CN106713222B - Access authentication method, server and authentication system of wireless local area network - Google Patents


Info

Publication number
CN106713222B
Authority
CN (China)
Prior art keywords
user equipment; server; access; information; access password
Legal status
Active
Application number
CN201510459273.7A
Other languages
Chinese (zh)
Other versions
CN106713222A
Inventors
仲伟伟, 仲镜学, 李娜, 陈璟
Current Assignee
Honor Device Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201510459273.7A (CN106713222B)
Priority to PCT/CN2016/090439 (WO2017016415A1)
Publication of CN106713222A
Application granted
Publication of CN106713222B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses an access authentication method of a wireless local area network, which comprises the following steps: a server receives access information sent by first user equipment, wherein the access information carries identity information of the first user equipment; the server sends an access request to second user equipment according to the access information; if the server receives a confirmation instruction sent by the second user equipment for the access request, the server generates a challenge code and generates a first access password according to the challenge code; the server sends the challenge code to the first user equipment so that the first user equipment generates a second access password according to the challenge code; and the server completes EAP authentication with the first user equipment through the first access password. Correspondingly, the invention also discloses a server and an authentication system. By adopting the invention, the problem of dictionary attack can be solved.

Description

Access authentication method, server and authentication system of wireless local area network
Technical Field
The present invention relates to the field of wireless communications technologies, and in particular, to an access authentication method, a server, and an authentication system for a wireless local area network.
Background
WIFI technology is a technology that wirelessly connects terminals such as personal computers and handheld devices to each other. With the rapid development of network technology, WIFI has penetrated every aspect of daily life; at the same time, with the proliferation and popularity of portable communication devices, more and more user devices perform WIFI access. This places higher demands on the security of wireless communication.
At present, when a portable device (including a card device and a card-less device) performs WIFI access, a user name and a password are generally used as input information to perform identity authentication. Although the method is simple and convenient to use, certain disadvantages exist: if the user name or the password is too complicated, the user name or the password is difficult to remember; if the user name or password is relatively simple, it is vulnerable to dictionary attacks.
A dictionary attack is an attack in which an intruder enumerates all password sequences a user might plausibly choose and collects them in a file, the dictionary; when cracking a password or key, the words or phrases in this self-defined dictionary are tried one by one. Once the intruder obtains some verification information related to the password, a series of operations can be performed in combination with the dictionary to make guesses, and the obtained information is used to verify the correctness of each guess.
Disclosure of Invention
The invention provides an access authentication method, a server and an authentication system of a wireless local area network, which can generate a challenge code according to access information of first user equipment in a WIFI access authentication process, and do not use a static password set by a user, so that the problem of dictionary attack is solved.
The first aspect of the present invention provides an access authentication method for a wireless local area network, including:
the method comprises the steps that a server receives access information sent by first user equipment, wherein the access information carries identity information of the first user equipment;
the server sends an access request to second user equipment according to the access information;
if the server receives a confirmation instruction sent by the second user equipment aiming at the access request, the server generates a challenge code according to the identity information of the first user equipment and generates a first access password according to the challenge code;
the server sends the challenge code to the first user equipment so that the first user equipment generates a second access password according to the challenge code;
and the server completes EAP authentication with the first user equipment through the first access password.
In a first possible implementation manner of the first aspect, after the server receives the access information sent by the first user equipment, the method further includes:
the server detects whether a first access password corresponding to the first user equipment exists locally according to the identity information of the first user equipment;
if yes, the server completes EAP authentication with the first user equipment through the detected first access password corresponding to the first user equipment;
and if not, the server executes the step of sending the access request to the second user equipment according to the access information.
In a second possible implementation manner of the first aspect, the identity information of the first user equipment includes an international mobile equipment identity code IMEI of the first user equipment;
the server generating the challenge code according to the identity information of the first user equipment comprises:
the server combines the IMEI of the first user equipment, the current time and a self-increment value starting from a certain random number into a character string, and takes the character string as the challenge code.
In a third possible implementation manner of the first aspect, the generating, by the server, the first access password according to the challenge code includes:
the server encrypts the challenge code into a ciphertext through a server public key in a server certificate;
and the server performs one-way hash on the ciphertext through a one-way hash function, and processes the ciphertext subjected to one-way hash through a reduction function to obtain the first access password.
In a fourth possible implementation manner of the first aspect, after the server generates the first access password according to the challenge code, the method further includes:
the server stores the first access password according to the identity information of the first user equipment and starts a timer to time;
and when the timer times to reach a preset time length, the server deletes the first access password.
In a fifth possible implementation manner of the first aspect, after the server completes EAP authentication with the first user equipment through the first access password, the method further includes:
and the server sends the EAP authentication result to the second user equipment.
In a sixth possible implementation manner of the first aspect, the sending, by the server, the access request to the second user equipment according to the access information includes:
the server acquires contact information corresponding to the identity information of the first user equipment according to a preset corresponding relation between the identity information and the contact information, and sends an access request to the second user equipment through the acquired contact information.
In a seventh possible implementation manner of the first aspect, the accessing information further carries contact information, and the sending, by the server, the access request to the second user equipment according to the accessing information includes:
and the server sends an access request to the second user equipment through the contact information carried by the access information.
With reference to the first aspect or any one of the first to the seventh possible implementation manners of the first aspect, in an eighth possible implementation manner, after the server sends the challenge code to the first user equipment, the method further includes:
the server receives the second access password sent by the first user equipment;
the server completing EAP authentication with the first user equipment through the first access password comprises the following steps:
the server judges whether the first access password and the second access password are the same;
if the judgment result is yes, the server judges that the EAP authentication is successful;
and if the judgment result is negative, the server judges that the EAP authentication fails.
With reference to the first aspect or any one of the first to seventh possible implementation manners of the first aspect, in a ninth possible implementation manner, the completing, by the server, EAP authentication with the first user equipment through the first access password includes:
the server generates a random number, generates a first expected response value according to the first access password and the random number, and sends the random number to the first user equipment;
the first user equipment generates a second expected response value according to the random number and the second access password, and sends the second expected response value to the server;
the server judges whether the first expected response value and the second expected response value are the same;
if the judgment result is yes, the server judges that the EAP authentication is successful;
and if the judgment result is negative, the server judges that the EAP authentication fails.
A second aspect of the present invention provides a server, comprising:
the information receiving module is used for receiving access information sent by first user equipment, wherein the access information carries identity information of the first user equipment;
an access request sending module, configured to send an access request to a second user equipment according to the access information;
the instruction receiving module is used for receiving a confirmation instruction sent by the second user equipment aiming at the access request;
the challenge code generating module is used for generating a challenge code according to the identity information of the first user equipment;
the access password generating module is used for generating a first access password according to the challenge code;
the information sending module is used for sending the challenge code to the first user equipment so that the first user equipment generates a second access password according to the challenge code;
and the authentication module is used for completing EAP authentication with the first user equipment through the first access password.
In a first possible implementation manner of the second aspect, the server further includes:
the detection module is used for detecting whether a first access password corresponding to the first user equipment exists locally or not according to the identity information of the first user equipment, and if the first access password corresponding to the first user equipment does not exist locally, the access request sending module is triggered to send an access request to second user equipment according to the access information;
the authentication module is further configured to:
if the detection module detects that the first access password corresponding to the first user equipment exists locally, the EAP authentication is completed through the first access password corresponding to the first user equipment and the first user equipment.
In a second possible implementation manner of the second aspect, the identity information of the first user equipment includes an international mobile equipment identity code IMEI of the first user equipment;
the challenge code generation module is specifically configured to:
combining the IMEI of the first user equipment, the current time and a self-increment value starting from a certain random number into a character string, and taking the character string as the challenge code.
In a third possible implementation manner of the second aspect, the access password generation module is specifically configured to:
encrypting the challenge code into a ciphertext through a server public key in a server certificate;
and performing one-way hash on the ciphertext through a one-way hash function, and processing the ciphertext subjected to one-way hash through a reduction function to obtain the first access password.
In a fourth possible implementation manner of the second aspect, the server further includes:
the storage module is used for storing the first access password according to the identity information of the first user equipment and starting a timer to time;
and the deleting module is used for deleting the first access password when the timer reaches a preset time length.
In a fifth possible implementation manner of the second aspect, the server further includes:
and the notification module is used for sending the EAP authentication result to the second user equipment.
In a sixth possible implementation manner of the second aspect, the access request sending module is specifically configured to:
and acquiring contact information corresponding to the identity information of the first user equipment according to a preset corresponding relation between the identity information and the contact information, and sending an access request to the second user equipment through the acquired contact information.
In a seventh possible implementation manner of the second aspect, the access information further carries contact information, and the access request sending module is specifically configured to:
and sending an access request to the second user equipment through the contact information carried by the access information.
With reference to the second aspect or any one of the first to the seventh possible implementation manners of the second aspect, in an eighth possible implementation manner, the information receiving module is further configured to:
receiving the second access password sent by the first user equipment;
the authentication module is specifically configured to:
judging whether the first access password and the second access password are the same;
if the judgment result is yes, the EAP authentication is judged to be successful;
if the judgment result is negative, the EAP authentication is judged to fail.
With reference to the second aspect or any one of the first to fifth possible implementation manners of the second aspect, in a ninth possible implementation manner, the authentication module is specifically configured to:
generating a random number, generating a first expected response value according to the first access password and the random number, and sending the random number to the first user equipment, so that the first user equipment generates a second expected response value according to the random number and the second access password;
receiving the second expected response value sent by the first user equipment;
judging whether the first expected response value and the second expected response value are the same;
if the judgment result is yes, the EAP authentication is judged to be successful;
if the judgment result is negative, the EAP authentication is judged to fail.
The third aspect of the present invention further provides an access authentication system for a wireless local area network, including a first user equipment, an access point device, a server, and a second user equipment, where:
the first user equipment is used for sending access information to the server through the access point equipment, and the access information carries identity information of the first user equipment;
the server is used for sending an access request to the second user equipment according to the access information;
the second user equipment is used for verifying the access request;
the server is further configured to generate a challenge code if the server receives a confirmation instruction sent by the second user equipment for the access request, and generate a first access password according to the challenge code;
the server is further configured to send the challenge code to the first user equipment through the access point device;
the first user equipment is also used for generating a second access password according to the challenge code;
the server is further configured to complete EAP authentication with the first user equipment through the first access password.
By adopting the embodiment of the invention, the following beneficial effects are achieved:
the server sends an access request to a second user device according to contact information of the second user device carried by the access information when receiving the access information sent by the first user device, generates a challenge code and sends the challenge code to the first user device if receiving a confirmation instruction sent by the second user device aiming at the access request, and the server and the first user device complete EAP authentication through a password generated by the challenge code.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart of an access authentication method for a wireless local area network according to an embodiment of the present invention;
Fig. 2 is a flowchart of another access authentication method for a wireless local area network according to an embodiment of the present invention;
Fig. 3 is a flowchart of an access authentication method for a wireless local area network according to another embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a server according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of an authentication system according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In this section, some basic concepts that may be involved in various embodiments are described.
The Extensible Authentication Protocol (EAP) is an authentication framework that provides some common functions and allows negotiation of a desired authentication mechanism; such a mechanism is called an EAP method, and EAP methods include EAP-MD5, EAP-TLS, EAP-TTLS, EAP-PEAP, etc. The present invention is described by taking the more commonly used EAP-TTLS as an example; it is also applicable to other EAP methods that use user name and password authentication.
Referring to fig. 1, fig. 1 is a flowchart illustrating an access authentication method for a wireless local area network according to an embodiment of the present invention; embodiments of the present invention are described from a server perspective. The method as shown in fig. 1 comprises:
step S101, a server receives access information sent by first user equipment, wherein the access information carries identity information of the first user equipment.
When first user equipment needs to access a certain wireless local area network, it sends an EAP-Start message to an access point equipment of the wireless local area network to request access to the wireless local area network; the first user equipment may be card-equipped equipment (that is, equipment that has its own wireless network card) or card-free equipment (that is, equipment without its own wireless network card), which is not limited in the present invention;
when the access point equipment receives the EAP-Start message, it sends an identity request message to the first user equipment;
and when receiving the identity request message, the first user equipment sends access information to the access point equipment, wherein the access information carries the identity information of the first user equipment and the contact information of the second user equipment, the access point equipment sends the access information to a server, and the server further receives the access information sent by the first user equipment.
The identity information of the first user equipment may at least include an International Mobile Equipment Identity (IMEI) of the first user equipment, and may further include a media access control (MAC) address, a device model, a device name, or the like of the first user equipment.
It will be appreciated that the interaction between the first user device and the server is mediated through the access point device.
And step S102, the server sends an access request to second user equipment according to the access information.
The second user equipment is used for performing access authentication on the first user equipment. The second user equipment and the first user equipment may be the same user equipment or different user equipment, which is not limited in the present invention. If they are the same user equipment, the traffic cost generated by the first user equipment accessing the wireless local area network is borne by that user equipment itself; if they are different user equipment, the second user equipment bears the traffic cost generated when the first user equipment accesses the wireless local area network.
In an optional implementation manner, the server obtains contact information corresponding to the identity information of the first user equipment according to a preset correspondence between the identity information and the contact information, and sends an access request to the second user equipment through the obtained contact information.
In another optional implementation manner, the access information further carries contact information, and the server sends an access request to the second user equipment through the contact information carried by the access information.
The contact information of the second user equipment can be a mobile phone number of the second user equipment or a mailbox number associated with the second user equipment; preferably, the contact information of the second user equipment is a mobile phone number of the second user equipment.
Preferably, the server may send an access request to the second user equipment in a short message manner, where the access request carries identity information of the second user equipment.
Further, the first user equipment may also authenticate the server.
In a specific implementation, the server may further send an EAP-TTLS message to the first user equipment when receiving the access information. When receiving the EAP-TTLS message, the first user equipment sends a client Hello message to the server to start a handshake process; the client Hello message includes the TTLS version, a session ID, an RC, and the encryption modes supported by the first user equipment. When receiving the client Hello message, the server first determines whether the session ID in the client Hello message matches a locally pre-stored session ID, and if so, the server sends a confirmation message to the first user equipment, where the confirmation message carries a server Hello, a server certificate, a key exchange, and a session-lo Hello message. When the first user equipment receives the confirmation message, it judges whether the server Hello and the server certificate in the confirmation message are legal, and if so, the server passes authentication. Once the server has passed authentication, the first user equipment may randomly generate a character string, encrypt it with the server public key in the server certificate, and send the encrypted string together with a Change Cipher Spec (CCS) message to the server. The server executes step S102 upon receiving the character string and the CCS.
When a client (i.e. the first user equipment) requests a session object for the first time, the server creates a session for the client and calculates a session ID through a special algorithm to identify the session object. When the client's browser requests another resource next time (while the session is valid), it places the session ID in the request header; the server receives the request, obtains its session ID, finds the session with that ID, and returns it to the requester (Servlet).
Step S103, if the server receives a confirmation instruction sent by the second user equipment for the access request, the server generates a challenge code according to the identity information of the first user equipment, and generates a first access password according to the challenge code.
When receiving the access request, the second user equipment may prompt a user according to the access request, for example, display a message that the first user equipment accesses a wireless local area network, and if the user allows the first user equipment to access the wireless local area network, the second user equipment may send a confirmation instruction for the access request to the server in a short message manner.
The server generates a challenge code when receiving a confirmation instruction for the access request. In a specific implementation, the server may combine the IMEI of the first user equipment, the current time, and a self-increment value starting from a certain random number into a character string, and use the character string as the challenge code.
And the server generates a first access password according to the challenge code. In a specific implementation, the server encrypts the challenge code into a ciphertext through a server public key in a server certificate, performs one-way hash on the ciphertext through a one-way hash function, and processes the ciphertext subjected to one-way hash through a reduction function to obtain the first access password.
Step S104, the server sends the challenge code to the first user equipment, so that the first user equipment generates a second access password according to the challenge code.
Similarly, the first user equipment may encrypt the received challenge code into a ciphertext through a server public key in a server certificate, perform one-way hash on the ciphertext through a one-way hash function, and process the ciphertext subjected to one-way hash through a reduction function to obtain the second access password.
In this embodiment of the present invention, the server generates the first access password according to the challenge code and then sends the challenge code to the first user equipment. In other optional embodiments, the server may first send the challenge code to the first user equipment and then generate the first access password according to the challenge code, or may perform the two operations simultaneously, which is not limited in the present invention.
Step S105, the server completes EAP authentication with the first user equipment through the first access password.
In an optional implementation manner, if the server receives the second access password sent by the first user equipment, the server determines whether the first access password and the second access password are the same; if the judgment result is yes, the server judges that the EAP authentication is successful; and if the judgment result is negative, the server judges that the EAP authentication fails.
In another alternative embodiment, the server may generate a random number, generate a first expected response value according to the first access password and the random number, and send the random number to the first user equipment; the first user equipment generates a second expected response value according to the random number and the second access password, and sends the second expected response value to the server; the server judges whether the first expected response value and the second expected response value are the same; if the judgment result is yes, the server judges that the EAP authentication is successful; and if the judgment result is negative, the server judges that the EAP authentication fails.
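The exchange of steps S103 to S105 above (together with the second, third, fourth and ninth implementation manners of the first aspect), as an added Python model that is not part of the patent: the challenge code is built from IMEI, time and a counter, the first access password is derived and kept under a timer on the server, and authentication uses the random-number expected-response variant. Assumed here, since the patent does not fix them: the server-public-key encryption step is modelled as a deterministic keyed hash (HMAC-SHA256 keyed with the public-key bytes), because a randomised public-key encryption would give the server and the first user equipment different ciphertexts and thus different passwords; the reduction function maps the digest onto a 16-character password; all class and function names and the sample IMEI, key and timestamps are constructed.

```python
import hashlib
import hmac
import secrets

# Reduction function parameters (assumed; the patent does not fix a password format).
PASSWORD_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"
PASSWORD_LENGTH = 16


def make_challenge_code(imei: str, current_time: int, counter: int) -> str:
    """Challenge code: IMEI, current time and the self-increment value as one string."""
    return f"{imei}|{current_time}|{counter}"


def reduce_digest(digest: bytes) -> str:
    """Reduction function: map a hash digest onto a fixed-length password string."""
    return "".join(PASSWORD_ALPHABET[b % len(PASSWORD_ALPHABET)]
                   for b in digest[:PASSWORD_LENGTH])


def derive_access_password(challenge_code: str, server_public_key: bytes) -> str:
    """Challenge code -> ciphertext under the server key -> one-way hash -> reduction.

    Assumption: the public-key encryption step is modelled as HMAC-SHA256 keyed with the
    public-key bytes. A randomised encryption (e.g. RSA-OAEP) would give the two sides
    different ciphertexts, so their first and second access passwords would not match.
    """
    ciphertext = hmac.new(server_public_key, challenge_code.encode(), hashlib.sha256).digest()
    hashed = hashlib.sha256(ciphertext).digest()
    return reduce_digest(hashed)


def expected_response(access_password: str, random_number: bytes) -> bytes:
    """Expected response value computed by both sides from password and random number."""
    return hashlib.sha256(access_password.encode() + random_number).digest()


class Server:
    def __init__(self, public_key: bytes, password_ttl: int):
        self.public_key = public_key
        self.password_ttl = password_ttl            # preset time length of the timer
        self.counter = secrets.randbelow(1 << 32)   # self-increment value starting at a random number
        self.passwords = {}                         # IMEI -> (first access password, expiry time)

    def cached_password(self, imei: str, now: int):
        """Step S202: look up a stored first access password; delete it once the timer ran out."""
        entry = self.passwords.get(imei)
        if entry is None:
            return None
        password, expires_at = entry
        if now >= expires_at:
            del self.passwords[imei]                # timer reached the preset length: delete
            return None
        return password

    def on_confirmation(self, imei: str, now: int) -> str:
        """Step S103: confirmation received; generate challenge code and first access password."""
        self.counter += 1
        challenge = make_challenge_code(imei, now, self.counter)
        password = derive_access_password(challenge, self.public_key)
        self.passwords[imei] = (password, now + self.password_ttl)
        return challenge                            # step S104: sent to the first user equipment

    def authenticate(self, imei: str, random_number: bytes, client_response: bytes, now: int) -> bool:
        """Step S105 (ninth implementation): compare the two expected response values."""
        password = self.cached_password(imei, now)
        if password is None:
            return False
        return hmac.compare_digest(expected_response(password, random_number), client_response)


class FirstUserEquipment:
    def __init__(self, imei: str, server_public_key: bytes):
        self.imei = imei
        self.server_public_key = server_public_key  # taken from the server certificate
        self.password = None

    def on_challenge(self, challenge: str) -> None:
        """Derive the second access password from the received challenge code."""
        self.password = derive_access_password(challenge, self.server_public_key)

    def respond(self, random_number: bytes) -> bytes:
        return expected_response(self.password, random_number)


def run_exchange(auth_delay: int = 0, ttl: int = 300) -> bool:
    """Whole flow on constructed sample values; returns the EAP authentication result."""
    public_key = b"constructed-server-public-key-bytes"     # stand-in for the certificate key
    server = Server(public_key, password_ttl=ttl)
    client = FirstUserEquipment("356938035643809", public_key)  # constructed sample IMEI
    now = 1_700_000_000                                      # constructed timestamp
    challenge = server.on_confirmation(client.imei, now)
    client.on_challenge(challenge)
    nonce = secrets.token_bytes(16)                          # random number generated by the server
    return server.authenticate(client.imei, nonce, client.respond(nonce), now + auth_delay)


if __name__ == "__main__":
    print("fresh challenge:", run_exchange())
    print("after the password timer expired:", run_exchange(auth_delay=600))
```

Because the challenge code includes the current time and a counter, every confirmation yields a new password, which is the property the patent relies on against dictionary attacks on a static user password.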
In the embodiment shown in fig. 1, when receiving access information sent by a first user equipment, a server sends an access request to a second user equipment according to the access information, and if receiving a confirmation instruction sent by the second user equipment for the access request, the server generates a challenge code and sends the challenge code to the first user equipment, and the server and the first user equipment complete EAP authentication through a password generated by the challenge code.
Referring to fig. 2, fig. 2 is a block diagram illustrating another access authentication method for a wireless local area network according to an embodiment of the present invention; this embodiment is described from a server perspective. The method shown in fig. 2 may include:
Step S201: the server receives access information sent by a first user equipment; the access information carries identity information of the first user equipment and contact information of a second user equipment.
When the first user equipment needs to access a wireless local area network, it sends an EAP-Start message to the access point device of that network to request access; on receiving the EAP-Start message, the access point device sends an identity request message to the first user equipment;
on receiving the identity request message, the first user equipment sends the access information, carrying its own identity information and the contact information of the second user equipment, to the access point device, which forwards it to the server; the server thereby receives the access information sent by the first user equipment.
All interaction between the first user equipment and the server is relayed by the access point device.
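The identity exchange of step S201 (steps S301 to S304 in fig. 3) is carried in EAP packets. The following block is an added example, not code from the patent: the EAP header, codes and Identity type follow RFC 3748 and the RADIUS EAP-Message attribute follows RFC 3579, but the `imei=...;contact=...` layout of the access information inside the Identity response, RADIUS as the "format the server recognises" that the access point converts to, and the identifier check the relay performs are assumptions, and the IMEI and contact number used are constructed sample values.

```python
import struct

# EAP header and codes per RFC 3748; the Identity type is 1.
_HDR = struct.Struct("!BBH")                  # code, identifier, length (incl. header)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY = 1
RADIUS_EAP_MESSAGE = 79                       # RFC 3579 attribute carrying EAP packets
_RADIUS_MAX_VALUE = 253                       # attribute length field is one byte


def encode_eap(code, identifier, eap_type=None, data=b""):
    """Build one EAP packet; Success/Failure carry no type octet or data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return _HDR.pack(code, identifier, _HDR.size + len(body)) + body


def decode_eap(packet):
    """Parse an EAP packet into (code, identifier, type, data), rejecting bad lengths."""
    if len(packet) < _HDR.size:
        raise ValueError("short EAP packet")
    code, identifier, length = _HDR.unpack_from(packet)
    if length < _HDR.size or length > len(packet):
        raise ValueError("bad EAP length field")
    body = packet[_HDR.size:length]           # bytes past 'length' are padding
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    if code not in (EAP_REQUEST, EAP_RESPONSE) or not body:
        raise ValueError("request/response needs a type octet")
    return code, identifier, body[0], body[1:]


def encode_access_info(imei, contact):
    """Assumed layout of the access information inside the Identity response."""
    if not (imei.isdigit() and len(imei) in (14, 15)):
        raise ValueError("IMEI must be 14 or 15 digits")
    if ";" in contact or "=" in contact:
        raise ValueError("contact must not contain ';' or '='")
    return f"imei={imei};contact={contact}".encode()


def decode_access_info(data):
    """Inverse of encode_access_info; malformed items raise ValueError."""
    fields = dict(item.split("=", 1) for item in data.decode().split(";"))
    return fields["imei"], fields["contact"]


def identity_exchange(imei, contact, identifier=1):
    """Steps S302-S304: the AP sends Request/Identity, STA1 answers with the access
    information, and the relay accepts only a response whose identifier matches."""
    request = encode_eap(EAP_REQUEST, identifier, TYPE_IDENTITY)
    _, req_id, req_type, _ = decode_eap(request)           # processed at STA1
    if req_type != TYPE_IDENTITY:
        raise ValueError("expected Request/Identity")
    response = encode_eap(EAP_RESPONSE, req_id, TYPE_IDENTITY,
                          encode_access_info(imei, contact))
    code, resp_id, resp_type, data = decode_eap(response)  # processed at the AP/server
    if (code, resp_id, resp_type) != (EAP_RESPONSE, identifier, TYPE_IDENTITY):
        raise ValueError("response does not match the outstanding request")
    return decode_access_info(data)


def radius_eap_message(packet):
    """Format conversion at the AP (assumed to be RADIUS): split the EAP packet
    into EAP-Message attributes of at most 253 value bytes, type/length/value each."""
    attrs = []
    for i in range(0, len(packet), _RADIUS_MAX_VALUE):
        chunk = packet[i:i + _RADIUS_MAX_VALUE]
        attrs.append(bytes([RADIUS_EAP_MESSAGE, 2 + len(chunk)]) + chunk)
    return attrs
```

The length check in `decode_eap` matters on the relay: an EAP length field larger than the received frame is the classic malformed-packet case, and the identifier comparison in `identity_exchange` is what ties a response to the request that the access point actually sent.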
Step S202: according to the identity information of the first user equipment, the server checks whether a first access password corresponding to that equipment already exists locally; if it does, step S203 is executed, otherwise step S204.
The identity information of the first user equipment includes at least its IMEI and may additionally include its MAC address, device model or device name.
The server may keep a generated first access password locally for a limited period; if the same first user equipment sends access information again within that period, the server completes EAP authentication with it directly using the stored password, without involving the second user equipment again, which shortens authentication and therefore WiFi access.
Step S203: the server completes EAP authentication with the first user equipment using the locally found first access password corresponding to that equipment.
In one optional implementation, the server requests the first user equipment to send a second access password and, on receiving it, checks whether the first access password and the second access password are the same; if they are, the server treats the EAP authentication as successful, otherwise as failed.
In another optional implementation, the server generates a random number, computes a first expected response value from the first access password and the random number, and sends the random number to the first user equipment; the first user equipment computes a second expected response value from the random number and the second access password and returns it to the server; the server checks whether the two expected response values are the same and treats the EAP authentication as successful if they are and as failed otherwise.
Step S204: the server sends an access request to the second user equipment using the contact information of the second user equipment.
Preferably the access request is sent as a short message and carries identity information identifying the requesting (first) user equipment, so that the user of the second user equipment can see which device is asking for access.
Further, the first user equipment may also authenticate the server.
In a specific implementation, on receiving the access information the server additionally sends an EAP-TTLS message to the first user equipment. On receiving it, the first user equipment sends a Client Hello message to the server to start the handshake; the Client Hello carries the TTLS version, a session ID, a random value (RC) and the cipher suites supported by the first user equipment. On receiving the Client Hello, the server first checks whether the session ID in it matches a locally stored session ID; if it does, the server sends a confirmation message to the first user equipment carrying the Server Hello, the server certificate, the server key exchange and the Server Hello Done message. The first user equipment checks whether the Server Hello and the server certificate in the confirmation message are valid (for the certificate, that it chains to a trusted root and identifies the expected server); if so, the server has passed authentication. The first user equipment then generates a random character string, encrypts it with the server public key taken from the server certificate, and sends the encrypted string together with a Change Cipher Spec (CCS) message to the server. On receiving the encrypted string and the CCS, the server executes step S204.
Step S205: if the server receives a confirmation instruction from the second user equipment for the access request, the server generates a challenge code according to the identity information of the first user equipment.
On receiving the access request, the second user equipment may prompt its user, for example by displaying a message that the first user equipment is requesting access to the wireless local area network; if the user allows the access, the second user equipment returns a confirmation instruction for the access request to the server, for example as a short message.
On receiving the confirmation instruction, the server generates the challenge code. In a specific implementation, the server concatenates the IMEI of the first user equipment, the current time and a counter value (a counter that starts at a random number and is incremented for each challenge) into a character string and uses that string as the challenge code; the timestamp and counter keep the challenge code unique even when the same device is authenticated repeatedly.
Step S206: the server generates a first access password from the challenge code.
In a specific implementation, the server encrypts the challenge code with the server public key from the server certificate to obtain a ciphertext, applies a one-way hash function to the ciphertext, and passes the hash output through a reduction function (which reduces it to the length and character set required for a password) to obtain the first access password. Because the first user equipment must reproduce this value exactly, the public-key step has to be deterministic (it cannot use randomized padding); otherwise the two sides' ciphertexts, and therefore their passwords, would differ.
Step S207: the server sends the challenge code to the first user equipment so that the first user equipment generates a second access password from it.
The first user equipment performs the same computation: it encrypts the received challenge code with the server public key from the server certificate, hashes the ciphertext with the same one-way hash function and applies the same reduction function, obtaining the second access password. When the challenge code has been received intact, the second access password equals the first.
Step S208: the server completes EAP authentication with the first user equipment using the first access password.
In one optional implementation, the server receives the second access password sent by the first user equipment and checks whether it is the same as the first access password; if the two are the same, the server treats the EAP authentication as successful, otherwise as failed.
In another optional implementation, the server generates a random number, computes a first expected response value from the first access password and the random number, and sends the random number to the first user equipment; the first user equipment computes a second expected response value from the random number and the second access password and returns it to the server; the server checks whether the two expected response values are the same and treats the EAP authentication as successful if they are and as failed otherwise.
Step S209: the server stores the first access password indexed by the identity information of the first user equipment and starts a timer.
Steps S206, S207 and S209 need not be executed in this strict order and may be executed concurrently.
Step S210: when the timer reaches a preset duration, the server deletes the first access password.
In the embodiment shown in fig. 2, the server keeps the first access password generated for the first user equipment for a limited period; if the same equipment sends access information again within that period, the server completes EAP authentication with it directly using the stored password, which improves authentication efficiency and therefore WiFi access efficiency. The preset duration bounds how long a cached password remains usable after the second user's confirmation.
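The following block is an added example, not code from the patent, that carries steps S202 and S205 to S210 of fig. 2 (equivalently S316 to S323 of fig. 3, and both S105 variants) through in working code: challenge code generation, derivation of the access password on both ends, the two EAP verification variants and the timed password cache. Everything the page leaves unspecified is an assumption here: the server public key is a deliberately tiny RSA key pair used raw (unpadded) so that both sides obtain the same ciphertext without a crypto library, the one-way hash is SHA-256, the reduction function maps the digest onto a 12-character password over a fixed alphabet, the expected response value is HMAC-SHA256 of the random number under the password, `|` separates the challenge-code fields, and the IMEI is a constructed sample value. Since the derivation's only inputs are the challenge code and a public key, anyone who can read the challenge code can compute the password; in the page's flow the challenge code is sent after the TLS handshake of steps S305 to S314, and this example assumes it travels inside that protected exchange.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server public key (n, e) as it would be read from the server
# certificate.  The primes are deliberately tiny so the example needs no
# crypto library; only the public part is used because neither side decrypts.
_P, _Q = 1000003, 1000033
SERVER_PUBKEY = (_P * _Q, 65537)
_BLOCK_IN, _BLOCK_OUT = 4, 5          # 4-byte plaintext blocks, n < 2**40

PASSWORD_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # assumption: no 0/O/1/I
PASSWORD_LEN = 12


class ChallengeCodeGenerator:
    """S205: IMEI + current time + a counter that starts at a random value."""

    def __init__(self, start=None):
        self._counter = secrets.randbelow(1 << 32) if start is None else start

    def next_code(self, imei, now=None):
        self._counter += 1
        now = int(time.time()) if now is None else now
        return f"{imei}|{now}|{self._counter}"


def encrypt_with_pubkey(data, pubkey=SERVER_PUBKEY):
    """'Encrypt with the server public key' done as unpadded (textbook) RSA
    block by block, so that both sides obtain the identical ciphertext."""
    n, e = pubkey
    out = bytearray()
    for i in range(0, len(data), _BLOCK_IN):
        m = int.from_bytes(data[i:i + _BLOCK_IN], "big")   # m < 2**32 < n
        out += pow(m, e, n).to_bytes(_BLOCK_OUT, "big")
    return bytes(out)


def reduce_digest(digest, length=PASSWORD_LEN, alphabet=PASSWORD_ALPHABET):
    """Reduction function: map the hash output onto a password of fixed
    length over the allowed character set (assumed shape of the password)."""
    value = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        value, idx = divmod(value, len(alphabet))
        chars.append(alphabet[idx])
    return "".join(chars)


def derive_access_password(challenge_code, pubkey=SERVER_PUBKEY):
    """S206 on the server, S207 on the first user equipment: encrypt, hash, reduce."""
    ciphertext = encrypt_with_pubkey(challenge_code.encode(), pubkey)
    return reduce_digest(hashlib.sha256(ciphertext).digest())


def expected_response(password, nonce):
    """Second S208 variant: value both sides derive from the password and random number."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()


class AuthServer:
    """Server side of S202 and S205-S210 with the timed password cache."""

    def __init__(self, cache_ttl=300, clock=time.time):
        self._clock, self._ttl = clock, cache_ttl
        self._passwords = {}                  # IMEI -> (first password, expiry)
        self._gen = ChallengeCodeGenerator()

    def cached_password(self, imei):
        """S202/S210: a stored password is usable only until its timer expires."""
        entry = self._passwords.get(imei)
        if entry is None:
            return None
        password, expiry = entry
        if self._clock() >= expiry:
            del self._passwords[imei]         # S210: delete on expiry
            return None
        return password

    def issue_challenge(self, imei):
        """S205-S207, S209: call only after the second device confirmed (S205)."""
        code = self._gen.next_code(imei, int(self._clock()))
        self._passwords[imei] = (derive_access_password(code), self._clock() + self._ttl)
        return code

    def verify_password(self, imei, second_password):
        """First S208 variant: the first user equipment sends its password."""
        first = self.cached_password(imei)
        return first is not None and hmac.compare_digest(first, second_password)

    def verify_response(self, imei, nonce, second_response):
        """Second S208 variant: only the response to the server's nonce is sent."""
        first = self.cached_password(imei)
        return first is not None and hmac.compare_digest(
            expected_response(first, nonce), second_response)
```

`hmac.compare_digest` is used for both comparisons so that a wrong password or response takes the same time to reject as a near-miss; the clock is injectable so the expiry path of step S210 can be exercised without waiting.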
Referring to fig. 3, fig. 3 is a flowchart of another access authentication method for a wireless local area network according to an embodiment of the present invention, described from the perspective of the authentication system as a whole. For brevity, the first user equipment is referred to as STA1, the second user equipment as STA2, the access point device as AP and the server as Server. The method shown in fig. 3 may include:
Step S301: STA1 sends an EAP-Start message to an AP of the wireless local area network.
STA1 sends the EAP-Start message when it needs to access the wireless local area network.
Step S302: the AP sends an identity request message to STA1.
Step S303: STA1 sends access information to the AP; the access information carries identity information of STA1 and contact information of STA2.
Step S304: the AP forwards the access information to the Server.
The AP may also convert the received access information into a message format that the Server recognises.
Step S305: the Server sends an EAP-TTLS message to the AP.
Step S306: the AP forwards the EAP-TTLS message to STA1.
Likewise, the AP may convert the received EAP-TTLS message into a message format that STA1 recognises.
Step S307: STA1 sends a Client Hello message to the AP; the Client Hello carries the TTLS version, a session ID, a random value (RC) and the cipher suites supported by STA1.
Step S308: the AP forwards the Client Hello message to the Server.
Step S309: the Server checks whether the session ID in the Client Hello matches a locally stored session ID; if so, step S310 is executed.
Step S310: the Server sends a confirmation message to the AP carrying the Server Hello, the server certificate, the server key exchange and the Server Hello Done message.
Step S311: the AP forwards the confirmation message to STA1.
Step S312: STA1 checks whether the Server Hello and the server certificate in the confirmation message are valid; if so, the server has passed authentication and step S313 is executed.
Step S313: STA1 generates a random character string, encrypts it with the server public key from the server certificate, and sends the encrypted string and a Change Cipher Spec (CCS) message to the AP.
Step S314: the AP forwards the encrypted string and the CCS to the Server.
Step S315: the Server sends an access request to STA2 using the contact information of STA2.
Step S316: the Server receives the confirmation instruction sent by STA2 for the access request and generates a challenge code.
Step S317: the Server generates a first access password from the challenge code.
Step S318: the Server sends the challenge code to the AP.
Step S319: the AP forwards the challenge code to STA1.
Step S320: STA1 generates a second access password from the challenge code.
Step S321: STA1 sends the second access password to the AP.
Step S322: the AP forwards the second access password to the Server.
Step S323: the Server checks whether the second access password is the same as the first access password; if so, the EAP authentication has succeeded, otherwise it has failed.
In the embodiment shown in fig. 3, when the Server receives access information from STA1, it sends an access request to STA2 using the contact information of STA2 carried in that information; if it receives a confirmation instruction from STA2 for the access request, the Server generates a challenge code, derives a first access password from it and sends the challenge code to STA1; STA1 derives a second access password from the challenge code and sends it to the Server; and the Server completes EAP authentication by comparing the first and second access passwords.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a server according to an embodiment of the present invention. As shown in fig. 4, the server 4 may include at least: an information receiving module 401, an access request sending module 402, an instruction receiving module 403, a challenge code generating module 404, an access password generating module 405, an information sending module 406, and an authentication module 407, wherein:
the information receiving module 401 is configured to receive access information sent by a first user equipment, where the access information carries identity information of the first user equipment.
An access request sending module 402, configured to send an access request to the second user equipment according to the access information.
In an optional implementation manner, the access request sending module 402 is specifically configured to:
and acquiring contact information corresponding to the identity information of the first user equipment according to a preset corresponding relation between the identity information and the contact information, and sending an access request to the second user equipment through the acquired contact information.
In another optional implementation manner, the access information further carries contact information, and the access request sending module 402 is specifically configured to:
and sending an access request to the second user equipment through the contact information carried by the access information.
An instruction receiving module 403, configured to receive a confirmation instruction sent by the second user equipment for the access request.
A challenge code generating module 404, configured to generate a challenge code according to the identity information of the first user equipment;
the identity information of the first user equipment comprises the IMEI of the first user equipment;
the challenge code generating module 404 may specifically be configured to:
concatenate the IMEI of the first user equipment, the current time and a counter value (a counter that starts at a random number and is incremented for each challenge) into a character string, and use that string as the challenge code.
An access password generating module 405, configured to generate a first access password according to the challenge code;
optionally, the access password generating module 405 may be specifically configured to:
encrypting the challenge code into a ciphertext through a server public key in a server certificate;
and performing one-way hash on the ciphertext through a one-way hash function, and processing the ciphertext subjected to one-way hash through a reduction function to obtain the first access password.
An information sending module 406, configured to send the challenge code to the first user equipment, so that the first user equipment generates a second access password according to the challenge code.
An authentication module 407, configured to complete EAP authentication with the first user equipment using the first access password.
In one optional implementation, the information receiving module 401 is further configured to receive the second access password sent by the first user equipment, and the authentication module 407 is specifically configured to check whether the first access password and the second access password are the same, treating the EAP authentication as successful if they are and as failed otherwise.
In another optional implementation, the authentication module 407 is specifically configured to generate a random number, compute a first expected response value from the first access password and the random number, and send the random number to the first user equipment so that it computes a second expected response value from the random number and the second access password; to receive the second expected response value sent by the first user equipment; and to check whether the two expected response values are the same, treating the EAP authentication as successful if they are and as failed otherwise.
Further, the server 4 may include a detecting module 408, configured to check, according to the identity information of the first user equipment, whether a first access password corresponding to that equipment exists locally, and, if it does not, to trigger the access request sending module 402 to send an access request to the second user equipment according to the access information;
accordingly, the authentication module 407 is further configured to:
complete EAP authentication with the first user equipment using the locally stored first access password when the detecting module 408 finds that such a password exists.
Still further, the server 4 may further include a storage module 409 and a deletion module 410, wherein:
a storage module 409, configured to store the first access password according to the identity information of the first user equipment, and start a timer to time;
a deleting module 410, configured to delete the first access password stored in the storage module 409 when the timer reaches a preset duration.
Still further, the server 4 may further include a notification module 411, configured to send the EAP authentication result to the second user equipment.
It can be understood that the functions of the functional modules of the server 4 in this embodiment can be implemented according to the method in the foregoing method embodiment, and reference may be made to the related description of the method embodiment in fig. 1 or fig. 3 for details, which is not repeated herein.
Referring to fig. 5, fig. 5 is a schematic diagram of an authentication system according to an embodiment of the present invention. The authentication system as shown in fig. 5 comprises a first user equipment 51, an access point device 52, a server 53 and a second user equipment 54, wherein:
the first user equipment 51 is configured to send access information to the server 53 through the access point device 52, where the access information carries identity information of the first user equipment 51;
the server 53 is configured to send an access request to the second user equipment 54 according to the access information; the server 53 may be the server described in fig. 4.
The second user equipment 54 is configured to verify the access request;
the server 53 is further configured to generate a challenge code according to the identity information of the first user equipment and generate a first access password according to the challenge code if the server 53 receives a confirmation instruction sent by the second user equipment 54 for the access request;
the server 53 is further configured to send the challenge code to the first user equipment 51 through the access point device 52;
the first user equipment 51 is further configured to generate a second access password according to the challenge code;
the server 53 is further configured to complete EAP authentication with the first user equipment 51 through the first access password.
Further, after receiving the access information, the server 53 may also perform the following operations:
check, according to the identity information of the first user equipment 51, whether a first access password corresponding to the first user equipment 51 exists locally;
if so, complete EAP authentication with the first user equipment 51 using that stored first access password;
if not, execute the step of sending an access request to the second user equipment 54 according to the access information.
Still further, after the server 53 generates the first access password according to the challenge code, the following operations may be further performed:
the server 53 stores the first access password according to the identity information of the first user equipment 51, and starts a timer to time;
and when the timer reaches a preset time, deleting the first access password.
Still further, after the server 53 completes EAP authentication with the first user equipment 51 through the first access password, the following operations may be further performed:
sending the EAP authentication result to the second user equipment 54.
In summary, when the server receives access information from the first user device, it sends an access request to the second user device using the contact information of the second user device carried in that information; if it receives a confirmation instruction from the second user device for the access request, it generates a challenge code and sends it to the first user device; and the server and the first user device complete EAP authentication using the password derived from the challenge code.
It should be noted that, in the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to relevant descriptions of other embodiments for parts that are not described in detail in a certain embodiment. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that acts and modules referred to are not necessarily required to practice embodiments of the invention.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs.
The modules in the device provided by the embodiment of the invention can be combined, divided and deleted according to actual needs.
The module in the embodiment of the present invention may be implemented by a general-purpose integrated circuit, such as a Central Processing Unit (CPU), or an Application Specific Integrated Circuit (ASIC).
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above disclosure describes only preferred embodiments of the present invention and does not limit its scope, which is defined by the appended claims.

Claims (17)

1. An access authentication method for a wireless local area network, comprising:
the method comprises the steps that a server receives access information sent by first user equipment, wherein the access information carries identity information of the first user equipment;
the server sends an access request to second user equipment according to the access information;
if the server receives a confirmation instruction sent by the second user equipment aiming at the access request, the server generates a challenge code according to the identity information of the first user equipment and generates a first access password according to the challenge code;
the server sends the challenge code to the first user equipment so that the first user equipment generates a second access password according to the challenge code;
the server completes EAP authentication with the first user equipment through the first access password;
wherein the server generating a first access password according to the challenge code comprises: the server encrypts the challenge code into a ciphertext through a server public key in a server certificate; the server performs one-way hash on the ciphertext through a one-way hash function, and processes the ciphertext subjected to one-way hash through a reduction function to obtain the first access password;
the server stores the first access password according to the identity information of the first user equipment and starts a timer to time;
and when the timer reaches a preset duration, the server deletes the first access password.
2. The method of claim 1, wherein after the server receives the access information sent by the first user device, the method further comprises:
the server detects whether a first access password corresponding to the first user equipment exists locally according to the identity information of the first user equipment;
if yes, the server completes EAP authentication with the first user equipment through the detected first access password corresponding to the first user equipment;
and if not, the server executes the step of sending the access request to the second user equipment according to the access information.
3. The method of claim 1, wherein the identity information of the first user equipment comprises an International Mobile Equipment Identity (IMEI) code of the first user equipment;
the server generating the challenge code according to the identity information of the first user equipment comprises:
the server concatenates the IMEI of the first user equipment, the current time and a counter value that starts from a random number and is incremented into a character string, and uses that string as the challenge code.
4. The method of claim 1, wherein after the server completes EAP authentication with the first user device through the first access password, the method further comprises:
and the server sends the EAP authentication result to the second user equipment.
5. The method of claim 1, wherein the server sending an access request to a second user device based on the access information comprises:
the server acquires contact information corresponding to the identity information of the first user equipment according to a preset corresponding relation between the identity information and the contact information, and sends an access request to the second user equipment through the acquired contact information.
6. The method of claim 1, wherein the access information further carries contact information, and the server sending an access request to a second user equipment according to the access information comprises:
and the server sends an access request to the second user equipment through the contact information carried by the access information.
7. The method of any one of claims 1-6, wherein after the server sends the challenge code to the first user device, the method further comprises:
the server receives the second access password sent by the first user equipment;
the server completing EAP authentication with the first user equipment through the first access password comprises the following steps:
the server judges whether the first access password and the second access password are the same;
if the judgment result is yes, the server judges that the EAP authentication is successful;
and if the judgment result is negative, the server judges that the EAP authentication fails.
8. The method of any one of claims 1-6, wherein the server completing EAP authentication with the first user device through the first access password comprises:
the server generates a random number, generates a first expected response value according to the first access password and the random number, and sends the random number to the first user equipment;
the first user equipment generates a second expected response value according to the random number and the second access password, and sends the second expected response value to the server;
the server judges whether the first expected response value and the second expected response value are the same;
if the judgment result is yes, the server judges that the EAP authentication is successful;
and if the judgment result is negative, the server judges that the EAP authentication fails.
9. A server, comprising:
the information receiving module is used for receiving access information sent by first user equipment, wherein the access information carries identity information of the first user equipment; an access request sending module, configured to send an access request to a second user equipment according to the access information;
the instruction receiving module is used for receiving a confirmation instruction sent by the second user equipment aiming at the access request;
the challenge code generating module is used for generating a challenge code according to the identity information of the first user equipment;
the access password generating module is used for generating a first access password according to the challenge code;
the information sending module is used for sending the challenge code to the first user equipment so that the first user equipment generates a second access password according to the challenge code;
the authentication module is used for completing EAP authentication with the first user equipment through the first access password;
the storage module is used for storing the first access password according to the identity information of the first user equipment and starting a timer to time;
the deleting module is used for deleting the first access password when the timer reaches a preset time length;
wherein the access password generation module is specifically configured to: encrypting the challenge code into a ciphertext through a server public key in a server certificate; and performing one-way hash on the ciphertext through a one-way hash function, and processing the ciphertext subjected to one-way hash through a reduction function to obtain the first access password.
10. The server of claim 9, further comprising:
the detection module is used for detecting whether a first access password corresponding to the first user equipment exists locally or not according to the identity information of the first user equipment, and if the first access password corresponding to the first user equipment does not exist locally, the access request sending module is triggered to send an access request to second user equipment according to the access information;
the authentication module is further to:
if the detection module detects that the first access password corresponding to the first user equipment exists locally, the EAP authentication is completed through the first access password corresponding to the first user equipment and the first user equipment.
11. The server of claim 9, wherein the identity information of the first user equipment comprises an international mobile equipment identity, IMEI, of the first user equipment;
the challenge code generation module is specifically configured to:
combining the IMEI of the first user equipment, the current time and a self-incrementing value that starts from a random number into a character string, and taking the character string as the challenge code.
12. The server of claim 9, further comprising:
a notification module, used for sending the EAP authentication result to the second user equipment.
13. The server according to claim 9,
the access request sending module is specifically configured to:
acquiring contact information corresponding to the identity information of the first user equipment according to a preset correspondence between identity information and contact information, and sending an access request to the second user equipment through the acquired contact information.
14. The server according to claim 9, wherein the access information further carries contact information, and the access request sending module is specifically configured to:
sending an access request to the second user equipment through the contact information carried in the access information.
15. The server according to any one of claims 9-14,
the information receiving module is further configured to:
receiving the second access password sent by the first user equipment;
the authentication module is specifically configured to:
determining whether the first access password and the second access password are the same;
if they are the same, determining that the EAP authentication succeeds;
if they are not the same, determining that the EAP authentication fails.
16. The server according to any one of claims 9-14,
the authentication module is specifically configured to:
generating a random number, generating a first expected response value according to the first access password and the random number, and sending the random number to the first user equipment, so that the first user equipment generates a second expected response value according to the random number and the second access password;
receiving the second expected response value sent by the first user equipment;
determining whether the first expected response value and the second expected response value are the same;
if they are the same, determining that the EAP authentication succeeds;
if they are not the same, determining that the EAP authentication fails.
17. An access authentication system of a wireless local area network, comprising a first user equipment, an access point device, a server and a second user equipment, wherein:
the first user equipment is used for sending access information to the server through the access point equipment, and the access information carries identity information of the first user equipment;
the server is used for sending an access request to the second user equipment according to the access information;
the server is further used for sending an access request to the second user equipment according to the contact information of the second user equipment;
the second user equipment is used for verifying the access request;
the server is further configured to generate a challenge code according to the identity information of the first user equipment and generate a first access password according to the challenge code if the server receives a confirmation instruction sent by the second user equipment for the access request;
the server is further configured to send the challenge code to the first user equipment through the access point device;
the first user equipment is also used for generating a second access password according to the challenge code;
the server is further configured to complete EAP authentication with the first user equipment through the first access password;
wherein the generating a first access password according to the challenge code comprises: encrypting the challenge code into a ciphertext through a server public key in a server certificate; performing one-way hash on the ciphertext through a one-way hash function, and processing the ciphertext subjected to one-way hash through a reduction function to obtain the first access password;
the server is further used for storing the first access password according to the identity information of the first user equipment and starting a timer to time; and when the timer reaches a preset time length, deleting the first access password.
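The claims above name the pieces of the flow but leave every primitive open. The following Python simulation, an added example and not code from the patent or its assignee, walks claims 9, 11, 15, 16 and 17 end to end with the server and the first user equipment in one process: the challenge code of claim 11, the encrypt-then-hash-then-reduce derivation of claim 9, storage of the first access password with a timer, and the two EAP variants of claims 15 and 16. Everything the claims do not fix is an assumption here: a textbook RSA key (p=61, q=53, e=17) stands in for the public key of the server certificate, SHA-256 is the one-way hash, the reduction function maps the digest to eight alphanumeric characters, HMAC-SHA256 produces the expected response value, the owner's confirmation is a callback in place of the message to the second user equipment (the contact-information lookup of claims 13 and 14 is not modelled), and the timer is an expiry timestamp read from an injectable clock.

```python
"""Offline simulation of the WLAN access-authentication flow in claims 9, 11, 15, 16 and 17:
challenge code -> first access password, storage with a timer, and both EAP variants."""
import hashlib
import hmac
import secrets
import string
import time

# Stand-in for the "server public key in a server certificate": a textbook RSA public
# key (n, e) with p=61, q=53, e=17, constructed for this example only.
TOY_SERVER_PUBLIC_KEY = (3233, 17)
PASSWORD_ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 8  # assumed output size of the reduction function


def encrypt_with_server_key(challenge: str, public_key=TOY_SERVER_PUBLIC_KEY) -> bytes:
    """Encrypt the challenge code byte by byte with the toy server public key. Unpadded RSA
    is deterministic, which is what lets both ends derive the same password from the code."""
    n, e = public_key
    return b"".join(pow(b, e, n).to_bytes(2, "big") for b in challenge.encode())


def reduction_function(digest: bytes, length: int = PASSWORD_LENGTH) -> str:
    """Map a hash digest into the access-password space (alphanumeric string)."""
    return "".join(PASSWORD_ALPHABET[b % len(PASSWORD_ALPHABET)] for b in digest[:length])


def derive_access_password(challenge: str) -> str:
    """Claim 9: encrypt -> one-way hash (SHA-256 assumed) -> reduction function."""
    return reduction_function(hashlib.sha256(encrypt_with_server_key(challenge)).digest())


def expected_response(access_password: str, random_number: bytes) -> str:
    """Claim 16 response value; the claim fixes no function, HMAC-SHA256 is assumed."""
    return hmac.new(access_password.encode(), random_number, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, ttl_seconds: float, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so the claim-9 timer can be simulated
        self.counter = secrets.randbelow(1_000_000)  # claim 11: starts from a random number
        self.passwords = {}  # IMEI -> (first access password, expiry time)

    def generate_challenge(self, imei: str) -> str:
        """Claim 11: IMEI, current time and the incremented counter joined into one string."""
        self.counter += 1
        return f"{imei}|{int(self.clock())}|{self.counter}"

    def lookup_password(self, imei: str):
        """Claim 10 detection; an expired first access password is deleted here (claim 9 timer)."""
        entry = self.passwords.get(imei)
        if entry is None:
            return None
        password, expires_at = entry
        if self.clock() >= expires_at:
            del self.passwords[imei]
            return None
        return password

    def request_access(self, imei: str, owner_decides):
        """Claims 9, 10, 17. `owner_decides(imei)` stands in for the access request sent to the
        second user equipment. Returns ("reuse", None), ("challenge", code) or ("rejected", None)."""
        if self.lookup_password(imei) is not None:
            return "reuse", None  # claim 10: live password exists, no new access request
        if not owner_decides(imei):
            return "rejected", None
        challenge = self.generate_challenge(imei)
        self.passwords[imei] = (derive_access_password(challenge), self.clock() + self.ttl)
        return "challenge", challenge

    def eap_direct(self, imei: str, second_access_password: str) -> bool:
        """Claim 15: compare the first and second access passwords (constant time)."""
        first = self.lookup_password(imei)
        return first is not None and hmac.compare_digest(first, second_access_password)

    def eap_start(self) -> bytes:
        """Claim 16: the random number sent to the first user equipment."""
        return secrets.token_bytes(16)

    def eap_verify(self, imei: str, random_number: bytes, second_response: str) -> bool:
        """Claim 16: compare the first and second expected response values."""
        first = self.lookup_password(imei)
        return first is not None and hmac.compare_digest(
            expected_response(first, random_number), second_response)


class UserEquipment:
    def __init__(self, imei: str):
        self.imei = imei
        self.access_password = None  # the second access password, once derived

    def receive_challenge(self, challenge: str):
        self.access_password = derive_access_password(challenge)

    def respond(self, random_number: bytes) -> str:
        return expected_response(self.access_password, random_number)
```

Two properties the code makes visible. The derivation has to be deterministic (unpadded RSA here), because the first user equipment recomputes the password from the challenge code alone; consequently anyone holding the challenge code and the public server certificate can recompute the same first access password, so the claim-16 variant, which never transmits the password and binds each exchange to a fresh random number, is the one to prefer, and the claim-9 timer bounds how long a stored password stays usable. The example deletes an expired password lazily on lookup rather than from a firing timer; the observable behaviour is the same.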
CN201510459273.7A 2015-07-30 2015-07-30 Access authentication method, server and authentication system of wireless local area network Active CN106713222B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510459273.7A CN106713222B (en) 2015-07-30 2015-07-30 Access authentication method, server and authentication system of wireless local area network
PCT/CN2016/090439 WO2017016415A1 (en) 2015-07-30 2016-07-19 Access authentication method, server and authentication system of wireless local area network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510459273.7A CN106713222B (en) 2015-07-30 2015-07-30 Access authentication method, server and authentication system of wireless local area network

Publications (2)

Publication Number Publication Date
CN106713222A CN106713222A (en) 2017-05-24
CN106713222B true CN106713222B (en) 2020-10-09

Family

ID=57884098

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510459273.7A Active CN106713222B (en) 2015-07-30 2015-07-30 Access authentication method, server and authentication system of wireless local area network

Country Status (2)

Country Link
CN (1) CN106713222B (en)
WO (1) WO2017016415A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110324287B (en) * 2018-03-31 2020-10-23 华为技术有限公司 Access authentication method, device and server
CN111049640B (en) * 2019-12-25 2022-07-08 安腾网信(北京)科技有限公司 Internet of things authentication method based on hardware fingerprint and AES encryption and decryption algorithm

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1937498A (en) * 2006-10-09 2007-03-28 网之易信息技术(北京)有限公司 Dynamic cipher authentication method, system and device
WO2013050738A2 (en) * 2011-10-03 2013-04-11 Barclays Bank Plc User authentication
CN103607712A (en) * 2013-11-29 2014-02-26 深圳Tcl新技术有限公司 Access method and device for wireless network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090063850A1 (en) * 2007-08-29 2009-03-05 Sharwan Kumar Joram Multiple factor user authentication system

Also Published As

Publication number Publication date
CN106713222A (en) 2017-05-24
WO2017016415A1 (en) 2017-02-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210427

Address after: Unit 3401, unit a, building 6, Shenye Zhongcheng, No. 8089, Hongli West Road, Donghai community, Xiangmihu street, Futian District, Shenzhen, Guangdong 518040

Patentee after: Honor Device Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.
