CN101568116B - Method for obtaining certificate state information and certificate state management system - Google Patents


Info

Publication number: CN101568116B
Authority: CN (China)
Application number: CN2009101405004A
Other languages: Chinese (zh)
Other versions: CN101568116A
Inventors: 康望星, 施元庆, 梁洁辉
Assignee (original and current): ZTE Corp
Legal status: Expired - Fee Related
Related PCT application: PCT/CN2009/075526 (WO2010133073A1)

Classifications

    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04W12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
    • H04L63/101 Access control lists [ACL]

Abstract

The present invention provides a method for obtaining certificate state information and a certificate state management system. The method comprises the following steps: a terminal sends a subscription request for WAPI certificate state information to the authentication server of a wireless local area network in order to obtain the state information of its WAPI certificate; after receiving the subscription request, if the authentication server determines that the terminal is entitled to obtain the state information of the WAPI certificate, it performs the following: the state information of the WAPI certificate obtained by query when the subscription request was received is included in a notification message sent to the terminal, and/or, within the validity period of the subscription, whenever the state of the WAPI certificate changes, the state information of the WAPI certificate is included in a notification message sent to the terminal. According to the invention, by initiating a subscription to WAPI certificate state information, the terminal can actively obtain that state information in real time, and operations such as certificate renewal can be performed according to it, which is convenient for the user.

Description

Method for obtaining certificate status information and certificate status management system
Technical field
The present invention relates to the field of wireless local area network communication, and in particular to a method for obtaining WAPI (WLAN Authentication and Privacy Infrastructure) certificate status information and a certificate status management system.
Background art
WAPI is a wireless LAN security standard based on the IEEE (Institute of Electrical and Electronics Engineers) 802.11 wireless protocols. The WAPI protocol consists of two parts: WAI (WLAN Authentication Infrastructure) and WPI (WLAN Privacy Infrastructure). WAI is the security scheme used for WLAN identity authentication and key management. WPI is the security scheme used to protect WLAN data transmission and includes functions such as data encryption, data authentication and replay protection.
A typical WAPI system mainly consists of an Authenticator Entity (AE), an Authentication Supplicant Entity (ASUE) and an Authentication Service Entity (ASE). The authentication supplicant entity is the entity that requests authentication before accessing the WLAN; it resides in the STA (station, i.e. the terminal). The authenticator entity provides the identity authentication operation for the authentication supplicant entity before it accesses the WLAN; it generally resides in the AP (access point) or in the STA. The authentication service entity provides certificate authentication services to the authenticator entity and the authentication supplicant entity; it generally resides in the Authentication Service Unit (ASU, also called the authentication server).
When a terminal accesses the WLAN, it first performs 802.11 link negotiation with the AP; the AP then triggers the WAI identity authentication and key management procedure for the terminal and cooperates with the authentication server to complete bidirectional identity authentication with the terminal. After authentication has passed, the AP performs session key negotiation with the terminal and uses the negotiated session key to provide WPI-based link-layer encryption and decryption services for the terminal.
WAI authentication and key management come in two types: certificate-based and pre-shared-key-based. In the certificate-based mode, the wireless station hosting the authentication supplicant entity (i.e. the terminal) carries its own WAPI certificate in the access authentication request; the authenticator entity (generally the AP) decides, according to the information in the authentication request or to local policy, whether to verify the certificate locally or to hand verification over to the authentication service unit (authentication server), and thereby completes the authentication of the authentication supplicant (the terminal) by the authenticator entity (the AP).
When certificate-based authentication and key management are used, WAPI builds a Public Key Infrastructure (PKI) within the WLAN, in which the authentication service unit (authentication server) plays the role of the PKI's Certificate Authority (CA). When X.509 v3 certificates are used as WAPI certificates, the authentication service unit must also provide functions such as certificate application, issuance, periodic publication of certificate revocation lists, and responding to user certificate revocation.
In general, WAPI certificate application, revocation and issuance of the corresponding private key are all carried out offline, so as to avoid theft or tampering during transmission. A WAPI certificate becomes invalid once its validity period expires, and the user must actively renew it offline. However, because the user cannot know when the certificate will expire and cannot actively detect the certificate status, the user only learns that the certificate has expired after access authentication fails, and only then renews the certificate.
Summary of the invention
The technical problem to be solved by the present invention is to overcome the deficiencies of the prior art by providing a method for obtaining certificate status information and a certificate status management system, so that a terminal can obtain the status information of its WAPI certificate in time and, according to that status information, perform operations such as renewal of the WAPI certificate in time.
To solve the above problem, the invention provides a method for obtaining certificate status information, comprising:
a terminal sends a subscription request for the status information of its WAPI certificate to the authentication server of the wireless local area network, in order to obtain that status information;
after receiving the subscription request, if the authentication server determines that the terminal is entitled to obtain the status information of the WAPI certificate, then:
the status information of the WAPI certificate obtained by query when the subscription request was received is included in a notification message sent to the terminal, and/or
within the validity period of the subscription, when the status of the WAPI certificate changes, the status information of the WAPI certificate is included in a notification message sent to the terminal.
In addition, the WAPI certificate contains acquisition-mode indication information and the address information of the authentication server;
the terminal sends the subscription request to the authentication server using the status information acquisition mode specified by the acquisition-mode indication information and the address information;
the status information acquisition mode comprises Session Initiation Protocol (SIP) signalling and/or short message (SMS).
In addition, if the status information acquisition mode specified by the acquisition-mode indication information is SIP signalling, the address information is the SIP address and port number of the authentication server;
the terminal uses the SIP address and port number to register with the authentication server, and sends the subscription request by SIP signalling only after registration has succeeded.
In addition, the terminal registers with the authentication server by the following steps:
the terminal uses the SIP address and port number to send a SIP registration request message to the authentication server;
after receiving the registration request message, the authentication server returns a SIP 401 response message to the terminal, which contains an authentication field;
after receiving the 401 response message, the terminal uses the authentication field to calculate authentication information and includes it in a SIP registration request message sent to the authentication server;
after receiving the registration request message containing the authentication information, the authentication server determines from the authentication information whether authentication of the terminal succeeds; if so, it returns a response message indicating successful registration to the terminal, otherwise it returns a response message indicating registration failure to the terminal.
In addition, if the status information acquisition mode specified by the acquisition-mode indication information is short message, the address information is the SMS receiving number of the authentication server;
the terminal uses the SMS receiving number to send the subscription request to the authentication server by short message, and the authentication server sends the notification message containing the status information to the terminal by short message.
The present invention also provides a certificate status management system comprising a terminal, a communications platform and an authentication server. The terminal is provided with a certificate status acquisition module and a first communication unit; the authentication server is provided with a certificate status management module and a second communication unit; the communications platform is used for exchanging information between the first communication unit and the second communication unit. Wherein:
the certificate status acquisition module is used to send, through the first communication unit, a subscription request for the status information of the WAPI certificate;
the first communication unit is used to send the subscription request to the second communication unit through the communications platform;
the certificate status management module is used to determine, after receiving the subscription request through the second communication unit, whether the terminal is entitled to obtain the status information of the WAPI certificate, and if it determines that the terminal is so entitled, then:
the certificate status management module includes the status information of the WAPI certificate obtained by query when the subscription request was received in a notification message and sends it to the certificate status acquisition module through the second communication unit, the communications platform and the first communication unit in turn, and/or
within the validity period of the subscription, when the status of the WAPI certificate changes, the certificate status management module includes the status information of the WAPI certificate in a notification message and sends it to the certificate status acquisition module through the second communication unit, the communications platform and the first communication unit in turn.
In addition, the first communication unit comprises a first SIP module; the second communication unit comprises a second SIP module; the communications platform comprises an access point (AP);
the certificate status acquisition module sends the subscription request to the certificate status management module through the first SIP module, the AP and the second SIP module in turn.
In addition, the certificate status management module sends the notification message to the certificate status acquisition module through the second SIP module, the AP and the first SIP module in turn.
In addition, the first communication unit further comprises a first SMS module; the second communication unit further comprises a second SMS module; the communications platform further comprises an SMS centre;
the certificate status management module sends the notification message to the certificate status acquisition module through the second SMS module, the SMS centre and the first SMS module in turn.
In addition, the first communication unit comprises a first SMS module; the second communication unit comprises a second SMS module; the communications platform comprises an SMS centre;
the certificate status acquisition module sends the subscription request to the certificate status management module through the first SMS module, the SMS centre and the second SMS module in turn;
the certificate status management module sends the notification message to the certificate status acquisition module through the second SMS module, the SMS centre and the first SMS module in turn.
In summary, by initiating a subscription to the status information of the WAPI certificate, the present invention enables the terminal to obtain that status information actively and in real time, and to perform operations such as certificate renewal in time according to it, which is convenient for the user.
Description of drawings
Fig. 1 is a schematic diagram of the certificate status management structure of the WAPI certificate according to an embodiment of the invention;
Fig. 2 is a schematic structural diagram of the certificate status management system according to an embodiment of the invention;
Fig. 3 is a flow chart of the method for obtaining certificate status according to the first embodiment of the invention;
Fig. 4 is a schematic diagram of the data structure of certificate status information according to an embodiment of the invention;
Fig. 5 is a flow chart of the method for obtaining certificate status according to the second embodiment of the invention.
Embodiments
The core idea of the present invention is that the terminal sends a certificate status subscription request to the authentication service unit (hereinafter the authentication server) to obtain the status information of its WAPI certificate; after receiving the request, the authentication server includes the status information of this terminal's WAPI certificate in a notification message sent to the terminal, and/or, within the validity period of the subscription, whenever the status of this terminal's WAPI certificate changes, includes the corresponding status information in a notification message sent to the terminal.
So that the terminal knows whether it can obtain the status information of its WAPI certificate, and the address to use for doing so (i.e. the address of the authentication server), the invention adds a certificate status management structure to the extension field of the WAPI certificate issued to the user. As shown in Fig. 1, the certificate status management structure contains: a certificate status management flag, a status acquisition mode and address information. Wherein:
The certificate status management flag field indicates whether the WAPI certificate supports status management, i.e. whether the status information of the WAPI certificate can be obtained. For example, a value of 1 indicates that the terminal can obtain the status information of the WAPI certificate, and a value of 0 indicates that it cannot.
The status acquisition mode field indicates the mode by which the status information of the WAPI certificate can be obtained. For example, a value of 0 indicates that the status information can be obtained by short message; a value of 1 indicates that it can be obtained by SIP (Session Initiation Protocol) signalling; a value of 2 indicates that both of the above acquisition modes are supported. If further modes of obtaining the status information of the WAPI certificate exist, the values of this field can be extended.
The address information field indicates the address used to obtain the status information of the WAPI certificate. When the short message mode is used, the address information field stores the SMS receiving number of the authentication server; when the SIP signalling mode is used, it stores the SIP address and port number of the authentication server. If several modes of obtaining the status information are supported at the same time, the address information field must contain the address information corresponding to each of them.
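The structure described above, as an added example that is not part of the patent: a terminal-side decoder for the certificate status management structure that rejects malformed or truncated extensions, plus the acquisition-mode selection the text describes for certificates that support both modes. The byte layout (flag, mode, length-prefixed address strings) and all sample numbers and hosts are this example's assumptions; the patent fixes no encoding.

```python
from dataclasses import dataclass
from typing import Optional

# Values of the status acquisition mode field, as given in the text.
SMS, SIP, BOTH = 0, 1, 2


@dataclass
class CertStatusMgmt:
    """The three fields of the certificate status management structure."""
    enabled: bool                # certificate status management flag: 1 = yes, 0 = no
    mode: int                    # SMS, SIP or BOTH
    sms_number: Optional[str]    # authentication server's SMS receiving number
    sip_address: Optional[str]   # authentication server's SIP address
    sip_port: Optional[int]      # authentication server's SIP port


def encode(enabled, mode, sms_number=None, sip_address=None, sip_port=None):
    """Constructed layout (an assumption, the patent fixes none):
    flag (1 byte) | mode (1 byte) | one length-prefixed UTF-8 string per
    supported mode, SMS number first, then 'host:port' for SIP."""
    out = bytes([1 if enabled else 0, mode])

    def put(s):
        b = s.encode("utf-8")
        return bytes([len(b)]) + b

    if mode in (SMS, BOTH):
        out += put(sms_number)
    if mode in (SIP, BOTH):
        out += put("%s:%d" % (sip_address, sip_port))
    return out


def decode(blob):
    """Parse the structure, rejecting anything malformed: a terminal
    should not act on a flag, mode or address it could not fully read."""
    if len(blob) < 2:
        raise ValueError("structure too short")
    flag, mode = blob[0], blob[1]
    if flag not in (0, 1) or mode not in (SMS, SIP, BOTH):
        raise ValueError("unknown flag or acquisition mode value")
    pos = 2

    def take():
        nonlocal pos
        if pos >= len(blob):
            raise ValueError("address information missing")
        n = blob[pos]
        s = blob[pos + 1:pos + 1 + n]
        if len(s) != n:
            raise ValueError("address information truncated")
        pos += 1 + n
        return s.decode("utf-8")

    sms_number = sip_address = sip_port = None
    if mode in (SMS, BOTH):
        sms_number = take()
    if mode in (SIP, BOTH):
        host, sep, port = take().rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError("SIP address must be host:port")
        sip_address, sip_port = host, int(port)
    if pos != len(blob):
        raise ValueError("trailing bytes after address information")
    return CertStatusMgmt(flag == 1, mode, sms_number, sip_address, sip_port)


def choose_mode(info, has_sip_module, has_sms_module, prefer_sip=True):
    """Terminal-side selection described in the text: status management
    must be enabled, the terminal must have a module for the mode, and
    when both modes remain the terminal's default priority decides.
    Returns "sip", "sms" or None."""
    if not info.enabled:
        return None
    candidates = []
    if info.mode in (SIP, BOTH) and has_sip_module:
        candidates.append("sip")
    if info.mode in (SMS, BOTH) and has_sms_module:
        candidates.append("sms")
    if not candidates:
        return None
    preferred = "sip" if prefer_sip else "sms"
    return preferred if preferred in candidates else candidates[0]
```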
The present invention is described below with reference to the drawings and embodiments.
Fig. 2 is a schematic structural diagram of the certificate status management system according to an embodiment of the invention. As shown in Fig. 2, the system comprises a terminal, a communications platform and an authentication server.
The terminal is provided with a certificate status acquisition module and a first communication unit. To support different certificate status information acquisition modes, the first communication unit may comprise a first SMS module and a first SIP module.
The certificate status acquisition module is used to learn, from the certificate status management structure of the WAPI certificate, whether certificate status information can be obtained, the mode to be used for obtaining it, and the address information required to obtain it; to send a subscription request for certificate status information to the authentication server through the first communication unit (the first SMS module or the first SIP module); and, after receiving through the first communication unit (the first SMS module or the first SIP module) the notification message sent by the authentication server, to parse the certificate status information of the WAPI certificate from that notification message and to act on it accordingly.
If the WAPI certificate supports both certificate status information acquisition modes, the certificate status acquisition module can select which mode to use according to whether the terminal is provided with the first SIP module and the first SMS module and according to the terminal's default priority.
In addition, if the subscription request is sent by SIP signalling, the certificate status acquisition module first needs to register with the authentication server through the first communication unit (the first SIP module), and sends the subscription request only after registration succeeds.
The authentication server is provided with a certificate status management module and a second communication unit. To support different certificate status information acquisition modes, the second communication unit may comprise a second SMS module and a second SIP module.
The certificate status management module is used to receive, through the second communication unit (the second SMS module or the second SIP module), the subscription request for certificate status information sent by the terminal, and to determine whether that terminal is entitled to send the subscription request; if it is, the module includes the corresponding certificate status information in a notification message and sends it to the terminal through the second communication unit (the second SMS module or the second SIP module).
In addition, before receiving a subscription request sent by the terminal by SIP signalling, the authentication server also needs to process the registration request sent by the terminal, so as to complete the terminal's registration.
Depending on the certificate status information acquisition mode, the communications platform may comprise an AP and/or an SMS centre, used for exchanging information between the terminal and the authentication server (i.e. between the first communication unit and the second communication unit). The AP is used for exchanging SIP signalling between the terminal and the authentication server (i.e. between the first SIP module and the second SIP module), and the SMS centre is used for exchanging short messages between the terminal and the authentication server (i.e. between the first SMS module and the second SMS module).
The specific functions of the above system are described in detail below in conjunction with the method embodiments of the invention.
The first method embodiment
Fig. 3 is the acquisition methods flow chart of first embodiment of the invention certificate status, and in the present embodiment, terminal is obtained the state information (abbreviation certificate status information) of WAPI certificate by the SIP signaling method; As shown in Figure 3, this method comprises:
301: terminal is resolved the certificate status managerial structure body in the WAPI certificate, certificate status management identification field by this structure is known the certificate status information that can obtain this WAPI certificate, know by the state obtain manner field of this structure and can adopt the SIP signaling method to obtain certificate status information, know by the address information field of this structure and obtain required sip address of certificate status information and port numbers.
302: at first need to register when obtaining certificate status information to authentication server owing to employing SIP signaling method, therefore terminal is differentiated in the identity of finishing WAPI, success inserts after the WLAN (wireless local area network), uses above-mentioned sip address and port numbers to send register requirement (REGISTER) message of SIP to authentication server by WLAN (wireless local area network) (promptly passing through AP).
303: after receiving above-mentioned login request message, authentication server returns 401 response messages by WLAN (wireless local area network) to terminal, requires this user is carried out the authentication of operation layer; Wherein, comprise authentication field (its value can be the random number that authentication server generates) in 401 response messages.
304: after receiving 401 response messages, terminal calculates corresponding authentication information according to the authentication field that comprises in this message, and it is included in the login request message of SIP issues authentication server by WLAN (wireless local area network).
305: after receiving the above-mentioned login request message that comprises authentication information, authentication server is judged this user according to the authentication information that comprises in this message, and whether authentication is successful, if subscription authentication success, then return the 200 OK message of SIP to terminal, the success of expression endpoint registration by WLAN (wireless local area network); If subscription authentication failure is then returned the response message (not shown) of registration failure by WLAN (wireless local area network) to terminal, this flow process finishes.
306: after succeeding in registration, terminal is by the subscribe request (for example, the SUBSCRIBE of SIP (subscription) request) of WLAN (wireless local area network) to authentication server transmission certificate status information, and the segment of this request message is as follows:
SUBSCRIBE?sip:[email protected]?SIP/2.0
…?…
Accept:application/cert-status
Expires:3600
Event:cert-status
…?…
Wherein, the request row of the first behavior sip message of above-mentioned subscribe message; The Accept field indicates the form of message body in the notification message after subscribing to successfully, and (in the present embodiment, the name of form is called: application/cert-status); The Expires field is represented effective duration of this subscription; The Event field is represented this events subscribed type.The value of these three fields can be done concrete definition as required.
The concrete implication of each field and form please refer to corresponding document in the sip message.
307: after authentication server is received above-mentioned subscription request message, search user information corresponding according to the user account number that comprises in this message (being " username " in the request row of sip message), whether opened certificate status management service (judging promptly whether this user has the right to subscribe to/obtain certificate status information) to determine respective user: if this user does not open the certificate status management service, then return the response message (not shown) of subscribing to failure by WLAN (wireless local area network) to terminal, this flow process finishes; If this user has opened the certificate status management service, then return the 200 OK message of SIP to terminal by WLAN (wireless local area network), this user's subscribe request (promptly subscribing to successfully) is accepted in expression.
308: authentication server returns NOTIFY (notice) message of SIP to terminal after the subscribe request of having accepted the terminal use, notify the user current certificate status; The segment of notification message is as follows:
NOTIFY?sip:[email protected]?SIP/2.0
Event:cert-status
Subscription-Status:active
Content-Type:application/cert-status
Content-Length:...
<cert?id=12345678>
<cert-status>
active
</cert-status>
</cert>
In this message the Event field is identical to the Event field of the subscription request; the Content-Type field is identical to the Accept field of the subscription request; the Content-Length field gives the length of the NOTIFY body; and Subscription-Status gives the state of the subscription this NOTIFY belongs to: the value "active" means the subscription is still valid, any other value means the subscription is no longer valid and this NOTIFY is the last notification for it. (The corresponding header in the SIP event framework of RFC 3265 is named Subscription-State; the name used here follows the patent text.)
The NOTIFY message body carries the status information of the certificate. As shown in Figure 4, the certificate status information can include: certificate ID (identifier), current certificate status, certificate validity period, certification authority, and an extension field.
The current status of a certificate can be: valid, expired, about to expire, and so on.
The NOTIFY body above is only illustrative and carries just the certificate ID (12345678) and the current status (active, i.e. valid).
309: After receiving the NOTIFY, the terminal extracts and parses the certificate status information from the message body. If the status information shows that the WAPI certificate is about to expire, the terminal prompts the user to renew the WAPI certificate in time; if it shows that the WAPI certificate has expired, the terminal disconnects the current wireless LAN link and re-joins the wireless LAN only after the certificate has been renewed.
Thereafter, for as long as the subscription is valid, whenever the state of this WAPI certificate changes the authentication server sends the terminal a NOTIFY carrying the certificate status information. Such a NOTIFY may carry only the fields that changed; for example, when the validity period of the WAPI certificate is extended or shortened, the authentication server may send the terminal only the changed validity-period field.
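The terminal side of steps 308 and 309, as an added worked example in Python (it is not part of the patent and not ZTE code). It parses a NOTIFY of the shape shown in step 308, checks the Event, Content-Type and Content-Length fields against the subscription as described above, merges a change notification that carries only the changed fields into the stored status, reads the subscription status, and maps the certificate state to the action of step 309. Assumed rather than taken from the page: the status spellings "expiring" and "expired", the "validity" tag, the placeholder SIP URI, the constructed sample messages, and the SIP response codes (200, 400, 415, 481), which follow standard SIP practice rather than the patent text.

```python
"""Terminal-side handling of a certificate-status NOTIFY (added example, not
from the patent).  Header names and the <cert>/<cert-status> body follow the
step-308 fragment; everything marked as assumed is illustrative."""
import re
from typing import Dict, Tuple

SUBSCRIBED_EVENT = "cert-status"           # Event value the terminal put in its SUBSCRIBE
ACCEPTED_TYPE = "application/cert-status"  # Accept value the terminal put in its SUBSCRIBE

# Assumed spellings: "active" is shown on the page; "expiring" and "expired"
# stand for the "about to expire" and "expired" states it names.
ACTION_FOR_STATUS = {"active": "none", "expiring": "prompt_renew", "expired": "disconnect"}

# <cert id=12345678> on the page has an unquoted attribute, so a plain regex is
# used rather than an XML parser; quoted ids are accepted as well.
CERT_RE = re.compile(r'<cert\s+id="?(?P<id>[^\s">]+)"?\s*>(?P<inner>.*?)</cert>', re.S)
FIELD_RE = re.compile(r"<(?P<tag>[\w-]+)>\s*(?P<val>.*?)\s*</(?P=tag)>", re.S)


def build_notify(sub_status: str, body: str) -> str:
    """Constructed NOTIFY in the shape of the step-308 fragment (sample data;
    the URI is a placeholder, the Content-Length is filled in properly)."""
    return (
        "NOTIFY sip:terminal@example.invalid SIP/2.0\r\n"
        f"Event: {SUBSCRIBED_EVENT}\r\n"
        f"Subscription-Status: {sub_status}\r\n"
        f"Content-Type: {ACCEPTED_TYPE}\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        "\r\n" + body
    )


def parse_sip(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a SIP message into start line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_cert_body(body: str) -> Tuple[str, Dict[str, str]]:
    """Return (certificate id, {field tag: value}) from a cert-status body."""
    m = CERT_RE.search(body)
    if m is None:
        raise ValueError("no <cert> element in body")
    fields = {f.group("tag"): f.group("val") for f in FIELD_RE.finditer(m.group("inner"))}
    return m.group("id"), fields


def new_state(cert_id: str) -> dict:
    """Per-subscription state; cert_id is the id of the terminal's own WAPI certificate."""
    return {"cert_id": cert_id, "subscribed": True, "fields": {}}


def handle_notify(raw: str, state: dict) -> Tuple[int, str]:
    """Process one NOTIFY.  Returns (SIP response code, terminal action); the
    codes follow standard SIP practice (200 accepted, 400 malformed, 415 body
    type not what we accept, 481 no matching subscription), not the patent."""
    start, headers, body = parse_sip(raw)
    if not (start.startswith("NOTIFY ") and start.endswith(" SIP/2.0")):
        return 400, "reject"
    # The Event must equal the Event of our SUBSCRIBE; anything else belongs
    # to a subscription this terminal never made and must not change its state.
    if headers.get("event") != SUBSCRIBED_EVENT:
        return 481, "reject"
    if headers.get("content-type") != ACCEPTED_TYPE:
        return 415, "reject"
    declared = headers.get("content-length")
    if declared is not None and (not declared.isdigit() or int(declared) != len(body.encode())):
        return 400, "reject"
    try:
        cert_id, fields = parse_cert_body(body)
    except ValueError:
        return 400, "reject"
    if cert_id != state["cert_id"]:
        return 200, "ignore"            # well-formed, but not about our certificate
    state["fields"].update(fields)      # a change NOTIFY may carry only the changed fields
    sub_status = headers.get("subscription-status", "active").split(";")[0].strip().lower()
    if sub_status != "active":
        state["subscribed"] = False     # last NOTIFY of this subscription
    status = state["fields"].get("cert-status", "").lower()
    return 200, ACTION_FOR_STATUS.get(status, "unknown")
```

The state is keyed on the terminal's own certificate ID so that a well-formed NOTIFY about some other certificate is acknowledged but never changes what the terminal believes about its own; a NOTIFY whose Event does not match the outstanding subscription is refused outright.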
Second method embodiment
Fig. 5 is a flowchart of the certificate status acquisition method of the second embodiment of the invention, in which the terminal obtains certificate status information by SMS. As shown in Fig. 5, the method comprises:
501: The terminal parses the certificate status management structure in the WAPI certificate. From the certificate status management identification field of that structure it learns that status information for this certificate can be obtained; from the acquisition-mode field it learns that SMS can be used to obtain the status information; and from the address information field it learns the SMS receiving number of the authentication server.
502: The terminal sends an SMS subscribing to certificate status information to the SMS receiving number of the authentication server, via the SMS center.
503: After receiving the subscription SMS, the authentication server first looks up the user record for the sender number of the SMS and determines whether that user has activated the certificate status management service (i.e. whether the user is entitled to subscribe to and obtain certificate status information). If not, the server sends the terminal, via the SMS center, an SMS carrying a subscription-failure response (not shown) and the flow ends; if so, it sends the terminal, via the SMS center, an SMS carrying a subscription-success response.
504: The authentication server queries the status information of the user's WAPI certificate, places it in an SMS and sends it to the terminal via the SMS center.
In this embodiment the certificate status information can also use the data format shown in Figure 4.
505: After receiving the SMS carrying the certificate status information, the terminal parses the certificate status out of it; if the status shows that the WAPI certificate is about to expire or has expired, the terminal prompts the user to renew the certificate in time.
Thereafter, for as long as the subscription is valid, whenever the state of the certificate changes the authentication server sends the terminal an SMS carrying the certificate status information.
Based on the principles of the invention, the embodiments above admit several variants, for example:
The terminal sends the subscription request by SIP signaling, while the authentication server sends the notification messages carrying certificate status information to the terminal by SMS. In that case the SMS receiving number corresponding to the user/terminal must be stored in advance on the authentication server.
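The authentication server's side of steps 307 and 308, of steps 503 and 504, of the change notifications that follow them, and of the SIP-subscribe/SMS-notify variant just described, as an added worked example in Python (it is not part of the patent and not ZTE code). Subscribers are authorised by SIP account name or by SMS sender number as the two embodiments describe; the first notification carries the whole Figure 4 record, a later status change pushes only the changed fields, and a subscription that reaches the end of its validity period is closed with a final notification whose subscription status is no longer "active". Assumed rather than taken from the page: the user records, the subscription lifetime, the value "terminated", the field name "validity", the SMS response wording, and the outbox list that stands in for actual SIP and SMS transmission.

```python
"""Certificate status management module on the authentication server (added
example, not from the patent).  Records appended to `outbox` stand in for
SIP and SMS messages actually sent through the communications platform."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class UserRecord:
    account: str                  # SIP username, matched in step 307
    sms_number: str               # SMS sender number, matched in step 503; also the
                                  # stored number the SIP-subscribe/SMS-notify variant needs
    sip_uri: str
    cert_id: str
    service_enabled: bool         # user has activated certificate status management
    cert_fields: Dict[str, str]   # current Figure 4 record (cert-status, validity, ...)


@dataclass
class Subscription:
    account: str
    notify_via: str               # "sip" or "sms"
    expires_at: float
    active: bool = True


def render_body(cert_id: str, fields: Dict[str, str]) -> str:
    """Body in the shape of the step-308 fragment; a delta carries only changed fields."""
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return f"<cert id={cert_id}>{inner}</cert>"


class CertStatusManager:
    def __init__(self, users: List[UserRecord]):
        self.by_account = {u.account: u for u in users}
        self.by_number = {u.sms_number: u for u in users}
        self.subs: Dict[str, Subscription] = {}
        # (transport, destination, kind, payload); kind is "response" or "notify"
        self.outbox: List[Tuple[str, str, str, str]] = []

    def _address(self, user: UserRecord, via: str) -> str:
        return user.sip_uri if via == "sip" else user.sms_number

    def _notify(self, user: UserRecord, sub: Subscription,
                fields: Dict[str, str], sub_status: str) -> None:
        payload = f"Subscription-Status: {sub_status}\n" + render_body(user.cert_id, fields)
        self.outbox.append((sub.notify_via, self._address(user, sub.notify_via), "notify", payload))

    def subscribe(self, transport: str, identity: str, now: float,
                  notify_via: Optional[str] = None, lifetime: float = 3600.0) -> bool:
        """Steps 307/503: authorise the subscriber, answer, then send the current status."""
        user = self.by_account.get(identity) if transport == "sip" else self.by_number.get(identity)
        if user is None or not user.service_enabled:
            self.outbox.append((transport, identity, "response", "subscription failed"))
            return False
        via = notify_via or transport     # notify_via="sms" with transport="sip" is the variant
        sub = Subscription(user.account, via, now + lifetime)
        self.subs[user.account] = sub
        self.outbox.append((transport, self._address(user, transport), "response",
                            "200 OK" if transport == "sip" else "subscription succeeded"))
        self._notify(user, sub, dict(user.cert_fields), "active")   # step 308 / 504: full record
        return True

    def on_status_change(self, cert_id: str, changed: Dict[str, str], now: float) -> int:
        """Update the stored record and push only the changed fields to live subscribers."""
        sent = 0
        for user in self.by_account.values():
            if user.cert_id != cert_id:
                continue
            user.cert_fields.update(changed)
            sub = self.subs.get(user.account)
            if sub and sub.active and now < sub.expires_at:
                self._notify(user, sub, changed, "active")
                sent += 1
        return sent

    def expire(self, now: float) -> int:
        """Close subscriptions past their lifetime with a final, non-active notification."""
        closed = 0
        for sub in self.subs.values():
            if sub.active and now >= sub.expires_at:
                sub.active = False
                user = self.by_account[sub.account]
                self._notify(user, sub, dict(user.cert_fields), "terminated")
                closed += 1
        return closed
```

Authorisation happens before any status is disclosed, and the lookup key differs by transport (account name for SIP, sender number for SMS) exactly as steps 307 and 503 differ; a status change after a subscription has lapsed updates the stored record but sends nothing.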

Claims (10)

1. A method for obtaining certificate status information, characterized in that the method comprises:
a terminal sends an authentication server a subscription request for the status information of its wireless LAN authentication and privacy infrastructure (WAPI) certificate, in order to obtain the status information of that WAPI certificate;
after receiving the subscription request, if the authentication server judges that the terminal is entitled to obtain the status information of the WAPI certificate, then:
the authentication server includes the status information of the WAPI certificate, as queried at the time the subscription request was received, in a notification message sent to the terminal; and/or
during the validity period of the subscription, whenever the state of the WAPI certificate changes, the authentication server includes the status information of that WAPI certificate in a notification message sent to the terminal.
2. The method of claim 1, characterized in that:
the WAPI certificate contains acquisition-mode indication information and the address information of the authentication server;
the terminal sends the subscription request to the authentication server using the status information acquisition mode specified by the acquisition-mode indication information and the address information;
the status information acquisition mode comprises: Session Initiation Protocol (SIP) signaling and/or SMS.
3. The method of claim 2, characterized in that:
if the status information acquisition mode specified by the acquisition-mode indication information is SIP signaling, the address information is the SIP address and port number of the authentication server;
the terminal uses the SIP address and port number to register with the authentication server, and sends the subscription request by SIP signaling only after registering successfully.
4. The method of claim 3, characterized in that the terminal registers with the authentication server by the following steps:
the terminal sends a SIP registration request message to the authentication server using the SIP address and port number;
after receiving the registration request message, the authentication server returns a SIP 401 response message, containing an authentication field, to the terminal;
after receiving the 401 response message, the terminal computes authentication information from the authentication field and includes it in a SIP registration request message sent to the authentication server;
after receiving the registration request message containing the authentication information, the authentication server determines from the authentication information whether the terminal has authenticated successfully; if so, it returns a registration-success response message to the terminal, otherwise it returns a registration-failure response message to the terminal.
5. The method of claim 2, characterized in that:
if the status information acquisition mode specified by the acquisition-mode indication information is SMS, the address information is the SMS receiving number of the authentication server;
the terminal sends the subscription request to the authentication server by SMS using the SMS receiving number, and the authentication server sends the notification message carrying the status information to the terminal by SMS.
6. A certificate status management system, comprising a terminal, a communications platform and an authentication server; the terminal is provided with a certificate status acquisition module and a first communication unit; the authentication server is provided with a certificate status management module and a second communication unit; the communications platform is used to exchange information between the first communication unit and the second communication unit; wherein:
the certificate status acquisition module is used to send, through the first communication unit, a subscription request for the status information of a WAPI certificate;
the first communication unit is used to send the subscription request to the second communication unit through the communications platform;
the certificate status management module is used, after receiving the subscription request through the second communication unit, to judge whether the terminal is entitled to obtain the status information of the WAPI certificate, and if it judges that the terminal is so entitled, then:
the certificate status management module includes the status information of the WAPI certificate, as queried when the subscription request was received, in a notification message and sends it to the certificate status acquisition module through the second communication unit, the communications platform and the first communication unit in turn; and/or
during the validity period of the subscription, whenever the state of the WAPI certificate changes, the certificate status management module includes the status information of that WAPI certificate in a notification message and sends it to the certificate status acquisition module through the second communication unit, the communications platform and the first communication unit in turn.
7. The system of claim 6, characterized in that:
the first communication unit comprises a first SIP module; the second communication unit comprises a second SIP module; the communications platform comprises an access point (AP);
the certificate status acquisition module sends the subscription request to the certificate status management module through the first SIP module, the AP and the second SIP module in turn.
8. The system of claim 7, characterized in that:
the certificate status management module sends the notification message to the certificate status acquisition module through the second SIP module, the AP and the first SIP module in turn.
9. The system of claim 7, characterized in that:
the first communication unit further comprises a first SMS module; the second communication unit further comprises a second SMS module; the communications platform further comprises an SMS center;
the certificate status management module sends the notification message to the certificate status acquisition module through the second SMS module, the SMS center and the first SMS module in turn.
10. The system of claim 6, characterized in that:
the first communication unit comprises a first SMS module; the second communication unit comprises a second SMS module; the communications platform comprises an SMS center;
the certificate status acquisition module sends the subscription request to the certificate status management module through the first SMS module, the SMS center and the second SMS module in turn;
the certificate status management module sends the notification message to the certificate status acquisition module through the second SMS module, the SMS center and the first SMS module in turn.
Priority Applications (2)

Application Number | Priority Date | Filing Date | Title
CN2009101405004A (CN101568116B, granted; expired, fee related) | 2009-05-19 | 2009-05-19 | Method for obtaining certificate state information and certificate state management system
PCT/CN2009/075526 (WO2010133073A1) | 2009-05-19 | 2009-12-11 | Method for obtaining certificate state information and system for managing certificate state

Publications (2)

Publication Number | Publication Date
CN101568116A | 2009-10-28
CN101568116B | 2011-03-02

Family: ID=41284004 (one family application, CN2009101405004A)

Country Status (2)

Country | Publication
CN | CN101568116B
WO | WO2010133073A1

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101568116B * | 2009-05-19 | 2011-03-02 | 中兴通讯股份有限公司 (ZTE Corp) | Method for obtaining certificate state information and certificate state management system
CN101895884B * | 2010-06-29 | 2012-12-12 | 北京星网锐捷网络技术有限公司 (Beijing Star-Net Ruijie Networks Technology) | Method, system and device for updating WAPI certificate
CN102131185A * | 2011-03-16 | 2011-07-20 | 宇龙计算机通信科技(深圳)有限公司 (Yulong Computer Telecommunication Scientific (Shenzhen)) | Method and device for updating wireless local area network (WLAN) authentication and privacy infrastructure (WAPI) certificate of authorization
US9338159B2 * | 2012-03-19 | 2016-05-10 | Nokia Technologies Oy | Method and apparatus for sharing wireless network subscription services
CN107766716B * | 2016-08-16 | 2021-08-31 | 阿里巴巴集团控股有限公司 (Alibaba Group Holding) | Certificate detection method and device and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1805441A * | 2005-11-23 | 2006-07-19 | 西安电子科技大学 (Xidian University) | Integrated WLAN authentication architecture and method of implementing structural layers
CN1953445A * | 2005-10-21 | 2007-04-25 | 北京中电华大电子设计有限责任公司 (Beijing CEC Huada Electronic Design) | A method and installation to resolve the safety problem for certificate cancellation in WAPI
CN101282215A * | 2008-05-29 | 2008-10-08 | 杭州华三通信技术有限公司 (Hangzhou H3C Technologies) | Method and apparatus for distinguishing certificate

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1672380B * | 2002-03-20 | 2010-08-18 | 捷讯研究有限公司 (Research In Motion) | System and method for checking digital certificate status
CN100365981C * | 2004-05-17 | 2008-01-30 | 华为技术有限公司 (Huawei Technologies) | A charging method based on WLAN authentication and privacy infrastructure certificate
US20090113543A1 * | 2007-10-25 | 2009-04-30 | Research In Motion Limited | Authentication certificate management for access to a wireless communication device
CN101568116B * | 2009-05-19 | 2011-03-02 | 中兴通讯股份有限公司 (ZTE Corp) | Method for obtaining certificate state information and certificate state management system


Also Published As

Publication number | Publication date
WO2010133073A1 | 2010-11-25
CN101568116A | 2009-10-28


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110302

Termination date: 20210519