentication information according to the result of the account information authentication, and the mobile terminal exchanges data with the network; that is, the mobile terminal can access the network.
In step 7), the access controller can authenticate the mobile terminal's account information as follows:
When the certificate authentication phase is complete and the user browses the network, the system automatically pops up a web page prompting the user to enter a user name and password. The server verifies the user's identity from the user name and password and controls network access according to the authentication result. Once verification passes, the mobile terminal can access the network.
In step 7), the access controller can alternatively authenticate the mobile terminal's account information as follows:
When the certificate authentication phase is complete, the mobile terminal uses the information in the subscriber identity module (that is, the SIM card) to perform identity authentication and session key negotiation with the wireless access point through the authentication server, and network access is controlled according to the authentication result. If authentication succeeds, the mobile terminal can access the network.
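The two phases described above (steps 1 to 8), modelled as an added Python illustration that is not part of the patent text. All class and function names are hypothetical, the certificates are constructed byte strings compared by fingerprint rather than real signed certificates, and the key negotiation of step 5 is left out.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for a certificate; a real AS would verify a signature chain."""
    subject: str
    body: bytes

    def fingerprint(self) -> str:
        return hashlib.sha256(self.body).hexdigest()


class AuthServer:
    """AS: one shared certificate for all MTs, a distinct certificate per AP."""

    def __init__(self):
        self.shared_mt_cert = Cert("all-mobile-terminals", b"constructed-shared-mt-cert")
        self._ap_fingerprints = set()
        self._accounts = {}  # username -> (salt, derived key)

    def issue_ap_cert(self, ap_name):
        cert = Cert(ap_name, b"constructed-ap-cert:" + ap_name.encode())
        self._ap_fingerprints.add(cert.fingerprint())
        return cert

    def add_account(self, username, password):
        salt = os.urandom(16)
        self._accounts[username] = (salt, self._derive(password, salt))

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def certificate_auth(self, mt_cert, ap_cert):
        """Step 4.3: check both certificates, return both results to the AP."""
        shared = self.shared_mt_cert.fingerprint()
        ap_fp = ap_cert.fingerprint()
        return {
            "mt_valid": mt_cert.fingerprint() == shared,
            # An AP certificate must be one the AS issued and must never be
            # the certificate issued to the mobile terminals.
            "ap_valid": ap_fp in self._ap_fingerprints and ap_fp != shared,
        }

    def account_auth(self, username, password):
        """Steps 7-8: user-level check; the only step that identifies the user."""
        salt, stored = self._accounts.get(username, (b"\0" * 16, b""))
        return hmac.compare_digest(self._derive(password, salt), stored)


def connect(server, mt_cert, ap_cert, username, password):
    """Run both phases and report where the attempt stopped."""
    result = server.certificate_auth(mt_cert, ap_cert)  # steps 4.1-4.3
    if not result["mt_valid"]:  # step 4.4, decided by the AP
        return "rejected-by-ap"
    if not result["ap_valid"]:  # step 4.5, decided by the MT
        return "rejected-by-mt"
    # Step 5 (unicast key negotiation, multicast key announcement) omitted.
    if not server.account_auth(username, password):
        return "link-only"
    return "access-granted"
```

Because every terminal presents the same certificate, the result of `certificate_auth` is identical for all users; only `account_auth` ties a session to an account for authorization and billing.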
As can be seen from the scheme provided by the above embodiment, issuing the same certificate to all mobile terminals and a different certificate to each wireless access point separates link-level authentication and user-level identity authentication into two mutually independent processes. Link-level authentication protects the security of wireless link access, while user-level identity authentication serves management functions such as authorization and billing. The WLAN can therefore act as an extension of the existing operating network, and its operation and management stay consistent with that network. The link-level authentication process achieves two-way identity authentication between user and network, is compatible with the existing authorization and billing management systems, and supports the relevant standards.
In addition, the link-level authentication process uses a certificate mechanism based on a public-key cryptosystem, which truly achieves two-way authentication between the mobile terminal MT and the wireless access point AP, fully meets operators' requirements for secure access, and ensures the security of the wireless link. Moreover, in the user account information authentication phase, the network further verifies the user identity of the mobile terminal, controls whether the mobile terminal can access the network, and, according to the authentication result, controls network access and bills the user for it. The information in the subsequent user account authentication phase is effectively protected, so security is high.
Once a wireless access point has its certificate installed, no further configuration of the back-end AAA server is needed. Installation and networking are simple, so the method suits operation in large-scale hotspot areas. Users need to install only one certificate to roam across the different areas covered by the WLAN, which is convenient for them.
On the basis of ensuring secure access, the invention uses the same terminal certificate, which simplifies operation and maintenance procedures and greatly reduces cost.
Those skilled in the art will understand that the steps in the above embodiments can be implemented by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc. Alternatively, the steps can be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. The invention is thus not limited to any specific combination of hardware and software.
The above embodiments serve to illustrate and explain the principles of the invention. It should be understood that specific embodiments of the invention are not limited to them. Various changes and modifications made by those skilled in the art without departing from the spirit and scope of the invention all fall within its scope of protection.

Claims

1. A WAPI-based WLAN authentication and charging method, characterized by comprising:
issuing the same certificate to all mobile terminals, and installing the issued certificate on each mobile terminal;
issuing a different certificate to each wireless access point, and installing the issued certificate on the respective wireless access point;
when a mobile terminal accesses the network, the mobile terminal associating with a wireless access point and establishing a link connection;
authenticating the certificate of the mobile terminal and the certificate of its associated wireless access point respectively;
when certificate authentication succeeds, the mobile terminal and the wireless access point performing session key negotiation, and the wireless access point announcing the multicast key to the mobile terminal, so as to allow the mobile terminal to access;
after the mobile terminal has accessed the network, authenticating the account information of the mobile terminal;
giving mobile terminal authentication information according to the result of the account information authentication, so that the mobile terminal can access the network.
2. The method according to claim 1, characterized by further comprising:
after the mobile terminal has associated with the wireless access point, the wireless access point sending an authentication activation packet to the mobile terminal to start the authentication process.
3. The method according to claim 1, characterized in that the certificate authentication specifically comprises the following steps:
the wireless access point sends an authentication activation packet to the mobile terminal;
the wireless access point receives an access authentication request sent to it by the mobile terminal, the request carrying the mobile terminal's certificate;
the wireless access point forwards the certificate authentication request to the server, the request carrying the certificates of the mobile terminal and the wireless access point;
when the server has completed verification of the certificates of the mobile terminal and the wireless access point, the wireless access point receives the certificate authentication response message returned by the server, the response message carrying the authentication results for the mobile terminal's and the wireless access point's certificates;
the wireless access point decides, from the mobile terminal certificate authentication result returned by the server, whether to allow the mobile terminal to access, and sends an access authentication response to the mobile terminal.
4. The method according to claim 1 or 2, characterized in that the process of authenticating the account information of the mobile terminal comprises:
when the certificate authentication phase is complete, prompting the user to enter a user name and password;
the server verifying the user's identity from the user name and password and controlling network access according to the authentication result; once verification passes, the mobile terminal can access the network.
5. The method according to claim 1 or 2, characterized in that authenticating the account information of the mobile terminal comprises:
when the certificate authentication phase is complete, the mobile terminal using the information in the SIM card to perform identity authentication and session key negotiation with the wireless access point through the authentication server, and network access being controlled according to the authentication result; if authentication succeeds, the mobile terminal can access the network.
6. A WAPI-based WLAN authentication method, characterized by comprising:
issuing the same certificate to all mobile terminals, and installing the issued certificate on each mobile terminal;
issuing a different certificate to each wireless access point, and installing the issued certificate on the respective wireless access point;
when a mobile terminal accesses the network, the mobile terminal associating with a wireless access point and establishing a link connection;
authenticating the certificate of the mobile terminal and the certificate of its associated wireless access point respectively;
when certificate authentication succeeds, the mobile terminal and the wireless access point performing session key negotiation, and the wireless access point announcing the multicast key to the mobile terminal, so as to allow the mobile terminal to access.
7. The method according to claim 6, characterized in that the certificate authentication specifically comprises the following steps:
the wireless access point sends an authentication activation packet to the mobile terminal;
the wireless access point receives an access authentication request sent to it by the mobile terminal, the request carrying the mobile terminal's certificate;
the wireless access point forwards the certificate authentication request to the server, the request carrying the certificates of the mobile terminal and the wireless access point;
when the server has completed verification of the certificates of the mobile terminal and the wireless access point, the wireless access point receives the certificate authentication response message returned by the server, the response message carrying the authentication results for the mobile terminal's and the wireless access point's certificates;
the wireless access point decides, from the mobile terminal certificate authentication result returned by the server, whether to allow the mobile terminal to access, and sends an access authentication response to the mobile terminal.
PCT/CN2007/071371 2006-12-29 2007-12-28 A wlan authentication charging method based on wapi WO2008080352A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200610105377.9 2006-12-29
CNB2006101053779A CN100512110C (en) 2006-12-29 2006-12-29 The method for realizing WAPI-based WLAN operation via a terminal certificate

Publications (1)

Publication Number Publication Date
WO2008080352A1 true WO2008080352A1 (en) 2008-07-10

Family

ID=38251796

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/071371 WO2008080352A1 (en) 2006-12-29 2007-12-28 A wlan authentication charging method based on wapi

Country Status (2)

Country Link
CN (1) CN100512110C (en)
WO (1) WO2008080352A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100512110C (en) * 2006-12-29 2009-07-08 中国移动通信集团设计院有限公司 The method for realizing WAPI-based WLAN operation via a terminal certificate
CN101483866B (en) * 2009-02-11 2011-03-16 中兴通讯股份有限公司 WAPI terminal certificate managing method, apparatus and system
CN102104857B (en) * 2009-12-16 2013-10-02 华为技术有限公司 Charging method and communication system
CN102571792A (en) * 2012-01-06 2012-07-11 西安润基投资控股有限公司 Identity authentication method allowing intelligent mobile wireless terminal to access cloud server

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1399490A (en) * 2002-08-15 2003-02-26 西安西电捷通无线网络通信有限公司 Safe access method of mobile terminal to radio local area network
CN1429005A (en) * 2001-12-25 2003-07-09 深圳市中兴通讯股份有限公司上海第二研究所 Wide-band network authentication, authorization and accounting method
CN1564524A (en) * 2004-03-26 2005-01-12 中兴通讯股份有限公司 Method of radio terminal charging fee in radio LAN
CN1996841A (en) * 2006-12-29 2007-07-11 中国移动通信集团设计院有限公司 The method for WAPI-based WLAN operation via a terminal certificate

Also Published As

Publication number Publication date
CN100512110C (en) 2009-07-08
CN1996841A (en) 2007-07-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07846197

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07846197

Country of ref document: EP

Kind code of ref document: A1