WO2011009268A1 - WAPI (WLAN Authentication and Privacy Infrastructure)-based authentication system and method - Google Patents


Info

Publication number
WO2011009268A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
certificate
access point
mobile terminal
access
Prior art date
Application number
PCT/CN2009/075687
Other languages
French (fr)
Chinese (zh)
Inventor
周伟
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2011009268A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H04W12/069: Authentication using certificates or pre-shared keys

Definitions

  • The present invention relates to WAPI (WLAN Authentication and Privacy Infrastructure) technology, and specifically to a WAPI-based authentication system and method. Background technique
  • WAPI is a security protocol applied to WLAN (Wireless Local Area Network). It is a standard with innovative technology proposed by China, which addresses the vulnerabilities and weaknesses of existing wireless LAN security mechanisms.
  • The WAPI security mechanism consists of two parts: WAI (WLAN Authentication Infrastructure) and WPI (WLAN Privacy Infrastructure).
  • WAI authenticates the identity of the user, ensuring that legitimate users access a legitimate network; WPI encrypts the transmitted data, ensuring the confidentiality of the communication.
  • WAI uses a public key cryptosystem with digital certificates to perform mutual authentication between the MT (Mobile Terminal) and the AP (Access Point) of the WLAN system.
  • WAI defines an entity called the ASU (Authentication Service Unit), which manages the certificates required by the parties taking part in the information exchange, including the generation, issuance, revocation and update of certificates.
  • The certificate is the digital identity credential of the network device terminal MT, and its contents are signed with the WAPI-specific elliptic curve digital signature algorithm.
  • The specific implementation of the WAPI protocol includes the following processes:
  • (1) Authentication activation: when the MT logs in to the AP, the AP sends an authentication activation message to the MT to start the authentication process.
  • (2) Access authentication request: the MT sends an access authentication request to the AP, carrying its own certificate and the access authentication request time.
  • (3) Certificate authentication request: after receiving the MT access authentication request, the AP sends a certificate authentication request to the ASU, consisting of the MT certificate, the access authentication request time, the AP certificate, and the AP's signature over them made with the AP private key.
  • (4) Certificate authentication response: after receiving the AP's request, the ASU verifies the AP signature and the legality of the AP and MT certificates. It then forms a certificate authentication response message from the MT certificate authentication result information (the MT certificate, the authentication result, the access authentication request time, and the ASU's signature over them) and the AP certificate authentication result information (the AP certificate, the authentication result, the access authentication request time, and the ASU's signature over them), and sends it back to the AP.
  • (5) Access authentication response: the AP verifies the certificate authentication response returned by the ASU and obtains the MT certificate authentication result. The AP then forms an access authentication response message from the MT certificate authentication result information, the AP certificate authentication result information, and the AP's signature over them, and sends it to the MT. The MT verifies the ASU signature, obtains the authentication result of the AP certificate, and decides according to that result whether to access the AP.
  • (6) Key negotiation: once the certificates of both the MT and the AP have been authenticated, the two parties negotiate a key and communicate with the negotiated key.
  • The technical problem to be solved by the present invention is to provide a WAPI-based authentication system and method that improve the security and efficiency of the WAPI authentication mechanism.
  • To this end, the present invention provides an authentication method based on the wireless local area network authentication and privacy infrastructure, including: when certificate authentication is carried out between an access point and a mobile terminal, the access point selects one or more authentication servers to complete the authentication of the certificates.
  • Further, the access point stores a current usage table of the authentication servers, which records the current load of each authentication server and whether it is available;
  • the access point selects, from the available authentication servers, the one or more authentication servers with the smallest current load to complete the certificate authentication.
  • Further, when the access point selects multiple authentication servers, it sends the certificate authentication request message to each selected authentication server; each authentication server authenticates the certificate of the mobile terminal, forms a certificate authentication response message and sends it to the access point;
  • the access point performs signature verification on each received certificate authentication response message and obtains each authentication server's authentication result for the mobile terminal certificate. If at least one authentication server's result for the mobile terminal certificate is correct, the mobile terminal is allowed to access the access point; if no authentication server's result is correct, the mobile terminal is not allowed to access the access point.
  • Further, the correctness of the authentication servers' results for the mobile terminal certificate is determined as follows: if every authentication server returns the same certificate authentication result for the mobile terminal, all results are considered correct; if the results are inconsistent, spoofing is assumed, the access point sends each authentication server's result for the mobile terminal certificate to the trusted center, and the trusted center verifies each result, detects the authentication server that has spoofed, and notifies the access point.
  • Further, the access point forms an access authentication response message from the mobile terminal certificate authentication result information and the access point certificate authentication result information generated by the authentication servers that did not spoof, together with the access point's signature over that information, and sends it to the mobile terminal;
  • after receiving the access authentication response message, the mobile terminal verifies the signature of the access point and the signature of the authentication server, obtains the certificate verification result of the access point, and determines whether the authentication result of the access point certificate is correct: if so, it accesses the access point; otherwise it does not.
  • Further, the access point divides the security level of the mobile terminal according to the number of authentication servers, the number of security levels being equal to the number of authentication servers; when selecting the authentication servers that perform certificate authentication, the access point chooses how many authentication servers to use according to the security level of the mobile terminal.
  • Further, when the security level of the mobile terminal is n, n authentication servers are selected for certificate authentication;
  • if fewer than n authentication servers are currently available, all available authentication servers are selected for certificate authentication.
  • The present invention also provides an authentication system based on the wireless local area network authentication and privacy infrastructure, including an access point, a mobile terminal and authentication servers;
  • the access point is configured to select one or more authentication servers to complete the certificate authentication when certificate authentication is carried out between the access point and the mobile terminal;
  • the authentication server is configured to authenticate the access point certificate and the mobile terminal certificate. Further, the access point is further configured to store an authentication server current usage table that records the current load of each authentication server and whether it is available;
  • the access point selects, from the available authentication servers, the one or more with the smallest current load to complete the certificate authentication.
  • Further, when the access point selects multiple authentication servers, it sends the certificate authentication request message to each selected authentication server;
  • each authentication server authenticates the certificate of the mobile terminal and forms a certificate authentication response message, which it sends to the access point;
  • the access point performs signature verification on each received certificate authentication response message and obtains each authentication server's authentication result for the mobile terminal certificate. If at least one result is correct, the mobile terminal is allowed to access the access point; if none is correct, the mobile terminal is not allowed to access the access point.
  • Further, the system includes a trusted center;
  • determining whether an authentication server's result for the mobile terminal certificate is correct means that the access point checks whether the authentication results of all authentication servers for the mobile terminal certificate are consistent; if they are consistent, the results are considered correct; if they are inconsistent, the access point sends each authentication server's result to the trusted center, and the trusted center verifies each result, detects the authentication server that has spoofed, and notifies the access point.
  • Further, the access point is further configured to form an access authentication response message from the mobile terminal certificate authentication result information and the access point certificate authentication result information generated by the authentication servers that did not spoof,
  • together with the access point's signature over that information, and to send the access authentication response message to the mobile terminal;
  • the mobile terminal is configured to, after receiving the access authentication response message, verify the signature of the access point and the signature of the authentication server, obtain the certificate verification result of the access point, and determine whether the access point certificate authentication result is correct: if so, it decides to access the access point; otherwise it does not.
  • In summary, the present invention proposes a WAPI-based authentication system and method in which the certificate authentication can be flexibly completed by a single ASU or by multiple ASUs according to the actual situation.
  • The AP selects the ASUs that take part in the certificate authentication according to the ASU current usage table it maintains; authentication by multiple ASUs overcomes the shortcomings of authentication by a single ASU and can effectively detect a fraudulent ASU.
  • The efficiency of authentication is improved because the load can be shared among the ASUs.
  • FIG. 1 is a schematic structural diagram of the certificate authentication system of the present invention.
  • As shown in FIG. 1, the present invention provides a WAPI-based authentication system.
  • The authentication system includes an AP, an MT, a TC (Trust Center) and a plurality of ASUs.
  • The MT is configured to send an access authentication request to the AP after receiving the authentication activation message from the AP, carrying the MT certificate and the MT access authentication request time;
  • the MT is further configured to, after receiving the access authentication response message sent by the AP, verify the signature of the AP and the signature of the ASU, obtain the certificate verification result of the AP, and determine whether to access the AP according to the verification result of the AP certificate.
  • The AP is configured to, after receiving the access authentication request sent by the MT, select the number of ASUs for certificate authentication according to the security level of the MT. When the security level of the MT is low, a single ASU can be selected; when it is high, multiple ASUs can be selected. Specifically, the AP can classify the security level of the MT according to the number of ASUs, for example (but not limited to) with the number of security levels equal to the number of ASUs: when the security level of the MT is 1, one ASU is selected for certificate authentication; when it is 2, two ASUs are selected;
  • and when the security level of the MT is n, n ASUs are selected for certificate authentication.
  • If the security level of the MT is n but fewer than n ASUs are currently available, all available ASUs can be selected for certificate authentication; of course, there are many other ways of dividing the levels, and the manner of division is not limited by the present invention.
  • The AP is further configured to sign the MT certificate, the access authentication request time and the AP certificate with the AP private key to form a certificate authentication request message, and to send it to the selected m ASUs for certificate authentication;
  • the AP verifies the signatures on the m certificate authentication response packets, obtains the m authentication results for the MT, and determines whether they are correct. If at least one of the authentication results is correct, the MT is allowed to access; if none of the m authentication results is correct, the MT is not allowed to access;
  • to do this the AP first compares the m authentication results. If they are consistent, no ASU has spoofed, that is, the m authentication results are correct. If the m authentication results are not completely consistent, the AP sends them to the TC and determines whether a correct authentication result exists according to the feedback from the TC;
  • the AP is further configured to form an access authentication response message from the correct MT certificate authentication result information, the AP certificate authentication result information and the AP's signature over that information (the MT certificate authentication result information and the AP certificate authentication result information), and to send the access authentication response message to the MT.
  • The TC is configured to, after receiving the m authentication results sent by the AP, verify the m authentication results in turn and detect the ASU that has spoofed, the spoofing ASU being the one whose authentication result is incorrect;
  • the TC sends the identity of the spoofing ASU (or the incorrect authentication result) to the AP.
  • The present invention also provides a WAPI-based authentication method, as shown in FIG. 2, including the following steps.
  • The AP selects the number of ASUs according to the security level required.
  • The AP maintains an ASU current usage table and, according to it, selects the one or more ASUs with the lowest load to perform the authentication.
  • Step 201: after receiving the MT access authentication request, the AP selects the number of ASUs for certificate authentication according to the security level of the MT. When the security level of the MT is low, only one ASU need be selected; when it is high, multiple ASUs can be selected. Specifically, the AP can divide the security level of the MT according to the number of ASUs, for example (but not limited to) with the number of security levels equal to the number of ASUs: when the security level of the MT is 1, one ASU is selected; when it is 2, two ASUs are selected; when it is n, n ASUs are selected for certificate authentication.
  • The AP selects the m ASUs with the smallest current load from all available ASUs;
  • the AP signs the MT certificate, the access authentication request time and the AP certificate with the AP private key to form a certificate authentication request message, and sends it to the selected m ASUs.
  • Step 202: each ASU that receives the certificate authentication request message verifies the legality of the AP signature, the AP certificate and the MT certificate according to the public key and verification information held at the trusted center TC. After verification, each of the m ASUs forms a certificate authentication response message from the MT certificate authentication result information and the AP certificate authentication result information and sends it to the AP;
  • the MT certificate authentication result information includes the MT certificate, the authentication result, the access authentication request time and the ASU's signature over them;
  • the AP certificate authentication result information includes the AP certificate, the authentication result, the access authentication request time and the ASU's signature over them.
  • Step 203: after receiving the certificate authentication response messages of the m ASUs, the AP verifies the signature on each response packet, obtains each ASU's MT certificate authentication result, and determines whether a correct MT certificate authentication result exists; if so, step 204 is performed, otherwise step 208.
  • The m authentication results are judged as follows: the AP first compares them. If they are all consistent, no ASU has spoofed, that is, the m authentication results are correct. If they are not completely consistent, the AP sends the m authentication results to the TC; the TC verifies them in turn, detects the ASU that has spoofed (the one whose result is incorrect), and sends the spoofing ASU (or the incorrect authentication result) to the AP.
  • Step 204: the AP allows the MT to access the network.
  • Step 205: the AP forms an access authentication response message from the MT certificate authentication result information and the AP certificate authentication result information generated by the ASUs that did not spoof, together with the AP's signature over that information (the MT certificate authentication result information and the AP certificate authentication result information), and sends it to the MT.
  • Each pair of MT certificate authentication result information and AP certificate authentication result information carries one AP signature, so multiple access authentication response messages may exist.
  • Step 206: after receiving the access authentication response message(s) sent by the AP, the MT verifies the signature of the AP and the signature of the ASU and obtains the verification result of the AP certificate (when multiple access authentication responses are received, the MT obtains several verification results of the AP certificate), and determines whether the verification result of the AP certificate is correct; if so, step 207 is performed, otherwise step 209.
  • Step 207: the MT decides to access the AP.
  • Step 208: the AP does not allow the MT to access the network.
  • Step 209: the MT decides not to access the AP.
  • In the above method the AP selects the number of authentication servers according to the actual situation, and selects the ASUs with the lowest load and good working condition to complete the authentication according to the ASU current usage table it maintains, which improves the efficiency of authentication. Authentication by multiple ASUs overcomes the possibility, present in the prior art, of fraudulent behaviour by the single authoritative ASU, and improves security. Even when single-ASU authentication is selected for a large number of wireless LAN MTs, the presence of multiple ASUs improves the efficiency of authentication.
  • The method of the present invention is further illustrated by an application example, taking 5 ASUs as an example.
  • With 5 ASUs the AP can select from one to five servers to complete certificate authentication.
  • The AP maintains an ASU current usage table and, according to it, selects the servers with the lowest load to complete the authentication of the certificate. The example below selects two ASUs.
  • Step 1: authentication activation. The MT logs in to the AP, and the AP sends an authentication activation to the MT to initiate the authentication process.
  • Step 2: access authentication request. The MT sends an authentication request to the AP, carrying the MT certificate and the MT access authentication request time.
  • Step 3: after receiving the MT access authentication request, the AP needs to select two ASUs for certificate authentication according to the security level of the MT. As shown in Table 1, ASU2 is currently unavailable, so only the remaining 4 ASUs can be considered; from them the AP selects the two ASUs with the lowest current load (that is, the fewest pending authentications), namely ASU1 and ASU5;
  • the AP signs the MT certificate, the access authentication request time and the AP certificate with the AP private key to form a certificate authentication request message, and sends it to ASU1 and ASU5.
  • Table 1: ASU current usage table stored by the AP
  • Step 4: after receiving the AP's certificate authentication request packet, ASU1 and ASU5 each verify the legality of the AP signature, the AP certificate and the MT certificate.
  • ASU1 and ASU5 each form MT certificate authentication result information (the MT certificate, the authentication result, the access authentication request time, and the signature of ASU1 or ASU5 respectively) and AP certificate authentication result information (the AP certificate, the authentication result, the access authentication request time, and the signature of ASU1 or ASU5 respectively),
  • and each sends a certificate authentication response message to the AP.
  • Step 5: after receiving the authentication response messages from ASU1 and ASU5, the AP verifies the signature on each response packet and obtains the MT certificate authentication result information of ASU1 and ASU5.
  • Step 6: having obtained the MT certificate authentication result information from ASU1 and ASU5, the AP compares the two authentication results. If they are the same, the AP considers that there is no fraudulent behaviour and performs step 8; if they are inconsistent, fraudulent behaviour is assumed and the AP sends the MT certificate authentication results of ASU1 and ASU5 to the TC.
  • Step 7: the trusted center TC verifies the MT certificate authentication results of ASU1 and ASU5, puts the fraudulent ASU into a bad-record table for auditing, and notifies the AP which ASU is fraudulent; step 8 is then performed.
  • Step 8: the AP determines whether to allow the MT to access the network according to the MT certificate authentication results of ASU1 and ASU5. Specifically, when at least one of the two results is correct, the AP allows the MT to access the network; if both results are incorrect, the AP does not allow the MT to access the network.
  • The AP forms an access authentication response message from the correct MT certificate authentication result information, the AP certificate authentication result information and the AP's signature over them (the MT certificate authentication result information and the AP certificate authentication result information), and sends it to the MT.
  • Step 9: after receiving the access authentication response packet sent by the AP, the MT verifies the signature of the AP and the signature of the ASU, obtains the certificate verification result of the AP, and determines whether to access the AP according to the verification result of the AP certificate: if the result is correct it decides to access, otherwise it does not.
  • Step 10: if the certificate authentication passes, the AP and the MT perform key negotiation, and the negotiated key is used for communication.
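The two-ASU application example above, together with the single-ASU flow of the Background section (security level 1), as an added runnable simulation. This is example code written for this page; it is not code from the patent or from 中兴通讯股份有限公司. Assumptions: an HMAC-SHA256 tag over canonical JSON stands in for the WAPI elliptic-curve signature, so every verifier shares a key with the signer (a real deployment verifies with the certificate public keys instead); the ASU names, keys, loads, the revoked serial and the timestamp are constructed, since the values of Table 1 are not reproduced on the page. The AP picks the lowest-load available ASUs from the usage table, signs the request, checks every ASU signature, compares the verdicts, escalates any disagreement to the trust center (which writes the lying ASU into its bad-record table), and applies the text's "at least one correct result" rule only to results from ASUs the TC did not flag.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumption: an HMAC-SHA256 tag over canonical JSON stands in for the WAPI
# elliptic-curve signature, so the whole flow runs on the standard library.
def sign(key: bytes, payload: dict) -> str:
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify(key: bytes, payload: dict, tag: str) -> bool:
    return hmac.compare_digest(sign(key, payload), tag)

@dataclass
class ASU:
    name: str
    key: bytes
    load: int                          # pending authentications (usage-table column)
    available: bool = True
    revoked: frozenset = frozenset()   # serials this ASU treats as revoked
    compromised: bool = False          # a compromised ASU inverts its MT verdict

    def authenticate(self, req: dict, ap_key: bytes):
        """Step 202: check the AP signature, then judge both certificates."""
        if not verify(ap_key, req["body"], req["sig"]):
            return None
        body = req["body"]
        mt_ok = body["mt_cert"]["serial"] not in self.revoked
        if self.compromised:
            mt_ok = not mt_ok
        mt_res = {"cert": body["mt_cert"], "result": mt_ok, "time": body["time"]}
        ap_res = {"cert": body["ap_cert"], "result": True, "time": body["time"]}
        return {"asu": self.name, "mt_res": mt_res, "mt_sig": sign(self.key, mt_res),
                "ap_res": ap_res, "ap_sig": sign(self.key, ap_res)}

@dataclass
class TrustCenter:
    revoked: frozenset                  # authoritative revocation list
    bad_record: list = field(default_factory=list)

    def arbitrate(self, results: list) -> set:
        """Step 7: re-check every ASU verdict; record and return the ASUs that lied."""
        liars = {r["asu"] for r in results if r["mt_res"]["result"]
                 != (r["mt_res"]["cert"]["serial"] not in self.revoked)}
        self.bad_record.extend(sorted(liars))
        return liars

def select_asus(table: list, level: int) -> list:
    """Step 201: the `level` lowest-load available ASUs, or all of them if fewer."""
    avail = sorted((a for a in table if a.available), key=lambda a: a.load)
    return avail[:level]

def ap_authenticate(ap_key, asu_keys, table, tc, mt_cert, ap_cert, level, time):
    """Steps 201-205 on the AP: returns (allowed, responses for the MT, ASU names used)."""
    chosen = select_asus(table, level)
    body = {"mt_cert": mt_cert, "time": time, "ap_cert": ap_cert}
    req = {"body": body, "sig": sign(ap_key, body)}
    results = []
    for asu in chosen:
        r = asu.authenticate(req, ap_key)
        # Step 203: keep only responses whose ASU signatures verify
        if r and (verify(asu_keys[r["asu"]], r["mt_res"], r["mt_sig"])
                  and verify(asu_keys[r["asu"]], r["ap_res"], r["ap_sig"])):
            results.append(r)
    # Consistent verdicts count as correct; any disagreement goes to the TC
    liars = tc.arbitrate(results) if len({r["mt_res"]["result"] for r in results}) > 1 else set()
    honest = [r for r in results if r["asu"] not in liars]
    # The text's rule: admit the MT if at least one non-fraudulent result is a pass
    allowed = any(r["mt_res"]["result"] for r in honest)
    # Step 205: one AP-signed access authentication response per honest ASU result
    responses = [{"info": r, "sig": sign(ap_key, r)} for r in honest] if allowed else []
    return allowed, responses, [a.name for a in chosen]

def mt_decide(ap_key, asu_keys, responses: list) -> bool:
    """Step 206: verify the AP and ASU signatures; join only if the AP certificate passed."""
    for resp in responses:
        info = resp["info"]
        if not (verify(ap_key, info, resp["sig"])
                and verify(asu_keys[info["asu"]], info["ap_res"], info["ap_sig"])
                and info["ap_res"]["result"]):
            return False
    return bool(responses)

def run_demo(compromised=None, mt_serial="MT-0001", level=2):
    """Constructed scenario: five ASUs, ASU2 unavailable, loads set so ASU1 and ASU5 win."""
    ap_key, revoked = b"ap-private-key", frozenset({"MT-0666"})
    table = [ASU("ASU1", b"k1", 3, True, revoked), ASU("ASU2", b"k2", 0, False, revoked),
             ASU("ASU3", b"k3", 9, True, revoked), ASU("ASU4", b"k4", 7, True, revoked),
             ASU("ASU5", b"k5", 4, True, revoked)]
    for a in table:
        a.compromised = (a.name == compromised)
    asu_keys = {a.name: a.key for a in table}
    tc = TrustCenter(revoked)
    allowed, responses, used = ap_authenticate(
        ap_key, asu_keys, table, tc, {"subject": "mt", "serial": mt_serial},
        {"subject": "ap", "serial": "AP-0001"}, level, "2009-12-18T10:00:00Z")
    return {"used": used, "allowed": allowed,
            "mt_joins": mt_decide(ap_key, asu_keys, responses), "bad_record": tc.bad_record}

if __name__ == "__main__":
    print(run_demo(), run_demo(compromised="ASU5"), sep="\n")
```

Running the scenarios in `run_demo` shows the property the text claims: with ASU1 and ASU5 both consulted, a compromised ASU5 is caught by the TC and its verdict discarded, and a compromised ASU1 cannot admit a revoked terminal because honest ASU5 disagrees. With `level=1` no comparison is possible, so a compromised single ASU admits the revoked terminal unchallenged, which is exactly the prior-art weakness the Background section describes.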

Abstract

A WAPI (WLAN Authentication and Privacy Infrastructure)-based authentication system and method are provided by the present invention. The method includes the following steps: when certificate authentication is carried out between an access point and a mobile terminal, the access point selects one or more authentication servers to carry out the certificate authentication. With the technical solution of the present invention, the certificate authentication can be carried out by flexibly selecting a single authentication server or a plurality of authentication servers according to the actual situation, and the access point selects the authentication servers that take part in the certificate authentication according to a current usage table of the authentication servers maintained by the access point. Authentication with a plurality of authentication servers overcomes the disadvantages of authentication with a single authentication server, an authentication server that spoofs can be detected effectively, and the efficiency of authentication is improved.

Description

WAPI-based authentication system and method
The present invention relates to WAPI (WLAN Authentication and Privacy Infrastructure) technology, and specifically to a WAPI-based authentication system and method. Background technique
WAPI is a security protocol applied to WLAN (Wireless Local Area Network). It is a standard with innovative technology proposed by China, which addresses the vulnerabilities and weaknesses of existing wireless LAN security mechanisms.
The WAPI security mechanism consists of two parts: WAI (WLAN Authentication Infrastructure) and WPI (WLAN Privacy Infrastructure). WAI authenticates the identity of the user, ensuring that legitimate users access a legitimate network; WPI encrypts the transmitted data, ensuring the confidentiality of the communication. WAI uses a public key cryptosystem with digital certificates to perform mutual authentication between the MT (Mobile Terminal) and the AP (Access Point) of the WLAN system. WAI defines an entity called the ASU (Authentication Service Unit), which manages the certificates required by the parties taking part in the information exchange, including the generation, issuance, revocation and update of certificates. The certificate is the digital identity credential of the network device terminal MT, and its contents are signed with the WAPI-specific elliptic curve digital signature algorithm.
WAPI协议具体的实现包括以下几个过程:  The specific implementation of the WAPI protocol includes the following processes:
(1)认证激活; 当 MT登陆到 AP时, AP向 MT发送认证激活, 以启 动认证过程。 (2)接入认证请求; MT向 AP发出认证请求, 将自己的证书和接入认 证请求时间发往 AP。 (1) Authentication activation; When the MT logs in to the AP, the AP sends an authentication activation to the MT to start the authentication process. (2) Access authentication request; The MT sends an authentication request to the AP, and sends its own certificate and access authentication request time to the AP.
(3)证书认证请求; AP收到 MT接入认证请求后, 向 ASU发出认证请 求。 将 MT证书、 接入认证请求时间和 AP的证书以及利用 AP私钥对它们 的签名构成证书认证请求报文信息发送给 ASU。  (3) Certificate authentication request; After receiving the MT access authentication request, the AP sends an authentication request to the ASU. The MT certificate, the access authentication request time, and the AP's certificate, and the certificate authentication request message information, which are signed by the AP private key, are sent to the ASU.
(4) Certificate authentication response: after receiving the AP's authentication request, the ASU verifies the AP's signature and the validity of the AP and MT certificates. After verification, the ASU assembles the MT certificate authentication result information (the MT certificate, the authentication result, the access authentication request time and the ASU's signature over them) and the AP certificate authentication result information (the AP certificate, the authentication result, the access authentication request time and the ASU's signature over them) into a certificate authentication response message and returns it to the AP.
(5) Access authentication response: the AP verifies the certificate response returned by the ASU and obtains the MT certificate authentication result. The AP assembles the MT certificate authentication information, the AP certificate authentication result information and the AP's signature over them into an access authentication response message and sends it to the MT. After verifying the ASU's signature, the MT obtains the authentication result for the AP certificate and decides on that basis whether to associate with the AP.
(6) Key negotiation: once both the MT's and the AP's certificates have been authenticated successfully, the two parties negotiate keys and then communicate using the negotiated keys.
WAPI adopts centralized management: a single ASU performs all certificate validity verification and at the same time acts as the authority center, issuing, revoking and managing the certificates of entities such as MTs and APs. This design does not consider the possibility of the ASU behaving deceptively during authentication, nor of the ASU becoming a system bottleneck. In the prior art, certificate authentication is performed by a single ASU. In one authentication run the ASU must perform 3 signature verifications and 2 signatures; when the number of MTs is large, it becomes the bottleneck of system authentication. If the ASU is controlled by an attacker or otherwise becomes untrustworthy, it can let illegitimate MTs pass authentication and join the network while legitimate MTs cannot. If the ASU returns malicious authentication responses, no MT can join the network, and the network is paralysed.
Summary of the Invention
The technical problem addressed by the present invention is to provide a WAPI-based authentication system and method that improve the security and efficiency of the WAPI authentication mechanism.
To solve the above problem, the present invention provides an authentication method based on the WLAN Authentication and Privacy Infrastructure, comprising: when certificate authentication is performed between an access point and a mobile terminal, the access point selects one or more authentication servers to perform the certificate authentication.
Further, the access point stores a table of current authentication server usage, which records the current load and the availability status of each authentication server;
the access point selects, from the available authentication servers, the one or more authentication servers with the lowest current load to perform the certificate authentication.
Further, when the access point selects multiple authentication servers to perform certificate authentication, the access point sends the certificate authentication request message to each selected authentication server; each authentication server authenticates the mobile terminal's certificate, assembles a certificate authentication response message and sends it to the access point;
the access point verifies the signature on each received certificate authentication response message and obtains each authentication server's authentication result for the mobile terminal certificate. If at least one of these results is correct, the mobile terminal is allowed to associate with the access point; if none of them is correct, the mobile terminal is not allowed to associate with the access point.
Further, the method of judging the authentication servers' results for the mobile terminal certificate is as follows: if the results from all authentication servers agree, all of them are deemed correct; if they disagree, deception is deemed to have occurred, and the access point sends the authentication servers' results for the mobile terminal certificate to a trusted center. The trusted center verifies each authentication server's result, identifies the authentication server that behaved deceptively, and notifies the access point.
Further, the access point assembles the mobile terminal certificate authentication result information produced by the authentication servers that did not behave deceptively, the access point certificate authentication result information, and the access point's signature over both into an access authentication response message, and sends the access authentication response message to the mobile terminal;
after receiving the access authentication response message, the mobile terminal verifies the access point's signature and the authentication server's signature contained in it, obtains the certificate verification result for the access point, and judges whether all the access point certificate authentication results are correct; if so, it decides to associate with the access point, otherwise it does not associate with the access point.
Further, the access point divides mobile terminals into security levels according to the number of authentication servers, the number of security levels being equal to the number of authentication servers. When selecting the authentication servers for certificate authentication, the access point chooses how many authentication servers to use according to the mobile terminal's security level: when the mobile terminal's security level is n, n authentication servers are selected; if fewer than n authentication servers are currently available, all available authentication servers are selected.
The present invention also provides an authentication system based on the WLAN Authentication and Privacy Infrastructure, comprising an access point, a mobile terminal and authentication servers;
the access point is configured, when performing certificate authentication with the mobile terminal, to select one or more authentication servers to perform the certificate authentication;
the authentication server is configured to authenticate the access point certificate and the mobile terminal certificate.
Further, the access point is also configured to store a table of current authentication server usage, which records the current load and the availability status of each authentication server;
the access point selects, from the available authentication servers, the one or more authentication servers with the lowest current load to perform the certificate authentication.
Further, when the access point selects multiple authentication servers to perform certificate authentication, the access point sends the certificate authentication request message to each selected authentication server; each authentication server authenticates the mobile terminal's certificate, assembles a certificate authentication response message and sends it to the access point;
the access point verifies the signature on each received certificate authentication response message and obtains each authentication server's authentication result for the mobile terminal certificate. If at least one of these results is correct, the mobile terminal is allowed to associate with the access point; if none of them is correct, the mobile terminal is not allowed to associate with the access point.
Further, the system also comprises a trusted center;
judging whether the authentication servers' results for the mobile terminal certificate are correct means that the access point checks whether the results from all authentication servers agree; if they agree, all of them are deemed correct; if they disagree, deception is deemed to have occurred, and the access point sends the authentication servers' results to the trusted center. The trusted center verifies each authentication server's result, identifies the authentication server that behaved deceptively, and notifies the access point.
Further, the access point is also configured to assemble the mobile terminal certificate authentication result information produced by the authentication servers that did not behave deceptively, the access point certificate authentication result information, and the access point's signature over both into an access authentication response message, and to send the access authentication response message to the mobile terminal;
the mobile terminal is configured, after receiving the access authentication response message, to verify the access point's signature and the authentication server's signature contained in it, obtain the certificate verification result for the access point, and judge whether all the access point certificate authentication results are correct; if so, it decides to associate with the access point, otherwise it does not associate with the access point.
In summary, the present invention proposes a WAPI-based authentication system and method in which certificate authentication can be flexibly performed either by a single ASU or by multiple ASUs, depending on actual conditions. The AP selects the ASUs that take part in certificate authentication according to the ASU current usage table it maintains. Authentication by multiple ASUs overcomes the drawbacks of authentication by a single ASU and effectively detects an ASU that behaves deceptively. When a single ASU is selected, load sharing is possible, so authentication efficiency is improved.
Brief Description of the Drawings
Figure 1 is a schematic structural diagram of the certificate authentication system of the present invention;
Figure 2 is a flow chart of the certificate authentication method of the present invention.
Detailed Description
The present invention provides a WAPI-based authentication system. As shown in Figure 1, the authentication system comprises an AP, an MT, a TC (Trust Center) and multiple ASUs;
the MT is configured to send an authentication request to the AP after receiving the authentication activation message from the AP, carrying the MT certificate and the MT access authentication request time;
the MT is also configured, after receiving the access authentication response message from the AP, to verify the AP's signature and the ASU's signature, obtain the verification result for the AP certificate, and decide whether to associate with the AP according to that result;
the AP is configured, after receiving the MT's access authentication request, to select the number of ASUs that will perform certificate authentication according to the MT's security level: when the MT's security level is low, only one ASU may be selected; when it is high, multiple ASUs may be selected. Specifically, the AP may divide MT security levels according to the number of ASUs; for example, but not limited to this, the number of security levels equals the number of ASUs: when the MT's security level is 1, one ASU is selected; when it is 2, two ASUs are selected; and when it is n, n ASUs are selected. It is possible that an MT's security level is n but fewer than n ASUs are currently available, in which case all available ASUs may be selected. Many other ways of dividing the levels exist, and the present invention does not restrict this.
When m ASUs need to be selected, the m ASUs with the lowest current load are selected from all available ASUs;
the AP is also configured to sign the MT certificate, the access authentication request time and the AP certificate with the AP private key to form a certificate authentication request message, and to send it to the m ASUs selected for certificate authentication; after receiving the certificate authentication response messages returned by the m ASUs, it verifies the signatures on the m response messages, obtains m certificate authentication results for the MT, and judges whether these m results are correct; if at least one of the m results is correct, the MT is allowed to associate, and if none of the m results is correct, the MT is not allowed to associate;
judging whether the m results are correct means that the AP first compares whether the m results agree; if they all agree, no ASU is deemed to have behaved deceptively, i.e. all m results are correct; if the m results are not all identical, the AP sends the m results to the TC and determines from the TC's feedback whether a correct result exists;
the AP is also configured to assemble the correct MT certificate authentication result information, the AP certificate authentication result information and the AP's signature over this information (the MT certificate authentication result information and the AP certificate authentication result information) into an access authentication response message, and to send the access authentication response message to the MT;
the TC is configured, after receiving the m authentication results from the AP, to verify the m results one by one and identify the ASUs that behaved deceptively (a deceptive ASU being the ASU that produced an incorrect result), and to send the deceptive ASUs (or the incorrect results) to the AP.
The present invention also provides a WAPI-based authentication method, as shown in Figure 2, comprising the following steps:
In the certificate authentication request phase, the AP selects the number of ASUs according to the security level of the network. The AP maintains an ASU current usage table and, according to that table, selects the one or more ASUs with the lowest current load to perform the certificate authentication.
Step 201: after receiving the MT's access authentication request, the AP selects the number of ASUs that will perform certificate authentication according to the MT's security level: when the MT's security level is low, only one ASU may be selected; when it is high, multiple ASUs may be selected. Specifically, the AP may divide MT security levels according to the number of ASUs; for example, but not limited to this, the number of security levels equals the number of ASUs: when the MT's security level is 1, one ASU is selected; when it is 2, two ASUs are selected; and when it is n, n ASUs are selected. It is possible that an MT's security level is n but fewer than n ASUs are currently available, in which case all available ASUs may be selected. Many other ways of dividing the levels exist, and the present invention does not restrict this.
If m ASUs need to be selected, the AP selects the m ASUs with the lowest current load from all available ASUs;
the AP then signs the MT certificate, the access authentication request time and the AP certificate with the AP private key to form a certificate authentication request message, and sends the certificate authentication request message to the m selected ASUs;
Step 202: each ASU that receives the certificate authentication request message verifies the validity of the AP signature, the AP certificate and the MT certificate using the public keys and the verification information held at the trusted center TC. After verification, the m ASUs assemble the MT certificate authentication result information and the AP certificate authentication result information into certificate authentication response messages and send them to the AP;
the MT certificate authentication result information comprises the MT certificate, the authentication result, the access authentication request time and the ASU's signature over this information; the AP certificate authentication result information comprises the AP certificate, the authentication result, the access authentication request time and the ASU's signature over this information;
Step 203: after receiving the certificate authentication response messages from the m ASUs, the AP verifies the signature on each response message to obtain each ASU's authentication result for the MT certificate, and judges whether a correct MT certificate authentication result exists; if so, proceed to step 204, otherwise proceed to step 208;
the method of judging whether the m results are correct is as follows: the AP first compares whether the m results agree; if they all agree, no ASU is deemed to have behaved deceptively, i.e. all m results are correct; if the m results are not all identical, the AP sends the m results to the TC, which verifies them one by one, identifies the deceptive ASUs (i.e. the incorrect results), and sends the deceptive ASUs (or the incorrect results) to the AP.
Step 204: the AP allows the MT to access the network;
Step 205: the AP assembles the MT certificate authentication result information produced by the ASUs that did not behave deceptively, the AP certificate authentication result information and the AP's signature over this information (the MT certificate authentication result information and the AP certificate authentication result information) into an access authentication response message and sends it to the MT. When more than one ASU is non-deceptive, each pair of MT certificate authentication result information and AP certificate authentication result information carries its own AP signature, i.e. there are multiple access authentication response messages;
Step 206: after receiving the access authentication response message from the AP, the MT verifies the AP's signature and the ASU's signature and obtains the verification result for the AP certificate (when multiple access authentication response messages are received, multiple AP certificate verification results are obtained), and judges whether all the AP certificate verification results are correct; if so, proceed to step 207, otherwise proceed to step 209;
Step 207: the MT decides to associate with the AP;
Step 208: the AP does not allow the MT to access the network;
Step 209: the MT decides not to associate with the AP.
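The AP-side logic of steps 201 to 209 (lowest-load ASU selection, signature verification of each ASU response, the agreement check, escalation to the TC, and the "at least one correct result" decision), as an added example that is not the patent's own code. It assumes HMAC-SHA256 with a per-ASU key as a stand-in for WAPI's elliptic-curve signatures, reads a "correct" result as a non-deceptive result that accepts the MT certificate, and uses constructed certificate names, keys and loads.

```python
"""Added example, not the patent's own code: AP-side simulation of multi-ASU
certificate authentication (steps 201-209).  Assumptions not from the patent:
ASU signatures are stood in for by HMAC-SHA256 with a per-ASU key the AP also
holds (WAPI uses elliptic-curve signatures); a "correct" result is a
non-deceptive result that accepts the MT certificate; all names are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AsuStatus:
    """One row of the AP's ASU current usage table (Table 1)."""
    name: str
    load: int          # number of pending authentications
    available: bool


# Constructed sample data standing in for the TC's certificate database and the
# ASU keys.  ASU5 is modelled as a deceptive ASU that inverts its verdict.
ASU_KEYS = {f"ASU{i}": f"constructed-key-asu{i}".encode() for i in range(1, 6)}
VALID_MT_CERTS = {"mt-cert-A", "mt-cert-B"}
DECEPTIVE_ASUS = {"ASU5"}


def select_asus(usage_table, security_level):
    """Step 201: for security level n, pick the n available ASUs with the lowest
    load; if fewer than n are available, pick all available ones."""
    available = [s for s in usage_table if s.available]
    available.sort(key=lambda s: (s.load, s.name))
    return [s.name for s in available[:security_level]]


def asu_sign(asu, mt_cert, result, req_time):
    """Stand-in for the ASU signature over (MT certificate, result, request time)."""
    msg = f"{mt_cert}|{int(result)}|{req_time}".encode()
    return hmac.new(ASU_KEYS[asu], msg, hashlib.sha256).hexdigest()


def asu_authenticate(asu, mt_cert, req_time):
    """Step 202 (ASU side): verify the MT certificate and return the signed
    MT certificate authentication result information."""
    truth = mt_cert in VALID_MT_CERTS
    result = (not truth) if asu in DECEPTIVE_ASUS else truth
    return {"asu": asu, "mt_cert": mt_cert, "result": result,
            "req_time": req_time, "sig": asu_sign(asu, mt_cert, result, req_time)}


def tc_audit(responses):
    """TC role: re-verify each ASU's result against the certificate database and
    return the names of the ASUs whose result was wrong (the deceptive ASUs)."""
    return {r["asu"] for r in responses
            if r["result"] != (r["mt_cert"] in VALID_MT_CERTS)}


def ap_decide(responses):
    """Steps 203 and the judging method: verify every response signature, compare
    the m results, escalate to the TC only when they disagree, and allow access if
    at least one non-deceptive result accepts the certificate.
    Returns (allow, deceptive_asus)."""
    verified = []
    for r in responses:
        expected = asu_sign(r["asu"], r["mt_cert"], r["result"], r["req_time"])
        if hmac.compare_digest(expected, r["sig"]):
            verified.append(r)                 # drop responses with bad signatures
    if not verified:
        return False, set()
    if len({r["result"] for r in verified}) == 1:
        deceptive = set()                      # all agree: no deception assumed
    else:
        deceptive = tc_audit(verified)         # disagreement: the TC arbitrates
    trusted = [r for r in verified if r["asu"] not in deceptive]
    return any(r["result"] for r in trusted), deceptive


def run_authentication(usage_table, security_level, mt_cert, req_time):
    """Whole AP-side flow; returns (selected_asus, allow, deceptive_asus)."""
    selected = select_asus(usage_table, security_level)
    responses = [asu_authenticate(a, mt_cert, req_time) for a in selected]
    allow, deceptive = ap_decide(responses)
    return selected, allow, deceptive


# Constructed usage table matching the worked example below: ASU2 unavailable,
# ASU1 and ASU5 carrying the lowest load.
USAGE_TABLE = [
    AsuStatus("ASU1", 2, True), AsuStatus("ASU2", 0, False),
    AsuStatus("ASU3", 5, True), AsuStatus("ASU4", 4, True),
    AsuStatus("ASU5", 3, True),
]

if __name__ == "__main__":
    print(run_authentication(USAGE_TABLE, 2, "mt-cert-A", "req-time-1"))
```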
Compared with the prior art, in the authentication phase of the present invention the AP selects the number of authentication servers according to actual conditions and, using the ASU current usage table it maintains, selects the ASUs with the lowest current load and good working status to perform authentication, which improves authentication efficiency. Authentication by multiple ASUs overcomes the authority fraud possible in single-ASU authentication in the prior art and improves security. When the number of MTs in the WLAN is large and single-ASU authentication is selected, the presence of multiple ASUs improves authentication efficiency.
The method of the present invention is further illustrated below by an application example with 5 ASUs.
The AP may select any 1 to 5 servers to perform certificate authentication. The AP maintains an ASU current usage table and, according to it, selects the servers with the lowest current load to perform the certificate authentication. The example below selects two ASUs.
Step 1, authentication activation: the MT connects to the AP, and the AP sends an authentication activation to the MT to start the authentication process;
Step 2, access authentication request: the MT sends an authentication request to the AP, carrying the MT certificate and the MT access authentication request time;
Step 3: after receiving the MT's access authentication request, the AP determines from the MT's security level that 2 ASUs must be selected for certificate authentication. As shown in Table 1, ASU2 is currently unavailable, so the AP can only choose, from the remaining 4 ASUs, the 2 with the lowest current load (i.e. the fewest pending authentications), namely ASU1 and ASU5;
the AP then signs the MT certificate, the access authentication request time and the AP certificate with the AP private key to form a certificate authentication request message, and sends the certificate authentication request message to ASU1 and ASU5;
Table 1: ASU current usage table stored by the AP
Step 4: after receiving the AP's certificate authentication request message, ASU1 and ASU5 verify the validity of the AP signature, the AP certificate and the MT certificate;
after verification, ASU1 and ASU5 each assemble the MT certificate authentication result information (the MT certificate, the authentication result, the access authentication request time and the respective ASU's signature over them) and the AP certificate authentication result information (the AP certificate, the authentication result, the access authentication request time and the respective ASU's signature over them) into a certificate authentication response message and send it to the AP;
Step 5: after receiving the authentication response messages from ASU1 and ASU5, the AP verifies the signatures on the response messages and obtains ASU1's and ASU5's MT certificate authentication result information;
Step 6: having obtained ASU1's and ASU5's authentication results for the MT certificate, the AP compares the two results. If they agree, no deception is deemed to have occurred and the AP proceeds to step 8; if they disagree, deception is deemed to have occurred and the AP sends ASU1's and ASU5's results for the MT certificate to the TC;
Step 7: the trusted center TC verifies ASU1's and ASU5's authentication results for the MT certificate, records the deceptive ASU in a misconduct record table for auditing, notifies the AP of the deceptive ASU, and then proceeds to step 8;
Step 8: the AP decides whether to allow the MT to access the network according to ASU1's and ASU5's authentication results for the MT certificate; specifically, if at least one of the two results is correct, the AP allows the MT to access the network, and if neither result is correct, the AP does not allow the MT to access the network;
AP将正确的 MT证书认证结果信息、 AP证书认证结果信息以及 AP 对上述信息(包括 MT证书认证结果信息及 AP证书认证结果信息)的签名 构成接入认证响应报文发送给 MT;  The AP sends the correct MT certificate authentication result information, the AP certificate authentication result information, and the signature of the AP (including the MT certificate authentication result information and the AP certificate authentication result information) to form an access authentication response message to the MT;
步骤 9, MT收到 AP发来的接入认证响应报文后, 验证 AP的签名及 ASU的签名,得到 AP的证书验证结果,根据对 AP证书的验证结果决定是 否接入该 AP ( AP证书的验证结果均正确时决定接入, 否则不接入;);  Step 9: After receiving the access authentication response packet sent by the AP, the MT verifies the signature of the AP and the signature of the ASU, and obtains the certificate verification result of the AP, and determines whether to access the AP according to the verification result of the AP certificate. If the verification result is correct, the access is decided, otherwise it is not accessed;);
步骤 10, 如果证书认证通过, 则 AP和 MT之间进行密钥协商, 使用 协商的密钥进行通信。  Step 10: If the certificate authentication is passed, the AP and the MT perform key negotiation, and the negotiated key is used for communication.

Claims

What is claimed is:

1. An authentication method based on a wireless local area network authentication and privacy infrastructure, characterized by comprising: when certificate authentication is performed between an access point and a mobile terminal, the access point selects one or more authentication servers to complete authentication of the certificate.

2. The method according to claim 1, characterized in that the method further comprises: the access point stores a current usage table of the authentication servers, the usage table recording the current load condition and the availability status of each authentication server;

the access point selects, from the available authentication servers, the one or more authentication servers with the lowest current load to complete authentication of the certificate.

3. The method according to claim 1, characterized in that:

when the access point selects multiple authentication servers to complete authentication of the certificate, the access point sends a certificate authentication request packet to each selected authentication server, and each authentication server authenticates the certificate of the mobile terminal and assembles a certificate authentication response packet, which it sends to the access point;

the access point performs signature verification on each received certificate authentication response packet to obtain each authentication server's authentication result for the mobile terminal certificate; if at least one of the authentication servers' authentication results for the mobile terminal certificate is correct, the mobile terminal is allowed to access the access point; if none of the authentication servers' authentication results for the mobile terminal certificate is correct, the mobile terminal is not allowed to access the access point.

4. The method according to claim 3, characterized in that the method by which the access point judges whether the selected authentication servers' authentication results for the mobile terminal certificate are correct is:

judging whether the authentication servers' authentication results for the mobile terminal certificate are consistent with one another; if consistent, the authentication results of all authentication servers for the mobile terminal certificate are deemed correct; if inconsistent, fraud is deemed present, and the access point sends each authentication server's authentication result for the mobile terminal certificate to a trusted center, which verifies each authentication server's authentication result for the mobile terminal certificate, detects the authentication server that committed fraud, and notifies the access point of the detection result.

5. The method according to claim 1, characterized in that the method further comprises: the access point assembles an access authentication response packet from the mobile terminal certificate authentication result information produced by the authentication servers that did not commit fraud, the access point certificate authentication result information, and the access point's signature over the mobile terminal certificate authentication result information and the access point certificate authentication result information, and sends the access authentication response packet to the mobile terminal;

after receiving the access authentication response packet, the mobile terminal verifies the signature of the access point and the signature of the authentication server contained in it, obtains the certificate verification result of the access point, and judges whether the access point certificate authentication result is correct; if correct, it decides to access the access point, otherwise it does not access the access point.

6. The method according to claim 1, characterized in that the method further comprises: the access point divides the security level of mobile terminals according to the number of authentication servers, the number of security levels of mobile terminals being equal to the number of authentication servers;

when selecting the authentication servers to perform certificate authentication, the access point chooses the number of authentication servers that complete certificate authentication according to the security level of the mobile terminal: when the security level of the mobile terminal is n, n authentication servers are selected for certificate authentication, and if fewer than n authentication servers are currently available, all available authentication servers are selected for certificate authentication.
7. An authentication system based on a wireless local area network authentication and privacy infrastructure, comprising an access point, a mobile terminal and authentication servers, characterized in that:

the access point is configured, when performing certificate authentication with the mobile terminal, to select one or more authentication servers to complete authentication of the certificate;

the authentication server is configured to authenticate the access point certificate and the mobile terminal certificate.

8. The system according to claim 7, characterized in that:

the access point is further configured to store a current usage table of the authentication servers, the usage table recording the current load condition and the availability status of each authentication server; and the access point is further configured to select, from the available authentication servers, the one or more authentication servers with the lowest current load to complete authentication of the certificate.

9. The system according to claim 7, characterized in that:

when the access point selects multiple authentication servers to complete authentication of the certificate, the access point is further configured to send a certificate authentication request packet to each selected authentication server, and each authentication server authenticates the certificate of the mobile terminal and assembles a certificate authentication response packet, which it sends to the access point;

the access point is further configured to perform signature verification on each received certificate authentication response packet to obtain each authentication server's authentication result for the mobile terminal certificate, to allow the mobile terminal to access the access point if at least one of the authentication servers' authentication results for the mobile terminal certificate is correct, and not to allow the mobile terminal to access the access point if none of the authentication servers' authentication results for the mobile terminal certificate is correct.

10. The system according to claim 9, characterized in that:

the access point is further configured to judge whether the authentication servers' authentication results for the mobile terminal certificate are consistent with one another; if consistent, the authentication results of all authentication servers for the mobile terminal certificate are deemed correct; otherwise each authentication server's authentication result for the mobile terminal certificate is sent to a trusted center;

the system further comprises a trusted center, configured to verify each authentication server's authentication result for the mobile terminal certificate, detect the authentication server that committed fraud, and notify the access point.

11. The system according to claim 7, characterized in that:

the access point is further configured to assemble an access authentication response packet from the mobile terminal certificate authentication result information produced by the authentication servers that did not commit fraud, the access point certificate authentication result information, and the access point's signature over the mobile terminal certificate authentication result information and the access point certificate authentication result information, and to send the access authentication response packet to the mobile terminal;

the mobile terminal is configured, after receiving the access authentication response packet, to verify the signature of the access point and the signature of the authentication server contained in it, obtain the certificate verification result of the access point, and judge whether the access point certificate authentication result is correct; if correct, it decides to access the access point, otherwise it does not access the access point.
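The AP-side logic of steps 5 to 8 of the description together with the authentication-server selection of claims 2 and 6, as an added Python model that is not part of the patent. Symmetric HMAC keys stand in for the ASU signatures, the trusted center's certificate list and all server names are constructed stand-ins, and the access rule reads "correct" as a verdict, from an ASU the TC did not flag, that the MT certificate is valid.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed sample material: symmetric keys stand in for the ASU signing keys
# (real WAPI uses certificate-based signatures; this is a hypothetical model).
ASU_KEYS = {"ASU1": b"k1", "ASU2": b"k2", "ASU5": b"k5"}
# Hypothetical trusted-center view of which MT certificates are genuinely valid.
TC_VALID_CERTS = {"mt-cert-A"}


@dataclass
class AsuStatus:          # one row of the AP's "ASU current usage table" (claim 2)
    name: str
    load: int
    available: bool


@dataclass
class CertResult:         # MT certificate authentication result info from one ASU
    asu: str
    mt_cert: str
    valid: bool           # the ASU's verdict on the MT certificate
    request_time: int
    signature: bytes


def _msg(mt_cert, valid, request_time):
    return f"{mt_cert}|{int(valid)}|{request_time}".encode()


def asu_sign(asu, mt_cert, valid, request_time):
    sig = hmac.new(ASU_KEYS[asu], _msg(mt_cert, valid, request_time), hashlib.sha256).digest()
    return CertResult(asu, mt_cert, valid, request_time, sig)


def signature_ok(r):
    expect = hmac.new(ASU_KEYS[r.asu], _msg(r.mt_cert, r.valid, r.request_time), hashlib.sha256).digest()
    return hmac.compare_digest(expect, r.signature)


def select_asus(table, security_level):
    """Claims 2 and 6: the n least-loaded available ASUs, n = security level (all if fewer)."""
    avail = sorted((s for s in table if s.available), key=lambda s: s.load)
    return [s.name for s in avail[:security_level]]


def tc_audit(results, bad_record):
    """Step 7: the TC re-checks each ASU verdict; ASUs whose verdict is wrong go in the bad-record table."""
    fraudulent = [r.asu for r in results if r.valid != (r.mt_cert in TC_VALID_CERTS)]
    bad_record.extend(fraudulent)
    return fraudulent


def ap_decide(results, bad_record):
    """Steps 5-8: verify signatures, compare verdicts, escalate disagreement, decide access."""
    verified = [r for r in results if signature_ok(r)]   # step 5: drop responses with bad signatures
    fraudulent = []
    if len({r.valid for r in verified}) > 1:             # step 6: verdicts disagree
        fraudulent = tc_audit(verified, bad_record)      # step 7: TC names the fraudulent ASU
    trusted = [r for r in verified if r.asu not in fraudulent]
    allow = any(r.valid for r in trusted)                # step 8: at least one positive, trusted verdict
    return allow, fraudulent
```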
PCT/CN2009/075687 2009-07-22 2009-12-17 Wapi (wlan authentication and privacy infrastructure) -based authentication system and method WO2011009268A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910160652.0 2009-07-22
CNA2009101606520A CN101610515A (en) 2009-07-22 2009-07-22 A kind of Verification System and method based on WAPI

Publications (1)

Publication Number Publication Date
WO2011009268A1 true WO2011009268A1 (en) 2011-01-27

Family

ID=41484045

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/075687 WO2011009268A1 (en) 2009-07-22 2009-12-17 Wapi (wlan authentication and privacy infrastructure) -based authentication system and method

Country Status (2)

Country Link
CN (1) CN101610515A (en)
WO (1) WO2011009268A1 (en)

Also Published As

Publication number Publication date
CN101610515A (en) 2009-12-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09847503

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09847503

Country of ref document: EP

Kind code of ref document: A1