WO2010133073A1 - Method for obtaining certificate status information and certificate status management system - Google Patents

Method for obtaining certificate status information and certificate status management system

Info

Publication number
WO2010133073A1
Authority
WO
WIPO (PCT)
Prior art keywords
certificate
module
terminal
authentication server
status
Application number
PCT/CN2009/075526
Other languages
English (en)
Chinese (zh)
Inventor
康望星
施元庆
梁洁辉
Original Assignee
中兴通讯股份有限公司


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 ... for authentication of entities > H04L 63/0823 ... using certificates
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication > H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/08 Access security > H04W 12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/10 ... for controlling access to devices or network resources > H04L 63/101 Access control lists [ACL]

Definitions

  • The present invention relates to the field of wireless local area network communication, and in particular to a method for acquiring status information of a wireless local area network authentication and privacy infrastructure (WAPI, WLAN Authentication and Privacy Infrastructure) certificate, and to a certificate status management system.
  • WAPI is a wireless LAN security standard built on the IEEE (Institute of Electrical and Electronics Engineers) 802.11 wireless protocol.
  • The WAPI protocol consists of two parts: the WLAN Authentication Infrastructure (WAI) and the WLAN Privacy Infrastructure (WPI).
  • WAI is the security solution for wireless LAN identity authentication and key management.
  • WPI is the security solution for protecting wireless LAN data transmission, covering data encryption, data authentication and replay protection.
  • A typical WAPI system consists mainly of an Authenticator Entity (AE), an Authentication Supplicant Entity (ASUE) and an Authentication Service Entity (ASE).
  • The authentication supplicant entity is the entity that requests authentication before accessing the wireless local area network; it resides in a wireless station (STA), which may also be called a terminal. The authenticator entity performs identity authentication of the supplicant before it accesses the wireless local area network, and generally resides in an access point (AP) or in a STA. The authentication service entity provides the certificate authentication service for the authenticator entity and the authentication supplicant entity, and generally resides in an Authentication Service Unit (ASU), which may also be called an authentication server.
  • Before a terminal accesses a WAPI wireless LAN, it first completes 802.11 link negotiation with the AP.
  • The AP then triggers the WAI identity authentication and key management process for the terminal and, together with the authentication server, completes mutual identity authentication with the terminal.
  • The AP then negotiates a session key with the terminal and uses the negotiated session key to provide WPI-based link layer encryption and decryption services for the terminal.
  • There are two types of WAI authentication and key management: certificate-based and pre-shared-key-based.
  • In certificate-based WAI, the STA hosting the authentication supplicant entity carries its WAPI certificate in the access authentication request, and the authenticator entity (usually the AP) decides, according to information in the access authentication request or local policy, whether to verify the certificate locally or to have the authentication server verify it; this completes the authenticator entity's identity authentication of the supplicant.
  • When certificate-based authentication and key management is used, WAPI builds a public key infrastructure (PKI) in the wireless LAN, in which the authentication server plays the role of the certificate authority (CA).
  • When X.509 v3 certificates are used as WAPI certificates, the authentication server must also provide certificate application and issuance, periodic publication of the certificate revocation list, and handling of user certificate revocation.
  • Application for and revocation of a WAPI certificate, and delivery of the corresponding private key, are performed offline or out of band, so that they cannot be stolen or tampered with in transit.
  • A WAPI certificate becomes invalid when its validity period expires, and the user must renew it actively and offline. However, because the user cannot know when the certificate will become invalid, and cannot actively check the certificate's status, the user learns that the certificate is invalid only after access authentication fails, and only then renews it.

Summary of the invention
  • The technical problem solved by the present invention is to overcome these deficiencies of the prior art by providing a method for acquiring certificate status information and a certificate status management system, so that a terminal can obtain the status information of its WAPI certificate in time and act on it promptly, for example by renewing the WAPI certificate.
  • The present invention provides a method for obtaining certificate status information, which includes:
  • The terminal sends to the authentication server of the wireless local area network a subscription request for status information of its wireless local area network authentication and privacy infrastructure (WAPI) certificate, requesting the status information of the terminal's WAPI certificate.
  • After the authentication server receives the subscription request and determines that the terminal has the right to obtain the status information of the WAPI certificate, it queries the status information of the WAPI certificate at the time the subscription request is received, includes it in a notification message and sends it to the terminal; and/or, during the validity period of the subscription, whenever the status of the WAPI certificate changes, it includes the status information of the WAPI certificate in a notification message and sends it to the terminal.
  • The WAPI certificate includes acquisition mode indication information and address information of the authentication server.
  • The terminal sends the subscription request to the authentication server using the status information acquisition mode specified by the acquisition mode indication information and the address information.
  • The status information acquisition mode includes Session Initiation Protocol (SIP) signalling and/or short message.
  • When the SIP signalling mode is used, the address information of the authentication server is the SIP address and port number of the authentication server; the terminal registers with the authentication server using that SIP address and port number and, once registration succeeds, sends the subscription request in SIP signalling.
  • The authentication server sends the notification message containing the status information to the terminal in SIP signalling or as a short message.
  • The terminal registers with the authentication server as follows:
  • After receiving the registration request message, the authentication server returns a SIP 401 response message to the terminal; the response message contains an authentication field.
  • After receiving the 401 response message, the terminal computes authentication information from the authentication field, includes that authentication information in a SIP registration request message and sends it to the authentication server.
  • The authentication server determines from the received authentication information whether the terminal is authenticated. If authentication succeeds, it returns a response message indicating that the terminal is registered; otherwise it returns a registration failure response message to the terminal.
  • When the short message mode is used, the address information of the authentication server is the short message receiving number of the authentication server.
  • The terminal sends the subscription request to the authentication server as a short message to that short message receiving number, and the authentication server sends the notification message containing the status information to the terminal as a short message.
  • The present invention also provides a certificate status management system comprising a terminal, a communication platform and an authentication server, wherein:
  • the terminal is configured to send, through the communication platform, a subscription request for status information of a WAPI certificate to the authentication server, requesting the status information of the terminal's WAPI certificate;
  • the authentication server is configured to receive the subscription request and, when it determines that the terminal has the right to obtain the status information of the WAPI certificate, to include the status information of the WAPI certificate queried at the time the subscription request is received in a notification message and send it to the terminal through the communication platform, and/or, during the validity period of the subscription, whenever the status of the WAPI certificate changes, to include the status information of the WAPI certificate in a notification message and send it to the terminal through the communication platform;
  • the communication platform is configured to carry the information exchange between the terminal and the authentication server.
  • The terminal includes a certificate status obtaining module and a first communication module:
  • the certificate status obtaining module is configured to send the subscription request for WAPI certificate status information through the first communication module;
  • the first communication module is configured to send the subscription request to the authentication server through the communication platform, and further to receive the notification message sent by the authentication server through the communication platform and forward it to the certificate status obtaining module.
  • The authentication server includes a certificate status management module and a second communication module:
  • the second communication module is configured to receive the subscription request sent by the first communication module through the communication platform and forward it to the certificate status management module;
  • the certificate status management module is configured, after receiving the subscription request, to determine whether the terminal has the right to obtain the status information of the WAPI certificate and, when it does, to include the status information of the WAPI certificate queried at the time the subscription request is received in a notification message and send it to the certificate status obtaining module via the second communication module, the communication platform and the first communication module, and/or, during the validity period of the subscription, whenever the status of the WAPI certificate changes, to include the status information of the WAPI certificate in a notification message and send it to the certificate status obtaining module via the second communication module, the communication platform and the first communication module.
  • In the short message case, the first communication module further includes a first short message sub-module, the second communication module further includes a second short message sub-module, and the communication platform includes a short message centre;
  • the certificate status obtaining module sends the subscription request as a short message to the certificate status management module via the first short message sub-module, the short message centre and the second short message sub-module;
  • the certificate status management module sends the notification message to the certificate status obtaining module via the second short message sub-module, the short message centre and the first short message sub-module.
  • In the SIP case, the first communication module further includes a first SIP sub-module, the second communication module further includes a second SIP sub-module, and the communication platform includes an access point (AP); the certificate status obtaining module sends the subscription request in SIP signalling to the certificate status management module via, in order, the first SIP sub-module, the AP and the second SIP sub-module; the certificate status management module sends the notification message in SIP signalling to the certificate status obtaining module via, in order, the second SIP sub-module, the AP and the first SIP sub-module.
  • In the mixed case, the certificate status obtaining module sends the subscription request in SIP signalling to the certificate status management module via the first SIP sub-module, the AP and the second SIP sub-module, and the certificate status management module sends the notification message as a short message to the certificate status obtaining module via the second short message sub-module, the short message centre and the first short message sub-module.
  • By initiating a subscription to the status information of its WAPI certificate, the terminal of the present invention obtains that status information actively and in real time, and can renew the certificate or take other action in time according to the certificate status information, which is convenient for the user.
  • FIG. 1 is a schematic diagram of the certificate status management structure of a WAPI certificate according to an embodiment of the present invention.
  • FIG. 2 is a schematic structural diagram of the status management system of an embodiment of the present invention.
  • FIG. 3 is a flow chart of the status acquisition method of the first embodiment of the present invention.
  • FIG. 4 is a schematic diagram of the data structure of the status information of an exemplary embodiment of the present invention.
  • FIG. 5 is a flow chart of the status acquisition method of the second embodiment of the present invention.

Detailed description
  • In the present invention, the terminal sends a certificate status subscription request to the authentication server to obtain status information of its WAPI certificate; after receiving the certificate status subscription request, the authentication server sends the status information of the terminal's WAPI certificate to the terminal in a notification message.
  • The invention adds a certificate status management structure to the extension field of the WAPI certificate issued to the user.
  • The certificate status management structure includes a certificate status management identifier, a status acquisition mode and address information, where:
  • the certificate status management identifier field indicates whether the WAPI certificate supports status management, that is, whether status information of the WAPI certificate can be obtained. For example, when the identifier value is 1 the terminal can obtain the status information of the WAPI certificate, and otherwise the status information of the WAPI certificate cannot be obtained;
  • the status acquisition mode field carries the acquisition mode indication information, which indicates how the status information of the WAPI certificate can be obtained. For example, a field value of 0 indicates that the status information of the WAPI certificate can be obtained by short message; a value of 1 indicates that it can be obtained by Session Initiation Protocol (SIP) signalling; and a value of 2 indicates that both acquisition modes are supported at the same time. If further ways of obtaining the status information of the WAPI certificate exist, the values of this field can be extended;
  • the address information field indicates the address used to obtain the status information of the WAPI certificate:
  • for the short message mode, the short message receiving number of the authentication server is stored in the address information field;
  • for the SIP mode, the SIP address and port number of the authentication server are stored in the address information field. If several acquisition modes are supported at the same time, the address information field must contain the address information corresponding to each of them.
  • FIG. 2 is a schematic structural diagram of the status management system of an embodiment of the present invention; as shown in FIG. 2, the system includes a terminal, a communication platform and an authentication server.
  • The terminal is configured to send, through the communication platform, a subscription request for status information of the WAPI certificate to the authentication server, requesting the status information of the terminal's WAPI certificate.
  • The authentication server is configured to receive the subscription request and, when it determines that the terminal has the right to obtain the status information of the WAPI certificate, to include the status information of the WAPI certificate queried at the time the subscription request is received in a notification message and send it to the terminal through the communication platform, and/or, during the validity period of the subscription, whenever the status of the WAPI certificate changes, to include the status information of the WAPI certificate in a notification message and send it to the terminal through the communication platform.
  • The communication platform is configured to carry the information exchange between the terminal and the authentication server.
  • The terminal is provided with a certificate status obtaining module and a first communication module; to support the different ways of obtaining certificate status information, the first communication module may include a first short message sub-module and a first SIP sub-module.
  • The certificate status obtaining module is configured to learn, from the certificate status management structure of the WAPI certificate, whether certificate status information can be obtained, the mode in which it is obtained, and the address information needed to obtain it; to send a subscription request for the certificate status information to the authentication server through the first short message sub-module or the first SIP sub-module; and, after receiving through the first short message sub-module or the first SIP sub-module the notification message sent by the authentication server, to parse the certificate status information of the WAPI certificate out of the notification message and act on it accordingly.
  • The certificate status obtaining module may choose the mode in which it obtains the certificate status information according to whether the terminal is equipped with the first SIP sub-module and the first short message sub-module, and according to the terminal's default priority.
  • When the SIP signalling mode is used, the certificate status obtaining module must first register with the authentication server through the first SIP sub-module, and sends the subscription request only after registration succeeds.
  • The authentication server is provided with a certificate status management module and a second communication module.
  • The second communication module may include a second short message sub-module and a second SIP sub-module.
  • The certificate status management module is configured to receive, through the second short message sub-module or the second SIP sub-module, the subscription request for certificate status information sent by the terminal, to determine whether that terminal has the right to send the subscription request and, if it does, to include the corresponding certificate status information in a notification message and send it to the terminal through the second short message sub-module or the second SIP sub-module.
  • Before it can receive a subscription request sent by the terminal in SIP signalling, the authentication server must also process the registration request sent by the terminal to complete the terminal's registration.
  • The communication platform may include an AP and/or a short message centre, configured to exchange information between the terminal and the authentication server:
  • the AP carries the SIP signalling exchange between the first SIP sub-module and the second SIP sub-module;
  • the short message centre carries the short message exchange between the first short message sub-module and the second short message sub-module.
  • The interaction between the certificate status obtaining module and the certificate status management module may take one of the following three forms:
  • the certificate status obtaining module uses the short message mode and sends the subscription request to the certificate status management module via, in order, the first short message sub-module, the short message centre and the second short message sub-module; the certificate status management module uses the short message mode and sends the notification message to the certificate status obtaining module via, in order, the second short message sub-module, the short message centre and the first short message sub-module;
  • the certificate status obtaining module uses SIP signalling and sends the subscription request to the certificate status management module via, in order, the first SIP sub-module, the AP and the second SIP sub-module; the certificate status management module uses SIP signalling and sends the notification message to the certificate status obtaining module via, in order, the second SIP sub-module, the AP and the first SIP sub-module;
  • the certificate status obtaining module uses SIP signalling and sends the subscription request to the certificate status management module via, in order, the first SIP sub-module, the AP and the second SIP sub-module; the certificate status management module uses the short message mode and sends the notification message to the certificate status obtaining module via, in order, the second short message sub-module, the short message centre and the first short message sub-module.
  • FIG. 3 is a flow chart of the status acquisition method of the first embodiment of the present invention.
  • In this embodiment the terminal obtains the status information of the WAPI certificate, referred to below as certificate status information, using SIP signalling.
  • The method includes:
  • Step 301: The terminal parses the certificate status management structure in the WAPI certificate. From the certificate status management identifier field of the structure it learns that certificate status information can be obtained for the WAPI certificate; from the status acquisition mode field it learns that the certificate status information can be obtained in SIP signalling; and from the address information field it obtains the SIP address and port number needed to obtain the certificate status information.
  • Step 302: When certificate status information is obtained in SIP signalling, the terminal must first register with the authentication server. Therefore, after completing WAPI identity authentication and successfully accessing the wireless local area network, the terminal uses the SIP address and port number to send a SIP registration request (REGISTER) message to the authentication server over the wireless local area network through the AP.
  • Step 303: After receiving the registration request message, the authentication server returns a 401 response message to the terminal over the wireless local area network, requesting the user to authenticate at the service layer.
  • The 401 response message contains an authentication field, whose value may be a random number generated by the authentication server.
  • Step 304: After receiving the 401 response message, the terminal computes the corresponding authentication information from the authentication field contained in the message, includes the authentication information in a SIP registration request message and sends it to the authentication server over the wireless local area network.
  • Step 305: After receiving the registration request message containing the authentication information, the authentication server determines from that authentication information whether the user is authenticated. If user authentication succeeds, it returns a SIP 200 OK message to the terminal over the wireless local area network, indicating that the terminal is registered. If user authentication fails, it returns a registration failure response message (not shown) to the terminal over the wireless local area network, and the process ends.
  • Step 306: After registration succeeds, the terminal sends a subscription request for certificate status information to the authentication server over the wireless local area network, for example a SIP subscription (SUBSCRIBE) request; a fragment of the request message is as follows:
  • In the request, the Accept field names the format of the status information the terminal accepts, application/cert-status; the Expires field indicates the validity duration of this subscription; and the Event field indicates the event type of this subscription. The values of these three fields can be defined as required.
  • Step 307: After receiving the subscription request message, the authentication server looks up the corresponding user information according to the user account contained in the message, that is, the "username" in the request line of the SIP message, to determine whether that user has activated the certificate status management service, that is, whether the user has the right to subscribe to and acquire certificate status information. If the user has not activated the certificate status management service, a subscription failure response message (not shown) is returned to the terminal over the wireless local area network and the process ends; if the user has activated the certificate status management service, a SIP 200 OK message is returned to the terminal over the wireless local area network, indicating that the user's subscription request is accepted, that is, the subscription succeeds.
  • Step 308: After accepting the subscription request from the terminal user, the authentication server returns a SIP NOTIFY message to the terminal to notify the user of the current certificate status; a fragment of the notification message is as follows:
  • Subscription-Status: active
  • Content-Type: application/cert-status
  • In the NOTIFY message, the Event field is the same as the Event field in the subscription request message; the Content-Type field is the same as the Accept field in the subscription request; the Content-Length field indicates the length of the NOTIFY message body; and the Subscription-Status field indicates the subscription status corresponding to the NOTIFY message: if its value is "active" the corresponding subscription is still valid, otherwise the corresponding subscription is no longer valid and this NOTIFY message is the last notification message of that subscription.
  • the status information of the certificate is included in the message body of the NOTIFY message.
  • the certificate status information can include: a certificate identifier (ID), a current status of the certificate, a certificate validity period, a certificate authority, and an extension field.
  • the current status of the certificate can be divided into: valid, expired, and soon to expire.
  • the message body of the above NOTIFY message only contains the certificate ID: 12345678 and the current status of the certificate: active.
  • Step 309: After receiving the NOTIFY message, the terminal extracts and parses the certificate status information contained in the message body. If the certificate status information indicates that the WAPI certificate is about to expire, the user is prompted to update the WAPI certificate in time; if the status information indicates that the WAPI certificate has expired, the terminal disconnects the current wireless LAN communication link and re-accesses the wireless LAN after the certificate has been updated.
  • Within the validity period of the subscription, whenever the certificate status changes, the authentication server sends a NOTIFY message containing the certificate status information to the terminal.
  • The certificate status information may contain only the status information that has changed. For example, when the validity period of a WAPI certificate is extended or shortened, the authentication server can send only the changed certificate validity period to the terminal.
  • FIG. 5 is a flowchart of the certificate status acquisition method of the second embodiment of the present invention, in which the terminal acquires certificate status information by short message. The method includes:
  • Step 501: The terminal parses the certificate status management structure in the WAPI certificate; from the certificate status management identifier field of the structure it determines that status information can be obtained for the certificate, from the status acquisition mode field it determines that the certificate status information is obtained by short message, and from the address information field it obtains the short message receiving number of the authentication server.
  • Step 502: Using the short message receiving number of the authentication server, the terminal sends a short message subscribing to the certificate status information to the authentication server through the short message center.
  • Step 503: After receiving the short message subscribing to the certificate status information, the authentication server first looks up the corresponding user information according to the sender number of the short message, to determine whether that user has opened the certificate status management service, that is, whether the user has the right to subscribe to/acquire certificate status information. If the user has not opened the certificate status management service, a short message (not shown) carrying a subscription-failure response is sent to the terminal through the short message center, and the process ends; if the user has opened the certificate status management service, a short message carrying a subscription-success response is sent to the terminal through the short message center.
  • Step 504: The authentication server queries the status information of the corresponding user's WAPI certificate, includes it in a short message, and sends it to the terminal through the short message center.
  • The certificate status information may also adopt the data format shown in FIG.
  • Step 505 After receiving the short message including the certificate status information, the terminal parses the status information of the certificate from the short message. If the status information indicates that the WAPI certificate is about to expire or has expired, the terminal prompts the user to update the certificate in time.
  • Whenever the certificate status changes during the subscription period, the authentication server sends a short message containing the certificate status information to the terminal.
  • The foregoing embodiments may also be varied in several ways, for example: the terminal sends the subscription request by SIP signaling, and the authentication server sends the notification message containing the certificate status information to the terminal by short message.
  • In that case, the authentication server needs to store in advance the short message receiving number corresponding to the user/terminal.
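The NOTIFY exchange of the first embodiment, worked through as an added example that is not the patent's own code: the authentication server wraps the certificate status information (certificate ID and current status, as in Step 308) in a NOTIFY, and the terminal validates the headers named above and maps the status to the Step 309/505 reaction. The key: value body encoding, the status strings and the SIP URI are assumptions, since the page names the fields but not their wire encoding; the same body is what the short-message variant would carry.

```python
# Added example (not the patent's own code). Header names follow the
# description above; the key: value body layout, the status strings and
# the SIP URI are assumptions made for this example.
CONTENT_TYPE = "application/cert-status"   # Accept / Content-Type value
CRLF = "\r\n"

def build_notify(cert_id: str, cert_status: str, active: bool = True) -> str:
    """Authentication server: carry certificate status info in a NOTIFY."""
    body = f"Certificate-ID: {cert_id}{CRLF}Status: {cert_status}{CRLF}"
    headers = [
        "NOTIFY sip:terminal@example.invalid SIP/2.0",   # constructed URI
        "Event: cert-status",                             # same as SUBSCRIBE
        "Subscription-Status: " + ("active" if active else "terminated"),
        f"Content-Type: {CONTENT_TYPE}",
        f"Content-Length: {len(body.encode())}",
    ]
    return CRLF.join(headers) + CRLF + CRLF + body

def parse_notify(raw: str) -> dict:
    """Terminal: check the headers, then extract the certificate status."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no header/body separator")
    headers = {}
    for line in head.split(CRLF)[1:]:            # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("content-type") != CONTENT_TYPE:
        raise ValueError("Content-Type does not match the Accept field")
    if int(headers.get("content-length", "-1")) != len(body.encode()):
        raise ValueError("Content-Length does not match the body")
    cert = {}
    for line in filter(None, body.split(CRLF)):
        key, _, value = line.partition(":")
        cert[key.strip().lower()] = value.strip()
    return {"active": headers.get("subscription-status") == "active",
            "cert_id": cert.get("certificate-id"),
            "status": cert.get("status", "").lower()}

def terminal_action(status: str) -> str:
    """Step 309: expired -> drop the WLAN link; about to expire -> prompt."""
    return {"expired": "disconnect",
            "soon to expire": "prompt-update",
            "active": "none"}.get(status, "unknown")

if __name__ == "__main__":
    info = parse_notify(build_notify("12345678", "active"))
    print(info, terminal_action(info["status"]))
```

A subscription whose NOTIFY carries a Subscription-Status other than "active" is reported as `active: False`, which by the text above means that NOTIFY is the last one for the subscription.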

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method for obtaining certificate status information, the method comprising the following steps: a terminal sends a certificate status subscription request to an authentication server in order to obtain the certificate status information of a wireless LAN authentication and privacy infrastructure (WAPI) certificate; when the authentication server has received the certificate status subscription request, the terminal's WAPI certificate status information is included in a notification message and sent to the terminal; and/or, within the validity period of the subscription, the corresponding status information is included in a notification message and sent to the terminal when the terminal's WAPI certificate status changes. The invention also relates to a certificate status management system. With the method and system of the invention, the terminal can obtain WAPI certificate status information actively and in real time, and perform operations such as updating the certificate in time according to the certificate status information, thus offering convenience to users.
PCT/CN2009/075526 2009-05-19 2009-12-11 Procédé d'obtention d'informations d'état de certificat et système de gestion d'état de certificat WO2010133073A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2009101405004A CN101568116B (zh) 2009-05-19 2009-05-19 一种证书状态信息的获取方法及证书状态管理系统
CN200910140500.4 2009-05-19

Publications (1)

Publication Number Publication Date
WO2010133073A1 true WO2010133073A1 (fr) 2010-11-25

Family

ID=41284004

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/075526 WO2010133073A1 (fr) 2009-05-19 2009-12-11 Procédé d'obtention d'informations d'état de certificat et système de gestion d'état de certificat

Country Status (2)

Country Link
CN (1) CN101568116B (fr)
WO (1) WO2010133073A1 (fr)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101568116B (zh) * 2009-05-19 2011-03-02 中兴通讯股份有限公司 一种证书状态信息的获取方法及证书状态管理系统
CN101895884B (zh) * 2010-06-29 2012-12-12 北京星网锐捷网络技术有限公司 一种wapi证书更新的方法、系统及装置
CN102131185A (zh) * 2011-03-16 2011-07-20 宇龙计算机通信科技(深圳)有限公司 Wapi授权证书更新的方法及装置
US9338159B2 (en) * 2012-03-19 2016-05-10 Nokia Technologies Oy Method and apparatus for sharing wireless network subscription services
CN107766716B (zh) * 2016-08-16 2021-08-31 阿里巴巴集团控股有限公司 证书检测方法及装置、电子设备

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1672380A (zh) * 2002-03-20 2005-09-21 捷讯研究有限公司 用于检验数字证书状态的系统和方法
CN1700649A (zh) * 2004-05-17 2005-11-23 华为技术有限公司 一种基于无线局域网鉴别与保密基础结构证书的计费方法
WO2009052637A1 (fr) * 2007-10-25 2009-04-30 Research In Motion Limited Gestion de certificat avec indication des conséquences
CN101568116A (zh) * 2009-05-19 2009-10-28 中兴通讯股份有限公司 一种证书状态信息的获取方法及证书状态管理系统

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1953445A (zh) * 2005-10-21 2007-04-25 北京中电华大电子设计有限责任公司 解决wapi中证书吊销安全问题的方法和装置
CN1805441B (zh) * 2005-11-23 2011-01-05 西安电子科技大学 Wlan网络集成认证体系结构及实现结构层的方法
CN101282215A (zh) * 2008-05-29 2008-10-08 杭州华三通信技术有限公司 证书鉴别方法和设备

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1672380A (zh) * 2002-03-20 2005-09-21 捷讯研究有限公司 用于检验数字证书状态的系统和方法
CN1700649A (zh) * 2004-05-17 2005-11-23 华为技术有限公司 一种基于无线局域网鉴别与保密基础结构证书的计费方法
WO2009052637A1 (fr) * 2007-10-25 2009-04-30 Research In Motion Limited Gestion de certificat avec indication des conséquences
CN101568116A (zh) * 2009-05-19 2009-10-28 中兴通讯股份有限公司 一种证书状态信息的获取方法及证书状态管理系统

Also Published As

Publication number Publication date
CN101568116A (zh) 2009-10-28
CN101568116B (zh) 2011-03-02

Similar Documents

Publication Publication Date Title
US8468353B2 (en) Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network
EP1713289B1 (fr) Pprocédé d'etablissement d'une association de securité entre l'abonne itinerant et le serveur du réseau visité
KR101819556B1 (ko) 클라우드 컴퓨팅 시스템에서 패밀리 클라우드를 지원하기 위한 장치 및 방법
US8555345B2 (en) User authentication and authorisation in a communications system
JP5143125B2 (ja) ドメイン間情報通信のための認証方法、システム、およびその装置
US8769647B2 (en) Method and system for accessing 3rd generation network
JP4768720B2 (ja) ネットワークにアクセスするユーザ端末に対してジェネリック認証アーキテクチャーを応用して管理する方法及びシステム
US20140007207A1 (en) Method and device for generating local interface key
WO2019017837A1 (fr) Procédé de gestion de sécurité de réseau et appareil
US20110320802A1 (en) Authentication method, key distribution method and authentication and key distribution method
WO2011020274A1 (fr) Procédé et système de commande d'accès de sécurité pour réseau local filaire
WO2010111964A1 (fr) Procédé, dispositif, entité de réseau et système de communication pour sélectionner et traiter un algorithme de sécurité
WO2010081313A1 (fr) Procédé et système de gestion de la sécurité pour un terminal wapi accédant à un réseau ims
US20110035592A1 (en) Authentication method selection using a home enhanced node b profile
WO2020253736A1 (fr) Procédé, appareil et système d'authentification
WO2008000192A1 (fr) Procédé d'accès au réseau de terminaux, système d'accès au réseau et équipement de passerelle
WO2007097101A1 (fr) Systeme d'acces radio et procede d'acces radio
WO2010127539A1 (fr) Procédé et système pour l'authentification de l'accès à un service multimédia à diffusion en flux
WO2010133073A1 (fr) Procédé d'obtention d'informations d'état de certificat et système de gestion d'état de certificat
US9143482B1 (en) Tokenized authentication across wireless communication networks
WO2007147354A1 (fr) Procédé et système pour extraire une clé de messagerie instantanée
WO2011063658A1 (fr) Procédé et système d'authentification de sécurité unifiée
WO2011050660A1 (fr) Procédé et équipement d'accès
WO2010124490A1 (fr) Procédé et système d'obtention de certificat d'infrastructure d'authentification et de confidentialité de réseau local sans fil
WO2010102497A1 (fr) Procédé d'authentification d'itinérance et d'autorisation de service basé sur une infrastructure d'authentification de réseau local sans fil et de sécurité (wapi)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09844825

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09844825

Country of ref document: EP

Kind code of ref document: A1