WO2009074082A1 - Access controlling method, system and device - Google Patents

Access controlling method, system and device

Info

Publication number: WO2009074082A1
Authority: WO (WIPO, PCT)
Prior art keywords: service, access, identifier, user equipment, remote server
Application number: PCT/CN2008/073256
Other languages: French (fr), Chinese (zh)
Inventor: Mu Zhao
Original Assignee: Huawei Technologies Co., Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
    • H04W 12/086 Access security using security domains

Definitions

  • The present invention relates to network communication technologies, and in particular to an access control method, system and device.
  • A Wireless Personal Area Network (WPAN) is a network formed by several devices located close to one another. When a user equipment in the WPAN communicates with a device in the external operator network, access control of the user equipment is usually needed: for example, certain authorized user equipments are allowed to access a server in the operator network while unauthorized user equipments are rejected.
  • In the prior art, access control of a user equipment in the WPAN proceeds as follows: the user equipment first obtains an access key in advance; it then sends an access request carrying its user equipment identifier and the obtained access key to the access device in the WPAN; the access device in the WPAN sends the user equipment identifier and the access key carried in the access request to an authentication server, which verifies the access authority of the user equipment according to the received access key; after successful verification, the access device in the WPAN performs address translation and protocol conversion on the access request and sends the processed access request to the corresponding remote server of the external operator, which then provides the corresponding service to the user equipment in the WPAN.
  • the purpose of the embodiments of the present invention is to provide a method and system for performing access control on a user equipment in a WPAN, and an access device, so as to reduce occupation of wireless transmission resources in the WPAN.
  • A method for access control of a user equipment of a WPAN, comprising: presetting, in the access device of the WPAN, the correspondence between the user equipment identifier and the service identifier of the service in the remote server that the user equipment is entitled to;
  • the access device receives an access request sent by the user equipment in the WPAN, where the access request carries a user equipment identifier and a service identifier;
  • when the user equipment identifier and the service identifier carried in the access request are consistent with the correspondence stored by the access device, the access device passes the access authority verification of the user equipment;
  • the access device sends an access request to the remote server corresponding to the service identifier.
  • An access device, comprising:
  • a storage unit, configured to store the correspondence between the user equipment identifier in the WPAN and the service identifier of the service provided by the remote server that the user equipment is entitled to;
  • an information receiving and processing unit, configured to receive an access request sent by the user equipment in the WPAN, provide the user equipment identifier and the service identifier carried in the access request to the access control unit, and, after receiving notification that the access authority verification has passed, send the access request to the remote server corresponding to the service identifier carried in the access request;
  • an access control unit, configured to notify the information receiving and processing unit that the access authority verification has passed after detecting that the user equipment identifier and the service identifier provided by that unit are consistent with the correspondence stored in the storage unit.
  • A system for access control of a user equipment of a WPAN, comprising: a user equipment configured to send an access request to the access device in the WPAN, where the access request carries the user equipment identifier and the service identifier; and an access device as described above.
  • Because the access device performs the access authority verification from the user equipment identifier and the service identifier in the ACL, the user equipment in the WPAN does not need to obtain an access key, which avoids the prior-art drawback of occupying the limited transmission resources of the WPAN; this saves the wireless transmission resources of the WPAN and reduces its burden.
  • FIG. 1 is a schematic diagram of the networking of WPAN.
  • FIG. 2 is a flow chart of performing access control on user equipment in a WPAN in the embodiment of the present invention.
  • FIG. 3 is a schematic diagram of a first storage form of an ACL in an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a second storage form of an ACL in the embodiment of the present invention.
  • FIG. 5 is a schematic diagram showing the basic structure of an access device of a WPAN in the embodiment of the present invention.
  • FIG. 6 is a schematic diagram of an optimized structure of an access device of a WPAN in an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a system for performing access control on a user equipment in a WPAN in the embodiment of the present invention.
  • The embodiment of the present invention mainly works as follows: the correspondence between the user equipment identifier in the WPAN and the service identifier of the service in the remote server that the user equipment is entitled to is preset in the access device of the WPAN; the access device receives an access request from the user equipment in the WPAN, the access request carrying the user equipment identifier and the service identifier; if the user equipment identifier and the service identifier carried in the access request are consistent with the correspondence stored by the access device, the access authority verification passes, and the access device sends the access request to the remote server corresponding to the service identifier.
  • FIG. 1 is a schematic diagram of networking of a WPAN.
  • a WPAN includes a plurality of user equipments and one or more access devices.
  • Each user equipment can communicate directly within the WPAN by wireless transmission; that is, data between user equipments does not need to pass through the operator network.
  • A user equipment in the WPAN can also communicate with equipment in the external operator network; in that case the communication data must be forwarded through the access device in the WPAN.
  • FIG. 2 is a flowchart of performing access control on a user equipment in a WPAN in an embodiment of the present invention.
  • The following takes as an example a user equipment that needs to access remote server 1 in the external operator network; the access control process for the user equipment includes the following steps:
  • Step 201: The remote server 1 and the access device in the WPAN acquire the same shared key Ku in advance.
  • Specifically, the operator may set the shared key Ku separately on the access device and on the remote server 1, manually or in another secure manner; or the operator sets Ku on one of the two devices (for example the remote server 1), manually or in another secure manner, and the device holding Ku then sends it to the other device (for example the access device) in a secure manner.
  • Step 202: The remote server 1 and the access device in the WPAN acquire in advance the key generation algorithm corresponding to each service of the remote server 1.
  • Specifically, the operator may set the key generation algorithm corresponding to each service of the remote server 1 separately on the access device and on the remote server 1, manually or in another secure manner; or the operator sets the key generation algorithms on one of the two devices (for example the remote server 1), and that device then transmits them, encrypted in a secure manner, to the other device (for example the access device).
  • The key generation algorithms corresponding to different services may be the same or different.
  • Step 203: The remote server 1 determines the number of services it can provide to user equipment in the WPAN and generates one random number for each service. If the remote server 1 can provide n services (n a natural number), it generates n random numbers in this step, denoted Rand1, Rand2, ..., Randn.
  • Step 204: For each service it can provide, the remote server 1 generates the access key corresponding to that service from the shared key Ku, the key generation algorithm corresponding to the service, and the service's random number.
  • Step 205: For each service the remote server 1 can provide, the access device generates the access key corresponding to that service from the shared key Ku, the key generation algorithm corresponding to the service, and the random number (received from the remote server 1).
  • After these steps, the remote server 1 and the access device in the WPAN each hold the access key corresponding to every service of the remote server 1, stored as the correspondence between the identifier of each service (for example its name or code) and its access key.
  • Step 206: The access device generates and stores an access control list (ACL) from the identifiers of the services in the remote server 1 that each user equipment is entitled to, which can be preset from the service subscription information provided by the remote server 1, and from the access key corresponding to each service.
  • The ACL records the correspondence between the user equipment identifier, the service identifier and the access key of the service. The storage form of this three-way correspondence, that is, the storage form of the ACL, includes but is not limited to the following two forms.
  • First form (FIG. 3): the access device stores the user equipment identifier, the service identifier and the access key in one ACL. For example, one record is the correspondence between user equipment 2 in the WPAN, service 5 and the access key of service 5; another record is the correspondence between user equipment 2, service 9 and the access key of service 9. If a user equipment in the WPAN, say user equipment n, is entitled to no service of any remote server, the ACL of FIG. 3 still holds a record for user equipment n in which the service identifier and access key fields are both empty tags.
  • Second form (FIG. 4): the access device stores the correspondence between user equipment identifier and service identifier, and the correspondence between service identifier and access key, in different ACLs. Each record in ACL1 maps a user equipment identifier to a service identifier; each record in ACL2 maps a service identifier to an access key. If user equipment n is entitled to no service of any remote server, only one record needs to be created for it in ACL1 of FIG. 4, with the service identifier field set to an empty tag.
  • Step 207: When a service that can be provided to the user equipment is added to the remote server 1, the access key corresponding to the new service is obtained on the remote server 1 and on the access device respectively, in the same way as the access key of any service is obtained in steps 202 to 205 above.
  • Step 208: When the access key of a service, say service 1, needs to be modified, the access key of service 1 is modified on the remote server 1 and on the access device respectively.
  • This proceeds like the initial generation of the access key in the steps above: the remote server 1 generates a new random number, regenerates the access key of service 1 from the shared key Ku, the key generation algorithm corresponding to service 1 and the new random number, and replaces the stored access key of service 1 with the regenerated one; the remote server 1 then sends the new random number to the access device, which regenerates the access key of service 1 from Ku, the key generation algorithm of service 1 and the new random number, and replaces its stored access key of service 1 with the regenerated one.
  • Step 209: When a service of the remote server 1 is cancelled, the remote server 1 carries the identifier of the cancelled service in a cancel notification message and sends it to the access device.
  • Step 210: The access device deletes the access key corresponding to the service identified in the cancel notification message.
  • In summary: when the remote server adds a new service that a user equipment may use, the access device adds to the ACL the access key of the new service and the correspondence between the user equipment identifier and the new service identifier; when the access key of a service is modified, the access device modifies the access key corresponding to that service identifier in the ACL; when a service of the remote server is cancelled, the access device deletes from the ACL the correspondence between that service identifier, the user equipment identifier and the access key.
  • One reason for the remote server 1 to trigger deletion of a record in the ACL, that is, the process of steps 209 to 210, may be that the service subscribed to by the user equipment has expired.
  • Step 211: When a user equipment in the WPAN needs to use a service of the remote server 1, it sends an access request carrying the remote server 1 identifier, the user equipment identifier and the service identifier to the access device in the WPAN.
  • The remote server identifier may also be combined with the service identifier, that is, the remote server identifier may be included in the service identifier field; correspondingly, the service identifier field stored in the access device may also include the remote server identifier.
  • Step 212: The access device in the WPAN searches the stored ACL with the remote server 1 identifier, the user equipment identifier and the service identifier extracted from the received access request, and determines from the ACL whether the user equipment has access rights. If yes, go to step 214; otherwise go to step 213.
  • The determination is: if the correspondence between the user equipment identifier and the service identifier extracted from the access request can be found in the ACL, the user equipment has access rights; otherwise it does not. If the ACL is stored in the form of FIG. 3, only that one table needs to be searched; if it is stored in the form of FIG. 4, ACL1 needs to be searched.
  • Step 213: The access device sends a reject access notification message to the user equipment in the WPAN, and the current process ends.
  • Step 214: The access device carries the address of the remote server 1, the service identifier and the access key found in the ACL for that service identifier in the access request, and sends the access request to the remote server 1.
  • The address of the remote server 1 carried in the access request includes but is not limited to an IP address; one way to carry the access key is to encapsulate it in the access request.
  • Step 215: The remote server 1 extracts the service identifier and the access key from the received access request and determines whether the access key is correct. If yes, step 217 is performed; otherwise step 216 is performed.
  • To determine whether the access key is correct, the remote server 1 looks up the access key it stores for the service identifier extracted from the access request and checks whether the access key extracted from the access request is identical to it; if so, the access key is correct, otherwise it is incorrect.
  • Step 216: The remote server sends an access key error message to the access device, the access device sends a reject access notification message to the user equipment in the WPAN, and the current process ends.
  • Step 217: The remote server 1 provides the corresponding service to the user equipment in the WPAN through the access device.
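The provisioning and request flow of steps 201 to 217, together with both ACL storage forms of FIG. 3 and FIG. 4, as an added example that is not part of the patent or of any Huawei code. The key generation algorithm (HMAC-SHA256 keyed with Ku), the Ku value, the service names, the user equipment identifiers and the server address are assumptions, because the page leaves all of them open. Both sides derive the per-service access key from Ku and the server's random number, the access device answers the user equipment's request from ACL1 and attaches the ACL2 key, and the remote server verifies that key:

```python
import hashlib
import hmac
import secrets

# Constructed data: the page names user equipment 2, user equipment n and services 5 and 9;
# the Ku value, service names and server address below are assumptions for this example.
KU = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # shared key Ku, pre-set on both sides (step 201)


def derive_access_key(ku, service_id, rand):
    """Steps 204/205: access key = KDF(Ku, per-service algorithm, random number). The patent leaves
    the algorithm open; HMAC-SHA256 keyed with Ku over (service id || Rand) is this example's choice."""
    return hmac.new(ku, service_id.encode() + rand, hashlib.sha256).digest()


class RemoteServer:
    """Remote server 1 in the external operator network."""
    def __init__(self, ku):
        self.ku = ku
        self.keys = {}  # service id -> access key

    def add_service(self, service_id):
        """Steps 203/204 (207 for a new service, 208 to re-key an existing one): draw a random
        number, store the derived key, and return the random number for the access device."""
        rand = secrets.token_bytes(16)
        self.keys[service_id] = derive_access_key(self.ku, service_id, rand)
        return rand

    def cancel_service(self, service_id):
        """Step 209: drop the service; the returned identifier is the cancel notification."""
        del self.keys[service_id]
        return service_id

    def handle_request(self, request):
        """Steps 215-217: compare the carried key with the stored one in constant time."""
        expected = self.keys.get(request["service_id"])
        if expected is None or not hmac.compare_digest(expected, request["access_key"]):
            return False, "access key error"  # step 216
        return True, "service provided"      # step 217


class AccessDevice:
    """WPAN access device (gateway or access point) holding the ACL in the two-table form of FIG. 4."""
    def __init__(self, ku, server_address):
        self.ku = ku
        self.server_address = server_address
        self.acl1 = {}  # ACL1: UE id -> set of service ids (empty set = the "empty tag")
        self.acl2 = {}  # ACL2: service id -> access key

    def provision_service(self, service_id, rand):
        """Step 205 (also 207/208): derive the same key from Ku and the server's random number."""
        self.acl2[service_id] = derive_access_key(self.ku, service_id, rand)

    def subscribe(self, ue_id, *service_ids):
        """Step 206: record from subscription information which services a UE may use;
        called with no services it creates the empty-tag record for a UE such as UE n."""
        self.acl1.setdefault(ue_id, set()).update(service_ids)

    def cancel_service(self, service_id):
        """Step 210: delete the key and every UE/service correspondence of the cancelled service."""
        self.acl2.pop(service_id, None)
        for services in self.acl1.values():
            services.discard(service_id)

    def single_table_view(self):
        """Same ACL in the single-table form of FIG. 3: one (UE, service, key) record per pair."""
        return [(ue, s, self.acl2.get(s)) for ue, svcs in self.acl1.items() for s in sorted(svcs) or [None]]

    def handle_request(self, ue_id, service_id, server):
        """Steps 211-214: look (UE id, service id) up in ACL1, then forward with the ACL2 key."""
        if service_id not in self.acl1.get(ue_id, set()) or service_id not in self.acl2:
            return False, "reject access"  # step 213
        request = {"server_address": self.server_address, "service_id": service_id, "access_key": self.acl2[service_id]}
        return server.handle_request(request)  # steps 214-216; a server rejection is relayed to the UE


def run_scenario():
    """Provisioning, one granted and two rejected requests, a key rotation and a cancellation."""
    server = RemoteServer(KU)
    gateway = AccessDevice(KU, "192.0.2.10")
    for svc in ("service5", "service9"):
        gateway.provision_service(svc, server.add_service(svc))
    gateway.subscribe("UE2", "service5", "service9")
    gateway.subscribe("UEn")  # UE n is entitled to no service
    r = {"ue2_service5": gateway.handle_request("UE2", "service5", server),
         "ue2_service7": gateway.handle_request("UE2", "service7", server),  # not in ACL1
         "uen_service5": gateway.handle_request("UEn", "service5", server)}  # empty tag
    rand = server.add_service("service5")                               # step 208, server side
    r["stale_key"] = gateway.handle_request("UE2", "service5", server)  # access device not yet re-keyed
    gateway.provision_service("service5", rand)                         # step 208, access device side
    r["rotated"] = gateway.handle_request("UE2", "service5", server)
    gateway.cancel_service(server.cancel_service("service9"))           # steps 209-210
    r["cancelled"] = gateway.handle_request("UE2", "service9", server)
    return r


if __name__ == "__main__":
    for name, (ok, msg) in run_scenario().items():
        print(f"{name:13s} {'granted' if ok else 'rejected'} ({msg})")
```

Running the module prints one line per request in run_scenario(). Two things the code makes visible that the text only implies: the access key is per service, not per user equipment, so the check in step 215 only proves that the request passed through a device holding that service's key, and the per-user-equipment decision rests entirely on the ACL lookup of step 212; and after a re-key in step 208 the access device must receive the new random number before the next request, otherwise the server answers with an access key error even though the ACL lookup passed. The user equipment identifier is taken from the request as given, as in the page.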
  • In the embodiments, the remote server is a device in the external operator network that can provide services to, or control, the user equipment in the WPAN through the access device in the WPAN.
  • The external network includes but is not limited to the Internet, an IP network or a wireless network.
  • Access devices in the WPAN include but are not limited to gateway devices or access points.
  • The identifier of a user equipment in the WPAN may be the IEEE address of the user equipment or other inherent information about the user equipment.
  • In the embodiments, the access device obtains the access key from the shared key Ku, the key generation algorithm and the random number, but the method is not limited to this: the remote server may encrypt the access key with a point-to-point key shared with the access device and send it to the access device, or the access key may be obtained by another secure method and then set manually on the access device.
  • The access device stores the correspondence between the user equipment identifier and the service identifier; forms other than an ACL may also be used.
  • In the embodiments, the user equipment is verified first by the access device in the WPAN and then again by the remote server, which checks the correctness of the access key; this double verification further ensures the security of user equipment access.
  • Alternatively, the operator may set up a trust mechanism for the access device in advance, in which case the remote server provides the service without verifying the access key, and the access device only needs to store the correspondence between the service identifier and the user equipment identifier, not the correspondence between the service identifier and the access key.
  • The entire access control process needs neither the dedicated key generation server nor the dedicated authentication server of the prior art: key generation is done by the remote server and authentication by the access device, so the operator does not need to deploy a dedicated key generation server or a dedicated authentication server in the network, which reduces the operator's cost.
  • Since no interaction with a dedicated key generation server or a dedicated authentication server is needed, when several user equipments need a service they do not each have to interact with the external operator network; only the access device interacts with it. The embodiment thus also simplifies the access control process.
  • An embodiment of the present invention further provides an access device. FIG. 5 is a basic structure diagram of an access device of a WPAN in an embodiment of the present invention. Referring to FIG. 5, the access device includes:
  • a storage unit, configured to store the correspondence between the user equipment identifier in the WPAN and the service identifier of the service in the remote server that the user equipment is entitled to;
  • an information receiving and processing unit, configured to receive an access request sent by the user equipment in the WPAN, provide the user equipment identifier and the service identifier carried in the access request to the access control unit, and, after receiving notification that the access authority verification has passed, send an access request to the remote server corresponding to the service identifier carried in the access request;
  • an access control unit, configured to notify the information receiving and processing unit that the access authority verification has passed after detecting that the user equipment identifier and the service identifier provided by that unit are consistent with the correspondence stored in the storage unit.
  • The storage unit is configured to store the correspondence between the user equipment identifier and the service identifier in an ACL.
  • The storage unit is further configured to store the correspondence between the identifier of each service in the remote server and its access key; the access control unit further determines, from that correspondence, the access key corresponding to the service identifier provided by the information receiving and processing unit and passes the determined access key to that unit; the information receiving and processing unit further includes the received access key in the access request before sending the access request to the remote server.
  • The access device may further include an access key obtaining unit. The information receiving and processing unit further passes the random number corresponding to each service, sent by the remote server, to the access key obtaining unit; the access key obtaining unit is configured to acquire the key Ku and the key generation algorithm corresponding to each service of the remote server, obtain from Ku, the key generation algorithm and the random number of each service the correspondence between each service identifier and its access key, and store that correspondence in the storage unit.
  • The correspondence between the user equipment identifier and the service identifier and the correspondence between each service identifier and its access key are stored in the access device in an ACL. The storage unit may store the user equipment identifier, the service identifier and the access key in the same ACL; or it may store the correspondence between user equipment identifier and service identifier and the correspondence between service identifier and access key in different ACLs.
  • FIG. 7 is a schematic structural diagram of a system for access control of a user equipment in a WPAN according to an embodiment of the present invention. Referring to FIG. 7, the system includes:
  • a user equipment, configured to send an access request to the access device in the WPAN, where the access request carries the user equipment identifier and the service identifier;
  • an access device, which may be the access device described in the above embodiments.

Abstract

A method for access control of a user equipment (UE) in a WPAN is provided. The correspondence between the UE identifier and the service identifier of the remote server's service that the UE is entitled to is preset in the access device of the WPAN. The access device receives an access request sent by the UE in the WPAN, the access request carrying the UE identifier and the service identifier. When the UE identifier and the service identifier carried in the access request agree with the correspondence stored in the access device, the access authority verification passes and the access device sends the access request to the remote server corresponding to the service identifier. A system and an access device for access control of a UE in a WPAN are also provided.

Description

一种接入控制方法、 系统和设备  Access control method, system and device
[1] 技术领域  [1] Technical field
[2] 本发明涉及网络通信技术, 特别是涉及一种接入控制方法、 系统和设备。  [2] The present invention relates to network communication technologies, and in particular, to an access control method, system and device.
[3] 发明背景  [3] Background of the invention
无线个人域网络 (Wireless Personal Area Network.  Wireless Personal Area Network (Wireless Personal Area Network.
WPAN) 是由多个彼此距离较近的设备组成的网络。 在 WPAN中的用户设备与外 部运营商网络中的设备进行通信吋, 通常需要对用户设备进行接入控制, 比如 , 允许某些授权的用户设备接入运营商网络中的一个服务器, 但拒绝未授权的 用户设备接入。 在现有技术中, 对 WPAN中的用户设备进行接入控制的过程具体 如下: WPAN中的用户设备预先获取接入密钥后, WPAN中的用户设备将用户设 备标识和获取的接入密钥携带在接入请求中发送至 WPAN中的接入设备, WPAN 中的接入设备将接入请求中携带的用户设备标识和接入密钥发送至认证服务器 , 由认证服务器根据接收到的接入密钥对用户设备进行接入权限验证; 在验证 成功后, WPAN中的接入设备对接入请求进行地址转换和协议转换等处理, 将处 理后的接入请求发送至外部运营商中对应的远程服务器, 外部运营商中对应的 远程服务器向 WPAN中的用户设备提供对应的业务服务。  WPAN) is a network of multiple devices that are close together. After the user equipment in the WPAN communicates with the equipment in the external carrier network, it is usually necessary to perform access control on the user equipment, for example, allowing certain authorized user equipments to access one server in the operator network, but rejecting Authorized user equipment access. In the prior art, the process of performing access control on the user equipment in the WPAN is as follows: After the user equipment in the WPAN obtains the access key in advance, the user equipment in the WPAN identifies the user equipment and the obtained access key. The access device that is sent to the WPAN in the access request, the access device in the WPAN sends the user equipment identifier and the access key carried in the access request to the authentication server, and the authentication server receives the access according to the The key authenticates the access authority of the user equipment. After the authentication succeeds, the access device in the WPAN performs address translation and protocol conversion on the access request, and sends the processed access request to the corresponding external operator. The remote server, the corresponding remote server of the external operator provides the corresponding service service to the user equipment in the WPAN.
[5] 由此可见, 在现有技术中, 在对 WPAN中的用户设备进行接入控制吋, 是根据 用户设备发来的接入密钥进行接入权限验证, 这样, 则必须由用户设备预先获 取接入密钥。 而 WPAN中的用户设备在获取接入密钥吋, 必须占用 WPAN的无线 传输资源向外部运营商网络中的密钥产生服务器发送请求消息, 在将密钥产生 服务器返回的接入密码发送给用户设备吋, 同样需要占用 WPAN的无线传输资源 。 并且, 如果要接入的用户设备有多个, 都需要分别获取接入密钥, 则占用的 无线传输资源更多。 由于 WPAN是无线传输方式的个人网络, 其无线传输资源非 常有限, 现有技术的做法由于需要占用大量的 WPAN的无线传输资源, 因此, 增 加了 WPAN的负担。  [5] It can be seen that in the prior art, after performing access control on the user equipment in the WPAN, the access authority is verified according to the access key sent by the user equipment, and thus, the user equipment must be Obtain the access key in advance. After obtaining the access key, the user equipment in the WPAN must use the wireless transmission resource of the WPAN to send a request message to the key generation server in the external carrier network, and send the access password returned by the key generation server to the user. The device 吋 also needs to occupy the wireless transmission resources of the WPAN. Moreover, if there are multiple user equipments to be accessed, each need to obtain an access key separately, and more wireless transmission resources are occupied. Since WPAN is a personal network with wireless transmission mode, its wireless transmission resources are very limited. The prior art practice requires a large amount of WPAN wireless transmission resources, thus increasing the burden of WPAN.
[6] Summary of the invention
[7] The embodiments of the present invention aim to provide a method and system for access control of user devices in a WPAN, and an access device, so as to reduce the consumption of wireless transmission resources in the WPAN.
[8] To achieve the above object, the technical solution of the embodiments of the present invention is implemented as follows:
[9] A method for access control of a user device in a WPAN, the method comprising:
[10] presetting, in an access device of the WPAN, the correspondence between the identifiers of user devices in the WPAN and the service identifiers of the services on a remote server to which each user device is entitled;
[11] the access device receiving an access request sent by a user device in the WPAN, the access request carrying a user device identifier and a service identifier;
[12] when the user device identifier and the service identifier carried in the access request are consistent with the correspondence stored by the access device, the access device passing the access authority verification of the user device;
[13] the access device sending an access request to the remote server corresponding to the service identifier.
[14] An access device, comprising:
[15] a storage unit, configured to store the correspondence between the identifiers of user devices in the WPAN and the service identifiers of the services provided by a remote server to which each user device is entitled;
[16] an information receiving and processing unit, configured to receive an access request sent by a user device in the WPAN, provide the user device identifier and service identifier carried in the access request to an access control unit and, after being notified that access authority verification has passed, send an access request to the remote server corresponding to the service identifier carried in the access request;
[17] an access control unit, configured to notify the information receiving and processing unit that access authority verification has passed after detecting that the user device identifier and service identifier provided by the information receiving and processing unit are consistent with the correspondence stored in the storage unit.
[18] A system for access control of a user device in a WPAN, the system comprising:
[19] a user device, configured to send an access request to an access device in the WPAN, the access request carrying a user device identifier and a service identifier; and an access device according to any one of claims 8 to 11.
[20] As can be seen, in the embodiments of the present invention, access control of a user device in the WPAN is performed by the access device, which verifies access authority according to the user device identifier and service identifier in an ACL. The user device in the WPAN therefore does not need to obtain an access key, which avoids the prior-art drawback of consuming the WPAN's limited internal transmission resources, saves the WPAN's wireless transmission resources and reduces the burden on the WPAN.
[21] Brief description of the drawings
[22] Figure 1 is a schematic diagram of WPAN networking.
[23] Figure 2 is a flowchart of access control of a user device in a WPAN in an embodiment of the present invention.
[24] Figure 3 is a schematic diagram of the first storage form of the ACL in an embodiment of the present invention.
[25] Figure 4 is a schematic diagram of the second storage form of the ACL in an embodiment of the present invention.
[26] Figure 5 is a schematic diagram of the basic structure of the WPAN access device in an embodiment of the present invention.
[27] Figure 6 is a schematic diagram of an optimized structure of the WPAN access device in an embodiment of the present invention.
[28] Figure 7 is a schematic diagram of the structure of the system for access control of a user device in a WPAN in an embodiment of the present invention.
[29] Detailed description
[30] To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the embodiments are described in further detail below with reference to the drawings and specific examples.
[31] In the embodiments of the present invention, the correspondence between the identifiers of user devices in the WPAN and the service identifiers of the services on a remote server to which each user device is entitled is preset in the WPAN's access device. When the access device receives an access request from a user device in the WPAN, the request carrying a user device identifier and a service identifier, access authority verification passes if the user device identifier and service identifier carried in the request are consistent with the correspondence stored by the access device; the access device then sends an access request to the remote server corresponding to the service identifier.
[32] Figure 1 is a schematic diagram of WPAN networking. Referring to Figure 1, a WPAN includes several user devices and one or more access devices. User devices can communicate directly with each other inside the WPAN by wireless transmission, that is, data between user devices does not need to pass through the operator network. A user device in the WPAN can of course also communicate with a device in an external operator network; in that case the communication data must be forwarded by an access device in the WPAN. Figure 2 is a flowchart of access control of a user device in a WPAN in an embodiment of the present invention. This embodiment takes as its example the case where a user device needs to access remote server 1 in the external operator network and access control is performed on the user device; it comprises the steps shown in Figure 2:
[33] Step 201: Remote server 1 and the access device in the WPAN obtain the same shared key Ku in advance.
[34] This step may be implemented as follows: the operator sets the shared key Ku in the access device and in remote server 1 separately, manually or by some other secure means; or the operator sets the shared key Ku, manually or by some other secure means, on either one of the access device and remote server 1 (for example on remote server 1), and the device holding Ku then sends it to the other device (for example the access device) in a secure manner, such as in encrypted form.
[35] Step 202: Remote server 1 and the access device in the WPAN obtain in advance the key generation algorithm corresponding to each service of remote server 1.
[36] This step may be implemented as follows: the operator sets the key generation algorithm for each service of remote server 1 in the access device and in remote server 1 separately, manually or by some other secure means; or the operator sets the key generation algorithms, manually or by some other secure means, on either one of the access device and remote server 1 (for example on remote server 1), and the device holding the algorithms then sends the key generation algorithm for each service of remote server 1 to the other device (for example the access device) in a secure manner, such as in encrypted form.
[37] In this step, the key generation algorithms for different services may be the same or different.
[38] Step 203: Remote server 1 generates one random number for each service it can provide to user devices in the WPAN, and sends each service's random number to the access device.
[39] Step 204: For each service it can provide, remote server 1 generates the access key corresponding to that service from the shared key Ku, the key generation algorithm corresponding to that service and the random number.
[40] For example, if remote server 1 can provide n services (n a natural number) to user devices in the WPAN, then n random numbers are generated in step 203, denoted Rand1, Rand2, ..., Randn.
[41] In this step 204, the access keys generated by remote server 1 for the services may be denoted K1 = h1(Ku, Rand1), K2 = h2(Ku, Rand2), ..., Kn = hn(Ku, Randn).
[42] Step 205: For each service that remote server 1 can provide, the access device generates the access key corresponding to that service from the shared key Ku, the key generation algorithm corresponding to that service and the random number.
[43] Here the access key generated by the access device for each service is identical to that of remote server 1 and may likewise be denoted K1 = h1(Ku, Rand1), K2 = h2(Ku, Rand2), ..., Kn = hn(Ku, Randn).
[44] After this step, remote server 1 and the access device in the WPAN each hold the access key corresponding to every service of remote server 1. The correspondence is embodied as a mapping from each service's identifier, such as a name or code, to its access key.
[45] Step 206: The access device generates and stores an access control list (ACL) from the preset identifiers of the services on remote server 1 to which each user device is entitled and the access key corresponding to each service.
[46] In the access device, the identifiers of the services on remote server 1 to which a user device is entitled may be preset using the service subscription information provided by remote server 1.
[47] Here the ACL embodies the three-way correspondence between user device identifier, service identifier and the service's access key. The storage form of this correspondence, that is, the storage form of the ACL, includes but is not limited to the following two:
[48] Storage form one
[49] In step 206, the access device may store the three-way correspondence between user device identifier, service identifier and access key in a single ACL. Referring to the ACL in Figure 3, one record holds the correspondence between user device 2 in the WPAN, service 5 and the access key of service 5, and another holds the correspondence between user device 2, service 9 and the access key of service 9. If a user device in the WPAN, say user device n, is not entitled to any service of any remote server, the ACL of Figure 3 still needs a record for user device n, in which the service identifier and access key fields are both set to an empty marker.
[50] Storage form two
[51] In step 206, the access device may instead store the correspondence between user device identifier and service identifier and the correspondence between service identifier and access key in separate ACLs. Referring to ACL1 and ACL2 in Figure 4, each record of ACL1 is a correspondence between a user device identifier and a service identifier, and each record of ACL2 is a correspondence between a service identifier and an access key. If a user device in the WPAN, say user device n, is not entitled to any service of any remote server, only a record for user device n in ACL1 of Figure 4 is needed, with the service identifier field set to an empty marker.
[52] Step 207: When a new service that can be provided to user devices is added on remote server 1, remote server 1 and the access device each obtain the access key corresponding to the new service.
[53] In this step, the access key for the new service is obtained on remote server 1 and the access device in the same way as the access key for any service is obtained in steps 202 to 205 above.
[54] Step 208: When the access key corresponding to a service, say service 1, needs to be changed, the access key of service 1 is changed on remote server 1 and on the access device.
[55] Here the process of changing the access key of service 1 on remote server 1 and the access device resembles the generation of a new service's access key in the steps above: remote server 1 generates a new random number, regenerates the access key for service 1 from the shared key Ku, the key generation algorithm for service 1 and the new random number, and replaces its stored access key for service 1 with the regenerated one; remote server 1 also sends the new random number to the access device, which regenerates the access key for service 1 from the shared key Ku, the key generation algorithm for service 1 and the new random number, and replaces its stored access key for service 1 with the regenerated one.
[56] Step 209: When a service on remote server 1 is cancelled, remote server 1 sends a cancellation notification message carrying the cancelled service's identifier to the access device.
[57] Step 210: The access device deletes its stored access key for that service according to the service identifier carried in the cancellation notification message.
[58] In steps 207 to 210 above, when the access device adds a service and its access key, changes a service's access key, or deletes a service and its access key, the ACL must be updated accordingly, that is, a record is added, changed or deleted in the ACL. In other words, when a new service that can be provided to user devices is added on the remote server, the access device adds to the ACL the obtained access key of the new service together with the correspondence between user device identifier and the new service's identifier; when the access key of a service on the remote server needs to be changed, the access device changes in the ACL the access key corresponding to that service's identifier; and when a service on the remote server is cancelled, the access device deletes from the ACL the correspondence between that service's identifier, user device identifier and access key.
[59] In addition, as can be seen from steps 207 to 210, once the ACL in the access device has been formed, only remote server 1 has the authority to send commands that modify it, that is, to trigger the access device to add, change or delete an ACL record. Remote server 1 may trigger the addition of an ACL record (the process of step 207) because a user device in the WPAN has subscribed, by some means, to the newly added service of remote server 1. Remote server 1 may trigger the deletion of an ACL record (the process of steps 209 to 210) because a user device in the WPAN has cancelled, by some means, a service of remote server 1, or because the remote server finds that the service the user device subscribed to has expired.
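The provisioning and ACL maintenance of steps 201 to 210, as an added Python example; this is not code from the patent or from Huawei. The patent leaves the key generation algorithms h_i abstract, so the example assumes HMAC-SHA256 keyed with Ku over a service-specific label and Rand_i, which gives each service an independent key as paragraph [72] intends. It uses storage form two (ACL1 and ACL2 of Figure 4) and models the rule that only remote server 1 may modify the ACL as an identity check on the command sender; in a deployment that check has to rest on an authenticated channel between the two ends, which the page only describes as "a secure manner", and the example takes that channel as given. Service and device names are constructed.

```python
import hashlib
import hmac
import os

# Shared key Ku, set out of band on both ends (step 201). Constructed value.
KU = bytes.fromhex("00112233445566778899aabbccddeeff"
                   "ffeeddccbbaa99887766554433221100")


def derive_access_key(ku: bytes, service_id: str, rand: bytes) -> bytes:
    """K_i = h_i(Ku, Rand_i) (steps 204 and 205).

    Assumed instantiation of h_i: HMAC-SHA256 keyed with Ku over a label naming
    the service plus Rand_i, so a stolen key for one service exposes no other.
    """
    return hmac.new(ku, b"svc:" + service_id.encode() + b"|" + rand,
                    hashlib.sha256).digest()


class RemoteServer:
    """Remote server 1: owns the random numbers and the resulting keys."""

    def __init__(self, ku: bytes, services):
        self.ku = ku
        self.rands = {}   # service id -> Rand_i (step 203)
        self.keys = {}    # service id -> K_i    (step 204)
        for sid in services:
            self.fresh_random(sid)

    def fresh_random(self, sid: str) -> bytes:
        """New Rand_i and (re)derived K_i: new service (207) or key change (208)."""
        self.rands[sid] = os.urandom(16)
        self.keys[sid] = derive_access_key(self.ku, sid, self.rands[sid])
        return self.rands[sid]

    def cancel(self, sid: str) -> None:
        """Step 209: the service is withdrawn on the server side."""
        self.rands.pop(sid, None)
        self.keys.pop(sid, None)


class AccessDevice:
    """Storage form two (Figure 4): ACL1 maps user device id -> service ids,
    ACL2 maps service id -> access key. A device with no subscription keeps an
    ACL1 record with an empty set (the patent's empty marker)."""

    def __init__(self, ku: bytes, trusted_server: RemoteServer, devices):
        self.ku = ku
        self.trusted = trusted_server
        self.acl1 = {dev: set() for dev in devices}
        self.acl2 = {}

    def _only_remote_server(self, sender) -> None:
        # Once the ACL exists, only remote server 1 may change it.
        if sender is not self.trusted:
            raise PermissionError("ACL changes are accepted from remote server 1 only")

    def add_service(self, sender, sid: str, rand: bytes, subscribers) -> None:
        """Step 207: derive the new key from Rand_i; record the subscribed devices."""
        self._only_remote_server(sender)
        self.acl2[sid] = derive_access_key(self.ku, sid, rand)
        for dev in subscribers:
            self.acl1.setdefault(dev, set()).add(sid)

    def change_key(self, sender, sid: str, rand: bytes) -> None:
        """Step 208: replace K_i with the key derived from the new random number."""
        self._only_remote_server(sender)
        if sid not in self.acl2:
            raise KeyError(f"unknown service {sid}")
        self.acl2[sid] = derive_access_key(self.ku, sid, rand)

    def cancel_service(self, sender, sid: str) -> None:
        """Steps 209 and 210: drop the key and every device's entitlement to it."""
        self._only_remote_server(sender)
        self.acl2.pop(sid, None)
        for entitled in self.acl1.values():
            entitled.discard(sid)

    def entitled(self, dev: str, sid: str) -> bool:
        return sid in self.acl1.get(dev, set())

    def in_sync(self, server: RemoteServer) -> bool:
        """True when ACL2 holds exactly the server's current keys."""
        return self.acl2 == server.keys


def provisioning_example() -> dict:
    """Run steps 203 to 210 for two services and report the observable outcomes."""
    server = RemoteServer(KU, ["service5", "service9"])
    ad = AccessDevice(KU, server, ["device1", "device2", "deviceN"])
    # Steps 205 and 206: same keys derived from the randoms the server sent,
    # entitlements taken from the server's subscription information.
    ad.add_service(server, "service5", server.rands["service5"], ["device2"])
    ad.add_service(server, "service9", server.rands["service9"], ["device2"])
    synced_after_setup = ad.in_sync(server)

    old_key = ad.acl2["service9"]
    ad.change_key(server, "service9", server.fresh_random("service9"))   # step 208
    synced_after_change = ad.in_sync(server) and ad.acl2["service9"] != old_key

    rogue = RemoteServer(b"\x00" * 32, [])          # not the provisioned server
    try:
        ad.cancel_service(rogue, "service5")
        rogue_rejected = False
    except PermissionError:
        rogue_rejected = True

    server.cancel("service5")                        # step 209
    ad.cancel_service(server, "service5")            # step 210
    return {
        "synced_after_setup": synced_after_setup,
        "synced_after_change": synced_after_change,
        "rogue_rejected": rogue_rejected,
        "synced_after_cancel": ad.in_sync(server),
        "device2_service5": ad.entitled("device2", "service5"),
        "device2_service9": ad.entitled("device2", "service9"),
        "deviceN_any": bool(ad.acl1["deviceN"]),
    }
```

Ku never leaves the two ends; only the random numbers cross the network, which is what lets the access device rebuild a changed key without the user device taking part. The same property means a compromised access device holds Ku and can derive every service key, so the per-service split limits damage from a leaked K_i but not from a leaked Ku.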
[60] Step 211: When a user device in the WPAN needs a service of remote server 1, it sends to the access device in the WPAN an access request carrying the identifier of remote server 1, the user device's identifier and the service identifier.
[61] In this embodiment the remote server identifier may also be combined with the service identifier, that is, the service identifier field may contain the remote server's identifier. Correspondingly, the service identifier field stored in the access device may also contain the remote server's identifier.
[62] Step 212: The access device in the WPAN looks up its stored ACL using the remote server 1 identifier, user device identifier and service identifier extracted from the received access request, and determines from the ACL whether the user device has access authority; if so, step 214 is performed, otherwise step 213.
[63] Here, determining from the ACL whether the user device has access authority means checking whether the correspondence between the user device identifier and the service identifier extracted from the access request can be found in the ACL: if it can, the user device has access authority, otherwise it does not. When the ACL is stored as the single table of Figure 3, only that table needs to be searched in this step; when it is stored as the two tables of Figure 4, ACL1 is searched.
[64] Step 213: The access device sends an access-refused notification message to the user device in the WPAN, and the current procedure ends.
[65] Step 214: The access device sends the access request to remote server 1, carrying the address of remote server 1, the service identifier and the access key found in the ACL for that service identifier.
[66] Here, the address of remote server 1 carried in the access request includes but is not limited to an IP address.
[67] Preferably, the access key is carried in the access request by encapsulating it in the access request.
[68] Step 215: Remote server 1 extracts the service identifier and access key from the received access request and determines whether the access key is correct; if so, step 217 is performed, otherwise step 216.
[69] Here, remote server 1 determines whether the access key is correct as follows: using the service identifier extracted from the received access request, it looks up its own stored access key for that service identifier and compares it with the access key extracted from the request; if they are identical the access key is correct, otherwise it is wrong.
[70] Step 216: Remote server 1 sends an access key error message to the access device, the access device sends an access-refused notification message to the user device in the WPAN, and the current procedure ends.
[71] Step 217: Remote server 1 provides the corresponding service to the user device in the WPAN through the access device.
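The request path of steps 211 to 217, as an added Python example; it is not the patent's code. Per-service access keys are taken as already present on both ends, which the patent also allows (paragraph [75] says they may be set manually), so no key derivation appears here. The ACL uses storage form one (Figure 3), with the remote server identifier folded into the service identifier field as paragraph [61] permits. Message field names, the server address and the device and service names are constructed. The third request shows what the remote server's own check adds on top of the ACL: a device the ACL still lists, but whose service key on the access device is stale after a step 208 change, is refused at step 215 rather than served.

```python
import hmac

# Constructed per-service access keys, identical on both ends after provisioning.
KEY_SERVICE5 = bytes.fromhex("5a" * 32)
KEY_SERVICE9 = bytes.fromhex("9b" * 32)

# Assumed address of remote server 1 (the patent says e.g. an IP address).
SERVER1_ADDR = "203.0.113.10"
EMPTY = None   # the patent's "empty marker"

# Storage form one (Figure 3): one ACL whose records are
# (user device id, service id, access key); the service id field also names
# the remote server ("server1/service5"). Device n has no entitlement.
ACL = [
    ("device2", "server1/service5", KEY_SERVICE5),
    ("device2", "server1/service9", KEY_SERVICE9),
    ("deviceN", EMPTY, EMPTY),
]


class RemoteServer1:
    """Holds its own copy of the per-service keys (steps 215 to 217)."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)

    def handle(self, req: dict) -> dict:
        expected = self.keys.get(req["service_id"])
        # Step 215: compare in constant time; an unknown service or a
        # mismatching key is an access key error.
        if expected is None or not hmac.compare_digest(expected, req["access_key"]):
            return {"type": "key_error", "service_id": req["service_id"]}   # step 216
        return {"type": "service", "service_id": req["service_id"]}          # step 217


class AccessDevice:
    """Steps 212 to 214 and 216: ACL lookup, then forwarding with the key."""

    def __init__(self, acl, routes: dict):
        self.acl = list(acl)
        self.routes = routes   # remote server id -> (address, server object)

    def lookup(self, device_id: str, service_id: str):
        """Access key when (device, service) is in the ACL, else None.
        Records holding the empty marker never match."""
        for dev, sid, key in self.acl:
            if sid is not EMPTY and dev == device_id and sid == service_id:
                return key
        return None

    def handle(self, req: dict) -> dict:
        key = self.lookup(req["device_id"], req["service_id"])           # step 212
        if key is None or req["server_id"] not in self.routes:
            return {"type": "access_refused", "reason": "not in ACL"}      # step 213
        addr, server = self.routes[req["server_id"]]
        forwarded = {"server_addr": addr,                                # step 214
                     "service_id": req["service_id"],
                     "access_key": key}
        reply = server.handle(forwarded)
        if reply["type"] == "key_error":
            return {"type": "access_refused", "reason": "key error"}      # step 216
        return reply                                                     # step 217


def request(device_id: str, service_id: str, server_id: str = "server1") -> dict:
    """Step 211: the user device's access request; it carries no key."""
    return {"server_id": server_id, "device_id": device_id, "service_id": service_id}


def access_example() -> dict:
    server = RemoteServer1({"server1/service5": KEY_SERVICE5,
                            "server1/service9": KEY_SERVICE9})
    ad = AccessDevice(ACL, {"server1": (SERVER1_ADDR, server)})
    # Service 9's key was changed on the server (step 208) but the access
    # device has not applied the change yet, so its ACL copy is stale.
    server.keys["server1/service9"] = bytes.fromhex("c3" * 32)
    return {
        "entitled": ad.handle(request("device2", "server1/service5")),
        "unknown_device": ad.handle(request("deviceN", "server1/service5")),
        "stale_key": ad.handle(request("device2", "server1/service9")),
    }
```

The user device sends only identifiers; the access key is added by the access device at step 214 and never crosses the WPAN air interface, which is the resource saving the patent claims. The refusal messages deliberately carry the same type whether the ACL lookup or the key check failed, so a requester cannot tell which stage rejected it.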
[72] It should be noted that, in the procedure of Figure 2, generating a separate access key for each service that remote server 1 can provide is simply the preferred approach in this embodiment, so that the theft of one service's access key does not affect other services. In a practical implementation the number of services remote server 1 can provide may be disregarded and all services may share one key generation algorithm and one random number, that is, all services correspond to a single shared access key. The implementation then resembles the procedure of Figure 2.
[73] In the embodiments of the present invention, a remote server is a device in the external operator network able to provide services to, or control, user devices in the WPAN through the WPAN's access device. The external network includes but is not limited to the Internet, an IP network or a wireless network. The access device in the WPAN includes but is not limited to a gateway device or an access point.
[74] In the embodiments of the present invention, the identifier of a user device in the WPAN may be the user device's IEEE address or other inherent information of the user device.
[75] It should be noted that in this embodiment the access device obtains the access key from the shared key Ku, the key generation algorithm and the random number, but the way the access device obtains the access key is not limited to this. For example, the remote server may encrypt the access key with a point-to-point key shared with the access device and send it to the access device, or the access key may be obtained by some other secure means and then set manually on the access device. In addition, the access device may store the correspondence between user identifier and service identifier in a form other than an ACL.
[76] As can be seen from the procedure of the embodiment shown in Figure 2, the access device in the WPAN can first verify the user device's access authority and the remote server can then verify the correctness of the access key; this double verification further ensures the security of user device access. Alternatively, the operator may establish a trust relationship with the access device in advance, in which case the remote server can provide the service once access authority verification has passed, without a further access key verification. When access key verification is not needed, the access device need only store the correspondence between service identifier and user device identifier, not the correspondence between service identifier and access key. As can also be seen from Figure 2, the whole access control procedure needs neither the dedicated key generation server nor the dedicated authentication server of the prior art: key generation and authentication are performed by the remote server and the access device respectively, so the operator need not deploy a dedicated key generation server and a dedicated authentication server in the network, which lowers the operator's cost. Furthermore, the prior-art exchanges with a dedicated key generation server and a dedicated authentication server are not required, and when several users need a service, each user does not have to interact with the external operator network separately; only the access device does. The embodiments of the present invention therefore also simplify the access control procedure.
[77] It will be understood that, although the steps of the method were described in sequence in the embodiments above for ease of understanding, the order of the steps is not strictly limited.
[78] Those of ordinary skill in the art will also understand that all or some of the steps of the embodiments above may be implemented by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc.
[79] 相应地, 本发明实施例还提出了一种接入设备。 图 5是在本发明实施例中 WPA N的接入设备的基本结构示意图。 参见图 5, 该接入设备包括: Correspondingly, an embodiment of the present invention further provides an access device. Figure 5 is a WPA in an embodiment of the present invention A basic structure diagram of an access device of N. Referring to FIG. 5, the access device includes:
[80] a saving unit, configured to save the correspondence between the user equipment identifier in the WPAN and the service identifier of the service in the remote server that the user equipment is entitled to;
[81] an information receiving and processing unit, configured to receive an access request sent by a user equipment in the WPAN, provide the user equipment identifier and service identifier carried in the access request to the access control unit, and, after receiving notification that the access-right verification has passed, send an access request to the remote server corresponding to the service identifier carried in the access request;
[82] an access control unit, configured to notify the information receiving and processing unit that the access-right verification has passed after detecting that the user equipment identifier and service identifier provided by the information receiving and processing unit are consistent with the correspondence saved in the saving unit.
[83] Preferably, the saving unit is configured to save the correspondence between the user equipment identifier and the service identifier in an ACL.
[84] To further enable the subsequent verification of the access key by the remote server, the saving unit is further configured to save the correspondence between the identifier of each service in the remote server and its access key;
[85] the access control unit further determines, according to the correspondence between the identifier of each service and the access key saved in the saving unit, the access key corresponding to the service identifier provided by the information receiving and processing unit, and sends the determined access key to the information receiving and processing unit;
[86] the information receiving and processing unit further includes the received access key in the access request before sending that access request to the remote server.
[87] Preferably, referring to Figure 6, the access device further includes an access key obtaining unit, where:
[88] the information receiving and processing unit further provides the random number corresponding to each service, as sent by the remote server, to the access key obtaining unit;
[89] the access key obtaining unit is configured to obtain the key Ku and the key generation algorithm corresponding to each service of the remote server, derive the correspondence between the identifier of each service in the remote server and its access key using the key Ku, the key generation algorithm corresponding to each service, and the random number, and save that correspondence in the saving unit.
[90] Preferably, when both the correspondence between user equipment identifiers and service identifiers and the correspondence between each service identifier and its access key are saved in an ACL in the access device, the saving unit may save them in either of two ways: the three-way correspondence among user equipment identifier, service identifier and access key is saved in one ACL; or the correspondence between user equipment identifier and service identifier and the correspondence between service identifier and access key are saved in different ACLs.
[91] Correspondingly, an embodiment of the present invention further provides a system for performing access control on a user equipment. Figure 7 is a schematic structural diagram of a system for performing access control on a user equipment in a WPAN in an embodiment of the present invention. Referring to Figure 7, the system includes:
[92] a user equipment, configured to send an access request to the access device in the WPAN, the access request carrying a user equipment identifier and a service identifier; and
[93] an access device, which may be the access device described in the specific embodiments above.
[94] It will be understood that what is shown in the figures or embodiments is merely illustrative and represents a logical structure; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over several network elements.
[95] In summary, the above description is only of preferred embodiments of the present invention and is not intended to limit the scope of protection of the present invention. Any modifications, equivalent substitutions, improvements and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

[1] A method for performing access control on a user equipment of a wireless personal area network (WPAN), the method comprising:
presetting, in an access device of the WPAN, the correspondence between the user equipment identifier in the WPAN and the service identifier of the service in a remote server that the user equipment is entitled to;
receiving, by the access device, an access request sent by the user equipment in the WPAN, the access request carrying a user equipment identifier and a service identifier;
when the user equipment identifier and service identifier carried in the access request are consistent with the correspondence saved by the access device, passing, by the access device, the access-right verification of the user equipment; and
sending, by the access device, an access request to the remote server corresponding to the service identifier.
[2] The method according to claim 1, wherein the correspondence between the service identifier of the service in the remote server and the access key is preset in the access device.
[3] The method according to claim 2, wherein the step of the access device sending an access request to the remote server corresponding to the saved service identifier includes: determining, by the access device, according to the correspondence between service identifier and access key, the access key corresponding to the service identifier carried in the access request, and sending an access request to the remote server corresponding to that service identifier, the access request including the determined access key.
[4] The method according to claim 3, wherein, after the access device sends the access request to the remote server corresponding to the service identifier, the method further includes: when the service identifier and access key carried in the access request are consistent with the correspondence saved in the remote server, providing, by the remote server, the service corresponding to the service identifier carried in the access request to the user equipment.
[5] The method according to claim 2, wherein the method by which the access device presets the correspondence between the service identifier of the service in the remote server and the access key includes: obtaining, by the access device, the access key corresponding to each service according to the key Ku from the remote server and the key generation algorithm and random number corresponding to each service of the remote server; and setting the correspondence between the service identifier and the access key of each service.
[6] The method according to claim 2, wherein the service identifier field includes the identifier of the remote server.
[7] The method according to any one of claims 2 to 6, wherein the correspondence between user equipment identifier and service identifier and the correspondence between service identifier and access key are saved in the access device in the form of an access control list (ACL).
[8] The method according to claim 7, wherein the remote server updates and maintains the ACL in the access device.
[9] The method according to claim 6, wherein the correspondence among user equipment identifier, service identifier and access key is saved in one ACL;
or,
the correspondence between user equipment identifier and service identifier and the correspondence between service identifier and access key are saved in different ACLs respectively.
[10] An access device, comprising:
a saving unit, configured to save the correspondence between the user equipment identifier in the WPAN and the service identifier of the service provided by a remote server that the user equipment is entitled to;
an information receiving and processing unit, configured to receive an access request sent by a user equipment in the WPAN, provide the user equipment identifier and service identifier carried in the access request to the access control unit, and, after receiving notification that the access-right verification has passed, send an access request to the remote server corresponding to the service identifier carried in the access request; and
an access control unit, configured to notify the information receiving and processing unit that the access-right verification has passed after detecting that the user equipment identifier and service identifier provided by the information receiving and processing unit are consistent with the correspondence saved in the saving unit.
[11] The access device according to claim 10, wherein the saving unit is further configured to save the correspondence between the service identifier of the service in the remote server and the access key.
[12] The access device according to claim 10 or 11, wherein the access control unit further determines, according to the correspondence between service identifier and access key saved in the saving unit, the access key corresponding to the service identifier provided by the information receiving and processing unit, and provides the determined access key to the information receiving and processing unit;
the information receiving and processing unit is further configured to carry the determined access key in the access request sent to the remote server.
[13] The access device according to claim 12, wherein the saving unit saves the correspondence among user equipment identifier, service identifier and access key in one ACL; or saves the correspondence between user equipment identifier and service identifier and the correspondence between service identifier and access key in different ACLs.
[14] A system for performing access control on a user equipment of a WPAN, the system comprising:
a user equipment, configured to send an access request to an access device in the WPAN, the access request carrying a user equipment identifier and a service identifier; and an access device according to any one of claims 10 to 13.
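The following added example (Python written for this page, not code from the patent or from Huawei) walks through the access-device flow of paragraphs [80] to [90] and claims 1 to 6: the saving unit's two ACLs, the local entitlement check that keeps unentitled requests off the carrier network, the per-service access key derived from Ku and the server's random number, and the remote server's own check of the forwarded (service identifier, access key) pair. Assumptions: HMAC-SHA256 stands in for the unspecified key generation algorithm, the service identifier field uses a "server/service" layout, and Ku, the nonces and the ACL entries are constructed values.

```python
import hashlib
import hmac

KU = b"constructed-shared-key-Ku"  # constructed sample value, not from the patent


def derive_access_key(ku: bytes, service_id: str, nonce: bytes) -> bytes:
    # Assumed key generation algorithm (the patent names none): HMAC-SHA256
    # keyed with Ku over the service identifier and the server's random number.
    return hmac.new(ku, service_id.encode() + nonce, hashlib.sha256).digest()


class RemoteServer:
    """Holds Ku, issues one random number per service, and verifies the
    (service identifier, access key) pair on each forwarded request (claim 4)."""

    def __init__(self, ku: bytes, service_ids):
        self.ku = ku
        # Deterministic constructed nonces keep the example reproducible; a real
        # server would draw them from os.urandom().
        self.nonces = {s: hashlib.sha256(b"nonce:" + s.encode()).digest()[:16]
                       for s in service_ids}
        self.requests_seen = 0  # requests that actually reached the carrier side

    def handle_access_request(self, service_id: str, access_key: bytes) -> bool:
        self.requests_seen += 1
        nonce = self.nonces.get(service_id)
        if nonce is None:
            return False
        expected = derive_access_key(self.ku, service_id, nonce)
        return hmac.compare_digest(expected, access_key)  # constant-time compare

    def rotate_nonce(self, service_id: str) -> None:
        # Constructed helper: a fresh random number invalidates the keys the access
        # device derived earlier until the server refreshes the device's ACL (claim 8).
        old = self.nonces[service_id]
        self.nonces[service_id] = hashlib.sha256(b"rotated:" + old).digest()[:16]


class AccessDevice:
    """Saving unit = ue_acl and key_acl; access control unit plus information
    receiving/processing unit = handle_access_request()."""

    def __init__(self, ue_acl, ku: bytes, servers):
        self.ue_acl = set(ue_acl)     # ACL 1: (UE identifier, service identifier)
        self.servers = dict(servers)  # remote server identifier -> RemoteServer
        self.key_acl = {}             # ACL 2: service identifier -> access key ([89])
        for server in self.servers.values():
            for sid, nonce in server.nonces.items():
                self.key_acl[sid] = derive_access_key(ku, sid, nonce)

    def handle_access_request(self, ue_id: str, service_id: str) -> tuple:
        # Local entitlement check first: nothing leaves the WPAN if it fails.
        if (ue_id, service_id) not in self.ue_acl:
            return False, "denied locally: UE not entitled to service"
        access_key = self.key_acl.get(service_id)
        # Claim 6: the identifier field names the remote server ("server/service" assumed).
        server = self.servers.get(service_id.split("/", 1)[0])
        if access_key is None or server is None:
            return False, "denied locally: no access key or unknown remote server"
        if server.handle_access_request(service_id, access_key):
            return True, "granted by remote server"
        return False, "denied by remote server: access key does not match"


def demo():
    server = RemoteServer(KU, ["srv1/video", "srv1/mail"])
    device = AccessDevice({("ue-A", "srv1/video"), ("ue-B", "srv1/mail")}, KU, {"srv1": server})
    results = [device.handle_access_request("ue-A", "srv1/video"),
               device.handle_access_request("ue-A", "srv1/mail")]
    server.rotate_nonce("srv1/video")  # device's stored key for video is now stale
    results.append(device.handle_access_request("ue-A", "srv1/video"))
    return results, server.requests_seen
```

Only the access device ever holds Ku or the derived keys, and the second request in demo() never reaches the server, which is the point made in the advantages section above.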
PCT/CN2008/073256 2007-12-03 2008-11-28 Access controlling method, system and device WO2009074082A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710187579.7 2007-12-03
CN2007101875797A CN101453394B (en) 2007-12-03 2007-12-03 Method, system and equipment for access control

Publications (1)

Publication Number Publication Date
WO2009074082A1 true WO2009074082A1 (en) 2009-06-18

Family

ID=40735424

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/073256 WO2009074082A1 (en) 2007-12-03 2008-11-28 Access controlling method, system and device

Country Status (2)

Country Link
CN (1) CN101453394B (en)
WO (1) WO2009074082A1 (en)

Also Published As

Publication number Publication date
CN101453394A (en) 2009-06-10
CN101453394B (en) 2011-06-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08858828

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08858828

Country of ref document: EP

Kind code of ref document: A1