
CN100512110C - The method for realizing WAPI-based WLAN operation via a terminal certificate - Google Patents


Info

Publication number
CN100512110C
Authority
CN
China
Prior art keywords
mobile terminal
authentication
certificate
access point
wireless access
Prior art date
Legal status
Expired - Fee Related
Application number
CNB2006101053779A
Other languages
Chinese (zh)
Other versions
CN1996841A (en)
Inventor
马奔腾
曹军
张变玲
赖晓龙
马向辰
Current Assignee
China Iwncomm Co Ltd
China Mobile Group Design Institute Co Ltd
Original Assignee
China Iwncomm Co Ltd
China Mobile Group Design Institute Co Ltd
Priority date: 2006-12-29
Filing date: 2006-12-29
Publication date: 2009-07-08
Application filed by China Iwncomm Co Ltd and China Mobile Group Design Institute Co Ltd
Priority to CNB2006101053779A
Publication of CN1996841A (2007-07-11)
Priority to PCT/CN2007/071371 (WO2008080352A1)
Application granted
Publication of CN100512110C (2009-07-08)
Legal status: Expired - Fee Related


Classifications

(All classifications fall under H ELECTRICITY, H04 ELECTRIC COMMUNICATION TECHNIQUE.)

    • H04L 9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L 9/0841: Key distribution or management; key establishment; key agreement, i.e. key establishment in which a shared key is derived by the parties as a function of information contributed by, or associated with, each of them, involving Diffie-Hellman or related key agreement protocols
    • H04L 12/14: Data switching networks; details; charging, metering or billing arrangements for data wireline or wireless communications
    • H04L 63/0823: Network architectures or network communication protocols for network security, for authentication of entities, using certificates
    • H04L 2209/80: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L 9/00); wireless
    • H04W 12/069: Security arrangements; authentication; authentication using certificates or pre-shared keys
    • H04W 84/12: Network topologies; hierarchically pre-organised networks; small scale networks; WLAN [Wireless Local Area Networks]
    • H04W 88/02: Devices specially adapted for wireless communication networks; terminal devices
    • H04W 88/08: Devices specially adapted for wireless communication networks; access point devices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention relates to a method for operating a WAPI-based wireless local area network using a single terminal certificate. The method comprises the following steps: 1) the server issues one and the same certificate for all mobile terminals and a certificate for each wireless access point, and the certificates issued by the server are installed; 2) when a mobile terminal needs to access the network, a link connection is established; 3) the authentication process is started; 4) certificate authentication is performed as specified in the national standard; 5) if certificate authentication succeeds, the wireless access point announces the multicast key to the mobile terminal; 6) the wireless access point admits the mobile terminal; 7) the access controller authenticates the account information of the mobile terminal; 8) the server issues authorization information for the mobile terminal according to the result of the account-information authentication, and the mobile terminal can access the network. To solve the technical problem described in the background art, the invention provides a certificate-based method of WAPI operation that conforms to the national standard and supports the various authentication and accounting methods currently in use.

Description

Method for operating a WAPI-based WLAN using a single terminal certificate

Technical field

The invention relates to the field of wireless local area networks, and in particular to a method for operating a WAPI-based WLAN using a single terminal certificate.

Background art

Owing to the flexibility, speed of deployment and scalability of its architecture, the wireless local area network (WLAN) has developed rapidly in recent years and is now widely used in commercial hotspot operation, enterprises, industry and homes.

For a wireless local area network, security is of paramount importance. In May 2003 China promulgated the national WLAN standards GB 15629.11 and GB 15629.1102, the first standards issued in China in the WLAN field. In 2006, Amendment No. 1 to the national WLAN standard, GB 15629.11-2003/XG1-2006, and the related sub-standards GB 15629.1101, GB/T 15629.1103 and GB 15629.1104 were also promulgated and implemented, forming an initial national WLAN standards system. This system includes a new security mechanism, WAPI (WLAN Authentication and Privacy Infrastructure), which consists of two parts: WAI (WLAN Authentication Infrastructure) and WPI (WLAN Privacy Infrastructure).

WAPI provides certificate-based authentication and key negotiation. This method offers high security: it ensures that legitimate users access a legitimate network and protects the data carried on the wireless link.

When a WLAN is deployed in an operator environment, authentication and accounting are closely related: accounting is performed on the basis of authentication. Operators already have their own mature authentication and accounting methods, but these methods cannot necessarily be integrated with the certificate authentication defined in the national standard GB 15629.11 and its Amendment No. 1. How to reconcile these mature authentication and accounting methods with the certificate authentication defined in GB 15629.11 and its Amendment No. 1 is one of the key problems of WLAN operation.

Current authentication mechanisms (such as RADIUS) provide only one-way authentication of the user by the network, with accounting and similar functions built on top of that authentication. This authentication and accounting model is effective when the link is relatively secure, i.e. it is suited to a wired environment. A wireless LAN link, however, is highly insecure because of its open nature, and applying these authentication and accounting methods directly to a wireless LAN creates serious security problems.

Summary of the invention

The invention addresses the technical problem, described in the background art, that the authentication and accounting methods used by operators for WLAN operation are incompatible with the authentication method specified in the national standard GB 15629.11 and its Amendment No. 1, and provides a certificate-based method of WAPI operation that conforms to the national standard and supports the various authentication and accounting methods currently in use.

The technical solution of the invention is as follows. The invention is a method for operating a WAPI-based WLAN using a single terminal certificate, characterised in that the method comprises a link-level authentication step and an account-information authentication step. The link-level authentication step is as follows:

1) The server issues one and the same certificate for all mobile terminals and a certificate for each wireless access point; the mobile terminals and the wireless access points install the certificates issued by the server;

2) When a mobile terminal needs to access the network, the mobile terminal first associates with a wireless access point and establishes a link connection;

3) After the mobile terminal has associated with the wireless access point, the wireless access point sends an authentication activation frame to the mobile terminal to start the authentication process;

4) As specified in the national standard GB 15629.11 and its Amendment No. 1, the mobile terminal and the wireless access point perform certificate authentication through the server;

5) If certificate authentication succeeds, the mobile terminal and the wireless access point negotiate a session key, and the wireless access point announces the multicast key to the mobile terminal;

6) The wireless access point admits the mobile terminal.

The account-information authentication step is as follows:

7) The access controller authenticates the account information of the mobile terminal;

8) The server issues authorization information for the mobile terminal according to the result of the account-information authentication, and the mobile terminal exchanges data with the network, i.e. the mobile terminal can access the network.

The specific sub-steps of certificate authentication in step 4) above are as follows:

4.1) The mobile terminal sends an access authentication request to the wireless access point, containing the mobile terminal's certificate;

4.2) The wireless access point sends a certificate authentication request to the server, containing the certificates of the mobile terminal and of the wireless access point;

4.3) The server verifies the certificates of the mobile terminal and of the wireless access point and returns a certificate authentication response to the wireless access point, containing the authentication results for the mobile terminal's and the wireless access point's certificates;

4.4) The wireless access point decides, according to the mobile-terminal certificate authentication result returned by the server, whether to admit the mobile terminal, and sends an access authentication response to the mobile terminal;

4.5) The mobile terminal decides, according to the server's authentication result for the wireless access point's certificate carried in the access authentication response, whether to join that wireless access point; if so, it proceeds to step 5), otherwise the process ends.

In step 7) above, the access controller may authenticate the account information of the mobile terminal as follows: once the certificate authentication phase is complete and the user browses the network, the system automatically presents a web page prompting the user to enter a user name and password; the server verifies the user's identity from the user name and password and controls access to the network according to the result; if authentication succeeds, the mobile terminal can access the network.

Alternatively, in step 7) above the access controller may authenticate the account information of the mobile terminal as follows: once the certificate authentication phase is complete, the mobile terminal uses the information in its SIM card to perform identity authentication and session key negotiation with the wireless access point through the authentication server, and access to the network is controlled according to the result; if authentication succeeds, the mobile terminal can access the network.
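The link-level exchange of steps 1 to 6 above, as an added Python simulation that is not part of the patent: an authentication server (AS) issues one shared terminal certificate and a distinct certificate per AP (step 1), and the three-party round trip of steps 4.1 to 4.5 is driven with the two checks the AS performs in step 4.3. Everything concrete here is an assumption chosen for the example: the certificate layout and message fields, an HMAC under an AS-held key standing in for the CA's public-key signature, and the absence of any private key or proof of possession on the terminal side; step 5 (session and multicast key negotiation) is not modelled. One consequence worth keeping in mind when reading the flow: because every terminal presents the same certificate, a positive MT result tells the AS only that the requester holds the operator's shared terminal credential, not which subscriber it is, which is why the account-information step follows.

```python
"""Simulation of the link-level certificate authentication of steps 1 to 6
with one certificate shared by all mobile terminals. Added example, not the
patent's code; certificate layout, message fields and names are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an AS-issued certificate (no real key pair is modelled)."""
    subject: str   # "MT-shared" for the single terminal cert, "AP-<id>" per AP
    role: str      # "MT" or "AP"
    pubkey: bytes  # placeholder public key bytes
    sig: bytes     # AS signature over the to-be-signed fields

    def tbs(self) -> bytes:
        return b"|".join([self.subject.encode(), self.role.encode(), self.pubkey])


class AuthServer:
    """AS: issues certificates (step 1) and verifies them (step 4.3). The CA
    signature is simplified to an HMAC under an AS-held key (assumption)."""

    def __init__(self) -> None:
        self._ca_key = secrets.token_bytes(32)
        # Step 1: one and the same certificate for every mobile terminal.
        self.shared_mt_cert = self._issue("MT-shared", "MT")

    def _sign(self, tbs: bytes) -> bytes:
        return hmac.new(self._ca_key, tbs, hashlib.sha256).digest()

    def _issue(self, subject: str, role: str) -> Cert:
        unsigned = Cert(subject, role, secrets.token_bytes(32), b"")
        return Cert(subject, role, unsigned.pubkey, self._sign(unsigned.tbs()))

    def issue_ap_cert(self, ap_id: str) -> Cert:
        """Step 1: a distinct certificate for each access point."""
        return self._issue(f"AP-{ap_id}", "AP")

    def _signature_valid(self, cert: Cert) -> bool:
        return hmac.compare_digest(cert.sig, self._sign(cert.tbs()))

    def cert_auth_response(self, mt_cert: Cert, ap_cert: Cert) -> dict:
        """Step 4.3: the MT cert must be exactly the shared terminal cert; the
        AP cert must be a validly signed AP cert and not the shared MT cert."""
        mt_ok = self._signature_valid(mt_cert) and mt_cert == self.shared_mt_cert
        ap_ok = (self._signature_valid(ap_cert) and ap_cert.role == "AP"
                 and ap_cert != self.shared_mt_cert)
        return {"mt_result": mt_ok, "ap_result": ap_ok}


class AccessPoint:
    def __init__(self, cert: Cert, auth_server: AuthServer) -> None:
        self.cert = cert
        self.auth_server = auth_server
        self.admitted = set()  # MT nonces admitted in step 6

    def activation_frame(self) -> dict:
        """Step 3: the AP opens the exchange once the MT has associated."""
        return {"type": "auth-activate", "ap_nonce": secrets.token_bytes(16)}

    def handle_access_request(self, req: dict) -> dict:
        """Steps 4.2 to 4.4: send both certs to the AS, decide on the MT."""
        result = self.auth_server.cert_auth_response(req["mt_cert"], self.cert)
        if result["mt_result"]:
            self.admitted.add(req["mt_nonce"])  # step 6
        return {"type": "access-auth-response", "ap_cert": self.cert, **result}


class MobileTerminal:
    def __init__(self, cert: Cert) -> None:
        self.cert = cert
        self.nonce = secrets.token_bytes(16)

    def access_request(self, activation: dict) -> dict:
        """Step 4.1: answer the activation frame with the terminal cert."""
        return {"type": "access-auth-request", "ap_nonce": activation["ap_nonce"],
                "mt_nonce": self.nonce, "mt_cert": self.cert}

    def accept_ap(self, resp: dict) -> bool:
        """Step 4.5: join only if the AS vouched for this AP's certificate."""
        return bool(resp["ap_result"])


def run_link_auth(mt: MobileTerminal, ap: AccessPoint) -> dict:
    """Drive steps 3 to 6 and return both sides' decisions."""
    resp = ap.handle_access_request(mt.access_request(ap.activation_frame()))
    return {"mt_admitted": mt.nonce in ap.admitted,  # AP's decision (step 6)
            "ap_accepted": mt.accept_ap(resp)}        # MT's decision (step 4.5)


if __name__ == "__main__":
    as_ = AuthServer()
    ap = AccessPoint(as_.issue_ap_cert("0001"), as_)
    # Any terminal holding the shared certificate is admitted by a genuine AP.
    print(run_link_auth(MobileTerminal(as_.shared_mt_cert), ap))
    # A terminal with a self-made certificate is refused by the AP.
    forged = Cert("MT-shared", "MT", b"\x00" * 32, b"\x00" * 32)
    print(run_link_auth(MobileTerminal(forged), ap))
    # An AP that presents the shared terminal certificate as its own is
    # refused by the terminal (the parenthetical rule in step 4.3).
    rogue = AccessPoint(as_.shared_mt_cert, as_)
    print(run_link_auth(MobileTerminal(as_.shared_mt_cert), rogue))
```

The three runs at the bottom cover the decisions the page assigns to each side: the AP refuses a terminal whose certificate the AS did not issue (step 4.4), and the terminal refuses an AP whose certificate the AS did not confirm as a distinct AP certificate (step 4.5), even though such an AP would happily admit the terminal.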

By separating link-level authentication and user-level identity authentication into two mutually independent processes, with link-level authentication protecting the security of wireless link access and user-level identity authentication serving authorization, accounting and other management functions, the invention allows the WLAN to be used as an extension of the operator's existing network and keeps WLAN operation and management consistent with that network. The invention therefore has the following advantages:

1. Conformance with the national standard. In the link-level authentication process the invention uses secure access technology that conforms to the national standard, achieving mutual identity authentication between user and network while remaining compatible with the existing authorization, accounting and other management systems; it fully complies with GB 15629.11-2003, GB 15629.11-2003/XG1-2006 and their sub-standards.

2. High security. In the link-level authentication process the invention uses national-standard secure access technology and a certificate mechanism based on public-key cryptography, genuinely achieving mutual authentication between the mobile terminal (MT) and the wireless access point (AP) and fully meeting operators' requirements for secure access, so that the security of the wireless link is guaranteed and the link becomes equivalent to a wired link. Besides protecting secure access to the wireless link and the data communication over it, this also effectively protects the information exchanged in the subsequent user-account authentication phase. In that phase the network further verifies the user identity of the mobile terminal, controls whether the mobile terminal may access the network and, according to the authentication result, controls network access and bills the user's network usage. The invention is therefore highly secure.

3. The invention can continue to use existing user authentication and accounting methods and is flexible. Once the certificate has been configured on the wireless access point, no further configuration of the back-end AAA server is required; installation and networking are simple, which suits large-scale hotspot operation. At the same time a user only needs to install one certificate to roam between different WLAN-covered areas, which is convenient for the user.

4. While guaranteeing secure access, the invention uses one and the same terminal certificate, which simplifies operation and maintenance procedures and greatly reduces cost.

Detailed description of embodiments

The invention comprises a link-level authentication step and an account-information authentication step. The link-level authentication step is as follows:

1) The server issues one and the same certificate for all mobile terminals and a certificate for each wireless access point, a different certificate being issued to each wireless access point; the mobile terminals and the wireless access points install the certificates issued by the server;

2) When a mobile terminal needs to access the network, the mobile terminal first associates with a wireless access point and establishes a link connection;

3) After the mobile terminal has associated with the wireless access point, the wireless access point sends an authentication activation frame to the mobile terminal to start the authentication process;

4) As specified in the national standard GB 15629.11 and its Amendment No. 1, the mobile terminal and the wireless access point perform certificate authentication through the server:

4.1) The mobile terminal sends an access authentication request to the wireless access point, containing the mobile terminal's certificate;

4.2) The wireless access point sends a certificate authentication request to the server, containing the certificates of the mobile terminal and of the wireless access point;

4.3) The server verifies the certificates of the mobile terminal and of the wireless access point: it verifies that the mobile terminal's certificate is the single legitimate certificate issued to all mobile terminals in the network, and verifies that the wireless access point's certificate is a legitimate certificate (the wireless access point's certificate must not be the same as the certificate issued to the mobile terminals in the network). It then returns a certificate authentication response to the wireless access point, containing the authentication results for the mobile terminal's and the wireless access point's certificates;

4.4) The wireless access point decides, according to the mobile-terminal certificate authentication result returned by the server, whether to admit the mobile terminal, and sends an access authentication response to the mobile terminal;

4.5) The mobile terminal decides, according to the server's authentication result for the wireless access point's certificate carried in the access authentication response, whether to join that wireless access point; if so, it proceeds to step 5), otherwise the process ends.

5) If certificate authentication succeeds, the mobile terminal and the wireless access point negotiate a session key, and the wireless access point announces the multicast key to the mobile terminal;

6) The wireless access point admits the mobile terminal.

The account-information authentication step is as follows:

7) The access controller authenticates the account information of the mobile terminal;

8) The server issues authorization information for the mobile terminal according to the result of the account-information authentication, and the mobile terminal exchanges data with the network, i.e. the mobile terminal can access the network.

In step 7), the access controller authenticates the account information of the mobile terminal as follows: once the certificate authentication phase is complete and the user browses the network, the system automatically presents a web page prompting the user to enter a user name and password; the server verifies the user's identity from the user name and password and controls access to the network according to the result; if authentication succeeds, the mobile terminal can access the network.

In step 7), the access controller may alternatively authenticate the account information of the mobile terminal as follows: once the certificate authentication phase is complete, the mobile terminal uses the information in its SIM card to perform identity authentication and session key negotiation with the wireless access point through the authentication server, and access to the network is controlled according to the result; if authentication succeeds, the mobile terminal can access the network.
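The account-information phase of steps 7 and 8 in the web-portal variant, as an added Python example that is not the patent's code: an access controller keeps a per-terminal state machine (associated, link-authenticated after step 6, authorized after step 8), lets a link-authenticated terminal reach only the portal, checks the submitted user name and password against a salted PBKDF2 store with a constant-time comparison, and keeps the session record that accounting needs. The state names, the portal address, the terminal identifier (taken here to be the MAC address the AP admitted) and the password store are assumptions made for the example. The SIM-card variant of step 7 would, on this design, replace `portal_login` with a different authenticator in front of the same state transition and leave the traffic policy and accounting untouched (an assumption about integration, not something the page specifies).

```python
"""Access-controller side of the account-information phase (steps 7 and 8,
web-portal variant). Added example, not the patent's code; the state names,
portal address, terminal identifier and password store are assumptions."""
import hashlib
import hmac
import secrets
import time

PORTAL_ADDR = "10.0.0.1"   # assumed address of the captive-portal web server
PBKDF2_ROUNDS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    """Password-hashing function used for the stored credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(password: str) -> tuple:
    """Stored form of an account: random salt plus PBKDF2 digest. Assumed
    local store; an operator would hold these in its existing AAA system."""
    salt = secrets.token_bytes(16)
    return salt, derive(password, salt)


class AccessController:
    """AC: per-terminal state machine
    associated -> link-authenticated (after step 6) -> authorized (step 8)."""

    def __init__(self, accounts: dict) -> None:
        self.accounts = accounts   # user name -> (salt, digest)
        self.state = {}            # terminal id -> state string
        self.sessions = {}         # terminal id -> accounting record

    def link_auth_result(self, terminal: str, success: bool) -> None:
        """Outcome of the link-level phase, reported by the AP after step 6."""
        self.state[terminal] = "link-authenticated" if success else "associated"

    def permit(self, terminal: str, dst: str) -> bool:
        """Traffic policy: nothing before link authentication, only the portal
        after it, everything once the account check has passed."""
        state = self.state.get(terminal, "associated")
        if state == "authorized":
            return True
        if state == "link-authenticated":
            return dst == PORTAL_ADDR
        return False

    def portal_login(self, terminal: str, user: str, password: str) -> bool:
        """Step 7: verify the user name and password submitted on the portal."""
        if self.state.get(terminal) != "link-authenticated":
            return False  # no account check before the link-level phase is done
        # Unknown users are checked against a dummy record so that the cost
        # of the call does not reveal whether the user name exists.
        salt, digest = self.accounts.get(user, (b"\x00" * 16, b"\x00" * 32))
        ok = hmac.compare_digest(derive(password, salt), digest) and user in self.accounts
        if ok:
            # Step 8: access granted; the accounting session starts here.
            self.state[terminal] = "authorized"
            self.sessions[terminal] = {"user": user, "start": time.monotonic()}
        return ok

    def logout(self, terminal: str) -> dict:
        """Close the accounting session; the link-level state is unaffected."""
        session = self.sessions.pop(terminal, None)
        if session is None:
            return {}
        self.state[terminal] = "link-authenticated"
        return {"user": session["user"], "terminal": terminal,
                "duration": time.monotonic() - session["start"]}


if __name__ == "__main__":
    ac = AccessController({"alice": make_account("correct horse battery")})
    mt = "00:11:22:33:44:55"   # constructed terminal id (MAC admitted in step 6)
    ac.link_auth_result(mt, True)
    print(ac.permit(mt, "93.184.216.34"), ac.permit(mt, PORTAL_ADDR))
    print(ac.portal_login(mt, "alice", "correct horse battery"))
    print(ac.permit(mt, "93.184.216.34"))
    print(ac.logout(mt))
```

The point the page makes about ordering is enforced in `portal_login`: a terminal that has not completed the certificate phase is refused before any credential is examined, so user names and passwords are only ever submitted over a link that the WPI keys of step 5 already protect.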

Glossary:

1. Mobile terminal (MT): a terminal fitted with a wireless network adapter.

2. Wireless access point (AP): a device that provides network access service to mobile terminals.

3. Server (AS): a network entity that provides identity authentication services and certificate management functions.

4. Access controller (AC): a network device that provides access control for users accessing the network.

5. SIM: Subscriber Identity Module.

Claims (4)

1. A method for operating a WAPI-based wireless local area network using a single terminal certificate, characterised in that the method comprises a link-level authentication step and an account-information authentication step, the link-level authentication step being as follows:
1) the server issues one and the same certificate for all mobile terminals and a different certificate for each wireless access point, and the mobile terminals and the wireless access points install the certificates issued by the server;
2) when a mobile terminal accesses the network, the mobile terminal first associates with a wireless access point and establishes a link connection;
3) after the mobile terminal has associated with the wireless access point, the wireless access point sends an authentication activation frame to the mobile terminal to start the authentication process;
4) the mobile terminal and the wireless access point perform certificate authentication through the server as specified in the national standard GB 15629.11 and its Amendment No. 1;
5) if certificate authentication succeeds, the mobile terminal and the wireless access point negotiate a session key, and the wireless access point announces the multicast key to the mobile terminal;
6) the wireless access point admits the mobile terminal, and the mobile terminal selects that wireless access point to access the network;
and the account-information authentication step being as follows:
7) the access controller authenticates the account information of the mobile terminal;
8) the server issues authorization information for the mobile terminal according to the result of the account-information authentication, and the mobile terminal exchanges data with the network, i.e. the mobile terminal can access the network.

2. The method for operating a WAPI-based wireless local area network using a single terminal certificate according to claim 1, characterised in that the specific sub-steps of certificate authentication in step 4) are as follows:
4.1) the mobile terminal sends an access authentication request to the wireless access point, containing the mobile terminal's certificate;
4.2) the wireless access point sends a certificate authentication request to the server, containing the certificates of the mobile terminal and of the wireless access point;
4.3) the server verifies the certificates of the mobile terminal and of the wireless access point and returns a certificate authentication response to the wireless access point, containing the authentication results for the mobile terminal's and the wireless access point's certificates;
4.4) the wireless access point decides, according to the mobile-terminal certificate authentication result returned by the server, whether to admit the mobile terminal, and sends an access authentication response to the mobile terminal;
4.5) the mobile terminal decides, according to the server's authentication result for the wireless access point's certificate carried in the access authentication response, whether to join that wireless access point; if so, it proceeds to step 5), otherwise the process ends.

3. The method for operating a WAPI-based wireless local area network using a single terminal certificate according to claim 1 or 2, characterised in that in step 7) the access controller authenticates the account information of the mobile terminal as follows: once the certificate authentication phase is complete and the user browses the network, the system automatically presents a web page prompting the user to enter a user name and password; the server verifies the user's identity from the user name and password and controls access to the network according to the authentication result; if authentication succeeds, the mobile terminal can access the network.

4. The method for operating a WAPI-based wireless local area network using a single terminal certificate according to claim 1 or 2, characterised in that in step 7) the access controller authenticates the account information of the mobile terminal as follows: once the certificate authentication phase is complete, the mobile terminal uses the information in its SIM card to perform identity authentication and session key negotiation with the wireless access point through the authentication server, and access to the network is controlled according to the authentication result; if authentication succeeds, the mobile terminal can access the network.
CNB2006101053779A 2006-12-29 2006-12-29 The method for realizing WAPI-based WLAN operation via a terminal certificate Expired - Fee Related CN100512110C (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNB2006101053779A CN100512110C (en) 2006-12-29 2006-12-29 The method for realizing WAPI-based WLAN operation via a terminal certificate
PCT/CN2007/071371 WO2008080352A1 (en) 2006-12-29 2007-12-28 A wlan authentication charging method based on wapi

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2006101053779A CN100512110C (en) 2006-12-29 2006-12-29 The method for realizing WAPI-based WLAN operation via a terminal certificate

Publications (2)

Publication Number Publication Date
CN1996841A CN1996841A (en) 2007-07-11
CN100512110C true CN100512110C (en) 2009-07-08

Family

ID=38251796

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2006101053779A Expired - Fee Related CN100512110C (en) 2006-12-29 2006-12-29 The method for realizing WAPI-based WLAN operation via a terminal certificate

Country Status (2)

Country Link
CN (1) CN100512110C (en)
WO (1) WO2008080352A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100512110C (en) * 2006-12-29 2009-07-08 中国移动通信集团设计院有限公司 The method for realizing WAPI-based WLAN operation via a terminal certificate
CN101483866B (en) * 2009-02-11 2011-03-16 中兴通讯股份有限公司 WAPI terminal certificate managing method, apparatus and system
CN102104857B (en) * 2009-12-16 2013-10-02 华为技术有限公司 Charging method and communication system
CN102571792A (en) * 2012-01-06 2012-07-11 西安润基投资控股有限公司 Identity authentication method allowing intelligent mobile wireless terminal to access cloud server

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100463479C (en) * 2001-12-25 2009-02-18 中兴通讯股份有限公司 Wide-band network authentication, authorization and accounting method
CN1124759C (en) * 2002-08-15 2003-10-15 西安西电捷通无线网络通信有限公司 Safe access method of mobile terminal to radio local area network
CN1564524A (en) * 2004-03-26 2005-01-12 中兴通讯股份有限公司 Method of radio terminal charging fee in radio LAN
CN100512110C (en) * 2006-12-29 2009-07-08 中国移动通信集团设计院有限公司 The method for realizing WAPI-based WLAN operation via a terminal certificate

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
WAPI Certificate Authentication and Key Management Protocol. 铁满霞, 黄振海, 张变玲, 庞辽军. 移动通信 (Mobile Communications). 2006
A Survey of the WLAN Authentication and Privacy Infrastructure (WAPI). 黄振海, 铁满霞, 张变玲, 庞辽军. 移动通信 (Mobile Communications). 2006

Also Published As

Publication number Publication date
WO2008080352A1 (en) 2008-07-10
CN1996841A (en) 2007-07-11

Similar Documents

Publication Publication Date Title
CN100448196C (en) A WAPI-based WLAN Operation Method
CN101371550B (en) Method and system for automatically and freely providing user of mobile communication terminal with service access warrant of on-line service
US8522025B2 (en) Authenticating an application
JP5313200B2 (en) Key generation method and apparatus in communication system
KR101068424B1 (en) Inter-working function for a communication system
US20090063851A1 (en) Establishing communications
KR20040102175A (en) Certificate based authentication authorization accounting scheme for loose coupling interworking
CN1859098A (en) Method for realizing EAP identification relay in radio cut-in system
WO2009135445A1 (en) Roaming authentication method based on wapi
CN101635923A (en) EAP authentication method and system supporting fast switching
WO2008101426A1 (en) A roaming authentication method based on wapi certificate
CN106790274A (en) A kind of method that disposal password logs in WLAN
CN100512111C (en) The method for realizing WAPI-based WLAN operation via the classified terminal certificate
CN101272379A (en) An Improved Method Based on IEEE802.1x Security Authentication Protocol
CN100512110C (en) The method for realizing WAPI-based WLAN operation via a terminal certificate
CN104518874A (en) Network access control method and system
WO2013170814A2 (en) Mobile terminal with built-in pppoe dialing function and dialing method thereof
CN104168566A (en) Network accessing method and device
CN102905258B (en) Own service authentication method and system
CN102271125B (en) Method for carrying out 802.1X authentication cross equipment, access equipment and access control equipment
WO2010124569A1 (en) Method and system for user access control
CN101272297B (en) EAP authentication method of WiMAX network user
WO2012113225A1 (en) Method, device and system for securely accessing wapi network
CN104244210A (en) Emergency communication method, mobile terminal, authentication server and wireless access point
CN102724665A (en) Security certificate method of femtocell base station and femtocell wireless communication system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee
CP01 Change in the name or title of a patent holder

Address after: 100035 No. 126, inner main street, Xicheng District, Beijing, Xizhimen

Co-patentee after: CHINA IWNCOMM Co.,Ltd.

Patentee after: CHINA MOBILE GROUP DESIGN INSTITUTE Co.,Ltd.

Address before: 100035 No. 126, inner main street, Xicheng District, Beijing, Xizhimen

Co-patentee before: CHINA IWNCOMM Co.,Ltd.

Patentee before: CHINA MOBILE GROUP DESIGN INSTITUTE Co.,Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090708

Termination date: 20211229