WO2011009268A1 - WAPI (WLAN Authentication and Privacy Infrastructure)-based authentication system and method - Google Patents


Info

Publication number
WO2011009268A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
certificate
access point
mobile terminal
access
Prior art date
Application number
PCT/CN2009/075687
Other languages
French (fr)
Chinese (zh)
Inventor
周伟
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Priority to CN200910160652.0 (CN101610515A)
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)
Publication of WO2011009268A1


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L 63/0823: Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using certificates
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements, e.g. access security or fraud detection; Authentication, e.g. verifying user identity or authorisation; Protecting privacy or anonymity; Protecting confidentiality; Key management; Integrity; Mobile application security; Using identity modules; Secure pairing of devices; Context aware security; Lawful interception
    • H04W 12/06: Authentication
    • H04W 12/0609: Authentication using certificates or pre-shared keys

Abstract

A WAPI (WLAN Authentication and Privacy Infrastructure)-based authentication system and method are provided by the present invention. The method includes the following steps: when certificate authentication is performed between an access point and a mobile terminal, the access point selects one or more authentication servers to perform the authentication of the certificate. With the technical solution of the present invention, certificate authentication can be performed by flexibly selecting a single authentication server or a plurality of authentication servers according to the actual situation, and the access point selects the authentication servers that participate in the certificate authentication according to a current usage table of the authentication servers that the access point maintains. Authentication by a plurality of authentication servers overcomes the disadvantages of authentication by a single authentication server, an authentication server that behaves deceptively can be detected effectively, and the efficiency of authentication is improved.

Description

WAPI-based authentication system and method

The present invention relates to wireless LAN authentication and privacy infrastructure technology, and in particular to a WAPI-based authentication system and method.

Background

WAPI is a security protocol applied to WLANs (Wireless Local Area Networks). It is a standard based on technology proposed by China, which addresses the existing vulnerabilities and hidden dangers of wireless LAN security mechanisms.

The WAPI security mechanism consists of two parts: WAI (WLAN Authentication Infrastructure) and WPI (WLAN Privacy Infrastructure). WAI authenticates the user's identity, ensuring that legitimate users access a legitimate network; WPI encrypts the transmitted data, ensuring the confidentiality of the communication. WAI uses a public-key cryptosystem with digital certificates to perform mutual authentication between the MT (Mobile Terminal) and the AP (Access Point) of the WLAN system. WAI defines an entity called the ASU (Authentication Service Unit), which manages the certificates required by the parties involved in the information exchange, including the generation, issuance, revocation and update of certificates. The certificate is the digital identity credential of a network device such as the terminal MT, and its contents are signed with the WAPI-specific elliptic curve digital signature algorithm.

The specific implementation of the WAPI protocol includes the following processes:

(1) Authentication activation: when the MT logs in to the AP, the AP sends an authentication activation message to the MT to start the authentication process.

(2) Access authentication request: the MT sends an access authentication request to the AP, carrying its own certificate and the access authentication request time.

(3) Certificate authentication request: after receiving the MT's access authentication request, the AP sends a certificate authentication request to the ASU. The MT certificate, the access authentication request time and the AP certificate, together with the AP's signature over this certificate authentication request information made with the AP private key, are sent to the ASU.

(4) Certificate authentication response: after receiving the AP's certificate authentication request, the ASU verifies the AP's signature and the legality of the AP and MT certificates. When the verification is complete, the ASU forms the MT certificate authentication result information (including the MT certificate, the authentication result, the access authentication request time and the ASU's signature over these) and the AP certificate authentication result information (including the AP certificate, the authentication result, the access authentication request time and the ASU's signature over these), and sends them back to the AP in a certificate authentication response message.

(5) Access authentication response: the AP verifies the certificate authentication response returned by the ASU and obtains the MT certificate authentication result. The AP then combines the MT certificate authentication result information, the AP certificate authentication result information and the AP's signature into an access authentication response message and sends it to the MT. After the MT verifies the ASU's signature, it obtains the AP certificate authentication result and decides whether to access the AP according to that result.

(6) Key negotiation: after the MT and the AP have both authenticated successfully, the two parties perform key negotiation and then communicate using the negotiated key.

WAPI adopts centralized management: the validity verification of certificates is completed by a single ASU, which also acts as the authoritative center that issues, revokes and manages the certificates of entities such as the MT and the AP. This design does not consider that the ASU may behave deceptively, nor that the ASU may become a bottleneck of the system. In the prior art, certificate authentication is performed by a single ASU, and in one authentication process the ASU has to perform 3 signature verifications and 2 signatures, so with a large number of MTs it becomes a bottleneck for system authentication. If the ASU is controlled by an attacker or otherwise becomes untrustworthy, it can let an illegal MT pass authentication and access the network while a legitimate MT cannot access the network; if the ASU returns malicious authentication responses, no MT can access the network at all and the network is paralysed.

Summary of the invention

 The technical problem to be solved by the present invention is to provide a WAPI-based authentication system and method, which improves the security and efficiency of the WAPI authentication mechanism.

In order to solve the above problem, the present invention provides an authentication method based on a wireless local area network authentication and privacy infrastructure, including: when certificate authentication is performed between an access point and a mobile terminal, the access point selects one or more authentication servers to complete the authentication of the certificate.

Further, the access point stores an authentication server current usage table, which records the current load status of each authentication server and whether it is available;

 The access point selects one or more authentication servers having the smallest current load from the available authentication servers to complete the authentication of the certificate.

Further, when the access point selects multiple authentication servers to complete the authentication of the certificate, the access point sends the certificate authentication request message to each selected authentication server, and each authentication server authenticates the certificate of the mobile terminal and forms a certificate authentication response message that is sent to the access point;

The access point performs signature verification on each received certificate authentication response message and obtains each authentication server's authentication result for the mobile terminal certificate. If at least one of the authentication servers' authentication results for the mobile terminal certificate is correct, the mobile terminal is allowed to access the access point; if none of the authentication servers' authentication results for the mobile terminal certificate is correct, the mobile terminal is not allowed to access the access point.

Further, the method for determining whether an authentication server's authentication result for the mobile terminal certificate is correct is: if all authentication servers have the same certificate authentication result for the mobile terminal, each authentication server's authentication result for the mobile terminal certificate is considered correct; if the results are inconsistent, spoofing behavior is considered to exist, the access point sends each authentication server's authentication result for the mobile terminal certificate to the trusted center, and the trusted center verifies each authentication server's authentication result for the mobile terminal certificate, detects the authentication server with the spoofing behavior and notifies the access point.

Further, the access point forms an access authentication response message from the mobile terminal certificate authentication result information and the access point certificate authentication result information generated by the authentication servers without fraudulent behavior, together with the access point's signature over the mobile terminal certificate authentication result information and the access point certificate authentication result information, and sends the access authentication response message to the mobile terminal; after receiving the access authentication response message, the mobile terminal verifies the signature of the access point and the signature of the authentication server in the message, obtains the certificate verification result of the access point, and determines whether the authentication result of the access point certificate is correct; if so, it decides to access the access point, otherwise it does not access the access point.

Further, the access point divides mobile terminals into security levels according to the number of authentication servers, the number of security levels being equal to the number of authentication servers; when selecting the authentication servers that perform certificate authentication, the access point selects the number of authentication servers that complete the certificate authentication according to the security level of the mobile terminal: when the security level of the mobile terminal is n, n authentication servers are selected for certificate authentication, and if fewer than n authentication servers are currently available, all available authentication servers are selected for certificate authentication.

 The present invention also provides an authentication system based on a wireless local area network authentication and privacy infrastructure, including an access point, a mobile terminal, and an authentication server;

The access point is configured to select one or more authentication servers to complete the authentication of the certificate when certificate authentication is performed with the mobile terminal;

The authentication server is configured to authenticate the access point certificate and the mobile terminal certificate.

Further, the access point is further configured to store an authentication server current usage table, which records the current load status of each authentication server and whether it is available;

 The access point selects one or more authentication servers having the smallest current load from the available authentication servers to complete the authentication of the certificate.

Further, when the access point selects multiple authentication servers to complete the authentication of the certificate, the access point sends the certificate authentication request message to each selected authentication server, and each authentication server authenticates the certificate of the mobile terminal and forms a certificate authentication response message that is sent to the access point;

The access point performs signature verification on each received certificate authentication response message and obtains each authentication server's authentication result for the mobile terminal certificate. If at least one of the authentication servers' authentication results for the mobile terminal certificate is correct, the mobile terminal is allowed to access the access point; if none of the authentication servers' authentication results for the mobile terminal certificate is correct, the mobile terminal is not allowed to access the access point.

 Further, the system further includes a trusted center;

Determining whether the authentication servers' authentication results for the mobile terminal certificate are correct means that the access point determines whether the authentication servers' authentication results for the mobile terminal certificate are consistent with each other; if they are consistent, the authentication results for the mobile terminal certificate are considered correct; if they are inconsistent, the access point sends the authentication servers' authentication results to the trusted center, and the trusted center verifies each authentication server's authentication result for the mobile terminal certificate, detects the authentication server with fraudulent behavior and notifies the access point.

Further, the access point is further configured to form an access authentication response message from the mobile terminal certificate authentication result information and the access point certificate authentication result information generated by the authentication servers without fraudulent behavior, together with the access point's signature over the mobile terminal certificate authentication result information and the access point certificate authentication result information, and to send the access authentication response message to the mobile terminal;

The mobile terminal is configured to verify, after receiving the access authentication response message, the signature of the access point and the signature of the authentication server, obtain the certificate verification result of the access point, and determine whether the authentication result of the access point certificate is correct; if so, it decides to access the access point, otherwise it does not access the access point.

In summary, the present invention proposes a WAPI-based authentication system and method in which the authentication of the certificate can flexibly be completed by a single ASU or by multiple ASUs according to the actual situation. The AP selects the ASUs participating in the certificate authentication according to the ASU current usage table it maintains; authentication by multiple ASUs overcomes the shortcomings of single-ASU authentication and can effectively detect a fraudulent ASU, and when single-ASU authentication is selected, the efficiency of authentication is improved because load sharing can be achieved.

Drawings

FIG. 1 is a schematic structural diagram of a certificate authentication system of the present invention;

FIG. 2 is a flow chart of a certificate authentication method of the present invention.

Detailed description

 The present invention provides a WAPI-based authentication system. As shown in FIG. 1, the authentication system includes an AP, an MT, a TC (Trust Center), and a plurality of ASUs.

The MT is configured to send, after receiving the authentication activation message from the AP, an access authentication request to the AP carrying the MT certificate and the MT access authentication request time;

The MT is further configured to verify, after receiving the access authentication response message sent by the AP, the signature of the AP and the signature of the ASU to obtain the certificate verification result of the AP, and to determine whether to access the AP according to the verification result of the AP certificate;

The AP is configured to select, after receiving the access authentication request sent by the MT, the number of ASUs for certificate authentication according to the security level of the MT. When the security level of the MT is low, only one ASU may be selected for certificate authentication; when the security level is high, multiple ASUs may be selected. Specifically, the AP can classify the security level of the MT according to the number of ASUs, for example, but not limited to, by making the number of security levels of the MT equal to the number of ASUs: when the security level of the MT is 1, one ASU is selected for certificate authentication; when the security level of the MT is 2, two ASUs are selected; when the security level of the MT is n, n ASUs are selected. If the security level of the MT is n but fewer than n ASUs are currently available, all available ASUs can be selected for certificate authentication. Of course, many other ways of division are possible, and the present invention does not limit them.

When m ASUs need to be selected, the m ASUs with the smallest current load are selected from all available ASUs;

The AP is further configured to sign the MT certificate, the access authentication request time and the AP certificate with the AP private key to form a certificate authentication request message, and to send the certificate authentication request message to the selected m ASUs for certificate authentication; after receiving the certificate authentication response messages returned by the m ASUs, the AP verifies the signature on each of the m authentication response messages, obtains m certificate authentication results for the MT, and determines whether the m authentication results are correct. If at least one of the authentication results is correct, the MT is allowed to access; if none of the m authentication results is correct, the MT is not allowed to access;

To determine whether the m authentication results are correct, the AP first compares the m authentication results. If they are consistent, no ASU has behaved fraudulently, that is, the m authentication results are correct. If the m authentication results are not completely consistent, the AP sends the m authentication results to the TC and determines whether a correct authentication result exists according to the feedback from the TC;

The AP is further configured to form an access authentication response message from the correct MT certificate authentication result information, the AP certificate authentication result information and the AP's signature over the foregoing information (that is, the MT certificate authentication result information and the AP certificate authentication result information), and to send the access authentication response message to the MT.

The TC is configured to verify, after receiving the m authentication results sent by the AP, the m authentication results in turn and to detect the ASU with deceptive behavior, namely the ASU corresponding to an incorrect authentication result, and to send the identity of that ASU (or the incorrect authentication result) to the AP.

 The present invention also provides a WAPI-based authentication method, as shown in FIG. 2, including the following steps:

In the certificate authentication request phase, the AP selects the number of ASUs according to the security level of the network. The AP maintains an ASU current usage table and, according to it, selects the one or more ASUs with the lowest load to perform the authentication.

Step 201: After receiving the MT's access authentication request, the AP selects the number of ASUs for certificate authentication according to the security level of the MT. When the security level of the MT is low, only one ASU may be selected for certificate authentication; when it is high, multiple ASUs may be selected. Specifically, the AP can divide the security levels of the MT according to the number of ASUs, for example, but not limited to, by making the number of security levels of the MT equal to the number of ASUs: when the security level of the MT is 1, one ASU is selected for certificate authentication; when it is 2, two ASUs are selected; when it is n, n ASUs are selected. If the security level of the MT is n but fewer than n ASUs are currently available, all available ASUs can be selected for certificate authentication; of course, other ways of division are possible, and the present invention does not limit them.

If m ASUs need to be selected, the AP selects the m ASUs with the smallest current load from all available ASUs;

 The AP then uses the AP private key to sign the MT certificate, the access authentication request time, and the AP certificate to form a certificate authentication request message, and sends the certificate authentication request message to the selected m ASUs.

Step 202: Each ASU that receives the certificate authentication request message verifies the legality of the AP signature, the AP certificate and the MT certificate according to the public keys and verification information held at the trusted center TC. When the verification is complete, each of the m ASUs forms a certificate authentication response message from the MT certificate authentication result information and the AP certificate authentication result information and sends it to the AP;

 The MT certificate authentication result information includes an MT certificate, an authentication result, an access authentication request time, and an ASU signature on the foregoing information. The AP certificate authentication result information includes an AP certificate, an authentication result, an access authentication request time, and an ASU signature on the foregoing information;

Step 203: After receiving the certificate authentication response messages of the m ASUs, the AP performs signature verification on each authentication response message to obtain each ASU's MT certificate authentication result, and determines whether a correct MT certificate authentication result exists. If so, step 204 is performed, otherwise step 208 is performed;

The method for judging whether the m authentication results are correct is that the AP first compares the m authentication results. If they are all consistent, no ASU has behaved deceptively, that is, the m authentication results are correct. If the m authentication results are not completely consistent, the m authentication results are sent to the TC, which verifies the m authentication results in turn, detects the ASU with the spoofing behavior, that is, the one that produced the incorrect authentication result, and sends the identity of that ASU (or the incorrect authentication result) to the AP.

 Step 204: The AP allows the MT to access the network.

Step 205: The AP forms an access authentication response message from the MT certificate authentication result information and the AP certificate authentication result information generated by an ASU without spoofing behavior, together with the AP's signature over this information (the MT certificate authentication result information and the AP certificate authentication result information), and sends it to the MT. When there are multiple ASUs without spoofing behavior, each pair of MT certificate authentication result information and AP certificate authentication result information carries its own AP signature, that is, there are multiple access authentication response messages.

Step 206: After receiving the access authentication response message sent by the AP, the MT verifies the signature of the AP and the signature of the ASU and obtains the verification result of the AP certificate (when multiple access authentication response messages are received, the MT obtains the AP certificate verification result carried in each of them), and determines whether the verification result of the AP certificate is correct; if so, go to step 207, otherwise go to step 209;

Step 207: The MT decides to access the AP;

 Step 208: The AP does not allow the MT to access the network.

Step 209: The MT decides not to access the AP.

Compared with the prior art, in the authentication phase the AP selects the number of authentication servers according to the actual situation and, according to the ASU current usage table it maintains, selects the ASUs with the lowest load and good working condition to complete the authentication, which improves the efficiency of authentication. Authentication by multiple ASUs overcomes the fraud that a single authoritative ASU can commit in prior-art authentication and improves security. When there is a large number of WLAN MTs and single-ASU authentication is selected, the efficiency of authentication is improved because the load is shared among the multiple ASUs.

 The method of the present invention is further illustrated by an application example, taking 5 ASUs as an example.

The AP can select one to five servers to complete certificate authentication. The AP maintains an ASU current usage table and, according to it, selects the servers with the lowest load to complete the authentication of the certificate. The following takes the selection of two ASUs as an example.

Step 1: Authentication activation; the MT logs in to the AP, and the AP sends an authentication activation message to the MT to initiate the authentication process;

Step 2: Access authentication request; the MT sends an access authentication request to the AP, carrying the MT certificate and the MT access authentication request time;

Step 3: After receiving the MT access authentication request, the AP needs to select two ASUs to perform certificate authentication according to the security level of the MT. As shown in Table 1, ASU2 is currently unavailable, so only the remaining four ASUs can be chosen from; the two ASUs with the lowest current load (that is, the fewest authentications waiting to be processed), namely ASU1 and ASU5, are selected for certificate authentication;

 The AP then uses the AP private key to sign the MT certificate, the access authentication request time, and the AP certificate to form a certificate authentication request message, and sends the certificate authentication request message to ASU1 and ASU5.

 Table 1: ASU current usage table stored by AP
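The selection rule of step 3 above and of method step 201, worked as an added Python example; this is illustrative code written for this page, not the patent's or the applicant's implementation. The usage table is a constructed stand-in for Table 1 (the page does not carry the table's values), arranged so that ASU2 is unavailable and ASU1 and ASU5 are the two least-loaded of the remaining four. The `pending` counter, the name tie-break and the `dispatch`/`complete` bookkeeping are assumptions about how an AP would keep the table current; the fallback to every available ASU when fewer than n are up, and the refusal to proceed with no ASU at all, follow the text.

```python
"""ASU selection from the AP's current usage table (added example)."""
from dataclasses import dataclass


@dataclass
class AsuStatus:
    name: str
    pending: int        # authentications this ASU is currently processing (assumed load metric)
    available: bool     # False once the AP has marked the ASU unreachable


def make_usage_table() -> list[AsuStatus]:
    """Constructed stand-in for Table 1: values are assumptions, not the page's."""
    return [
        AsuStatus("ASU1", pending=2, available=True),
        AsuStatus("ASU2", pending=0, available=False),   # currently unavailable
        AsuStatus("ASU3", pending=9, available=True),
        AsuStatus("ASU4", pending=4, available=True),
        AsuStatus("ASU5", pending=3, available=True),
    ]


def select_asus(table: list[AsuStatus], security_level: int) -> list[str]:
    """Names of the ASUs chosen for one certificate authentication.

    Security level n -> n ASUs; if fewer than n are available, all available
    ones are used (the patent's fallback). No available ASU at all is an
    error: the authentication cannot run, so the MT must not be admitted.
    """
    if security_level < 1:
        raise ValueError("security level must be at least 1")
    candidates = sorted(
        (a for a in table if a.available),
        key=lambda a: (a.pending, a.name),   # lowest load first; name breaks ties
    )
    if not candidates:
        raise RuntimeError("no ASU available; certificate authentication cannot run")
    return [a.name for a in candidates[: min(security_level, len(candidates))]]


def dispatch(table: list[AsuStatus], chosen: list[str]) -> None:
    """Account for the requests just sent so later selections see the load."""
    for a in table:
        if a.name in chosen:
            a.pending += 1


def complete(table: list[AsuStatus], asu: str, *, reachable: bool = True) -> None:
    """Record a response from an ASU, or a timeout, which marks it unavailable."""
    for a in table:
        if a.name == asu:
            a.pending = max(0, a.pending - 1)
            a.available = reachable


def simulate(table: list[AsuStatus], levels: list[int]) -> list[list[str]]:
    """Authenticate several MTs in a row, updating the table after each
    dispatch, so the selection is seen to move away from busy ASUs."""
    picks = []
    for level in levels:
        chosen = select_asus(table, level)
        dispatch(table, chosen)
        picks.append(chosen)
    return picks


if __name__ == "__main__":
    print(select_asus(make_usage_table(), 2))        # ['ASU1', 'ASU5']
    print(simulate(make_usage_table(), [2, 2, 1]))
```

With the constructed table, a level-2 MT gets ASU1 and ASU5 as in step 3; a level-10 MT gets all four available ASUs; and after ASU1 and ASU5 have each been handed a request, the next level-2 MT goes to ASU1 and ASU4, because ASU5's pending count now ties with ASU4's and the name breaks the tie.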

Step 4: After receiving the certificate authentication request message of the AP, ASU1 and ASU5 verify the legality of the AP signature, the AP certificate and the MT certificate.

When the verification is complete, ASU1 and ASU5 each form the MT certificate authentication result information (including the MT certificate, the authentication result, the access authentication request time and the signature of ASU1 or ASU5 respectively) and the AP certificate authentication result information (including the AP certificate, the authentication result, the access authentication request time and the signature of ASU1 or ASU5 respectively), and ASU1 and ASU5 each send a certificate authentication response message to the AP.

Step 5: After receiving the authentication response messages from ASU1 and ASU5, the AP performs signature verification on each authentication response message and obtains the MT certificate authentication result information of ASU1 and of ASU5;

Step 6: After obtaining the MT certificate authentication result information from ASU1 and ASU5, the AP compares the two certificate authentication results. If the two authentication results are the same, the AP considers that there is no fraudulent behavior and performs step 8; if the two authentication results are inconsistent, spoofing behavior is considered to exist, and the MT certificate authentication results of ASU1 and ASU5 are sent to the TC;

Step 7: The trusted center TC verifies the MT certificate authentication results of ASU1 and ASU5, puts the fraudulent ASU into a bad-record table for auditing, and notifies the AP of the fraudulent ASU; then step 8 is performed;

Step 8: The AP determines whether to allow the MT to access the network according to the MT certificate authentication results of ASU1 and ASU5. Specifically, when at least one of the MT certificate authentication results of ASU1 and ASU5 is correct, the AP allows the MT to access the network; if both MT certificate authentication results of ASU1 and ASU5 are incorrect, the AP does not allow the MT to access the network.

The AP forms an access authentication response message from the correct MT certificate authentication result information, the AP certificate authentication result information and the AP's signature over this information (the MT certificate authentication result information and the AP certificate authentication result information), and sends it to the MT;
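The AP/ASU/TC exchange of steps 4 to 8 above, which is the same exchange as method steps 202 to 204/208 and background steps (3) to (5), as an added Python example that is not the patent's or the applicant's code. Signatures are stand-ins: HMAC-SHA256 under a per-entity key replaces the WAPI elliptic-curve signatures so that the code runs offline on the standard library, and all keys, certificate contents and the request time are constructed. Reading the patent's "at least one correct result" as "a positive verdict from an ASU that the TC has not flagged" is an assumption of this example, as is modelling a deceptive ASU as one that inverts its verdict on the MT certificate.

```python
"""Multi-ASU certificate authentication with TC arbitration (added example)."""
import hashlib
import hmac
import json

CA_KEY = b"constructed-ca-key"      # issuer key: known to every ASU and to the TC


def sign(key: bytes, payload: dict) -> str:
    """Stand-in for a WAPI ECDSA signature: HMAC-SHA256 over canonical JSON."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)


def unsigned(msg: dict, sig_field: str) -> dict:
    """The message without its signature field, i.e. what the signature covers."""
    return {k: v for k, v in msg.items() if k != sig_field}


def make_cert(subject: str, forge: bool = False) -> dict:
    """Toy certificate signed by the issuer; forge=True yields one that no
    honest ASU should accept (constructed contents)."""
    body = {"subject": subject, "pub": f"pub-{subject}"}
    return dict(body, sig=sign(b"wrong-key" if forge else CA_KEY, body))


def cert_is_valid(cert: dict) -> bool:
    return verify(CA_KEY, unsigned(cert, "sig"), cert["sig"])


class ASU:
    def __init__(self, name: str, honest: bool = True):
        self.name, self.honest = name, honest
        self.key = f"key-{name}".encode()   # constructed per-ASU signing key

    def handle_request(self, req: dict, ap_key: bytes) -> dict:
        """Step 4 / step 202: check the AP signature, then both certificates,
        and return signed result information for each certificate."""
        if not verify(ap_key, unsigned(req, "ap_sig"), req["ap_sig"]):
            raise ValueError("bad AP signature on certificate authentication request")
        mt_ok, ap_ok = cert_is_valid(req["mt_cert"]), cert_is_valid(req["ap_cert"])
        if not self.honest:                 # assumed model of a deceptive ASU: inverted MT verdict
            mt_ok = not mt_ok
        mt_info = {"cert": req["mt_cert"], "result": mt_ok, "time": req["time"]}
        ap_info = {"cert": req["ap_cert"], "result": ap_ok, "time": req["time"]}
        return {"asu": self.name,
                "mt_info": dict(mt_info, asu_sig=sign(self.key, mt_info)),
                "ap_info": dict(ap_info, asu_sig=sign(self.key, ap_info))}


def tc_arbitrate(results: list) -> list:
    """Step 7: the TC re-checks the MT certificate itself and names every ASU
    whose signed verdict disagrees with that check."""
    return [r["asu"] for r in results
            if r["mt_info"]["result"] != cert_is_valid(r["mt_info"]["cert"])]


def ap_decide(responses: list, asu_keys: dict) -> dict:
    """Steps 5, 6 and 8: drop responses whose ASU signature fails, compare the
    remaining m verdicts, escalate disagreement to the TC, and admit the MT
    only if a positive verdict remains from an ASU the TC did not flag."""
    verified = [r for r in responses
                if verify(asu_keys[r["asu"]], unsigned(r["mt_info"], "asu_sig"),
                          r["mt_info"]["asu_sig"])]
    verdicts = {r["mt_info"]["result"] for r in verified}
    fraudulent = tc_arbitrate(verified) if len(verdicts) > 1 else []
    trusted = [r for r in verified if r["asu"] not in fraudulent]
    return {"allow": any(r["mt_info"]["result"] for r in trusted),
            "fraudulent": fraudulent,
            "trusted": [r["asu"] for r in trusted]}


def run_authentication(asus: list, mt_cert: dict, ap_cert: dict, ap_key: bytes) -> dict:
    """Step 3 / background step (3): the AP signs (MT cert, request time, AP
    cert) with its private key, sends it to the selected ASUs and decides."""
    req = {"mt_cert": mt_cert, "ap_cert": ap_cert, "time": "2009-12-21T10:00:00Z"}  # constructed
    req["ap_sig"] = sign(ap_key, req)
    responses = [a.handle_request(req, ap_key) for a in asus]
    return ap_decide(responses, {a.name: a.key for a in asus})


if __name__ == "__main__":
    ap_key, ap_cert = b"constructed-ap-key", make_cert("AP")
    print(run_authentication([ASU("ASU1"), ASU("ASU5", honest=False)],
                             make_cert("MT"), ap_cert, ap_key))
```

Two things the run makes visible. With ASU1 honest and ASU5 deceptive, the verdicts disagree, the TC flags ASU5, and the decision is taken on ASU1's verdict alone, so a valid MT is admitted and a forged one is refused. With a single deceptive ASU there is nothing to compare against, the TC is never consulted, and the inverted verdict stands, which is exactly the single-ASU weakness the background section describes; the scheme also relies on the TC being able to verify the certificate independently of the ASUs it is judging.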

Step 9: After receiving the access authentication response message sent by the AP, the MT verifies the signature of the AP and the signature of the ASU, obtains the certificate verification result of the AP, and determines whether to access the AP according to the verification result of the AP certificate: if the verification result is correct, it decides to access, otherwise it does not access;

 Step 10: If the certificate authentication is passed, the AP and the MT perform key negotiation, and the negotiated key is used for communication.

Claims

Claim
 What is claimed is: 1. An authentication method based on a wireless local area network authentication and privacy infrastructure, comprising: selecting one or more authentication servers when a certificate authentication is implemented between an access point and a mobile terminal; Complete the identification of the certificate.
 2. The method according to claim 1, wherein the method further comprises: the access point stores a current usage table of the authentication servers, wherein the usage table records the current load status and the availability status of each authentication server;
 The access point selects, from the available authentication servers, one or more authentication servers having the smallest current load to complete the authentication of the certificate.
 3. The method according to claim 1, wherein:
 When the access point selects multiple authentication servers to complete the authentication of the certificate, the access point sends a certificate authentication request message to each selected authentication server, and each authentication server authenticates the certificate of the mobile terminal and sends a certificate authentication response message to the access point;
 The access point performs signature verification on each received certificate authentication response message and obtains each authentication server's authentication result for the mobile terminal certificate. If at least one authentication server's result for the mobile terminal certificate is correct, the mobile terminal is allowed to access the access point; if every authentication server's result for the mobile terminal certificate is incorrect, the mobile terminal is not allowed to access the access point.
 4. The method according to claim 3, wherein the access point determines whether each selected authentication server's authentication result for the mobile terminal certificate is correct by:
 Determining whether the authentication servers have the same certificate authentication result for the mobile terminal. If the results are consistent, each authentication server's result for the mobile terminal certificate is considered correct; if they are not, fraudulent behavior is considered to exist, the access point sends each authentication server's result for the mobile terminal certificate to the trusted center, and the trusted center verifies each authentication server's result for the mobile terminal certificate, detects the authentication server having fraudulent behavior, and notifies the access point of the detection result.
 5. The method according to claim 1, wherein the method further comprises: the access point forms an access authentication response message from the mobile terminal certificate authentication result information generated by an authentication server without fraudulent behavior, the access point certificate authentication result information, and the access point's signature over the mobile terminal certificate authentication result information and the access point certificate authentication result information, and sends the access authentication response message to the mobile terminal;
 After receiving the access authentication response message, the mobile terminal verifies the signature of the access point and the signature of the authentication server, obtains the certificate verification result of the access point, and determines whether the access point certificate authentication result is correct; if it is correct, the mobile terminal decides to access the access point, otherwise it does not access the access point.
 6. The method according to claim 1, wherein the method further comprises: the access point divides the mobile terminals into security levels according to the number of authentication servers, the number of mobile terminal security levels being equal to the number of authentication servers;
 When selecting authentication servers for certificate authentication, the access point selects the number of authentication servers that complete certificate authentication according to the security level of the mobile terminal: when the security level of the mobile terminal is n, n authentication servers are selected for certificate authentication, and if fewer than n authentication servers are currently available, all available authentication servers are selected for certificate authentication.
 7. An authentication system based on a wireless local area network authentication and privacy infrastructure, comprising an access point, a mobile terminal, and an authentication server;
 The access point is configured to select one or more authentication servers to complete the authentication of the certificate when certificate authentication is performed with the mobile terminal;
 The authentication server is configured to authenticate the access point certificate and the mobile terminal certificate.
 8. The system according to claim 7, wherein:
 The access point is further configured to store a current usage table of the authentication servers, wherein the usage table records the current load status and the availability status of each authentication server;
 The access point is further configured to select, from the available authentication servers, one or more authentication servers with the smallest current load to complete the authentication of the certificate.
 9. The system according to claim 7, wherein:
 When the access point selects multiple authentication servers to complete the authentication of the certificate, the access point is further configured to send a certificate authentication request message to each selected authentication server, and each authentication server is configured to authenticate the mobile terminal certificate and send a certificate authentication response message to the access point;
 The access point is further configured to perform signature verification on each received certificate authentication response message and obtain each authentication server's authentication result for the mobile terminal certificate; if at least one authentication server's result for the mobile terminal certificate is correct, the mobile terminal is allowed to access the access point, and if every authentication server's result for the mobile terminal certificate is incorrect, the mobile terminal is not allowed to access the access point.
 10. The system according to claim 9, wherein:
 The access point is further configured to determine whether the authentication servers' authentication results for the mobile terminal certificate are consistent. If they are consistent, each authentication server's result for the mobile terminal certificate is considered correct; otherwise, the access point sends each authentication server's result for the mobile terminal certificate to a trusted center;
 The system further comprises a trusted center configured to verify each authentication server's authentication result for the mobile terminal certificate, detect the authentication server having fraudulent behavior, and notify the access point.
 11. The system according to claim 7, wherein:
 The access point is further configured to form an access authentication response message from the mobile terminal certificate authentication result information generated by an authentication server that has no fraudulent behavior, the access point certificate authentication result information, and the access point's signature over the mobile terminal certificate authentication result information and the access point certificate authentication result information, and to send the access authentication response message to the mobile terminal;
 After receiving the access authentication response message, the mobile terminal is configured to verify the signature of the access point and the signature of the authentication server, obtain the certificate verification result of the access point, and determine whether the access point certificate authentication result is correct; if it is correct, the mobile terminal decides to access the access point, otherwise it does not access the access point.
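The access point's behaviour in steps 6 to 8 and the server-selection rule of claims 2 and 6 are modelled below in Python; this is an added example, not code from the patent or its assignee. The usage-table values, the ASU names other than ASU1 and ASU5, and the trusted center's arbitration rule (re-verifying the MT certificate itself and flagging any ASU whose verdict disagrees) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Asu:
    """One row of the AP's usage table (claim 2): name, current load, availability."""
    name: str
    load: int
    available: bool


def select_asus(usage_table: List[Asu], security_level: int) -> List[str]:
    """Claims 2 and 6: pick the `security_level` least-loaded available ASUs;
    when fewer than that are available, take all available ones."""
    avail = sorted((a for a in usage_table if a.available), key=lambda a: a.load)
    return [a.name for a in avail[:security_level]]


@dataclass
class TrustedCenter:
    """Step 7 / claim 4. Hypothetical model: the TC re-verifies the MT certificate
    itself (`true_result`) and flags every ASU whose verdict disagrees with it."""
    true_result: bool
    bad_record: List[str] = field(default_factory=list)

    def verify(self, results: Dict[str, bool]) -> List[str]:
        fraudulent = [asu for asu, ok in results.items() if ok != self.true_result]
        self.bad_record.extend(fraudulent)  # bad-record table kept for auditing
        return fraudulent


def ap_decide(results: Dict[str, bool], tc: TrustedCenter) -> Tuple[bool, List[str], Dict[str, bool]]:
    """Steps 6-8 / claims 3-5. `results` maps ASU name -> its MT-certificate verdict.
    Returns (allow_access, fraudulent_asus, verdicts_from_non_fraudulent_asus)."""
    fraudulent: List[str] = []
    if len(set(results.values())) > 1:   # step 6: verdicts disagree -> suspected spoofing
        fraudulent = tc.verify(results)  # step 7: TC arbitrates and notifies the AP
    # Step 8: access is granted if at least one ASU found the certificate correct.
    # Note that consistent verdicts are never sent to the TC in this scheme.
    allow = any(results.values())
    # Claim 5: only verdicts from non-fraudulent ASUs go into the access authentication response.
    trusted = {asu: ok for asu, ok in results.items() if asu not in fraudulent}
    return allow, fraudulent, trusted


if __name__ == "__main__":
    # Constructed usage table; security level 2 yields ASU1 and ASU5 as in the description above.
    table = [Asu("ASU1", 2, True), Asu("ASU2", 1, False), Asu("ASU3", 9, True),
             Asu("ASU4", 7, True), Asu("ASU5", 3, True)]
    chosen = select_asus(table, 2)
    tc = TrustedCenter(true_result=True)
    print(chosen, ap_decide({chosen[0]: True, chosen[1]: False}, tc), tc.bad_record)
```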

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200910160652.0 2009-07-22
CNA2009101606520A CN101610515A (en) 2009-07-22 2009-07-22 A kind of Verification System and method based on WAPI

Publications (1)

Publication Number Publication Date
WO2011009268A1 true WO2011009268A1 (en) 2011-01-27

Family

ID=41484045

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/075687 WO2011009268A1 (en) 2009-07-22 2009-12-17 Wapi (wlan authentication and privacy infrastructure) -based authentication system and method

Country Status (2)

Country Link
CN (1) CN101610515A (en)
WO (1) WO2011009268A1 (en)



Also Published As

Publication number Publication date
CN101610515A (en) 2009-12-23


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 09847503; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase in: Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 09847503; Country of ref document: EP; Kind code of ref document: A1