CN107295510A - Method, device and system for realizing Home eNodeB access control based on OCSP - Google Patents

Method, device and system for realizing Home eNodeB access control based on OCSP

Info

Publication number: CN107295510A
Authority: CN (China)
Prior art keywords: ocsp, certificate, equipment, access, retractions
Legal status: Granted (active)
Application number: CN201610197304.0A
Other languages: Chinese (zh)
Other versions: CN107295510B (en)
Inventors: 阎军智, 杭小勇
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Co Ltd
Priority to CN201610197304.0A (granted as CN107295510B)
Publication of CN107295510A; application granted and published as CN107295510B

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W48/00: Access restriction; Network selection; Access point selection
    • H04W48/02: Access restriction performed under specific conditions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a method, device and system for realizing Home eNodeB access control based on OCSP, in the field of Home eNodeB authentication. The method includes: receiving an OCSP certificate status query request sent by a security gateway, where the OCSP certificate status query request carries the base station certificate to be verified and that certificate contains the device information of the Home eNodeB to be verified; forwarding the OCSP certificate status query request to an OCSP server; parsing the device information out of the OCSP certificate status query request and sending a device admission query request to a device admission control unit according to that device information; receiving the OCSP certificate status query response and the device admission query response; and generating a final OCSP certificate status query response and sending it to the security gateway.

Description

Method, device and system for realizing Home eNodeB access control based on OCSP
Technical field
The invention relates mainly to the field of Home eNodeB authentication, and in particular to a method, device and system for realizing Home eNodeB access control based on OCSP.
Background technology
A Home eNodeB, also called a HeNB (Home evolved Node B), is a small, low-power cellular technology that connects to the mobile core network over fixed broadband access and provides users with services including fixed-mobile convergence services and conventional cellular mobile communication services. The current 3GPP HeNB security specification TS 33.320 has defined the HeNB authentication mode: mutual device authentication between the HeNB and the security gateway is performed with digital certificates.
After the security gateway receives the Internet Key Exchange authentication (IKE_AUTH) message sent by the HeNB, it verifies the validity of the device certificate, and only when the device holds its own legitimate certificate does the security gateway allow the base station to access. Under normal circumstances, as long as the base station holds a legitimate device certificate it can complete authentication with the security gateway. This scheme therefore realizes access control through whether or not the certificate has been revoked: issuing a legitimate certificate to a base station means that the base station has access rights, and if base station access needs to be restricted, the certificate held by the base station has to be revoked.
For other reasons a base station may have to be denied access in some cases; for example, when a base station device has been compromised or is frequently attacking the network, that device must be prevented from accessing the network. Under the above scheme this requires revoking the certificate of the base station device to keep it from connecting to the mobile core network. Because a certificate cannot be restored once revoked, after the base station device has been repaired it must apply to the certificate authority (CA) for a new device certificate; especially where the CA does not support online application for digital certificates by devices, manual intervention is needed to configure the device certificate, so the process is complicated and inefficient. Also, when performing access control on a base station, access is often denied for other reasons such as billing; in such cases preventing access by revoking the certificate is obviously not a reasonable solution. Existing Home eNodeB access control schemes therefore cannot realize device access control flexibly, which limits the scale at which devices can be deployed.
Summary of the invention
The invention provides a method, device and system for realizing Home eNodeB access control based on OCSP, to solve the problem that existing Home eNodeB access control schemes cannot realize device access control flexibly and limit the scale at which devices can be deployed.
To solve the above technical problem, the invention adopts the following technical scheme:
In one aspect, the invention provides a method for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP), applied to an OCSP proxy server, the method including:
receiving an OCSP certificate status query request sent by a security gateway, where the OCSP certificate status query request includes the base station certificate to be verified, and the base station certificate includes the device information of the Home eNodeB to be verified;
sending the OCSP certificate status query request to an OCSP server;
parsing the device information in the OCSP certificate status query request, and sending a device admission query request to a device admission control unit according to the device information;
receiving the OCSP certificate status query response issued by the OCSP server after it obtains the OCSP certificate status query request, and receiving the device admission query response issued by the device admission control unit after it obtains the device admission query request;
generating a final OCSP certificate status query response according to the OCSP certificate status query response and the device admission query response, and sending it to the security gateway.
Optionally, generating the final OCSP certificate status query response according to the OCSP certificate status query response and the device admission query response includes:
parsing the device admission query response to obtain the device admission query result;
adding the device admission query result to the OCSP certificate status query response, and, using a signing certificate obtained by applying to the certificate authority (CA), replacing the signature information of the OCSP certificate status query response with new signature information, to obtain the final OCSP certificate status query response.
Optionally, after the step of obtaining the device admission query result, the method further includes:
judging whether the device admission query result is "access not allowed";
when the judgment is yes, obtaining the reason for denial from the device admission query response;
where, in the step of adding the device admission query result to the OCSP certificate status query response, the reason for denial is added to the OCSP certificate status query response at the same time.
Optionally, the device information includes at least a device name and a device serial number.
In another aspect, the invention also provides a method for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP), applied to a security gateway, the method including:
sending an OCSP certificate status query request to an OCSP proxy server, where the OCSP certificate status query request includes the base station certificate to be verified, and the base station certificate includes the device information of the Home eNodeB to be verified;
receiving the final OCSP certificate status query response issued by the OCSP proxy server, where the final OCSP certificate status query response is generated by the OCSP proxy server according to the certificate status query response received from the OCSP server and the device admission query response received from the device admission control unit;
judging, according to the final OCSP certificate status query response, whether the Home eNodeB to be verified meets the admission criteria.
Optionally, judging according to the final OCSP certificate status query response whether the Home eNodeB to be verified meets the admission criteria includes:
when the base station certificate to be verified recorded in the final OCSP certificate status query response is in the valid state and the device admission query result is "access allowed", judging that the Home eNodeB meets the admission criteria.
In another aspect, the invention also provides a method for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP), applied to a device admission control unit, the method including:
receiving a device admission query request sent by an OCSP proxy server, the device admission query request including the device information of the Home eNodeB to be verified;
performing a device admission query on the Home eNodeB to be verified according to the device information and preset admission rules, and generating a device admission query response;
sending the device admission query response to the OCSP proxy server.
Optionally, performing the device admission query on the Home eNodeB to be verified according to the device information and the preset admission rules and generating the device admission query response includes:
performing the device admission query on the Home eNodeB to be verified according to the device information and a blacklist or whitelist set according to the preset admission rules;
when the device information is not in the blacklist, or the device information is in the whitelist, generating a device admission query response that allows access;
when the device information is in the blacklist, or the device information is not in the whitelist, generating a device admission query response that denies access.
Optionally, in the step of generating the device admission query response, the generated device admission query response includes: the query response time, the device admission query result and, when the device admission query result is "access not allowed", the reason for denial.
In another aspect, the invention also provides a device for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP), the device including:
a first receiving module, for receiving an OCSP certificate status query request sent by a security gateway, where the OCSP certificate status query request includes the base station certificate to be verified, and the base station certificate includes the device information of the Home eNodeB to be verified;
a first sending module, for sending the OCSP certificate status query request to an OCSP server;
a second sending module, for parsing the device information in the OCSP certificate status query request and sending a device admission query request to a device admission control unit according to the device information;
a second receiving module, for receiving the OCSP certificate status query response issued by the OCSP server after it obtains the OCSP certificate status query request, and for receiving the device admission query response issued by the device admission control unit after it obtains the device admission query request;
a generation module, for generating a final OCSP certificate status query response according to the OCSP certificate status query response and the device admission query response, and sending it to the security gateway.
Optionally, the generation module is used for:
parsing the device admission query response to obtain the device admission query result;
adding the device admission query result to the OCSP certificate status query response, and, using a signing certificate obtained by applying to the certificate authority (CA), replacing the signature information of the OCSP certificate status query response with new signature information, to obtain the final OCSP certificate status query response.
Optionally, the generation module is further used for:
judging whether the device admission query result is "access not allowed";
when the judgment is yes, obtaining the reason for denial from the device admission query response;
where, in the step of adding the device admission query result to the OCSP certificate status query response, the reason for denial is added to the OCSP certificate status query response at the same time.
Optionally, the device information includes at least a device name and a device serial number.
In another aspect, the invention also provides a device for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP), the device including:
a third sending module, for sending an OCSP certificate status query request to an OCSP proxy server, where the OCSP certificate status query request includes the base station certificate to be verified, and the base station certificate includes the device information of the Home eNodeB to be verified;
a third receiving module, for receiving the final OCSP certificate status query response issued by the OCSP proxy server, where the final OCSP certificate status query response is generated by the OCSP proxy server according to the certificate status query response received from the OCSP server and the device admission query response received from the device admission control unit;
a judging module, for judging, according to the final OCSP certificate status query response, whether the Home eNodeB to be verified meets the admission criteria.
Optionally, the judging module is used for:
when the base station certificate to be verified recorded in the final OCSP certificate status query response is in the valid state and the device admission query result is "access allowed", judging that the Home eNodeB meets the admission criteria.
In another aspect, the invention also provides a device for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP), the device including:
a fourth receiving module, for receiving a device admission query request sent by an OCSP proxy server, the device admission query request including the device information of the Home eNodeB to be verified;
a query processing module, for performing a device admission query on the Home eNodeB to be verified according to the device information and preset admission rules, and generating a device admission query response;
a fourth sending module, for sending the device admission query response to the OCSP proxy server.
Optionally, the query processing module is used for:
performing the device admission query on the Home eNodeB to be verified according to the device information and a blacklist or whitelist set according to the preset admission rules;
when the device information is not in the blacklist, or the device information is in the whitelist, generating a device admission query response that allows access;
when the device information is in the blacklist, or the device information is not in the whitelist, generating a device admission query response that denies access.
Optionally, the device admission query response generated by the query processing module includes: the query response time, the device admission query result and, when the device admission query result is "access not allowed", the reason for denial.
In another aspect, the invention also provides a system for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP), the system including the three devices for realizing Home eNodeB access control based on OCSP described above: the OCSP proxy server device, the security gateway device and the device admission control unit device.
The beneficial effects of the invention are as follows:
In the above scheme, the final OCSP query response is computed by combining two kinds of information, the OCSP certificate status query response and the device admission query response, and that final response is returned to the security gateway. The process combines the original OCSP server query procedure with a device admission query added while the OCSP certificate status query request is being processed, so that validity checking of the base station certificate and device admission control based on other device-related factors are combined and admission control on the base station considers both. Frequent certificate revocation is not needed, which avoids a large number of re-applications for certificates; flexible device admission control is realized; and the OCSP server needs no change, it only has to follow the existing specification, so the scheme is easy to implement.
Brief description of the drawings
Fig. 1 is a schematic flowchart of the first embodiment of the invention;
Fig. 2 is a schematic flowchart of the second embodiment of the invention;
Fig. 3 is a schematic flowchart of the third embodiment of the invention;
Fig. 4 is a schematic block diagram of the fourth embodiment of the invention;
Fig. 5 is a schematic block diagram of the fifth embodiment of the invention;
Fig. 6 is a schematic block diagram of the sixth embodiment of the invention;
Fig. 7 is the overall sequence diagram of realizing Home eNodeB access control based on OCSP in the invention.
Detailed description of the embodiments
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
First embodiment
As shown in Fig. 1 and Fig. 7, the invention discloses a method for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP), applied to an OCSP proxy server. The method includes:
Step 101: receive the OCSP certificate status query request sent by the security gateway.
The OCSP certificate status query request includes the base station certificate to be verified, and the base station certificate includes the device information of the Home eNodeB to be verified.
Step 102: send the OCSP certificate status query request to the OCSP server.
In this step, after the query request sent by the security gateway has been received, it is forwarded to the OCSP server. Here the validity status of the Home eNodeB certificate is queried, which specifically includes querying information such as the name, purpose and validity period of the base station certificate.
Step 103: parse the device information in the OCSP certificate status query request and send a device admission query request to the device admission control unit according to the device information.
In this step, after the query request sent by the security gateway has been received, the device information in the OCSP certificate status query request is parsed and a device admission query request is sent to the device admission control unit according to that device information. Here the query is about whether the Home eNodeB is allowed to enter once other factors are taken into account. The device information can be, for example, the device name and device serial number.
The other factors include, but are not limited to, the security of the Home eNodeB device, the device's fee payment status, the access time limit, and so on.
Step 104: receive the OCSP certificate status query response issued by the OCSP server after it obtains the OCSP certificate status query request, and receive the device admission query response issued by the device admission control unit after it obtains the device admission query request.
In this step, after the OCSP certificate status query request has been sent to the OCSP server and the device admission query request to the device admission control unit, the two response contents are received accordingly: the OCSP certificate status query response fed back by the OCSP server and the device admission query response fed back by the device admission control unit.
Step 105: generate the final OCSP certificate status query response according to the OCSP certificate status query response and the device admission query response, and send it to the security gateway.
In this step, the OCSP certificate status query response and the device admission query response obtained in step 104 are integrated into one final OCSP certificate status query response, which is sent to the security gateway as the final response to its OCSP certificate status query request. Specifically, the certificate status query result in the OCSP certificate status query response and the admission query result in the device admission query response are packaged and integrated into a new response.
In the above method, query requests are sent to the OCSP server and to the device admission control unit respectively, the query responses are received and processed, and one final OCSP query response is computed from both and returned to the security gateway. This process constructs a proxy role for the OCSP server that responds to the security gateway's OCSP certificate status query request; it combines the original OCSP server query procedure with a device admission query added while the OCSP certificate status query request is processed, so that validity checking of the base station certificate and device admission control based on other device-related factors are combined and admission control on the base station considers both. Frequent certificate revocation is not needed, which avoids a large number of re-applications for certificates; flexible device admission control is realized; and the OCSP server needs no change, it only has to follow the existing specification, so the scheme is easy to implement.
Further, a preferred implementation of generating the final OCSP certificate status query response according to the OCSP certificate status query response and the device admission query response is described here.
Generating the final OCSP certificate status query response according to the OCSP certificate status query response and the device admission query response includes:
parsing the device admission query response to obtain the device admission query result; adding the device admission query result to the OCSP certificate status query response, and, using a signing certificate obtained by applying to the certificate authority (CA), replacing the signature information of the OCSP certificate status query response with new signature information, to obtain the final OCSP certificate status query response.
In this process, the device admission query result from the device admission control unit has to be combined with the OCSP certificate status query response from the OCSP server and recomputed to produce the final query response. The recomputation of the final OCSP query response proceeds as follows. First a signing certificate must be applied for from the CA, to be used for signing and issuing OCSP query responses; the signing certificate is applied for once. The device admission query result is added to the OCSP certificate status query response and the result is re-packaged. In the packaging process the device admission query result can be represented by 0 or 1: 0 means the device admission query result is "access not allowed" and 1 means "access allowed". Once the signing certificate has been obtained, it is used to sign the new, re-packaged OCSP certificate status query response, replacing the original signature information; the signature information includes attributes such as the signer and the signature algorithm. This yields the final OCSP certificate status query response.
Further, after the above step of obtaining the device admission query result, the method also includes: judging whether the device admission query result is "access not allowed"; when the judgment is yes, obtaining the reason for denial from the device admission query response; and adding that reason to the OCSP certificate status query response at the same time as the device admission query result. When the device admission query result in the device admission query response is "access not allowed", the reason for denial is carried in the final certificate status query response as a prompt to the security gateway side and to the Home eNodeB side.
Specifically, the above device information includes at least the device name and device serial number, which the device admission control unit uses as the key and basis for the device admission query.
Second embodiment
As shown in Fig. 2 and Fig. 7, this embodiment discloses another method for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP), applied to a security gateway. The method includes:
Step 201: send an OCSP certificate status query request to the OCSP proxy server.
The OCSP certificate status query request includes the base station certificate to be verified, and that base station certificate includes the device information of the Home eNodeB to be verified.
Before this step, the security gateway first needs to receive the IKE_AUTH message sent by the Home eNodeB, parse the base station certificate out of the message, and generate the OCSP certificate status query request from the base station certificate.
In step 201, sending the query request uses the address of the OCSP proxy server. A base station certificate would normally carry the OCSP server address but not the OCSP proxy server address. The security gateway can be pre-configured with the address of the OCSP proxy server; if the base station certificate does not carry an OCSP proxy server address, the pre-configured OCSP proxy server address is used. After receiving the IKE_AUTH message sent by the Home eNodeB, the security gateway parses the base station certificate out of the message and then initiates the OCSP certificate status query request to the OCSP proxy server. The base station certificate needs to contain device information such as the device name and device serial number.
Step 202: receive the final OCSP certificate status query response issued by the OCSP proxy server.
The final OCSP certificate status query response is generated by the OCSP proxy server according to the certificate status query response received from the OCSP server and the device admission query response received from the device admission control unit. It combines two kinds of information: the validity status of the base station certificate and whether other factors permit the base station to access.
Step 203: judge, according to the final OCSP certificate status query response, whether the Home eNodeB to be verified meets the admission criteria.
The security gateway sends the OCSP certificate status query request to the OCSP proxy server, receives the final OCSP certificate status query response, decides according to both kinds of content in the final response whether the device is admitted, sends the result to the Home eNodeB, and the device authentication flow ends.
The status of a base station certificate is generally one of three: "valid", "unknown" and "revoked". In this method the security gateway no longer judges and controls Home eNodeB access solely on the validity status of the base station certificate, so forbidding a base station from accessing the network need not always be realized by certificate revocation: when other factors mean the base station is not allowed to access the network, there is no need to re-apply for a certificate, which saves time and resources.
Specifically, judging according to the final OCSP certificate status query response whether the Home eNodeB to be verified meets the admission criteria includes: when the base station certificate to be verified recorded in the final OCSP certificate status query response is in the valid state and the device admission query result is "access allowed", judging that the Home eNodeB meets the admission criteria.
From the final OCSP certificate status query response the security gateway learns the status of the Home eNodeB certificate and the device admission information from the device admission control unit. If the base station certificate is valid and the device admission control unit allows the device to access, the security gateway continues to respond to the IKE_AUTH message and authentication succeeds; otherwise device authentication fails and the authentication flow ends.
Third embodiment
As shown in Fig. 3 and Fig. 7, this embodiment discloses another method for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP), applied to the device admission control unit. The method comprises:
Step 301: Receive the device admission query request sent by the OCSP proxy server.
The device admission query request contains the device information of the Home eNodeB to be verified.
Step 302: Based on the device information and a preset admission rule, perform a device admission query for the Home eNodeB to be verified and generate a device admission query response.
In this step the device information in the received device admission query request is checked against the preset admission rule, the device admission query result is obtained, and the device admission query response is generated. The preset admission rule may take the form of a whitelist or a blacklist drawn up from device admission information such as the subscribed service plan and billing status, but it is not limited to these two forms.
The unit mainly performs query management of admission restrictions that arise from other factors relating to the Home eNodeB device. These factors include, without limitation, the security of the Home eNodeB device, whether the device's fees have been paid, and the device's access validity period. For example, when a base station device has been compromised or frequently attacks the network, it is regarded as having poor security: the device information of that Home eNodeB is recorded, the query at the device admission control unit returns the corresponding admission query result, and the device's admission is restricted.
Step 303: Send the device admission query response to the OCSP proxy server.
This method reduces the need for certificate revocation. When a base station device has been compromised or frequently attacks the network, or when its fees are in arrears, no certificate revocation is needed (the case of a stolen base station certificate excepted): it suffices to synchronize the corresponding device information to the device admission control unit, and the device is refused admission during access authentication. If the device is repaired and may be admitted again, only the repaired device's information needs to be synchronized to the device admission control unit, and the device is admitted successfully during access authentication. Flexible device access control is thus achieved, and the base station device needs no modification; it only has to follow the existing standards.
Further, performing the device admission query for the Home eNodeB to be verified according to the device information and the preset admission rule, and generating the device admission query response, comprises: according to the device information, querying the blacklist or whitelist set up under the preset admission rule for the Home eNodeB to be verified. When the device information is absent from the blacklist or present in the whitelist, a device admission query response permitting admission is generated; when the device information is present in the blacklist or absent from the whitelist, a device admission query response refusing admission is generated.
If whitelist mode is used, every whitelist record contains data such as the device information, the device's validity period and the time the device was added to the whitelist; if the device information in the device admission query request is in the whitelist, the device is admitted, otherwise it is not. If blacklist mode is used, every blacklist record contains data such as the device information, the time the device was added to the blacklist and the reason for adding it; if the device information in the query request is in the blacklist, the device is not admitted, otherwise it is. The whitelist or blacklist can be maintained and updated according to the particular circumstances of the Home eNodeBs, either by an administrator or by synchronization through an information interface.
Specifically, in the step of generating the device admission query response, the generated device admission query response contains: the query response time, the device admission query result, and, when the device admission query result is "admission refused", the reason for refusal.
Specifically, the device information comprises at least the device name and the device serial number, which the device admission control unit uses as the key and basis for the device admission query.
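The whitelist and blacklist rules of steps 301 to 303, as an added example that is not code from the patent or its applicant. It models a device admission control unit keyed on device name and serial number, with the record fields the description lists (validity period and added time for whitelist entries; added time and reason for blacklist entries) and a response carrying query time, result and, on refusal, the reason. Treating a whitelist entry whose validity period has lapsed as a refusal is an assumption, and the reason strings, device names and serial numbers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Reasons carried in a refusing response. The wording is constructed; the
# patent only requires that a refusal be accompanied by its reason.
REASON_NOT_ON_WHITELIST = "device not on whitelist"
REASON_WHITELIST_EXPIRED = "whitelist entry expired"


@dataclass(frozen=True)
class DeviceInfo:
    """Query key: the patent names device name and serial number as the minimum."""
    name: str
    serial: str


@dataclass
class WhitelistEntry:
    valid_until: datetime   # device validity period, taken here as an end time (assumption)
    added_at: datetime      # time the device was added to the whitelist


@dataclass
class BlacklistEntry:
    added_at: datetime      # time the device was added to the blacklist
    reason: str             # why the device was blacklisted


@dataclass
class AdmissionResponse:
    query_time: datetime
    result: str             # "allow" or "deny"
    reason: Optional[str]   # populated only when result is "deny"


class AdmissionControlUnit:
    """Answers device admission queries from either a whitelist or a blacklist."""

    def __init__(self, mode: str,
                 whitelist: Optional[Dict[DeviceInfo, WhitelistEntry]] = None,
                 blacklist: Optional[Dict[DeviceInfo, BlacklistEntry]] = None):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError("mode must be 'whitelist' or 'blacklist'")
        self.mode = mode
        self.whitelist = whitelist or {}
        self.blacklist = blacklist or {}

    def query(self, device: DeviceInfo, now: Optional[datetime] = None) -> AdmissionResponse:
        now = now or datetime.now(timezone.utc)
        if self.mode == "whitelist":
            entry = self.whitelist.get(device)
            if entry is None:
                return AdmissionResponse(now, "deny", REASON_NOT_ON_WHITELIST)
            # Assumption: a listed device whose validity period has lapsed is
            # treated as if it were absent from the whitelist.
            if entry.valid_until < now:
                return AdmissionResponse(now, "deny", REASON_WHITELIST_EXPIRED)
            return AdmissionResponse(now, "allow", None)
        entry = self.blacklist.get(device)
        if entry is not None:
            return AdmissionResponse(now, "deny", entry.reason)
        return AdmissionResponse(now, "allow", None)

    # Maintenance hooks: the description says the lists are updated by an
    # administrator or synchronized over an information interface.
    def blacklist_device(self, device: DeviceInfo, reason: str,
                         now: Optional[datetime] = None) -> None:
        self.blacklist[device] = BlacklistEntry(now or datetime.now(timezone.utc), reason)

    def clear_device(self, device: DeviceInfo) -> None:
        self.blacklist.pop(device, None)


# Constructed sample data for a stand-alone run.
NOW = datetime(2016, 3, 31, 12, 0, tzinfo=timezone.utc)
FAP_A = DeviceInfo("HeNB-A", "SN-0001")
FAP_B = DeviceInfo("HeNB-B", "SN-0002")
FAP_C = DeviceInfo("HeNB-C", "SN-0003")

WHITELIST_UNIT = AdmissionControlUnit("whitelist", whitelist={
    FAP_A: WhitelistEntry(valid_until=NOW + timedelta(days=365), added_at=NOW - timedelta(days=30)),
    FAP_B: WhitelistEntry(valid_until=NOW - timedelta(days=1), added_at=NOW - timedelta(days=400)),
})

BLACKLIST_UNIT = AdmissionControlUnit("blacklist")
BLACKLIST_UNIT.blacklist_device(FAP_C, "device repeatedly attacked the network", now=NOW)

if __name__ == "__main__":
    for unit in (WHITELIST_UNIT, BLACKLIST_UNIT):
        for dev in (FAP_A, FAP_B, FAP_C):
            print(unit.mode, dev.serial, unit.query(dev, NOW))
```

The query clock is passed in rather than read inside the decision so that validity-period handling can be tested deterministically; a deployment would also want the list changes (who added which device, when, why) logged, since the blacklist entry's `added_at` and `reason` are the audit trail for a refused admission.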
Fourth embodiment
As shown in Fig. 4, this embodiment discloses a device for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP). The device comprises: a first receiving module 401, a first sending module 402, a second sending module 403, a second receiving module 404 and a generation module 405.
The first receiving module 401 receives the OCSP certificate status query request sent by the security gateway; the OCSP certificate status query request contains the base station certificate to be verified, and that base station certificate contains the device information of the Home eNodeB to be verified.
The first sending module 402 sends the OCSP certificate status query request to the OCSP server.
The second sending module 403 parses the device information out of the OCSP certificate status query request and sends a device admission query request to the device admission control unit according to that device information.
The second receiving module 404 receives the OCSP certificate status query response issued by the OCSP server after it has obtained the OCSP certificate status query request, and receives the device admission query response issued by the device admission control unit after it has obtained the device admission query request.
The generation module 405 generates the final OCSP certificate status query response from the OCSP certificate status query response and the device admission query response, and sends it to the security gateway.
The generation module 405 is configured to: parse the device admission query response to obtain the device admission query result; add the device admission query result to the OCSP certificate status query response; and, using the signing certificate obtained by applying to a certificate authority (CA), replace the signature of the OCSP certificate status query response with a new signature, thereby obtaining the final OCSP certificate status query response.
The generation module 405 is further configured to: judge whether the device admission query result is "admission refused"; when it is, obtain the reason for refusal from the device admission query response; and, in the step of adding the device admission query result to the OCSP certificate status query response, also add that reason to the OCSP certificate status query response.
The device information comprises at least the device name and the device serial number.
The device described above sends query requests to the OCSP server and to the device admission control unit respectively, receives and processes the query responses, combines both responses into one final OCSP query response, and returns that final response to the security gateway. This process constructs a proxy for the OCSP server that answers the security gateway's OCSP certificate status query request. The device builds on the original OCSP server's query processing: while processing the OCSP certificate status query request it adds a device admission query, combining the validity check of the base station certificate with device admission control based on other factors relating to the device itself, and performs access control on the base station from both together. Certificates need not be revoked frequently, the large volume of certificate re-applications is avoided, flexible device access control is achieved, and the OCSP server needs no change: it only has to follow the existing technical specifications, so the scheme is easy to implement.
The device for realizing Home eNodeB access control based on OCSP in this embodiment is specifically the OCSP proxy server.
Those skilled in the art will appreciate that, for convenience and brevity of description, the specific working process of the device described above may be understood by reference to the corresponding process of the first embodiment among the method embodiments above, and is not repeated here.
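The proxy's combining step (generation module 405, and claims 2 and 3) together with the security gateway's decision in step 203 of the second embodiment, as an added example that is not code from the patent or its applicant. Real OCSP responses are DER-encoded and signed with the responder's key (RFC 6960), and the proxy in the patent re-signs with a signing certificate obtained from the CA; here each message is a dict and both signatures are modelled with HMAC-SHA256 over canonical JSON under constructed keys, so the example shows the protocol shape and the re-signing step, not the wire format. Certificate serials, keys and admission messages are constructed.

```python
import hashlib
import hmac
import json
from typing import Optional

# Stand-in keys (constructed). OCSP_SERVER_KEY plays the OCSP responder's
# signing certificate; PROXY_SIGNING_KEY plays the signing certificate the
# proxy obtained from the CA. HMAC replaces the real public-key signatures.
OCSP_SERVER_KEY = b"constructed-ocsp-responder-key"
PROXY_SIGNING_KEY = b"constructed-proxy-signing-key"


def _sign(payload: dict, key: bytes) -> str:
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def _verify(message: dict, key: bytes) -> bool:
    payload = {k: v for k, v in message.items() if k != "signature"}
    return hmac.compare_digest(_sign(payload, key), message.get("signature", ""))


def ocsp_server_response(cert_serial: str, cert_status: str) -> dict:
    """Unmodified OCSP server: certificate status only. Status names follow
    RFC 6960 ("good" is the page's "valid"; the others are "revoked" and "unknown")."""
    payload = {"cert_serial": cert_serial, "cert_status": cert_status}
    return {**payload, "signature": _sign(payload, OCSP_SERVER_KEY)}


def proxy_final_response(ocsp_response: dict, admission_response: dict) -> dict:
    """OCSP proxy: checks the OCSP server's signature, appends the admission
    result (plus the reason when admission is refused), then replaces the
    signature with its own so the gateway receives one signed answer."""
    if not _verify(ocsp_response, OCSP_SERVER_KEY):
        raise ValueError("OCSP server response failed signature check")
    payload = {k: v for k, v in ocsp_response.items() if k != "signature"}
    payload["admission_result"] = admission_response["result"]
    if admission_response["result"] == "deny":
        payload["admission_reason"] = admission_response.get("reason")
    return {**payload, "signature": _sign(payload, PROXY_SIGNING_KEY)}


def gateway_admits(final_response: dict) -> bool:
    """Security gateway (step 203): admission requires a genuine proxy
    signature, a valid certificate AND an allowing admission result; anything
    else fails IKE_AUTH. "unknown" is not valid and therefore refused."""
    if not _verify(final_response, PROXY_SIGNING_KEY):
        return False
    return (final_response.get("cert_status") == "good"
            and final_response.get("admission_result") == "allow")


def refusal_reason(final_response: dict) -> Optional[str]:
    """Reason carried alongside a refused admission, if any."""
    return final_response.get("admission_reason")


# Constructed admission responses, in the shape the admission control unit
# returns (result plus optional reason).
ADMIT = {"result": "allow", "reason": None}
REFUSE = {"result": "deny", "reason": "device repeatedly attacked the network"}

if __name__ == "__main__":
    good = ocsp_server_response("SN-0001", "good")
    print(gateway_admits(proxy_final_response(good, ADMIT)))   # True
    print(gateway_admits(proxy_final_response(good, REFUSE)))  # False
    print(refusal_reason(proxy_final_response(good, REFUSE)))
```

The reason the page has the proxy re-sign the whole response rather than append the admission fields unsigned is visible in `gateway_admits`: the gateway verifies one signature over certificate status and admission verdict together, so neither field can be altered in transit without the check failing, and the gateway never has to trust an unsigned annotation.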
Fifth embodiment
As shown in Fig. 5, this embodiment discloses a device for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP). The device comprises: a third sending module 501, a third receiving module 502 and a judging module 503.
The third sending module 501 sends an OCSP certificate status query request to the OCSP proxy server; the OCSP certificate status query request contains the base station certificate to be verified, and that base station certificate contains the device information of the Home eNodeB to be verified.
The third receiving module 502 receives the final OCSP certificate status query response issued by the OCSP proxy server; the final OCSP certificate status query response is generated by the OCSP proxy server from the certificate status query response it received from the OCSP server and the device admission query response it received from the device admission control unit.
The judging module 503 judges, from the final OCSP certificate status query response, whether the Home eNodeB to be verified satisfies the admission conditions.
The judging module 503 is configured to: when the base station certificate to be verified recorded in the final OCSP certificate status query response is in the valid state and the device admission query result is "admission allowed", judge that the Home eNodeB satisfies the admission conditions.
The device for realizing Home eNodeB access control based on OCSP in this embodiment is specifically the security gateway.
Those skilled in the art will appreciate that, for convenience and brevity of description, the specific working process of the device described above may be understood by reference to the corresponding process of the second embodiment among the method embodiments above, and is not repeated here.
Sixth embodiment
As shown in Fig. 6, this embodiment discloses a device for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP). The device comprises: a fourth receiving module 601, a query processing module 602 and a fourth sending module 603.
The fourth receiving module 601 receives the device admission query request sent by the OCSP proxy server; the device admission query request contains the device information of the Home eNodeB to be verified.
The query processing module 602 performs, according to the device information and a preset admission rule, a device admission query for the Home eNodeB to be verified and generates a device admission query response.
The fourth sending module 603 sends the device admission query response to the OCSP proxy server.
The query processing module 602 is configured to: according to the device information, query the blacklist or whitelist set up under the preset admission rule for the Home eNodeB to be verified; when the device information is absent from the blacklist or present in the whitelist, generate a device admission query response permitting admission; when the device information is present in the blacklist or absent from the whitelist, generate a device admission query response refusing admission.
The device admission query response generated by the query processing module 602 contains: the query response time, the device admission query result, and, when the device admission query result is "admission refused", the reason for refusal.
The device for realizing Home eNodeB access control based on OCSP in this embodiment is specifically the device admission control unit.
Those skilled in the art will appreciate that, for convenience and brevity of description, the specific working process of the device described above may be understood by reference to the corresponding process of the third embodiment among the method embodiments above, and is not repeated here.
The invention also discloses a system for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP). The system comprises: the device for realizing Home eNodeB access control based on OCSP according to the fourth embodiment, the device for realizing Home eNodeB access control based on OCSP according to the fifth embodiment, and the device for realizing Home eNodeB access control based on OCSP according to the sixth embodiment.
Finally, it should also be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" and any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or terminal device comprising a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or terminal device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or terminal device that comprises the element.
The above are preferred embodiments of the invention. It should be noted that those of ordinary skill in the art may make further improvements and modifications without departing from the principles of the invention, and such improvements and modifications also fall within the scope of the invention.

Claims (19)

1. A method for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP), applied to an OCSP proxy server, characterized in that the method comprises:
receiving an OCSP certificate status query request sent by a security gateway, wherein the OCSP certificate status query request contains a base station certificate to be verified, and the base station certificate contains device information of a Home eNodeB to be verified;
sending the OCSP certificate status query request to an OCSP server;
parsing the device information out of the OCSP certificate status query request, and sending a device admission query request to a device admission control unit according to the device information;
receiving the OCSP certificate status query response issued by the OCSP server after obtaining the OCSP certificate status query request, and receiving the device admission query response issued by the device admission control unit after obtaining the device admission query request;
generating a final OCSP certificate status query response from the OCSP certificate status query response and the device admission query response, and sending it to the security gateway.
2. The method according to claim 1, characterized in that generating the final OCSP certificate status query response from the OCSP certificate status query response and the device admission query response comprises:
parsing the device admission query response to obtain a device admission query result;
adding the device admission query result to the OCSP certificate status query response and, using a signing certificate obtained by applying to a certificate authority (CA), replacing the signature of the OCSP certificate status query response with a new signature, to obtain the final OCSP certificate status query response.
3. The method according to claim 2, characterized in that, after the step of obtaining the device admission query result, the method further comprises:
judging whether the device admission query result is "admission refused";
when the judgement is affirmative, obtaining the reason for refusal from the device admission query response;
wherein, in the step of adding the device admission query result to the OCSP certificate status query response, the reason is also added to the OCSP certificate status query response.
4. The method according to claim 1, characterized in that the device information comprises at least: a device name and a device serial number.
5. A method for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP), applied to a security gateway, characterized in that the method comprises:
sending an OCSP certificate status query request to an OCSP proxy server, wherein the OCSP certificate status query request contains a base station certificate to be verified, and the base station certificate contains device information of a Home eNodeB to be verified;
receiving the final OCSP certificate status query response issued by the OCSP proxy server, wherein the final OCSP certificate status query response is generated by the OCSP proxy server from the certificate status query response received from the OCSP server and the device admission query response received from a device admission control unit;
judging, from the final OCSP certificate status query response, whether the Home eNodeB to be verified satisfies the admission conditions.
6. The method according to claim 5, characterized in that judging, from the final OCSP certificate status query response, whether the Home eNodeB to be verified satisfies the admission conditions comprises:
when the base station certificate to be verified recorded in the final OCSP certificate status query response is in the valid state and the device admission query result is "admission allowed", judging that the Home eNodeB satisfies the admission conditions.
7. A method for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP), applied to a device admission control unit, characterized in that the method comprises:
receiving a device admission query request sent by an OCSP proxy server, the device admission query request containing device information of a Home eNodeB to be verified;
performing, according to the device information and a preset admission rule, a device admission query for the Home eNodeB to be verified, and generating a device admission query response;
sending the device admission query response to the OCSP proxy server.
8. The method according to claim 7, characterized in that performing, according to the device information and the preset admission rule, the device admission query for the Home eNodeB to be verified and generating the device admission query response comprises:
according to the device information, querying the blacklist or whitelist set up under the preset admission rule for the Home eNodeB to be verified;
when the device information is absent from the blacklist or present in the whitelist, generating a device admission query response permitting admission;
when the device information is present in the blacklist or absent from the whitelist, generating a device admission query response refusing admission.
9. The method according to claim 7, characterized in that, in the step of generating the device admission query response, the generated device admission query response contains: a query response time, the device admission query result, and, when the device admission query result is "admission refused", the reason for refusal.
10. A device for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP), characterized in that the device comprises:
a first receiving module for receiving an OCSP certificate status query request sent by a security gateway, wherein the OCSP certificate status query request contains a base station certificate to be verified, and the base station certificate contains device information of a Home eNodeB to be verified;
a first sending module for sending the OCSP certificate status query request to an OCSP server;
a second sending module for parsing the device information out of the OCSP certificate status query request and sending a device admission query request to a device admission control unit according to the device information;
a second receiving module for receiving the OCSP certificate status query response issued by the OCSP server after obtaining the OCSP certificate status query request, and receiving the device admission query response issued by the device admission control unit after obtaining the device admission query request;
a generation module for generating a final OCSP certificate status query response from the OCSP certificate status query response and the device admission query response, and sending it to the security gateway.
11. The device according to claim 10, characterized in that the generation module is configured to:
parse the device admission query response to obtain a device admission query result;
add the device admission query result to the OCSP certificate status query response and, using a signing certificate obtained by applying to a certificate authority (CA), replace the signature of the OCSP certificate status query response with a new signature, to obtain the final OCSP certificate status query response.
12. The device according to claim 11, characterized in that the generation module is further configured to:
judge whether the device admission query result is "admission refused";
when the judgement is affirmative, obtain the reason for refusal from the device admission query response;
wherein, in the step of adding the device admission query result to the OCSP certificate status query response, the reason is also added to the OCSP certificate status query response.
13. The device according to claim 10, characterized in that the device information comprises at least: a device name and a device serial number.
14. A device for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP), characterized in that the device comprises:
a third sending module for sending an OCSP certificate status query request to an OCSP proxy server, wherein the OCSP certificate status query request contains a base station certificate to be verified, and the base station certificate contains device information of a Home eNodeB to be verified;
a third receiving module for receiving the final OCSP certificate status query response issued by the OCSP proxy server, wherein the final OCSP certificate status query response is generated by the OCSP proxy server from the certificate status query response received from the OCSP server and the device admission query response received from a device admission control unit;
a judging module for judging, from the final OCSP certificate status query response, whether the Home eNodeB to be verified satisfies the admission conditions.
15. The device according to claim 14, characterized in that the judging module is configured to:
when the base station certificate to be verified recorded in the final OCSP certificate status query response is in the valid state and the device admission query result is "admission allowed", judge that the Home eNodeB satisfies the admission conditions.
16. A device for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP), characterized in that the device comprises:
a fourth receiving module for receiving a device admission query request sent by an OCSP proxy server, the device admission query request containing device information of a Home eNodeB to be verified;
a query processing module for performing, according to the device information and a preset admission rule, a device admission query for the Home eNodeB to be verified and generating a device admission query response;
a fourth sending module for sending the device admission query response to the OCSP proxy server.
17. The device according to claim 16, characterized in that the query processing module is configured to:
according to the device information, query the blacklist or whitelist set up under the preset admission rule for the Home eNodeB to be verified;
when the device information is absent from the blacklist or present in the whitelist, generate a device admission query response permitting admission;
when the device information is present in the blacklist or absent from the whitelist, generate a device admission query response refusing admission.
18. The device according to claim 16, characterized in that the device admission query response generated by the query processing module contains: a query response time, the device admission query result, and, when the device admission query result is "admission refused", the reason for refusal.
19. A system for realizing Home eNodeB access control based on the Online Certificate Status Protocol (OCSP), characterized in that the system comprises: the device for realizing Home eNodeB access control based on OCSP according to any one of claims 10 to 13, the device for realizing Home eNodeB access control based on OCSP according to any one of claims 14 to 15, and the device for realizing Home eNodeB access control based on OCSP according to any one of claims 16 to 18.
CN201610197304.0A 2016-03-31 2016-03-31 Method, equipment and system for realizing access control of home base station based on OCSP (online charging protocol) Active CN107295510B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610197304.0A CN107295510B (en) 2016-03-31 2016-03-31 Method, equipment and system for realizing access control of home base station based on OCSP (online charging protocol)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610197304.0A CN107295510B (en) 2016-03-31 2016-03-31 Method, equipment and system for realizing access control of home base station based on OCSP (online charging protocol)

Publications (2)

Publication Number Publication Date
CN107295510A true CN107295510A (en) 2017-10-24
CN107295510B CN107295510B (en) 2020-01-03

Family

ID=60086763

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610197304.0A Active CN107295510B (en) 2016-03-31 2016-03-31 Method, equipment and system for realizing access control of home base station based on OCSP (online charging protocol)

Country Status (1)

Country Link
CN (1) CN107295510B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019149151A1 (en) * 2018-02-01 2019-08-08 华为技术有限公司 Network security access method and home network device
TWI718033B (en) * 2020-03-18 2021-02-01 中華電信股份有限公司 System and method for online certificate status query responder
CN112994897A (en) * 2021-03-22 2021-06-18 杭州迪普科技股份有限公司 Certificate query method, device, equipment and computer readable storage medium
CN114640467A (en) * 2022-03-15 2022-06-17 微位(深圳)网络科技有限公司 Service-based digital certificate query method and system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020184182A1 (en) * 2001-05-31 2002-12-05 Nang Kon Kwan Method and system for answering online certificate status protocol (OCSP) requests without certificate revocation lists (CRL)
CN101002420A (en) * 2003-12-19 2007-07-18 摩托罗拉公司(在特拉华州注册的公司) Mobile device and method for providing certificate based cryptography

Also Published As

Publication number Publication date
CN107295510B (en) 2020-01-03

Similar Documents

Publication Publication Date Title
CN108270571B (en) Internet of Things identity authorization system and its method based on block chain
Chen et al. Lightweight and provably secure user authentication with anonymity for the global mobility network
DE112005002651B4 (en) Method and device for authentication of mobile devices
CN103780397B (en) A kind of multi-screen multiple-factor convenient WEB identity authentication method
DE60029217T2 (en) METHOD AND DEVICE FOR INITIALIZING SAFE CONNECTIONS BETWEEN AND BETWEEN ONLY CUSTOMIZED CORDLESS EQUIPMENT
CN110267270B (en) Identity authentication method for sensor terminal access edge gateway in transformer substation
JP4808348B2 (en) Arrangements and methods in communication networks
CN101645900B (en) Cross-domain rights management system and method
CN108537046A (en) A kind of online contract signature system and method based on block chain technology
CN1842993B (en) Providing credentials
CN101207613A (en) Method, system and apparatus for authentication of striding network area information communication
CN100561919C (en) A kind of broadband access user authentication method
CN103281305B (en) The connection control method of the wisdom city system based on security gateway
CN108347729A (en) Method for authenticating, slice authentication agent entity and session management entity in network slice
CN109981287A (en) A kind of code signature method and its storage medium
CN101960814A (en) IP address delegation
CN107295510A (en) The method, equipment and system of Home eNodeB access control are realized based on OCSP
CN108900484A (en) A kind of generation method and device of access authority information
CN108347353A (en) Network collocating method, apparatus and system
CN101119197B (en) Contracting method and system
CN108011873A (en) A kind of illegal connection determination methods based on set covering
CN106127888A (en) Smart lock operational approach and smart lock operating system
Jøsang Identity management and trusted interaction in Internet and mobile computing
CN107888582A (en) The system and method that a kind of APP softwares penetrate railway Intranet
CN109548022A (en) Method for mobile terminal user to remotely access local network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant