WO2017008556A1 - Authentication method and device for wireless access point and management platform - Google Patents

Authentication method and device for wireless access point and management platform

Info

Publication number
WO2017008556A1
Authority: WO (WIPO, PCT)
Prior art keywords: access point, wireless access, key, key information, information
Prior art date:
Application number: PCT/CN2016/080767
Other languages: French (fr), Chinese (zh)
Inventor: 王意军
Original assignee: 中兴通讯股份有限公司 (ZTE Corporation)
Priority date:
Filing date:
Publication date:

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys

Definitions

  • This application relates to, but is not limited to, the field of wireless networks.
  • As wireless networks grow, the methods for managing wireless access points multiply, especially as current wireless networks evolve.
  • Many wireless access points reach the management platform over the Internet. Because access devices are exposed to security threats, authentication between the wireless access point and the management platform has to be considered.
  • In wireless network management, to protect the device when a wireless access point registers with the management platform, the legitimacy of the connecting wireless access point is determined from the device's MAC (Media Access Control) address or serial number, which is generally pre-configured on the network management platform. Neither value is secret: a MAC address or serial number can be read from one device and presented by another, so an identity check based on these alone can be spoofed.
  • the present invention provides a method and device for authenticating a wireless access point and a management platform, which solves the problem of legality verification of an access point device and a network management platform, and provides a more secure and reliable access for devices in the network.
  • the embodiment of the invention provides a method for authenticating a wireless access point and a management platform, which is applied to the management platform side, and includes:
  • receiving first authentication information sent by the wireless access point, where the first authentication information includes an identifier of the wireless access point, a first random challenge word and first key information, and the first key information is obtained by the wireless access point encrypting the identifier of the wireless access point and the first random challenge word by using a key stored by the wireless access point;
  • the method further includes:
  • the management platform sends second authentication information to the wireless access point, so that the wireless access point verifies the second authentication information by using a key stored by the wireless access point, where the second authentication information includes the identifier of the wireless access point, a second random challenge word and third key information.
  • the identifier of the wireless access point includes one or more of the following: a media access control (MAC) address, a serial number, a unique identifier.
  • verifying the first authentication information by using a key corresponding to the wireless access point includes:
  • encrypting the identification number of the wireless access point and the second random challenge word by using a key corresponding to the wireless access point includes:
  • determining that the first key information corresponds to the second key information includes:
  • if the first decrypted hash value is the same as the second hash value, it is determined that the first key information corresponds to the second key information.
  • the embodiment of the invention further provides a method for authenticating a wireless access point and a management platform, which is applied to a wireless access point side, and includes:
  • transmitting first authentication information to the management platform, so that the management platform verifies the first authentication information by using a key corresponding to the wireless access point, where the first authentication information includes the identifier of the wireless access point, the first random challenge word and the first key information.
  • the method further includes:
  • where the third key information is obtained by the management platform encrypting the identifier of the wireless access point and the second random challenge word by using a key corresponding to the wireless access point;
  • the method further includes:
  • the identifier of the wireless access point includes one or more of the following: a media access control (MAC) address, a serial number, a unique identifier.
  • encrypting the identifier of the wireless access point and the first random challenge word by using a key stored by the wireless access point includes:
  • signing the first hash value with a private key stored by the wireless access point.
  • verifying the second authentication information by using a key stored by the wireless access point includes:
  • when the third key information is obtained by the management platform hashing the identifier of the wireless access point and the second random challenge word by using a shared key corresponding to the wireless access point to obtain a third hash value and signing the third hash value with a private key stored by the management platform, decrypting the third key information by using a public key corresponding to the management platform to obtain a second decrypted hash value, and hashing the identifier of the wireless access point and the second random challenge word by using a shared key stored by the wireless access point to obtain a fourth hash value.
  • determining that the third key information corresponds to the fourth key information includes:
  • the embodiment of the invention further provides a method for authenticating a wireless access point and a management platform, including:
  • the wireless access point generates a first random challenge word
  • the wireless access point encrypts the identification number of the wireless access point and the first random challenge word by using a key stored by the wireless access point to obtain first key information
  • the wireless access point sends the first authentication information to the management platform, where the first authentication information includes an identifier of the wireless access point, a first random challenge word, and first key information;
  • the management platform performs verification on the first authentication information by using a key corresponding to the wireless access point to obtain second key information
  • when the management platform determines that the first key information corresponds to the second key information, the wireless access point is determined to be legal.
  • the method further includes:
  • when the management platform determines that the first key information does not correspond to the second key information, the wireless access point is determined to be illegal.
  • the method further includes:
  • the management platform generates a second random challenge word
  • the management platform encrypts the identification number of the wireless access point and the second random challenge word by using a key corresponding to the wireless access point to obtain third key information;
  • the management platform sends the second authentication information to the wireless access point;
  • the second authentication information includes an identifier of the wireless access point, a second random challenge word, and third key information;
  • the wireless access point performs verification on the second authentication information by using a key stored by the wireless access point to obtain fourth key information
  • when the wireless access point determines that the third key information corresponds to the fourth key information, the management platform is determined to be legal.
  • when the wireless access point determines that the third key information does not correspond to the fourth key information, the management platform is determined to be illegal.
  • the encrypting, by the wireless access point, the identifier of the wireless access point and the first random challenge word by using a key stored by the wireless access point including:
  • signing the first hash value with a private key stored by the wireless access point.
  • the verifying, by the management platform, the first authentication information by using a key corresponding to the wireless access point includes:
  • decrypting the first key information by using a public key corresponding to the wireless access point to obtain a first decrypted hash value, and hashing the identifier of the wireless access point and the first random challenge word by using the shared key corresponding to the wireless access point to obtain a second hash value.
  • determining that the first key information corresponds to the second key information includes:
  • if the first decrypted hash value is the same as the second hash value, it is determined that the first key information corresponds to the second key information.
  • the managing platform encrypts the identification number of the wireless access point and the second random challenge word by using a key corresponding to the wireless access point, including:
  • the verifying, by the wireless access point, the second authentication information by using a key stored by the wireless access point includes:
  • the identification number and the second random challenge word are hashed to obtain a fourth hash value.
  • determining that the third key information corresponds to the fourth key information includes:
  • the embodiment of the invention further provides a wireless access point and a management platform authentication device, which are disposed on the management platform side, and includes:
  • the first receiving module is configured to: receive first authentication information sent by the wireless access point, where the first authentication information includes an identifier of the wireless access point, a first random challenge word, and first key information.
  • the first key information is obtained by the wireless access point encrypting the identification number of the wireless access point and the first random challenge word by using a key stored by the wireless access point;
  • the first authentication module is configured to: perform verification on the first authentication information by using a key corresponding to the wireless access point, to obtain second key information;
  • the first determining module is configured to: when it is determined that the first key information corresponds to the second key information, determine that the wireless access point is legal.
  • the first determining module is further configured to: when it is determined that the first key information does not correspond to the second key information, determine that the wireless access point is illegal.
  • the device further includes:
  • a first generating module configured to: generate a second random challenge word
  • the first encryption module is configured to: encrypt the identification number of the wireless access point and the second random challenge word by using a key corresponding to the wireless access point, to obtain third key information;
  • the first sending module is configured to: send second authentication information to the wireless access point, so that the wireless access point verifies the second authentication information by using a key stored by the wireless access point, where the second authentication information includes the identifier of the wireless access point, a second random challenge word and third key information.
  • the first authentication module comprises a first hashing unit and/or a first decrypting unit, wherein:
  • the first hashing unit is configured to: when the first key information is obtained by the wireless access point hashing the identifier of the wireless access point and the first random challenge word by using the shared key stored by the wireless access point, hash the identifier of the wireless access point and the first random challenge word by using a shared key corresponding to the wireless access point to obtain second decryption information;
  • the first decrypting unit is configured to: when the first key information is obtained by the wireless access point hashing the identifier of the wireless access point and the first random challenge word by using the shared key stored by the wireless access point to obtain a first hash value and signing the first hash value with a private key stored by the wireless access point, decrypt the first key information by using a public key corresponding to the wireless access point to obtain a first decrypted hash value, and hash the identifier of the wireless access point and the first random challenge word by using the shared key corresponding to the wireless access point to obtain a second hash value.
  • the first encryption module comprises a first hash unit and/or a first signature unit, wherein:
  • the first hashing unit is configured to: hash the identification number of the wireless access point and the second random challenge word by using a shared key corresponding to the wireless access point; or
  • the first signature unit is configured to: hash the identifier of the wireless access point and the second random challenge word by using a shared key corresponding to the wireless access point to obtain a third hash value, and sign the third hash value with a private key stored by the management platform.
  • the first determining module includes a first direct corresponding unit and/or a first indirect corresponding unit, where:
  • the first direct correspondence unit is configured to: when the first key information and the second decryption information are the same, determine that the first key information corresponds to the second key information; or
  • the first indirect corresponding unit is configured to: when the first decrypted hash value and the second hash value are the same, determine that the first key information corresponds to the second key information.
  • the embodiment of the present invention further provides a wireless access point and a management platform authentication device, which are disposed on the wireless access point side, and includes:
  • a second generation module configured to: generate a first random challenge word
  • the second encryption module is configured to: encrypt the identification number of the wireless access point and the first random challenge word by using a key stored by the wireless access point, to obtain first key information;
  • the second sending module is configured to: send the first authentication information to the management platform, so that the management platform verifies the first authentication information by using a key corresponding to the wireless access point, where the first authentication information includes the identifier of the wireless access point, a first random challenge word and first key information.
  • the device further includes:
  • the second receiving module is configured to: receive second authentication information sent by the management platform, where the second authentication information includes the identifier of the wireless access point, a second random challenge word and third key information, and the third key information is obtained by the management platform encrypting the identifier of the wireless access point and the second random challenge word by using a key corresponding to the wireless access point;
  • the second authentication module is configured to: perform verification on the second authentication information by using a key stored by the wireless access point, to obtain fourth key information;
  • the second determining module is configured to: when it is determined that the third key information corresponds to the fourth key information, determine that the management platform is legal.
  • the second determining module is further configured to:
  • the second encryption module comprises a second hash unit and/or a second signature unit, wherein:
  • the second hashing unit is configured to: hash the identification number of the wireless access point and the first random challenge word by using a shared key stored by the wireless access point; or
  • the second signature unit is configured to perform a hash operation on the identifier of the wireless access point and the first random challenge word by using a shared key stored by the wireless access point to obtain a first hash value. And signing the first hash value with a private key stored by the wireless access point.
  • the second authentication module comprises a second hashing unit and/or a second decrypting unit, wherein:
  • the second hashing unit is configured to: when the third key information is obtained by the management platform hashing the identifier of the wireless access point and the second random challenge word by using the shared key corresponding to the wireless access point, hash the identifier of the wireless access point and the second random challenge word by using the shared key stored by the wireless access point to obtain fourth decryption information;
  • the second decrypting unit is configured to: when the third key information is obtained by the management platform hashing the identifier of the wireless access point and the second random challenge word by using the shared key corresponding to the wireless access point to obtain a third hash value and signing the third hash value with the private key stored by the management platform, decrypt the third key information by using the public key corresponding to the management platform to obtain a second decrypted hash value, and hash the identifier of the wireless access point and the second random challenge word by using the shared key stored by the wireless access point to obtain a fourth hash value.
  • the second determining module includes a second direct corresponding unit and/or a second indirect corresponding unit, where:
  • the second direct correspondence unit is configured to: when the third key information is the same as the fourth decryption information, determine that the third key information corresponds to the fourth key information; or
  • the second indirect corresponding unit is configured to: when the second decrypted hash value is the same as the fourth hash value, determine that the third key information corresponds to the fourth key information.
  • The authentication method and device provided by the embodiments of the present invention mutually verify the legitimacy of the access point device and the network management platform, ensure that the wireless access point is legitimate, and provide more secure and reliable access for devices in the network.
  • FIG. 1 is a flowchart of a method for authenticating a wireless access point and a management platform applied to a management platform side according to an embodiment of the present invention
  • FIG. 2 is a flowchart of a method for authenticating a wireless access point and a management platform applied to a wireless access point side according to an embodiment of the present invention
  • FIG. 3 is a flowchart of a method for authenticating a wireless access point and a management platform according to an embodiment of the present invention
  • FIG. 4 is a schematic structural diagram of a wireless access point and a management platform authentication device disposed on a management platform side according to an embodiment of the present invention
  • FIG. 5 is a schematic structural diagram of a wireless access point and a management platform device disposed on a wireless access point side according to an embodiment of the present invention
  • FIG. 6 is a schematic diagram 1 of wireless access point encryption according to an embodiment of the present invention.
  • FIG. 7 is a schematic diagram 2 of wireless access point encryption according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram 1 of a management platform authentication according to an embodiment of the present invention.
  • FIG. 9 is a schematic diagram 2 of a management platform authentication according to an embodiment of the present invention.
  • FIG. 10 is a schematic diagram 1 of a management platform encryption according to an embodiment of the present invention.
  • FIG. 11 is a schematic diagram 2 of a management platform encryption according to an embodiment of the present invention.
  • Figure 12 is a schematic diagram 1 of wireless access point authentication according to an embodiment of the present invention.
  • FIG. 13 is a schematic diagram 2 of wireless access point authentication according to an embodiment of the present invention.
  • FIG. 15 is a flowchart of authentication of a wireless access point and a management platform according to Embodiment 2 of the present invention.
  • an embodiment of the present invention provides a method for authenticating a wireless access point and a management platform, which is applied to a management platform side.
  • when the management platform is requested to authenticate a wireless access point, the method includes:
  • S101 Receive first authentication information sent by the wireless access point, where the first authentication information includes an identifier of the wireless access point, a first random challenge word and first key information, and the first key information is obtained by the wireless access point encrypting the identifier of the wireless access point and the first random challenge word by using a key stored by the wireless access point;
  • S102 Perform verification on the first authentication information by using a key corresponding to the wireless access point, to obtain second key information.
  • when the wireless access point is requested to authenticate the management platform, the method further includes:
  • the second authentication information includes an identification number of the wireless access point, a second random challenge word, and third key information.
  • the identifier of the wireless access point includes one or more of the following: a media access control (MAC) address, a serial number, a unique identifier.
  • Step S102 includes:
  • when the first key information is obtained by the wireless access point hashing the identifier of the wireless access point and the first random challenge word by using a shared key stored by the wireless access point to obtain a first hash value and signing the first hash value with a private key stored by the wireless access point (as shown in FIG. 7), decrypting the first key information by using a public key corresponding to the wireless access point to obtain a first decrypted hash value, and hashing the identifier of the wireless access point and the first random challenge word by using a shared key corresponding to the wireless access point to obtain a second hash value (as shown in FIG. 9).
  • The management platform may know from the agreed protocol which method the wireless access point used to produce the first key information, so it need not determine the method by inspecting the received message. Fixing the method by agreement also means a sender cannot pick which of the two checks the verifier applies.
  • Step S106 includes:
  • Step S103 includes:
  • if the first decrypted hash value is the same as the second hash value, it is determined that the first key information corresponds to the second key information.
  • an embodiment of the present invention provides a method for authenticating a wireless access point and a management platform, which is applied to a wireless access point side, and when the request management platform authenticates the wireless access point, the method includes:
  • the first authentication information is sent to the management platform, so that the management platform verifies the first authentication information by using a key corresponding to the wireless access point, where the first authentication information includes the identifier of the wireless access point, the first random challenge word and the first key information.
  • the method further includes:
  • S204 Receive second authentication information sent by the management platform, where the second authentication information includes an identifier of the wireless access point, a second random challenge word and third key information, and the third key information is obtained by the management platform encrypting the identifier of the wireless access point and the second random challenge word by using a key corresponding to the wireless access point;
  • the identifier of the wireless access point includes one or more of the following: a media access control (MAC) address, a serial number, a unique identifier.
  • Step S202 includes:
  • Step S205 includes:
  • when the third key information is obtained by the management platform hashing the identifier of the wireless access point and the second random challenge word by using a shared key corresponding to the wireless access point to obtain a third hash value and signing the third hash value with a private key stored by the management platform (as shown in FIG. 11), the third key information is decrypted by using a public key corresponding to the management platform to obtain a second decrypted hash value, and the identifier of the wireless access point and the second random challenge word are hashed by using a shared key stored by the wireless access point to obtain a fourth hash value (as shown in FIG. 13).
  • Step S206 includes:
  • an embodiment of the present invention provides a wireless access point and a management platform authentication method, where a wireless access point performs encryption by using a stored key, and requests the management platform to authenticate the wireless access point, including:
  • the wireless access point generates a first random challenge word.
  • the wireless access point encrypts the identifier of the wireless access point and the first random challenge word by using a key stored by the wireless access point to obtain first key information.
  • the wireless access point sends the first authentication information to the management platform, where the first authentication information includes an identifier of the wireless access point, a first random challenge word, and first key information.
  • the management platform verifies the first authentication information by using the key corresponding to the wireless access point to obtain second key information;
  • If the key stored by the wireless access point is the same as, or corresponds to, the key for that wireless access point stored by the management platform, the authentication passes. If the wireless access point is illegal, for example a masquerading device, the key it stores differs from, or does not correspond to, the key stored by the management platform for that wireless access point, and the authentication fails.
  • The management platform encrypts by using the key corresponding to the wireless access point and requests the wireless access point to authenticate the management platform (if this direction of authentication is not required, the following steps are omitted), including:
  • the management platform generates a second random challenge word.
  • the management platform encrypts the identification number of the wireless access point and the second random challenge word by using a key corresponding to the wireless access point to obtain third key information.
  • the management platform sends second authentication information to the wireless access point.
  • the second authentication information includes an identifier of the wireless access point, a second random challenge word, and third key information.
  • the wireless access point performs verification on the second authentication information by using a key stored by the wireless access point to obtain fourth key information.
  • If the key stored by the wireless access point is the same as, or corresponds to, the key for that wireless access point stored by the management platform, the authentication passes. If the management platform is illegal, for example a spoofed platform, the key it holds differs from, or does not correspond to, the key stored by the wireless access point, and the authentication fails.
  • Step S302 includes:
  • Step S304 includes:
  • decrypting the first key information by using a public key corresponding to the wireless access point to obtain a first decrypted hash value, and hashing the identifier of the wireless access point and the first random challenge word by using the shared key corresponding to the wireless access point to obtain a second hash value (as shown in FIG. 9).
  • Step S305 includes:
  • if the first decrypted hash value is the same as the second hash value, it is determined that the first key information corresponds to the second key information.
  • Step S308 includes:
  • Step S310 includes:
  • when the third key information is a shared-key hash, the identifier of the wireless access point and the second random challenge word are hashed by using the shared key stored by the wireless access point (as shown in FIG. 12) to obtain fourth decryption information; or
  • the identification number and the second random challenge word are hashed to obtain a fourth hash value (as shown in FIG. 13).
  • Step S311 includes:
  • The shared key of each wireless access point differs from that of every other wireless access point, so a shared key recovered from one device does not allow another device to be impersonated.
  • The legitimate wireless access point and the legitimate management platform both store the shared key, and both parties use it to authenticate the key information.
  • The wireless access point stores its signing private key and the public key corresponding to the management platform.
  • The management platform stores its own private key and the public key corresponding to the wireless access point, and the two parties use the corresponding public or private key to authenticate the key information.
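The exchange of FIG. 3 and of Embodiment 2 above (steps S301 to S311), together with the key arrangement of the preceding four paragraphs, as an added example; this is not code from the patent or from the applicant. The patent fixes no algorithms, so the following are assumptions: HMAC-SHA256 as "hashing with the shared key", 16-byte random challenge words, a MAC-address-plus-serial-number string as the identifier, a constructed deployment with one registered access point, and a textbook (unpadded) RSA signature over the digest in place of "signing with the private key"; a real deployment would use a padded RSA scheme or Ed25519 from a vetted library. The `seen` set is also an addition: as described, each side chooses its own random challenge word and nothing binds the second message to the first, so a verifier that does not remember the challenge words it has already accepted would accept a recorded message a second time. The example rejects such a replay.

```python
import hashlib
import hmac
import math
import secrets

# Added example, not code from the patent. Assumed choices (the patent fixes none): HMAC-SHA256
# as "hash with the shared key", 16-byte challenge words, toy unpadded RSA as "sign with the private key".

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; adequate for a demonstration key pair."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def rsa_keygen(bits=160):
    """Toy RSA pair ((n, e), (n, d)); a ~320-bit modulus exceeds a SHA-256 digest, so the digest is signed as-is."""
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and math.gcd(65537, phi) == 1:
            return (n, 65537), (n, pow(65537, -1, phi))

def sign_digest(private_key, digest):
    """The page's 'sign the hash value with the private key' (no padding: demonstration only)."""
    n, d = private_key
    return pow(int.from_bytes(digest, "big"), d, n)

def recover_digest(public_key, signature):
    """The page's 'decrypt the key information with the public key'; None if the result is not a digest."""
    n, e = public_key
    value = pow(signature, e, n)
    return value.to_bytes(32, "big") if value < (1 << 256) else None

def keyed_hash(shared_key, identifier, challenge):
    """The page's 'hash the identifier and the random challenge word using the shared key'."""
    return hmac.new(shared_key, identifier + challenge, hashlib.sha256).digest()

def build_auth_info(identifier, shared_key, signing_key=None):
    """Sender side (AP in S301-S303, platform in S307-S309): identifier, challenge word, key information."""
    challenge = secrets.token_bytes(16)
    digest = keyed_hash(shared_key, identifier, challenge)
    return identifier, challenge, digest if signing_key is None else sign_digest(signing_key, digest)

def check_auth_info(auth_info, shared_key, peer_public_key=None, seen=None):
    """Verifier side (S304-S305 / S310-S311). `seen` is an added replay check, not in the patent."""
    identifier, challenge, key_info = auth_info
    if shared_key is None or (seen is not None and (identifier, challenge) in seen):
        return False  # unknown identifier, or a challenge word this verifier already accepted
    expected = keyed_hash(shared_key, identifier, challenge)
    if peer_public_key is None:  # direct correspondence: the key information is itself a keyed hash
        ok = isinstance(key_info, bytes) and hmac.compare_digest(key_info, expected)
    else:  # indirect correspondence: recover the signed hash with the peer's public key first
        recovered = recover_digest(peer_public_key, key_info) if isinstance(key_info, int) else None
        ok = recovered is not None and hmac.compare_digest(recovered, expected)
    if ok and seen is not None:
        seen.add((identifier, challenge))
    return ok

def make_parties(use_signatures):
    """Constructed sample deployment: one AP registered at the platform, keys provisioned out of band."""
    ap_id = b"00:11:22:33:44:55|SN-0001"  # MAC address plus serial number; constructed values
    shared_key = secrets.token_bytes(32)  # distinct per AP, as the page requires
    ap = {"id": ap_id, "shared_key": shared_key, "seen": set()}
    platform = {"shared_keys": {ap_id: shared_key}, "ap_public_keys": {}, "seen": set()}
    if use_signatures:
        ap_pub, ap_priv = rsa_keygen()
        pl_pub, pl_priv = rsa_keygen()
        ap.update(private_key=ap_priv, platform_public_key=pl_pub)
        platform.update(private_key=pl_priv, ap_public_keys={ap_id: ap_pub})
    return ap, platform

def mutual_authentication(ap, platform):
    """Both directions of FIG. 3; returns (wireless access point legal?, management platform legal?)."""
    msg1 = build_auth_info(ap["id"], ap["shared_key"], ap.get("private_key"))
    ap_legal = check_auth_info(msg1, platform["shared_keys"].get(msg1[0]),
                               platform["ap_public_keys"].get(msg1[0]), platform["seen"])
    if not ap_legal:
        return False, False  # an illegal access point gets no second message
    msg2 = build_auth_info(msg1[0], platform["shared_keys"][msg1[0]], platform.get("private_key"))
    platform_legal = check_auth_info(msg2, ap["shared_key"], ap.get("platform_public_key"), ap["seen"])
    return True, platform_legal
```

`make_parties(False)` exercises the shared-key variant (first/second hashing units, direct correspondence) and `make_parties(True)` the signature variant (decrypting units, indirect correspondence); in both, `mutual_authentication` returns `(True, True)` for the registered pair, `(False, False)` for a device presenting the right identifier with a different shared key or a different private key, and `(True, False)` for a platform signing with a key the access point has not been given. Since the verifier in each direction looks up the peer's key by the identifier it received, the identifier only selects which key to check against; the MAC address or serial number itself proves nothing, which is the point of the scheme over pre-configured identifiers alone.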
  • the present invention further provides a wireless access point and management platform authentication device, which is disposed on the management platform side, and includes:
  • the first receiving module 401 is configured to: receive first authentication information sent by the wireless access point, where the first authentication information includes an identifier of the wireless access point, a first random challenge word and first key information, and the first key information is obtained by the wireless access point encrypting the identifier of the wireless access point and the first random challenge word by using a key stored by the wireless access point;
  • the first authentication module 402 is configured to: perform verification on the first authentication information by using a key corresponding to the wireless access point, to obtain second key information;
  • the first determining module 403 is configured to: when determining the first key information and the second key When the information corresponds, it is determined that the wireless access point is legal.
  • the first determining module 403 is further configured to: when it is determined that the first key information does not correspond to the second key information, determine that the wireless access point is illegal.
  • the above device also includes:
  • the first generating module 404 is configured to: generate a second random challenge word;
  • the first encryption module 405 is configured to: encrypt the identification number of the wireless access point and the second random challenge word by using a key corresponding to the wireless access point, to obtain third key information;
  • the first sending module 406 is configured to: send second authentication information to the wireless access point, so that the wireless access point verifies the second authentication information by using the key stored by the wireless access point;
  • the second authentication information includes the identification number of the wireless access point, the second random challenge word, and the third key information.
  • the first authentication module 402 includes a first hash unit 4021 and/or a first decrypting unit 4022:
  • the first hash unit 4021 is configured to: when the first key information was obtained by the wireless access point hashing the identification number of the wireless access point and the first random challenge word by using a shared key stored by the wireless access point, hash the identification number of the wireless access point and the first random challenge word by using a shared key corresponding to the wireless access point to obtain second decryption information;
  • the first decrypting unit 4022 is configured to: when the first key information was obtained by the wireless access point hashing the identification number of the wireless access point and the first random challenge word by using a shared key stored by the wireless access point to obtain a first hash value and signing the first hash value by using a private key stored by the wireless access point, decrypt the first key information by using the public key corresponding to the wireless access point to obtain a first decrypted hash value; and hash the identification number of the wireless access point and the first random challenge word by using the shared key corresponding to the wireless access point to obtain a second hash value.
  • the first encryption module 405 includes a first hash unit 4051 and/or a first signature unit 4052, where:
  • the first hash unit 4051 is configured to: hash the identification number of the wireless access point and the second random challenge word by using a shared key corresponding to the wireless access point; or
  • the first signature unit 4052 is configured to: hash the identification number of the wireless access point and the second random challenge word by using a shared key corresponding to the wireless access point to obtain a third hash value, and sign the third hash value with a private key stored by the management platform.
  • the first determining module 403 includes a first direct corresponding unit 4031 and/or a first indirect corresponding unit 4032, where:
  • the first direct correspondence unit 4031 is configured to: when the first key information is the same as the second decryption information, determine that the first key information corresponds to the second key information; or
  • the first indirect corresponding unit 4032 is configured to: when the first decrypted hash value is the same as the second hash value, determine that the first key information corresponds to the second key information.
  • an embodiment of the present invention further provides a wireless access point and a management platform authentication device, which are disposed on a wireless access point side, and includes:
  • the second generating module 501 is configured to: generate a first random challenge word;
  • the second encryption module 502 is configured to: encrypt the identification number of the wireless access point and the first random challenge word by using a key stored by the wireless access point, to obtain first key information;
  • the second sending module 503 is configured to: send the first authentication information to the management platform, so that the management platform performs verification on the first authentication information by using a key corresponding to the wireless access point, where the first authentication information includes the identification number of the wireless access point, the first random challenge word, and the first key information.
  • the above device also includes:
  • the second receiving module 504 is configured to: receive second authentication information sent by the management platform, where the second authentication information includes an identification number of the wireless access point, a second random challenge word, and third key information, the third key information being obtained by the management platform encrypting the identification number of the wireless access point and the second random challenge word by using a key corresponding to the wireless access point;
  • the second authentication module 505 is configured to: perform verification on the second authentication information by using a key stored by the wireless access point, to obtain fourth key information;
  • the second determining module 506 is configured to: when it is determined that the third key information corresponds to the fourth key information, determine that the management platform is legal.
  • the second determining module 506 is further configured to:
  • the second encryption module 502 includes a second hash unit 5021 and/or a second signature unit 5022:
  • the second hashing unit 5021 is configured to: hash the identification number of the wireless access point and the first random challenge word by using a shared key stored by the wireless access point; or
  • the second signature unit 5022 is configured to: hash the identification number of the wireless access point and the first random challenge word by using a shared key stored by the wireless access point to obtain a first hash value, And signing the first hash value with a private key stored by the wireless access point.
  • the second authentication module 505 includes a second hash unit 5051 and/or a second decrypting unit 5052, wherein:
  • the second hash unit 5051 is configured to: when the third key information was obtained by the management platform hashing the identification number of the wireless access point and the second random challenge word by using the shared key corresponding to the wireless access point, hash the identification number of the wireless access point and the second random challenge word by using the shared key stored by the wireless access point to obtain fourth decryption information;
  • the second decrypting unit 5052 is configured to: when the third key information was obtained by the management platform hashing the identification number of the wireless access point and the second random challenge word by using the shared key corresponding to the wireless access point to obtain a third hash value and signing the third hash value by using the private key stored by the management platform, decrypt the third key information by using the public key corresponding to the management platform to obtain a second decrypted hash value; and hash the identification number of the wireless access point and the second random challenge word by using the shared key stored by the wireless access point to obtain a fourth hash value.
  • the second determining module 506 includes a second direct corresponding unit 5061 and/or a second indirect corresponding unit 5062, wherein:
  • the second direct correspondence unit 5061 is configured to: when the third key information is the same as the fourth decryption information, determine that the third key information corresponds to the fourth key information; or
  • the second indirect correspondence unit 5062 is configured to: when the second decrypted hash value is the same as the fourth hash value, determine that the third key information corresponds to the fourth key information.
  • the shared key in the embodiment of the present invention refers to a shared key used together with a certain hash algorithm (such as SHA-256) to perform the hash operation. As shown in Figure 14, the steps are as follows:
  • the wireless access point takes its own NodeID (the NodeID can be the MAC address, serial number, or other unique identifier of the wireless access point) and a randomly generated challenge word X, and performs a hash operation on them using the stored shared key to obtain the hash value A (see Figure 6);
  • the connection request packet carries the NodeID, the challenge word X, and the hash value A;
  • after receiving the connection request of the wireless access point, the management platform uses the shared key corresponding to the wireless access point to perform the hash algorithm on the received NodeID and the challenge word X to obtain a hash value AA (see FIG. 8);
  • the management platform compares A with AA; if they are the same, the management platform determines that the wireless access point is legal, otherwise it is illegal;
  • the management platform randomly generates a challenge word Y and performs a hash operation on the received NodeID and the challenge word Y using the shared key corresponding to the wireless access point to obtain a hash value B (see FIG. 10);
  • the management platform carries the NodeID, the challenge word Y, and the hash value B in the response message sent to the wireless access point (see FIG. 10);
  • after receiving the response message, the wireless access point performs a hash operation on the received NodeID and the challenge word Y using its stored shared key to obtain a hash value BB;
  • the hash value can further be cryptographically signed (for example with the RSA algorithm). As shown in Figure 15, the steps are as follows:
  • the wireless access point takes its own NodeID (which can be the wireless access point's MAC address, serial number, or other unique identifier) and a randomly generated challenge word X, performs a hash operation on them using the stored shared key to obtain the hash value A, and signs A with the RSA private key stored by the wireless access point to obtain the RSA signature ciphertext AAA (see Figure 7);
  • the packet carries the NodeID, the challenge word X, and the RSA signature ciphertext AAA;
  • after receiving the connection request of the wireless access point, the management platform uses the public key corresponding to the wireless access point to perform RSA decryption on the signature result AAA, recovering the original text of the RSA signature, i.e. the decrypted hash value AAAA, and then performs a hash operation on the NodeID and the challenge word X using the shared key corresponding to the wireless access point to obtain the hash result AA (see FIG. 9);
  • the management platform compares the decrypted hash value AAAA with the calculated hash value AA; if the two results are consistent, the wireless access point is legal, otherwise it is illegal;
  • the management platform randomly generates a challenge word Y and performs a hash operation on the received NodeID and the challenge word Y using the shared key corresponding to the wireless access point to obtain a hash value B;
  • the management platform signs the hash value B with its stored RSA private key to obtain the RSA signature ciphertext BBB, and carries the NodeID, the challenge word Y, and the ciphertext BBB in the response message sent to the wireless access point;
  • after receiving the response message, the wireless access point uses the pre-stored public key corresponding to the management platform to perform RSA decryption on the received signature result BBB, recovering the original text of the RSA signature, i.e. the decrypted hash value BBBB, and then performs a hash operation on the NodeID and the challenge word Y using the shared key stored by the wireless access point to obtain the hash value BB (see Figure 13);
  • the wireless access point compares the decrypted hash value BBBB with the calculated hash value BB; if the two results are consistent, the management platform is legal, otherwise it is illegal.
  • all or part of the steps of the above embodiments may also be implemented by using an integrated circuit. These steps may be separately fabricated into individual integrated circuit modules, or multiple modules or steps may be fabricated into a single integrated circuit module.
  • the devices/function modules/functional units in the above embodiments may be implemented by a general-purpose computing device, which may be centralized on a single computing device or distributed over a network of multiple computing devices.
  • when the device/function module/functional unit in the above embodiment is implemented in the form of a software function module and sold or used as a stand-alone product, it can be stored in a computer readable storage medium.
  • the above mentioned computer readable storage medium may be a read only memory, a magnetic disk or an optical disk or the like.
  • the authentication method and device provided by the embodiments of the present invention can verify the mutual legality of the access point device and the network management platform, ensure the legality of the wireless access point, and provide a more secure and reliable connection for the devices in the network.
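The two flows described above (the shared-key hash flow of Figure 14 and the RSA-signed flow of Figure 15), worked through as an added example in Go. This is not code from the patent or from its assignee, and it fixes several points the description leaves open as assumptions: the "hash operation with the shared key" is taken to be HMAC-SHA256 over NodeID followed by the challenge word, challenge words are 16 random bytes, the signature is RSA PKCS#1 v1.5 over the 32-byte keyed hash, and the per-AP shared-key table, NodeIDs and key bytes are constructed sample data. All names (AuthMsg, keyedHash, hashRequest, verifyHash, signedRequest, verifySigned, mutualAuth, newKeyPair) are the example's own.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// AuthMsg is the connection request or response of the description: the NodeID, a
// challenge word (X or Y) and the key information (hash value A/B or signature AAA/BBB).
type AuthMsg struct {
	NodeID    string
	Challenge []byte
	KeyInfo   []byte
}

// keyedHash is the "hash operation with the shared key" over NodeID and challenge word.
// Assumption: HMAC-SHA256 over NodeID || challenge; the page only names SHA-256.
func keyedHash(sharedKey []byte, nodeID string, challenge []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write([]byte(nodeID))
	m.Write(challenge)
	return m.Sum(nil)
}

// newChallenge returns a fresh random challenge word (assumed length: 16 bytes).
func newChallenge() []byte {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newKeyPair makes an RSA key pair for the signed variant (Figure 15); 2048 bits assumed.
func newKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Figure 14 variant: the key information is the keyed hash itself (A or B).
func hashRequest(nodeID string, sharedKey []byte) AuthMsg {
	x := newChallenge()
	return AuthMsg{NodeID: nodeID, Challenge: x, KeyInfo: keyedHash(sharedKey, nodeID, x)}
}

// verifyHash recomputes AA (or BB) with the receiver's copy of the shared key and compares in
// constant time; expectedNodeID binds the message to the peer the receiver expects to see.
func verifyHash(msg AuthMsg, expectedNodeID string, sharedKey []byte) bool {
	if msg.NodeID != expectedNodeID {
		return false
	}
	return hmac.Equal(msg.KeyInfo, keyedHash(sharedKey, msg.NodeID, msg.Challenge))
}

// Figure 15 variant: the keyed hash is additionally RSA-signed (AAA or BBB).
func signedRequest(nodeID string, sharedKey []byte, priv *rsa.PrivateKey) (AuthMsg, error) {
	x := newChallenge()
	a := keyedHash(sharedKey, nodeID, x) // 32 bytes, signed as a SHA-256-sized digest
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, a)
	if err != nil {
		return AuthMsg{}, err
	}
	return AuthMsg{NodeID: nodeID, Challenge: x, KeyInfo: sig}, nil
}

// verifySigned recomputes AA with the shared key and checks the signature against it;
// rsa.VerifyPKCS1v15 performs the "decrypt AAA to AAAA and compare with AA" step.
func verifySigned(msg AuthMsg, expectedNodeID string, sharedKey []byte, pub *rsa.PublicKey) bool {
	if msg.NodeID != expectedNodeID {
		return false
	}
	aa := keyedHash(sharedKey, msg.NodeID, msg.Challenge)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, aa, msg.KeyInfo) == nil
}

// mutualAuth runs both directions of the signed variant. apKeys is the platform's per-AP
// shared-key table (each AP has its own key); an unregistered NodeID is rejected.
func mutualAuth(nodeID string, apShared []byte, apKeys map[string][]byte,
	apPriv, platPriv *rsa.PrivateKey) (platformAcceptsAP, apAcceptsPlatform bool, err error) {
	req, err := signedRequest(nodeID, apShared, apPriv) // AP sends NodeID, X, AAA
	if err != nil {
		return false, false, err
	}
	key, known := apKeys[req.NodeID]
	if !known || !verifySigned(req, req.NodeID, key, &apPriv.PublicKey) {
		return false, false, nil // platform: unknown NodeID, or AAAA != AA
	}
	resp, err := signedRequest(req.NodeID, key, platPriv) // platform sends NodeID, Y, BBB
	if err != nil {
		return true, false, err
	}
	return true, verifySigned(resp, nodeID, apShared, &platPriv.PublicKey), nil // AP: BBBB vs BB
}
```

mutualAuth plays both roles in turn: the platform looks up the AP's shared key by the NodeID in the request, so an unregistered NodeID or a mismatched shared key yields (false, false, nil), and the AP checks that the response names its own NodeID before verifying BBB against its recomputed BB. In the Figure 15 variant the comparison of the decrypted hash AAAA with the recomputed AA is exactly what rsa.VerifyPKCS1v15 does internally, which is why the example never handles the decrypted value itself; in the Figure 14 variant the comparison of A with AA goes through hmac.Equal so that it runs in constant time. The example implements the flow as the description states it, in which each sender chooses the challenge word that accompanies its own key information; a deployment that also needs the request to be fresh from the receiver's point of view would have the receiver track or issue challenge words, which the description does not cover.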

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to the field of wireless networks, and discloses an authentication method and device for a wireless access point and a management platform. The method comprises: generating, by a wireless access point, a first random challenge word; utilizing, by the wireless access point, a key stored by the wireless access point to encrypt an identifier number of the wireless access point and the first random challenge word, so as to obtain first key information; sending, by the wireless access point, to a management platform first authentication information comprising the identifier number of the wireless access point, the first random challenge word and the first key information; utilizing, by the management platform, a key corresponding to the wireless access point to verify the first authentication information, so as to obtain second key information; and if the management platform determines the first key information as corresponding to the second key information, then determining the wireless access point to be legitimate. The present application can ensure the legitimacy of a wireless access point and thus provide a more secure and reliable access for a device in a network.

Description

Method and device for wireless access point and management platform authentication

Technical field
This application relates to, but is not limited to, the field of wireless networks.
Background art
As wireless networks grow in scale, the methods for managing wireless access points multiply, and with the evolution of current wireless networks in particular, many wireless access points connect to the management platform over the Internet. Because of the security problems of the access devices, authentication management between the wireless access point and the management platform has to be considered.
In wireless network management, to ensure device security, a wireless access point registering with the management platform must be judged legitimate according to the MAC (Media Access Control) address or the serial number of the device; generally the device's MAC address or serial number is configured in advance on the network management platform.
However, in today's security landscape, rewriting a MAC address and counterfeiting a wireless access point are both easy to accomplish. Identification by MAC address and serial number alone cannot guarantee the legitimacy of a wireless access point; once a counterfeit wireless access point has connected to the network management platform, it will obtain data from the network management platform, which inevitably threatens the security of user information.
Summary of the invention
The following is an overview of the subject matter described in detail herein. This overview is not intended to limit the scope of protection of the claims.
This document provides a method and device for authenticating a wireless access point and a management platform, which solves the problem of verifying the legitimacy of an access point device and a network management platform and provides more secure and reliable access for devices in the network.
An embodiment of the present invention provides a method for authenticating a wireless access point and a management platform, applied on the management platform side, including:
receiving first authentication information sent by a wireless access point, the first authentication information including an identification number of the wireless access point, a first random challenge word and first key information, the first key information being obtained by the wireless access point encrypting the identification number of the wireless access point and the first random challenge word with a key stored by the wireless access point;
verifying the first authentication information with a key corresponding to the wireless access point to obtain second key information;
when it is determined that the first key information corresponds to the second key information, determining that the wireless access point is legitimate.
Optionally, after the second key information is obtained, the method further includes:
when it is determined that the first key information does not correspond to the second key information, determining that the wireless access point is illegitimate.
Optionally, after the wireless access point is determined to be legitimate, the method further includes:
generating a second random challenge word;
encrypting the identification number of the wireless access point and the second random challenge word with the key corresponding to the wireless access point to obtain third key information;
sending second authentication information to the wireless access point so that the wireless access point verifies the second authentication information with the key stored by the wireless access point, the second authentication information including the identification number of the wireless access point, the second random challenge word and the third key information.
Optionally, the identification number of the wireless access point includes one or more of the following:
a Media Access Control (MAC) address, a serial number, a unique identifier.
Optionally, verifying the first authentication information with the key corresponding to the wireless access point includes:
when the first key information was obtained by the wireless access point performing a hash operation on the identification number of the wireless access point and the first random challenge word with a shared key stored by the wireless access point, performing a hash operation on the identification number of the wireless access point and the first random challenge word with a shared key corresponding to the wireless access point to obtain second decryption information;
when the first key information was obtained by the wireless access point performing a hash operation on the identification number of the wireless access point and the first random challenge word with the shared key stored by the wireless access point to obtain a first hash value and signing the first hash value with a private key stored by the wireless access point, decrypting the first key information with a public key corresponding to the wireless access point to obtain a first decrypted hash value, and performing a hash operation on the identification number of the wireless access point and the first random challenge word with the shared key corresponding to the wireless access point to obtain a second hash value.
Optionally, encrypting the identification number of the wireless access point and the second random challenge word with the key corresponding to the wireless access point includes:
performing a hash operation on the identification number of the wireless access point and the second random challenge word with the shared key corresponding to the wireless access point; or
performing a hash operation on the identification number of the wireless access point and the second random challenge word with the shared key corresponding to the wireless access point to obtain a third hash value, and signing the third hash value with a private key stored by the management platform.
Optionally, determining that the first key information corresponds to the second key information includes:
when the first key information is the same as the second decryption information, determining that the first key information corresponds to the second key information; or
when the first decrypted hash value is the same as the second hash value, determining that the first key information corresponds to the second key information.
An embodiment of the present invention further provides a method for authenticating a wireless access point and a management platform, applied on the wireless access point side, including:
generating a first random challenge word;
encrypting the identification number of the wireless access point and the first random challenge word with a key stored by the wireless access point to obtain first key information;
sending first authentication information to a management platform so that the management platform verifies the first authentication information with a key corresponding to the wireless access point, the first authentication information including the identification number of the wireless access point, the first random challenge word and the first key information.
Optionally, after the first authentication information is sent to the management platform, the method further includes:
receiving second authentication information sent by the management platform, the second authentication information including the identification number of the wireless access point, a second random challenge word and third key information, the third key information being obtained by the management platform encrypting the identification number of the wireless access point and the second random challenge word with the key corresponding to the wireless access point;
verifying the second authentication information with the key stored by the wireless access point to obtain fourth key information;
when it is determined that the third key information corresponds to the fourth key information, determining that the management platform is legitimate.
Optionally, after the fourth key information is obtained, the method further includes:
when it is determined that the third key information does not correspond to the fourth key information, determining that the management platform is illegitimate.
Optionally, the identification number of the wireless access point includes one or more of the following:
a Media Access Control (MAC) address, a serial number, a unique identifier.
Optionally, encrypting the identification number of the wireless access point and the first random challenge word with the key stored by the wireless access point includes:
performing a hash operation on the identification number of the wireless access point and the first random challenge word with a shared key stored by the wireless access point; or
performing a hash operation on the identification number of the wireless access point and the first random challenge word with the shared key stored by the wireless access point to obtain a first hash value, and signing the first hash value with a private key stored by the wireless access point.
Optionally, verifying the second authentication information with the key stored by the wireless access point includes:
when the third key information was obtained by the management platform performing a hash operation on the identification number of the wireless access point and the second random challenge word with a shared key corresponding to the wireless access point, performing a hash operation on the identification number of the wireless access point and the second random challenge word with the shared key stored by the wireless access point to obtain fourth decryption information;
when the third key information was obtained by the management platform performing a hash operation on the identification number of the wireless access point and the second random challenge word with the shared key corresponding to the wireless access point to obtain a third hash value and signing the third hash value with a private key stored by the management platform, decrypting the third key information with a public key corresponding to the management platform to obtain a second decrypted hash value, and performing a hash operation on the identification number of the wireless access point and the second random challenge word with the shared key stored by the wireless access point to obtain a fourth hash value.
Optionally, determining that the third key information corresponds to the fourth key information includes:
when the third key information is the same as the fourth decryption information, determining that the third key information corresponds to the fourth key information; or
when the second decrypted hash value is the same as the fourth hash value, determining that the third key information corresponds to the fourth key information.
An embodiment of the present invention further provides a method for authenticating a wireless access point and a management platform, including:
a wireless access point generating a first random challenge word;
the wireless access point encrypting the identification number of the wireless access point and the first random challenge word with a key stored by the wireless access point to obtain first key information;
the wireless access point sending first authentication information to a management platform, the first authentication information including the identification number of the wireless access point, the first random challenge word and the first key information;
the management platform verifying the first authentication information with a key corresponding to the wireless access point to obtain second key information;
when the management platform determines that the first key information corresponds to the second key information, determining that the wireless access point is legitimate.
Optionally, the method further includes:
when the management platform determines that the first key information does not correspond to the second key information, determining that the wireless access point is illegitimate.
Optionally, after the wireless access point is determined to be legitimate, the method further includes:
the management platform generating a second random challenge word;
the management platform encrypting the identification number of the wireless access point and the second random challenge word with the key corresponding to the wireless access point to obtain third key information;
the management platform sending second authentication information to the wireless access point, the second authentication information including the identification number of the wireless access point, the second random challenge word and the third key information;
the wireless access point verifying the second authentication information with the key stored by the wireless access point to obtain fourth key information;
when the wireless access point determines that the third key information corresponds to the fourth key information, determining that the management platform is legitimate.
Optionally, when the wireless access point determines that the third key information does not correspond to the fourth key information, it is determined that the management platform is illegitimate.
Optionally, the wireless access point encrypting the identification number of the wireless access point and the first random challenge word with the key stored by the wireless access point includes:
performing a hash operation on the identification number of the wireless access point and the first random challenge word with a shared key stored by the wireless access point; or
performing a hash operation on the identification number of the wireless access point and the first random challenge word with the shared key stored by the wireless access point to obtain a first hash value, and signing the first hash value with a private key stored by the wireless access point.
Optionally, the management platform verifying the first authentication information with the key corresponding to the wireless access point includes:
performing a hash operation on the identification number of the wireless access point and the first random challenge word with a shared key corresponding to the wireless access point to obtain second decryption information; or
decrypting the first key information with a public key corresponding to the wireless access point to obtain a first decrypted hash value, and performing a hash operation on the identification number of the wireless access point and the first random challenge word with the shared key corresponding to the wireless access point to obtain a second hash value.
Optionally, determining that the first key information corresponds to the second key information includes:
when the first key information is the same as the second decryption information, determining that the first key information corresponds to the second key information; or
when the first decrypted hash value is the same as the second hash value, determining that the first key information corresponds to the second key information.
可选地,所述管理平台利用与所述无线接入点对应的密钥对所述无线接入点的标识号和所述第二随机挑战字进行加密包括: Optionally, the managing platform encrypts the identification number of the wireless access point and the second random challenge word by using a key corresponding to the wireless access point, including:
利用与所述无线接入点对应的共享密钥对所述无线接入点的标识号和所述第二随机挑战字进行散列运算;或者,Hashing the identification number of the wireless access point and the second random challenge word by using a shared key corresponding to the wireless access point; or
利用与所述无线接入点对应的共享密钥对所述无线接入点的标识号和所述第二随机挑战字进行散列运算获得第三散列值、并利用所述管理平台存储的私钥对所述第三散列值进行签名。Hashing the identification number of the wireless access point and the second random challenge word by using a shared key corresponding to the wireless access point to obtain a third hash value and storing the data by using the management platform The private key signs the third hash value.
可选地,所述无线接入点利用所述无线接入点存储的密钥对所述第二鉴权信息进行校验包括:Optionally, the verifying, by the wireless access point, the second authentication information by using a key stored by the wireless access point includes:
利用所述无线接入点存储的共享密钥对所述无线接入点的标识号和所述第二随机挑战字进行散列运算,获得第四解密信息;或者,And hashing the identification number of the wireless access point and the second random challenge word by using a shared key stored by the wireless access point to obtain fourth decryption information; or
利用与所述管理平台对应的公钥对所述第三密钥信息进行解密,获得第二解密散列值;并利用所述无线接入点存储的共享密钥对所述无线接入点的标识号和所述第二随机挑战字进行散列运算获得第四散列值。Decrypting the third key information by using a public key corresponding to the management platform to obtain a second decrypted hash value; and using the shared key stored by the wireless access point to access the wireless access point The identification number and the second random challenge word are hashed to obtain a fourth hash value.
可选地,确定所述第三密钥信息与所述第四密钥信息对应包括:Optionally, determining that the third key information corresponds to the fourth key information includes:
当所述第三密钥信息与所述第四解密信息相同时,确定所述第三密钥信息与所述第四密钥信息对应;或者,When the third key information is the same as the fourth decryption information, determining that the third key information corresponds to the fourth key information; or
当所述第二解密散列值与第四散列值相同时,确定所述第三密钥信息与所述第四密钥信息对应。When the second decrypted hash value is the same as the fourth hash value, it is determined that the third key information corresponds to the fourth key information.
An embodiment of the present invention further provides a wireless access point and management platform authentication device, arranged on the management platform side, including:
a first receiving module, configured to receive first authentication information sent by a wireless access point, the first authentication information including an identifier of the wireless access point, a first random challenge word and first key information, the first key information being obtained by the wireless access point encrypting the identifier of the wireless access point and the first random challenge word with a key stored by the wireless access point;
a first authentication module, configured to verify the first authentication information with a key corresponding to the wireless access point, to obtain second key information;
a first determining module, configured to determine that the wireless access point is legitimate when it is determined that the first key information corresponds to the second key information.
Optionally, the first determining module is further configured to determine that the wireless access point is illegitimate when it is determined that the first key information does not correspond to the second key information.
Optionally, the device further includes:
a first generating module, configured to generate a second random challenge word;
a first encryption module, configured to encrypt the identifier of the wireless access point and the second random challenge word with the key corresponding to the wireless access point, to obtain third key information;
a first sending module, configured to send second authentication information to the wireless access point so that the wireless access point verifies the second authentication information with the key stored by the wireless access point, the second authentication information including the identifier of the wireless access point, the second random challenge word and the third key information.
Optionally, the first authentication module includes a first hash-verification unit and/or a first decryption unit, where:
the first hash-verification unit is configured to: when the first key information was obtained by the wireless access point performing a hash operation on the identifier of the wireless access point and the first random challenge word with a shared key stored by the wireless access point, perform a hash operation on the identifier of the wireless access point and the first random challenge word with a shared key corresponding to the wireless access point, to obtain second decryption information;
the first decryption unit is configured to: when the first key information was obtained by the wireless access point performing a hash operation on the identifier of the wireless access point and the first random challenge word with a shared key stored by the wireless access point to obtain a first hash value and signing the first hash value with a private key stored by the wireless access point, decrypt the first key information with a public key corresponding to the wireless access point to obtain a first decrypted hash value, and perform a hash operation on the identifier of the wireless access point and the first random challenge word with the shared key corresponding to the wireless access point to obtain a second hash value.
Optionally, the first encryption module includes a first hash unit and/or a first signature unit, where:
the first hash unit is configured to perform a hash operation on the identifier of the wireless access point and the second random challenge word with a shared key corresponding to the wireless access point; or
the first signature unit is configured to perform a hash operation on the identifier of the wireless access point and the second random challenge word with a shared key corresponding to the wireless access point to obtain a third hash value, and sign the third hash value with a private key stored by the management platform.
Optionally, the first determining module includes a first direct correspondence unit and/or a first indirect correspondence unit, where:
the first direct correspondence unit is configured to determine that the first key information corresponds to the second key information when the first key information is identical to the second decryption information; or
the first indirect correspondence unit is configured to determine that the first key information corresponds to the second key information when the first decrypted hash value is identical to the second hash value.
An embodiment of the present invention further provides a wireless access point and management platform authentication device, arranged on the wireless access point side, including:
a second generating module, configured to generate a first random challenge word;
a second encryption module, configured to encrypt the identifier of the wireless access point and the first random challenge word with a key stored by the wireless access point, to obtain first key information;
a second sending module, configured to send first authentication information to a management platform so that the management platform verifies the first authentication information with a key corresponding to the wireless access point, the first authentication information including the identifier of the wireless access point, the first random challenge word and the first key information.
Optionally, the device further includes:
a second receiving module, configured to receive second authentication information sent by the management platform, the second authentication information including the identifier of the wireless access point, a second random challenge word and third key information, the third key information being obtained by the management platform encrypting the identifier of the wireless access point and the second random challenge word with the key corresponding to the wireless access point;
a second authentication module, configured to verify the second authentication information with the key stored by the wireless access point, to obtain fourth key information;
a second determining module, configured to determine that the management platform is legitimate when it is determined that the third key information corresponds to the fourth key information.
Optionally, the second determining module is further configured to:
determine that the management platform is illegitimate when it is determined that the third key information does not correspond to the fourth key information.
Optionally, the second encryption module includes a second hash unit and/or a second signature unit, where:
the second hash unit is configured to perform a hash operation on the identifier of the wireless access point and the first random challenge word with a shared key stored by the wireless access point; or
the second signature unit is configured to perform a hash operation on the identifier of the wireless access point and the first random challenge word with a shared key stored by the wireless access point to obtain a first hash value, and sign the first hash value with a private key stored by the wireless access point.
Optionally, the second authentication module includes a second hash-verification unit and/or a second decryption unit, where:
the second hash-verification unit is configured to: when the third key information was obtained by the management platform performing a hash operation on the identifier of the wireless access point and the second random challenge word with the shared key corresponding to the wireless access point, perform a hash operation on the identifier of the wireless access point and the second random challenge word with the shared key stored by the wireless access point, to obtain fourth decryption information;
the second decryption unit is configured to: when the third key information was obtained by the management platform performing a hash operation on the identifier of the wireless access point and the second random challenge word with the shared key corresponding to the wireless access point to obtain a third hash value and signing the third hash value with the private key stored by the management platform, decrypt the third key information with a public key corresponding to the management platform to obtain a second decrypted hash value, and perform a hash operation on the identifier of the wireless access point and the second random challenge word with the shared key stored by the wireless access point to obtain a fourth hash value.
Optionally, the second determining module includes a second direct correspondence unit and/or a second indirect correspondence unit, where:
the second direct correspondence unit is configured to determine that the third key information corresponds to the fourth key information when the third key information is identical to the fourth decryption information; or
the second indirect correspondence unit is configured to determine that the third key information corresponds to the fourth key information when the second decrypted hash value is identical to the fourth hash value.
The authentication method and device provided by the embodiments of the present invention enable mutual verification of the legitimacy of the access point device and the network management platform, guarantee the legitimacy of the wireless access point, and provide more secure and reliable access for devices in the network.
Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Brief Description of the Drawings
FIG. 1 is a flowchart of a wireless access point and management platform authentication method applied on the management platform side according to an embodiment of the present invention;
FIG. 2 is a flowchart of a wireless access point and management platform authentication method applied on the wireless access point side according to an embodiment of the present invention;
FIG. 3 is a flowchart of a wireless access point and management platform authentication method according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a wireless access point and management platform authentication device arranged on the management platform side according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a wireless access point and management platform device arranged on the wireless access point side according to an embodiment of the present invention;
FIG. 6 is a first schematic diagram of wireless access point encryption according to an embodiment of the present invention;
FIG. 7 is a second schematic diagram of wireless access point encryption according to an embodiment of the present invention;
FIG. 8 is a first schematic diagram of management platform authentication according to an embodiment of the present invention;
FIG. 9 is a second schematic diagram of management platform authentication according to an embodiment of the present invention;
FIG. 10 is a first schematic diagram of management platform encryption according to an embodiment of the present invention;
FIG. 11 is a second schematic diagram of management platform encryption according to an embodiment of the present invention;
FIG. 12 is a first schematic diagram of wireless access point authentication according to an embodiment of the present invention;
FIG. 13 is a second schematic diagram of wireless access point authentication according to an embodiment of the present invention;
FIG. 14 is a flowchart of wireless access point and management platform authentication according to Embodiment 1 of the present invention;
FIG. 15 is a flowchart of wireless access point and management platform authentication according to Embodiment 2 of the present invention.
Preferred Embodiments of the Invention
Embodiments of the present invention are described below with reference to the accompanying drawings. It should be noted that, provided there is no conflict, the embodiments in the present application and the various manners within the embodiments may be combined with one another.
As shown in FIG. 1, an embodiment of the present invention provides a wireless access point and management platform authentication method, applied on the management platform side; when the management platform authenticates the wireless access point, the method includes:
S101. Receiving first authentication information sent by a wireless access point, the first authentication information including an identifier of the wireless access point, a first random challenge word and first key information, the first key information being obtained by the wireless access point encrypting the identifier of the wireless access point and the first random challenge word with a key stored by the wireless access point;
S102. Verifying the first authentication information with a key corresponding to the wireless access point, to obtain second key information;
S103. When it is determined that the first key information corresponds to the second key information, determining that the wireless access point is legitimate.
S104. When it is determined that the first key information does not correspond to the second key information, determining that the wireless access point is illegitimate.
Preferably, when requesting the wireless access point to authenticate the management platform, the method includes:
S105. Generating a second random challenge word;
S106. Encrypting the identifier of the wireless access point and the second random challenge word with the key corresponding to the wireless access point, to obtain third key information;
S107. Sending second authentication information to the wireless access point so that the wireless access point verifies the second authentication information with the key stored by the wireless access point, the second authentication information including the identifier of the wireless access point, the second random challenge word and the third key information.
The identifier of the wireless access point includes one or more of the following:
a Media Access Control (MAC) layer address, a serial number, a unique identifier.
Step S102 includes:
when the first key information was obtained by the wireless access point performing a hash operation on the identifier of the wireless access point and the first random challenge word with the shared key stored by the wireless access point (as shown in FIG. 6), performing a hash operation on the identifier of the wireless access point and the first random challenge word with the shared key corresponding to the wireless access point (as shown in FIG. 8), to obtain second decryption information;
when the first key information was obtained by the wireless access point performing a hash operation on the identifier of the wireless access point and the first random challenge word with the shared key stored by the wireless access point to obtain a first hash value and signing the first hash value with the private key stored by the wireless access point (as shown in FIG. 7), decrypting the first key information with the public key corresponding to the wireless access point to obtain a first decrypted hash value, and performing a hash operation on the identifier of the wireless access point and the first random challenge word with the shared key corresponding to the wireless access point to obtain a second hash value (as shown in FIG. 9).
In step S102 above, the management platform may establish from the agreed protocol which encryption mode the wireless access point used to obtain the first key information; it does not necessarily have to determine this by inspecting the message.
Step S106 includes:
performing a hash operation on the identifier of the wireless access point and the second random challenge word with the shared key corresponding to the wireless access point (as shown in FIG. 10); or
performing a hash operation on the identifier of the wireless access point and the second random challenge word with the shared key corresponding to the wireless access point to obtain a third hash value, and signing the third hash value with the private key stored by the management platform (as shown in FIG. 11).
Step S103 includes:
when the first key information is identical to the second decryption information, determining that the first key information corresponds to the second key information; or
when the first decrypted hash value is identical to the second hash value, determining that the first key information corresponds to the second key information.
As shown in FIG. 2, an embodiment of the present invention provides a wireless access point and management platform authentication method, applied on the wireless access point side; when requesting the management platform to authenticate the wireless access point, the method includes:
S201. Generating a first random challenge word;
S202. Encrypting the identifier of the wireless access point and the first random challenge word with a key stored by the wireless access point, to obtain first key information;
S203. Sending first authentication information to a management platform so that the management platform verifies the first authentication information with a key corresponding to the wireless access point, the first authentication information including the identifier of the wireless access point, the first random challenge word and the first key information.
Preferably, when the wireless access point authenticates the management platform, the method further includes:
S204. Receiving second authentication information sent by the management platform, the second authentication information including the identifier of the wireless access point, a second random challenge word and third key information, the third key information being obtained by the management platform encrypting the identifier of the wireless access point and the second random challenge word with the key corresponding to the wireless access point;
S205. Verifying the second authentication information with the key stored by the wireless access point, to obtain fourth key information;
S206. When it is determined that the third key information corresponds to the fourth key information, determining that the management platform is legitimate.
S207. When it is determined that the third key information does not correspond to the fourth key information, determining that the management platform is illegitimate.
The identifier of the wireless access point includes one or more of the following:
a Media Access Control (MAC) layer address, a serial number, a unique identifier.
Step S202 includes:
performing a hash operation on the identifier of the wireless access point and the first random challenge word with the shared key stored by the wireless access point (as shown in FIG. 6); or
performing a hash operation on the identifier of the wireless access point and the first random challenge word with the shared key stored by the wireless access point to obtain a first hash value, and signing the first hash value with the private key stored by the wireless access point (as shown in FIG. 7).
Step S205 includes:
when the third key information was obtained by the management platform performing a hash operation on the identifier of the wireless access point and the second random challenge word with the shared key corresponding to the wireless access point (as shown in FIG. 10), performing a hash operation on the identifier of the wireless access point and the second random challenge word with the shared key stored by the wireless access point (as shown in FIG. 12), to obtain fourth decryption information;
when the third key information was obtained by the management platform performing a hash operation on the identifier of the wireless access point and the second random challenge word with the shared key corresponding to the wireless access point to obtain a third hash value and signing the third hash value with the private key stored by the management platform (as shown in FIG. 11), decrypting the third key information with the public key corresponding to the management platform to obtain a second decrypted hash value, and performing a hash operation on the identifier of the wireless access point and the second random challenge word with the shared key stored by the wireless access point to obtain a fourth hash value (as shown in FIG. 13).
Step S206 includes:
when the third key information is identical to the fourth decryption information, determining that the third key information corresponds to the fourth key information; or
when the second decrypted hash value is identical to the fourth hash value, determining that the third key information corresponds to the fourth key information.
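The two directions of the exchange described for FIG. 1 (steps S101 to S107, management platform side) and FIG. 2 (steps S201 to S207, wireless access point side), written out as an added example. This is not code from the patent or from the applicant; it models both key-information modes the patent allows: mode 1, a keyed hash over (identifier, challenge word) with the shared key, and mode 2, the same keyed hash additionally signed with the sender's private key and checked with the peer's public key. Assumptions not taken from the patent: HMAC-SHA256 as the keyed hash, Ed25519 standing in for the patent's "sign with the private key / decrypt with the public key", a 16-byte challenge word, a MAC-address-style identifier, and a record of accepted challenge words kept by each verifier.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// AuthInfo is the "authentication information" sent in either direction: the access
// point identifier, a random challenge word and the key information derived from them.
// Signature is empty in mode 1 (shared key only) and holds the signature over KeyInfo
// in mode 2 (keyed hash signed with the sender's private key).
type AuthInfo struct {
	APID      string
	Challenge []byte
	KeyInfo   []byte
	Signature []byte
}

// keyedHash is the "hash operation with a shared key" over (identifier, challenge).
// HMAC-SHA256 with a length prefix on the identifier is this example's choice; the
// patent does not name a hash function.
func keyedHash(sharedKey []byte, apID string, challenge []byte) []byte {
	mac := hmac.New(sha256.New, sharedKey)
	mac.Write([]byte{byte(len(apID))})
	mac.Write([]byte(apID))
	mac.Write(challenge)
	return mac.Sum(nil)
}

// NewChallenge draws a fresh random challenge word (16 bytes; the size is an assumption).
func NewChallenge() ([]byte, error) {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Party is what one side stores: its copy of the shared key, its own private key
// (nil when it uses mode 1) and the peer's public key (nil when the peer uses mode 1).
type Party struct {
	SharedKey []byte
	PrivKey   ed25519.PrivateKey
	PeerPub   ed25519.PublicKey
	seen      map[string]bool // accepted challenge words, so a captured message is not accepted twice
}

// Build produces authentication information over (apID, challenge): the keyed hash is the
// key information, and in mode 2 it is additionally signed with the party's private key.
func (p *Party) Build(apID string, challenge []byte) AuthInfo {
	h := keyedHash(p.SharedKey, apID, challenge)
	info := AuthInfo{APID: apID, Challenge: challenge, KeyInfo: h}
	if p.PrivKey != nil {
		info.Signature = ed25519.Sign(p.PrivKey, h)
	}
	return info
}

// Verify recomputes the key information with the stored shared key and compares it in
// constant time. The mode is fixed by the verifier's configuration (the patent's "protocol
// agreement"), not by whether the message carries a signature, so a peer that is expected
// to sign cannot omit the signature and be checked as mode 1.
func (p *Party) Verify(info AuthInfo) error {
	if p.seen == nil {
		p.seen = map[string]bool{}
	}
	tag := hex.EncodeToString(info.Challenge)
	if p.seen[tag] {
		return errors.New("challenge word already used")
	}
	if p.PeerPub != nil && !ed25519.Verify(p.PeerPub, info.KeyInfo, info.Signature) {
		return errors.New("signature over the key information does not verify")
	}
	expected := keyedHash(p.SharedKey, info.APID, info.Challenge)
	if !hmac.Equal(expected, info.KeyInfo) {
		return errors.New("key information does not correspond")
	}
	p.seen[tag] = true
	return nil
}

// MutualAuth runs the full exchange: the access point authenticates to the platform with a
// first challenge, then the platform authenticates to the access point with a second one.
// Both key informations are computed over the access point's identifier, as in the patent.
func MutualAuth(ap, platform *Party, apID string) (apLegal, platformLegal bool, err error) {
	c1, err := NewChallenge()
	if err != nil {
		return false, false, err
	}
	if verr := platform.Verify(ap.Build(apID, c1)); verr != nil {
		return false, false, verr
	}
	c2, err := NewChallenge()
	if err != nil {
		return true, false, err
	}
	if verr := ap.Verify(platform.Build(apID, c2)); verr != nil {
		return true, false, verr
	}
	return true, true, nil
}

func main() {
	shared := []byte("constructed-shared-key-for-ap-0001") // constructed sample key
	apPub, apPriv, _ := ed25519.GenerateKey(rand.Reader)
	mpPub, mpPriv, _ := ed25519.GenerateKey(rand.Reader)
	ap := &Party{SharedKey: shared, PrivKey: apPriv, PeerPub: mpPub}
	mp := &Party{SharedKey: shared, PrivKey: mpPriv, PeerPub: apPub}
	fmt.Println(MutualAuth(ap, mp, "00:11:22:33:44:55"))
}
```

Two points the patent text leaves to the implementer are made explicit here. First, in both directions the challenge word is generated by the party that is proving itself, not by the verifier, so the verifier gains no freshness guarantee from the challenge alone; the per-verifier record of accepted challenge words is the addition that turns an unchanged captured message into a rejected one. Second, the comparison of the recomputed key information with the received one uses hmac.Equal rather than bytes.Equal, so the time taken does not depend on how many leading bytes match.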
As shown in FIG. 3, an embodiment of the present invention provides a method for authentication between a wireless access point and a management platform. The wireless access point encrypts with its stored key and requests that the management platform authenticate the wireless access point, as follows:
S301. The wireless access point generates a first random challenge word.
S302. The wireless access point encrypts the identification number of the wireless access point and the first random challenge word with the key stored by the wireless access point, obtaining first key information.
S303. The wireless access point sends first authentication information to the management platform, the first authentication information including the identification number of the wireless access point, the first random challenge word and the first key information.
S304. The management platform verifies the first authentication information with the key corresponding to the wireless access point, obtaining second key information.
S305. When the management platform determines that the first key information corresponds to the second key information, it judges the wireless access point legitimate.
S306. When the management platform determines that the first key information does not correspond to the second key information, it judges the wireless access point illegitimate.
If the wireless access point is legitimate, the key stored by the wireless access point is the same as, or corresponds to, the key for that wireless access point stored by the management platform, and authentication passes. If the wireless access point is illegitimate, for example a masquerading access point, the key it stores differs from, or does not correspond to, the key for that wireless access point stored by the management platform, and authentication fails.
The management platform encrypts with the key corresponding to the wireless access point and requests that the wireless access point authenticate the management platform (if this authentication is not required, the following steps are omitted):
S307. The management platform generates a second random challenge word.
S308. The management platform encrypts the identification number of the wireless access point and the second random challenge word with the key corresponding to the wireless access point, obtaining third key information.
S309. The management platform sends second authentication information to the wireless access point, the second authentication information including the identification number of the wireless access point, the second random challenge word and the third key information.
S310. The wireless access point verifies the second authentication information with the key stored by the wireless access point, obtaining fourth key information.
S311. When the wireless access point determines that the third key information corresponds to the fourth key information, it judges the management platform legitimate.
S312. When the wireless access point determines that the third key information does not correspond to the fourth key information, it judges the management platform illegitimate.
Similarly, if the management platform is legitimate, the key stored by the wireless access point is the same as, or corresponds to, the key for that wireless access point stored by the management platform, and authentication passes. If the management platform is illegitimate, for example a masquerading platform, the key stored by the wireless access point differs from, or does not correspond to, the key for that wireless access point held by the platform, and authentication fails.
Step S302 includes:
hashing the identification number of the wireless access point and the first random challenge word with the shared key stored by the wireless access point (as shown in FIG. 6); or
hashing the identification number of the wireless access point and the first random challenge word with the shared key stored by the wireless access point to obtain a first hash value, and signing the first hash value with the private key stored by the wireless access point (as shown in FIG. 7).
Step S304 includes:
hashing the identification number of the wireless access point and the first random challenge word with the shared key corresponding to the wireless access point (as shown in FIG. 8), obtaining second decryption information; or
decrypting the first key information with the public key corresponding to the wireless access point to obtain a first decrypted hash value, and hashing the identification number of the wireless access point and the first random challenge word with the shared key corresponding to the wireless access point to obtain a second hash value (as shown in FIG. 9).
Step S305 includes:
when the first key information is the same as the second decryption information, determining that the first key information corresponds to the second key information; or
when the first decrypted hash value is the same as the second hash value, determining that the first key information corresponds to the second key information.
Step S308 includes:
hashing the identification number of the wireless access point and the second random challenge word with the shared key corresponding to the wireless access point (as shown in FIG. 10); or
hashing the identification number of the wireless access point and the second random challenge word with the shared key corresponding to the wireless access point to obtain a third hash value, and signing the third hash value with the private key stored by the management platform (as shown in FIG. 11).
Step S310 includes:
hashing the identification number of the wireless access point and the second random challenge word with the shared key stored by the wireless access point (as shown in FIG. 12), obtaining fourth decryption information; or
decrypting the third key information with the public key corresponding to the management platform to obtain a second decrypted hash value, and hashing the identification number of the wireless access point and the second random challenge word with the shared key stored by the wireless access point to obtain a fourth hash value (as shown in FIG. 13).
Step S311 includes:
when the third key information is the same as the fourth decryption information, determining that the third key information corresponds to the fourth key information; or
when the second decrypted hash value is the same as the fourth hash value, determining that the third key information corresponds to the fourth key information.
The shared key of each wireless access point differs from that of every other wireless access point. A legitimate wireless access point and a legitimate management platform both hold this shared key, and the two sides use it to authenticate the key information.
To guard against compromise of the shared key, a cryptographic signature (for example with the RSA algorithm) can additionally be applied.
The wireless access point holds its own signing private key and the public key corresponding to the management platform; the management platform holds the platform's private key and the public key corresponding to the wireless access point. The two sides use the corresponding public and private keys to authenticate the key information.
As shown in FIG. 4, the present invention further provides an authentication device for a wireless access point and a management platform, arranged on the management platform side and including:
a first receiving module 401, configured to receive first authentication information sent by a wireless access point, the first authentication information including the identification number of the wireless access point, a first random challenge word and first key information, the first key information having been obtained by the wireless access point encrypting the identification number of the wireless access point and the first random challenge word with the key stored by the wireless access point;
a first authentication module 402, configured to verify the first authentication information with the key corresponding to the wireless access point, obtaining second key information;
a first judging module 403, configured to judge the wireless access point legitimate when it determines that the first key information corresponds to the second key information.
The first judging module 403 is further configured to judge the wireless access point illegitimate when it determines that the first key information does not correspond to the second key information.
The above device further includes:
a first generating module 404, configured to generate a second random challenge word;
a first encryption module 405, configured to encrypt the identification number of the wireless access point and the second random challenge word with the key corresponding to the wireless access point, obtaining third key information;
a first sending module 406, configured to send second authentication information to the wireless access point so that the wireless access point verifies the second authentication information with the key stored by the wireless access point, the second authentication information including the identification number of the wireless access point, the second random challenge word and the third key information.
The first authentication module 402 includes a first hash-check unit 4021 and/or a first decryption unit 4022:
the first hash-check unit 4021 is configured to, when the first key information was obtained by the wireless access point hashing the identification number of the wireless access point and the first random challenge word with the shared key stored by the wireless access point, hash the identification number of the wireless access point and the first random challenge word with the shared key corresponding to the wireless access point, obtaining second decryption information;
the first decryption unit 4022 is configured to, when the first key information was obtained by the wireless access point hashing the identification number of the wireless access point and the first random challenge word with the shared key stored by the wireless access point to obtain a first hash value and signing the first hash value with the private key stored by the wireless access point, decrypt the first key information with the public key corresponding to the wireless access point to obtain a first decrypted hash value, and hash the identification number of the wireless access point and the first random challenge word with the shared key corresponding to the wireless access point to obtain a second hash value.
The first encryption module 405 includes a first hash unit 4051 and/or a first signature unit 4052, where:
the first hash unit 4051 is configured to hash the identification number of the wireless access point and the second random challenge word with the shared key corresponding to the wireless access point; or
the first signature unit 4052 is configured to hash the identification number of the wireless access point and the second random challenge word with the shared key corresponding to the wireless access point to obtain a third hash value, and to sign the third hash value with the private key stored by the management platform.
The first judging module 403 includes a first direct-correspondence unit 4031 and/or a first indirect-correspondence unit 4032, where:
the first direct-correspondence unit 4031 is configured to determine that the first key information corresponds to the second key information when the first key information is the same as the second decryption information; or
the first indirect-correspondence unit 4032 is configured to determine that the first key information corresponds to the second key information when the first decrypted hash value is the same as the second hash value.
As shown in FIG. 5, an embodiment of the present invention further provides an authentication device for a wireless access point and a management platform, arranged on the wireless access point side and including:
a second generating module 501, configured to generate a first random challenge word;
a second encryption module 502, configured to encrypt the identification number of the wireless access point and the first random challenge word with the key stored by the wireless access point, obtaining first key information;
a second sending module 503, configured to send first authentication information to the management platform so that the management platform verifies the first authentication information with the key corresponding to the wireless access point, the first authentication information including the identification number of the wireless access point, the first random challenge word and the first key information.
The above device further includes:
a second receiving module 504, configured to receive second authentication information sent by the management platform, the second authentication information including the identification number of the wireless access point, a second random challenge word and third key information, the third key information having been obtained by the management platform encrypting the identification number of the wireless access point and the second random challenge word with the key corresponding to the wireless access point;
a second authentication module 505, configured to verify the second authentication information with the key stored by the wireless access point, obtaining fourth key information;
a second judging module 506, configured to judge the management platform legitimate when it determines that the third key information corresponds to the fourth key information.
The second judging module 506 is further configured to:
judge the management platform illegitimate when it determines that the third key information does not correspond to the fourth key information.
The second encryption module 502 includes a second hash unit 5021 and/or a second signature unit 5022:
the second hash unit 5021 is configured to hash the identification number of the wireless access point and the first random challenge word with the shared key stored by the wireless access point; or
the second signature unit 5022 is configured to hash the identification number of the wireless access point and the first random challenge word with the shared key stored by the wireless access point to obtain a first hash value, and to sign the first hash value with the private key stored by the wireless access point.
The second authentication module 505 includes a second hash-check unit 5051 and/or a second decryption unit 5052, where:
the second hash-check unit 5051 is configured to, when the third key information was obtained by the management platform hashing the identification number of the wireless access point and the second random challenge word with the shared key corresponding to the wireless access point, hash the identification number of the wireless access point and the second random challenge word with the shared key stored by the wireless access point, obtaining fourth decryption information;
the second decryption unit 5052 is configured to, when the third key information was obtained by the management platform hashing the identification number of the wireless access point and the second random challenge word with the shared key corresponding to the wireless access point to obtain a third hash value and signing the third hash value with the private key stored by the management platform, decrypt the third key information with the public key corresponding to the management platform to obtain a second decrypted hash value, and hash the identification number of the wireless access point and the second random challenge word with the shared key stored by the wireless access point to obtain a fourth hash value.
The second judging module 506 includes a second direct-correspondence unit 5061 and/or a second indirect-correspondence unit 5062, where:
the second direct-correspondence unit 5061 is configured to determine that the third key information corresponds to the fourth key information when the third key information is the same as the fourth decryption information; or
the second indirect-correspondence unit 5062 is configured to determine that the third key information corresponds to the fourth key information when the second decrypted hash value is the same as the fourth hash value.
Example 1
The shared key in the embodiments of the present invention is a shared key used for hashing with an agreed hash algorithm (such as SHA-256). As shown in FIG. 14, the steps are as follows:
11. The wireless access point takes its own NodeID (the NodeID may be the wireless access point's MAC address, its serial number or another unique identifier) and a randomly generated challenge word X, and hashes them with the stored shared key to obtain hash value A (see FIG. 6);
12. When the wireless access point requests a connection to the management platform, the message carries the NodeID, the challenge word X and hash value A;
13. On receiving the wireless access point's connection request, the management platform hashes the received NodeID and challenge word X with the shared key corresponding to that wireless access point to obtain hash value AA (see FIG. 8);
14. If A = AA, the management platform judges the wireless access point legitimate; otherwise it is illegitimate.
The following four steps are the wireless access point's authentication of the management platform, a further function of this embodiment. If this authentication is not required, these four steps are omitted:
15. If the wireless access point was judged legitimate, the management platform randomly generates a challenge word Y and hashes the received NodeID and the challenge word Y with the shared key corresponding to that wireless access point to obtain hash value B (see FIG. 10);
16. In the response message sent to the wireless access point, the management platform carries the wireless access point's NodeID, the challenge word Y and hash value B (see FIG. 10);
17. On receiving the response message, the wireless access point hashes the received NodeID and challenge word Y with its stored shared key to obtain hash value BB;
18. If B = BB, the management platform is legitimate; otherwise it is illegitimate (see FIG. 3).
Example 2
To guard against compromise of the shared key, the hash value can additionally be cryptographically signed (for example with the RSA algorithm). As shown in FIG. 15, the steps are as follows:
21. The wireless access point takes its own NodeID (the NodeID may be the wireless access point's MAC address, its serial number or another unique identifier) and a randomly generated challenge word X, hashes them with the stored shared key to obtain hash value A, and RSA-signs A with the private key stored by the wireless access point, yielding the RSA signature AAA (see FIG. 7);
22. When the wireless access point requests a connection to the management platform, the message carries the NodeID, the challenge word X and the RSA signature AAA;
23. On receiving the wireless access point's connection request, the management platform RSA-decrypts the signature AAA with the public key corresponding to the wireless access point, recovering the signed value as decrypted hash value AAAA; it then hashes the NodeID and challenge word X with the shared key corresponding to that wireless access point to obtain hash value AA (see FIG. 9);
24. The management platform compares the decrypted hash value AAAA with the computed hash value AA; if they match, the wireless access point is legitimate, otherwise it is illegitimate.
The following four steps are the wireless access point's authentication of the management platform, a further function of this embodiment. If this authentication is not required, these four steps are omitted:
25. If the wireless access point was judged legitimate, the management platform randomly generates a challenge word Y and hashes the received NodeID and the challenge word Y with the shared key corresponding to that wireless access point to obtain hash value B;
26. The management platform RSA-signs hash value B with its stored private key, yielding the RSA signature BBB (see FIG. 11), and carries the wireless access point's NodeID, the challenge word Y and the RSA signature BBB in the response message;
27. On receiving the response message, the wireless access point RSA-decrypts the received signature BBB with the pre-stored public key corresponding to the management platform, recovering the signed value as decrypted hash value BBBB, and then hashes the NodeID and challenge word Y with the shared key stored by the wireless access point to obtain hash value BB (see FIG. 13);
28. The wireless access point compares the decrypted hash value BBBB with the computed hash value BB; if the two match, the management platform is legitimate, otherwise it is illegitimate.
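The mutual exchange of Example 1 (keyed hash only) and Example 2 (keyed hash plus RSA signature), which is the same exchange as steps S301 to S312, carried through in Go as an added example; this is not the patent's code. It assumes HMAC-SHA256 as the keyed hash (the page names only SHA-256 and does not say how the shared key is mixed in), RSA PKCS#1 v1.5 signatures over the 32-byte hash for Example 2, a 16-byte challenge word and a 2048-bit key size, all of which are choices of this example; the NodeID and shared key in main are constructed sample values. Go's VerifyPKCS1v15 carries out the "decrypt the signature with the public key and compare" of steps 23 and 27, and the platform's per-NodeID registry is the one-distinct-key-per-access-point store described before the examples.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// AuthMsg is one authentication message: NodeID, challenge word and key information.
type AuthMsg struct {
	NodeID    string
	Challenge []byte // fixed 16 bytes, so NodeID||Challenge is unambiguous
	KeyInfo   []byte // keyed hash (Example 1) or RSA signature over it (Example 2)
}

// Party is either side. Keys maps NodeID to that AP's distinct shared key (an AP holds only
// its own entry); Pubs maps NodeID to the peer's public key; Priv is this party's signing key.
type Party struct {
	Keys map[string][]byte
	Pubs map[string]*rsa.PublicKey // nil in Example 1
	Priv *rsa.PrivateKey           // nil in Example 1
}

// NewSigningKey makes an RSA key pair for Example 2 (2048 bits is an assumption).
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// keyedHash is the "hash of NodeID and challenge with the shared key" of figures
// 6, 8, 10 and 12. The page names SHA-256 only; HMAC-SHA256 is assumed here.
func keyedHash(sharedKey []byte, nodeID string, challenge []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(append([]byte(nodeID), challenge...))
	return m.Sum(nil)
}

// newChallenge draws a fresh 16-byte random challenge word (X or Y on the page).
func newChallenge() []byte {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		panic("no secure randomness: " + err.Error())
	}
	return c
}

// Prove builds the key information for nodeID and a challenge: the bare HMAC in
// Example 1, or the HMAC signed with this party's RSA key (figures 7 and 11).
func (p *Party) Prove(nodeID string, challenge []byte) ([]byte, error) {
	key, ok := p.Keys[nodeID]
	if !ok {
		return nil, fmt.Errorf("no shared key for %s", nodeID)
	}
	h := keyedHash(key, nodeID, challenge)
	if p.Priv == nil {
		return h, nil
	}
	return rsa.SignPKCS1v15(rand.Reader, p.Priv, crypto.SHA256, h)
}

// Check is S304-S306 on the platform and S310-S312 on the AP: recompute the keyed hash
// with this party's copy of the shared key and compare in constant time (A == AA, B == BB)
// or, in signed mode, verify the signature over it with the peer's public key (figures 9
// and 13). An unknown NodeID fails, and so does a missing public key in signed mode.
func (p *Party) Check(msg AuthMsg) bool {
	key, ok := p.Keys[msg.NodeID]
	if !ok {
		return false
	}
	expected := keyedHash(key, msg.NodeID, msg.Challenge)
	if p.Priv == nil {
		return hmac.Equal(expected, msg.KeyInfo)
	}
	pub, ok := p.Pubs[msg.NodeID]
	return ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, expected, msg.KeyInfo) == nil
}

// MutualAuth runs the exchange of figure 14 (or 15) for the AP apID in memory and
// returns the platform's verdict on the AP and the AP's verdict on the platform.
func MutualAuth(ap *Party, apID string, plat *Party) (apLegal, platLegal bool, err error) {
	x := newChallenge() // step 11 / 21: the AP picks X
	a, err := ap.Prove(apID, x)
	if err != nil {
		return false, false, err
	}
	if !plat.Check(AuthMsg{NodeID: apID, Challenge: x, KeyInfo: a}) {
		return false, false, nil // steps 13-14 / 23-24: AP judged illegitimate
	}
	y := newChallenge() // step 15 / 25: the platform picks Y
	b, err := plat.Prove(apID, y)
	if err != nil {
		return true, false, err
	}
	return true, ap.Check(AuthMsg{NodeID: apID, Challenge: y, KeyInfo: b}), nil // 17-18 / 27-28
}

func main() {
	id, key := "00:11:22:33:44:55", []byte("constructed-shared-key-for-this-AP") // constructed sample
	ap := &Party{Keys: map[string][]byte{id: key}}
	plat := &Party{Keys: map[string][]byte{id: key}}
	fmt.Println(MutualAuth(ap, id, plat))
}
```

For Example 2, give each Party a Priv from NewSigningKey and put the peer's public key in Pubs under the AP's NodeID; a party with the right shared key but the wrong private key then fails Check, which is the protection against shared-key compromise the page is after, and a platform in signed mode rejects a bare hash rather than falling back to the Example 1 comparison. One caveat on the exchange as the page describes it: each side picks the random challenge word for its own proof (the AP picks X, the platform picks Y), so a captured first message with the same NodeID, X and A would verify again; the example follows the page, and a deployment that needs replay protection would have the verifier issue or track the challenge.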
A person of ordinary skill in the art will understand that all or some of the steps of the above embodiments may be implemented by a computer program flow; the computer program may be stored in a computer-readable storage medium and executed on a corresponding hardware platform (such as a system, apparatus, device or component), and when executed includes one of the steps of the method embodiments or a combination thereof.
Optionally, all or some of the steps of the above embodiments may also be implemented with integrated circuits; these steps may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module.
The devices, functional modules and functional units in the above embodiments may be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network of several computing devices.
When the devices, functional modules and functional units in the above embodiments are implemented as software functional modules and sold or used as independent products, they may be stored in a computer-readable storage medium. The computer-readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.
Industrial applicability
The authentication method and device provided by the embodiments of the present invention allow the access point device and the network management platform to verify each other's legitimacy, ensure the legitimacy of the wireless access point, and give the devices in the network a more secure and reliable means of access.

Claims (36)

  1. A method for authentication between a wireless access point and a management platform, applied on the management platform side, comprising:
    receiving first authentication information sent by a wireless access point, the first authentication information comprising an identification number of the wireless access point, a first random challenge word and first key information, the first key information having been obtained by the wireless access point encrypting the identification number of the wireless access point and the first random challenge word with a key stored by the wireless access point;
    verifying the first authentication information with a key corresponding to the wireless access point, obtaining second key information;
    when it is determined that the first key information corresponds to the second key information, judging the wireless access point legitimate.
  2. The method of claim 1, wherein after obtaining the second key information the method further comprises:
    when it is determined that the first key information does not correspond to the second key information, judging the wireless access point illegitimate.
  3. The method of claim 1, wherein after judging the wireless access point legitimate the method further comprises:
    generating a second random challenge word;
    encrypting the identification number of the wireless access point and the second random challenge word with the key corresponding to the wireless access point, obtaining third key information;
    sending second authentication information to the wireless access point so that the wireless access point verifies the second authentication information with the key stored by the wireless access point, the second authentication information comprising the identification number of the wireless access point, the second random challenge word and the third key information.
  4. The method of claim 1, wherein the identification number of the wireless access point comprises one or more of:
    a Media Access Control (MAC) address, a serial number, a unique identifier.
  5. The method of any one of claims 1 to 4, wherein verifying the first authentication information with the key corresponding to the wireless access point comprises:
    when the first key information was obtained by the wireless access point hashing the identification number of the wireless access point and the first random challenge word with a shared key stored by the wireless access point, hashing the identification number of the wireless access point and the first random challenge word with a shared key corresponding to the wireless access point, obtaining second decryption information;
    when the first key information was obtained by the wireless access point hashing the identification number of the wireless access point and the first random challenge word with the shared key stored by the wireless access point to obtain a first hash value and signing the first hash value with a private key stored by the wireless access point, decrypting the first key information with a public key corresponding to the wireless access point to obtain a first decrypted hash value, and hashing the identification number of the wireless access point and the first random challenge word with the shared key corresponding to the wireless access point to obtain a second hash value.
  6. The method of claim 3, wherein encrypting the identification number of the wireless access point and the second random challenge word with the key corresponding to the wireless access point comprises:
    hashing the identification number of the wireless access point and the second random challenge word with a shared key corresponding to the wireless access point; or
    hashing the identification number of the wireless access point and the second random challenge word with the shared key corresponding to the wireless access point to obtain a third hash value, and signing the third hash value with a private key stored by the management platform.
  7. The method of claim 5, wherein determining that the first key information corresponds to the second key information comprises:
    when the first key information is the same as the second decryption information, determining that the first key information corresponds to the second key information; or
    当所述第一解密散列值与第二散列值相同时,确定所述第一密钥信息与所述第二密钥信息对应。When the first decrypted hash value is the same as the second hash value, it is determined that the first key information corresponds to the second key information.
  8. A wireless access point and management platform authentication method, applied on the wireless access point side, comprising:
    generating a first random challenge word;
    encrypting the identification number of the wireless access point and the first random challenge word by using the key stored by the wireless access point, to obtain first key information;
    sending first authentication information to a management platform, so that the management platform verifies the first authentication information by using the key corresponding to the wireless access point, the first authentication information comprising the identification number of the wireless access point, the first random challenge word and the first key information.
  9. The method according to claim 8, wherein after sending the first authentication information to the management platform, the method further comprises:
    receiving second authentication information sent by the management platform, the second authentication information comprising the identification number of the wireless access point, a second random challenge word and third key information, the third key information being obtained by the management platform encrypting the identification number of the wireless access point and the second random challenge word by using the key corresponding to the wireless access point;
    verifying the second authentication information by using the key stored by the wireless access point, to obtain fourth key information;
    when it is determined that the third key information corresponds to the fourth key information, determining that the management platform is legitimate.
  10. The method according to claim 9, wherein after obtaining the fourth key information, the method further comprises:
    when it is determined that the third key information does not correspond to the fourth key information, determining that the management platform is illegitimate.
  11. The method according to claim 8, wherein the identification number of the wireless access point comprises one or more of the following:
    a Media Access Control (MAC) address, a serial number, and a unique identifier.
  12. The method according to claim 8, wherein encrypting the identification number of the wireless access point and the first random challenge word by using the key stored by the wireless access point comprises:
    performing a hash operation on the identification number of the wireless access point and the first random challenge word by using the shared key stored by the wireless access point; or
    performing a hash operation on the identification number of the wireless access point and the first random challenge word by using the shared key stored by the wireless access point to obtain a first hash value, and signing the first hash value by using the private key stored by the wireless access point.
  13. The method according to claim 9, wherein verifying the second authentication information by using the key stored by the wireless access point comprises:
    when the third key information was obtained by the management platform performing a hash operation on the identification number of the wireless access point and the second random challenge word by using the shared key corresponding to the wireless access point, performing a hash operation on the identification number of the wireless access point and the second random challenge word by using the shared key stored by the wireless access point, to obtain fourth decryption information;
    when the third key information was obtained by the management platform performing a hash operation on the identification number of the wireless access point and the second random challenge word by using the shared key corresponding to the wireless access point to obtain a third hash value and signing the third hash value by using the private key stored by the management platform, decrypting the third key information by using the public key corresponding to the management platform to obtain a second decrypted hash value, and performing a hash operation on the identification number of the wireless access point and the second random challenge word by using the shared key stored by the wireless access point to obtain a fourth hash value.
  14. The method according to claim 13, wherein determining that the third key information corresponds to the fourth key information comprises:
    when the third key information is identical to the fourth decryption information, determining that the third key information corresponds to the fourth key information; or
    when the second decrypted hash value is identical to the fourth hash value, determining that the third key information corresponds to the fourth key information.
  15. A wireless access point and management platform authentication method, comprising:
    a wireless access point generating a first random challenge word;
    the wireless access point encrypting the identification number of the wireless access point and the first random challenge word by using the key stored by the wireless access point, to obtain first key information;
    the wireless access point sending first authentication information to a management platform, the first authentication information comprising the identification number of the wireless access point, the first random challenge word and the first key information;
    the management platform verifying the first authentication information by using the key corresponding to the wireless access point, to obtain second key information;
    when the management platform determines that the first key information corresponds to the second key information, determining that the wireless access point is legitimate.
  16. The method according to claim 15, further comprising:
    when the management platform determines that the first key information does not correspond to the second key information, determining that the wireless access point is illegitimate.
  17. The method according to claim 15, wherein after determining that the wireless access point is legitimate, the method further comprises:
    the management platform generating a second random challenge word;
    the management platform encrypting the identification number of the wireless access point and the second random challenge word by using the key corresponding to the wireless access point, to obtain third key information;
    the management platform sending second authentication information to the wireless access point, the second authentication information comprising the identification number of the wireless access point, the second random challenge word and the third key information;
    the wireless access point verifying the second authentication information by using the key stored by the wireless access point, to obtain fourth key information;
    when the wireless access point determines that the third key information corresponds to the fourth key information, determining that the management platform is legitimate.
  18. The method according to claim 17, wherein when the wireless access point determines that the third key information does not correspond to the fourth key information, the management platform is determined to be illegitimate.
  19. The method according to claim 15, wherein the wireless access point encrypting the identification number of the wireless access point and the first random challenge word by using the key stored by the wireless access point comprises:
    performing a hash operation on the identification number of the wireless access point and the first random challenge word by using the shared key stored by the wireless access point; or
    performing a hash operation on the identification number of the wireless access point and the first random challenge word by using the shared key stored by the wireless access point to obtain a first hash value, and signing the first hash value by using the private key stored by the wireless access point.
  20. The method according to claim 19, wherein the management platform verifying the first authentication information by using the key corresponding to the wireless access point comprises:
    performing a hash operation on the identification number of the wireless access point and the first random challenge word by using the shared key corresponding to the wireless access point, to obtain second decryption information; or
    decrypting the first key information by using the public key corresponding to the wireless access point to obtain a first decrypted hash value, and performing a hash operation on the identification number of the wireless access point and the first random challenge word by using the shared key corresponding to the wireless access point to obtain a second hash value.
  21. The method according to claim 20, wherein determining that the first key information corresponds to the second key information comprises:
    when the first key information is identical to the second decryption information, determining that the first key information corresponds to the second key information; or
    when the first decrypted hash value is identical to the second hash value, determining that the first key information corresponds to the second key information.
  22. The method according to claim 17, wherein the management platform encrypting the identification number of the wireless access point and the second random challenge word by using the key corresponding to the wireless access point comprises:
    performing a hash operation on the identification number of the wireless access point and the second random challenge word by using the shared key corresponding to the wireless access point; or
    performing a hash operation on the identification number of the wireless access point and the second random challenge word by using the shared key corresponding to the wireless access point to obtain a third hash value, and signing the third hash value by using the private key stored by the management platform.
  23. The method according to claim 22, wherein the wireless access point verifying the second authentication information by using the key stored by the wireless access point comprises:
    performing a hash operation on the identification number of the wireless access point and the second random challenge word by using the shared key stored by the wireless access point, to obtain fourth decryption information; or
    decrypting the third key information by using the public key corresponding to the management platform to obtain a second decrypted hash value, and performing a hash operation on the identification number of the wireless access point and the second random challenge word by using the shared key stored by the wireless access point to obtain a fourth hash value.
  24. The method according to claim 23, wherein determining that the third key information corresponds to the fourth key information comprises:
    when the third key information is identical to the fourth decryption information, determining that the third key information corresponds to the fourth key information; or
    when the second decrypted hash value is identical to the fourth hash value, determining that the third key information corresponds to the fourth key information.
  25. A wireless access point and management platform authentication device, arranged on the management platform side, comprising:
    a first receiving module, configured to receive first authentication information sent by a wireless access point, the first authentication information comprising the identification number of the wireless access point, a first random challenge word and first key information, the first key information being obtained by the wireless access point encrypting the identification number of the wireless access point and the first random challenge word by using the key stored by the wireless access point;
    a first authentication module, configured to verify the first authentication information by using the key corresponding to the wireless access point, to obtain second key information;
    a first judgment module, configured to determine that the wireless access point is legitimate when it is determined that the first key information corresponds to the second key information.
  26. The device according to claim 25, wherein the first judgment module is further configured to determine that the wireless access point is illegitimate when it is determined that the first key information does not correspond to the second key information.
  27. The device according to claim 25, further comprising:
    a first generating module, configured to generate a second random challenge word;
    a first encryption module, configured to encrypt the identification number of the wireless access point and the second random challenge word by using the key corresponding to the wireless access point, to obtain third key information;
    a first sending module, configured to send second authentication information to the wireless access point, so that the wireless access point verifies the second authentication information by using the key stored by the wireless access point, the second authentication information comprising the identification number of the wireless access point, the second random challenge word and the third key information.
  28. The device according to claim 25, wherein the first authentication module comprises a first hash verification unit and/or a first decryption unit, wherein:
    the first hash verification unit is configured to: when the first key information was obtained by the wireless access point performing a hash operation on the identification number of the wireless access point and the first random challenge word by using the shared key stored by the wireless access point, perform a hash operation on the identification number of the wireless access point and the first random challenge word by using the shared key corresponding to the wireless access point, to obtain second decryption information;
    the first decryption unit is configured to: when the first key information was obtained by the wireless access point performing a hash operation on the identification number of the wireless access point and the first random challenge word by using the shared key stored by the wireless access point to obtain a first hash value and signing the first hash value by using the private key stored by the wireless access point, decrypt the first key information by using the public key corresponding to the wireless access point to obtain a first decrypted hash value, and perform a hash operation on the identification number of the wireless access point and the first random challenge word by using the shared key corresponding to the wireless access point to obtain a second hash value.
  29. The device according to claim 27, wherein the first encryption module comprises a first hash unit and/or a first signature unit, wherein:
    the first hash unit is configured to perform a hash operation on the identification number of the wireless access point and the second random challenge word by using the shared key corresponding to the wireless access point; or
    the first signature unit is configured to perform a hash operation on the identification number of the wireless access point and the second random challenge word by using the shared key corresponding to the wireless access point to obtain a third hash value, and sign the third hash value by using the private key stored by the management platform.
  30. The device according to claim 29, wherein the first judgment module comprises a first direct correspondence unit and/or a first indirect correspondence unit, wherein:
    the first direct correspondence unit is configured to determine that the first key information corresponds to the second key information when the first key information is identical to the second decryption information; or
    the first indirect correspondence unit is configured to determine that the first key information corresponds to the second key information when the first decrypted hash value is identical to the second hash value.
  31. A wireless access point and management platform authentication device, arranged on the wireless access point side, comprising:
    a second generating module, configured to generate a first random challenge word;
    a second encryption module, configured to encrypt the identification number of the wireless access point and the first random challenge word by using the key stored by the wireless access point, to obtain first key information;
    a second sending module, configured to send first authentication information to a management platform, so that the management platform verifies the first authentication information by using the key corresponding to the wireless access point, the first authentication information comprising the identification number of the wireless access point, the first random challenge word and the first key information.
  32. The device according to claim 31, further comprising:
    a second receiving module, configured to receive second authentication information sent by the management platform, the second authentication information comprising the identification number of the wireless access point, a second random challenge word and third key information, the third key information being obtained by the management platform encrypting the identification number of the wireless access point and the second random challenge word by using the key corresponding to the wireless access point;
    a second authentication module, configured to verify the second authentication information by using the key stored by the wireless access point, to obtain fourth key information;
    a second judgment module, configured to determine that the management platform is legitimate when it is determined that the third key information corresponds to the fourth key information.
  33. The device according to claim 32, wherein the second judgment module is further configured to:
    determine that the management platform is illegitimate when it is determined that the third key information does not correspond to the fourth key information.
  34. The device according to claim 31, wherein the second encryption module comprises a second hash unit and/or a second signature unit, wherein:
    the second hash unit is configured to perform a hash operation on the identification number of the wireless access point and the first random challenge word by using the shared key stored by the wireless access point; or
    the second signature unit is configured to perform a hash operation on the identification number of the wireless access point and the first random challenge word by using the shared key stored by the wireless access point to obtain a first hash value, and sign the first hash value by using the private key stored by the wireless access point.
  35. The device according to claim 32, wherein the second authentication module comprises a second hash verification unit and/or a second decryption unit, wherein:
    the second hash verification unit is configured to: when the third key information was obtained by the management platform performing a hash operation on the identification number of the wireless access point and the second random challenge word by using the shared key corresponding to the wireless access point, perform a hash operation on the identification number of the wireless access point and the second random challenge word by using the shared key stored by the wireless access point, to obtain fourth decryption information;
    the second decryption unit is configured to: when the third key information was obtained by the management platform performing a hash operation on the identification number of the wireless access point and the second random challenge word by using the shared key corresponding to the wireless access point to obtain a third hash value and signing the third hash value by using the private key stored by the management platform, decrypt the third key information by using the public key corresponding to the management platform to obtain a second decrypted hash value, and perform a hash operation on the identification number of the wireless access point and the second random challenge word by using the shared key stored by the wireless access point to obtain a fourth hash value.
  36. The device according to claim 35, wherein the second judgment module comprises a second direct correspondence unit and/or a second indirect correspondence unit, wherein:
    the second direct correspondence unit is configured to determine that the third key information corresponds to the fourth key information when the third key information is identical to the fourth decryption information; or
    the second indirect correspondence unit is configured to determine that the third key information corresponds to the fourth key information when the second decrypted hash value is identical to the fourth hash value.
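The two-way exchange of claims 15 and 17, in the shared-key hash alternative of claims 19, 20, 22 and 23, as an added worked example that is not part of the patent or any ZTE implementation. It assumes HMAC-SHA256 as the "hash operation using the shared key" (the claims do not fix the primitive), uses a constructed MAC address and shared key, and adds one check the claims do not specify: the platform refuses to accept the same first random challenge word from the same access point twice.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample values (not from the patent): the AP's identification
# number is its MAC address, and one shared key is provisioned on both sides.
AP_ID = "00:11:22:33:44:55"
SHARED_KEY = b"constructed-demo-shared-key-do-not-reuse"


@dataclass(frozen=True)
class AuthInfo:
    """Authentication information as carried in claims 15 and 17:
    (identification number, random challenge word, key information)."""
    ap_id: str
    challenge: bytes
    key_info: bytes


def key_info(shared_key: bytes, ap_id: str, challenge: bytes) -> bytes:
    """'Hash operation on the identification number and the random challenge
    word using the shared key'. HMAC-SHA256 over a length-prefixed encoding
    of the two fields is the instantiation assumed by this example."""
    ident = ap_id.encode("utf-8")
    msg = (len(ident).to_bytes(2, "big") + ident
           + len(challenge).to_bytes(2, "big") + challenge)
    return hmac.new(shared_key, msg, hashlib.sha256).digest()


class AccessPoint:
    """Wireless access point side (claims 8 to 14)."""

    def __init__(self, ap_id: str, shared_key: bytes) -> None:
        self.ap_id = ap_id
        self.shared_key = shared_key  # key stored by the wireless access point

    def first_auth_info(self) -> AuthInfo:
        # First random challenge word: 16 bytes from the OS CSPRNG.
        challenge = secrets.token_bytes(16)
        first_key_info = key_info(self.shared_key, self.ap_id, challenge)
        return AuthInfo(self.ap_id, challenge, first_key_info)

    def platform_is_legitimate(self, second: AuthInfo) -> bool:
        # Claim 13 (hash alternative): recompute the fourth decryption
        # information with the stored shared key; claim 14: compare it with
        # the third key information, in constant time.
        if second.ap_id != self.ap_id:
            return False
        fourth = key_info(self.shared_key, second.ap_id, second.challenge)
        return hmac.compare_digest(second.key_info, fourth)


class ManagementPlatform:
    """Management platform side (claims 1 to 7)."""

    def __init__(self, keys_by_ap_id: dict) -> None:
        # "Key corresponding to the wireless access point", looked up by
        # identification number.
        self.keys_by_ap_id = dict(keys_by_ap_id)
        # Defensive addition not in the claims: (ap_id, challenge) pairs
        # already accepted, so identical first authentication information
        # is not accepted a second time.
        self.accepted = set()

    def access_point_is_legitimate(self, first: AuthInfo) -> bool:
        shared_key = self.keys_by_ap_id.get(first.ap_id)
        if shared_key is None:
            return False  # unknown identification number
        # Claim 5 (hash alternative): second decryption information.
        second = key_info(shared_key, first.ap_id, first.challenge)
        if not hmac.compare_digest(first.key_info, second):
            return False  # claim 2: key information does not correspond
        if (first.ap_id, first.challenge) in self.accepted:
            return False  # defensive addition: challenge word reused
        self.accepted.add((first.ap_id, first.challenge))
        return True

    def second_auth_info(self, ap_id: str) -> AuthInfo:
        # Claims 3 and 6 (hash alternative): second random challenge word
        # and third key information for the access point to verify.
        challenge = secrets.token_bytes(16)
        third_key_info = key_info(self.keys_by_ap_id[ap_id], ap_id, challenge)
        return AuthInfo(ap_id, challenge, third_key_info)


def mutual_authentication(ap: AccessPoint, platform: ManagementPlatform):
    """Run the exchange of claims 15 and 17; return (access point judged
    legitimate by the platform, platform judged legitimate by the AP)."""
    first = ap.first_auth_info()
    if not platform.access_point_is_legitimate(first):
        return (False, False)
    second = platform.second_auth_info(first.ap_id)
    return (True, ap.platform_is_legitimate(second))


if __name__ == "__main__":
    platform = ManagementPlatform({AP_ID: SHARED_KEY})
    print(mutual_authentication(AccessPoint(AP_ID, SHARED_KEY), platform))  # (True, True)
    print(mutual_authentication(AccessPoint(AP_ID, b"other-key"), platform))  # (False, False)
```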
PCT/CN2016/080767 2015-07-13 2016-04-29 Authentication method and device for wireless access point and management platform WO2017008556A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510410310.5A CN106714156A (en) 2015-07-13 2015-07-13 Wireless access point and management platform authentication method and device
CN201510410310.5 2015-07-13

Publications (1)

Publication Number Publication Date
WO2017008556A1 true WO2017008556A1 (en) 2017-01-19

US20130019093A1 (en) Certificate authority
US20160352702A1 (en) System and Method for Resetting Passwords on Electronic Devices
JP5380583B1 (en) Device authentication method and system
JP2020530726A (en) NFC tag authentication to remote servers with applications that protect supply chain asset management
US7243368B2 (en) Access control system and method for a networked computer system
JP2005276122A (en) Access source authentication method and system
WO2017008556A1 (en) Authentication method and device for wireless access point and management platform
CN111314269B (en) Address automatic allocation protocol security authentication method and equipment
CN106656499A (en) Terminal equipment dependable authentication method and system in digital copyright protection system
CN110912685A (en) Establishing a protected communication channel
US10764065B2 (en) Admissions control of a device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16823703

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16823703

Country of ref document: EP

Kind code of ref document: A1