CN1299526C - A method of wireless local area network terminal user authentication based on user identifying module - Google Patents

A method of wireless local area network terminal user authentication based on user identifying module

Info

Publication number
CN1299526C
CN1299526C
Authority
CN
China
Prior art keywords
wlan
information
identification module
subscriber identification
user
Prior art date
Legal status
Expired - Lifetime
Application number
CNB2003101189775A
Other languages
Chinese (zh)
Other versions
CN1547405A (en)
Inventor
阎雄伟
Current Assignee
Datang Telecommunication Science & Technology Co Ltd
Original Assignee
Datang Telecommunication Science & Technology Co Ltd
Priority date

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The present invention relates to an authentication method for wireless local area network (WLAN) terminal users based on a subscriber identification module. In the method, the configuration information of the WLAN network is stored in a WLAN subscriber identification module, and the core processing algorithm of EAP SIM authentication is implemented inside that module. Through information exchange between the WLAN subscriber identification module and the WLAN terminal entity, the EAP SIM authentication flow is completed and the WLAN network parameters of the user terminal device are configured automatically. Implementing the EAP SIM client authentication algorithm inside the WLAN subscriber identification module solves the security problems affecting user information and the EAP SIM authentication algorithm, lays a foundation for the diversification of WLAN terminals and the wide use of WLAN, and provides a technical guarantee for the public operation of WLAN.

Description

A WLAN terminal user authentication method based on a subscriber identification module
Technical field
The present invention relates to user terminal equipment in the field of wireless communication, and in particular to a user authentication method, based on a subscriber identification module, for terminal equipment in a WLAN (Wireless Local Area Network) that supports EAP SIM (Extensible Authentication Protocol Subscriber Identity Module) authentication.
Background technology
The development of Internet technology and data applications has driven the rapid development of wireless data access technology. For wireless data access, wireless local area network technology is a good way to realize mobile data access.
Using WLAN for the public operation of wireless data can provide customers with low-cost, easily deployed, high-speed broadband wireless access. In particular, when an operator uses WLAN technology to provide wireless access services to users, it often combines the WLAN with existing mobile communication network resources, for example with a GSM/GPRS (Global System for Mobile Communications / General Packet Radio Service) mobile network, and uses the mature user authentication, billing and other resources of the GSM/GPRS network to realize authentication, billing and user management of WLAN users; that is, the mobile network user's subscriber identification module SIM (Subscriber Identity Module) is used to realize authentication and management of the WLAN user, and this process is realized by the EAP SIM protocol.
Existing WLAN terminal equipment that supports EAP SIM authentication integrates a SIM card reader, and the user is authenticated as a WLAN user by inserting a SIM card issued by the mobile network operator into the WLAN terminal equipment. This authentication consists mainly of two important steps: first, the SIM card provides the original identity information of the user required by the WLAN and the EAP SIM authentication mechanism, such as the international mobile subscriber identifier IMSI and keys, together with the several groups of random numbers required in EAP SIM authentication; second, the WLAN terminal equipment runs the EAP SIM client algorithm, realizing the authentication of the user by the network.
At present, this method of realizing user authentication in the WLAN terminal has the following drawbacks:
1. The EAP SIM client algorithm is implemented by the WLAN terminal equipment manufacturer, which can make the EAP SIM in WLAN terminal equipment of different manufacturers incompatible with the EAP SIM server in the network;
2. The EAP SIM algorithm is implemented outside the SIM card, and during execution of the EAP SIM client algorithm the SIM card must provide several groups of random numbers and keys, which makes it comparatively easy for a hacker to obtain important information from the user's SIM card; this seriously threatens the security of the WLAN and of the whole mobile communication network;
3. Because the client-side implementation of the EAP SIM algorithm is separated from the SIM card, user identity and verification are easily separated, which confuses the management of WLAN users by the mobile communication network, and an illegal user can easily impersonate a legitimate user to access the mobile communication network;
4. Before WLAN terminal equipment can access the WLAN and operate normally, many specialized parameters must be configured, which only a person with certain professional knowledge can do. This makes the WLAN difficult for ordinary users to use and difficult for operators to expand their wireless services with, and limits the operation and development of WLAN.
Summary of the invention
The purpose of this invention is to provide a subscriber identification module WSIM (Wireless Subscriber Identity Module, the WLAN subscriber identification module) that supports WLAN, solving the problem in existing WLAN terminals that the EAP SIM algorithm is separated from the SIM card, so that the EAP SIM algorithm is implemented in the WSIM card and not in the WLAN user terminal; to solve the problem of information exchange between the WSIM and the WLAN terminal by means of a WSIM interface mode; and, in addition, to solve the WLAN network configuration problem of the WLAN terminal equipment by means of the user information storage function of the WSIM.
To achieve the above object, the invention provides a WLAN terminal device supporting the Extensible Authentication Protocol based on a subscriber identification module, which comprises:
1. A WLAN terminal entity S1, which performs the functions related to the WLAN itself, such as voice and data transfer, and provides the workflow and interface S4 used to support EAP SIM. S1 may be a wireless LAN card, a GPRS/WLAN dual-mode network card, a WLAN handheld device, or another WLAN terminal entity such as a voice or data device based on WLAN technology;
2. A WSIM S3, a SIM module used to support WLAN network authentication, which implements the core processing algorithm of EAP SIM and stores the WLAN network configuration information;
3. The interface S4 between the WLAN terminal equipment S1 and the WSIM S3.
The present invention also relates to a method of automatically configuring the network of a WLAN user terminal based on EAP SIM authentication. The principal feature of this method is that the core processing algorithm of EAP SIM is implemented in the WSIM, which has stored the WLAN configuration information. The WSIM exchanges information with the WLAN terminal entity through the interface S4 of the present invention, and the WLAN terminal entity completes the EAP SIM flow and automatically performs the network configuration of the user terminal equipment.
The invention further relates to a subscriber identification module WSIM supporting the WLAN network authentication protocol EAP SIM, characterized in that the EAP SIM client authentication algorithm is implemented in the WSIM and the network configuration information of the WLAN is stored in it.
The invention further relates to an interface operation mode between the WLAN terminal entity and the WSIM. Through this interface, command information and response information are provided to realize information exchange between the WSIM module and the WLAN terminal entity. Its principal feature is that the following commands are provided to support the EAP SIM authentication flow and the reading and writing of WLAN network configuration information:
  • Get current version command: the WLAN terminal entity uses this command to obtain the version number of the EAP SIM protocol supported by the WSIM and the version number of the WSIM itself, which are returned in the response information;
  • Get preferred identity command: the WLAN terminal entity uses this command to obtain the preferred subscriber identity information corresponding to this WSIM, which is returned in the response information;
  • Select identity command: the WLAN terminal entity uses this command to select one of the subscriber identity types defined in the EAP SIM protocol, and obtains through the response information the subscriber identity information required by the EAP SIM server;
  • Get random number command: the WLAN terminal entity uses this command to obtain the random number required in the EAP SIM authentication process, which is returned in the response information;
  • EAP SIM processing command: the WLAN terminal entity uses this command to start the EAP SIM client algorithm in the WSIM, and obtains the EAP SIM client authentication result and the master session key through the response information;
  • Get WLAN network configuration command: the WLAN terminal entity uses this command to obtain the WLAN network configuration information stored in the WSIM, which provides the basis for automatically performing the WLAN network configuration of the WLAN terminal; the configuration parameters of the WLAN network are returned in the response information.
The present invention also includes an interface workflow between the WLAN terminal entity and the WSIM, according to which the WLAN terminal entity and the WSIM complete the client functionality defined by the EAP SIM protocol. The interface workflow has the following features: after the WLAN terminal entity S1 receives the request-identity command sent by the WLAN network server S2, the WLAN terminal entity S1 obtains the user's preferred identity information from the WSIM by the "get preferred identity command" and responds to the WLAN network server S2 with this identity information so that the legitimacy of the user identity can be judged; if the user is legitimate, the WLAN network server S2 sends EAP SIM authentication start information to the WLAN terminal entity S1. After the WLAN terminal entity S1 receives the EAP SIM authentication start information, it obtains from the WSIM the subscriber identity information that the WLAN network server S2 requires for authentication by the "select identity command", obtains the current version of the WSIM by the "get current version command", and obtains the random number required for EAP SIM authentication from the WSIM card S3 by the "get random number command". The WLAN terminal entity S1 sends the subscriber identity information, version number and random number to the WLAN network server S2. The WLAN network server S2 starts the server-side algorithm prescribed in the EAP SIM protocol according to the subscriber identity information, version number and random number obtained, and feeds the calculated EAP SIM authentication challenge information back to the WLAN terminal entity S1; the WLAN terminal entity S1 passes it to the WSIM by the "EAP SIM processing command", which starts the EAP SIM client algorithm, and the calculation result is fed back to the WLAN terminal entity S1 in the response information. The WLAN terminal entity S1 forwards the processing result of the WSIM client algorithm to the WLAN network server S2, which processes the result and sends EAP SIM authentication result information to the WLAN terminal S1.
By the present invention, the security problems affecting user information and the EAP SIM authentication algorithm are solved, a foundation is laid for the diversification of WLAN terminals and the wide use of WLAN, and a technical guarantee is provided for the public operation of WLAN.
Description of drawings
Fig. 1 is a networking diagram of the WLAN terminal entity and its system application
Fig. 2 is a workflow diagram of the WLAN terminal entity
Fig. 3 is a diagram of the interface operation commands and workflow between the WLAN terminal entity and the WSIM
Embodiment
An embodiment of the WLAN terminal equipment and its user authentication method is described below, and the content of the present invention is further described with reference to this embodiment.
The following example is a WLAN network card supporting EAP SIM authentication, in accordance with the content of the present invention. This network card supports a PCMCIA (Personal Computer Memory Card International Association) interface and is connected to a notebook computer through the PCMCIA interface. The network card supports the IEEE 802.11b WLAN standard (IEEE: Institute of Electrical and Electronics Engineers; 802.11b is a WLAN standard formulated by the IEEE). A reader for the subscriber identification module WSIM is built into this network card.
When a WSIM is inserted into the WSIM holder, a complete WLAN network card terminal device supporting EAP SIM authentication is formed. As shown in Figure 2, the operating principle and flow of this WLAN network card are as follows:
A1: Power on; the WLAN network card starts;
A2: The WLAN network card obtains the WLAN network configuration information from the WSIM by the "get WLAN network configuration command", and configures its own parameters automatically according to these parameters;
A3: If a usable WLAN is detected during the configuration of the WLAN network card, the terminal entity network card waits for the system to issue the EAP SIM start command; otherwise the system stops running;
A4: After the automatic configuration of the WLAN network card is completed, the user's version information and identity information are obtained from the WSIM;
A5: The WLAN terminal entity interacts with the WLAN authentication server according to the EAP SIM workflow, and completes the authentication of the WLAN user through interface S4 as shown in Figure 1.
The WSIM and the WLAN network card cooperate according to the above workflow and interface operation mode to complete the authentication processing based on EAP SIM.
The interface between the WSIM and the WLAN network card conforms to the ISO 7816 standard and adopts the message structures defined by ISO 7816, of which there are two kinds: the command message structure and the response message structure. The WSIM and the WLAN network card interact by command and response: the WLAN network card issues a command, and the WSIM processes the command and returns a response to it.
With reference to the above, an example of the information exchange between the WLAN network card and the WSIM during one complete EAP SIM authentication flow in this WLAN network card device is as follows:
P1: The WLAN network card uses the "get preferred identity" command to obtain the AID (application identifier) information of the WSIM. The parameter of this command is "1", meaning that the AID information of the WSIM is to be obtained;
P2: The response message returns the AID, which identifies whether this card is used for EAP SIM authentication of the WLAN network;
The WLAN network card responds to the WLAN network server with the above preferred identity information. The server judges the legitimacy of this user identity and, if the user is legitimate, sends EAP SIM authentication start information to the WLAN network card; this information contains the type of subscriber identity the server wants to authenticate and the EAP SIM version number information supported by the server.
P3: After the WLAN network card receives the request-identity command sent by the WLAN network server, it obtains the user's identity information from the WSIM by the "select identity command";
P4: The WSIM returns the response message of the select identity command to the WLAN network card;
P5: After the WLAN network card receives the EAP SIM authentication start information from the WLAN network server, it uses the "get current version command" to obtain version information from the WSIM; the data field of the "get current version command" contains the EAP SIM version number information supported by the server;
P6: The subscriber identification module returns the response message of the current version command to the WLAN network card;
P7: After the WLAN network card receives the EAP SIM authentication start information from the WLAN network server, it uses the "get random number command" to obtain from the WSIM the random number NONCE_MT required for EAP SIM authentication;
P8: The subscriber identification module returns the random number response message to the WLAN network card;
The WLAN network card feeds the identity information, version information and random number information obtained from the subscriber identification module back to the WLAN server, which runs the server-side algorithm prescribed in the EAP SIM protocol, generates EAP SIM authentication challenge information, and sends the challenge information to the WLAN network card.
P9: The WLAN network card passes the challenge information to the WSIM by the "EAP SIM processing command", starting the EAP SIM client algorithm in the WSIM;
P10: The WSIM feeds the result of the EAP SIM client algorithm processing back to the WLAN network card in the response message. This response message also contains the master session key generated by the WSIM, which is used as the key for the subsequent encryption of user information.
The WLAN network card feeds this result back to the server. The authentication result of the EAP SIM client is embodied in the return status code of the response message and in the response message packet, which can be denoted EAP-RESPONSE and carries the EAP SIM client AT_SRES computed by the WSIM. The server compares AT_SRES with the SRES it originally computed itself; if they are identical, it sends EAP SIM success information to the WLAN network card, and the user can then access the Internet.
When implementing the present invention, the WLAN terminal equipment is not limited to the WLAN network card described in the above embodiment; it may also be other WLAN equipment, such as a multi-mode network card supporting WLAN functions, a mobile phone supporting WLAN, or other voice or data equipment supporting WLAN functions, and it is likewise not limited to WLAN equipment adopting the IEEE 802.11b standard. Any WLAN equipment that uses a subscriber identification module to realize EAP SIM authentication does not depart from the idea of the present invention. When implementing the present invention, the interface mode between the WSIM and the WLAN terminal described in the above embodiment need not be adopted either.
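The ISO 7816 command/response split and the P1 to P10 exchange above, modelled as an added Python example; this is not the patent's or Datang's code. The INS codes, the AID value, the toy A3/A8 stand-in and the simplified key derivation are all assumptions chosen for the demonstration; the point it shows is that Ki stays inside the card object while the terminal only ever handles the SRES and the master session key.

```python
import hashlib
import hmac
import secrets

# INS codes for the six WSIM commands the patent names (hypothetical values).
INS_GET_VERSION, INS_GET_PREFERRED_ID, INS_SELECT_ID = 0x10, 0x11, 0x12
INS_GET_NONCE, INS_EAP_SIM_PROCESS, INS_GET_WLAN_CONFIG = 0x13, 0x14, 0x15
# ISO 7816 status words: success, INS not supported, wrong data in command field.
SW_OK, SW_INS_NOT_SUPPORTED, SW_WRONG_DATA = b"\x90\x00", b"\x6d\x00", b"\x6a\x80"


def toy_a3a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for GSM A3/A8 returning (SRES, Kc); constructed, not COMP128/MILENAGE."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def eap_sim_client(ki: bytes, rands: list[bytes], nonce_mt: bytes) -> bytes:
    """Client computation shared by card and server: AT_SRES (4 bytes per RAND) then a
    32-byte master session key. Simplified; RFC 4186 uses a different PRF chain."""
    pairs = [toy_a3a8(ki, r) for r in rands]
    sres = b"".join(s for s, _ in pairs)
    kc = b"".join(k for _, k in pairs)
    msk = hmac.new(kc, nonce_mt + b"".join(rands), hashlib.sha256).digest()
    return sres + msk


class WSIM:
    """Card side (S3): Ki and the WLAN profile live here, and no command returns Ki."""

    def __init__(self, imsi: str, ki: bytes, wlan_config: bytes):
        self._ki, self._imsi, self._cfg = ki, imsi, wlan_config
        self._nonce_mt = b""

    def process(self, ins: int, p1: int, data: bytes = b"") -> tuple[bytes, bytes]:
        """Handle one ISO 7816-style command (INS, P1, data); return (data, SW1 SW2)."""
        if ins == INS_GET_WLAN_CONFIG:          # A2: profile for auto-configuration
            return self._cfg, SW_OK
        if ins == INS_GET_PREFERRED_ID:         # P1/P2: parameter 1 asks for the AID
            return (b"WSIM-EAPSIM-AID", SW_OK) if p1 == 1 else (b"", SW_WRONG_DATA)
        if ins == INS_SELECT_ID:                # P3/P4: type 1 = permanent identity (IMSI)
            return (b"1" + self._imsi.encode(), SW_OK) if p1 == 1 else (b"", SW_WRONG_DATA)
        if ins == INS_GET_VERSION:              # P5/P6: data = server's version list
            return (b"\x00\x01", SW_OK) if b"\x00\x01" in data else (b"", SW_WRONG_DATA)
        if ins == INS_GET_NONCE:                # P7/P8: fresh NONCE_MT for this run
            self._nonce_mt = secrets.token_bytes(16)
            return self._nonce_mt, SW_OK
        if ins == INS_EAP_SIM_PROCESS:          # P9/P10: challenge = n 16-byte RANDs
            if not self._nonce_mt or not data or len(data) % 16:
                return b"", SW_WRONG_DATA
            rands = [data[i:i + 16] for i in range(0, len(data), 16)]
            return eap_sim_client(self._ki, rands, self._nonce_mt), SW_OK
        return b"", SW_INS_NOT_SUPPORTED


class AuthServer:
    """Network side (S2): holds the subscriber Ki copies and the expected SRES."""

    def __init__(self, subscribers: dict[str, bytes]):
        self._subs, self._pending = subscribers, (b"", b"")

    def challenge(self, identity: bytes, version: bytes, nonce_mt: bytes):
        imsi = identity[1:].decode()
        if imsi not in self._subs or version != b"\x00\x01":
            return None                         # unknown user or unsupported version
        rands = [secrets.token_bytes(16) for _ in range(2)]
        expected = eap_sim_client(self._subs[imsi], rands, nonce_mt)
        self._pending = (expected[:8], expected[8:])   # (SRES, MSK)
        return b"".join(rands)

    def verify(self, at_sres: bytes) -> bool:
        return hmac.compare_digest(self._pending[0], at_sres)

    def session_key(self) -> bytes:
        return self._pending[1]


def terminal_authenticate(card: WSIM, server: AuthServer) -> tuple[bool, bytes]:
    """Terminal entity (S1): drives the commands in the patent's order, never sees Ki."""
    _cfg, _ = card.process(INS_GET_WLAN_CONFIG, 0)
    _aid, _ = card.process(INS_GET_PREFERRED_ID, 1)
    ident, _ = card.process(INS_SELECT_ID, 1)
    ver, _ = card.process(INS_GET_VERSION, 0, b"\x00\x01")
    nonce, _ = card.process(INS_GET_NONCE, 0)
    chal = server.challenge(ident, ver, nonce)
    if chal is None:
        return False, b""
    result, sw = card.process(INS_EAP_SIM_PROCESS, 0, chal)
    if sw != SW_OK:
        return False, b""
    at_sres, msk = result[:8], result[8:]       # EAP-RESPONSE carries AT_SRES
    return server.verify(at_sres), msk
```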

Claims (4)

1. A WLAN terminal user authentication method based on a subscriber identification module, characterized in that it comprises at least the following steps:
After the WLAN terminal entity (S1) receives the request-identity command sent by the WLAN network server (S2), the network terminal entity (S1) obtains the user's preferred identity information from the WLAN subscriber identification module (S3) and responds to the network server (S2) with this identity information so that the legitimacy of the user identity can be judged; if the user is legitimate, the network server (S2) sends authentication start information to the network terminal entity (S1); after the network terminal entity (S1) receives the authentication start information, the network terminal entity (S1) exchanges information with the WLAN subscriber identification module (S3) and obtains user information from the WLAN subscriber identification module (S3); the network terminal entity (S1) sends the above information to the network server (S2); the network server (S2) starts the server-side algorithm according to the above information obtained and feeds the calculated authentication challenge information back to the network terminal entity (S1), which passes it to the WLAN subscriber identification module (S3); the WLAN subscriber identification module (S3) starts the client algorithm and feeds the calculation result back to the network terminal entity (S1) in a response message; the network terminal entity (S1) forwards the client algorithm processing result of the WLAN subscriber identification module (S3) to the network server (S2), which processes it and sends authentication result information to the network terminal entity (S1).
2. The WLAN terminal user authentication method based on a subscriber identification module according to claim 1, characterized in that the WLAN subscriber identification module (S3) stores the WLAN configuration information, and the network terminal entity (S1) exchanges information with the WLAN subscriber identification module (S3) to obtain the above configuration information and complete the network configuration of the user terminal equipment.
3. The WLAN terminal user authentication method based on a subscriber identification module according to claim 1 or 2, characterized in that the information exchange between the network terminal entity (S1) and the WLAN subscriber identification module (S3) comprises at least: a get WLAN network configuration command, a get preferred identity command, a select identity command, a get current version command, a get random number command, a processing command, and the response messages to the above commands.
4. The WLAN terminal user authentication method based on a subscriber identification module according to claim 1, characterized in that the user information comprises: subscriber identity information, version information and a random number.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2003101189775A CN1299526C (en) 2003-12-10 2003-12-10 A method of wireless local area network terminal user authentication based on user identifying module


Publications (2)

Publication Number Publication Date
CN1547405A CN1547405A (en) 2004-11-17
CN1299526C true CN1299526C (en) 2007-02-07

Family

ID=34338097


Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8380167B2 (en) 2005-05-10 2013-02-19 Network Equipment Technologies, Inc. LAN-based UMA network controller with proxy connection
KR100770928B1 (en) 2005-07-02 2007-10-26 삼성전자주식회사 Authentication system and method thereofin a communication system
CN101141354B (en) * 2007-10-11 2010-09-29 中兴通讯股份有限公司 Terminal of selecting access to mobile network or wireless LAN
CN101510853B (en) * 2009-04-09 2011-11-09 杭州华三通信技术有限公司 Method and apparatus for implementing WLAN wireless bridge, and wireless access client terminal
CN101621801B (en) * 2009-08-11 2012-11-28 华为终端有限公司 Method, system, server and terminal for authenticating wireless local area network
CN103415012A (en) * 2013-08-15 2013-11-27 惠州Tcl移动通信有限公司 Authentication method and authentication device of wireless router
CN105430651A (en) * 2015-11-02 2016-03-23 上海斐讯数据通信技术有限公司 Method and system used for detecting illegal wireless access points
JP7070318B2 (en) * 2018-10-16 2022-05-18 株式会社デンソー SIM router device and communication terminal device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1286767A (en) * 1997-11-19 2001-03-07 艾利森电话股份有限公司 Method, and associated apparatus, for selectively permitting access by mobile terminal to packet data network
CN1453953A (en) * 2002-04-23 2003-11-05 华为技术有限公司 Fusion method between radio LAN and mobile network



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20070207
