WO2010091563A1 - Method, device and system for managing WAPI terminal certificates - Google Patents

Method, device and system for managing WAPI terminal certificates

Info

Publication number
WO2010091563A1
WO2010091563A1 PCT/CN2009/072692 CN2009072692W WO2010091563A1 WO 2010091563 A1 WO2010091563 A1 WO 2010091563A1 CN 2009072692 W CN2009072692 W CN 2009072692W WO 2010091563 A1 WO2010091563 A1 WO 2010091563A1
Authority
WO
WIPO (PCT)
Prior art keywords
wapi
terminal
certificate
wapi terminal
public key
Prior art date
Application number
PCT/CN2009/072692
Other languages
English (en)
French (fr)
Inventor
施元庆
康望星
刘家兵
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2010091563A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates

Definitions

  • the present invention relates to the field of communications, and in particular to a method, device, and system for managing a WAPI terminal certificate.
  • WEP Wired Equivalent Privacy
  • the standard uses the WLAN Authentication and Privacy Infrastructure (WAPI) instead of WEP to solve the security problem of wireless LAN.
  • WAPI WLAN Authentication and Privacy Infrastructure
  • the WAPI consists of a WLAN Authentication Infrastructure (WAI) and a WLAN Privacy Infrastructure (WPI).
  • WAI adopts public key cryptography for mutual identity authentication between terminals and access points; WPI uses the symmetric cryptographic algorithm for WLAN approved by the Office of the National Cryptography Administration Committee to protect data, encrypting and decrypting the MAC Service Data Unit (MSDU) of the MAC sublayer.
  • FIG. 1 is a schematic structural diagram of a WAPI infrastructure according to the related art. As shown in FIG. 1, it includes: an access point (Access Point, referred to as AP), which is any entity that has station functionality and provides associated stations with access to distribution services over the wireless medium.
  • Access Point access Point
  • AP access Point
  • the authentication supplicant entity (Authentication Supplicant Entity, referred to as ASUE) is an entity that requests an authentication operation before accessing the service, and is mainly located in the terminal; the authenticator entity (Authenticator Entity, referred to as AE) is the entity that provides the authentication operation for the authentication supplicant before it accesses the service, and is mainly located in the access point; the basic function of the authentication service unit (Authentication Service Unit, referred to as ASU) is to manage user certificates and authenticate user identity, and it is an important part of the WAI authentication infrastructure based on public key cryptography; the authentication service entity (Authentication Service Entity, referred to as ASE) is the entity that provides the identity authentication service for the authenticator and the authentication supplicant, and it resides in the ASU.
  • the user certificate is a public key certificate, which is an important part of the WAI system structure.
  • the public key certificate is a digital identity credential of the network user, and the identity of the network user can be uniquely determined by the private key verification.
  • the station supports WAI authentication and key management in two ways: one based on certificates and the other based on a shared key. Within each type, authentication is divided by network type into authentication under a Basic Service Set (BSS) and authentication under an Independent Basic Service Set (IBSS).
  • BSS Basic Service Set
  • IBSS independent basic service set
  • when the certificate-based method is used, the station where the authentication supplicant entity resides, that is, the terminal, must attach its own certificate to the access authentication request, and the authenticator entity decides, according to a field in the request, whether to verify the certificate itself or to hand it to the authentication service unit for verification, thereby completing the access point's authentication of the authentication supplicant.
  • WAPI can be regarded as the public key infrastructure (PKI) of the wireless local area network, and the authentication service unit functions as the certificate authority (CA) in the PKI.
  • CA certificate authority
  • when X.509 v3-based certificates are used, the authentication service unit must also provide the CA functions related to certificate application, issuance, periodic publication of invalidated certificates, and response to user certificate revocation.
  • in PKI, the user applies for or cancels a certificate and the corresponding private key in an offline or external manner, to avoid theft or tampering during transmission.
  • the certificate becomes invalid after its validity period expires, and the user must actively complete the local certificate update offline, which is very inconvenient.
  • the main object of the present invention is to provide a method, device, and system for managing a WAPI terminal certificate, to solve at least one of the above problems in the related art.
  • a WAPI terminal certificate management method for managing a public key certificate of a WAPI terminal based on SIP is provided.
  • the management method of the WAPI terminal certificate includes: the WAPI authentication server and the WAPI terminal negotiate a session key; the WAPI authentication server receives a subscription request message from the WAPI terminal, wherein the subscription request message is a non-first request for the public key certificate and the private key of the WAPI terminal; the WAPI authentication server sends a notification message carrying the encrypted public key certificate and private key to the WAPI terminal for the WAPI terminal to update, wherein the public key certificate and the private key are encrypted by using the session key.
  • the method further includes: the access point performs access authentication on the WAPI terminal, and in the case that the WAPI terminal passes the authentication, allows the WAPI authentication server and the WAPI terminal.
  • the processing in which the WAPI authentication server and the WAPI terminal negotiate the session key comprises: the WAPI authentication server receives a registration request message from the WAPI terminal, wherein the registration request message carries the first random number generated by the WAPI terminal; the WAPI authentication server sends a registration rejection message to the WAPI terminal, wherein the registration rejection message carries the second random number generated by the WAPI authentication server; the WAPI authentication server receives a new registration request message from the WAPI terminal, and if the registration is successful, the WAPI authentication server and the WAPI terminal calculate the session key from the first random number and the second random number, wherein the session key is obtained by performing a hash operation after the second random number is concatenated with the first random number.
  • the first random number sent by the WAPI terminal is encrypted by the WAPI terminal using the public key of the WAPI authentication server.
  • the second random number sent by the WAPI authentication server is encrypted by the WAPI authentication server using the public key of the WAPI terminal.
  • the method further comprises: the WAPI terminal receives the notification message, decrypts the public key certificate and the private key by using the session key, and uses the decrypted public key certificate and private key to update the public key certificate and private key local to the WAPI terminal.
  • the WAPI authentication server revokes the public key certificate of the WAPI terminal, specifically: the WAPI authentication server sends to the WAPI terminal a notification message for revoking the public key certificate of the WAPI terminal, to notify the WAPI terminal to re-establish access authentication, wherein the length of the message body of the notification message for revoking the public key certificate of the WAPI terminal is set to 0.
  • the method further includes: the WAPI authentication server obtains the public key certificate and the private key in advance by request from a public certification authority, or the WAPI authentication server stores the public key certificate and the private key in advance.
  • a management apparatus for a WAPI terminal certificate, the apparatus being located in a WAPI authentication server.
  • the management device of the WAPI terminal certificate includes: a negotiation module, configured to negotiate a session key with the WAPI terminal; a receiving module, configured to receive a subscription request message from the WAPI terminal, wherein the subscription request message is a non-first request for the public key certificate and the private key of the WAPI terminal; an encryption module, configured to encrypt the public key certificate and the private key by using the session key; and a sending module, configured to send to the WAPI terminal a notification message carrying the encrypted public key certificate and private key, for the WAPI terminal to update.
  • a management system for a WAPI terminal certificate includes: a WAPI authentication server, a WAPI terminal.
  • the WAPI authentication server includes: a first receiving module, configured to receive a subscription request message from the WAPI terminal, where the subscription request message is a non-first request for the public key certificate and the private key of the WAPI terminal;
  • the public key certificate and the private key are encrypted by using a pre-generated session key;
  • the first sending module is configured to send, to the WAPI terminal, a notification message carrying the encrypted public key certificate and the private key for updating by the WAPI terminal.
  • the WAPI terminal includes: a second sending module, configured to send a subscription request message to the WAPI authentication server; a second receiving module, configured to receive from the WAPI authentication server the notification message that carries the encrypted public key certificate and private key; a decryption module, configured to decrypt the encrypted public key certificate and private key by using the pre-generated session key; and an update module, configured to update the public key certificate and private key local to the WAPI terminal by using the decrypted public key certificate and private key.
  • the session key is pre-negotiated and the public key certificate and the private key of the terminal are encrypted by using the session key, and the public key certificate and the private key of the WAPI terminal are sent to the WAPI terminal by using the SIP mechanism.
  • FIG. 1 is a schematic structural diagram of a WAPI infrastructure according to the related art
  • FIG. 2 is a schematic diagram showing the structure of a WAPI authentication server and a WAPI terminal according to an embodiment of the present invention
  • FIG. 4 is a flowchart of a WAPI terminal generating a session key according to an embodiment of the present invention
  • FIG. 5 is a flowchart of a WAPI authentication server generating a session key according to an embodiment of the present invention
  • FIG. 6 is a flowchart of processing a subscription and notification message by a WAPI terminal according to an embodiment of the present invention
  • FIG. 7 is a flowchart of processing a subscription and notification message by a WAPI authentication server according to an embodiment of the present invention
  • FIG. 8 is a schematic structural diagram of a WAPI authentication server acquiring a WAPI terminal certificate according to an embodiment of the present invention
  • FIG. 9 is a schematic diagram of SIP signaling processing according to a method for managing a WAPI terminal certificate according to an embodiment of the present invention.
  • FIG. 11 is a block diagram of a management system of a WAPI terminal certificate according to an embodiment of the present invention.
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS The main idea of the present invention is a technical solution in which an extended server certificate management unit actively sends the certificate and an extended terminal certificate management module automatically updates the certificate. The user does not need to operate offline.
  • Extended server certificate management introducing session initiation protocol
  • SIP Session Initiation Protocol
  • users can use the Subscribe message (subscription message) in SIP to complete the subscription of their public key (public key) certificate, when the certificate management unit updates the certificate and reassigns the private key.
  • the certificate and private key (private key) when the user first uses the terminal are still applied offline.
  • the SIP signaling is performed on the encrypted data channel, which avoids the possibility of eavesdropping on the certificate and password.
  • the user does not need to use the offline mode every time the certificate is updated, and does not need to take any active step, which improves the user experience; the operator's certificate maintenance work also saves a lot of time, and the update process is handed over to the SIP subscription and notification mechanism and completed automatically, which improves processing efficiency.
  • FIG. 2 is a schematic diagram showing the structure of a WAPI authentication server and a WAPI terminal according to an embodiment of the present invention.
  • a certificate management unit is added to the WAPI terminal, and this functional unit implements the SIP client function; the WAPI server and the WAPI terminal send and receive SIP messages through port 5060, and implement the registration, subscription, and notification processing functions based on the SIP protocol.
  • the WAPI authentication server includes an authentication request service unit and a server certificate management unit; the server-side certificate management unit, acting as the SIP registration server of the terminal, implements part of the SIP server function, sends and receives SIP messages on port 5060, receives and processes the terminal's SIP-based registration and subscription requests, and sends SIP-based notification messages to the WAPI terminal.
  • the SIP message is transmitted based on the User Datagram Protocol (UDP) or the Transmission Control Protocol (TCP).
  • UDP User Datagram Protocol
  • TCP Transmission Control Protocol
  • the AP performs access authentication on the WAPI terminal, and allows the WAPI terminal to access the AP in the case that the WAPI terminal passes the authentication.
  • FIG. 3 is a flowchart of a method for managing a WAPI terminal certificate according to an embodiment of the present invention. It should be noted that the steps described in the following method may be performed in a computer system, for example as a set of computer-executable instructions, and although a logical order is shown in FIG. 3, in some cases the steps shown or described may be performed in an order different from the one here. As shown in FIG. 3, the method includes the following steps: Step S302: the WAPI authentication server and the WAPI terminal negotiate a session key.
  • Step S304: the WAPI authentication server receives a subscription request message from the WAPI terminal, where the subscription request message is a non-first request for the public key certificate and the private key of the WAPI terminal; Step S306: the WAPI authentication server sends a notification message carrying the encrypted public key certificate and private key to the WAPI terminal for the WAPI terminal to update, wherein the public key certificate and the private key are encrypted with the session key. Based on the above processing, the WAPI terminal can update its certificate online. Each of the above steps is described in detail below.
  • Step S302: the WAPI terminal randomly generates a 128-bit random number rand_asue (the first random number), encrypts rand_asue using the public key and public key algorithm in the public key certificate issued by the WAPI authentication server, and takes the result as the value of the new header field Cert-Rand in the SIP registration message; the terminal then sends the SIP registration request message to the WAPI server.
  • the AP forwards the request message to the server certificate management unit on the WAPI server, which receives the registration request message and decrypts rand_asue in the Cert-Rand field using its private key and the public key algorithm; it then generates a 128-bit random number rand_ca (the second random number), encrypts rand_ca with the public key of the WAPI terminal, uses the result as the value of the nonce parameter in the WWW-Authenticate header field of the registration rejection message (401), and sends the registration rejection message to the WAPI terminal.
  • the WAPI terminal receives the registration rejection message, extracts the nonce parameter and other parameters from WWW-Authenticate, decrypts the nonce using the private key of the WAPI terminal to obtain rand_ca, and then performs the digest (Digest) calculation using the authentication algorithm indicated in the header field; here the user name can be the user's phone number and the password can be the randomly generated rand_asue.
  • the Digest calculation result is used as the value of the response parameter in the Authorization header field of the new registration request, and the WAPI terminal sends the new registration request message to the WAPI authentication server. After receiving the new registration request, the WAPI server performs the Digest calculation with the parameters and compares the result with the response parameter value.
  • FIG. 4 is a flowchart of a process for generating a session key by a user certificate management unit according to an embodiment of the present invention. As shown in FIG. 4, the process includes:
  • the WAPI terminal completes the access authentication process and negotiates the unicast key.
  • the WAPI terminal generates a 128-bit random number rand_asue;
  • the WAPI terminal encrypts rand_asue with the public key of the WAPI server and assigns the result to Cert-Rand;
  • the WAPI terminal sends a SIP registration request.
  • the WAPI terminal receives the registration failure response and decrypts the nonce field with its private key to obtain rand_ca;
  • the WAPI terminal uses the algorithm specified in the failure response to calculate a digest; the user name is the number and the password is rand_asue;
  • the WAPI terminal assigns the digest to the response field and resends the registration request.
  • FIG. 5 is a flowchart of a process for generating a session key by a server certificate management unit according to an embodiment of the present invention. As shown in FIG. 5, the process includes:
  • the WAPI authentication server receives the SIP registration request, decrypts it with its own private key to obtain rand_asue, and generates a random number rand_ca;
  • the WAPI authentication server encrypts rand_ca with the public key of the terminal user, assigns the result to the nonce in the WWW-Authenticate header field of the registration failure response, and sends back the failure message;
  • the WAPI authentication server receives the new registration message, parses the parameters in the Authorization field, calculates the digest, compares the result with the response field, and returns a success or failure message;
  • Steps S304 to S306: after the WAPI terminal successfully completes SIP registration, it initiates the certificate subscription request and sends a SIP Subscribe message to the certificate management unit of the WAPI authentication server; the server certificate management unit finds the user's currently valid public key certificate and private key according to the user's identity and sends them to the WAPI terminal in a Notify message.
  • the public key certificate and the private key are first combined in an XML format and then encrypted by the session key.
  • after decrypting the certificate and key information, the WAPI terminal compares them with the locally stored certificate and private key. If they are inconsistent, it initiates an AP de-association operation and then re-initiates AP association; the association process is an authentication process based on the new certificate.
  • the Subscribe message can indicate the event type through the header field Event.
  • the present invention does not specifically define the event name; for example, it can be defined as cert-event. The header field Accept indicates the format of the message body in the notification message, and the present invention does not specifically name the format either; for example, it can be defined as application/cert-info, which is used to define force.
  • FIG. 6 is a flowchart of processing a subscription and notification message by a WAPI terminal according to an embodiment of the present invention. As shown in FIG. 6, the process includes:
  • the WAPI terminal generates a subscription request message and sends the message to the WAPI authentication server; S606, the WAPI terminal receives the subscription success message (200 OK) from the WAPI server and is ready to process the certificate notification message;
  • step S608 the WAPI terminal determines whether the notification message body is empty, if not, then step S610 is performed, otherwise step S614 is performed;
  • the WAPI terminal decrypts the certificate and the key information by using a pre-generated session key by using a conventional encryption algorithm.
  • S612 The WAPI terminal determines whether the certificate has been updated, and re-initiates the access authentication process if the update is performed.
  • FIG. 7 is a diagram of a process for processing a subscription and notification message by a server certificate management unit in an embodiment of the present invention. As shown in FIG. 7, the process includes:
  • the WAPI authentication server receives a subscription request message from the WAPI terminal.
  • the WAPI authentication server encrypts the currently valid certificate and private key by using the session key, generates a notification message carrying the encrypted public key certificate and private key, and sends it to the WAPI terminal;
  • S708: a notification process is triggered when the user certificate in the certificate management unit is updated or revoked during the subscription validity period;
  • FIG. 8 is a schematic structural diagram of a WAPI authentication server acquiring a WAPI terminal certificate according to an embodiment of the present invention. As shown in FIG.
  • the currently valid public key certificate and private key of the WAPI terminal that the WAPI authentication server (authentication server 1) sends to the WAPI terminal may be pre-stored by the WAPI authentication server, may be obtained by the WAPI authentication server from another public authentication center (CA) connected to it by requesting a certificate or through a certificate query response, or may be obtained by the WAPI authentication server requesting, through a higher-level public certification authority, certificates managed by other WAPI authentication servers (authentication server 2).
  • CAs public authentication centers
  • FIG. 9 is a flowchart of SIP signaling processing according to a method for managing a WAPI terminal certificate according to an embodiment of the present invention. As shown in FIG.
  • Step S902: the WAPI terminal sends a SIP registration request (Register) message to the WAPI authentication server, and the Register message carries the first random number generated by the WAPI terminal.
  • Step S904 the WAPI authentication server returns a registration rejection message (401 message) to the WAPI terminal, where the rejection message carries the second random number generated by the WAPI authentication server;
  • Step S906 the WAPI terminal sends a new Register to the WAPI authentication server.
  • step S908 the WAPI authentication server returns a successful registration response message (200 OK) to the WAPI terminal, and after the confirmation succeeds, the WAPI server and the WAPI terminal generate the session key according to the first random number and the second random number;
  • step S910 The WAPI terminal sends a subscription message to the WAPI authentication server.
  • Step S912: the WAPI authentication server returns a success confirmation message (200 OK) to the WAPI terminal.
  • Step S914: the WAPI authentication server sends a notification (Notify) message to the WAPI terminal, where the notification message carries the public key certificate and the private key of the WAPI terminal encrypted with the session key; Step S916: the WAPI terminal sends a success confirmation message to the WAPI authentication server.
  • Step S918: the WAPI authentication server sends a notification (Notify) message to the WAPI terminal in which the message body is empty and the length-indicating header field Content-Length has the value 0.
  • Step S920: after receiving the Notify message, the WAPI terminal no longer maintains the access authentication state but re-initiates the access authentication process, and returns a success confirmation message (200 OK) to the WAPI authentication server.
  • Apparatus Embodiments According to an embodiment of the present invention, a management apparatus for a WAPI terminal certificate is also provided. The device can be used to implement the management method of the WAPI terminal certificate provided by the foregoing method embodiment. FIG.
  • the management device of the WAPI terminal certificate according to the embodiment of the present invention includes: a negotiation module 110, a receiving module 120, an encryption module 130, and a sending module 140. Specifically: the negotiation module 110 is configured to negotiate a session key with the WAPI terminal; the receiving module 120 is connected to the negotiation module 110 and configured to receive a subscription request message from the WAPI terminal, where the subscription request message is a non-first request for the public key certificate and private key of the WAPI terminal; the encryption module 130 is connected to the receiving module 120 and configured to encrypt the public key certificate and the private key by using the session key; the sending module 140 is connected to the encryption module 130 and configured to send to the WAPI terminal a notification message carrying the encrypted public key certificate and private key.
  • the management device of the WAPI terminal certificate is a certificate management unit in the WAPI authentication server.
  • the apparatus shown in the embodiment of the present invention can also perform the processing shown in FIG. 2 to FIG. 9, and the specific processing procedure is not repeated here.
  • a management system for a WAPI terminal certificate is also provided.
  • the system can be used to implement the management method of the WAPI terminal certificate provided by the foregoing method embodiment.
  • FIG. 11 is a block diagram of a management system for a WAPI terminal certificate according to an embodiment of the present invention.
  • the system includes: a WAPI authentication server 10, a WAPI terminal 20, wherein:
  • the WAPI authentication server 10 includes: a first receiving module 120, configured to receive a subscription request message from the WAPI terminal, where the subscription request message is a non-first request for the public key certificate and private key of the WAPI terminal; an encryption module 130, connected to the first receiving module 120 and configured to encrypt the public key certificate and the private key by using the pre-generated session key; and a first sending module 140, connected to the encryption module 130 and configured to send to the WAPI terminal a notification message carrying the encrypted public key certificate and private key, for the WAPI terminal to update;
  • the WAPI terminal 20 includes: a second sending module 210, configured to send a subscription request message to the WAPI authentication server; a second receiving module 220, configured to receive from the WAPI authentication server the notification message that carries the encrypted public key certificate and private key; a decryption module 230, connected to the second receiving module 220 and configured to decrypt the encrypted public key certificate and private key by using the pre-generated session key; and an update module 240, connected to the decryption module 230 and configured to update the public key certificate and private key local to the WAPI terminal by using the decrypted public key certificate and private key.
  • the session key is pre-negotiated and used to encrypt the public key certificate and private key of the terminal, and the public key certificate and private key of the WAPI terminal are sent to the WAPI terminal by using the SIP mechanism, thereby achieving the purpose of updating the user certificate online and solving the inefficient processing caused by applying for the certificate and private key offline, which not only improves work efficiency but also improves the user experience.
  • the above modules or steps of the present invention can be implemented by a general-purpose computing device, which can be concentrated on a single computing device or distributed over a network composed of multiple computing devices.
  • the invention may be implemented by program code executable by the computing device, so that the modules or steps may be stored in a storage device and executed by the computing device, or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps among them may be implemented as a single integrated circuit module.
  • the invention is not limited to any specific combination of hardware and software. The above is only the preferred embodiment of the present invention and is not intended to limit the present invention; various modifications and changes can be made to the present invention. Any modifications, equivalents, and improvements made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Description

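Method, Apparatus and System for Managing WAPI Terminal Certificates

Technical Field

The present invention relates to the field of communications, and in particular to a method, apparatus and system for managing WAPI terminal certificates.

Background

To address the security vulnerabilities in the Wired Equivalent Privacy (WEP) security mechanism defined in the international wireless LAN standard ISO/IEC 802.11, China has issued a national wireless LAN standard and its Amendment No. 1. That standard replaces WEP with the WLAN Authentication and Privacy Infrastructure (WAPI) to solve the security problems of wireless LANs.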
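WAPI consists of the WLAN Authentication Infrastructure (WAI) and the WLAN Privacy Infrastructure (WPI). WAI uses public-key cryptography for mutual identity authentication between the terminal and the access point. WPI protects data with a symmetric cipher algorithm for WLAN approved by the Office of the State Cryptography Administration, encrypting and decrypting the MAC service data units (MSDU) of the MAC sublayer.

Fig. 1 is a schematic structural diagram of the WAPI infrastructure according to the related art. As shown in Fig. 1, it includes the following entities:

The access point (AP) is any entity that has station functionality and provides associated stations with access to distribution services over the wireless medium.

The authentication supplicant entity (ASUE) is the entity that requests an authentication operation before accessing the service; it is mainly located in the terminal.

The authenticator entity (AE) is the entity that provides the authentication operation for the supplicant before it accesses the service; it is mainly located in the access point.

The authentication service unit (ASU) has the basic functions of managing user certificates and authenticating user identities; it is an important component of the WAI authentication infrastructure, which is based on public-key cryptography.

The authentication service entity (ASE) is the entity that provides identity authentication services to the authenticator and the supplicant; it resides in the ASU.

The user certificate is a public key certificate and is an important element of the WAI system structure. A public key certificate is the digital identity credential of a network user; verification with the private key uniquely determines the identity of the network user.

A station supports WAI authentication and key management in two ways: one based on certificates and one based on a shared key. Within both types, authentication is divided by network type into authentication under a basic service set (BSS) and authentication under an independent basic service set (IBSS). In the certificate-based mode, the station hosting the authentication supplicant entity, that is, the terminal, must attach its own certificate to the access authentication request. The authenticator entity decides, based on a field in the request, whether to verify the certificate itself or hand verification to the authentication service unit, and in this way the access point's authentication of the supplicant is completed.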
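WAPI can be regarded as the public key infrastructure (PKI) of the wireless LAN, in which the authentication service unit plays the role of the certificate authority (CA) in a PKI. When WAI uses certificates based on X.509 v3, the authentication service unit must also provide the CA functions of certificate application, issuance, periodic publication of certificate revocation lists, and response to user certificate revocation.

In a PKI, a user generally applies for or cancels a certificate and the corresponding private key offline and out of band, so that they cannot be stolen or tampered with in transit. A certificate becomes invalid when its validity period expires, and the user must then also update the local certificate offline, which is very inconvenient.

For the problem that users must apply for certificates and private keys through an inefficient offline procedure, the related art has not yet proposed an effective solution.

Summary of the Invention

The present invention is proposed in view of the problem in the related art that users must apply for certificates and private keys offline. Its main object is therefore to provide a method, apparatus and system for managing WAPI terminal certificates that solve at least one of the above problems in the related art.

To achieve this object, according to one aspect of the present invention, a method for managing WAPI terminal certificates is provided, which manages the public key certificate of a WAPI terminal on the basis of SIP.

The method for managing WAPI terminal certificates according to the present invention includes: the WAPI authentication server and the WAPI terminal negotiate a session key; the WAPI authentication server receives a subscription request message from the WAPI terminal, where the subscription request message is used for a request, other than the first, for the WAPI terminal's public key certificate and private key; the WAPI authentication server sends the WAPI terminal a notification message carrying the encrypted public key certificate and private key, for the WAPI terminal to update, where the public key certificate and private key are encrypted with the session key.

Preferably, before the WAPI authentication server and the WAPI terminal negotiate the session key, the method further includes: the access point performs access authentication on the WAPI terminal and, if the WAPI terminal passes authentication, allows the WAPI authentication server and the WAPI terminal to negotiate the session key.

Preferably, the negotiation of the session key between the WAPI authentication server and the WAPI terminal includes: the WAPI authentication server receives a registration request message from the WAPI terminal, where the registration request message carries a first random number generated by the WAPI terminal; the WAPI authentication server sends the WAPI terminal a registration rejection message, where the registration rejection message carries a second random number generated by the WAPI authentication server; the WAPI authentication server receives a new registration request message from the WAPI terminal and, if registration succeeds, the WAPI authentication server and the WAPI terminal compute the session key from the first random number and the second random number, where the session key is obtained by concatenating the second random number with the first random number and hashing the result.

Preferably, the first random number sent by the WAPI terminal is encrypted by the WAPI terminal with the public key of the WAPI authentication server.

Preferably, the second random number sent by the WAPI authentication server is encrypted by the WAPI authentication server with the public key of the WAPI terminal.

Preferably, after the WAPI authentication server sends the notification message to the WAPI terminal, the method further includes: the WAPI terminal receives the notification message, decrypts the public key certificate and private key with the session key, and uses the decrypted public key certificate and private key to update the WAPI terminal's local public key certificate and private key.

Preferably, where the public key certificate of the WAPI terminal is illegal or invalid, the WAPI authentication server revokes the public key certificate of the WAPI terminal, which specifically includes: the WAPI authentication server sends the WAPI terminal a notification message for revoking the WAPI terminal's public key certificate, to notify the WAPI terminal to perform access authentication again, where the length of the message body of the notification message revoking the WAPI terminal's public key certificate is configured as 0.

Preferably, before the WAPI authentication server and the WAPI terminal negotiate the session key, the method further includes: the WAPI authentication server requests the public key certificate and private key in advance from a public certificate authority, or the WAPI authentication server stores the public key certificate and private key in advance.

According to another aspect of the present invention, an apparatus for managing WAPI terminal certificates is also provided; the apparatus is located in the WAPI authentication server.

The apparatus for managing WAPI terminal certificates according to the present invention includes: a negotiation module, configured to negotiate a session key with the WAPI terminal; a receiving module, configured to receive a subscription request message from the WAPI terminal, where the subscription request message is used for a request, other than the first, for the WAPI terminal's public key certificate and private key; an encryption module, configured to encrypt the public key certificate and private key with the session key; and a sending module, configured to send the WAPI terminal a notification message carrying the encrypted public key certificate and private key, for the WAPI terminal to update.

According to yet another aspect of the present invention, a system for managing WAPI terminal certificates is also provided.

The system for managing WAPI terminal certificates according to the present invention includes a WAPI authentication server and a WAPI terminal.

The WAPI authentication server includes: a first receiving module, configured to receive a subscription request message from the WAPI terminal, where the subscription request message is used for a request, other than the first, for the WAPI terminal's public key certificate and private key; an encryption module, configured to encrypt the public key certificate and private key with a pre-generated session key; and a first sending module, configured to send the WAPI terminal a notification message carrying the encrypted public key certificate and private key, for the WAPI terminal to update.

The WAPI terminal includes: a second sending module, configured to send the subscription request message to the WAPI authentication server; a second receiving module, configured to receive from the WAPI authentication server the notification message carrying the encrypted public key certificate and private key; a decryption module, configured to decrypt the encrypted public key certificate and private key with the pre-generated session key; and an update module, configured to update the WAPI terminal's local public key certificate and private key with the decrypted public key certificate and private key.

With the above technical solution of the present invention, a session key is negotiated in advance and used to encrypt the terminal's public key certificate and private key, and the WAPI terminal's public key certificate and private key are sent to the WAPI terminal through the SIP mechanism. User certificates can thus be updated online, which solves the low processing efficiency caused by applying for certificates and private keys offline and improves work efficiency and the user experience.

Other features and advantages of the present invention will be set forth in the description that follows and will in part become apparent from the description or be understood by practising the invention. The objects and other advantages of the invention can be realized and obtained through the structures particularly pointed out in the written description, the claims and the drawings.

Brief Description of the Drawings

The drawings described here provide a further understanding of the present invention and form part of this application. The illustrative embodiments of the invention and their descriptions serve to explain the invention and do not unduly limit it. In the drawings:

Fig. 1 is a schematic structural diagram of the WAPI infrastructure according to the related art;
Fig. 2 is a schematic diagram of the structure of the WAPI authentication server and the WAPI terminal according to an embodiment of the present invention;
Fig. 3 is a flowchart of the method for managing WAPI terminal certificates according to an embodiment of the present invention;
Fig. 4 is a flowchart of the WAPI terminal generating the session key according to an embodiment of the present invention;
Fig. 5 is a flowchart of the WAPI authentication server generating the session key according to an embodiment of the present invention;
Fig. 6 is a flowchart of the WAPI terminal processing the subscription and notification messages according to an embodiment of the present invention;
Fig. 7 is a flowchart of the WAPI authentication server processing the subscription and notification messages according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of the WAPI authentication server obtaining a WAPI terminal certificate according to an embodiment of the present invention;
Fig. 9 is a flowchart of the SIP signaling of the method for managing WAPI terminal certificates according to an embodiment of the present invention;
Fig. 10 is a block diagram of the apparatus for managing WAPI terminal certificates according to an embodiment of the present invention;
Fig. 11 is a block diagram of the system for managing WAPI terminal certificates according to an embodiment of the present invention.

Detailed Description

Functional Overview

The main idea of the present invention is a technical solution in which an extended server certificate management unit actively sends certificates and an extended terminal certificate management module updates them automatically. The user does not need to perform any offline operation. The extended server certificate management function introduces the Session Initiation Protocol (SIP). A user can use the SIP Subscribe message (subscription message) to subscribe to his or her own public key certificate; when the certificate management unit updates the certificate and reassigns the private key, it can send the certificate and private key in a SIP Notify message (notification message) according to the user's subscription. The certificate and private key for the user's first use of the terminal are still applied for offline. After the terminal completes access authentication, all SIP signaling is carried over the already encrypted data channel, which avoids the possibility of the certificate and key being eavesdropped. With the technical solution according to the embodiments of the present invention, the user does not need to go through an offline procedure every time the certificate is updated and does not need to take any action, which improves the user experience. The operator also saves a large amount of time in certificate maintenance: the update process is completed automatically by the SIP subscription and notification mechanism, which improves processing efficiency.

The preferred embodiments of the present invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here only illustrate and explain the present invention and do not limit it. Where no conflict arises, the embodiments of the present invention and the features in the embodiments may be combined with one another.

Method Embodiment

According to an embodiment of the present invention, a method for managing WAPI terminal certificates is provided.

Fig. 2 is a schematic diagram of the structure of the WAPI authentication server and the WAPI terminal according to an embodiment of the present invention. As shown in Fig. 2, a certificate management unit is added to the WAPI terminal. This functional unit implements the SIP client function; the WAPI server and the WAPI terminal send and receive SIP messages through port 5060 to implement SIP-based registration, subscription and notification processing.

The WAPI authentication server includes an authentication request service unit and a server certificate management unit. The server-side certificate management unit acts as the terminal's SIP registrar and implements part of the functions of a SIP server: it sends and receives SIP messages on port 5060, receives and processes the terminal's SIP-based registration and subscription requests, and sends SIP-based notification messages to the WAPI terminal. SIP messages are transported over the User Datagram Protocol (UDP) or the Transmission Control Protocol (TCP).

Before the method provided by the embodiment of the present invention is carried out, the AP performs access authentication on the WAPI terminal and, if the WAPI terminal passes authentication, allows the WAPI terminal to access the AP. The AP and the terminal negotiate a unicast session key, which secures the data transmission between the WAPI terminal and the AP.

Fig. 3 is a flowchart of the method for managing WAPI terminal certificates according to an embodiment of the present invention. Note that the steps described in the following method can be executed in a computer system, for example as a set of computer-executable instructions, and that although a logical order is shown in Fig. 3, in some cases the steps shown or described may be executed in a different order. As shown in Fig. 3, the method includes the following processing:

Step S302: the WAPI authentication server and the WAPI terminal negotiate a session key;

Step S304: the WAPI authentication server receives a subscription request message from the WAPI terminal, where the subscription request message is used for a request, other than the first, for the WAPI terminal's public key certificate and private key;

Step S306: the WAPI authentication server sends the WAPI terminal a notification message carrying the encrypted public key certificate and private key, for the WAPI terminal to update, where the public key certificate and private key are encrypted with the session key.

Based on the above processing, the WAPI terminal can update its certificate online.

The details of each of the above steps are described below.

(1) Step S302

First, the WAPI terminal randomly generates a 128-bit random number rand_asue (the first random number), encrypts rand_asue using the public key in the public key certificate published by the WAPI authentication server and a public-key algorithm, and uses the result as the value of Cert-Rand, a header field newly added to the SIP registration message. The terminal then sends this SIP registration request message to the WAPI server.

Next, the AP forwards the request message to the server certificate management unit on the WAPI server, which receives the registration request message and decrypts rand_asue from the Cert-Rand field using its private key and the public-key algorithm. It then randomly generates a 128-bit random number rand_ca (the second random number), encrypts rand_ca with the WAPI terminal's public key, uses the result as the value of the nonce parameter in the WWW-Authenticate header field of the registration rejection message (401), and sends the registration rejection message to the WAPI terminal.

The WAPI terminal then receives the registration rejection message, extracts the nonce parameter and the other parameters from WWW-Authenticate, and decrypts nonce with the WAPI terminal's private key to obtain rand_ca. It then performs the digest (Digest) calculation using the authentication algorithm indicated in this header field; here the user name may be the user's telephone number, and the password may be the rand_asue generated earlier as a random number. The Digest result is assigned to the response parameter in the Authorization header field of a new registration request, and the WAPI terminal sends the new registration request message to the WAPI authentication server.

On receiving the new registration request, the WAPI authentication server performs the Digest calculation with the parameters and compares the result with the value of the response parameter. If they match, the WAPI authentication server returns a 200 OK message to the WAPI terminal. After successful registration, the certificate management unit of the WAPI terminal and the certificate management unit on the WAPI authentication server use the same SHA-128 hash algorithm, with rand_ca followed by rand_asue as input, to compute a 128-bit session key.

Step S302 is described in detail below with reference to the drawings. Fig. 4 is a flowchart of the user certificate management unit generating the session key according to an embodiment of the present invention. As shown in Fig. 4, the flow includes: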
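S402: the WAPI terminal completes the access authentication process and unicast key negotiation;

S404: the WAPI terminal generates the 128-bit random number rand_asue;

S406: the WAPI terminal encrypts rand_asue with the public key of the WAPI server and assigns the result to Cert-Rand;

S408: the WAPI terminal sends the SIP registration request;

S410: the WAPI terminal receives the registration failure response and decrypts the nonce field with its private key to obtain rand_ca;

S412: the WAPI terminal computes the digest with the algorithm specified in the failure response; the user name is the number and the password is rand_asue;

S414: the WAPI terminal assigns the digest to the response field and resends the registration request;

S416: after receiving the registration success response, the WAPI terminal concatenates rand_ca and rand_asue and performs the SHA-128 calculation to generate the session key, which is used to decrypt the encrypted certificate and key information in the notification message.

Fig. 5 is a flowchart of the server certificate management unit generating the session key according to an embodiment of the present invention. As shown in Fig. 5, the flow includes:

S502: the WAPI authentication server receives the SIP registration request, decrypts it with its own private key to obtain rand_asue, and generates the random number rand_ca;

S504: the WAPI authentication server encrypts rand_ca with the terminal user's public key, assigns the result to nonce in the WWW-Authenticate header field of the registration failure response, and returns the failure message;

S506: the WAPI authentication server receives the new registration message, parses the parameters in the Authorization field, computes the digest, compares the result with the response field, and returns a success or failure message;

S508: if registration succeeds, the WAPI authentication server concatenates rand_ca and rand_asue and performs the SHA-128 calculation to generate the session key, which is used to encrypt the certificate and key information carried in the notification message.

The flows shown in Fig. 4 and Fig. 5 correspond to step S302 in Fig. 3.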
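The exchange in Figs. 4 and 5 from the second registration request onward, as an added Python example that is not part of the patent: both sides compute the RFC 2617 Digest with rand_asue as the password and then derive the 128-bit session key from rand_ca followed by rand_asue. Assumptions: the public-key encryption of the two random numbers is not modelled, SHA-256 truncated to 128 bits stands in for the hash the text calls SHA-128, and the realm, URI, user number and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

REALM = "wapi.example"          # assumption: realm sent in the 401
URI = "sip:asu.wapi.example"    # assumption: registrar URI


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user: str, password: str, nonce: str) -> str:
    """RFC 2617 Digest without qop: MD5(HA1:nonce:HA2) for a REGISTER."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"REGISTER:{URI}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def derive_session_key(rand_ca: bytes, rand_asue: bytes) -> bytes:
    """128-bit key from hash(rand_ca || rand_asue), in that order."""
    if len(rand_ca) != 16 or len(rand_asue) != 16:
        raise ValueError("both random numbers must be 128 bits")
    # Assumption: SHA-256 truncated to 16 bytes replaces "SHA-128".
    return hashlib.sha256(rand_ca + rand_asue).digest()[:16]


def terminal_reregister(user, rand_asue, rand_ca, nonce):
    """S412-S416: answer the 401 and derive the key.

    rand_ca is what the terminal obtained by decrypting `nonce` with its
    private key; that decryption is not modelled here.
    """
    response = digest_response(user, rand_asue.hex(), nonce)
    return response, derive_session_key(rand_ca, rand_asue)


def server_verify(user, rand_asue, rand_ca, nonce, response):
    """S506-S508: recompute the digest; derive the key only on a match."""
    expected = digest_response(user, rand_asue.hex(), nonce)
    if not hmac.compare_digest(expected, response):
        return None                      # answer with a failure, no key
    return derive_session_key(rand_ca, rand_asue)


def demo():
    user = "0100000001"                  # constructed phone number
    rand_asue = secrets.token_bytes(16)  # S404, terminal side
    rand_ca = secrets.token_bytes(16)    # S502, server side
    nonce = secrets.token_hex(32)        # constructed stand-in for Enc(rand_ca)
    response, k_terminal = terminal_reregister(user, rand_asue, rand_ca, nonce)
    k_server = server_verify(user, rand_asue, rand_ca, nonce, response)
    # A response computed from a different password is rejected.
    forged = digest_response(user, secrets.token_bytes(16).hex(), nonce)
    rejected = server_verify(user, rand_asue, rand_ca, nonce, forged)
    return k_terminal, k_server, rejected


if __name__ == "__main__":
    k_t, k_s, rejected = demo()
    print("keys match:", k_t == k_s, "| forged digest accepted:", rejected is not None)
```

The concatenation order matters: both sides must hash rand_ca first, and the server derives the key only after the digest comparison succeeds.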
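(2) Steps S304 to S306

After the WAPI terminal has successfully completed SIP registration, it immediately initiates a certificate subscription request by sending a SIP Subscribe message to the certificate management unit of the WAPI authentication server. The server certificate management unit uses the user's identity to find the user's currently valid public key certificate and private key and sends them to the WAPI terminal in a Notify message. The public key certificate and private key are first combined in an XML format and then encrypted with the session key.

After decrypting the certificate and key information, the WAPI terminal compares it with the locally stored certificate and private key. If they differ, it initiates disassociation from the AP and then associates with the AP again; during association, authentication based on the new certificate is performed.

Note that Subscribe can indicate the event type through the Event header field. The present invention does not limit the naming of the event; it may, for example, be defined as cert-event. The Accept header field indicates the format of the message body in the notification message. The present invention does not limit the naming of the format; here it may, for example, be defined as application/cert-info, which defines the encrypted certificate and key content. The present invention does not limit the XML-based format of the certificate and key. The Event and Content-Type header fields in the Notify message use the values of the Event and Accept header fields in Subscribe, respectively. When the user certificate management unit receives a Notify message, it checks these two header fields and parses the content according to the Content-Type and the specific way the certificate and private key are combined.

Steps S304 to S306 are described in detail below with reference to the drawings. Fig. 6 is a flowchart of the WAPI terminal processing the subscription and notification messages according to an embodiment of the present invention. As shown in Fig. 6, the flow includes: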
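S602: the WAPI terminal receives the successful registration response;

S604: the WAPI terminal generates the subscription request message and sends it to the WAPI authentication server;

S606: the WAPI terminal receives the subscription success message (200 OK) from the WAPI authentication server and prepares to process the certificate notification message;

S608: the WAPI terminal determines whether the body of the notification message is empty; if it is not, step S610 is performed, otherwise step S614 is performed;

S610: the WAPI terminal decrypts the certificate and key information with the pre-generated session key using a conventional encryption algorithm;

S612: the WAPI terminal determines whether the certificate has been updated and, if so, initiates the access authentication procedure again;

S614: the certificate the WAPI terminal subscribed to has been revoked, and the terminal initiates the access authentication procedure again.

Fig. 7 is a flowchart of the server certificate management unit processing the subscription and notification messages according to an embodiment of the present invention. As shown in Fig. 7, the flow includes: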
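S702: the WAPI authentication server receives the subscription request message from the WAPI terminal;

S704: if the WAPI authentication server accepts the subscription, it returns a success message (200 OK) to the WAPI terminal;

S706: the WAPI authentication server encrypts the currently valid certificate and private key with the session key, generates a notification message carrying the encrypted public key certificate and private key, and sends it to the WAPI terminal;

S708: within the validity period of the subscription, the notification procedure is triggered when a user certificate in the certificate management unit is updated or revoked;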
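S710: after the certificate is updated, the certificate and private key are encrypted with the previously generated session key, and a notification message carrying the encrypted information is generated and sent to the client;

S712: when the certificate is revoked, a notification message is generated whose header field indicates a message length of 0.

The flows shown in Fig. 6 and Fig. 7 correspond to steps S304 to S306 in Fig. 3.

In a specific implementation, the certificate management unit in the WAPI authentication server performs the processing of the WAPI authentication server.

Fig. 8 is a schematic structural diagram of the WAPI authentication server obtaining a WAPI terminal certificate according to an embodiment of the present invention. As shown in Fig. 8, the currently valid public key certificate and private key of the WAPI terminal that the WAPI authentication server (authentication server 1) sends to the WAPI terminal in step S706 above may be stored in advance by that WAPI authentication server, may be obtained by that WAPI authentication server from other public certificate authorities (CA) connected to it through certificate requests or certificate query responses, or may be certificates managed on another WAPI authentication server (authentication server 2) that the WAPI authentication server requests through a higher-level public certificate authority.

Fig. 9 is a flowchart of the SIP signaling of the method for managing WAPI terminal certificates according to an embodiment of the present invention. As shown in Fig. 9, the flow includes the following processing:

Step S902: the WAPI terminal sends a SIP registration request (Register) message to the WAPI authentication server; the Register message carries the first random number generated by the WAPI terminal;

Step S904: the WAPI authentication server returns a registration rejection message (401 message) to the WAPI terminal; the rejection message carries the second random number generated by the WAPI authentication server;

Step S906: the WAPI terminal sends a new Register message to the WAPI authentication server;

Step S908: the WAPI authentication server returns a successful registration response message (200 OK) to the WAPI terminal; once success is confirmed, the WAPI authentication server and the WAPI terminal generate the session key from the first random number and the second random number;

Step S910: the WAPI terminal sends a subscription (Subscribe) message to the WAPI authentication server;

Step S912: the WAPI authentication server returns a success confirmation message (200 OK) to the WAPI terminal;

Step S914: the WAPI authentication server sends a notification (Notify) message to the WAPI terminal; the notification message carries the WAPI terminal's public key certificate and private key encrypted with the session key;

Step S916: the WAPI terminal sends a success confirmation message (200 OK) to the WAPI authentication server.

When the user certificate is revoked or becomes invalid, the following steps may also be included:

Step S918: the WAPI authentication server sends a notification (Notify) message to the WAPI terminal; the body of this message is empty, and the Content-Length header field indicating its length has the value 0;

Step S920: after receiving this Notify message, the WAPI terminal no longer maintains its access-authenticated state but initiates the access authentication process again, and returns a success confirmation message (200 OK) to the WAPI authentication server.

Apparatus Embodiment

According to an embodiment of the present invention, an apparatus for managing WAPI terminal certificates is also provided. The apparatus can be used to implement the method for managing WAPI terminal certificates provided by the method embodiment above.

Fig. 10 is a block diagram of the apparatus for managing WAPI terminal certificates according to an embodiment of the present invention; the apparatus may be located in the WAPI authentication server.

As shown in Fig. 10, the apparatus for managing WAPI terminal certificates according to the embodiment of the present invention includes a negotiation module 110, a receiving module 120, an encryption module 130 and a sending module 140. Specifically:

the negotiation module 110 is configured to negotiate a session key with the WAPI terminal;

the receiving module 120 is connected to the negotiation module 110 and is configured to receive a subscription request message from the WAPI terminal, where the subscription request message is used for a request, other than the first, for the WAPI terminal's public key certificate and private key;

the encryption module 130 is connected to the receiving module 120 and is configured to encrypt the public key certificate and private key with the session key;

the sending module 140 is connected to the encryption module 130 and is configured to send the WAPI terminal a notification message carrying the encrypted public key certificate and private key, for the WAPI terminal to update.

Preferably, the apparatus for managing WAPI terminal certificates is the certificate management unit in the WAPI authentication server.

In a specific implementation, the apparatus provided by the embodiment of the present invention can likewise carry out the processing shown in Figs. 2 to 9; the specific processing is not described again here.

System Embodiment

According to an embodiment of the present invention, a system for managing WAPI terminal certificates is also provided. The system can be used to implement the method for managing WAPI terminal certificates provided by the method embodiment above.

Fig. 11 is a block diagram of the system for managing WAPI terminal certificates according to an embodiment of the present invention. As shown in Fig. 11, the system includes a WAPI authentication server 10 and a WAPI terminal 20, where:

The WAPI authentication server 10 includes:

a first receiving module 120, configured to receive a subscription request message from the WAPI terminal, where the subscription request message is used for a request, other than the first, for the WAPI terminal's public key certificate and private key;

an encryption module 130, connected to the first receiving module 120 and configured to encrypt the public key certificate and private key with the pre-generated session key;

a first sending module 140, connected to the encryption module 130 and configured to send the WAPI terminal a notification message carrying the encrypted public key certificate and private key, for the WAPI terminal to update.

The WAPI terminal 20 includes:

a second sending module 210, configured to send the subscription request message to the WAPI authentication server;

a second receiving module 220, configured to receive from the WAPI authentication server the notification message carrying the encrypted public key certificate and private key;

a decryption module 230, connected to the second receiving module 220 and configured to decrypt the encrypted public key certificate and private key with the pre-generated session key;

an update module 240, connected to the decryption module 230 and configured to update the WAPI terminal's local public key certificate and private key with the decrypted public key certificate and private key.

In a specific implementation, the system provided by the embodiment of the present invention can likewise carry out the processing shown in Figs. 2 to 9; the specific processing is not described again here.

In summary, with the above technical solution of the present invention, a session key is negotiated in advance and used to encrypt the terminal's public key certificate and private key, and the WAPI terminal's public key certificate and private key are sent to the WAPI terminal through the SIP mechanism. This achieves the purpose of updating user certificates online, solves the low processing efficiency caused by applying for certificates and private keys offline, and improves both work efficiency and the user experience.

Obviously, those skilled in the art should understand that the modules or steps of the present invention described above can be implemented by general-purpose computing devices. They can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; alternatively, they can each be fabricated as an individual integrated circuit module, or several of the modules or steps can be fabricated as a single integrated circuit module. The present invention is thus not limited to any specific combination of hardware and software.

The above is only the preferred embodiment of the present invention and is not intended to limit it. For those skilled in the art, the present invention may have various modifications and changes. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.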
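The terminal-side checks of steps S608 to S614 and S918 to S920, as an added Python example that is not part of the patent: a NOTIFY is classified as a revocation (empty body), an encrypted update to be decrypted with the session key, or a message to discard. `cert-event` and `application/cert-info` are the example names given in the description; the function names, the sample messages and the strict Content-Length check are assumptions of this example.

```python
from dataclasses import dataclass

EVENT = "cert-event"                 # example event name given on the page
BODY_TYPE = "application/cert-info"  # example body type given on the page
COMPACT = {"o": "event", "c": "content-type", "l": "content-length"}


@dataclass
class Decision:
    action: str              # "decrypt", "reauthenticate" or "reject"
    reason: str
    ciphertext: bytes = b""


def parse_sip(raw: bytes):
    """Return (start line, headers keyed by lower-case name, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers[COMPACT.get(key, key)] = value.strip()
    return lines[0], headers, body


def media(value: str) -> str:
    """Header value without parameters, lower-cased."""
    return value.split(";", 1)[0].strip().lower()


def handle_notify(raw: bytes) -> Decision:
    start, headers, body = parse_sip(raw)
    if not start.startswith("NOTIFY "):
        return Decision("reject", "not a NOTIFY request")
    if media(headers.get("event", "")) != EVENT:
        return Decision("reject", "Event does not match the subscription")
    try:
        declared = int(headers.get("content-length", ""))
    except ValueError:
        return Decision("reject", "missing or malformed Content-Length")
    if declared != len(body):
        return Decision("reject", "Content-Length disagrees with the body")
    if declared == 0:
        # S614: an empty body signals that the certificate was revoked.
        return Decision("reauthenticate", "subscribed certificate revoked")
    if media(headers.get("content-type", "")) != BODY_TYPE:
        return Decision("reject", "unexpected Content-Type")
    # S610: the body goes on to decryption with the session key.
    return Decision("decrypt", "encrypted certificate and key", body)


def build_notify(body=b"", event=EVENT, ctype=BODY_TYPE, length=None):
    """Constructed sample NOTIFY (not captured traffic)."""
    length = len(body) if length is None else length
    head = ("NOTIFY sip:terminal@wapi.example SIP/2.0\r\n"
            f"Event: {event}\r\nContent-Type: {ctype}\r\n"
            f"Content-Length: {length}\r\n\r\n")
    return head.encode() + body


if __name__ == "__main__":
    for msg in (build_notify(b"\x8a\x01\x7f"), build_notify(),
                build_notify(b"\x8a", length=0)):
        print(handle_notify(msg))
```

A message that declares Content-Length 0 but still carries bytes is rejected rather than read as a revocation, so a malformed update cannot push the terminal into re-authentication.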

Claims

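1. A method for managing WLAN Authentication and Privacy Infrastructure (WAPI) terminal certificates, used to manage the public key certificate of a WAPI terminal on the basis of the Session Initiation Protocol (SIP), characterized in that the method comprises:

a WAPI authentication server and the WAPI terminal negotiating a session key;

the WAPI authentication server receiving a subscription request message from the WAPI terminal, wherein the subscription request message is used for a request, other than the first, for the public key certificate and private key of the WAPI terminal;

the WAPI authentication server sending the WAPI terminal a notification message carrying the encrypted public key certificate and private key, for the WAPI terminal to update, wherein the public key certificate and the private key are encrypted with the session key.

2. The method according to claim 1, characterized in that, before the WAPI authentication server and the WAPI terminal negotiate the session key, the method further comprises:

an access point performing access authentication on the WAPI terminal and, if the WAPI terminal passes authentication, allowing the WAPI authentication server and the WAPI terminal to negotiate the session key.

3. The method according to claim 1, characterized in that the negotiation of the session key between the WAPI authentication server and the WAPI terminal comprises:

the WAPI authentication server receiving a registration request message from the WAPI terminal, wherein the registration request message carries a first random number generated by the WAPI terminal;

the WAPI authentication server sending the WAPI terminal a registration rejection message, wherein the registration rejection message carries a second random number generated by the WAPI authentication server;

the WAPI authentication server receiving a new registration request message from the WAPI terminal and, if registration succeeds, the WAPI authentication server and the WAPI terminal computing the session key from the first random number and the second random number, wherein the session key is obtained by concatenating the second random number with the first random number and hashing the result.

4. The method according to claim 3, characterized in that the first random number sent by the WAPI terminal is encrypted by the WAPI terminal with the public key of the WAPI authentication server.

5. The method according to claim 3, characterized in that the second random number sent by the WAPI authentication server is encrypted by the WAPI authentication server with the public key of the WAPI terminal.

6. The method according to claim 1, characterized in that, after the WAPI authentication server sends the notification message to the WAPI terminal, the method further comprises:

the WAPI terminal receiving the notification message, decrypting the public key certificate and the private key with the session key, and updating the local public key certificate and private key of the WAPI terminal with the decrypted public key certificate and private key.

7. The method according to claim 1, characterized in that, where the public key certificate of the WAPI terminal is illegal or invalid, the WAPI authentication server revokes the public key certificate of the WAPI terminal, which specifically comprises:

the WAPI authentication server sending the WAPI terminal a notification message for revoking the public key certificate of the WAPI terminal, to notify the WAPI terminal to perform access authentication again, wherein the length of the message body of the notification message revoking the public key certificate of the WAPI terminal is configured as 0.

8. The method according to any one of claims 1 to 7, characterized in that, before the WAPI authentication server and the WAPI terminal negotiate the session key, the method further comprises:

the WAPI authentication server requesting the public key certificate and the private key in advance from a public certificate authority, or the WAPI authentication server storing the public key certificate and the private key in advance.

9. An apparatus for managing WAPI terminal certificates, located in a WAPI authentication server, characterized in that the apparatus comprises:

a negotiation module, configured to negotiate a session key with a WAPI terminal;

a receiving module, configured to receive a subscription request message from the WAPI terminal, wherein the subscription request message is used for a request, other than the first, for the public key certificate and private key of the WAPI terminal;

an encryption module, configured to encrypt the public key certificate and the private key with the session key;

a sending module, configured to send the WAPI terminal the notification message carrying the encrypted public key certificate and private key, for the WAPI terminal to update.

10. A system for managing WAPI terminal certificates, characterized in that it comprises a WAPI authentication server and a WAPI terminal, wherein

the WAPI authentication server comprises:

a first receiving module, configured to receive a subscription request message from the WAPI terminal, wherein the subscription request message is used for a request, other than the first, for the public key certificate and private key of the WAPI terminal;

an encryption module, configured to encrypt the public key certificate and the private key with a pre-generated session key;

a first sending module, configured to send the WAPI terminal the notification message carrying the encrypted public key certificate and private key, for the WAPI terminal to update;

and the WAPI terminal comprises:

a second sending module, configured to send the subscription request message to the WAPI authentication server;

a second receiving module, configured to receive from the WAPI authentication server the notification message carrying the encrypted public key certificate and private key;

a decryption module, configured to decrypt the encrypted public key certificate and private key with the pre-generated session key;

an update module, configured to update the local public key certificate and private key of the WAPI terminal with the decrypted public key certificate and private key.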
PCT/CN2009/072692 2009-02-11 2009-07-08 Method, apparatus and system for managing WAPI terminal certificates WO2010091563A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910006284.4 2009-02-11
CN2009100062844A CN101483866B (zh) 2009-02-11 2009-02-11 Method, apparatus and system for managing WAPI terminal certificates

Publications (1)

Publication Number Publication Date
WO2010091563A1 true WO2010091563A1 (zh) 2010-08-19

Family

ID=40880753

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/072692 WO2010091563A1 (zh) 2009-02-11 2009-07-08 Method, apparatus and system for managing WAPI terminal certificates

Country Status (2)

Country Link
CN (1) CN101483866B (zh)
WO (1) WO2010091563A1 (zh)

Also Published As

Publication number Publication date
CN101483866A (zh) 2009-07-15
CN101483866B (zh) 2011-03-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09839886

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09839886

Country of ref document: EP

Kind code of ref document: A1