CN101969639B - Multi-certificate and multi-certification mode combined access authentication method and system - Google Patents

Info

Publication number
CN101969639B
Authority
CN
China
Prior art keywords
certificate
server
authentication
user terminal
patterns
Prior art date
Legal status
Expired - Fee Related
Application number
CN201010512679.4A
Other languages
Chinese (zh)
Other versions
CN101969639A (en
Inventor
陈康先
刘娜
罗旭光
张越
杨峰
苏若常
Current Assignee
GCI Science and Technology Co Ltd
Original Assignee
GCI Science and Technology Co Ltd

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention relates to the fields of WLAN Authentication and Privacy Infrastructure (WAPI) and communication access authentication, and provides a multi-certificate and multi-authentication-mode combined access authentication method and a corresponding system. The system comprises an authentication server (AS), a WLAN access point (AP), a user terminal (STA) and a certificate authority (CA). The method comprises: when the authentication server (AS) receives a certificate authentication request packet from the WLAN access point (AP), parsing the terminal certificate to obtain the name of its issuer; determining the server certificate trusted by the user terminal STA; and checking the legitimacy of the STA certificate according to the issuer name of that certificate, wherein if the issuer is the certificate authority (CA) a three-certificate mode is determined and access authentication and roaming are performed in the three-certificate mode, and if the issuer is the authentication server (AS) a two-certificate mode is determined and access authentication and roaming are performed in the two-certificate mode.

Description

Access authentication method and system with mixed coexistence of multi-level certificates and multiple authentication modes
Technical field
The present invention relates to the field of WAPI and communication access authentication, and more specifically to an access authentication method and system in which multi-level certificates and multiple certificate authentication modes coexist when a terminal accesses the network during communication.
Background technology
WLAN (Wireless Local Area Network) provides a high-speed wireless data access service and is one of the more popular technologies in today's IT industry. The basic structure of a WLAN consists of an access point (AP), an access controller (AC) and user terminals (STA). Combined with the Internet or the existing authentication server (AS) of another network, the user can obtain mobile data access services through this basic WLAN structure.
WLAN is easy to install, flexible to use and easy to extend, so it is being deployed more and more widely. Because the WLAN channel is open, user data propagating over the air is easily intercepted, maliciously modified and retransmitted, so the security of public WLANs is a problem that must be considered in WLAN development. These security problems have become the biggest obstacle to the adoption of WLAN in information-based applications. In May 2003 China proposed the WLAN standard GB/T 15629.11, which adopts WAPI as the WLAN security mechanism. WAPI (WLAN Authentication and Privacy Infrastructure) consists of the WLAN Authentication Infrastructure (WAI) and the WLAN Privacy Infrastructure (WPI). WAI adopts a public-key certificate system based on elliptic-curve cryptography (ECC) and an access control method based on a ternary (three-party) peer authentication structure, in which the wireless client STA and the access point AP perform mutual identity authentication through the authentication server AS. For the confidentiality of transmitted data, WPI encrypts and decrypts with the symmetric cryptographic algorithm provided by the Office of State Commercial Cryptography Administration, which fully ensures the security of data transmission.
WAPI and the existing pilot projects support only one of the two-certificate and three-certificate schemes; they cannot make the two schemes compatible and coexisting, and can only verify user certificates against a single higher-level server certificate.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method and system for authentication in the local access network and for roaming access authentication during communication that are compatible with both the two-certificate and the three-certificate modes. The method and system are also compatible with multi-level certificates and realize access authentication in which the two-certificate and three-certificate modes coexist, so as to solve the authentication compatibility problem between the two-certificate and three-certificate modes and to improve support for each type of terminal and access network device.
To solve the above technical problem, the technical scheme of the present invention is as follows:
An access authentication method with mixed coexistence of multi-level certificates and multiple authentication modes: when the authentication server AS receives a certificate authentication request packet from the WLAN access device AP, it first parses the terminal certificate, obtains the certificate issuer name, determines the server certificate trusted by the user terminal STA, and decides how the legitimacy of the STA certificate is to be verified according to the issuer name of the STA certificate. If the issuer is the certificate management center CA, the three-certificate mode applies, and access authentication and roaming are carried out according to the three-certificate mode; if the issuer is the authentication server AS, the two-certificate mode applies, and access authentication and roaming are carried out according to the two-certificate mode.
In the above method, the certificate issuing process in the two-certificate mode is: the authentication server AS first generates a self-signed certificate and then issues certificates to the WLAN access device AP and the user terminal STA.
In the above method, the certificate issuing process in the three-certificate mode is: the certificate management center CA issues certificates to the authentication server AS, the WLAN access device AP and the user terminal STA.
The system of the present invention that realizes the above method comprises an authentication server AS, a WLAN access device AP, a user terminal STA and a certificate management center CA interconnected by a network. In the two-certificate mode, the authentication server AS generates a self-signed certificate and then issues certificates to the WLAN access device AP and the user terminal STA; in the three-certificate mode, the certificate management center CA issues certificates to the authentication server AS, the WLAN access device AP and the user terminal STA.
In the above system, the authentication server AS comprises:
a data communication module for receiving and sending data packets carrying certificate data;
a certificate parsing module for parsing certificate information and extracting the data fields to be compared;
a certificate verification module for verifying the legitimacy of certificates and verifying the user certificate, thereby achieving mutual authentication of the identities of the user terminal STA and the WLAN access device AP;
a certificate judging module which, from the parsed certificate information, determines from the issuer field of the certificate under which server certificate the received user certificate was issued, and at the same time determines from that server certificate whether the two-certificate or the three-certificate mode applies.
Compared with the prior art, the beneficial effects of the present invention are:
the present invention realizes both access authentication in which the two-certificate and three-certificate modes coexist and multi-level server certificate authentication, and the system is simple, convenient and reliable.
Description of drawings
Fig. 1 is a schematic diagram of the application architecture;
Fig. 2 shows certificate issuing in the two-certificate mode;
Fig. 3 shows certificate issuing in the three-certificate mode;
Fig. 4 is a schematic diagram of the authentication server AS system framework;
Fig. 5 is a sequence chart of the certificate authentication process;
Fig. 6 is a flow chart of the verification process of the access authentication method with coexisting multi-level multiple certificates and multiple authentication modes.
Embodiment
The present invention is further described in detail below through embodiments with reference to the accompanying drawings.
The system of the present invention that realizes the access authentication method with mixed coexistence of multi-level certificates and multiple authentication modes comprises the following equipment:
WLAN access device (AP): sends a certificate authentication request packet to the authentication server (AS); this request packet contains the certificates of the AP and of the user terminal (STA).
Authentication server (AS): receives the certificate authentication request packet and verifies the legitimacy of the AP; determines whether the STA's certificate is a local certificate, which certificate level it belongs to, and whether the two-certificate or the three-certificate mode applies.
User terminal (STA): holds its own certificate and the trusted server certificate; initiates the authentication request packet to the AP to carry out access authentication.
Certificate management center (CA): provides certificate management functions such as certificate issuing and certificate revocation. It exists in the three-certificate mode; in the two-certificate case, the certificate management functions are handled by the AS itself.
Referring to Fig. 1, the application flow is as follows:
1) the certificate management system issues a certificate to the AS (AS device certificate);
2) the certificate management system issues a certificate to the WLAN access device (WLAN device certificate);
3) the certificate management system issues a certificate to the user terminal (user terminal certificate);
4) the certificates of the user terminal and the WLAN access device are mutually authenticated through the AS;
5) the user terminal accesses the network through the WLAN access device, and data encryption is realized on the air interface.
Referring to Fig. 2 and Fig. 3: Fig. 2 gives the certificate issuing process in the two-certificate mode, in which the AS system first generates a self-signed certificate and then issues certificates to the WLAN access device AP and the user terminal STA.
Fig. 3 gives the certificate issuing process in the three-certificate mode, in which the certificate management center CA issues certificates to the authentication server AS, the WLAN access device AP and the user terminal STA.
It can be seen from the processes of Fig. 2 and Fig. 3 that the AS authentication server of the two-certificate system has both the certificate authentication function and the certificate issuing function of the authentication server AS in the three-certificate mode. That is, in the two-certificate system the authentication server AS has the certificate management function in addition to the certificate authentication function, whereas in the three-certificate system the authentication server AS only provides the authentication service, and certificate issuing is performed by the certificate management center CA.
The access authentication method of the present invention with mixed coexistence of multi-level certificates and multiple authentication modes is as follows: when the authentication server AS receives a certificate authentication request packet from the WLAN access device AP, it first parses the terminal certificate, obtains the certificate issuer name, determines the server certificate trusted by the user terminal STA, and decides how the legitimacy of the STA certificate is to be verified according to the issuer name of the STA certificate. If the issuer is the certificate management center CA, the three-certificate mode applies, and access authentication and roaming are carried out according to the three-certificate mode; if the issuer is the authentication server AS, the two-certificate mode applies, and access authentication and roaming are carried out according to the two-certificate mode.
Fig. 4 is the system framework of the AS server of the present invention, comprising a data communication module 401, a certificate parsing module 402, a certificate verification module 403 and a certificate judging module 404.
The data communication module 401 receives and sends data packets carrying certificate data.
The certificate parsing module 402 parses certificate information and extracts the data fields to be compared.
The certificate verification module 403 verifies the legitimacy of certificates and verifies the user certificate, thereby achieving mutual authentication of the identities of the STA terminal user and the WLAN access device.
The certificate judging module 404 determines, from the issuer field of the parsed certificate information, under which server certificate the received user certificate was issued, and at the same time determines from that server certificate whether the two-certificate or the three-certificate mode applies.
Referring to Fig. 5:
1. Certificate authentication process. The authentication service unit (ASU) is an important part of the WAI authentication infrastructure based on public-key cryptography; its basic function is the effective authentication of user terminal certificates, and the mutual identity authentication of STA and AP is completed through the ASU. The AP provides the STA with a port connected to the ASU and ensures that only a STA that has been authenticated successfully may use the data port provided by the AP to access the network; the STA, through the AP, provides a port connected to the ASU and ensures that it sends and receives data over the data port only once the AP has been authenticated successfully.
As shown in Fig. 5, the AP sends an "authentication activation" to the user terminal STA, and the STA sends its own certificate and the current time to the AP. When the AP receives the "authentication request" submitted by the STA, it adds the STA's certificate, the time and its own certificate to a message, signs it with its own private key as a "certificate authentication request", and sends it to the ASU, which authenticates the two parties to each other. In the two-certificate mode, the STA side must store the authentication server AS certificate and the STA certificate issued by the AS, and the AP side must store the AS certificate and the AP certificate issued by the AS. In the three-certificate mode, the STA side stores the certificate of the certificate issuing center CA, the AS certificate issued by the CA and the STA certificate issued by the CA, and the AP side stores the CA certificate, the AS certificate and the AP certificate issued by the CA. If roaming is needed, the ASU sends a roaming certificate authentication request to the roaming AS or to a directly trusted AS, which performs the roaming processing.
The ASU receives the "certificate authentication request"; after "certificate service confirmation" it performs "certificate verification"; if verification succeeds it proceeds to "mode confirmation", which confirms whether the two-certificate or the three-certificate mode applies; finally it sends a "certificate authentication response" to the AP containing the authentication result of the user terminal STA certificate and the authentication result of the WLAN access device certificate, with the ASU's signature appended. Besides verifying the legitimacy of the certificates, the verification process must also verify the digital signature of the STA.
If the AP's request passes the ASU verification, the ASU sends a "certificate authentication response" to the WLAN access device, containing the authentication result of the user terminal certificate, the authentication result of the AP certificate, and the signature of the ASU.
On receiving the "certificate authentication response", the AP sends an "authentication response" to the STA, likewise containing the authentication result of the user terminal certificate, the authentication result of the AP certificate, and the signature of the ASU. At this point the mutual authentication between the STA terminal and the WLAN access device AP is complete, and key negotiation is carried out on the basis of successful mutual authentication. The security of certificate authentication extends directly to the key negotiation process, so certificate authentication is of the utmost importance.
2. Unicast key negotiation process. Key negotiation is built on the certificate authentication of the previous step.
The WLAN access device AP sends a "unicast key negotiation request" to the STA terminal and waits for the STA's response. Having the AP initiate the key negotiation request avoids, to a certain extent, the waste of WLAN resources that a forged STA terminal would cause.
The STA terminal sends a "unicast key negotiation response" to the WLAN access device and waits for the WLAN device's confirmation.
The WLAN access device AP sends a "unicast key negotiation confirmation" to the STA terminal, confirming the session key now established between the STA terminal and the WLAN access device.
3. On the basis of the above unicast key negotiation, the multicast key notification process is carried out:
After the unicast key negotiation succeeds, the AP sends a "multicast key notification" to the STA and waits for the response of the multicast user STA.
The multicast user STA sends a "multicast key response".
Referring to Fig. 6, the verification process of the access authentication method with coexisting multi-level multiple certificates and multiple authentication modes is:
1) The authentication device AS receives the certificate authentication request packet. The packet contains certificate information and is sent to the authentication server in packet form.
2) The verifying end AS parses the packet and extracts the terminal certificates. In this step the certificates contained in the packet are extracted.
3) Each certificate is parsed with a certificate parser, and its issuer field is read and recorded. If the issuer field is the authentication server AS, the certificate is classified under the two-certificate authentication mode; if the issuer is the certificate authority CA, the certificate is classified under the three-certificate authentication mode.
4) According to the result of step 3), the level of the access authentication server is confirmed, that is, whether the certificate belongs to the two-certificate system or the three-certificate system.
5) The classified certificates are passed to the corresponding certificate authentication and roaming system for authentication. If verification succeeds, access and roaming service are provided; if it fails, service is denied.
Both certificate authentication modes (two-certificate and three-certificate systems) store the corresponding root certificate before receiving the authentication certificate packet: in the two-certificate mode the AS root certificate is stored, and in the three-certificate mode the CA root certificate is stored.
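The decision logic of steps 3) to 5), as an added example that is not part of the patent: an authentication server holding both stored roots reads the issuer field of each certificate in the request, selects the two- or three-certificate mode (or a trusted roaming peer) from it, and then checks the certificate against the root that selection picked. The issuer name only selects the root; acceptance depends on the signature verifying under it, so a certificate whose issuer field names the CA but that was not signed with the CA key is denied. Keys, names and certificates are constructed, and a keyed HMAC stands in for the ECC signature so the example runs with the standard library only.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Mode(Enum):
    TWO_CERT = "two-certificate"      # issuer is an AS self-signed root
    THREE_CERT = "three-certificate"  # issuer is the CA root


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str       # issuer field read in step 3) of the Fig. 6 procedure
    signature: bytes  # stand-in for the ECC signature over the to-be-signed fields


def _tbs(subject: str, issuer: str) -> bytes:
    """To-be-signed bytes; only subject and issuer, to keep the toy format small."""
    return f"{subject}|{issuer}".encode()


def issue(issuer_name: str, issuer_key: bytes, subject: str) -> Cert:
    """Issue a certificate; a keyed HMAC stands in for the root's ECC signature."""
    sig = hmac.new(issuer_key, _tbs(subject, issuer_name), hashlib.sha256).digest()
    return Cert(subject, issuer_name, sig)


class AuthServer:
    """Authentication server that stores both roots (its own AS root and the CA root)."""

    def __init__(self, name: str, as_key: bytes, ca_name: str, ca_key: bytes,
                 roaming_peers: Optional[Dict[str, bytes]] = None) -> None:
        self.name = name
        self.ca_name = ca_name
        # Root material stored before any request arrives (last paragraph of Fig. 6).
        self._roots: Dict[str, bytes] = {name: as_key, ca_name: ca_key}
        self._roots.update(roaming_peers or {})  # trusted peer AS roots, for roaming

    def select_mode(self, cert: Cert) -> Optional[Mode]:
        """Steps 3) and 4): the issuer name selects the mode, hence the root to use."""
        if cert.issuer == self.ca_name:
            return Mode.THREE_CERT
        if cert.issuer in self._roots:  # own AS root or a trusted roaming AS root
            return Mode.TWO_CERT
        return None                     # issuer trusted in neither mode

    def verify(self, cert: Cert) -> Tuple[Optional[Mode], bool, str]:
        """Step 5): check the signature under the root the issuer name selected.
        The issuer name is only a lookup key; a certificate that names the CA as
        issuer but was not signed with the CA key fails here and is denied."""
        mode = self.select_mode(cert)
        if mode is None:
            return None, False, "unknown issuer: denied"
        expected = hmac.new(self._roots[cert.issuer], _tbs(cert.subject, cert.issuer),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cert.signature):
            return mode, False, f"{mode.value}: signature invalid, denied"
        where = "local" if cert.issuer in (self.name, self.ca_name) else "roaming"
        return mode, True, f"{mode.value}: verified ({where})"

    def handle_request(self, sta_cert: Cert, ap_cert: Cert) -> Dict[str, object]:
        """Certificate authentication request from the AP: both certificates are
        checked and both results go into the certificate authentication response."""
        sta_mode, sta_ok, sta_reason = self.verify(sta_cert)
        _ap_mode, ap_ok, ap_reason = self.verify(ap_cert)
        return {
            "mode": sta_mode.value if sta_mode else None,
            "sta_result": sta_ok, "sta_reason": sta_reason,
            "ap_result": ap_ok, "ap_reason": ap_reason,
            "access_granted": sta_ok and ap_ok,
        }


# Constructed sample keys, names and certificates (not taken from the patent).
AS_KEY, CA_KEY, PEER_KEY, OTHER_KEY = b"as-root", b"ca-root", b"peer-as-root", b"other"
AS = AuthServer("AS-local", AS_KEY, "CA-central", CA_KEY,
                roaming_peers={"AS-partner": PEER_KEY})

STA_TWO = issue("AS-local", AS_KEY, "STA-1")            # two-certificate terminal
AP_TWO = issue("AS-local", AS_KEY, "AP-1")
STA_THREE = issue("CA-central", CA_KEY, "STA-2")        # three-certificate terminal
AP_THREE = issue("CA-central", CA_KEY, "AP-2")
STA_ROAM = issue("AS-partner", PEER_KEY, "STA-3")       # issued by a trusted peer AS
STA_MISMATCH = issue("CA-central", OTHER_KEY, "STA-4")  # names the CA, wrong key
STA_UNKNOWN = issue("AS-unknown", OTHER_KEY, "STA-5")   # issuer not stored here

if __name__ == "__main__":
    for sta, ap in [(STA_TWO, AP_TWO), (STA_THREE, AP_THREE), (STA_ROAM, AP_TWO),
                    (STA_MISMATCH, AP_THREE), (STA_UNKNOWN, AP_TWO)]:
        print(AS.handle_request(sta, ap))
```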

Claims (3)

1. An access authentication method with mixed coexistence of multi-level certificates and multiple authentication modes, characterized in that: when the authentication server AS receives a certificate authentication request packet from the WLAN access device AP, it first parses the terminal certificate, obtains the certificate issuer name, determines the server certificate trusted by the user terminal STA, and decides how the legitimacy of the STA certificate is to be verified according to the issuer name of the STA certificate; if the issuer is the certificate management center CA, the three-certificate mode applies, and access authentication and roaming are carried out according to the three-certificate mode; if the issuer is the authentication server AS, the two-certificate mode applies, and access authentication and roaming are carried out according to the two-certificate mode; the certificate issuing process in said two-certificate mode is: the authentication server AS first generates a self-signed certificate and then issues certificates to the WLAN access device AP and the user terminal STA; the certificate issuing process in said three-certificate mode is: the certificate management center CA issues certificates to the authentication server AS, the WLAN access device AP and the user terminal STA.
2. A system for realizing the access authentication method of claim 1, characterized in that it comprises an authentication server AS, a WLAN access device AP, a user terminal STA and a certificate management center CA interconnected by a network; in the two-certificate mode the authentication server AS generates a self-signed certificate and then issues certificates to the WLAN access device AP and the user terminal STA; in the three-certificate mode the certificate management center CA issues certificates to the authentication server AS, the WLAN access device AP and the user terminal STA.
3. The system according to claim 2, characterized in that the authentication server AS comprises:
a data communication module (401) for receiving and sending data packets carrying certificate data;
a certificate parsing module (402) for parsing certificate information and extracting the data fields to be compared;
a certificate verification module (403) for verifying the legitimacy of certificates and verifying the user certificate, thereby achieving mutual authentication of the identities of the user terminal STA and the WLAN access device AP;
a certificate judging module (404) which, from the parsed certificate information, determines from the issuer field of the certificate under which server certificate the received user certificate was issued, and at the same time determines from that server certificate whether the two-certificate or the three-certificate mode applies.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010512679.4A CN101969639B (en) 2010-10-19 2010-10-19 Multi-certificate and multi-certification mode combined access authentication method and system

Publications (2)

Publication Number Publication Date
CN101969639A CN101969639A (en) 2011-02-09
CN101969639B true CN101969639B (en) 2013-02-06

Family

ID=43548708

Country Status (1)

Country Link
CN (1) CN101969639B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105376259B (en) * 2015-12-15 2019-06-28 上海斐讯数据通信技术有限公司 The verification method and system of the multi-party server certificate of Time-sharing control
CN107360572B (en) * 2016-05-10 2019-11-12 普天信息技术有限公司 A kind of safety enhancing authentication method and device based on WIFI
CN107517475A (en) * 2016-06-16 2017-12-26 艾默生网络能源有限公司 A kind of method for monitoring power supply and device
EP3537323A1 (en) * 2018-03-09 2019-09-11 Siemens Aktiengesellschaft Project-related certificate management
WO2019221738A1 (en) * 2018-05-17 2019-11-21 Nokia Technologies Oy Facilitating residential wireless roaming via vpn connectivity over public service provider networks
CN112312395B (en) * 2019-07-17 2023-03-31 中国电信股份有限公司 WAPI certificate centralized distribution method and system
CN114363073A (en) * 2022-01-07 2022-04-15 中国联合网络通信集团有限公司 TLS encrypted traffic analysis method and device, terminal device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1691582A (en) * 2004-04-24 2005-11-02 华为技术有限公司 Method for implementing compatibility between WAPI protocol and 802.1X protocol
CN1805441A (en) * 2005-11-23 2006-07-19 西安电子科技大学 Integrated WLAN authentication architecture and method of implementing structural layers
WO2010102493A1 (en) * 2009-03-11 2010-09-16 西安西电捷通无线网络通信股份有限公司 Method for providing special access process to different terminals in wlan

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
宋宇波等. 无线接入点WAPI认证机制的研究与实现. 《中国工程科学》, 2005(09): 65-69. *

Also Published As

Publication number Publication date
CN101969639A (en) 2011-02-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130206

Termination date: 20201019