CN106101065A - Portable control-end device and WiFi access remote authentication method and apparatus - Google Patents

Publication number
CN106101065A
Authority
CN
China
Prior art keywords
end equipment
access point
authentication
wifi
face characteristic
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610365921.7A
Other languages
Chinese (zh)
Inventor
赵伟涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Qiku Internet Technology Shenzhen Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qiku Internet Technology Shenzhen Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qiku Internet Technology Shenzhen Co Ltd
Priority to CN201610365921.7A
Publication of CN106101065A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/08 Protocols specially adapted for terminal emulation, e.g. Telnet
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a WiFi access remote authentication method comprising the following steps: obtaining, from a multicast frame transmitted over the communication network established by a WiFi access point device, the to-be-verified face feature data that was provided for the authentication phase of WiFi protocol connection establishment in order to access that communication network; verifying the face feature data to obtain authentication result information indicating whether verification succeeded or failed; and feeding the authentication result information back to the WiFi access point device in a frame. The invention also discloses an apparatus and a device corresponding to the method. Implementing the invention changes the authentication mode of a WiFi communication network, thereby strengthening network security, improving authentication efficiency and improving the user's interactive experience.

Description

Portable control-end device and WiFi access remote authentication method and apparatus
Technical field
The present invention relates to the field of secure wireless communication, and more particularly to a portable control-end device and a WiFi access remote authentication method and apparatus.
Background
In wireless communication, and especially in the wireless communication technologies used in the computer field, the security of WiFi communication technology, which is derived from the IEEE 802.11 protocol, is receiving increasing attention. Depending on the capabilities of the WiFi chip and the support of the operating system, WiFi communication can run in several modes, such as Managed, AP, P2P Group Owner (GO) and P2P Client. Managed refers to Station mode, which is used to access a WiFi node operating in AP mode. Similarly, P2P GO is used to build a communication group for other WiFi devices operating in P2P mode, so that the member devices of the group can communicate with one another.
To achieve secure communication, authentication is usually required, except on the fully open networks permitted by the WiFi protocol specification. There are many authentication modes, commonly WEP and WPA; the level of security differs between modes, but the principle is essentially the same: the legitimacy of the user's identity is verified. In the common scenario, a mobile device accesses a WiFi access point (AP) as a WiFi station (Station, STA for short). The AP requires a STA that wants to access it to provide a password and verifies that password; if the password check succeeds, the STA is allowed to complete access, and otherwise its access is refused.
As attacks on WiFi communication become more and more frequent, this traditional authentication approach is under strain. The WEP-based security mechanism can no longer withstand a single blow, and the WPA-based security mechanism can also be cracked with password dictionaries or other brute-force methods. In addition, more and more phishing WiFi access points are appearing, so traditional WiFi security functions struggle to cope. On the other hand, a character-based password security mechanism exists independently of human body characteristics, so theft of passwords by other means is also very common.
In view of this, improving the password authentication mechanism of WiFi networks helps to improve the communication security of WiFi networks.
Summary of the invention
In view of at least one aspect of the problems above, the present invention provides a WiFi access remote authentication method and a corresponding apparatus, in order to control the user authentication process of a WiFi access point device remotely.
Correspondingly, the present invention also provides a portable control-end device for implementing the aforesaid method or running the aforesaid apparatus.
Accordingly, the present invention adopts the following technical solutions:
A WiFi access remote authentication method provided by the present invention comprises the following steps:
obtaining, from a multicast frame transmitted over the communication network established by a WiFi access point device, the to-be-verified face feature data that was provided for the authentication phase of WiFi protocol connection establishment in order to access that communication network;
verifying the face feature data to obtain authentication result information indicating whether verification succeeded or failed;
feeding the authentication result information back to the WiFi access point device in a frame.
In one mode, the face feature data is extracted from a multicast signal.
Preferably, the face feature data is contained in an editable field of a multicast frame of the multicast signal.
In one embodiment disclosed by the present invention, in the step of verifying the face feature data, the obtained face feature data is compared against a feature library to determine whether it is consistent with the pre-stored feature data in the library, and the verification result is accordingly determined to be success or failure.
Further, the method also comprises the following step:
in response to a user capture instruction, displaying an image capture interface for collecting the user's face feature data as the pre-stored feature data.
Specifically, in the step of displaying the image capture interface in response to the user capture instruction, a face image of the user is obtained through the image capture interface, and the face feature data is extracted from that face image.
Preferably, the pre-stored feature data is stored in the feature library in encrypted form.
Optionally, the feature library is stored on the local device or on a cloud server.
Preferably, a trusted channel is established between the local device and the WiFi access point device by means of a WiFi connection.
Specifically, the face feature data originates from an access-end device.
Further, the method also comprises the following step:
in response to a user management instruction, displaying a user management interface for modifying the setting options of the WiFi access point device.
Further, the step of feeding the authentication result information back to the WiFi access point device causes the WiFi access point device, by sending a management frame, to allow or prevent the access-end device that provided the to-be-verified face feature data from accessing the communication network established by that WiFi access point device.
In embodiments disclosed by the present invention, the method also includes the following preceding step:
after obtaining the connection request management frame with which an access-end device requests access to the communication network established by the WiFi access point device, feeding back an authentication execution instruction, so that the to-be-verified face feature data submitted in response to that authentication execution instruction can subsequently be obtained.
In one embodiment, the access request and the authentication execution instruction are routed via the WiFi access point device.
In some embodiments disclosed by the present invention, the method also comprises the following step:
counting the number of failures with which face feature data having the same source address has been repeatedly authenticated, and, once the number of failures exceeds a preset value, shielding the face feature data of that source address.
According to these embodiments, the method also comprises the following step:
receiving a recovery request belonging to the source address and, in response to a user instruction, cancelling the shielding of the face feature data of that source address.
Specifically, in the step of counting the number of failures with which face feature data having the same source address has been repeatedly authenticated, once the number of failures exceeds the preset value, the source address is added to a blacklist; for transmitted to-be-verified face feature data, the face feature data of that source address is shielded by filtering out face feature data whose source address is in the blacklist.
In some embodiments disclosed by the present invention, the method also comprises the following step:
counting the number of failures with which face feature data having the same source address has been repeatedly authenticated, and, once the number of failures exceeds a preset value, sending to the WiFi access point device a notification indicating that access requests belonging to that source address are shielded.
According to these embodiments, the method also comprises the following step:
receiving a recovery request belonging to the source address and, in response to a user instruction, sending to the WiFi access point device a notification cancelling the shielding of access requests from that source address.
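The feature-library comparison, per-source failure counting, blacklist filtering and recovery steps described above, sketched as an added example (not code from the patent or its applicants). The cosine-similarity threshold, the value of the preset failure limit, the notification dictionaries queued for the access point and all names are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

# Assumptions for this example (none of these values come from the patent):
MATCH_THRESHOLD = 0.95  # cosine similarity treated as "consistent" with a stored template
MAX_FAILURES = 3        # the "preset value" for failed checks per source address

# Constructed sample data: one enrolled template and two probe vectors.
ENROLLED = {"resident-1": [0.12, 0.80, 0.35, 0.45]}
GOOD_PROBE = [0.11, 0.81, 0.36, 0.44]
BAD_PROBE = [0.90, 0.10, 0.05, 0.30]


def cosine_similarity(a, b):
    """Return the cosine similarity of two feature vectors, 0.0 if unusable."""
    if not a or len(a) != len(b):
        return 0.0
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0 or norm_b == 0:
        return 0.0
    return sum(x * y for x, y in zip(a, b)) / (norm_a * norm_b)


@dataclass
class AuthResult:
    source: str    # source address of the access-end device, as carried in the frame
    success: bool
    reason: str    # "match", "mismatch" or "shielded"


class ControlEndAuthenticator:
    """Control-end verification with per-source failure counting and a blacklist."""

    def __init__(self, feature_library, max_failures=MAX_FAILURES,
                 threshold=MATCH_THRESHOLD):
        self.feature_library = feature_library
        self.max_failures = max_failures
        self.threshold = threshold
        self.failures = {}          # source address -> failed checks so far
        self.blacklist = set()      # shielded source addresses
        self.ap_notifications = []  # hypothetical messages queued for the access point

    def verify(self, source, features):
        # The source address is asserted by the sender, so the counter limits
        # attempts per address, not per person.
        source = source.lower()
        # Shielded sources are filtered before any comparison is made.
        if source in self.blacklist:
            return AuthResult(source, False, "shielded")
        matched = any(
            cosine_similarity(features, template) >= self.threshold
            for template in self.feature_library.values()
        )
        if matched:
            # Assumption: a successful check clears the counter for that source.
            self.failures.pop(source, None)
            return AuthResult(source, True, "match")
        count = self.failures.get(source, 0) + 1
        self.failures[source] = count
        if count > self.max_failures:
            # Failure count exceeds the preset value: shield and notify the AP.
            self.blacklist.add(source)
            self.ap_notifications.append({"type": "shield", "source": source})
            return AuthResult(source, False, "shielded")
        return AuthResult(source, False, "mismatch")

    def restore(self, source, user_approved):
        """Handle a recovery request; shielding is lifted only on a user instruction."""
        source = source.lower()
        if not user_approved or source not in self.blacklist:
            return False
        self.blacklist.discard(source)
        self.failures.pop(source, None)
        self.ap_notifications.append({"type": "unshield", "source": source})
        return True


def run_demo():
    """Replay a constructed sequence of checks and return the reason for each."""
    auth = ControlEndAuthenticator(ENROLLED)
    src = "02:00:00:AA:BB:CC"  # constructed, locally administered address
    reasons = [auth.verify(src, BAD_PROBE).reason for _ in range(4)]
    reasons.append(auth.verify(src, GOOD_PROBE).reason)  # still filtered
    auth.restore(src, user_approved=True)
    reasons.append(auth.verify(src, GOOD_PROBE).reason)
    return reasons


if __name__ == "__main__":
    print(run_demo())
```

Once a source address is shielded, even a matching feature vector from that address is rejected until a user-approved recovery request lifts the block.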
A WiFi access remote authentication apparatus provided by the present invention comprises:
an acquiring unit, configured to obtain, from a multicast frame transmitted over the communication network established by a WiFi access point device, the to-be-verified face feature data that was provided for the authentication phase of WiFi protocol connection establishment in order to access that communication network;
a verification unit, configured to verify the face feature data and obtain authentication result information indicating whether verification succeeded or failed;
a feedback unit, configured to feed the authentication result information back to the WiFi access point device in a frame.
In one mode, the face feature data is extracted from a multicast signal.
Preferably, the face feature data is contained in an editable field of a multicast frame of the multicast signal.
In one embodiment disclosed by the present invention, the verification unit is configured to compare the obtained face feature data against a feature library to determine whether it is consistent with the pre-stored feature data in the library, and accordingly to determine the verification result to be success or failure.
Further, the apparatus also includes:
a collecting unit, configured to display, in response to a user capture instruction, an image capture interface for collecting the user's face feature data as the pre-stored feature data.
Specifically, the collecting unit is configured to obtain a face image of the user through the image capture interface and to extract the face feature data from that face image.
Preferably, the pre-stored feature data is stored in the feature library in encrypted form.
Optionally, the feature library is stored on the local device or on a cloud server.
Preferably, a trusted channel is established between the local device and the WiFi access point device by means of a WiFi connection.
Specifically, the face feature data originates from an access-end device.
Further, the apparatus also includes:
a configuration unit, configured to display, in response to a user management instruction, a user management interface for modifying the setting options of the WiFi access point device.
Further, the operation of the feedback unit causes the WiFi access point device, by sending a management frame, to allow or prevent the access-end device that provided the to-be-verified face feature data from accessing the communication network established by that WiFi access point device.
In embodiments disclosed by the present invention, the apparatus also includes the following unit for a preceding operation:
a start unit, configured to feed back an authentication execution instruction after obtaining the connection request management frame with which an access-end device requests access to the communication network established by the WiFi access point device, so that the to-be-verified face feature data submitted in response to that authentication execution instruction can subsequently be obtained.
In one embodiment, the access request obtained by the start unit and the authentication execution instruction are routed via the WiFi access point device.
In some embodiments disclosed by the present invention, the apparatus also includes:
a statistics unit, configured to count the number of failures with which face feature data having the same source address has been repeatedly authenticated and, once the number of failures exceeds a preset value, to shield the face feature data of that source address.
According to these embodiments, the apparatus also includes:
a disaster-recovery unit, configured to receive a recovery request belonging to the source address and, in response to a user instruction, to cancel the shielding of the face feature data of that source address.
Specifically, in the statistics unit, once the number of failures exceeds the preset value, the source address is added to a blacklist; for transmitted to-be-verified face feature data, the face feature data of that source address is shielded by filtering out face feature data whose source address is in the blacklist.
In some embodiments disclosed by the present invention, the apparatus also includes:
a statistics unit, configured to count the number of failures with which face feature data having the same source address has been repeatedly authenticated and, once the number of failures exceeds a preset value, to send to the WiFi access point device a notification indicating that access requests belonging to that source address are shielded.
According to these embodiments, the apparatus also includes:
a disaster-recovery unit, configured to receive a recovery request belonging to the source address and, in response to a user instruction, to send to the WiFi access point device a notification cancelling the shielding of access requests from that source address.
A portable control-end device provided by the present invention comprises:
a WiFi module, for providing a communication network;
a touch-sensitive display, for displaying interfaces and realising human-machine interaction;
one or more processors;
a memory;
one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the one or more processors;
the one or more programs are configured to drive the one or more processors to form the apparatus corresponding to any one embodiment of the aforesaid method.
A portable control-end device provided by the present invention comprises:
a WiFi module, for providing a communication network;
a touch-sensitive display, for displaying interfaces and realising human-machine interaction;
one or more processors;
a memory;
one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the one or more processors;
the one or more programs are configured to drive the one or more processors to form the apparatus realised by any one of the aforesaid embodiments.
In one possible design, the structure of the portable control-end device includes a processor and a memory; the memory is used to store a program that supports the transceiver apparatus in performing the above method, and the processor is configured to execute the program stored in the memory. The portable control-end device may also include a communication interface for communication with other devices.
In yet another aspect, an embodiment of the present invention provides a computer storage medium for storing the computer software instructions used by the above portable control-end device, containing the program designed for the portable control-end device, or the program designed for carrying out the above method or apparatus.
Compared with the prior art, the solution provided by the present invention lets users experience its benefits through a portable control-end device. These benefits show for each party participating in the communication network established by the WiFi access point device.
1. For the portable control-end device: the portable control-end device receives the face feature data that the WiFi access point device forwards for access to its communication network, performs identity verification on that data, and then feeds back to the WiFi access point device authentication result information stating whether verification succeeded. In effect the portable control-end device takes over the authentication function that the WiFi access point device originally had, or at least strengthens it (the WiFi access point device can still keep its existing authentication function and add face feature data authentication on top of it). It follows that, on the one hand, once the authentication function of the WiFi access point device has been handed to the portable control-end device, authentication management of the WiFi access point device becomes more convenient and efficient than having an administrator log in to the access point through a web page to configure it, thanks to the powerful programmability and friendly user interface of the portable control-end device. On the other hand, this takeover makes verification based on human body characteristics possible, especially for face features, whose data volume is relatively large to transmit: the WiFi access point device can stay lightweight while a more powerful and more secure authentication function is realised on the portable control terminal.
In addition, the portable control-end device can conveniently reach the Internet by other routes and can be combined with a cloud server to store, and manage at a higher level, the data involved in the authentication process, such as face feature data, which makes user security management more thorough.
2. For the WiFi access point device: it is responsible for responding to the access request of an access-end device and, optionally, for feeding an authentication execution instruction back to the access-end device, so as to obtain the face feature data that the access-end device returns. It then submits that face feature data to the portable control-end device for authentication and, according to the authentication result, decides whether to allow or block the access-end device's request to access the established communication network. Because the connection between the WiFi access point device and the control-end device is trusted, the authentication function of the former can be transferred at least partly to the latter; the former saves system overhead and the latter carries out the security management. The control-end device, having more powerful hardware support and system functions of its own, can verify the access-side device effectively. Communication between the control-end device and the access-end device is routed by the WiFi access point device, which keeps that communication unobstructed. In theory, the WiFi access point device could drop its traditional password-based authentication function, saving hardware cost, and hand authentication entirely to the control-end device. It can nevertheless keep its traditional authentication function, and may dedicate it to establishing the trusted channel between the WiFi access point device and the control-end device.
3. For the portable access-end device: it can initiate, in some manner, an access request to the communication network established by the WiFi access point device. After receiving the request, the WiFi access point device feeds an authentication execution instruction back to it, causing it to start its image acquisition unit and obtain face feature data, which the WiFi access point device then routes to the control-end device. The authentication result for that face feature data finally determines whether the access-end device succeeds in accessing the communication network. Thus, for an access-end device that wants to access the communication network, the authentication logic changes compared with the traditional approach: in a friendlier interaction, the user's portrait is captured directly, face feature data is extracted from it, and that data is used to authenticate access to the communication network. Compared with entering a password, this simplifies user operation and improves efficiency. Moreover, since the access-end device no longer involves manual password entry, illegal monitoring of the password input process by phishing software or other eavesdropping software is effectively avoided, greatly raising the level of security when the access-end device accesses the communication network.
In short, with the present invention every party in the WiFi communication network, namely the access-end device, the control-end device and the WiFi access point device, embodies a technical improvement over conventional technology, so that the authentication mode of the WiFi communication network changes, thereby strengthening network security, improving authentication efficiency and improving the user's interactive experience.
These and other aspects of the present invention will become clearer in the following description.
Brief description of the drawings
To illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic block diagram of a network system built from the portable control-end device, the portable access-end device and the WiFi access point device of the present invention.
Fig. 2 is a flow diagram of one embodiment of the WiFi access remote authentication method of the present invention.
Fig. 3 is a flow diagram of one embodiment of the WiFi access authentication method of the present invention.
Fig. 4 is a flow diagram of one embodiment of the WiFi access authentication control method of the present invention.
Fig. 5 is a flow diagram of another embodiment of the WiFi access remote authentication method of the present invention.
Fig. 6 is a flow diagram of a further embodiment of the WiFi access remote authentication method of the present invention.
Fig. 7 is a flow diagram of a further embodiment of the WiFi access remote authentication method of the present invention.
Fig. 8 is a flow diagram of another embodiment of the WiFi access authentication method of the present invention.
Fig. 9 is a flow diagram of another embodiment of the WiFi access authentication control method of the present invention.
Fig. 10 is a flow diagram of a further embodiment of the WiFi access authentication control method of the present invention.
Fig. 11 is a flow diagram of another embodiment of the WiFi access authentication control method of the present invention.
Fig. 12 is a flow diagram of a further embodiment of the WiFi access authentication control method of the present invention.
Fig. 13 is a flow diagram of a further embodiment of the WiFi access authentication control method of the present invention.
Fig. 14 is a schematic diagram of one embodiment of the WiFi access remote authentication apparatus of the present invention.
Fig. 15 is a schematic diagram of another embodiment of the WiFi access remote authentication apparatus of the present invention.
Fig. 16 is a schematic diagram of another embodiment of the WiFi access remote authentication apparatus of the present invention.
Fig. 17 is a schematic diagram of another embodiment of the WiFi access remote authentication apparatus of the present invention.
Fig. 18 is a schematic diagram of a further embodiment of the WiFi access remote authentication apparatus of the present invention.
Fig. 19 is a schematic diagram of one embodiment of the WiFi access authentication apparatus of the present invention.
Fig. 20 is a schematic diagram of another embodiment of the WiFi access authentication apparatus of the present invention.
Fig. 21 is a schematic diagram of one embodiment of the WiFi access authentication control apparatus of the present invention.
Fig. 22 is a schematic diagram of another embodiment of the WiFi access authentication control apparatus of the present invention.
Fig. 23 is a schematic diagram of another embodiment of the WiFi access authentication control apparatus of the present invention.
Fig. 24 is a schematic diagram of another embodiment of the WiFi access authentication control apparatus of the present invention.
Fig. 25 is a schematic diagram of another embodiment of the WiFi access authentication control apparatus of the present invention.
Fig. 26 is a schematic diagram of a further embodiment of the WiFi access authentication control apparatus of the present invention.
Fig. 27 is a schematic diagram of a structure applicable to the portable control-end device, the portable access-end device and the WiFi access point device of the present invention.
Detailed description of the invention
To help those skilled in the art better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of the embodiments.
Some of the flows described in the specification, the claims and the above drawings contain multiple operations that appear in a particular order. It should be clearly understood, however, that these operations may be performed out of the order in which they appear herein, or in parallel. Operation numbers such as 101 and 102 serve only to distinguish the operations from one another and do not themselves represent any execution order. In addition, these flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. Note that terms such as "first" and "second" herein are used to distinguish different messages, devices, modules and the like; they do not represent a sequence, nor do they require that the "first" and the "second" be of different types.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
The face characteristic data referred to in the present invention are the data obtained by feature extraction from a facial image. The facial image is usually obtained by starting an image acquisition unit such as one or more cameras. If necessary, the image acquisition unit can compare one or more real-time frames to confirm that the acquired facial image is a valid image that meets the specification, so as to prevent an unauthorized user from forging an identity with a facial image of a legitimate user. During transmission and storage the face characteristic data can take some encrypted form, for example a data digest, a signature, PKI encryption or symmetric encryption; it is only necessary that, when the data are used, the reverse algorithm can decrypt the encrypted form so that the data can be operated on correctly. The pre-stored characteristic data held in the feature library referred to in the present invention are face characteristic data generated from an earlier acquisition; they can likewise be stored in the above encrypted form and are called up for comparison when authentication verification is later required.
The communication network referred to in the present invention is a network, specified by IEEE 802.11 and its family of protocols, that provides a WiFi access service. In the environment of this network there is a WiFi access point apparatus as referred to in the present invention, which transmits a WiFi signal carrying a service set identifier (SSID) to set up the communication network and admits legitimate users. There is also an incoming end equipment as referred to in the present invention, which is configured with a WiFi chip module so that it can search for the beacon frames of the communication network and determine the network's service set identifier, or obtain the service set identifier after initiating an active probe, and then initiate an access request for the communication network represented by that identifier; once the access point apparatus accepts the access request, the WiFi connection is established. Generally, this communication network can be routed further through the WiFi access point apparatus and connected to internal and external networks, so as to reach the same LAN, the Internet or another kind of wide area network. The present invention allows a control end equipment to set up a Trusted channel with the WiFi access point apparatus and, through it, to take over from the WiFi access point apparatus the authentication of other incoming end equipment that intends to access its communication network; in this respect the present invention is a technical enhancement over traditional schemes.
The equipment referred to in the present invention, specifically the control end equipment and the access point apparatus to be disclosed, generally means mobile devices that can be carried around and are configured with an intelligent operating system, such as tablet computers, mobile phones and smart watches. The operating system can be a mobile operating system such as Windows Phone, Android or iOS, or another form, and can also be, for example, the desktop Windows series. As long as the equipment used is portable, intelligent and has a WiFi communication function, those skilled in the art can regard it as the corresponding portable equipment referred to here.
In the WiFi connection procedure specified by IEEE 802.11, establishing a WiFi connection generally goes through a connection request (Probe Request/Response), authentication processing (Authentication) and the establishment of an association (Association). In the connection request stage the incoming end equipment and the access point apparatus establish preliminary mutual recognition; in the authentication stage the two interact in both directions to complete authentication; finally, the exchange of association management frames confirms the connection. The methods and aspects of the present invention are improvements built on this procedure, and some concepts are accordingly described in simplified form. For example, the connection request process may be reduced in the present invention to an access request; the authentication process may be broken down into several interactive steps, including steps performed among the several terminal devices that take part in the authentication; and the association process may be reduced to establishing the connection between the incoming end equipment and the access point apparatus. Those skilled in the art should therefore understand that, even though the description of the present invention may not follow the IEEE 802.11 specification exactly, the various concrete schemes can still be implemented, and the invention reasonably understood, on the basis of IEEE 802.11 and the key technical features of the present invention as explained here. In particular, the simplified description of an individual term or feature should not be used to misread or distort the reasonable scope of protection that the present invention is intended to cover.
To make the present invention easier to understand, a running environment of the present invention is introduced below; it can also be regarded as an application scenario of the present invention.
As shown in Fig. 1, in the present invention a WiFi access point apparatus sets up and opens a WiFi communication network. A common AP (Access Point) can perform this function, and similar devices that have the AP function with an added routing function can equally be used to set up the communication network of the present invention.
There is a portable control end equipment, for example a smartphone that likewise includes a WiFi chip module. It accesses the communication network with a legitimate user identity and, through an application program installed on the smartphone, manages the configuration and the authentication functions of the communication network. A trusted connection relationship based on a WiFi connection is established between the control end equipment and the WiFi access point apparatus. One way is to bind the two in hardware: the information of the management interface of the WiFi access point apparatus is fixed when the apparatus leaves the factory, so that any smart device that has the application program of the present invention installed and holds that management interface information can become the control end equipment. Another way is for the WiFi access point apparatus to provide authentication in a conventional manner, allowing a smart device to access it through an authentication mode such as WEP or WPA and to call its management interface to designate itself as the control end equipment; the control end equipment can then control the availability of the function that authenticates on the basis of face characteristic data. In either way, the control end equipment becomes the management terminal of the WiFi access point apparatus, exclusively or non-exclusively.
At least one smart device that intends to access the communication network can serve as the incoming end equipment of the present invention. Naturally it is configured with a WiFi chip module and an image acquisition unit such as a camera. After it detects a beacon frame of the communication network it can initiate a connection request in order to access the network. When the procedure next enters the authentication process and authentication data are required, the incoming end equipment can request and obtain the corresponding authentication data from the user; this can also be simplified into the incoming end equipment supplying the authentication data automatically, so a prompt-and-response interaction is not essential. The data are submitted to the WiFi access point apparatus, and whether the equipment finally succeeds in accessing the communication network in the association stage depends on whether the authentication by the WiFi access point apparatus is passed. The authentication data may or may not include a traditional verification password such as a WEP or WPA password, but in the present invention they must above all include the face characteristic data obtained by the image acquisition unit.
The incoming end equipment, the control end equipment and the WiFi access point apparatus can each run a different operating system. As long as the devices follow the same protocol or communication interface standard implemented according to the solution of the present invention, they can cooperate without obstacle to build the running environment of the present invention. Note that there can be one or more control end equipment, and one or more incoming end equipment can exist at the same time; these quantities should not limit the essential inventive spirit of the present invention.
The structure shown in Fig. 1 works as follows. After the WiFi access point apparatus starts, it configures the communication network according to its default settings and starts its WiFi access service. After the control end equipment starts, it can access the communication network of the WiFi access point apparatus in a traditional way, for example by WPA-based password verification. A control end equipment that has accessed the communication network can be given administrator qualification by default, or can obtain that qualification through an authentication mechanism similar to an administrator login. A control end equipment with administrator qualification can read the configuration options of the WiFi access point apparatus as administrator, show the configuration page in the user interface on its touch-sensitive display, and, after the user has modified the setting options, submit them to the WiFi access point apparatus so that the modification takes effect. In addition, the WiFi access point apparatus treats every device to be accessed other than the control end equipment as incoming end equipment: it requires the device to provide face characteristic data and submits the face characteristic data to the control end equipment for verification. If verification passes, the incoming end equipment is allowed to access the network; otherwise it is forbidden to log in. The face characteristic data submitted by the incoming end equipment are in essence data awaiting authentication. The WiFi access point apparatus routes them to the control end equipment according to its default logic, and the authentication result information generated by the control end equipment is passed back to the WiFi access point apparatus, which acts on it. This completes one core authenticated access procedure.
The concrete implementation of each device is disclosed one by one in the embodiments that follow.
Referring to Fig. 2, in one embodiment of the present invention the WiFi access remote authentication method used by a portable control end equipment comprises the following steps: step S12, obtaining, from multicast frames transmitted in the communication network set up by the WiFi access point apparatus, the face characteristic data to be verified that are provided for accessing the communication network in the authentication phase of WiFi connection establishment; step S13, verifying the face characteristic data to obtain authentication result information that indicates whether verification succeeded or failed; step S14, feeding the authentication result information back to the WiFi access point apparatus in a data frame.
The control end equipment has evidently accessed the communication network set up by the WiFi access point apparatus in advance over a WiFi-based Trusted channel. Thus, once the incoming end equipment provides the WiFi access point apparatus with face characteristic data for authenticating its request to access the communication network, the WiFi access point apparatus routes these data to the control end equipment, which verifies them, outputs authentication result information and sends it to the WiFi access point apparatus. When the WiFi access point apparatus obtains the authentication result information, it allows the incoming end equipment to access the communication network if the information indicates success, and refuses access if it indicates failure. Access can be refused either by not responding to the face characteristic data or by feeding back to the incoming end equipment a management frame that indicates authentication failure. By implementing this method, the control end equipment takes over from the WiFi access point apparatus the authentication of incoming end equipment that intends to access its communication network.
Referring to Fig. 3, in one embodiment of the present invention the WiFi access authentication method used by a portable incoming end equipment comprises the following steps: step S21, initiating an access request to the WiFi access point apparatus; step S22, in response to the authentication execution instruction that follows the access request, starting the image acquisition unit to obtain face characteristic data; step S23, feeding the face characteristic data back to the WiFi access point apparatus in response to the authentication execution instruction; step S24, after the face characteristic data pass authentication, accessing the communication network set up by the WiFi access point apparatus.
After receiving the authentication execution instruction from the WiFi access point apparatus, the incoming end equipment starts its image acquisition unit to obtain face characteristic data and submits them to the WiFi access point apparatus, which can route them to the control end equipment for authentication. If authentication passes, the equipment can access the communication network. This process strengthens the authentication logic of the portable incoming end equipment and makes access to the communication network more convenient and efficient; and because the password-based authentication mode is replaced by one based on human body characteristics, it is also safer.
Referring to Fig. 4, in one embodiment of the present invention the WiFi access authentication control method used by a WiFi access point apparatus comprises the following steps: step S31, receiving the access request of the incoming end equipment; step S32, responding to the access request by feeding back an authentication execution instruction; step S33, receiving the face characteristic data fed back in response to the authentication execution instruction and requesting the control end equipment to authenticate them; step S34, according to the authentication result information fed back by the control end equipment, which indicates success or failure, allowing or preventing the incoming end equipment from accessing the preset communication network.
After the WiFi access point apparatus hears the access request of the incoming end equipment, it can originate an authentication execution instruction itself, or route the authentication execution instruction of the control end equipment, to the incoming end equipment so that the latter starts obtaining face characteristic data. After the incoming end equipment feeds back the face characteristic data, the WiFi access point apparatus passes them to the control end equipment and requests it to authenticate them; finally, according to the result fed back by the control end equipment, it allows or prevents the incoming end equipment from accessing the communication network. In this process the WiFi access point apparatus does not perform the authentication itself but acts as a router: the authentication function is actually handed to the control end equipment, and the WiFi access point apparatus uses the result to control the request of the incoming end equipment. The WiFi access point apparatus can thus improve and strengthen the function of its WiFi chip module according to this method, adding cooperative support for the face characteristic data verification process on the one hand while keeping normal network routing on the other.
It can be seen that the control end equipment, the incoming end equipment and the WiFi access point apparatus are all associated with the same communication network set up by the access point apparatus; each performs its own duty and they cooperate with one another, which makes the authentication more effective.
The WiFi access remote authentication method applicable to the portable control end equipment has various embodiments. Building on the previous embodiment, the following describes each step and the remaining alternative embodiments. Please continue to refer to Fig. 2 together with the text below:
Provided that, by default, a Trusted channel has been established between the control end equipment and the WiFi access point apparatus, the WiFi access remote authentication method generally runs from step S12 to step S14. The establishment of the Trusted channel is described here first: in one embodiment the control end equipment establishes the Trusted channel with the WiFi access point apparatus in advance by way of a WiFi connection; specifically, the control end equipment can start in STA mode and access the WiFi access point apparatus, which is in AP mode. Then, as something common to the embodiments of the present invention but not essential, a step S10 (not shown) can be provided, which, in response to a user management instruction, displays a user management interface for modifying the setting options of the WiFi access point apparatus. By performing step S10 the control end equipment can retrieve the setting options of the WiFi access point apparatus according to a pre-agreed protocol and show them on the user management interface on the touch-sensitive display. The user brings up the user management interface on the control end equipment by triggering the user management instruction there, or the instruction is triggered in a default manner. The user management interface, displayed on that trigger, shows the various setting options of the WiFi access point apparatus and lets the user modify the options that act on the WiFi access point apparatus (in particular those of its communication network). The control end equipment thereby takes over the management interface of the WiFi access point apparatus and offers a more convenient management operation. The setting options, such as the SSID name of the communication network, the DHCP function settings, the channel number and the choice of authentication mode, are varied; any option that relates to the WiFi network function and whose change alters the configured behaviour of the WiFi access point apparatus counts as such an option. In particular, the word "option" must not be read narrowly as "alternative" or "choose one of several", as those skilled in the art should know.
Step S12, obtaining from the multicast frames transmitted in the communication network set up by the WiFi access point apparatus the face characteristic data to be verified, provided for accessing the communication network in the authentication phase of WiFi connection establishment, is implemented as follows:
In one embodiment the control end equipment can directly process the multicast signal sent by the incoming end equipment, which contains the face characteristic data to be verified, to obtain those data. Specifically, because the incoming end equipment has not yet successfully accessed the communication network provided by the WiFi access point apparatus, it cannot send the face characteristic data in data frames, but it can use a group of multicast frames that together carry the data. The incoming end equipment converts the face characteristic data into binary code, loads it into an editable field of the multicast frames, specifically the address field, and then sends the multicast frames. The control end equipment receives those multicast frames directly, extracts the binary code from the editable field and converts it back into face characteristic data.
In another embodiment the extraction of the face characteristic data from the multicast signal of the incoming end equipment is done by the WiFi access point apparatus, which then loads the data into a data frame and sends it to the control end equipment; the control end equipment extracts the face characteristic data directly from the data frame.
After the face characteristic data are obtained, they should be decrypted if, by agreement, they are encrypted data; otherwise they can be used directly for the subsequent verification.
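The address-field transport of step S12 can be sketched as follows. This is an added example, not code from the patent: the page says only that the binary code is loaded into the address field of several multicast frames, so the layout used here (locally administered group address, 16-bit sequence number, 3 payload bytes per address, a length and CRC-32 header) and all names are assumptions.

```python
import struct
import zlib
from typing import Dict, List, Optional

GROUP_LOCAL = 0x03   # first octet: multicast (I/G) bit + locally administered (U/L) bit
CHUNK = 3            # payload bytes per address (assumed layout)
HEADER = ">HI"       # 2-byte payload length + 4-byte CRC-32, fills exactly two chunks
HEADER_LEN = struct.calcsize(HEADER)


def encode_to_addresses(feature_blob: bytes) -> List[str]:
    """Incoming end: spread a feature blob over multicast destination addresses."""
    if len(feature_blob) > 0xFFFF:
        raise ValueError("blob too long for the 16-bit length field")
    framed = struct.pack(HEADER, len(feature_blob), zlib.crc32(feature_blob)) + feature_blob
    framed += b"\x00" * (-len(framed) % CHUNK)          # pad to a whole chunk
    addresses = []
    for seq in range(len(framed) // CHUNK):
        octets = (bytes([GROUP_LOCAL]) + struct.pack(">H", seq)
                  + framed[seq * CHUNK:(seq + 1) * CHUNK])
        addresses.append(":".join(f"{b:02x}" for b in octets))
    return addresses


class Reassembler:
    """Control end: rebuild the blob from addresses seen in any order."""

    def __init__(self) -> None:
        self.chunks: Dict[int, bytes] = {}

    def feed(self, address: str) -> Optional[bytes]:
        """Return the blob once every chunk has arrived, else None.

        Raises ValueError if the reassembled data fail the CRC check.
        """
        octets = bytes.fromhex(address.replace(":", ""))
        if len(octets) != 6 or octets[0] != GROUP_LOCAL:
            return None                                  # unrelated multicast traffic
        seq = struct.unpack(">H", octets[1:3])[0]
        self.chunks.setdefault(seq, octets[3:])          # duplicates are ignored
        return self._try_complete()

    def _try_complete(self) -> Optional[bytes]:
        if 0 not in self.chunks or 1 not in self.chunks:
            return None                                  # header not complete yet
        length, crc = struct.unpack(HEADER, self.chunks[0] + self.chunks[1])
        total = -(-(HEADER_LEN + length) // CHUNK)       # ceiling division
        if any(i not in self.chunks for i in range(total)):
            return None                                  # frames still missing
        data = b"".join(self.chunks[i] for i in range(total))
        blob = data[HEADER_LEN:HEADER_LEN + length]
        if zlib.crc32(blob) != crc:
            raise ValueError("CRC mismatch: corrupted or foreign frames")
        return blob


if __name__ == "__main__":
    sample = bytes(range(40))                # constructed stand-in for encrypted features
    rx = Reassembler()
    result = None
    for addr in reversed(encode_to_addresses(sample)):   # arrival order is arbitrary
        result = rx.feed(addr)
    print(result == sample)
```

Address fields of 802.11 frames are readable by every station in range, so the blob handed to `encode_to_addresses` should already be in the encrypted form the description allows.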
Step S13, verifying the face characteristic data to obtain authentication result information indicating whether verification succeeded or failed, is implemented as follows:
Specifically, the control end equipment can obtain in advance a feature library that stores the face characteristic data of legitimate users. The feature library can be stored in the local storage of the control end equipment, or in a cloud server that the control end equipment can use through remote requests. The face characteristic data in the feature library, that is, the pre-stored characteristic data, can exist in encrypted form to strengthen their security. When verifying the face characteristic data, the control end equipment performs a different process depending on where the feature library is stored:
With a locally stored feature library, the control end equipment compares the face characteristic data to be verified with the pre-stored characteristic data in the feature library. If it confirms that there are pre-stored characteristic data consistent with the face characteristic data, the data are regarded as provided by a legitimate user; otherwise they are regarded as provided by an illegitimate user. According to which case applies, authentication result information indicating success or failure is generated. "Consistent" here should not be confined to the two being completely identical in data representation or content; it can mean, for example, that their degree of similarity reaches a preset level or lies within a permitted range.
With a feature library stored in a cloud server, the control end equipment encapsulates the face characteristic data to be verified in a verification request and sends it to the cloud server. The server performs the verification process described above with these data, and the authentication result information generated by the cloud server is finally fed back to the control end equipment.
Whether verification is done locally or submitted to the cloud server, the control end equipment obtains the authentication result information through verification.
To build the feature library, in one embodiment the WiFi access remote authentication method performed by the control end equipment starts by performing a step S18 (not shown): in response to a user acquisition instruction, an image acquisition interface is displayed for collecting the user's face characteristic data as the pre-stored characteristic data.
Generally, the control end equipment can be provided with an application program dedicated to implementing the method. While the application runs, the image acquisition interface can be activated by a virtual key or a specific gesture and displayed. Once activated, it starts an image acquisition unit of the control end equipment, such as a camera, and shows a preview. When the user has settled on a facial expression and gives a further confirmation instruction, for example by voice, gesture or virtual key, the image acquisition unit captures a facial image, which is processed to extract the face characteristic data. These data are then stored in the local feature library as pre-stored characteristic data, or submitted to the cloud feature library for storage. As noted earlier, the face characteristic data can be stored in the feature library in some encrypted form to strengthen their security.
Step S14, feeding the authentication result information back to the WiFi access point apparatus in a data frame, is implemented as follows:
First, the purpose of feeding the authentication result information back to the WiFi access point apparatus is to cause the WiFi access point apparatus to allow or prevent the incoming end equipment that provided the face characteristic data to be verified from accessing the communication network it has set up (advantageously exercising that control over the incoming end equipment by sending a management frame). The function of allowing or preventing access to the communication network is, however, implemented by the WiFi access point apparatus. Therefore, after receiving the authentication result information, the WiFi access point apparatus responds, according to what the information indicates, to the incoming end equipment that initiated the request, allowing or not allowing it to access the communication network; at the incoming end equipment, whether authentication passed can then be confirmed by checking whether the equipment has successfully accessed the communication network. In one embodiment the control end equipment sends the authentication result information to the WiFi access point apparatus with a data frame as the carrier.
None of the alternative embodiments above considers the handling of the access request with which the incoming end equipment asks to access the communication network; they only consider the processing of the face characteristic data it subsequently submits. In those embodiments, therefore, the access request, in particular a handshake request initiated on the basis of the beacon frame of the traditional WiFi protocol, is handled by the WiFi access point apparatus according to its traditional protocol logic, and the WiFi access point apparatus further requires the incoming end equipment to submit the face characteristic data, which it then routes to the control end equipment for the processing described in those embodiments. The control end equipment thus leaves out the handling of the access request and only implements the function of treating the face characteristic data as a request and verifying them, which reduces overhead.
In a further improved embodiment of the present invention, however, as shown in Fig. 5, the method also includes a preceding step S11: after obtaining the connection request management frame with which the incoming end equipment asks to access the communication network set up by the WiFi access point apparatus, feeding back an authentication execution instruction, so that the face characteristic data to be verified, submitted in response to that instruction, can subsequently be obtained.
Specifically, after the incoming end equipment detects a beacon frame (beacon) of the communication network set up by the WiFi access point apparatus, or determines the SSID of the communication network through a Probe Request (answered by a Probe Response frame), it can initiate an access request to the WiFi access point apparatus. In the first class of embodiments above, in which the control end equipment does not consider the access request, the request is handled directly by the WiFi access point apparatus. In the present embodiment the WiFi access point apparatus can route the access request to the control end equipment, or pass it on in some converted form; in either form the control end equipment treats what it receives as the access request of an incoming end equipment that intends to access the communication network set up by the WiFi access point apparatus. In some embodiments the Probe Request, as the connection request management frame, is treated as the access request. In response to the access request the control end equipment feeds back an authentication execution instruction to the incoming end equipment through the WiFi access point apparatus, or the WiFi access point apparatus converts it into some form and passes it to the incoming end equipment; in the first class of embodiments the authentication execution instruction is originated and sent to the incoming end equipment by the WiFi access point apparatus. After the incoming end equipment receives the authentication execution instruction (or treats the Probe Response frame it receives as the authentication execution instruction), it responds according to its preset program by starting its image acquisition unit, obtaining the human body characteristic data to be verified and submitting them as feedback, whereupon the subsequent steps S12 to S14 described above are performed.
From the above embodiments of the WiFi access remote authentication method implemented by the control end equipment, it can be seen that in some embodiments the access request of the incoming end equipment and the authentication execution instruction that answers it may be processed by the control end equipment and routed through the WiFi access point. In other embodiments, the control end equipment takes no part in processing the access request and the authentication execution instruction. By comparison, if the WiFi access point apparatus processes the access request of the incoming end equipment and feeds back the authentication execution instruction for it, the communication process is simplified and the load on the control end equipment is reduced; if the control end equipment processes the access request of the incoming end equipment and originates the authentication execution instruction that is fed back, the centralized management capability of the control end equipment is strengthened and the security of the communication network is further improved. In a further improvement, while the WiFi access point apparatus carries out the connection request process, a management frame that confirms this connection request process, such as a Request Response frame, can be regarded as the authentication execution instruction.
As shown in Fig. 6, in a further refined embodiment, the WiFi access remote authentication method performed by the control end equipment also includes step S15: counting the number of times that face characteristic data with the same source address repeatedly fails authentication and, after the number of failures exceeds a preset value, shielding the face characteristic data of this source address.
Tracking the number of failures when face characteristic data to be verified, repeatedly submitted from the same source address, repeatedly fails authentication helps to improve the security of the communication network; the control end equipment can therefore keep statistics on the face characteristic data it receives. Whether the WiFi access point apparatus routes the face characteristic data of the incoming end equipment directly, or repackages it in a data message of its own format, the data packet submitted to the control end equipment can contain a unique feature of the incoming end equipment, such as its MAC address, UUID or host name. One unique feature thus characterizes one source address, and the control end equipment can count the verification failures of face characteristic data with the same source address. Preferably, a measurement period of, for example, half an hour or five minutes can be set; when, within this period, the face characteristic data repeatedly submitted from the same source address has accumulated the specified number (the preset value) of verification failures, in other words has exceeded this preset value, the control end equipment regards this source address as the location of a malicious attack source, or at least as intrusion behaviour by an illegitimate user. In this case, the control end equipment shields the face characteristic data of this source address: subsequent face characteristic data from this source address is no longer verified and no feedback is given, which protects the machine and indeed the whole communication network from malicious attack.
The simplest and most effective way to manage this is to add the source address to be shielded to a blacklist. For face characteristic data to be verified that arrives subsequently, the blacklist is first queried for its source address; if the address is present, the face characteristic data is filtered out directly, which shields the face characteristic data of this source address; if it is not present, processing continues according to the normal steps.
To accompany step S15, a step S16 can further be provided: receiving a recovery request belonging to the source address and, in response to a user instruction, cancelling the shielding of the face characteristic data of this source address.
The incoming end equipment may be preset with a disaster tolerance mechanism by which, when the face characteristic data it provides is shielded, it asks the shielding party to restore handling of its subsequent verification requests; this is implemented by sending a recovery request to the communication network. The control end equipment therefore receives this recovery request, which also contains the source address of the incoming end equipment. The request is subject to review, so the control end equipment does not necessarily lift the shielding of this source address immediately. Lifting the shielding is usually done manually: the manager can learn of the recovery request through the user management interface of the control end equipment and decide whether to agree to it. Once the recovery request is agreed to, the control end equipment deletes the source address from its blacklist and subsequently no longer shields face characteristic data with this source address, so the ban on the incoming end equipment accessing the communication network is lifted. It should be pointed out that, although a user management interface is used, its setting options may also include options stored in the control end equipment; for example, the blacklist and the content of the recovery request can be stored in the memory of the control end equipment and displayed in the user management interface as setting options of the WiFi access point apparatus.
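Steps S15 and S16 can be sketched as follows. This is an added example, not code from the patent: the class and method names, the threshold of 3 and the 300-second period are assumptions chosen for illustration, and the sample address is constructed.

```python
import time
from collections import defaultdict, deque


class AuthFailureTracker:
    """Counts failed face-characteristic checks per source address within a
    measurement period (step S15) and queues recovery requests for manual
    review by the manager (step S16). All names here are hypothetical."""

    def __init__(self, preset_value=3, period_seconds=300, clock=time.monotonic):
        self.preset_value = preset_value        # failures tolerated per period
        self.period = period_seconds            # measurement period
        self.clock = clock                      # injectable for testing
        self._failures = defaultdict(deque)     # source -> failure timestamps
        self.blacklist = set()
        self.pending_recovery = []              # requests awaiting the manager

    @staticmethod
    def _norm(source):
        # Treat "AA-BB-.." and "aa:bb:.." as the same source address.
        return source.strip().lower().replace("-", ":")

    def record_result(self, source, success):
        """Register one authentication outcome.
        Returns 'shielded', 'ok' or 'failed'."""
        src = self._norm(source)
        if src in self.blacklist:
            return "shielded"                   # filtered: no check, no feedback
        now = self.clock()
        window = self._failures[src]
        while window and now - window[0] > self.period:
            window.popleft()                    # drop failures outside the period
        if success:
            return "ok"                         # the patent does not describe a reset
        window.append(now)
        if len(window) > self.preset_value:     # "beyond the preset value"
            self.blacklist.add(src)
            del self._failures[src]
            return "shielded"
        return "failed"

    def request_recovery(self, source):
        """Step S16, first half: a shielded device asks to be restored."""
        src = self._norm(source)
        if src in self.blacklist and src not in self.pending_recovery:
            self.pending_recovery.append(src)
            return True
        return False                            # not shielded, or already queued

    def review_recovery(self, source, approved):
        """Step S16, second half: the manager decides; only approval
        removes the address from the blacklist."""
        src = self._norm(source)
        if src not in self.pending_recovery:
            return False
        self.pending_recovery.remove(src)
        if approved:
            self.blacklist.discard(src)
        return approved


def demo():
    """Constructed scenario: four failures inside one period, then recovery."""
    now = [0.0]
    tracker = AuthFailureTracker(preset_value=3, period_seconds=300,
                                 clock=lambda: now[0])
    mac = "AA-BB-CC-00-00-01"                   # constructed sample address
    results = []
    for _ in range(4):
        now[0] += 10
        results.append(tracker.record_result(mac, success=False))
    results.append(tracker.record_result(mac, success=True))    # still shielded
    results.append(tracker.request_recovery(mac))
    results.append(tracker.review_recovery(mac, approved=True))
    results.append(tracker.record_result(mac, success=True))    # accepted again
    return results
```

A source address such as a MAC address or host name is asserted by the client, so a tracker keyed on it limits repeated attempts per identifier rather than per physical device.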
As shown in Fig. 7, in another further improved embodiment, the WiFi access remote authentication method performed by the control end equipment also includes step S15': counting the number of times that face characteristic data with the same source address repeatedly fails authentication and, after the number of failures exceeds a preset value, sending to the WiFi access point apparatus notification information indicating that access requests belonging to this source address are to be shielded.
It can be seen that, as in the previous refined embodiment, the control end equipment counts the number of times face characteristic data repeatedly fails authentication; what follows is how the incoming end equipment is then shielded. In the present embodiment, when the number of failures exceeds the preset value, notification information is generated and sent to the WiFi access point apparatus; its content indicates that access requests belonging to this source address are to be shielded. In other words, the control end equipment uses notification information to tell the WiFi access point apparatus to shield access requests from the specified source address. Accordingly, the WiFi access point apparatus can, on the basis of this notification information, stop responding to access requests from that source address or directly send a network frame refusing access, so that the incoming end equipment corresponding to this source address cannot access the communication network of the WiFi access point apparatus. Clearly, unlike the previous example, the function of shielding the source address is implemented by the WiFi access point apparatus; the shielding takes effect faster and more directly, and the WiFi access point apparatus no longer even needs to process the face characteristic data of this source address.
Similarly, to accompany step S15', a step S16' can further be provided: receiving a recovery request belonging to the source address and, in response to a user instruction, sending to the WiFi access point apparatus notification information that cancels the shielding of access requests from this source address.
The incoming end equipment may be preset with a disaster tolerance mechanism by which, when the face characteristic data it provides is shielded, it asks the shielding party to restore handling of its subsequent verification requests; this is implemented by sending a recovery request to the communication network. The control end equipment therefore receives this recovery request, which also contains the source address of the incoming end equipment. The request is subject to review, so the control end equipment does not necessarily lift the shielding of this source address immediately. Lifting the shielding is usually done manually: the manager can learn of the recovery request through the user management interface of the control end equipment and decide whether to agree to it. Once the recovery request is agreed to, the control end equipment encapsulates notification information indicating that the shielding of access requests from this source address is cancelled, and sends it to the WiFi access point apparatus. After receiving this notification information, the WiFi access point apparatus deletes the source address from its recorded data (which may take the form of a blacklist) and subsequently no longer shields access requests with this source address, so the ban on the incoming end equipment accessing the communication network is lifted. It should be pointed out that the setting options of the user management interface may also include the recorded data of source addresses to be shielded that is stored in the WiFi access point apparatus, such as the blacklist mentioned above; after the manager allows the recovery request in the user management interface, the interface can show the list with the source address corresponding to this recovery request deleted.
The above describes in detail and fully discloses the various embodiments of the WiFi access remote authentication method implemented by the portable control end equipment of the present invention. It can be seen from them that the control end equipment can perform authentication management of a WiFi communication network based on face characteristic data, thereby strengthening the security of this communication network.
The WiFi access authentication method of the present invention that is applicable to the portable incoming end equipment has various embodiments. Building on the preceding embodiments, the content of the remaining alternative embodiments is set out below step by step. Please continue to refer to Fig. 3 together with the following text:
Step S21, initiating an access request to the WiFi access point apparatus, is specifically implemented as follows:
The WiFi access point apparatus, acting as the AP, is configured with a communication network and radiates a WiFi signal into the air. In one embodiment, the WiFi access point apparatus broadcasts its beacon frame at regular intervals (Beacon frame, when the SSID is not hidden); the portable incoming end equipment of the present invention finds this beacon frame by scanning and can then initiate the access request. In another embodiment, particularly where the SSID is hidden, the incoming end equipment can send a Probe Request frame, obtain the network configuration information from the Probe Response frame fed back by the WiFi access point apparatus, and likewise initiate the access request.
Usually, the user can start a scan for nearby WiFi communication networks through the WiFi switch option on the settings page of the incoming end equipment's operating system and obtain an SSID list, then tap the SSID of the desired communication network to access it. The incoming end equipment can also store the configuration information of communication networks the user has accessed before; in that case the user only needs to turn on the WiFi switch option, and the system automatically accesses the preferred WiFi communication network according to a default preference policy. It can therefore be considered that user interaction produces a user instruction directing the incoming end equipment to access the communication network of the present invention, and the incoming end equipment initiates the access request to this communication network in response to this user instruction.
Step S22: in response to the authentication execution instruction that follows this access request, starting the image acquisition unit to obtain face characteristic data.
The authentication execution instruction can be produced in a number of ways:
In one embodiment, after the access request is sent to the WiFi access point apparatus, the WiFi access point apparatus routes it to the control end equipment either directly or after converting it into some frame format (loading it into a data frame), which causes the control end equipment to feed back an authentication execution instruction; the WiFi access point apparatus then routes this authentication execution instruction to the incoming end equipment.
In another embodiment, after the access request is sent to the WiFi access point apparatus, the WiFi access point apparatus handles it directly and itself originates the authentication execution instruction that is fed back to the incoming end equipment.
In yet another embodiment, the authentication execution instruction can be triggered by the incoming end equipment itself, according to preset program logic, after it has sent the access request. Specifically, following its conventional protocol flow, once the connection request stage is complete and it has received, for example, a Probe Response frame (which is here regarded as the authentication execution instruction), it triggers the subsequent steps by itself, which avoids reliance on external equipment and simplifies the operation flow.
Whichever way is used to feed back the authentication execution instruction for the access request, the incoming end equipment's execution of the subsequent steps is unaffected. There is one exception: if the source address of the incoming end equipment indicated by this access request has been shielded by the WiFi access point apparatus, the incoming end equipment cannot receive the authentication execution instruction, and execution of the subsequent steps therefore ends.
After the incoming end equipment obtains the authentication execution instruction, the instruction triggers the start of the image acquisition unit in the incoming end equipment. When the image acquisition unit starts, a scanning interface can be activated that shows the preview image of the image acquisition unit. When the user points the lens of the image acquisition unit at a face and issues a shooting instruction by any means such as voice, gesture or button, a corresponding face image is obtained and face characteristic data is extracted from it. Alternatively, the image acquisition unit works without a user instruction and automatically takes any frame of the preview image as the face image, from which the face characteristic data is then extracted. After the face characteristic data has been successfully obtained, the scanning interface can be exited, either under control or automatically.
Step S23, feeding back the face characteristic data to the WiFi access point apparatus in response to the authentication execution instruction, is specifically implemented as follows:
After the incoming end equipment has acquired the face characteristic data, it needs to submit the data to the WiFi access point apparatus so that the authentication of the face characteristic data can be completed; this is its response to the authentication execution instruction.
Because the incoming end equipment has not established a WiFi connection with the WiFi access point apparatus, it cannot transmit the face characteristic data in data frames; the incoming end equipment therefore uses a group of multiple multicast frames to transmit the face characteristic data. Specifically, the incoming end equipment converts the face characteristic data into binary code, loads it in segments into an editable field of the multicast frames, specifically the address field, and then sends the multicast frames.
The equipment responsible for processing the face characteristic data, which according to the corresponding embodiments disclosed above may be the WiFi access point apparatus or the control end equipment, receives the multicast frames, extracts the binary code of the loaded face characteristic data from the editable field of each multicast frame, assembles it in segment order, and then converts it back into the face characteristic data.
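The segmentation into multicast address fields and the reassembly in segment order can be illustrated as below. This is an added example, not code from the patent, which does not specify a frame layout: the 01:00:5e multicast prefix, the index byte, the length and CRC32 header segments and the function names are all assumptions.

```python
import zlib

# Assumed layout of each 6-byte destination address:
#   bytes 0-2  fixed IPv4 multicast prefix 01:00:5e
#   byte  3    segment index 0..127 (top bit stays 0 in this address range)
#   bytes 4-5  two bytes of content
# Segment 0 carries the payload length, segments 1-2 a CRC32 of the payload,
# and segments 3.. the payload itself, zero-padded to an even length.
PREFIX = bytes([0x01, 0x00, 0x5E])
MAX_INDEX = 0x7F
HEADER_SEGMENTS = 3
MAX_PAYLOAD = (MAX_INDEX + 1 - HEADER_SEGMENTS) * 2   # 250 bytes per group


def encode(payload):
    """Split payload bytes into a group of multicast destination addresses."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for one group of frames")
    header = len(payload).to_bytes(2, "big") + zlib.crc32(payload).to_bytes(4, "big")
    body = header + payload + (b"\x00" if len(payload) % 2 else b"")
    addresses = []
    for index in range(len(body) // 2):
        mac = PREFIX + bytes([index]) + body[2 * index: 2 * index + 2]
        addresses.append(":".join(f"{b:02x}" for b in mac))
    return addresses


def decode(addresses):
    """Reassemble the payload from observed addresses, in any order.
    Raises ValueError when segments are missing or the checksum fails."""
    segments = {}
    for addr in addresses:
        try:
            raw = bytes.fromhex(addr.replace(":", "").replace("-", ""))
        except ValueError:
            continue                              # not a well-formed address
        if len(raw) != 6 or raw[:3] != PREFIX or raw[3] > MAX_INDEX:
            continue                              # unrelated multicast traffic
        segments.setdefault(raw[3], raw[4:6])     # retransmissions: first copy wins
    for index in range(HEADER_SEGMENTS):
        if index not in segments:
            raise ValueError(f"header segment {index} missing")
    length = int.from_bytes(segments[0], "big")
    expected_crc = int.from_bytes(segments[1] + segments[2], "big")
    needed = HEADER_SEGMENTS + (length + 1) // 2
    missing = [i for i in range(HEADER_SEGMENTS, needed) if i not in segments]
    if missing:
        raise ValueError(f"segments missing: {missing}")
    data = b"".join(segments[i] for i in range(HEADER_SEGMENTS, needed))[:length]
    if zlib.crc32(data) != expected_crc:
        raise ValueError("checksum mismatch")
    return data
```

Frames sent before association carry no link-layer encryption and a CRC only detects accidental corruption, so the payload passed to `encode` is assumed to be already protected by the sender and receiver.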
To strengthen information security during transmission, after the face characteristic data is obtained it can be encrypted according to an agreement with the equipment responsible for processing the face characteristic data, and the encrypted face characteristic data is then encoded into the multicast frames. Correspondingly, the equipment responsible for processing must also decrypt it.
The equipment responsible for processing the face characteristic data may, in line with one of the aforementioned embodiments, be the WiFi access point apparatus, which obtains the received face characteristic data by parsing, encodes it into a data frame and transmits it to the control end equipment; the control end equipment then extracts the face characteristic data from the data frame. In line with another of the aforementioned embodiments, the control end equipment can directly obtain the multicast frames routed through the WiFi access point apparatus and parse them to obtain the face characteristic data.
The control end equipment then authenticates the face characteristic data it has received. In some of the embodiments disclosed above, if the blacklist of the control end equipment contains the source address pointing to the incoming end equipment (this source address can be supplied together with the face characteristic data for identification), the control end equipment may make no response to the face characteristic data, or may respond but ultimately cause the face characteristic data to be refused authentication. If the control end equipment does not find in its blacklist the source address of the incoming end equipment that provided the face characteristic data, it authenticates the face characteristic data by the normal process. Depending on the embodiment, the control end equipment compares the face characteristic data of the incoming end equipment with the pre-stored characteristic data in the feature library of the machine itself or of a cloud server; when pre-stored characteristic data consistent with the face characteristic data is found in the feature library, authentication is regarded as successful, and otherwise as failed. Authentication result information is generated accordingly and sent to the WiFi access point apparatus. The consistency of face characteristic data with pre-stored characteristic data referred to here should not be limited to complete identity of data representation or data content; for example, the two can be regarded as consistent when their degree of similarity reaches a preset level or falls within a permitted range.
In a further refined embodiment, the WiFi access point apparatus can cache or store the pre-stored characteristic data of the feature library that corresponds to the source address, or even cache or store the whole feature library. In this case, when the incoming end equipment reaches the WiFi access point apparatus, the WiFi access point apparatus can first compare against its cached feature library to determine whether authentication succeeds, and generate the authentication result information itself according to the result, so that the authentication of face characteristic data does not necessarily depend on the participation of the control end equipment. When the WiFi access point apparatus handles the pre-stored characteristic data or the whole feature library in cached form, it is appropriate to set a validity period for the pre-stored characteristic data or feature library, to ensure that the data is updated promptly. Clearly, the control end equipment can control remote updating of the pre-stored characteristic data or whole feature library cached or stored by the WiFi access point apparatus.
Step S24, accessing the communication network set up by the WiFi access point apparatus after the face characteristic data passes authentication, is specifically implemented as follows:
Whether the control end equipment sends the authentication result information indicating success or failure to the WiFi access point apparatus, or the WiFi access point apparatus generates the authentication result information itself, the WiFi access point apparatus makes its final response to the access request of the incoming end equipment according to the authentication result. Specifically, the WiFi access point apparatus can respond in any one or more of the following ways according to the authentication result information, in order to make the final response to the access request:
Mode one: in accordance with the IEEE 802.11 protocol, and depending on whether the authentication result information indicates success or failure, a frame indicating that the incoming end equipment is allowed to access, or is prevented from accessing, the communication network (usually a kind of management frame) is fed back to it, which completes the authentication phase. After receiving this management frame, the incoming end equipment can check from its content whether authentication was passed, and accordingly establish or terminate the connection to the communication network of the WiFi access point apparatus; when authentication is passed, it starts the association phase and accesses the communication network set up by the WiFi access point apparatus.
Mode two: depending on whether the authentication result information indicates success or failure. When it indicates success, the WiFi access point apparatus allows the association request of the incoming end equipment so that it accesses the communication network, and the incoming end equipment successfully accesses the communication network; when it indicates failure, the WiFi access point apparatus does not respond to the association request of the incoming end equipment, so that the incoming end equipment treats the request as timed out and regards authentication as failed.
Mode three: the WiFi access point apparatus sends the authentication result information to the incoming end equipment as its response, while itself operating according to the IEEE 802.11 protocol. After the incoming end equipment receives and parses the authentication result information, if it indicates success, the incoming end equipment initiates an association request according to the protocol to confirm access to the communication network; if it indicates failure, the incoming end equipment can carry out follow-up work accordingly, such as making the request again.
Of course, in a broad sense the management frame described in mode one can itself also be regarded as the authentication result information. Those skilled in the art can flexibly use the above modes to establish the connection in the incoming end equipment, or to issue a warning, after the face characteristic data has been authenticated. In one generally applicable embodiment, when the incoming end equipment confirms that authentication has failed, it can display warning information in the user interface to notify the user to take follow-up action, which improves human-computer interaction. When the incoming end equipment confirms that authentication has succeeded, the connection is confirmed as a trusted channel; once the trusted channel is established, the incoming end equipment can, under an agreement made with the WiFi access point apparatus, store connection information for subsequently logging in to the communication network without authentication, so that the incoming end equipment can use this connection information to access the communication network conveniently without any authentication procedure.
Referring to Fig. 8, in a further enhanced embodiment of the present invention, the WiFi access authentication method applicable to the portable incoming end equipment also includes step S25: counting the number of unsuccessful attempts to access the communication network after the access request is initiated; after this number reaches a predetermined value, determining that the machine is in a state in which its access requests are shielded; and, in response to a user instruction, initiating a recovery request to restore permission for its access requests. It is specifically implemented as follows:
Provided that the control end equipment or WiFi access point apparatus described above supports the disaster tolerance mechanism, the incoming end equipment can count its connection failures so that, if its access has been shielded by the control end equipment or the WiFi access point apparatus, it can by technical means restore the possibility of accessing the communication network.
As stated above, after authentication fails the incoming end equipment cannot establish a connection to the communication network set up by the WiFi access point apparatus; but it is unreasonable for the equipment to be shielded permanently because the face characteristic data it provided repeatedly failed authentication. To balance benefit and risk reasonably, the incoming end equipment counts the number of times it has failed to access the communication network and is given a preset value for this count; once the count exceeds the preset value, the machine can be determined to be in a state in which its access requests are shielded, and a control component of the user interface is then enabled. This control component can be a virtual key, through which the communication network is asked to resume responding to the equipment's access requests. As an equivalent measure, a validity period can also be set, and the control component is enabled only when the duration of this validity period, counted from the start of the statistics, has elapsed.
The user can then trigger the user instruction by activating the control component; in response to this user instruction, the incoming end equipment initiates to the communication network a recovery request to restore permission for its own access requests. Depending on whether the shielding mechanism is implemented by the control end equipment or by the WiFi access point apparatus, the recovery request reaches the control end equipment or the WiFi access point apparatus; the equipment receiving it can notify the manager to respond, and once the manager approves the recovery request, subsequent access requests of the incoming end equipment are processed normally by the communication network.
The above describes in detail and fully discloses the various embodiments of the WiFi access authentication method implemented by the portable incoming end equipment of the present invention. It can be seen from them that the incoming end equipment can, as required by the communication network it is accessing, collect face characteristic data locally and provide it to the communication network for authentication, thereby helping to strengthen the security of the communication network.
The WiFi access authentication control method of the present invention that is applicable to the WiFi access point apparatus has various embodiments. Building on the preceding embodiments, the content of the remaining alternative embodiments is set out below step by step. Please continue to refer to Fig. 4 together with the following text:
The WiFi access point apparatus is usually also called a WiFi router. A traditional WiFi router has a WiFi chip module and implements the corresponding management functions through its low-level driver; these management functions are generally developed on the basis of the IEEE 802.11 protocol. In at least some of the embodiments of the present invention, the low-level driver functions of the WiFi chip module need to be enriched, on the basis of the IEEE 802.11 protocol, according to the functions required by the corresponding embodiments, so that they help to realize the functions that at least some embodiments of the present invention are to achieve. These functions are reflected in the descriptions of the different steps of the alternative embodiments of the WiFi access authentication control method.
Step S31: receiving the access request of the incoming end equipment. As before, the access request is the early-stage request initiated by the incoming end equipment after it detects the service set identifier (SSID) of the present invention. Depending on how roles are distributed between the control end equipment and the WiFi access point apparatus as disclosed above, the process of receiving the access request varies between embodiments.
In an embodiment in which the WiFi access point apparatus manages access requests in the traditional way, after receiving the access request the WiFi access point apparatus responds to it itself, so it does not route it or convert it for output, and in particular does not need to send it to the control end equipment. Conversely, in another, improved embodiment, after receiving the request the WiFi access point apparatus can forward the access request to the control end equipment in a form of its own, such as some data frame or management frame, and the control end equipment is responsible for responding; it can also route the access request directly to the control end equipment for response. Specifically, the access request should reach the equipment that responds to it directly.
A kind of embodiment of situation about access request can be shielded be applicable to described WiFi access point apparatus, After WiFi incoming end equipment receives this access request, from this request, extract the incoming end equipment of this access request of initiation Source address, inquires about its blacklist, when confirming that this source address is contained in blacklist, just terminates the sound to this access request Should, or correspond directly to this access request and feed back the management frame that a sign refusal accesses, thus strengthen the peace of communication network Full management.As source address does not appears in blacklist, then can continue other steps according to normal process.
Step S32 responds to the access request by feeding back an authentication execution instruction. It is implemented as follows:
In line with the different embodiments of the control end equipment described above, the authentication execution instruction can either originate from the control end equipment and be routed through the WiFi access point apparatus, or originate from the WiFi access point apparatus itself. Feeding back the authentication execution instruction therefore covers both the embodiment in which an instruction originated by the control end equipment is routed to the incoming end equipment and the embodiment in which the WiFi access point apparatus originates it and sends it to the incoming end equipment. In the embodiments disclosed above, after the access request is initiated and the connection request stage of the IEEE 802.11 protocol is completed, an authentication request is initiated in the authentication stage, and the management frame carrying the authentication response produced in reply to that request can also be regarded as an authentication execution instruction. Which mode is used depends on how management roles are divided between the control end equipment and the WiFi access point apparatus.
It follows that after the WiFi access point apparatus has shielded a given access request according to the blacklist, it no longer responds to that access request and does not feed back the authentication execution instruction.
Step S33 receives the face characteristic data fed back in response to the authentication execution instruction and requests the control end equipment to authenticate them. Its embodiments take the following forms:
As disclosed above, the portable incoming end equipment gathers face characteristic data in response to the authentication execution instruction sent by the WiFi access point apparatus and feeds the data back to the communication network, where they are either received directly by the control end equipment or, as in the present embodiment, first arrive at the WiFi access point apparatus.
With reference to an embodiment disclosed above, the WiFi access point apparatus can itself authenticate the received face characteristic data. The WiFi access point apparatus stores or caches the feature database needed for authentication, or one or more pre-stored characteristic data from it, and matches the received face characteristic data against the pre-stored characteristic data (in the feature database). When consistent face characteristic data are matched, authentication is regarded as successful; otherwise it is regarded as failed. The subsequent processing of this embodiment has been fully disclosed in the corresponding method for the incoming end equipment; the description below is based on the latter embodiment.
In another embodiment, the WiFi access point apparatus is not responsible for authenticating the received face characteristic data. Instead it routes the data to the control end equipment, or encapsulates them itself into a data frame sent to the control end equipment, and requests the control end equipment to authenticate them. The control end equipment compares the face characteristic data with the pre-stored characteristic data in its local feature database or in the feature database of a cloud server, confirms whether the two are consistent, and feeds authentication result information back to the WiFi access point apparatus, which confirms authentication success or failure according to the content the authentication result information represents.
Of course, while being transmitted between multiple devices the face characteristic data can be either in plaintext or encrypted, and the encryption mode can be set flexibly. It is only necessary that the devices agree in advance on how this information is transmitted so that they interoperate in operation.
It should be pointed out that because the incoming end equipment has not established a WiFi connection with the WiFi access point apparatus, it cannot transmit the face characteristic data in the form of data frames. The incoming end equipment therefore uses a group of multiple multicast frames to transmit the face characteristic data. Specifically, it converts the face characteristic data to binary code, loads the code segment by segment into the editable field of multiple multicast frames, specifically the address field, and then sends the multicast frames. In the present embodiment, after receiving those multicast frames the WiFi access point apparatus extracts the loaded binary code of the face characteristic data from the editable field of each multicast frame, assembles the segments in segmentation order, and converts the result back into face characteristic data.
The control end equipment then authenticates the face characteristic data it receives. In some of the embodiments disclosed above, if the blacklist of the control end equipment contains the source address of the incoming end equipment (the source address can be provided together with the face characteristic data for identification), the control end equipment may make no response to the face characteristic data, or may respond but ultimately report that the face characteristic data are refused authentication. If the control end equipment does not find in its blacklist the source address of the incoming end equipment that provided the face characteristic data, it authenticates the data by the normal process. According to the different embodiments above, the control end equipment compares the face characteristic data of the incoming end equipment with the pre-stored characteristic data in the feature database of the local machine or of the cloud server. When the feature database is found to contain pre-stored characteristic data consistent with the face characteristic data, authentication is regarded as successful; otherwise it is regarded as failed. Authentication result information is generated accordingly and sent to the WiFi access point apparatus. It should be emphasized that consistency between face characteristic data and pre-stored characteristic data should not be limited to complete identity of data representation or data content; for example, the two can be regarded as consistent when their degree of approximation reaches a preset level or falls within a permitted range.
Step S34, according to the authentication result information fed back by the control end equipment, which characterizes authentication success or failure, correspondingly allows or prevents the incoming end equipment from accessing the preset communication network. Its several implementations are as follows:
As mentioned above, in a typical embodiment the authentication result information comes from the control end equipment. After receiving the authentication result information fed back by the control end equipment, the WiFi access point apparatus parses it to determine the content it characterizes, which is usually one of two kinds: authentication success or authentication failure.
In another embodiment of the invention, the WiFi access point apparatus can match the face characteristic data to be verified against the feature database (or specific pre-stored characteristic data from it) that it caches or stores and that is updated under the control of the control end equipment, and process the matching result into the authentication result information. In this way the WiFi access point apparatus generates the authentication result information natively.
The embodiments disclosed here are evidently closer to the traditional implementation of the IEEE 802.11 protocol. Following the connection establishment process the protocol specifies, the incoming end equipment submits the face characteristic data for authentication in the authentication stage. After the control end equipment or the WiFi access point apparatus has authenticated them successfully or unsuccessfully, the WiFi access point apparatus feeds back an authentication response frame according to the authentication result information generated by the authentication, specifically a management frame characterizing authentication success or a management frame characterizing authentication failure. From the viewpoint of the incoming end equipment, this authentication response frame can also broadly be regarded as the authentication result information it receives.
Of course, larger improvements are also possible. Specifically, the WiFi access point apparatus need not process the authentication result information of the control end equipment itself and can instead route it directly to the incoming end equipment. Alternatively, even when the WiFi access point apparatus authenticates the face characteristic data itself, it can generate authentication result information that differs from the IEEE 802.11 protocol specification. In such embodiments the form and content of the authentication result information can both differ from the IEEE 802.11 protocol, as long as the incoming end equipment and the WiFi access point apparatus agree on them in advance.
Therefore, in any case, although it is not a strictly necessary step, the WiFi access point apparatus can originate or forward authentication result information to the incoming end equipment, and the incoming end equipment can parse it and decide its own subsequent connection process accordingly.
However, as a basic function, the WiFi access point apparatus can parse the authentication result information from its own viewpoint. After parsing it, according to the content it characterizes, that is, authentication success or failure, the WiFi access point apparatus responds to the association request with which the incoming end equipment subsequently expects to complete the connection, and determines whether to allow a trusted WiFi channel to be established with the incoming end equipment. Combining the various situations disclosed above, the WiFi access point apparatus can control the outcome of the incoming end equipment's access request according to the authentication result information, as follows:
When the authentication result information characterizes authentication success, a management frame characterizing authentication success is sent to the incoming end equipment to allow it to access the established communication network. According to the IEEE 802.11 protocol, the association request that the incoming end equipment initiates on its own after receiving that management frame, and its subsequent communication, are given a normal response: in response to the association request, a management frame indicating successful association is fed back to the incoming end equipment as confirmation, thereby establishing the WiFi connection between the incoming end equipment and the WiFi access point apparatus.
When the authentication result information characterizes authentication failure, a management frame characterizing authentication failure is sent to the incoming end equipment to prevent it from accessing the established communication network. According to the IEEE 802.11 protocol, for the association request that the incoming end equipment initiates on its own after receiving that management frame, the WiFi access point apparatus either does not respond, or responds to the association request by feeding back to the incoming end equipment a management frame indicating association failure as a warning.
Of course, according to some of the embodiments disclosed above, once the incoming end equipment receives the authentication result information it knows whether the face characteristic data it provided were authenticated successfully or not, so it can decide for itself, based on the authentication result information, whether to continue the subsequent connection process specified by the IEEE 802.11 protocol. When the authentication result information characterizes authentication success (such as the management frame characterizing authentication success), it can initiate an association request and, after receiving the response frame indicating successful association fed back by the WiFi access point apparatus, complete access to the communication network. When the authentication result information characterizes authentication failure (such as the management frame characterizing authentication failure), it can terminate the subsequent connection process and, if necessary, display alert information through the user interface.
It will be appreciated that, in each of the above embodiments, the authentication result information received by the incoming end equipment can, from its viewpoint, be either a communication format with pre-agreed custom content, originated or routed by the WiFi access point apparatus, or a management frame characterizing authentication success or failure that the WiFi access point apparatus sends in accordance with the IEEE 802.11 protocol based on the content of the authentication result information it received.
For ease of management and operation, after the incoming end equipment has successfully accessed the communication network of the WiFi access point apparatus, the WiFi access point apparatus can save the information of the incoming end equipment locally and regard it as a trusted channel. When the incoming end equipment later accesses again, the authentication stage can be skipped on the basis of this trust relationship, simplifying subsequent access.
Referring to Fig. 9, in a more specific embodiment, the WiFi access authentication control method performed by the WiFi access point apparatus of the present invention also includes a preceding step S30: pre-establishing, by way of a WiFi connection, a trusted channel between the local machine and the control end equipment. For its implementation, refer to the related description above.
Referring to Figure 10, in a more complete embodiment, the WiFi access authentication control method performed by the WiFi access point apparatus of the present invention also includes step S35: in response to a read instruction and/or a configuration instruction from the control end equipment, feeding back and/or modifying the configuration parameters of the local machine's communication network. Its implementation, in combination with the various embodiments of the control end equipment above, is as follows:
As described above, the control end equipment can read the configuration parameters of the communication network from the WiFi access point apparatus and display a user management interface for them. The interface presents the relevant setting options for the user to modify. When the user submits a modification, it is submitted to the WiFi access point apparatus for parameter modification, thereby changing the configuration of at least some parameters of the communication network.
Correspondingly, on the WiFi access point apparatus side, it can receive the read instruction from the control end equipment, call the configuration file relating to the communication network, and feed back to the control end equipment the configuration parameters in that file that relate to the communication network. Likewise, the WiFi access point apparatus can receive the configuration instruction that the control end equipment forms by encapsulation after the user has modified the configuration parameters (corresponding to the setting options in the user interface), read the modified configuration parameters and their data from the configuration instruction, modify the data of the relevant configuration parameters accordingly, and put them into effect. It thereby cooperates with the control end equipment and gives the user a better remote maintenance experience.
As mentioned above, to improve security the present invention can add control functions at the WiFi access point apparatus. For this, refer to the various improvements disclosed below:
In an embodiment adapted to the implementation at the control end equipment, as shown in Figure 11, the WiFi access authentication control method performed by the WiFi access point apparatus also provides step S36: receiving from the control end equipment announcement information indicating that access requests belonging to a specified source address are to be shielded, and then either ceasing to respond to access requests from the incoming end equipment with the source address specified in the announcement information (for example, not feeding back a Probe Response frame) or feeding back to it a management frame indicating that connection is not possible. The incoming end equipment is thus treated as unable to connect to the communication network.
In a further improvement, after the announcement information is received, the source address is added to the blacklist held by the WiFi access point apparatus. The WiFi access point apparatus can then match the source address in a received access request from an access terminal against the records in the blacklist to see whether the source address is present. If it is, the access request is shielded directly; if not, it is processed by the normal rules.
To improve the management of the WiFi access point apparatus, in a further enhanced embodiment, referring to Figure 12, on the basis of the previous embodiment the WiFi access authentication control method of the present invention also includes step S37: receiving from the control end equipment announcement information that cancels the shielding of access requests from this source address, and resuming the response to access requests from the incoming end equipment corresponding to that source address. With reference to the previous embodiment, this can be implemented by extracting from the announcement information the source address whose shielding is to be cancelled and deleting it from the blacklist.
In a further extended embodiment, suited to the user interface management function implemented by the control end, referring to Figure 13, the WiFi access authentication control method performed by the WiFi access point apparatus also provides step S38: receiving a recovery request from the incoming end equipment and routing it to the control end equipment, to request that the control end equipment cancel the shielding of this incoming end equipment's face characteristic data. This step corresponds to the embodiment above in which the control end equipment shields face characteristic data. After the control end equipment has shielded the face characteristic data, the incoming end equipment is allowed to initiate the recovery request, which is sent through the communication network and routed by the WiFi access point apparatus to the control end equipment. After receiving it, the control end equipment can alert the user in the user interface; following the alert, the user enters a dedicated page of the user management interface and reviews whether to allow the recovery request. When the user allows it, the control end equipment removes the shielding of the incoming end equipment's face characteristic data, that is, reopens the authentication function for that incoming end equipment. This provides an effective technical remedy after an incoming end equipment has been shielded by the control end equipment.
The various embodiments of the WiFi access authentication control method implemented by the portable WiFi access point apparatus of the present invention have now been disclosed fully and in detail. It can be seen that the WiFi access point apparatus can cooperate with the control end equipment and the incoming end equipment to improve the authentication function of its open communication network, raising both the security level and the convenience of management.
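The access point's side of steps S31 to S34, together with the shielding of steps S36 and S37 and the trust cache, as an added example that is not code from the patent. The class, the reply names, the feature vectors, cosine similarity as the measure of approximation and the 0.95 threshold are all assumptions; the patent only requires that the degree of approximation reach a preset level.

```python
"""Added illustration of the access point decision flow (S31-S34, S36, S37)."""
import math
from enum import Enum
from typing import Dict, Sequence, Set


class Reply(Enum):
    REFUSED = "management frame: access refused"
    AUTH_EXECUTE = "authentication execution instruction"
    AUTH_SUCCESS = "management frame: authentication success"
    AUTH_FAILURE = "management frame: authentication failure"


def cosine(a: Sequence[float], b: Sequence[float]) -> float:
    """Similarity in [-1, 1]; 0.0 for empty, mismatched or zero vectors."""
    if not a or len(a) != len(b):
        return 0.0
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0 or norm_b == 0:
        return 0.0
    return sum(x * y for x, y in zip(a, b)) / (norm_a * norm_b)


class AccessPoint:
    def __init__(self, feature_library: Dict[str, Sequence[float]],
                 threshold: float = 0.95):
        self.feature_library = dict(feature_library)  # pre-stored data
        self.threshold = threshold                     # assumed preset level
        self.blacklist: Set[str] = set()
        self.trusted: Set[str] = set()   # devices that accessed before
        self.pending: Set[str] = set()   # devices asked for face data

    def shield(self, source: str) -> None:
        """S36: announcement from the control end to shield a source."""
        self.blacklist.add(source)
        self.trusted.discard(source)     # assumption: shielding ends trust
        self.pending.discard(source)

    def unshield(self, source: str) -> None:
        """S37: announcement cancelling the shielding."""
        self.blacklist.discard(source)

    def on_access_request(self, source: str) -> Reply:
        """S31/S32: check the blacklist, then ask for face data."""
        if source in self.blacklist:
            return Reply.REFUSED
        if source in self.trusted:       # authentication stage skipped
            return Reply.AUTH_SUCCESS
        self.pending.add(source)
        return Reply.AUTH_EXECUTE

    def on_face_features(self, source: str,
                         features: Sequence[float]) -> Reply:
        """S33/S34: match against the library and allow or prevent access."""
        if source in self.blacklist or source not in self.pending:
            return Reply.AUTH_FAILURE    # no instruction was issued
        self.pending.discard(source)
        best = max((cosine(features, ref)
                    for ref in self.feature_library.values()), default=0.0)
        if best >= self.threshold:
            self.trusted.add(source)
            return Reply.AUTH_SUCCESS
        return Reply.AUTH_FAILURE
```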
Following the modular design concept of computer programs, the present invention also provides a corresponding device for each of the above methods, described in detail below:
The WiFi access remote authentication device that the present invention provides for the portable control end equipment has various embodiments. The alternative embodiments of this device are described below in a manner corresponding to the WiFi access remote authentication method.
Referring to Figure 14, the WiFi access remote authentication device includes an acquiring unit 12, a verification unit 13 and a feedback unit 14. The functions of each unit are to be understood with reference to the drawings and the following text:
Assuming by default that a trusted channel has been established between the control end equipment and the WiFi access point apparatus, the WiFi access remote authentication device generally runs its acquiring unit 12, verification unit 13 and feedback unit 14 in that order. The process of establishing the trusted channel is also disclosed here. In one embodiment, the control end equipment establishes the trusted channel with the WiFi access point apparatus in advance by way of a WiFi connection; specifically, the control end equipment can start in STA mode and access the WiFi access point apparatus, which is in AP mode. Then, as a situation common to the embodiments of the present invention but not mandatory, a dispensing unit 10 can be provided as shown in Figure 15, configured to display, in response to a user management instruction, a user management interface through which the setting options of the WiFi access point apparatus can be modified. By running this dispensing unit 10, the control end equipment can call up the setting options of the WiFi access point apparatus according to a pre-agreed protocol and show them on the user management interface on its touch-sensitive display. The user brings up the user management interface on the control end equipment either by triggering a user management instruction on the control end equipment or by having the instruction triggered by default. The user management interface, displayed when the user management instruction is triggered, shows the various setting options of the WiFi access point apparatus and allows the user to modify the setting options that act on the WiFi access point apparatus (in particular those of its communication network). The control end equipment thus takes over the management interface of the WiFi access point apparatus and provides more convenient management operations. The setting options, such as the SSID name of the communication network, DHCP function settings, channel number and authentication mode selection, are varied; any option related to WiFi network functions whose change alters the configuration of the WiFi access point apparatus counts as one. The word "option" should not be read narrowly as "either/or" or "choose one of many", as those skilled in the art will know.
The acquiring unit 12 is used to obtain, from multicast frames transmitted on the communication network established by the WiFi access point apparatus, the face characteristic data to be verified that are provided for accessing this communication network in the authentication stage of WiFi protocol connection establishment. It is implemented as follows:
In one embodiment, the control end equipment can directly process the multicast signal sent by the incoming end equipment, which contains the face characteristic data to be verified, to obtain the face characteristic data. Specifically, because the incoming end equipment has not yet successfully accessed the communication network provided by the WiFi access point apparatus, it cannot send face characteristic data in data frames, but it can use a group of multiple multicast frames to transmit the data. The incoming end equipment converts the face characteristic data to binary code, loads the code into the editable field of multiple multicast frames, specifically the address field, and then sends the multicast frames. The control end equipment receives those multicast frames directly, extracts the binary code from the editable field, and converts it back into face characteristic data.
In another embodiment, the extraction of face characteristic data from the multicast signal of the incoming end equipment is performed by the WiFi access point apparatus, which then loads the data into data frames and sends them to the control end equipment; the control end equipment extracts the face characteristic data directly from the data frames.
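The multicast transport described for step S33 and again for the acquiring unit 12 can be sketched as follows. This is an added example, not code from the patent: the address layout (`01:00:5e` prefix, 7-bit sequence number, two payload bytes per address, a length header and a CRC-16 trailer) and the function names are assumptions, since the patent only says that the data are segmented into the address field and reassembled in segmentation order.

```python
"""Added illustration: carry a byte string in multicast destination addresses.

Assumed layout (not defined by the patent):
    01:00:5e | seq (0..127) | 2 payload bytes
seq 0 is a header holding the total length in bytes, seq 1..n carry the
data two bytes at a time, and seq n+1 holds a CRC-16 of the data.
"""
import binascii
from typing import Dict, Iterable, List, Optional

PREFIX = bytes([0x01, 0x00, 0x5E])  # IPv4-multicast MAC prefix
MAX_SEQ = 0x7F                      # top bit of the 4th octet stays 0
CHUNK = 2                           # payload bytes per address


def encode(data: bytes) -> List[bytes]:
    """Sender side: split data into 6-byte multicast addresses."""
    if not data:
        raise ValueError("nothing to send")
    n_chunks = (len(data) + CHUNK - 1) // CHUNK
    if n_chunks + 1 > MAX_SEQ:
        raise ValueError("data too long for a 7-bit sequence number")
    frames = [PREFIX + bytes([0]) + len(data).to_bytes(2, "big")]
    for i in range(n_chunks):
        chunk = data[i * CHUNK:(i + 1) * CHUNK].ljust(CHUNK, b"\x00")
        frames.append(PREFIX + bytes([i + 1]) + chunk)
    crc = binascii.crc_hqx(data, 0)
    frames.append(PREFIX + bytes([n_chunks + 1]) + crc.to_bytes(2, "big"))
    return frames


def decode(addresses: Iterable[bytes]) -> bytes:
    """Receiver side: reassemble by sequence number, in any arrival order."""
    length: Optional[int] = None
    chunks: Dict[int, bytes] = {}
    for addr in addresses:
        if len(addr) != 6 or addr[:3] != PREFIX or addr[3] > MAX_SEQ:
            continue  # unrelated traffic
        seq, payload = addr[3], addr[4:6]
        if seq == 0:
            value = int.from_bytes(payload, "big")
            if length is not None and length != value:
                raise ValueError("conflicting length headers")
            length = value
        elif chunks.setdefault(seq, payload) != payload:
            raise ValueError(f"conflicting copies of segment {seq}")
    if length is None:
        raise ValueError("length header not received")
    n_chunks = (length + CHUNK - 1) // CHUNK
    if length == 0 or n_chunks + 1 > MAX_SEQ:
        raise ValueError("invalid length header")
    missing = [s for s in range(1, n_chunks + 2) if s not in chunks]
    if missing:
        raise ValueError(f"missing segments: {missing}")
    if any(s > n_chunks + 1 for s in chunks):
        raise ValueError("segment beyond the declared length")
    data = b"".join(chunks[s] for s in range(1, n_chunks + 1))[:length]
    if binascii.crc_hqx(data, 0) != int.from_bytes(chunks[n_chunks + 1], "big"):
        raise ValueError("CRC mismatch")
    return data
```

The receiver rejects a transfer with a lost, conflicting or altered segment instead of passing partial data on to verification.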
After the acquiring unit 12 obtains the face characteristic data, if by agreement they are encrypted they should be decrypted; otherwise they can be used directly for the subsequent verification.
The verification unit 13 is used to verify the face characteristic data and obtain authentication result information characterizing verification success or failure. It is implemented as follows:
Specifically, the control end equipment can obtain in advance a feature database that stores the face characteristic data of legitimate users. The feature database can be stored in the local memory of the control end equipment, or in a cloud server that the control end equipment can use through remote requests. The face characteristic data in the feature database, that is, the pre-stored characteristic data, can exist in encrypted form to strengthen their security. When verifying the face characteristic data, the control end equipment performs different processes depending on where the feature database is stored:
For a locally stored feature database, the control end equipment, through the verification unit 13, compares the face characteristic data to be verified with the pre-stored characteristic data in the feature database. If pre-stored characteristic data consistent with the face characteristic data are confirmed to exist, the face characteristic data are regarded as provided by a legitimate user identity; otherwise they are regarded as provided by an illegitimate user identity. Authentication result information characterizing verification success or failure is generated for the two cases respectively. Consistency between face characteristic data and pre-stored characteristic data should not be limited to complete identity of data representation or data content; for example, the two can be regarded as consistent when their degree of approximation reaches a preset level or falls within a permitted range.
For a feature database stored in a cloud server, the control end equipment, through the verification unit 13, encapsulates the face characteristic data to be verified in a verification request and sends it to the cloud server. The server uses the face characteristic data to perform the same checking procedure as described above, and the authentication result information generated by the cloud server is finally fed back to the control end equipment.
It can be seen that whether verification is done locally or submitted to the cloud server, the control end equipment obtains the authentication result information through the verification unit 13.
To construct the feature database, in one embodiment the WiFi access remote authentication device run by the control end equipment starts and executes a collecting unit 18 that it further includes, configured to display an image acquisition interface in response to a user acquisition instruction and to gather the user's face characteristic data as the pre-stored characteristic data.
Generally, the control end equipment can build an application program dedicated to implementing this device and its collecting unit 18. When the application runs, the image acquisition interface can be activated and displayed by a virtual key or a specific gesture. When the interface is activated, an image acquisition unit of the control end equipment, such as a camera, is started to preview the image to be shot. After the user settles on a facial expression and issues a confirmation instruction, for example by voice, gesture or virtual key, the image acquisition unit shoots a facial image, which is processed to extract its face characteristic data. These face characteristic data are then stored as pre-stored characteristic data in the local feature database, or submitted to the cloud feature database for storage. As noted above, the face characteristic data can be stored in the feature database in an encrypted form to strengthen their security.
The feedback unit 14 is used to feed back the authentication result information to the WiFi access point apparatus using data frames. It is implemented as follows:
First, the feedback unit 14 feeds the authentication result information back to the WiFi access point apparatus in order to cause the WiFi access point apparatus (advantageously by sending a management frame to the incoming end equipment) to allow or prevent the incoming end equipment that provided the face characteristic data to be verified from accessing the communication network established by the WiFi access point apparatus. The function of allowing or preventing access to the communication network is, however, realized by the WiFi access point apparatus. After receiving the authentication result information, the WiFi access point apparatus therefore responds, according to the content the information characterizes, to the incoming end equipment that initiated the request to access the communication network, by allowing or not allowing it access; at the incoming end equipment, whether authentication passed can thus be confirmed by checking whether it has successfully accessed the communication network. In one embodiment, the authentication result information can be sent by the control end equipment to the WiFi access point apparatus with a data frame as carrier.
None of the alternative embodiments above considers the process by which the incoming end equipment initiates the access request to join the communication network; they consider only the processing of the face characteristic data it subsequently submits. Accordingly, in those embodiments the access request, in particular a handshake request initiated on the basis of the beacon frame of the conventional WiFi protocol, is processed by the WiFi access point apparatus according to its conventional protocol logic. The WiFi access point apparatus then further requires the incoming end equipment to submit the face characteristic data, and only then routes them to the control end equipment for the processing described in the above embodiments. For the control end equipment, this leaves out the step of processing the incoming end equipment's access request: it only has to treat the face characteristic data as the request and verify them, which reduces overhead.
However, in a further improved embodiment of the present invention, as shown in Figure 16, the WiFi access remote authentication device further includes a start unit 11 that operates as a preceding step. After obtaining the connection request management frame with which the incoming end equipment seeks to access the communication network set up by the WiFi access point apparatus, the start unit 11 feeds back an authentication execution instruction, so that the face characteristic data to be verified, submitted in response to this authentication execution instruction, can subsequently be obtained.
Specifically, after the incoming end equipment detects the beacon frame (beacon) of the communication network set up by the WiFi access point apparatus, or determines the SSID of the communication network through a Probe Request (answered by a Probe Response frame), it can initiate an access request to the WiFi access point apparatus. In the first class of embodiments described above, in which the control end equipment does not consider this access request, the request is processed directly by the WiFi access point apparatus. In the present embodiment, the WiFi access point apparatus can route this access request to the control end equipment, or pass it on in some converted form; in either form, the control end equipment treats what it receives as the access request of the incoming end equipment seeking to access the communication network set up by the WiFi access point apparatus. In some embodiments, the Probe Request, as the connection request management frame, is regarded as an access request. In response to this access request, the control end equipment feeds back, through the start unit 11, an authentication execution instruction that reaches the incoming end equipment by way of the WiFi access point apparatus, or that the WiFi access point apparatus converts into some other form for the incoming end equipment. In the first class of embodiments, by contrast, the authentication execution instruction is originated by the WiFi access point apparatus itself and sent to the incoming end equipment. After the incoming end equipment receives the authentication execution instruction (or treats the Probe Response frame it receives as the authentication execution instruction), it can, according to a preset program, respond by starting its image acquisition unit to obtain the physical characteristic data to be verified and submit them as feedback, ensuring that the remaining units of this device operate normally.
From the embodiments of the WiFi access remote authentication device implemented by the control end equipment described above, it can be seen that in some embodiments the access request of the incoming end equipment and the authentication execution instruction responding to it are processed by the control end equipment and routed through the WiFi access point. In other embodiments, the control end equipment takes no part in processing the access request and the authentication execution instruction. By comparison, if the WiFi access point apparatus processes the incoming end equipment's access request and feeds back the authentication execution instruction for it, the communication process is simplified and the load on the control end equipment is reduced. If the control end equipment processes the access request and originates the authentication execution instruction, the centralized management capability of the control end equipment is strengthened and the security of the communication network is further improved. In a further improvement, while the WiFi access point apparatus handles the connection request, a management frame used to acknowledge that connection request, such as a Request Response frame, can itself be regarded as the authentication execution instruction.
As shown in Figure 17, in a further refined embodiment, the WiFi access remote authentication device executed by the control end equipment also includes a statistic unit 15, which counts the number of authentication failures of face characteristic data having the same source address and, once the number of failures exceeds a preset value, shields the face characteristic data from that source address.
The statistic unit 15 tracks the number of times the face characteristic data to be verified, submitted repeatedly from the same source address, fail authentication, which helps improve the security of the communication network. The control end equipment can thus keep statistics on the face characteristic data it receives. Whether the WiFi access point apparatus routes the face characteristic data of the incoming end equipment directly or repackages them in a data message format of its own, the packet submitted to the control end equipment contains a unique characteristic of the incoming end equipment, such as its MAC address, UUID or host name. One unique characteristic thus characterizes one source address, and the control end equipment can count the verification failures of face characteristic data having the same source address. Preferably, a measurement period such as half an hour or five minutes is set. When, within this period, the face characteristic data submitted repeatedly from the same source address have accumulated a predetermined number (the preset value) of verification failures, in other words once this preset value is exceeded, the control end equipment treats this source address as the origin of a malicious attack, or at least as intrusion by an unauthorized user. In this case the control end equipment shields the face characteristic data from this source address and no longer verifies or gives feedback on face characteristic data from it, protecting the local machine and even the whole communication network from malicious attack.
The simplest way to achieve effective management is to add the source address to be shielded to a blacklist. For face characteristic data to be verified that arrive later, the blacklist is first queried for their source address. If it is present, the data are filtered out directly, which shields the face characteristic data from that source address; if it is not, they are processed by the normal procedure.
To complement the statistic unit 15, a disaster-recovery unit 16 can further be provided, which receives a recovery request belonging to the source address and, in response to a user instruction, cancels the shielding of the face characteristic data from that source address.
The incoming end equipment may have a preset disaster tolerance means by which, when the face characteristic data it provides are shielded, it asks the shielding party to resume handling its subsequent verification requests; this is done by sending a recovery request to the communication network. The control end equipment receives this recovery request, which also contains the source address of the incoming end equipment. The request is subject to review, so the control end equipment need not lift the shielding of this source address immediately. Lifting the shielding is usually done manually: the manager learns of the recovery request through the user administration interface of the control end equipment and decides whether to approve it. Once the recovery request is approved, the control end equipment deletes the source address from its blacklist and no longer shields face characteristic data having this source address, so the incoming end equipment can again access the communication network. It should be pointed out that, although a user administration interface is used, its setting options may also include options stored in the control end equipment: for example, the blacklist and the content of the recovery request can be stored in the memory of the control end equipment and displayed in the user administration interface as setting options of the WiFi access point apparatus.
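The following Python sketch is an added illustration of the statistic unit 15 and disaster-recovery unit 16 behaviour described above; it is not code from the patent. The class and method names, the normalization of source addresses, and the choice to pass verification in as a callable are assumptions made for the example, and the addresses are constructed sample values.

```python
from collections import defaultdict, deque


class FailureTracker:
    """Counts verification failures per source address within a measurement
    period, shields sources that exceed the preset value, and lifts the
    shield only after a reviewed recovery request."""

    def __init__(self, preset_value=3, period_s=300.0):
        self.preset_value = preset_value      # failures tolerated per period
        self.period_s = period_s              # measurement period, e.g. five minutes
        self._failures = defaultdict(deque)   # source -> timestamps of failed checks
        self.blacklist = set()
        self.pending_recovery = set()

    @staticmethod
    def _key(source):
        # Assumption: normalize so "AA-BB-..." and "aa:bb:..." are one source address.
        return source.strip().lower().replace("-", ":")

    def submit(self, source, verify, now):
        """Handle one submission. `verify` is a zero-argument callable that
        compares the submitted features; it is never called for shielded sources.
        Returns 'shielded', 'pass' or 'fail'."""
        key = self._key(source)
        if key in self.blacklist:
            return "shielded"                 # filtered before verification or feedback
        if verify():
            return "pass"
        window = self._failures[key]
        window.append(now)
        while window and now - window[0] > self.period_s:
            window.popleft()                  # forget failures outside the period
        if len(window) > self.preset_value:   # "beyond the preset value"
            self.blacklist.add(key)
            del self._failures[key]
        return "fail"

    def request_recovery(self, source):
        """Queue a recovery request; only shielded sources can have one."""
        key = self._key(source)
        if key in self.blacklist:
            self.pending_recovery.add(key)
            return True
        return False

    def review_recovery(self, source, approve):
        """Manager decision on a queued request; shielding persists until approval."""
        key = self._key(source)
        if key not in self.pending_recovery:
            return False
        self.pending_recovery.discard(key)
        if approve:
            self.blacklist.discard(key)
        return approve


if __name__ == "__main__":
    tracker = FailureTracker(preset_value=3, period_s=300.0)
    src = "AA-BB-CC-00-00-01"                 # constructed sample address
    for i in range(5):
        print(i, tracker.submit(src, lambda: False, now=i * 10.0))
    print("recovery queued:", tracker.request_recovery(src))
    print("approved:", tracker.review_recovery(src, approve=True))
    print(tracker.submit(src, lambda: True, now=100.0))
```

Failures spaced further apart than the measurement period never accumulate, so only bursts of failed submissions from one source address lead to shielding.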
As shown in Figure 18, in another further improved embodiment, the WiFi access remote authentication device executed by the control end equipment also includes a statistic unit 15′, which counts the number of authentication failures of face characteristic data having the same source address and, once the number of failures exceeds a preset value, sends the WiFi access point apparatus notification information indicating that access requests belonging to this source address are to be shielded.
It can be seen that, as in the previous refined embodiment, the control end equipment counts the number of times the face characteristic data fail authentication; what differs is how the shielding of the incoming end equipment is then achieved. In the present embodiment, once the number of failures exceeds the preset value, the statistic unit 15′ generates a piece of notification information and sends it to the WiFi access point apparatus; its content indicates that access requests belonging to this source address are to be shielded. That is, the control end equipment uses notification information to tell the WiFi access point apparatus to shield the access requests of the specified source address. The WiFi access point apparatus can then, according to this notification information, stop responding to access requests from that source address or directly send a network frame refusing access, so that the incoming end equipment with that source address cannot access the communication network of the WiFi access point apparatus. Unlike the preceding example, the shielding of the source address is here implemented by the WiFi access point apparatus, so it takes effect faster and more directly, and the WiFi access point apparatus need not even process the face characteristic data from that source address any further.
Likewise, to complement the statistic unit 15′, a disaster-recovery unit 16′ can further be provided, which receives a recovery request belonging to the source address and, in response to a user instruction, sends the WiFi access point apparatus notification information cancelling the shielding of access requests from this source address.
The incoming end equipment may have a preset disaster tolerance means by which, when the face characteristic data it provides are shielded, it asks the shielding party to resume handling its subsequent verification requests; this is done by sending a recovery request to the communication network. The control end equipment receives this recovery request, which also contains the source address of the incoming end equipment. The request is subject to review, so the control end equipment need not lift the shielding of this source address immediately. Lifting the shielding is usually done manually: the manager learns of the recovery request through the user administration interface of the control end equipment and decides whether to approve it. Once the recovery request is approved, the control end equipment packages a piece of notification information indicating that the shielding of access requests from this source address is cancelled, and sends it to the WiFi access point apparatus. After receiving this notification information, the WiFi access point apparatus deletes the source address from the data it has recorded (which may take the form of a blacklist) and no longer shields access requests having this source address, so the incoming end equipment can again access the communication network. It should be pointed out that the setting options of the user administration interface may also include the recorded data, stored in the WiFi access point apparatus, of the source addresses to be shielded, such as the blacklist mentioned above. After the manager approves the recovery request in the user administration interface, the interface can show the list with the source address corresponding to this recovery request deleted.
The above describes in detail and fully discloses the various embodiments of the WiFi access remote authentication method implemented by the portable control end equipment of the present invention. As they show, the control end equipment can manage authentication for a WiFi communication network on the basis of face characteristic data, thereby strengthening the security of that communication network.
The WiFi access authentication device that the present invention provides for the portable incoming end equipment has various embodiments. The device includes a request unit 21, an image unit 22, a response unit 23 and an access unit 24. Building on the previous embodiments, the content of the remaining alternative embodiments is described below unit by unit. Refer to Figure 19 together with the following text:
The request unit 21 is used to initiate an access request to the WiFi access point apparatus. Its specific implementation is as follows:
The WiFi access point apparatus, acting as an AP, sets up the communication network and radiates a WiFi signal. In one embodiment, the WiFi access point apparatus periodically broadcasts its beacon frame (when the SSID is not hidden); the portable incoming end equipment of the present invention finds this beacon frame by scanning and can then initiate the access request. In another embodiment, particularly where the SSID is hidden, the incoming end equipment can send a Probe Request frame, obtain the network configuration information from the Probe Response frame fed back by the WiFi access point apparatus, and then likewise initiate the access request.
Generally, the user can start a scan for nearby WiFi communication networks through the WiFi switch option on the settings page of the incoming end equipment's operating system and obtain an SSID list, then tap the SSID of the desired communication network to access it. The incoming end equipment can also store the configuration information of communication networks the user has accessed before; in that case the user only needs to turn on the WiFi switch option, and the system automatically accesses the preferred WiFi communication network according to a default preference policy. Through such user interaction, a user instruction directing the incoming end equipment to access the communication network of the present invention is produced, and the incoming end equipment initiates the access request to this communication network in response to that user instruction.
The image unit 22 is configured to respond to the authentication execution instruction that follows this access request by starting the image acquisition unit to obtain face characteristic data.
The authentication execution instruction for the image unit 22 can be produced in a number of ways:
In one embodiment, after the access request is sent to the WiFi access point apparatus, the WiFi access point apparatus routes it to the control end equipment, either directly or after some frame format conversion (loaded into a data frame). This causes the control end equipment to feed back an authentication execution instruction, which the WiFi access point apparatus then routes to the incoming end equipment.
In another embodiment, after the access request is sent to the WiFi access point apparatus, the WiFi access point apparatus processes it directly and itself originates the authentication execution instruction fed back to the incoming end equipment.
In yet another embodiment, the authentication execution instruction can be triggered by the incoming end equipment itself, according to preset program logic, after it has sent the access request. Specifically, following the conventional protocol flow, once the connection request stage is complete and it receives, for example, a Probe Response frame (treated here as the authentication execution instruction), it triggers the subsequent steps itself, which avoids dependence on external equipment and simplifies the flow.
Whichever way the authentication execution instruction is fed back for the access request, the execution of the subsequent steps by the incoming end equipment is unaffected. There is one exception: if the source address of the incoming end equipment contained in this access request has been shielded by the WiFi access point apparatus, the incoming end equipment cannot receive the authentication execution instruction, and execution of the subsequent steps terminates.
After the incoming end equipment obtains the authentication execution instruction, the instruction triggers the start of the image acquisition unit in the incoming end equipment. As the image acquisition unit starts, a scanning interface can be activated, in which the preview image of the image acquisition unit is shown. When the user points the lens of the image acquisition unit at a face and issues a shooting instruction by any means such as voice, gesture or key press, a facial image is captured and the face characteristic data are extracted from it. Alternatively, the image acquisition unit works without a user instruction, automatically taking any frame of the preview image as the facial image and extracting face characteristic data from it. Once the face characteristic data have been obtained, the scanning interface can be closed, either under user control or automatically.
The response unit 23 is used to feed back the face characteristic data to the WiFi access point apparatus in response to the authentication execution instruction. Its specific implementation is as follows:
After the incoming end equipment has acquired the face characteristic data, it needs to submit them to the WiFi access point apparatus so that their authentication can be completed, as the response to the authentication execution instruction.
Because the incoming end equipment has not established a WiFi connection with the WiFi access point apparatus, it cannot transmit the face characteristic data in the form of data frames. Instead, the incoming end equipment uses a group of multiple multicast frames to transmit the face characteristics. Specifically, it converts the face characteristic data to binary code, loads the code in segments into an editable field of the multicast frames, specifically the address field, and then sends the multicast frames.
The equipment responsible for processing the face characteristic data, which with reference to the corresponding embodiments disclosed earlier may be the WiFi access point apparatus or the control end equipment, receives those multicast frames, extracts the binary code of the face characteristic data loaded in the editable field of each multicast frame, assembles the segments in order, and converts the result back into the face characteristic data.
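The segmentation and reassembly described in the two paragraphs above can be sketched as follows. This is an added example, not code from the patent, and the address layout is an assumption because the patent does not specify one: octet 0 is a fixed locally administered group-address marker (0x03), octets 1 and 2 carry a 16-bit segment index, octets 3 to 5 carry three payload bytes, and segment 0 carries the total payload length.

```python
PREFIX = 0x03   # assumption: locally administered + group (multicast) bits set
CHUNK = 3       # payload bytes carried per address in this assumed layout


def _address(seq, payload):
    """Build one 6-octet destination address: marker, 16-bit index, 3 payload bytes."""
    raw = bytes([PREFIX]) + seq.to_bytes(2, "big") + payload
    return ":".join(f"{b:02x}" for b in raw)


def encode_frames(data):
    """Split `data` into segments and return the destination address of each
    multicast frame. Segment 0 is a header carrying the total length."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    if len(chunks) > 0xFFFF:
        raise ValueError("payload too large for a 16-bit segment index")
    frames = [_address(0, len(data).to_bytes(3, "big"))]
    for seq, chunk in enumerate(chunks, start=1):
        frames.append(_address(seq, chunk.ljust(CHUNK, b"\x00")))  # pad last segment
    return frames


def decode_frames(addresses):
    """Reassemble the payload from observed destination addresses.
    Tolerates reordering, duplicates and unrelated traffic; raises ValueError
    when a segment is missing or two copies of a segment disagree."""
    segments = {}
    for addr in addresses:
        raw = bytes.fromhex(addr.replace(":", ""))
        if len(raw) != 6 or raw[0] != PREFIX:
            continue                           # not part of this transfer
        seq = int.from_bytes(raw[1:3], "big")
        payload = raw[3:]
        if segments.setdefault(seq, payload) != payload:
            raise ValueError(f"conflicting copies of segment {seq}")
    if 0 not in segments:
        raise ValueError("header segment missing")
    total = int.from_bytes(segments[0], "big")
    needed = -(-total // CHUNK)                # ceiling division
    missing = [s for s in range(1, needed + 1) if s not in segments]
    if missing:
        raise ValueError(f"missing segments: {missing}")
    body = b"".join(segments[s] for s in range(1, needed + 1))
    return body[:total]                        # strip padding using the header length


if __name__ == "__main__":
    features = bytes(range(10))                # constructed stand-in for feature data
    sent = encode_frames(features)
    print(sent)
    print(decode_frames(reversed(sent)) == features)
```

Nothing in this encoding hides or authenticates the payload: address fields are readable by any receiver in range, which is why the page goes on to encrypt the data before encoding it.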
To strengthen data security during transmission, after the face characteristic data are obtained they can be encrypted according to an agreement with the equipment responsible for processing them, and the encrypted face characteristic data are then encoded into the multicast frames. Correspondingly, the equipment responsible for processing must decrypt them.
In one of the foregoing embodiments, the equipment responsible for processing the face characteristic data is the WiFi access point apparatus: it parses what it receives to obtain the face characteristic data, re-encodes them into a data frame and transfers it to the control end equipment, which then extracts the face characteristic data from the data frame. In another of the foregoing embodiments, the control end equipment directly obtains the multicast frames routed through the WiFi access point apparatus and parses them to obtain the face characteristic data.
The control end equipment then authenticates the face characteristic data it has received. In some of the embodiments disclosed above, if the blacklist of the control end equipment contains the source address of the incoming end equipment (this source address can be supplied together with the face characteristic data for identification), the control end equipment may not respond to the face characteristic data at all, or may respond but ultimately cause the face characteristic data to be refused authentication. If the control end equipment does not find in its blacklist the source address of the incoming end equipment that provided the face characteristic data, it authenticates the data by the normal procedure. According to the different embodiments above, the control end equipment compares the face characteristic data of the incoming end equipment with the pre-stored characteristic data in the feature database of the local machine or of a cloud server. When pre-stored characteristic data consistent with the face characteristic data are found in the feature database, authentication is deemed successful; otherwise it is deemed failed. The authentication result information is generated accordingly and sent to the WiFi access point apparatus. Consistency between face characteristic data and pre-stored characteristic data, as used here, should not be limited to complete identity of data representation or data content; for example, the two can be deemed consistent when their degree of similarity reaches a preset degree or lies within a permitted range.
In a further refined embodiment, the WiFi access point apparatus can cache or store the pre-stored characteristic data of the feature database that correspond to the source address, or even cache or store the whole feature database. In this case, when the face characteristic data of the incoming end equipment arrive at the WiFi access point apparatus, the WiFi access point apparatus can first compare them against its cached feature database to determine whether authentication succeeds, and generate the authentication result information itself from the result, so that authenticating the face characteristic data does not necessarily depend on the participation of the control end equipment. When the WiFi access point apparatus handles the pre-stored characteristic data or the whole feature database as a cache, it is advisable to set a validity period for them, to keep the data up to date. The control end equipment can, of course, control remote updating of the pre-stored characteristic data or whole feature database cached or stored in the WiFi access point apparatus.
The access unit 24 is configured to access the communication network set up by the WiFi access point apparatus after the face characteristic data pass authentication. Its specific implementation is as follows:
Whether the control end equipment sends the authentication result information characterizing success or failure to the WiFi access point apparatus, or the WiFi access point apparatus generates that information itself, the WiFi access point apparatus makes the final response to the access request of the incoming end equipment according to the authentication result. Specifically, the WiFi access point apparatus can respond in any one or more of the following ways according to the authentication result information, so as to give the final response to the access request:
Mode one: in accordance with the IEEE 802.11 protocol, and depending on whether the authentication result information characterizes success or failure, the WiFi access point apparatus feeds back to the incoming end equipment a frame indicating that it is allowed or prevented from accessing the communication network, usually a kind of management frame, which completes the authentication phase. After the incoming end equipment receives this management frame, it can check from the frame's content whether authentication passed, and accordingly establish or terminate the connection with the communication network of the WiFi access point apparatus. When authentication passes, it starts the association phase and accesses the communication network set up by the WiFi access point apparatus.
Mode two: depending on whether the authentication result information characterizes success or failure, when it characterizes success the WiFi access point apparatus allows the association request of the incoming end equipment so that it accesses the communication network, and the incoming end equipment joins the network successfully. When it characterizes failure, the WiFi access point apparatus does not respond to the association request of the incoming end equipment, which causes the incoming end equipment to treat the request as timed out and hence as a failed authentication.
Mode three: the WiFi access point apparatus sends the authentication result information to the incoming end equipment as the response and itself operates according to the IEEE 802.11 protocol. After the incoming end equipment receives and parses this authentication result information, if it characterizes success, the incoming end equipment initiates an association request according to the protocol to confirm its access to the communication network; if it characterizes failure, the incoming end equipment can accordingly carry out follow-up operations such as requesting again.
Of course, taken broadly, the management frame described in mode one can itself be regarded as the authentication result information. Those skilled in the art can flexibly use the above modes to establish the connection or issue a warning at the incoming end equipment after the face characteristic data have been authenticated. In a generally applicable embodiment, when the incoming end equipment confirms that authentication has failed, it can display alert information in the user interface to notify the user to take further action, improving human-computer interaction. When the incoming end equipment confirms that authentication has succeeded, the connection is confirmed as a trusted channel. Once the trusted channel is established, the incoming end equipment can, under an agreement arranged with the WiFi access point apparatus, store connection information for subsequently logging in to the communication network without authentication, so that it can use this connection information to access the communication network conveniently without going through any authentication procedure.
Referring to Figure 20, in a further enhanced embodiment of the present invention, the WiFi access authentication device applicable to the portable incoming end equipment also includes a recovery unit 25, which counts the number of times the communication network was not successfully accessed after the access request was initiated. When this number reaches a predetermined value, it determines that the machine is in a state in which its access requests are shielded and, in response to a user instruction, initiates a recovery request to restore permission for its access requests. Its specific implementation is as follows:
Provided that the control end equipment or WiFi access point apparatus described above supports the disaster tolerance means, the incoming end equipment can count its connection failures so that, when its access has been shielded by the control end equipment or the WiFi access point apparatus, it can restore by technical means the possibility of accessing the communication network.
As noted earlier, a failed authentication causes the incoming end equipment to fail to establish a connection with the communication network set up by the WiFi access point apparatus, and it would be unreasonable for equipment to be permanently shielded because the face characteristic data it provided failed authentication several times. To balance benefit and risk reasonably, the incoming end equipment counts the number of times it has failed to access the communication network and is given a preset value for that count. Once the count exceeds this preset value, it can determine that the machine is in a state in which its access requests are shielded, and it therefore enables a control component in the user interface. This control component can be a virtual key, through which the communication network is asked to resume responding to the equipment's access requests. As an equivalent means, a validity period can also be set, so that the control component is enabled only once the time elapsed since counting began reaches that period.
The user can then issue the user instruction by triggering the control component, and in response the incoming end equipment sends the communication network a recovery request to restore permission for its own access requests. Depending on whether the shielding mechanism is implemented by the control end equipment or by the WiFi access point apparatus, the recovery request arrives at the control end equipment or at the WiFi access point apparatus. The equipment that receives the recovery request can notify the administrator to respond, and once the administrator approves the request, subsequent access requests from the incoming end equipment are processed normally by the communication network.
The various embodiments of the WiFi access authentication method implemented by the portable incoming end equipment of the present invention have now been disclosed fully and in detail. It can be seen from them that the incoming end equipment can, as required by the communication network it accesses, collect face characteristic data locally and provide the data to the communication network for authentication, thereby helping to strengthen the security of the communication network.
The WiFi access authentication control device of the present invention, applicable to the WiFi access point apparatus, has various embodiments. The device includes a receiving unit 31, a response unit 32, a routing unit 33 and an execution unit 34. Building on the previous embodiments, the content of each unit and of its alternative embodiments is described below. Refer to Figure 21 together with the following text:
The WiFi access point apparatus is also commonly called a WiFi router. A traditional WiFi router has a WiFi chip module and implements the corresponding management functions through its low-level driver; these management functions are generally developed on the basis of the IEEE 802.11 protocol. In at least some embodiments of the present invention, the functions of the low-level driver of the WiFi chip module need to be enriched, on the basis of the IEEE 802.11 protocol, according to the functions the corresponding embodiment has to realize, so that the driver helps to realize those functions. These functions are embodied in the descriptions of the different units in the multiple alternative embodiments of the WiFi access authentication control device.
The receiving unit 31 is used for receiving the access request of the incoming end equipment. As before, the access request is an early-stage request that the incoming end equipment initiates after detecting the service set identifier (SSID) of the present invention. Depending on how the roles are distributed between the control end equipment and the WiFi access point apparatus, as disclosed earlier, receiving the access request takes different forms in different embodiments.
In an embodiment in which the WiFi access point apparatus manages access requests in the traditional way, the WiFi access point apparatus responds to the access request itself after receiving it, so the request is not routed or converted for output and, in particular, need not be sent to the control end equipment. Conversely, in another improved embodiment, after receiving the request the WiFi access point apparatus can forward it to the control end equipment in a form of its own, such as a data frame or a management frame, and the control end equipment is responsible for responding; the access request can also be routed directly to the control end equipment for response. In short, the access request should reach the equipment that responds to it directly.
In an embodiment in which the WiFi access point apparatus can shield access requests, after the WiFi access point apparatus receives the access request it extracts from the request the source address of the incoming end equipment that initiated it and queries its blacklist. When the source address is confirmed to be in the blacklist, the apparatus stops responding to the access request, or responds directly with a management frame indicating that access is refused, thereby strengthening the security management of the communication network. If the source address does not appear in the blacklist, processing continues in the other units according to the normal flow.
The response unit 32 is used for responding to the access request by feeding back an authentication execution instruction. It is implemented as follows:
As can be understood from the earlier embodiments concerning the control end equipment, the authentication execution instruction can either originate from the control end equipment and be routed through the WiFi access point apparatus, or originate from the WiFi access point apparatus itself. Feeding back the authentication execution instruction, as referred to here, can therefore mean either routing an instruction originated by the control end equipment to the incoming end equipment, or sending an instruction originated by the WiFi access point apparatus to the incoming end equipment. In line with the embodiments disclosed earlier, after the access request has been initiated and the connection request stage of the IEEE 802.11 protocol has been completed, an authentication request is initiated in the authentication stage, and the management frame carrying the authentication response produced in reply to that request can also be regarded as a kind of authentication execution instruction. Which approach is used depends on how the management roles are distributed between the control end equipment and the WiFi access point apparatus.
It follows that once the WiFi access point apparatus has shielded an access request according to the blacklist, it no longer responds to that access request by feeding back the authentication execution instruction.
The routing unit 33 is used for receiving the face characteristic data fed back in response to the authentication execution instruction and requesting the control end equipment to authenticate them. Its embodiments cover the following variations:
As disclosed earlier, the portable incoming end equipment collects face characteristic data in response to the authentication execution instruction sent by the WiFi access point apparatus and feeds the data back to the communication network, where they are either received directly by the control end equipment or, as in the present embodiment, arrive first at the WiFi access point apparatus.
In one embodiment disclosed earlier, the WiFi access point apparatus can itself authenticate the received face characteristic data. The WiFi access point apparatus stores or caches the feature database needed for authentication, or one or more pre-stored characteristics data from it, and matches the received face characteristic data against the pre-stored characteristics data (in the feature database). When consistent face characteristic data are matched, authentication is regarded as successful; otherwise it is regarded as failed. The subsequent handling in this embodiment has been disclosed in full in the corresponding method of the incoming end equipment; the description below is based mainly on the latter embodiment.
In another embodiment, the WiFi access point apparatus is not responsible for authenticating the received face characteristic data. Instead, it routes the face characteristic data to the control end equipment, or encapsulates them itself into data frames and sends these to the control end equipment, requesting the control end equipment to authenticate them. The control end equipment compares the face characteristic data with the pre-stored characteristics data in its local feature database or in the feature database of a cloud server, confirms whether the two are consistent, and feeds the authentication result information back to the WiFi access point apparatus. The WiFi access point apparatus determines from the content of the authentication result information whether authentication succeeded or failed.
Of course, while being transmitted between devices the face characteristic data can be in plaintext or encrypted, and the encryption method can be set flexibly. The devices only need to agree in advance on how this information is transmitted so that they match each other in operation.
It should be pointed out that, because the incoming end equipment has not established a WiFi connection with the WiFi access point apparatus, it cannot transmit the face characteristic data in the form of data frames. The incoming end equipment therefore uses a group of multiple multicast frames to transmit the face characteristic data. Specifically, the incoming end equipment converts the face characteristic data into binary code, loads it in segments into the editable field of multiple multicast frames, that is, their address field, and then sends the multicast frames. In the present embodiment, the WiFi access point apparatus is responsible for receiving the multicast frames, extracting the binary code of the face characteristic data from the editable field of each multicast frame, assembling the segments in segment order and converting the result back into face characteristic data.
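The segmentation and reassembly described above, as an added example that is not code from the patent. The frame layout (IPv4 multicast prefix `01:00:5e`, a 7-bit sequence number, two data bytes per address, sequence 0 carrying the length) and the names `encode`, `decode` and `SAMPLE_FEATURES` are assumptions made for illustration; the patent does not specify a layout.

```python
# Added example (not from the patent): carrying a short byte string in the
# destination-address field of multicast frames and reassembling it.
# Assumed layout of each address: 01:00:5e | seq (0..127) | two data bytes
#   seq 0     -> payload length as a 16-bit big-endian integer
#   seq 1..n  -> payload bytes in order, the last chunk zero-padded

PREFIX = bytes([0x01, 0x00, 0x5E])  # IPv4 multicast MAC prefix
MAX_SEQ = 0x7F                      # top bit of the 4th octet must stay 0
CHUNK = 2                           # payload bytes carried per frame

# Constructed sample: nine quantized feature bytes (odd length, to show padding).
SAMPLE_FEATURES = bytes([12, 200, 33, 45, 7, 91, 150, 18, 64])


def encode(payload: bytes) -> list:
    """Sender side: split the payload into multicast destination addresses."""
    n_frames = -(-len(payload) // CHUNK)  # ceiling division
    if n_frames > MAX_SEQ:
        raise ValueError("payload too large for 7-bit sequence numbers")
    padded = payload.ljust(n_frames * CHUNK, b"\x00")
    frames = [PREFIX + bytes([0]) + len(payload).to_bytes(2, "big")]
    for seq in range(1, n_frames + 1):
        frames.append(PREFIX + bytes([seq]) + padded[(seq - 1) * CHUNK:seq * CHUNK])
    return [":".join(f"{b:02x}" for b in frame) for frame in frames]


def parse_address(addr: str):
    """Return (seq, data) for an address in the assumed layout, else None."""
    try:
        raw = bytes.fromhex(addr.replace(":", ""))
    except ValueError:
        return None
    if len(raw) != 6 or raw[:3] != PREFIX or raw[3] > MAX_SEQ:
        return None
    return raw[3], raw[4:]


def decode(addresses: list) -> bytes:
    """Receiver side: tolerate reordering, duplicates and unrelated traffic."""
    segments = {}
    for addr in addresses:
        parsed = parse_address(addr)
        if parsed is None:
            continue  # not part of this transfer
        seq, data = parsed
        if segments.setdefault(seq, data) != data:
            raise ValueError(f"conflicting copies of segment {seq}")
    if 0 not in segments:
        raise ValueError("length segment missing")
    length = int.from_bytes(segments[0], "big")
    n_frames = -(-length // CHUNK)
    missing = [s for s in range(1, n_frames + 1) if s not in segments]
    if missing:
        raise ValueError(f"missing segments: {missing}")
    return b"".join(segments[s] for s in range(1, n_frames + 1))[:length]


if __name__ == "__main__":
    sent = encode(SAMPLE_FEATURES)
    print(sent)
    print(decode(list(reversed(sent))) == SAMPLE_FEATURES)
```

Address fields are sent in the clear, so if the data are to be encrypted as the text allows, the payload has to be encrypted before it is passed to `encode`.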
The control end equipment then authenticates the face characteristic data it receives. In some of the embodiments disclosed earlier, if the blacklist of the control end equipment contains the source address of the incoming end equipment (the source address can be provided together with the face characteristic data for identification), the control end equipment may not respond to the face characteristic data at all, or may respond but ultimately report that the face characteristic data were refused authentication. If the control end equipment does not find in its blacklist the source address of the incoming end equipment that provided the face characteristic data, it authenticates the data by the normal process. According to the different embodiments described earlier, the control end equipment compares the face characteristic data of the incoming end equipment with the pre-stored characteristics data in the feature database held locally or on a cloud server. When it finds pre-stored characteristics data in the feature database that are consistent with the face characteristic data, authentication is regarded as successful; otherwise it is regarded as failed. The corresponding authentication result information is generated and sent to the WiFi access point apparatus. It should be emphasized that consistency between face characteristic data and pre-stored characteristics data, as referred to here, is not limited to the two being completely identical in data representation or content; for example, the two can be regarded as consistent when their degree of approximation reaches a preset level or lies within a permitted range.
The execution unit 34 is used for allowing or preventing the incoming end equipment from accessing the preset communication network according to the authentication result information, fed back by the control end equipment, that indicates authentication success or failure. Its specific implementations are as follows:
As mentioned earlier, in a typical embodiment the authentication result information comes from the control end equipment. After the WiFi access point apparatus receives the authentication result information fed back by the control end equipment, it parses the information to determine the specific content it represents, which is usually one of two things: authentication success or authentication failure.
In another embodiment of the present invention, the WiFi access point apparatus can match the face characteristic data to be verified against the feature database (or specific pre-stored characteristics data from it) that it caches or stores and that is updated under the control of the control end equipment, and process the matching result into the authentication result information. In this way the WiFi access point apparatus generates the authentication result information itself.
The embodiments disclosed here are evidently closer to the traditional implementation of the IEEE 802.11 protocol. Following the connection establishment process specified by the protocol, the incoming end equipment submits the face characteristic data for authentication in the authentication stage. After the control end equipment or the WiFi access point apparatus has determined that authentication succeeded or failed, the WiFi access point apparatus feeds back an authentication response frame according to the authentication result information generated by the authentication, specifically a management frame indicating authentication success or a management frame indicating authentication failure. From the viewpoint of the incoming end equipment, receiving this authentication response frame can also be regarded broadly as receiving authentication result information.
Of course, a more far-reaching improvement is also possible. Specifically, the WiFi access point apparatus can leave the authentication result information of the control end equipment unprocessed and route it directly to the incoming end equipment. Alternatively, even if the WiFi access point apparatus authenticates the face characteristic data itself, it can generate authentication result information that differs from the IEEE 802.11 protocol specification. In such embodiments, the form and content of the authentication result information can both differ from the IEEE 802.11 protocol, as long as the incoming end equipment and the WiFi access point apparatus agree on them in advance.
In any case, although it is not strictly necessary, the WiFi access point apparatus can originate or forward authentication result information to the incoming end equipment, and the incoming end equipment can parse this information and decide its own subsequent connection process accordingly.
As a basic function, however, the WiFi access point apparatus can parse the authentication result information from its own viewpoint. After parsing it, the WiFi access point apparatus responds, according to the content it represents (authentication success or failure), to the association request with which the incoming end equipment subsequently seeks to complete the connection, and determines whether to allow a WiFi trusted channel to be established with the incoming end equipment. Combining the various situations disclosed above, the WiFi access point apparatus can control the outcome of the incoming end equipment's access request according to the authentication result information, as follows:
When the authentication result information indicates authentication success, the WiFi access point apparatus sends the incoming end equipment a management frame indicating authentication success, allowing the incoming end equipment to access the established communication network. In accordance with the IEEE 802.11 protocol, it responds normally to the association request that the incoming end equipment initiates on its own after receiving that management frame, and to subsequent communication: in response to the association request it feeds back a management frame indicating successful association to the incoming end equipment as confirmation, thereby establishing the WiFi connection between the incoming end equipment and the WiFi access point apparatus.
When the authentication result information indicates authentication failure, the WiFi access point apparatus sends the incoming end equipment a management frame indicating authentication failure, preventing the incoming end equipment from accessing the established communication network. In accordance with the IEEE 802.11 protocol, if the incoming end equipment initiates an association request on its own after receiving the management frame indicating authentication failure, the WiFi access point apparatus either does not respond or responds to the association request by feeding back a management frame indicating association failure to the incoming end equipment as a warning.
Of course, according to some of the embodiments disclosed earlier, once the incoming end equipment has received the authentication result information it knows whether the face characteristic data it provided were authenticated successfully or not, so it can decide for itself, according to the authentication result information, whether to continue the subsequent connection process specified by the IEEE 802.11 protocol. When the authentication result information indicates authentication success (for example, the management frame indicating authentication success), it can initiate an association request and, after receiving the association success response frame fed back by the WiFi access point apparatus, complete its access to the communication network. When the authentication result information indicates authentication failure (for example, the management frame indicating authentication failure), it can terminate the subsequent connection process and, if necessary, display a warning message through the user interface.
It will be appreciated that, according to the embodiments above, the authentication result information received by the incoming end equipment can, from its viewpoint, be either information in a communication format with pre-agreed custom content, originated or routed by the WiFi access point apparatus, or a management frame indicating authentication success or failure that the WiFi access point apparatus sends in accordance with the IEEE 802.11 protocol based on the content of the authentication result information it received.
For ease of management and operation, after the incoming end equipment has successfully accessed the communication network of the WiFi access point apparatus, the WiFi access point apparatus can save the information of the incoming end equipment locally and treat the connection as a trusted channel. When the incoming end equipment accesses the network again later, the authentication stage can be skipped on the basis of this trust relationship, which simplifies subsequent access.
Refer to Figure 22. In a further specific embodiment, the WiFi access authentication control device executed by the WiFi access point apparatus of the present invention also includes a connection unit 30 that operates beforehand and is configured to establish in advance, based on a WiFi connection, a trusted channel between the machine and the control end equipment. For its specific implementation, refer to the relevant description above.
Refer to Figure 23. In a more complete embodiment, the WiFi access authentication control device executed by the WiFi access point apparatus of the present invention also includes an accessed unit 35, configured to feed back and/or modify the configuration parameters of the machine's communication network in response to a read instruction and/or configuration instruction from the control end equipment. Its specific implementation, which can be combined with the earlier embodiments of the control end equipment, is as follows:
As described earlier, the control end equipment can read the configuration parameters of the communication network from the WiFi access point apparatus and display a user management interface for them, in which the relevant setting options are presented for the user to modify. When the user submits a modification, it is submitted to the WiFi access point apparatus, which modifies the parameters and thereby changes the configuration of at least some of the parameters of the communication network.
Correspondingly, on the WiFi access point apparatus side, the apparatus can receive the read instruction from the control end equipment, call the configuration file relating to the communication network and feed back to the control end equipment the configuration parameters of the communication network contained in that file. Likewise, the WiFi access point apparatus can receive the configuration instruction that the control end equipment forms by encapsulating the configuration parameters after the user has modified them (they correspond to the setting options in the user interface), read the modified configuration parameters and their data from the configuration instruction, modify the data of the relevant configuration parameters accordingly and make them take effect. It thus works together with the control end equipment to give the user a better remote maintenance experience.
As mentioned earlier, to improve security the present invention can add control functions at the WiFi access point apparatus. For this, refer to the various improvements disclosed below:
In an embodiment adapted to the control implemented at the control end equipment, as shown in Figure 24, the WiFi access authentication control device executed by the WiFi access point apparatus also includes a limiting unit 36. It is used for receiving from the control end equipment a notification indicating that access requests belonging to a specified source address are to be shielded, and for ceasing to respond to access requests from the incoming end equipment with the source address specified in the notification (for example, by not feeding back a Probe Response frame), or feeding back to it a management frame indicating that connection is not possible. The incoming end equipment is thus treated as unable to connect to the communication network.
In a further improvement, after receiving this notification the apparatus adds the source address to the blacklist it holds. The WiFi access point apparatus can then match the source address in each access request it receives from an access terminal against the records in the blacklist to see whether the source address is present. If it is, the access request is shielded directly; if not, the request is processed by the normal rules.
To improve the management functions of the WiFi access point apparatus, in a further enhanced embodiment (see Figure 25), on the basis of the previous embodiment, the WiFi access authentication control device of the present invention also includes a ban-lifting unit 37. It is used for receiving a notification from the control end equipment that cancels the shielding of access requests from the source address, and for resuming responses to access requests from the incoming end equipment corresponding to that source address. With reference to the previous embodiment, this can be implemented by extracting from the notification the source address whose shielding is to be cancelled and deleting it from the blacklist.
In a further extended embodiment, suited to the user interface management function implemented by the control end (see Figure 26), the WiFi access authentication control device executed by the WiFi access point apparatus also includes a ban-lifting unit 37', used for receiving the recovery request of the incoming end equipment and routing it to the control end equipment to ask the control end equipment to cancel the shielding of the face characteristic data of this incoming end equipment. This unit corresponds to the embodiment, described earlier, in which the control end equipment shields face characteristic data. After the control end equipment has shielded the face characteristic data, the incoming end equipment is allowed to initiate the recovery request, which is sent over the communication network and routed by the WiFi access point apparatus to the control end equipment. After receiving this notification, the control end equipment can alert the user in the user interface. Following the alert, the user enters a dedicated page of the user management interface and reviews whether to allow the recovery request. If the user allows it, the control end equipment cancels the shielding of the face characteristic data of the incoming end equipment, that is, it reopens the authentication function for the incoming end equipment. This provides an effective technical disaster-recovery means after the incoming end equipment has been shielded by the control end equipment.
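The blacklist check, the approximate feature matching and the ban lifting described in the preceding paragraphs can be combined on the access point side as in the following added example, which is not code from the patent. Cosine similarity as the "degree of approximation", the threshold of 0.95, shielding after three consecutive failures, and all class, method and sample names are assumptions made for illustration.

```python
# Added example (not from the patent): access-point-side handling of one source
# address through blacklist check, threshold matching and ban lifting.
import math
from dataclasses import dataclass, field

AUTH_SUCCESS, AUTH_FAILURE, IGNORED = "auth-success", "auth-failure", "ignored"

# Constructed sample data.
ENROLLED = {"owner": [0.12, 0.80, 0.33, 0.45]}   # pre-stored characteristics data
GENUINE = [0.11, 0.82, 0.31, 0.46]               # close to the enrolled vector
STRANGER = [0.90, 0.05, 0.10, 0.02]              # far from every enrolled vector
MAC = "02:00:00:00:00:01"                        # locally administered address


def similarity(a, b):
    """Cosine similarity, an assumed stand-in for the 'degree of approximation'."""
    if len(a) != len(b) or not a:
        return 0.0
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


@dataclass
class AccessPointGate:
    feature_db: dict                 # label -> pre-stored feature vector
    threshold: float = 0.95          # assumed preset degree of approximation
    shield_after: int = 3            # assumed stand-in for the control end's decision
    blacklist: set = field(default_factory=set)
    failures: dict = field(default_factory=dict)

    @staticmethod
    def norm(src):
        return src.strip().lower()   # compare source addresses case-insensitively

    def on_access_request(self, src):
        """True means an authentication execution instruction is fed back."""
        return self.norm(src) not in self.blacklist

    def on_face_features(self, src, features):
        src = self.norm(src)
        if src in self.blacklist:
            return IGNORED           # shielded: the data are not authenticated
        best = max((similarity(features, ref) for ref in self.feature_db.values()),
                   default=0.0)
        if best >= self.threshold:
            self.failures.pop(src, None)
            return AUTH_SUCCESS
        self.failures[src] = self.failures.get(src, 0) + 1
        if self.failures[src] >= self.shield_after:
            self.on_shield_notice(src)
        return AUTH_FAILURE

    def on_shield_notice(self, src):
        """Notification to shield a source address (limiting unit)."""
        self.blacklist.add(self.norm(src))

    def on_unshield_notice(self, src):
        """Notification cancelling the shielding (ban-lifting unit)."""
        self.blacklist.discard(self.norm(src))
        self.failures.pop(self.norm(src), None)


def run_demo():
    gate = AccessPointGate(feature_db=ENROLLED)
    outcomes = [gate.on_face_features(MAC, STRANGER) for _ in range(3)]
    outcomes.append(gate.on_face_features(MAC, GENUINE))   # shielded by now
    gate.on_unshield_notice(MAC)                            # administrator approves
    outcomes.append(gate.on_face_features(MAC, GENUINE))
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```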
The various embodiments of the WiFi access authentication control method implemented by the portable WiFi access point apparatus of the present invention have now been disclosed fully and in detail. It can be seen from them that the WiFi access point apparatus can work together with the control end equipment and the incoming end equipment to improve the authentication function of the communication network it opens up, raising both its security and its ease of management.
The embodiment of the present invention also provides a portable control end equipment and a portable incoming end equipment, which can be regarded as the same class of mobile terminal and are allowed to have the structure described below. As shown in Figure 27, for ease of explanation only the parts relevant to the embodiment of the present invention are shown; for specific technical details not disclosed, refer to the method part of the embodiments of the present invention. The terminal can be any terminal device, including a mobile phone, tablet computer, PDA (Personal Digital Assistant), POS (Point of Sales) terminal or vehicle-mounted computer. Taking a mobile phone as the example:
Figure 27 is a block diagram of part of the structure of a mobile phone related to the terminal provided by the embodiment of the present invention. Referring to Figure 27, the mobile phone includes components such as a radio frequency (RF) circuit 1510, memory 1520, input unit 1530, display unit 1540, sensor 1550, audio circuit 1560, wireless fidelity (WiFi) module 1570 (that is, the WiFi chip module), processor 1580 and power supply 1590. Those skilled in the art will understand that the handset structure shown in Figure 27 does not limit the mobile phone, which can include more or fewer components than illustrated, combine some components, or arrange the components differently.
Each component of the mobile phone is described in detail below with reference to Figure 27:
The RF circuit 1510 can be used for receiving and sending signals while information is sent and received or during a call. In particular, it receives downlink information from the base station and passes it to the processor 1580 for processing, and it sends uplink data to the base station. Generally, the RF circuit 1510 includes but is not limited to an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA) and a duplexer. The RF circuit 1510 can also communicate with networks and other devices by wireless communication. This wireless communication can use any communication standard or protocol, including but not limited to Global System of Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail and Short Messaging Service (SMS).
The memory 1520 can be used for storing software programs and modules. The processor 1580 runs the software programs and modules stored in the memory 1520 to execute the various functional applications and data processing of the mobile phone. The memory 1520 can mainly include a program storage area and a data storage area: the program storage area can store the operating system and the application programs required by at least one function (such as a sound playback function or an image playback function), and the data storage area can store data created through use of the mobile phone (such as audio data or a phone book). In addition, the memory 1520 can include high-speed random access memory and can also include non-volatile memory, for example at least one magnetic disk storage device, a flash memory device or another volatile solid-state memory device.
The input unit 1530 can be used for receiving input numeric or character information and for producing key signal input related to the user settings and function control of the mobile phone. Specifically, the input unit 1530 can include a touch panel 1531 and other input devices 1532. The touch panel 1531, also called a touch screen, can collect the user's touch operations on or near it (such as operations performed on or near the touch panel 1531 with a finger, stylus or any other suitable object or accessory) and drive the corresponding connected device according to a preset program. Optionally, the touch panel 1531 can include two parts, a touch detection device and a touch controller. The touch detection device detects the position of the user's touch and the signal produced by the touch operation, and passes the signal to the touch controller. The touch controller receives the touch information from the touch detection device, converts it into contact coordinates and sends them to the processor 1580; it can also receive and execute commands sent by the processor 1580. The touch panel 1531 can be implemented in several types, such as resistive, capacitive, infrared and surface acoustic wave. Besides the touch panel 1531, the input unit 1530 can include other input devices 1532, which can include but are not limited to one or more of a physical keyboard, function keys (such as volume control keys or a switch key), a trackball, a mouse and a joystick.
The display unit 1540 can be used for displaying information input by the user, information provided to the user and the various menus of the mobile phone. The display unit 1540 can include a display panel 1541, which can optionally be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED) display or the like. Further, the touch panel 1531 can cover the display panel 1541. When the touch panel 1531 detects a touch operation on or near it, it passes the operation to the processor 1580 to determine the type of touch event, and the processor 1580 then provides the corresponding visual output on the display panel 1541 according to that type. Although in Figure 27 the touch panel 1531 and the display panel 1541 are two independent components that implement the input and output functions of the mobile phone, in some embodiments the touch panel 1531 and the display panel 1541 can be integrated to implement those input and output functions.
Mobile phone may also include at least one sensor 1550, such as optical sensor, motion sensor and other sensors. Specifically, optical sensor can include ambient light sensor and proximity transducer, and wherein, ambient light sensor can be according to ambient light Light and shade regulate the brightness of display floater 1541, proximity transducer can cut out display floater when mobile phone moves in one's ear 1541 and/or backlight.As the one of motion sensor, accelerometer sensor can detect (generally three axles) in all directions and add The size of speed, can detect that size and the direction of gravity time static, can be used for identifying application (the such as horizontal/vertical screen of mobile phone attitude Switching, dependent game, magnetometer pose calibrating), Vibration identification correlation function (such as pedometer, percussion) etc.;As for mobile phone also Other sensors such as configurable gyroscope, barometer, drimeter, thermometer, infrared ray sensor, do not repeat them here.
Voicefrequency circuit 1560, speaker 1561, microphone 1562 can provide the audio interface between user and mobile phone.Audio frequency The signal of telecommunication after the voice data conversion that circuit 1560 can will receive, is transferred to speaker 1561, speaker 1561 changes Export for acoustical signal;On the other hand, the acoustical signal of collection is converted to the signal of telecommunication by microphone 1562, by voicefrequency circuit 1560 Voice data is converted to after reception, then after voice data output processor 1580 is processed, through RF circuit 1510 to be sent to ratio Such as another mobile phone, or voice data is exported to memorizer 1520 to process further.
WiFi belongs to short range wireless transmission technology, and mobile phone can help user's transceiver electronics postal by WiFi module 1570 Part, browsing webpage and access streaming video etc., it has provided the user wireless broadband internet and has accessed.Although Figure 27 shows WiFi module 1570, but it is understood that, it is also not belonging to must be configured into of mobile phone, can not change as required completely Omit in the scope of the essence becoming invention.
Processor 1580 is the control centre of mobile phone, utilizes various interface and the various piece of the whole mobile phone of connection, It is stored in the software program in memorizer 1520 and/or module by running or performing, and calls and be stored in memorizer 1520 Interior data, perform the various functions of mobile phone and process data, thus mobile phone is carried out integral monitoring.Optionally, processor 1580 can include one or more processing unit;Preferably, processor 1580 can integrated application processor and modulation /demodulation process Device, wherein, application processor mainly processes operating system, user interface and application program etc., and modem processor is mainly located Reason radio communication.It is understood that above-mentioned modem processor can not also be integrated in processor 1580.
Mobile phone also includes the power supply 1590 (such as battery) powered to all parts, it is preferred that power supply can pass through power supply Management system is logically contiguous with processor 1580, thus realizes management charging, electric discharge and power consumption pipe by power-supply management system The functions such as reason.
Although not shown, mobile phone can also include photographic head, bluetooth module etc., does not repeats them here.
Corresponding to the portable control end equipment, in embodiments of the present invention the processor 1580 included in this terminal also has the functions implemented by the various embodiments of the WiFi access remote authentication method and device described above.
Corresponding to the portable access end equipment, in embodiments of the present invention the processor 1580 included in this terminal also has the functions implemented by the various embodiments of the WiFi access authentication method and device described above.
Likewise, an embodiment of the present invention also provides a WiFi access point device. Like the portable control end equipment and the portable access end equipment, it may include the necessary components such as the WiFi module 1570, the memory 1520, and the processor 1580. It runs an application program: the processor loads the application program into memory and runs it, so that the processor 1580 exhibits the functions implemented by the various embodiments of the WiFi access authentication control method and device described above.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices, and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other ways. For example, the device embodiments described above are only illustrative. The division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices, or units, and may be electrical, mechanical, or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments can be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, and the storage medium may include read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or the like.
Those of ordinary skill in the art will appreciate that all or part of the steps for implementing the methods of the above embodiments can be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, and the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like.
The series of solutions provided by the present invention has been described in detail above. For those of ordinary skill in the art, there will be changes according to the idea of the embodiments of the present invention. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (10)

1. A WiFi access remote authentication method, characterized in that it comprises the following steps:
obtaining, from a multicast frame transmitted over the communication network established by a WiFi access point device, the face feature data to be verified for accessing that communication network, the data being provided for the authentication phase of the WiFi protocol connection establishment process;
verifying the face feature data to obtain authentication result information indicating whether the verification succeeded or failed;
feeding the authentication result information back to the WiFi access point device using a frame.
2. The method according to claim 1, characterized in that, in the step of verifying the face feature data, the acquired face feature data is compared with a feature database to determine whether it is consistent with the pre-stored feature data in the feature database, and the verification result is accordingly determined to be success or failure.
3. The method according to claim 2, characterized in that the method further comprises the following step:
in response to a user acquisition instruction, displaying an image acquisition interface for collecting the user's face feature data as the pre-stored feature data.
4. The method according to claim 3, characterized in that, in the step of displaying the image acquisition interface in response to the user acquisition instruction, a face image of the user is obtained through the image acquisition interface, and the face feature data is extracted from the face image.
5. A WiFi access remote authentication device, characterized in that it comprises:
an acquiring unit, configured to obtain, from a multicast frame transmitted over the communication network established by a WiFi access point device, the face feature data to be verified for accessing that communication network, the data being provided for the authentication phase of the WiFi protocol connection establishment process;
a verification unit, configured to verify the face feature data and obtain authentication result information indicating whether the verification succeeded or failed;
a feedback unit, configured to feed the authentication result information back to the WiFi access point device using a frame.
6. The device according to claim 5, characterized in that the verification unit is configured to compare the acquired face feature data with a feature database to determine whether it is consistent with the pre-stored feature data in the feature database, and accordingly to determine that the verification result is success or failure.
7. The device according to claim 6, characterized in that the device further comprises:
a collecting unit, configured to display, in response to a user acquisition instruction, an image acquisition interface for collecting the user's face feature data as the pre-stored feature data.
8. The device according to claim 7, characterized in that the collecting unit is configured to obtain a face image of the user through the image acquisition interface and to extract the face feature data from the face image.
9. A portable control end equipment, characterized in that it comprises:
a WiFi module, for accessing a communication network;
a touch-sensitive display, for displaying an interface and implementing human-computer interaction;
one or more processors;
a memory;
one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the one or more processors;
the one or more programs are used to drive the one or more processors to form a device for performing the method according to any one of claims 1 to 4.
10. A portable control end equipment, characterized in that it comprises:
a WiFi module, for accessing a communication network;
a touch-sensitive display, for displaying an interface and implementing human-computer interaction;
one or more processors;
a memory;
one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the one or more processors;
the one or more programs are used to drive the one or more processors to form the device according to any one of claims 5 to 8.
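The three steps of claim 1, with the feature-database comparison of claim 2, sketched for the control end as an added example; this is not code from the patent. The payload layout, the result layout, the cosine-similarity comparison, the threshold, and every name below are assumptions, because the claims do not define them.

```python
import math
import struct

# Assumed payload layout carried in the multicast frame (not defined by the patent):
#   6-byte station MAC | 2-byte big-endian count N | N big-endian float32 values
HEADER = struct.Struct("!6sH")
MAX_FEATURES = 512        # assumed upper bound; oversized vectors are rejected
MATCH_THRESHOLD = 0.95    # assumed cosine-similarity threshold
REJECT = b"\x00" * 6 + b"\x00"  # assumed reply when the payload cannot be parsed


def build_payload(mac, features):
    """Helper that packs a payload in the assumed layout (used for sample data)."""
    return HEADER.pack(mac, len(features)) + struct.pack("!%df" % len(features), *features)


def parse_payload(payload):
    """Step 1: extract (station MAC, feature vector); ValueError if malformed."""
    if len(payload) < HEADER.size:
        raise ValueError("payload shorter than header")
    mac, count = HEADER.unpack_from(payload)
    if count == 0 or count > MAX_FEATURES:
        raise ValueError("feature count out of range")
    if len(payload) != HEADER.size + 4 * count:
        raise ValueError("length does not match feature count")
    features = struct.unpack_from("!%df" % count, payload, HEADER.size)
    if not all(math.isfinite(x) for x in features):
        raise ValueError("non-finite feature value")
    return mac, list(features)


def cosine(a, b):
    """Cosine similarity; vectors of different length or zero norm never match."""
    if len(a) != len(b):
        return 0.0
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    if na == 0.0 or nb == 0.0:
        return 0.0
    return sum(x * y for x, y in zip(a, b)) / (na * nb)


def verify(features, feature_db):
    """Step 2 (claim 2): compare with the pre-stored feature data in the feature database."""
    return any(cosine(features, t) >= MATCH_THRESHOLD for t in feature_db.values())


def handle_multicast_payload(payload, feature_db):
    """Steps 1 to 3: returns the result bytes to feed back to the access point.

    Assumed result layout: 6-byte station MAC + 1 status byte (1 success, 0 failure).
    """
    try:
        mac, features = parse_payload(payload)
    except ValueError:
        return REJECT  # malformed input is treated as a failed verification
    return mac + (b"\x01" if verify(features, feature_db) else b"\x00")


# Constructed sample data: one enrolled template and a locally administered MAC.
ENROLLED = {"user-1": [0.12, 0.80, 0.35, 0.44]}
STA = bytes.fromhex("020000000001")

if __name__ == "__main__":
    print(handle_multicast_payload(build_payload(STA, [0.13, 0.79, 0.36, 0.43]), ENROLLED).hex())
    print(handle_multicast_payload(build_payload(STA, [0.90, 0.10, 0.00, 0.05]), ENROLLED).hex())
```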

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610365921.7A CN106101065A (en) 2016-05-27 2016-05-27 Portable control end equipment and WiFi access remote authentication method, device


Publications (1)

Publication Number Publication Date
CN106101065A true CN106101065A (en) 2016-11-09

Family

ID=57230180

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610365921.7A Pending CN106101065A (en) 2016-05-27 2016-05-27 Portable control end equipment and WiFi access remote authentication method, device

Country Status (1)

Country Link
CN (1) CN106101065A (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20161109

RJ01 Rejection of invention patent application after publication