CN103491540A - Wireless local area network two-way access authentication system and method based on identity certificates - Google Patents
- Publication number: CN103491540A (application CN201310429993.XA)
- Authority: CN (China)
- Prior art keywords: mobile user, access, identity, access router, authentication
- Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Description
Technical field
The invention belongs to the field of wireless network security and in particular relates to a two-way (mutual) access authentication system and method for wireless local area networks based on identity credentials.
Background
With the rapid development of computer networks and mobile communication technology, large numbers of mobile devices have appeared and the demand for ubiquitous network access has become ever more pressing. As an extension of the Internet, the IEEE 802.11 wireless local area network (WLAN) has become the preferred "last mile" access technology thanks to its flexible deployment, heterogeneous compatibility, low cost and ample bandwidth.

With the wide deployment of WLAN, however, its security problems have come to the fore. Next-generation wireless systems require a WLAN to provide efficient and secure access in an open environment, and access security is the key to WLAN security as a whole. When a mobile user attaches to a WLAN, the visited network must authenticate the mobile user to prevent unauthorized use of network resources; conversely, the mobile user must authenticate the visited network in order to obtain trustworthy access service. Mutual authentication between the visited network and the mobile user is therefore the foundation of secure WLAN access.

Existing solutions for secure WLAN access fall into three classes: centralized access authentication based on the 802.11i framework, distributed access authentication based on PKI, and access authentication based on identity-based cryptography (IBC).
(1) In centralized 802.11i authentication, a mobile user attaching to the visited network first sends an authentication request to the access router, which relays it to a central authentication server; the central server authenticates the mobile user's identity and completes the key agreement between the mobile user and the access router. This centralized mode requires the authenticating entities to exchange many messages with a remote central server, which lowers access authentication efficiency.
(2) In PKI-based distributed authentication, a certificate authority (CA) issues X.509 certificates to mobile users and access routers; on attachment, the mobile user and the access router exchange and verify each other's certificates and so achieve local mutual authentication. The cost to mobile users and access routers of managing and maintaining X.509 certificates, however, limits the practicality of such schemes.
(3) IBC has emerged in recent years and has begun to be applied to WLAN access authentication. Using an identity as the entity's public key relieves the certificate management and maintenance burden of PKI, and a mobile user and an access router achieve mutual authentication by verifying each other's identity-based signatures. Because every entity's private key is issued by a private key generator (PKG), however, IBC raises key escrow and private key distribution problems, which confine such schemes to small trusted networks.

The above WLAN security mechanisms thus have shortcomings in authentication message latency, certificate maintenance cost and applicability. More importantly, when a mobile user hands over between different access routers of the visited network, the complete access authentication procedure must be executed again, which further reduces access authentication efficiency.
Summary of the invention
To address these shortcomings of the prior art, the present invention provides a WLAN two-way access authentication system and method based on identity credentials.

The technical scheme of the invention is as follows.

A WLAN two-way access authentication system based on identity credentials comprises access routers deployed within a security domain, together with an identity credential management server and an authentication server.

The identity credential management server manages the identity credentials of the entities in the security domain, which includes issuing and maintaining the credentials. An identity credential contains the issuer identity, the issuer public key, the user identity, the user public key, the user identity certificate and the credential's validity period. The entities in the security domain are the mobile users and the access routers.

The authentication server verifies mobile users' access authentication requests and completes shared key agreement with the mobile user.

The access router admits or refuses a mobile user to the WLAN according to the verification result returned by the authentication server, and relays the authentication messages between the mobile user and the authentication server.
The method of WLAN two-way access authentication using the above system comprises the following steps.

Step 1: The identity credential management server generates the system public parameters from the chosen security parameter and publishes them.

The system public parameters comprise the cyclic groups G1 and G2, a bilinear pairing e, the base points P and G on G1, a one-way hash function H1 from the character set into G1, a one-way hash function H2 from G2 into the positive integers in the range 1 to q-1, where q is the security parameter chosen by the identity credential management server, and the public key of the identity credential management server.

Step 2: The identity credential management server vets an entity's identity and issues the entity an identity credential.

Step 2.1: Before applying for a credential, the entity generates its key pair from the system public parameters: the private key SK_EN is chosen at random by the entity, and the public key is PK_EN = SK_EN · P, the scalar multiple of the base point P on G1 by the private key SK_EN.

Step 2.2: The entity sends its identity information and its public key to the identity credential management server and applies for a credential. The identity information is a network address identifier.

Step 2.3: On receiving the application, the identity credential management server checks the legitimacy of the entity's identity information; if it is legitimate, the server generates the credential and issues it to the entity, otherwise no credential is issued.

The credential contains the issuer identity, issuer public key, user identity, user public key, user identity certificate and validity period, where the user identity certificate is generated with the certificate-based signature (CBS) algorithm.

Step 2.4: On receiving the credential, the entity derives its signing key from its private key and the identity certificate contained in the credential.
Step 3: When a mobile user enters the security domain and requests to attach to an access router, two-way access authentication is carried out among the mobile user, the access router and the authentication server.

Step 3.1: The mobile user sends a credential presentation message to the access router, which forwards it to the authentication server.
Step 3.1.1: The mobile user sends a router request message to discover an access router in its current security domain.
Step 3.1.2: On receiving the router request message, the access router begins access authentication.
Step 3.1.3: The access router sends a router reply message to the mobile user requesting the mobile user's identity credential.
Step 3.1.4: The mobile user sends the credential presentation message to the access router. The message contains the mobile user's identity credential, the current timestamp, the mobile user's key agreement parameter, and a CBS signature over the presentation message computed with the CBS algorithm under the mobile user's signing key. The mobile user's key agreement parameter is the product of the mobile user's public key and a random number.
Step 3.1.5: On receiving the credential presentation message, the access router forwards it to the authentication server.

Step 3.2: On receiving the credential presentation message, the authentication server verifies the mobile user's credential. If verification succeeds, step 3.3 follows; if it fails, the mobile user is refused access and a verification failure message is sent to the access router.
Step 3.2.1: The server checks the freshness of the timestamp in the presentation message to prevent replay. If the timestamp is fresh, the server goes on to check the credential's validity period (step 3.2.2); otherwise verification fails, the mobile user is refused and a verification failure message is sent to the access router.
Step 3.2.2: If the credential is within its validity period, the server goes on to verify the CBS signature on the presentation message (step 3.2.3); if the credential has expired, a verification failure message is sent to the access router.
Step 3.2.3: The server verifies the CBS signature on the presentation message against the issuer public key and the user public key carried in the credential. If the signature verifies, the server accepts the mobile user as a legitimate user; otherwise the mobile user is refused and a verification failure message is sent to the access router.

Step 3.3: The authentication server sends the mobile user a message confirming successful verification of the mobile user's credential.
Step 3.3.1: The server sends a verification success message to the access router carrying the server's key agreement parameter, which is the product of the server's public key and a random number.
Step 3.3.2: On receiving the success message, the access router inserts its own identity credential and the current timestamp into it.
Step 3.3.3: The access router signs the success message with the CBS algorithm under its signing key and sends the message together with the CBS signature to the mobile user.

Step 3.4: On receiving the success message from the access router, the mobile user verifies the access router's credential. If verification succeeds, the mobile user attaches to the access router and two-way access authentication is complete; if it fails, the mobile user refuses to attach to that access router.
Step 4: The authentication server and the mobile user carry out shared key agreement from the exchanged key agreement parameters.
Step 4.1: The server computes the shared key with the mobile user from the mobile user's key agreement parameter.
Step 4.2: The mobile user computes the shared key with the server from the server's key agreement parameter.

Step 5: When the mobile user moves on within the security domain and attaches to a new access router, handover access authentication is performed using the shared key between the mobile user and the authentication server.

Step 5.1: When the mobile user moves on within the security domain and attaches to a new access router, it sends a credential presentation message to that access router, which forwards it to the authentication server.
Step 5.1.1: The mobile user sends a router request message to discover an access router in its current security domain.
Step 5.1.2: On receiving the router request message, the access router begins access authentication.
Step 5.1.3: The access router sends a router reply message to the mobile user requesting the mobile user's identity credential.
Step 5.1.4: The mobile user sends the credential presentation message to the access router. The message contains the mobile user's identity credential, the current timestamp, and an HMAC over the presentation message computed with the shared key agreed between the mobile user and the authentication server.
Step 5.1.5: On receiving the credential presentation message, the access router forwards it to the authentication server.

Step 5.2: On receiving the credential presentation message, the authentication server verifies the mobile user's credential. If verification succeeds, step 5.3 follows; if it fails, the mobile user is refused access and a verification failure message is sent to the access router.

Step 5.3: The authentication server sends the mobile user a message confirming successful verification of the mobile user's credential.
Step 5.3.1: The server sends a verification success message to the access router carrying the shared key encrypted under the access router's public key.
Step 5.3.2: On receiving the success message, the access router decrypts the shared key with its private key and extracts it.
Step 5.3.3: The access router inserts its identity credential and the current timestamp into the success message, computes an HMAC over the message with the shared key, and sends the message together with the HMAC to the mobile user.

Step 5.4: The mobile user uses its shared key with the authentication server to check the legitimacy of the access router. If the access router is legitimate, the mobile user hands over to it and handover access authentication is complete; otherwise the mobile user refuses to attach to that access router.
Step 3.4, in which the mobile user verifies the access router's credential on receiving the success message, proceeds as follows.
Step 3.4.1: The mobile user checks the freshness of the timestamp in the received success message to prevent replay. If the timestamp is fresh, it goes on to check the validity period of the access router's credential (step 3.4.2); otherwise verification fails and it refuses to attach to that access router.
Step 3.4.2: If the credential is within its validity period, the mobile user goes on to verify the CBS signature on the success message (step 3.4.3); if the credential has expired, it refuses to attach to that access router.
Step 3.4.3: The mobile user verifies the CBS signature on the success message against the issuer public key and the user public key carried in the credential. If the signature verifies, the mobile user attaches to the legitimate access router and two-way access authentication is complete; otherwise it refuses to attach to that access router.

Step 4.1, in which the authentication server computes the shared key from the mobile user's key agreement parameter, proceeds as follows.
Step 4.1.1: The server takes the mobile user's key agreement parameter and the product of the base point G on G1 with the server's private key as the inputs to the bilinear pairing e, obtaining the server-side shared key value.
Step 4.1.2: The server applies the one-way hash function H2 to that value to obtain its shared key with the mobile user.

Step 4.2, in which the mobile user computes the shared key from the server's key agreement parameter, proceeds as follows.
Step 4.2.1: The mobile user takes the server's key agreement parameter and the product of the base point G on G1 with the mobile user's private key as the inputs to the bilinear pairing e, obtaining the mobile-user-side shared key value.
Step 4.2.2: The mobile user applies the one-way hash function H2 to that value to obtain its shared key with the authentication server.
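The step-4 key agreement above, worked through in code. This is an added example written for this page, not code from the patent. It models G1 as the additive group of integers mod a prime q (the integer k standing for the point k·P), G2 as the order-q subgroup of the multiplicative group mod p = 2q+1, and the pairing as e(a·P, b·P) = g^(ab) mod p; that map is bilinear, which is all the protocol relies on, but discrete logarithms in this "G1" are trivial, so it serves only to check the algebra. The second base point G = 7·P, the SHA-256-based H2 and the toy group sizes are assumptions. One caveat the example makes visible: read literally, steps 4.1.1 and 4.2.1 pair each side's received parameter with SK·G, and then the two sides obtain e(P,G)^(r_MN·SK_MN·SK_AS) and e(P,G)^(r_AS·SK_AS·SK_MN), which coincide only if the two random numbers are equal. The example therefore also computes the variant in which each side folds its own random number into the second pairing argument, under which the two values agree; that reading is an assumption of the example, not a statement of the page.

```python
"""Toy model of the step-4 key agreement (steps 4.1.1 to 4.2.2).

Example code for this page, not from the patent.  G1 is the additive group
Z_q (integer k stands for the point k*P), G2 is the order-q subgroup of Z_p^*
with p = 2q + 1, and e(a*P, b*P) = g^(a*b) mod p.  Bilinear, but discrete
logs in this G1 are trivial: for checking algebra only."""
import hashlib
import secrets

Q = 1019             # prime group order (toy size)
P_MOD = 2 * Q + 1    # 2039, also prime, so Z_p^* has a subgroup of order Q
G2_GEN = 4           # a square mod p, hence a generator of that order-Q subgroup
P = 1                # base point P, represented as the scalar 1
G = 7                # second base point G = 7*P (assumed value)


def scalar_mul(k, point):
    """k * point in the toy G1."""
    return (k * point) % Q


def pairing(x, y):
    """Toy bilinear map e: G1 x G1 -> G2, e(a*P, b*P) = g^(a*b) mod p."""
    return pow(G2_GEN, (x * y) % Q, P_MOD)


def h2(g2_element):
    """H2: G2 -> integers in [1, q-1], modelled with SHA-256 (assumed)."""
    digest = hashlib.sha256(str(g2_element).encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def keygen():
    """Step 2.1: SK chosen at random by the entity, PK = SK * P."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, scalar_mul(sk, P)


def key_agreement_param(pk):
    """Steps 3.1.4 / 3.3.1: param = r * PK for a fresh random r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, scalar_mul(r, pk)


def shared_value_as_worded(peer_param, own_sk):
    """Steps 4.1.1 / 4.2.1 taken literally: e(peer_param, SK * G)."""
    return pairing(peer_param, scalar_mul(own_sk, G))


def shared_value(peer_param, own_sk, own_r):
    """e(peer_param, r * SK * G): the party's own random r folded into the
    second argument, so both sides get e(P,G)^(r_MN*SK_MN*r_AS*SK_AS).
    This reading is an assumption of the example."""
    return pairing(peer_param, scalar_mul(own_r * own_sk, G))


def run_step4(sk_mn, sk_as, r_mn, r_as):
    """Both sides of step 4 with fixed scalars; returns (K_AS, K_MN)."""
    pk_mn, pk_as = scalar_mul(sk_mn, P), scalar_mul(sk_as, P)
    param_mn = scalar_mul(r_mn, pk_mn)   # carried in the MN presentation message
    param_as = scalar_mul(r_as, pk_as)   # carried in the AS success message
    k_as = h2(shared_value(param_mn, sk_as, r_as))   # step 4.1.2
    k_mn = h2(shared_value(param_as, sk_mn, r_mn))   # step 4.2.2
    return k_as, k_mn


def as_worded_agrees(sk_mn, sk_as, r_mn, r_as):
    """Whether the literal reading gives both sides the same G2 value."""
    param_mn = scalar_mul(r_mn, scalar_mul(sk_mn, P))
    param_as = scalar_mul(r_as, scalar_mul(sk_as, P))
    return (shared_value_as_worded(param_mn, sk_as)
            == shared_value_as_worded(param_as, sk_mn))


if __name__ == "__main__":
    sk_mn, pk_mn = keygen()
    sk_as, pk_as = keygen()
    r_mn, _ = key_agreement_param(pk_mn)
    r_as, _ = key_agreement_param(pk_as)
    k_as, k_mn = run_step4(sk_mn, sk_as, r_mn, r_as)
    print("agree with r folded in:", k_as == k_mn)
    print("agree as worded:", as_worded_agrees(sk_mn, sk_as, r_mn, r_as))
```

Run it as a script and the first line prints True while the second prints False for almost every choice of random numbers; the only thing a real deployment changes is the group arithmetic, which must come from a pairing library over a curve of cryptographic size.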
Step 5.2, in which the authentication server verifies the mobile user's credential on receiving the presentation message, proceeds as follows.
Step 5.2.1: The server checks the freshness of the timestamp in the presentation message to prevent replay. If the timestamp is fresh, the server goes on to check the credential's validity period (step 5.2.2); otherwise verification fails, the mobile user is refused and a verification failure message is sent to the access router.
Step 5.2.2: If the credential is within its validity period, the server goes on to verify the HMAC on the presentation message (step 5.2.3); if the credential has expired, a verification failure message is sent to the access router.
Step 5.2.3: The server verifies the HMAC on the presentation message with the shared key it agreed with the mobile user. If the HMAC verifies, the server accepts the mobile user as a legitimate user; otherwise the mobile user is refused and a verification failure message is sent to the access router.

Step 5.4, in which the mobile user checks the access router's legitimacy with the shared key it agreed with the authentication server, proceeds as follows.
Step 5.4.1: The mobile user checks the freshness of the timestamp in the received success message to prevent replay. If the timestamp is fresh, it goes on to check the validity period of the access router's credential (step 5.4.2); otherwise verification fails and it refuses to attach to that access router.
Step 5.4.2: If the credential is within its validity period, the mobile user goes on to verify the HMAC on the success message (step 5.4.3); if the credential has expired, it refuses to attach to that access router.
Step 5.4.3: The mobile user verifies the HMAC on the success message with the shared key it agreed with the authentication server. If the HMAC verifies, the mobile user attaches to the legitimate access router and handover access authentication is complete; otherwise it refuses to attach to that access router.
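The handover exchange of step 5 (sub-steps 5.1.4, 5.2.1 to 5.2.3, 5.3.3 and 5.4.1 to 5.4.3), as an added example written for this page rather than code from the patent. It uses HMAC-SHA256 over a canonical JSON encoding of the message body and runs both sides of the exchange, including the rejection of a replayed presentation, of an expired credential and of an access router that does not hold the shared key. The 30-second freshness window, the not_before/not_after encoding of the validity period, the JSON encoding and the sample credentials are assumptions; the step 5.3.1/5.3.2 delivery of the shared key to the access router under its public key is taken as already done and is not modelled. The same three checks in the same order (freshness, validity period, then the cryptographic check) are what steps 3.2 and 3.4 prescribe for initial authentication, with a CBS signature in place of the HMAC.

```python
"""Step-5 handover access authentication modelled with HMAC-SHA256.

Example code for this page, not from the patent.  Assumed: a 30 s freshness
window, a not_before/not_after validity period, canonical JSON as the MAC
input, and that the AR already holds the shared key (steps 5.3.1/5.3.2)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

FRESHNESS_WINDOW = 30  # seconds; the page only requires the timestamp be "fresh"


@dataclass(frozen=True)
class IdentityCredential:
    """The six fields the page lists for an identity credential (IC)."""
    issuer_id: str
    issuer_pk: str
    user_id: str       # a network address identifier (step 2.2)
    user_pk: str
    user_cert: str     # CBS certificate issued by the ICM, opaque here
    not_before: int
    not_after: int


def canonical(body):
    """Deterministic byte encoding of a message body for MACing."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def mac(key, body):
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def fresh(timestamp, now):
    return abs(now - timestamp) <= FRESHNESS_WINDOW


def within_validity(ic, now):
    return ic.not_before <= now <= ic.not_after


def check_message(msg, ic_field, key, now):
    """The page's order for steps 5.2.x and 5.4.x: freshness, validity, HMAC.
    Returns (ok, reason_or_peer_id)."""
    if not fresh(msg["ts"], now):
        return False, "stale timestamp"
    ic = IdentityCredential(**msg[ic_field])
    if not within_validity(ic, now):
        return False, "credential expired"
    body = {k: v for k, v in msg.items() if k != "hmac"}
    if not hmac.compare_digest(msg["hmac"], mac(key, body)):
        return False, "bad hmac"
    return True, ic.user_id


def build_presentation(mn_ic, key, now):
    """Step 5.1.4: MN -> AR, forwarded unchanged to the AS."""
    body = {"ic": asdict(mn_ic), "ts": now}
    return {**body, "hmac": mac(key, body)}


def verify_presentation(msg, key, now):
    """Steps 5.2.1 to 5.2.3 on the AS."""
    return check_message(msg, "ic", key, now)


def build_success(ar_ic, key, now):
    """Step 5.3.3: AR inserts its own IC and timestamp and MACs the message."""
    body = {"result": "success", "ar_ic": asdict(ar_ic), "ts": now}
    return {**body, "hmac": mac(key, body)}


def verify_success(msg, key, now):
    """Steps 5.4.1 to 5.4.3 on the MN."""
    return check_message(msg, "ar_ic", key, now)


# Constructed sample data, not taken from the page.
SHARED_KEY = hashlib.sha256(b"key agreed in step 4").digest()
MN_IC = IdentityCredential("icm.example", "ICM-PK", "mn1@example", "MN-PK",
                           "cert-mn", 1_700_000_000, 1_700_086_400)
AR2_IC = IdentityCredential("icm.example", "ICM-PK", "ar2.example", "AR2-PK",
                            "cert-ar2", 1_700_000_000, 1_700_086_400)


def handover(now=1_700_000_100, key_mn=SHARED_KEY, key_ar=SHARED_KEY):
    """Full step-5 exchange; returns (AS verdict on MN, MN verdict on AR)."""
    icp = build_presentation(MN_IC, key_mn, now)
    as_verdict = verify_presentation(icp, SHARED_KEY, now + 1)
    if not as_verdict[0]:
        return as_verdict, (False, "not attempted")
    success = build_success(AR2_IC, key_ar, now + 1)
    return as_verdict, verify_success(success, key_mn, now + 2)


if __name__ == "__main__":
    print(handover())                  # both verdicts True
    print(handover(key_ar=b"rogue"))   # AR without the shared key is refused
```

Because the HMAC key is the key agreed in step 4, a new access router can be authenticated without any pairing or signature operation, which is the efficiency gain the page claims for handover; the price is that the shared key must reach each new access router confidentially, which is what step 5.3.1 provides.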
有益效果:Beneficial effect:
本发明的系统及方法在一个自治安全域内,既能实现移动用户与访问网络间的双向接入认证和密钥协商,又支持移动用户于不同接入路由器间切换时的高效接入认证,提高了接入认证效率。The system and method of the present invention can not only realize the two-way access authentication and key negotiation between the mobile user and the access network in an autonomous security domain, but also support the efficient access authentication of the mobile user when switching between different access routers, and improve the improved access authentication efficiency.
附图说明Description of drawings
图1为本发明具体实施方式的基于身份凭证的无线局域网双向接入认证系统示意图;Fig. 1 is the schematic diagram of the two-way access authentication system of the wireless local area network based on identity credential according to the specific embodiment of the present invention;
图2为本发明具体实施方式的对实体身份进行审核并为实体颁发身份凭证流程图;Fig. 2 is a flow chart of verifying the identity of an entity and issuing an identity certificate for the entity in a specific embodiment of the present invention;
图3为本发明具体实施方式的移动用户向认证服务器发送身份凭证出示消息过程示意图;Fig. 3 is a schematic diagram of the process of sending an identity credential presentation message from a mobile user to an authentication server according to a specific embodiment of the present invention;
图4为本发明具体实施方式的认证服务器对移动用户认证流程图;Fig. 4 is the flow chart of the mobile user authentication by the authentication server according to the specific embodiment of the present invention;
图5为本发明具体实施方式的认证服务器向移动用户发送验证成功消息过程示意图;FIG. 5 is a schematic diagram of a process in which the authentication server sends a verification success message to a mobile user according to a specific embodiment of the present invention;
图6为本发明具体实施方式的移动用户对接入路由器认证流程图;Fig. 6 is the flow chart of the mobile user's authentication to the access router in the specific embodiment of the present invention;
图7为本发明具体实施方式的切换认证过程示意图;FIG. 7 is a schematic diagram of a handover authentication process according to a specific embodiment of the present invention;
图8为本发明具体实施方式的系统模块通信流程图;Fig. 8 is a flow chart of system module communication in a specific embodiment of the present invention;
图9为本发明具体实施方式的无线局域网双向接入认证的方法流程图。FIG. 9 is a flowchart of a method for two-way access authentication of a wireless local area network according to a specific embodiment of the present invention.
Detailed description
The specific embodiment of the present invention is described in detail below with reference to the accompanying drawings.
In this embodiment the identity-credential-based WLAN two-way access authentication system and method are applied to the access authentication stage of a wireless local area network. The implementation uses the mature 802.11i authentication framework. Authentication messages are carried by EAP between the mobile user and the access router, and by RADIUS between the access router and the authentication server.
As shown in FIG. 1, the identity-credential-based WLAN two-way access authentication system comprises several access routers (AR1 and AR2 in the figure) deployed in one autonomous security domain, together with one identity credential management server (ICM) and one authentication server (AS).
The ICM manages the identity credentials (IC) of the entities in the security domain (the access routers AR and the mobile users MN), which includes issuing and maintaining the credentials.
The identity credential is the basis of the two-way access authentication and differs fundamentally from an X.509 certificate in a PKI. An X.509 certificate mainly binds a user's identity information to the public key the user holds, whereas the identity credential of this embodiment contains the issuer identity, the issuer public key, the user identity, the user public key, the user identity certificate and the credential validity period.
The AS verifies the mobile user's access authentication request and completes shared-key agreement with the mobile user.
The AR decides whether the mobile user is admitted to the WLAN according to the verification result returned by the AS, and relays the authentication messages between the mobile user and the AS.
For convenience of the following description, the notation of Table 1 is used.
Table 1 Notation
The WLAN two-way access authentication method using the above system, shown in FIG. 9, comprises the following steps.
Step 1: The ICM generates the system public parameters from the chosen security parameter and publishes them.
The ICM is the trusted third party of the security domain; it generates and publishes the system public parameters.
The system public parameters are {G1, G2, e, P, G, H1, H2, PK_ICM}: the cyclic groups G1 and G2, a bilinear pairing e, two base points P and G of G1, a one-way hash function H1 from bit strings to G1 (H1: {0,1}* → G1), a one-way hash function H2 from G2 to the positive integers in the range 1 to q-1 (q being the security parameter chosen by the ICM), and the ICM public key PK_ICM = SK_ICM · P, where the ICM private key SK_ICM is chosen at random by the ICM.
Step 2: The ICM reviews the identity of an entity and issues it an identity credential, as shown in FIG. 2.
Step 2.1: Before applying for a credential, the entity generates its key pair from the system public parameters: the private key SK_EN is chosen at random by the entity, and the public key is PK_EN = SK_EN · P, the product of the base point P of G1 and SK_EN.
Step 2.2: The entity sends its identity information and its public key to the ICM and applies for an identity credential.
The identity information is a network address identifier, such as EntityDomain.
Step 2.3: On receiving the application, the ICM verifies that the entity's identity information is legitimate; if it is, the ICM generates the credential and issues it to the entity, otherwise no credential is issued.
The identity credential contains the issuer identity, the issuer public key, the user identity, the user public key, the user identity certificate and the credential validity period; the user identity certificate is generated with the certificate-based signature (CBS) algorithm.
The entity identity certificate inside the credential is:
Cert_EN = SK_ICM · P_EN, with P_EN = H1(PK_ICM || PK_EN || ID_EN) ∈ G1.
Step 2.4: On receiving the credential, the entity derives its signing key from its own private key and the identity certificate carried in the credential.
The entity's signing key is:
SignKey_EN = Cert_EN + SK_EN · P_EN.
Both summands are multiples of P_EN, so SignKey_EN = (SK_ICM + SK_EN) · P_EN; forming it requires both the ICM-issued Cert_EN and the entity's own SK_EN, and this is what the verification equations of steps 3.2.3 and 3.4.3 rely on.
Step 3: When a mobile user moves into the security domain and requests access through an access router AR, two-way access authentication is performed among the mobile user MN, the access router AR and the authentication server AS.
Step 3.1: The MN sends a credential presentation message to the AR, and the AR forwards it to the AS, as shown in FIG. 3.
Step 3.1.1: The MN sends a router solicitation message to find an access router in its current security domain.
The MN sends an EAP-Start packet (the EAPOL-Start frame of 802.1X) to look for an AR in the security domain; the multicast frame it sends carries only the mandatory fields of the frame.
Step 3.1.2: On receiving the router solicitation message, the AR starts access authentication.
Step 3.1.3: The AR answers the MN with a router advertisement message that requests the MN's identity credential.
After receiving the MN's EAP-Start, the AR sends the MN an EAP-Request-Credential packet requesting its credential information.
Step 3.1.4: The MN sends the credential presentation message to the AR. The message contains the MN's identity credential, the current timestamp Ts1, the MN's key agreement parameter, and the CBS signature σ computed over the message with the MN's signing key.
The MN sends the credential presentation message in an EAP-Response packet.
The MN's key agreement parameter T_a is the product of the MN's public key and a random value a chosen by the MN: T_a = a · PK_MN.
The CBS signature over the credential presentation message m, computed with the MN's signing key, is σ = (U, V) with U = r · P_MN, h = H2(m, U) and V = (r + h) · SignKey_MN, where r is a random value chosen by the MN.
Step 3.1.5: On receiving the MN's credential presentation message, the AR forwards it to the AS.
The AR extracts the data part of the EAP packet, re-encapsulates it in RADIUS, and forwards the credential presentation message to the AS in a RADIUS Access-Request packet.
Step 3.2: On receiving the credential presentation message, the AS verifies the MN's credential as shown in FIG. 4: if verification succeeds, go to step 3.3; if it fails, the MN is denied access and a verification-failure message is sent to the AR.
Step 3.2.1: Check the freshness of the timestamp Ts1 in the credential presentation message to prevent replay attacks: if Ts1 is fresh, the AS checks the validity period of the credential and goes to step 3.2.2; otherwise verification fails, the MN is denied access and a verification-failure message is sent to the AR.
Step 3.2.2: If the credential is within its validity period, the AS verifies the CBS signature of the credential presentation message and goes to step 3.2.3; if the credential has expired, a verification-failure message is sent to the AR.
Step 3.2.3: The AS verifies the CBS signature of the credential presentation message with the issuer public key and the user public key carried in the credential: if the signature verifies, the AS accepts the MN as a legitimate access user; otherwise the MN is denied access and a verification-failure message is sent to the AR.
The AS verifies the CBS signature σ of the credential presentation message by testing
e(PK_ICM + PK_MN, U + h · P_MN) =? e(P, V),
where P_MN = H1(PK_ICM || PK_MN || ID_MN) and h = H2(m, U) are recomputed by the AS from the fields of the received message, so only public data is needed.
Step 3.3: The AS sends the MN a message stating that the MN's credential was verified successfully, as shown in FIG. 5.
Step 3.3.1: The AS sends the verification-success message to the AR; the message contains the AS's key agreement parameter.
The AS sends the verification-success message to the AR in a RADIUS packet the embodiment calls RADIUS-Access-Success (an Access-Accept in RFC 2865 terms).
The AS's key agreement parameter T_b is the product of the AS's public key and a random value b chosen by the AS: T_b = b · PK_AS.
Step 3.3.2: On receiving the verification-success message from the AS, the AR inserts its own identity credential and the current timestamp Ts2 into the message.
The AR extracts the data part of the RADIUS packet, inserts its identity credential and Ts2, and re-encapsulates the result in EAP.
Step 3.3.3: The AR signs the verification-success message with the CBS algorithm under its own signing key and sends the message together with the CBS signature to the MN.
The CBS signature over the verification-success message m′, computed with the AR's signing key, is σ′ = (U′, V′) with U′ = r′ · P_AR, h′ = H2(m′, U′) and V′ = (r′ + h′) · SignKey_AR, where r′ is a random value chosen by the AR.
The AR forwards the verification-success message and the CBS signature to the MN in an EAP-Success packet. A standard EAP Success packet (RFC 3748, code 3) has no data field, so an implementation has to carry this payload in a method-specific EAP packet rather than in the plain Success code.
Step 3.4: As shown in FIG. 6, on receiving the AR's verification-success message the MN verifies the AR's identity credential: if verification succeeds, the MN attaches to the current AR and two-way access authentication is complete; if it fails, the MN refuses to attach to the current AR.
After receiving the AR's verification-success message, the MN verifies the AR's identity credential as follows.
Step 3.4.1: The MN checks the freshness of the timestamp Ts2 in the received verification-success message to prevent replay attacks: if Ts2 is fresh, the MN checks the validity period of the AR's credential and goes to step 3.4.2; otherwise verification fails and the MN refuses to attach to the current AR.
Step 3.4.2: If the credential is within its validity period, the MN verifies the CBS signature of the verification-success message and goes to step 3.4.3; if the credential has expired, the MN refuses to attach to the current AR.
Step 3.4.3: The MN verifies the CBS signature of the verification-success message with the issuer public key and the user public key carried in the AR's credential: if the signature verifies, the MN attaches to this legitimate AR and two-way access authentication is complete; otherwise the MN refuses to attach to the current AR.
The MN verifies the CBS signature σ′ of the verification-success message by testing
e(PK_ICM + PK_AR, U′ + h′ · P_AR) =? e(P, V′).
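Why the verification equations of steps 3.2.3 and 3.4.3 hold, as an added derivation in the page's own symbols (not part of the original text), written out for the MN's signature; the AR case is identical with the primed quantities and P_AR in place of P_MN:

```latex
\begin{aligned}
\mathrm{SignKey}_{MN} &= \mathrm{Cert}_{MN} + SK_{MN}\cdot P_{MN}
  = SK_{ICM}\cdot P_{MN} + SK_{MN}\cdot P_{MN}
  = (SK_{ICM}+SK_{MN})\cdot P_{MN},\\
V &= (r+h)\cdot \mathrm{SignKey}_{MN}
  = (r+h)(SK_{ICM}+SK_{MN})\cdot P_{MN},\\
e(PK_{ICM}+PK_{MN},\; U+h\cdot P_{MN})
  &= e\big((SK_{ICM}+SK_{MN})\cdot P,\;(r+h)\cdot P_{MN}\big)
  = e(P,P_{MN})^{(SK_{ICM}+SK_{MN})(r+h)},\\
e(P,V) &= e\big(P,\;(r+h)(SK_{ICM}+SK_{MN})\cdot P_{MN}\big)
  = e(P,P_{MN})^{(r+h)(SK_{ICM}+SK_{MN})}.
\end{aligned}
```

The two sides agree by bilinearity of e, so the test passes exactly when V was formed with (SK_ICM + SK_MN) · P_MN, that is, with both the ICM-issued Cert_MN and the signer's own SK_MN. The verifier uses only public values: PK_ICM, PK_MN and ID_MN from the credential to recompute P_MN, the received U, and h = H2(m, U) over the received message; the freshness and validity-period checks that precede the pairing test are what tie the signature to this particular exchange.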
Step 4: The AS and the MN perform shared-key agreement from the key agreement parameters.
Step 4.1: The AS computes the shared key between the AS and the MN from the MN's key agreement parameter.
Step 4.1.1: The AS takes the MN's key agreement parameter and the product of the base point G of G1 with the AS private key as inputs to the bilinear pairing e and computes the AS shared-key value:
ShareKey_Value_AS-MN = e(b · T_a, SK_AS · G),
where ShareKey_Value_AS-MN is the shared-key value between the AS and the MN and b is the random value chosen by the AS.
Step 4.1.2: The AS applies the one-way hash function H2 to the shared-key value to obtain the shared key between the AS and the MN:
ShareKey_AS-MN = H2(ShareKey_Value_AS-MN),
where ShareKey_AS-MN is the shared key between the AS and the MN.
Step 4.2: The MN computes the shared key between the MN and the AS from the AS's key agreement parameter.
Step 4.2.1: The MN takes the AS's key agreement parameter and the product of the base point G of G1 with the MN private key as inputs to the bilinear pairing e and computes the MN shared-key value:
ShareKey_Value_MN-AS = e(a · T_b, SK_MN · G),
where ShareKey_Value_MN-AS is the shared-key value between the MN and the AS and a is the random value chosen by the MN.
Step 4.2.2: The MN applies the one-way hash function H2 to the shared-key value to obtain its shared key with the AS:
ShareKey_MN-AS = H2(ShareKey_Value_MN-AS),
where ShareKey_MN-AS is the shared key between the MN and the AS.
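Why the two sides of step 4 arrive at the same key, as an added derivation in the page's symbols (not part of the original text), with T_a = a · PK_MN and T_b = b · PK_AS as defined in steps 3.1.4 and 3.3.1:

```latex
\begin{aligned}
T_a &= a\cdot PK_{MN} = a\,SK_{MN}\cdot P, \qquad
T_b = b\cdot PK_{AS} = b\,SK_{AS}\cdot P,\\
\mathrm{ShareKey\_Value}_{AS\text{-}MN} &= e(b\cdot T_a,\;SK_{AS}\cdot G)
  = e(ab\,SK_{MN}\cdot P,\;SK_{AS}\cdot G)
  = e(P,G)^{ab\,SK_{MN}\,SK_{AS}},\\
\mathrm{ShareKey\_Value}_{MN\text{-}AS} &= e(a\cdot T_b,\;SK_{MN}\cdot G)
  = e(ab\,SK_{AS}\cdot P,\;SK_{MN}\cdot G)
  = e(P,G)^{ab\,SK_{AS}\,SK_{MN}},\\
\mathrm{ShareKey}_{AS\text{-}MN} &= H_2\!\big(e(P,G)^{ab\,SK_{MN}\,SK_{AS}}\big)
  = \mathrm{ShareKey}_{MN\text{-}AS}.
\end{aligned}
```

The key depends on the ephemeral values a and b of this run and on both long-term private keys SK_MN and SK_AS; what an observer sees on the air is T_a, T_b, the public keys and the base points. T_a is covered by the MN's CBS signature of step 3.1.4, while T_b reaches the MN inside the verification-success message, which the MN authenticates through the AR's CBS signature in step 3.4 rather than through a signature by the AS itself.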
Step 5: As shown in FIG. 7, when the MN keeps moving within the security domain and attaches to a new access router, handover access authentication is performed with the shared key between the MN and the AS.
Step 5.1: When the MN keeps moving within the security domain and attaches to a new access router AR′, it sends a credential presentation message to the AR, and the AR forwards it to the AS.
Step 5.1.1: The MN sends a router solicitation message to find an access router in its current security domain.
Step 5.1.2: On receiving the router solicitation message, the AR starts access authentication.
Step 5.1.3: The AR answers the MN with a router advertisement message that requests the MN's identity credential.
Step 5.1.4: The MN sends the credential presentation message to the AR. The message contains the MN's identity credential, the current timestamp Ts3, and the HMAC of the credential presentation message computed with the HMAC algorithm under the shared key ShareKey_MN-AS agreed between the MN and the AS in step 4.
Step 5.1.5: On receiving the MN's credential presentation message, the AR forwards it to the AS.
The AR extracts the data part of the EAP packet, re-encapsulates it in RADIUS, and forwards the credential presentation message to the AS in a RADIUS Access-Request packet.
Step 5.2: On receiving the credential presentation message, the AS verifies the MN's credential: if verification succeeds, go to step 5.3; if it fails, the MN is denied access and a verification-failure message is sent to the AR.
After receiving the MN's credential presentation message, the AS verifies the MN's credential as follows.
Step 5.2.1: Check the freshness of the timestamp Ts3 in the credential presentation message to prevent replay attacks: if Ts3 is fresh, the AS checks the validity period of the credential and goes to step 5.2.2; otherwise verification fails, the MN is denied access and a verification-failure message is sent to the AR.
Step 5.2.2: If the credential is within its validity period, the AS verifies the HMAC of the credential presentation message and goes to step 5.2.3; if the credential has expired, a verification-failure message is sent to the AR.
Step 5.2.3: The AS verifies the HMAC of the credential presentation message with the shared key it agreed with the MN: if it verifies, the AS accepts the MN as a legitimate access user; otherwise the MN is denied access and a verification-failure message is sent to the AR.
The AS verifies the HMAC by recomputing it over the received credential presentation message under ShareKey_AS-MN and comparing the result with the received value.
Step 5.3: The AS sends the MN a message stating that the MN's credential was verified successfully.
Step 5.3.1: The AS sends the verification-success message to the AR; the message contains the shared key encrypted by the AS under the AR's public key.
Step 5.3.2: On receiving the verification-success message from the AS, the AR decrypts the shared key with its own private key and extracts it.
Step 5.3.3: The AR inserts its own identity credential and the current timestamp Ts4 into the verification-success message, computes the HMAC of the message with the HMAC algorithm under the shared key, and sends the verification-success message together with its HMAC to the MN.
The HMAC of the verification-success message is computed under the same shared key ShareKey_AS-MN that the AR obtained in step 5.3.2. Note that this step hands the MN's shared key with the AS to every AR the MN hands over to.
Step 5.4: The MN uses the shared key agreed with the AS to verify the legitimacy of the AR: if the AR is legitimate, the MN hands over to it and handover access authentication is complete; if the AR is not legitimate, the MN refuses to attach to it.
The MN uses the shared key agreed with the AS to verify the legitimacy of the AR as follows.
Step 5.4.1: The MN checks the freshness of the timestamp Ts4 in the received verification-success message to prevent replay attacks: if Ts4 is fresh, the MN checks the validity period of the AR's credential and goes to step 5.4.2; otherwise verification fails and the MN refuses to attach to the current AR.
Step 5.4.2: If the credential is within its validity period, the MN verifies the HMAC of the verification-success message and goes to step 5.4.3; if the credential has expired, the MN refuses to attach to the current AR.
Step 5.4.3: The MN verifies the HMAC of the verification-success message with the shared key it agreed with the AS: if it verifies, the MN attaches to this legitimate AR and handover access authentication is complete; otherwise the MN refuses to attach to the current AR.
The MN verifies the HMAC by recomputing it over the received verification-success message under ShareKey_MN-AS and comparing the result with the received value.
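The handover exchange of step 5 modelled end to end with the Python standard library, as an added example that is not code from the patent or from its C++ implementation. It shows both sides' messages (steps 5.1.4 and 5.3.3), the verification order the scheme prescribes (freshness, validity period, HMAC), and three rejection paths. Assumptions not in the source: the HMAC is HMAC-SHA256 over a canonical JSON encoding of the message fields, the freshness window is 30 seconds, the sample credentials are constructed and carry only the fields the checks consult, and the new AR already holds ShareKey (the encrypted delivery of step 5.3.1 is not modelled).

```python
"""Handover access authentication (step 5) with HMAC, modelled on stdlib only."""
import hashlib
import hmac
import json

FRESHNESS_WINDOW = 30  # seconds; assumed value, the page fixes none

# Constructed sample data. Only the fields the checks consult are present; the
# G1 element Cert_EN of a real credential is omitted.
IC_MN = {"issuer": "ICM", "id": "mn@example-domain",
         "not_before": 1000, "not_after": 2000}
IC_AR = {"issuer": "ICM", "id": "ar2@example-domain",
         "not_before": 1000, "not_after": 2000}
# Stand-in for ShareKey_AS-MN from step 4 (in the scheme it is H2 of a pairing value).
SHARE_KEY = hashlib.sha256(b"constructed ShareKey_AS-MN").digest()


def encode(fields):
    """Canonical byte encoding so MN, AS and AR MAC identical bytes (assumed format)."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def tag(key, fields):
    """HMAC-SHA256 over the encoded message (assumed instantiation of 'the HMAC algorithm')."""
    return hmac.new(key, encode(fields), hashlib.sha256).hexdigest()


def verify(pkt, key, ts_field, now):
    """Checks in the order the scheme prescribes: freshness, validity period, HMAC."""
    msg = pkt["msg"]
    if abs(now - msg[ts_field]) > FRESHNESS_WINDOW:
        return "fail: stale " + ts_field
    ic = msg["IC"]
    if not ic["not_before"] <= now <= ic["not_after"]:
        return "fail: credential outside validity period"
    if not hmac.compare_digest(tag(key, msg), pkt["hmac"]):
        return "fail: HMAC mismatch"
    return "ok"


def mn_presentation(ic_mn, key, now):
    """Step 5.1.4: MN -> AR -> AS; credential, Ts3 and HMAC under ShareKey."""
    msg = {"type": "credential-presentation", "IC": ic_mn, "Ts3": now}
    return {"msg": msg, "hmac": tag(key, msg)}


def as_check_presentation(pkt, key, now):
    """Steps 5.2.1 to 5.2.3 at the AS."""
    return verify(pkt, key, "Ts3", now)


def ar_success(ic_ar, key, now):
    """Step 5.3.3: AR inserts its own credential and Ts4, MACs under ShareKey."""
    msg = {"type": "verification-success", "IC": ic_ar, "Ts4": now}
    return {"msg": msg, "hmac": tag(key, msg)}


def mn_check_success(pkt, key, now):
    """Steps 5.4.1 to 5.4.3 at the MN."""
    return verify(pkt, key, "Ts4", now)


def run_handover(now=1500):
    """Full exchange plus three attacker cases: a replay after the window, a rogue
    AR that does not hold ShareKey, and an expired credential."""
    results = {}
    pres = mn_presentation(IC_MN, SHARE_KEY, now)
    results["presentation"] = as_check_presentation(pres, SHARE_KEY, now + 1)
    succ = ar_success(IC_AR, SHARE_KEY, now + 2)
    results["success"] = mn_check_success(succ, SHARE_KEY, now + 3)
    # Captured presentation replayed outside the freshness window.
    results["replay"] = as_check_presentation(pres, SHARE_KEY, now + FRESHNESS_WINDOW + 1)
    # Rogue AR: valid-looking credential and fresh Ts4, but MACed under the wrong key.
    rogue = ar_success(IC_AR, b"rogue-key", now + 2)
    results["rogue_ar"] = mn_check_success(rogue, SHARE_KEY, now + 3)
    # Credential whose validity period ended before this run.
    expired = mn_presentation(dict(IC_MN, not_after=now - 1), SHARE_KEY, now)
    results["expired"] = as_check_presentation(expired, SHARE_KEY, now + 1)
    return results


if __name__ == "__main__":
    for case, verdict in run_handover().items():
        print(f"{case}: {verdict}")
```

run_handover() returns the verdict of every check. hmac.compare_digest keeps the tag comparison constant-time. A message replayed inside the window still passes the freshness test, so the window width and the clock agreement between MN, AR and AS bound what the timestamp check alone can guarantee.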
Based on the process described above, the identity-credential-based WLAN two-way access authentication system was designed and implemented. The system was developed on Windows in C++ with Visual Studio, uses the WinPcap library, and carries its messages over UDP as the transport protocol.
The main functions of the MN module are discovering the AR, presenting the credential and verifying credentials. The MN module consists of an initialization class, a credential presentation class, a verification class and an encryption/decryption class. The initialization class initializes the system and then listens for data on the network adapter; depending on the data received it calls the presentation class to send the credential presentation message; finally it calls the verification class and the encryption/decryption class to perform two-way verification of the received verification-success message. The class design of the MN module is shown in Table 2.
Table 2 Class design of the MN module
The main functions of the AR module are receiving the credential presentation message from the MN and forwarding it to the AS, receiving the verification-success message from the AS, decrypting the shared key, HMAC authentication, and forwarding the corresponding messages to the MN. The AR module consists of an initialization class, a data analysis and processing class and an encryption/decryption class. The initialization class is responsible for system initialization and for receiving data from the MN and the AS; on receipt of data it calls the data analysis and processing class and the encryption/decryption class to analyze and process the data and to encapsulate it in the corresponding protocol; after authentication completes it controls the MN's access. The class design of the AR module is shown in Table 3.
Table 3 Class design of the AR module
The main functions of the AS module are access authentication of the MN and shared-key agreement with the MN. The AS module consists of an initialization class, a data analysis and processing class, a verification class, a credential presentation class and an encryption/decryption class. The initialization class is responsible for system initialization and for receiving data; the data analysis and processing class analyzes and processes the received data; the verification class is then called to verify the MN; after verification passes, the presentation class is called to return the verification-success message to the AR. The class design of the AS module is shown in Table 4.
Table 4 Class design of the AS module
With the above modules and classes, the MN, AR and AS modules involved in access authentication can be implemented following the flow shown in FIG. 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310429993.XA CN103491540B (en) | 2013-09-18 | 2013-09-18 | The two-way access authentication system of a kind of WLAN based on identity documents and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103491540A true CN103491540A (en) | 2014-01-01 |
CN103491540B CN103491540B (en) | 2016-05-25 |
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103929745A (en) * | 2014-04-16 | 2014-07-16 | 东北大学 | A wireless MESH network access authentication system and method based on privacy protection |
CN104320253A (en) * | 2014-09-28 | 2015-01-28 | 东北大学 | Two-dimension code authentication system and method based on CBS signature mechanism |
CN105188024A (en) * | 2015-10-29 | 2015-12-23 | 小米科技有限责任公司 | Method, apparatus and system for accessing network |
CN105578464A (en) * | 2015-07-31 | 2016-05-11 | 宇龙计算机通信科技(深圳)有限公司 | Enhanced WLAN certificate authentication method, device and system |
CN105744522A (en) * | 2016-04-29 | 2016-07-06 | 东北大学 | WMN anonymous access authentication system and method based on proxy ring signature |
CN107483195A (en) * | 2017-09-08 | 2017-12-15 | 哈尔滨工业大学深圳研究生院 | A secure two-party authentication and key agreement protocol in the Internet of Things environment |
CN108599936A (en) * | 2018-04-20 | 2018-09-28 | 西安电子科技大学 | A security authentication method for OpenStack open-source cloud users |
CN108989034A (en) * | 2018-08-03 | 2018-12-11 | 苏州国芯科技有限公司 | A kind of audio-video monitoring method, system, monitoring server and computer media |
CN109450641A (en) * | 2018-10-25 | 2019-03-08 | 烟台市奥境数字科技有限公司 | A kind of high-end die information management system access control method |
CN109495889A (en) * | 2018-12-20 | 2019-03-19 | 中山大学新华学院 | Heterogeneous mobile network access control method based on mutual confidence-building mechanism |
CN110046507A (en) * | 2018-12-12 | 2019-07-23 | 阿里巴巴集团控股有限公司 | Form the method and device of trust computing cluster |
CN110730450A (en) * | 2019-10-18 | 2020-01-24 | 中国联合网络通信集团有限公司 | A mobile communication method and system |
CN110876142A (en) * | 2018-09-02 | 2020-03-10 | 中城智慧科技有限公司 | Identification-based wifi authentication method |
CN111163470A (en) * | 2019-12-31 | 2020-05-15 | 联想(北京)有限公司 | Core network element communication method and device, computer storage medium and electronic equipment |
CN111741468A (en) * | 2020-08-14 | 2020-10-02 | 北京微智信业科技有限公司 | MEC-based AMF (advanced metering library) and identity authentication method, construction method and device thereof |
CN112291064A (en) * | 2020-10-10 | 2021-01-29 | 达闼机器人有限公司 | Authentication system, registration and authentication method, device, storage medium and electronic equipment |
CN112565175A (en) * | 2019-09-26 | 2021-03-26 | 富士通株式会社 | Communication relay program, relay device, communication relay method, and communication system |
WO2022135380A1 (en) * | 2020-12-26 | 2022-06-30 | 西安西电捷通无线网络通信股份有限公司 | Identity authentication method and apparatus |
CN115314278A (en) * | 2022-08-04 | 2022-11-08 | 长扬科技(北京)股份有限公司 | Trusted network connection identity authentication method, electronic equipment and storage medium |
CN119232752A (en) * | 2024-11-29 | 2024-12-31 | 福建省电子政务建设运营有限公司 | Embedded timing task log management method and system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030056096A1 (en) * | 2001-04-18 | 2003-03-20 | Albert Roy David | Method and system for securely authenticating network access credentials for users |
CN1564626A (en) * | 2004-03-22 | 2005-01-12 | 西安电子科技大学 | Radio LAN security access method based on roaming key exchange authentication protocol |
CN1697370A (en) * | 2004-05-14 | 2005-11-16 | 华为技术有限公司 | Method for mobile terminal in WLAN to apply for certificate |
CN103002442A (en) * | 2012-12-20 | 2013-03-27 | 邱华 | Safe wireless local area network key distribution method |
Family application events
- 2013-09-18: CN CN201310429993.XA (patent CN103491540B), status not active (Expired - Fee Related)
Non-Patent Citations (1)
Title |
---|
高天寒 et al.: "HMIPv6 network access authentication mechanism combining node certificates and identity", Journal of Software (软件学报), vol. 23, no. 9, 30 September 2012 (2012-09-30) * |
Cited By (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103929745B (en) * | 2014-04-16 | 2017-04-12 | 东北大学 | Wireless MESH network access authentication system and method based on privacy protection |
CN103929745A (en) * | 2014-04-16 | 2014-07-16 | 东北大学 | A wireless MESH network access authentication system and method based on privacy protection |
CN104320253A (en) * | 2014-09-28 | 2015-01-28 | 东北大学 | Two-dimension code authentication system and method based on CBS signature mechanism |
CN104320253B (en) * | 2014-09-28 | 2017-06-09 | 东北大学 | A kind of Quick Response Code Verification System and method based on CBS signature mechanisms |
CN105578464B (en) * | 2015-07-31 | 2019-04-12 | 宇龙计算机通信科技(深圳)有限公司 | A kind of WLAN certificate identification method, the apparatus and system of enhancing |
CN105578464A (en) * | 2015-07-31 | 2016-05-11 | 宇龙计算机通信科技(深圳)有限公司 | Enhanced WLAN certificate authentication method, device and system |
CN105188024A (en) * | 2015-10-29 | 2015-12-23 | 小米科技有限责任公司 | Method, apparatus and system for accessing network |
CN105188024B (en) * | 2015-10-29 | 2019-06-14 | 小米科技有限责任公司 | Access the method, apparatus and system of network |
CN105744522A (en) * | 2016-04-29 | 2016-07-06 | 东北大学 | WMN anonymous access authentication system and method based on proxy ring signature |
CN105744522B (en) * | 2016-04-29 | 2018-10-23 | 东北大学 | A kind of WMN anonymous access authentication systems and method based on proxy ring signature |
CN107483195A (en) * | 2017-09-08 | 2017-12-15 | 哈尔滨工业大学深圳研究生院 | A secure two-party authentication and key agreement protocol in the Internet of Things environment |
CN108599936A (en) * | 2018-04-20 | 2018-09-28 | 西安电子科技大学 | A security authentication method for OpenStack open-source cloud users |
CN108989034B (en) * | 2018-08-03 | 2021-09-14 | 苏州国芯科技股份有限公司 | Audio and video monitoring method and system, monitoring server and computer medium |
CN108989034A (en) * | 2018-08-03 | 2018-12-11 | 苏州国芯科技有限公司 | A kind of audio-video monitoring method, system, monitoring server and computer media |
CN110876142A (en) * | 2018-09-02 | 2020-03-10 | 中城智慧科技有限公司 | Identification-based wifi authentication method |
CN110876142B (en) * | 2018-09-02 | 2023-08-18 | 中城智慧科技有限公司 | Identification-based wifi authentication method |
CN109450641A (en) * | 2018-10-25 | 2019-03-08 | 烟台市奥境数字科技有限公司 | A kind of high-end die information management system access control method |
CN110046507A (en) * | 2018-12-12 | 2019-07-23 | 阿里巴巴集团控股有限公司 | Form the method and device of trust computing cluster |
CN110046507B (en) * | 2018-12-12 | 2024-02-06 | 创新先进技术有限公司 | Method and device for forming trusted computing cluster |
CN109495889B (en) * | 2018-12-20 | 2022-01-04 | 中山大学新华学院 | Heterogeneous mobile network access control method based on mutual trust mechanism |
CN109495889A (en) * | 2018-12-20 | 2019-03-19 | 中山大学新华学院 | Heterogeneous mobile network access control method based on mutual confidence-building mechanism |
CN112565175A (en) * | 2019-09-26 | 2021-03-26 | 富士通株式会社 | Communication relay program, relay device, communication relay method, and communication system |
CN110730450A (en) * | 2019-10-18 | 2020-01-24 | 中国联合网络通信集团有限公司 | A mobile communication method and system |
CN110730450B (en) * | 2019-10-18 | 2023-03-24 | 中国联合网络通信集团有限公司 | Mobile communication method and system |
CN111163470B (en) * | 2019-12-31 | 2021-06-08 | 联想(北京)有限公司 | Core network element communication method and device, computer storage medium and electronic equipment |
CN111163470A (en) * | 2019-12-31 | 2020-05-15 | 联想(北京)有限公司 | Core network element communication method and device, computer storage medium and electronic equipment |
CN111741468B (en) * | 2020-08-14 | 2020-11-24 | 北京微智信业科技有限公司 | MEC-based AMF (advanced metering library) and identity authentication method, construction method and device thereof |
CN111741468A (en) * | 2020-08-14 | 2020-10-02 | 北京微智信业科技有限公司 | MEC-based AMF (advanced metering library) and identity authentication method, construction method and device thereof |
CN112291064A (en) * | 2020-10-10 | 2021-01-29 | 达闼机器人有限公司 | Authentication system, registration and authentication method, device, storage medium and electronic equipment |
WO2022073420A1 (en) * | 2020-10-10 | 2022-04-14 | 达闼机器人有限公司 | Authentication system, registration and authentication method, apparatus, storage medium, and electronic device |
WO2022135380A1 (en) * | 2020-12-26 | 2022-06-30 | 西安西电捷通无线网络通信股份有限公司 | Identity authentication method and apparatus |
CN115314278A (en) * | 2022-08-04 | 2022-11-08 | 长扬科技(北京)股份有限公司 | Trusted network connection identity authentication method, electronic equipment and storage medium |
CN115314278B (en) * | 2022-08-04 | 2023-06-30 | 长扬科技(北京)股份有限公司 | Trusted network connection identity authentication method, electronic equipment and storage medium |
CN119232752A (en) * | 2024-11-29 | 2024-12-31 | 福建省电子政务建设运营有限公司 | Embedded timing task log management method and system |
Also Published As
Publication number | Publication date |
---|---|
CN103491540B (en) | 2016-05-25 |
Similar Documents
Publication | Title |
---|---|
CN103491540B (en) | Wireless local area network two-way access authentication system and method based on identity certificates |
CN111371730B (en) | Lightweight authentication method supporting anonymous access of heterogeneous terminal in edge computing scene |
CN110087239B (en) | Anonymous access authentication and key agreement method and device based on 5G network |
US8321663B2 (en) | Enhanced authorization process using digital signatures |
WO2017185999A1 (en) | Method, apparatus and system for encryption key distribution and authentication |
CN105554747B (en) | Wireless network connecting method, apparatus and system |
CN104754581B (en) | A security authentication method for LTE wireless networks based on a public-key cryptosystem |
US20180199205A1 (en) | Wireless network connection method and apparatus, and storage medium |
CN102036238B (en) | Method for realizing user and network authentication and key distribution based on public key |
CN110958229A (en) | Credible identity authentication method based on block chain |
US20090240941A1 (en) | Method and apparatus for authenticating device in multi domain home network environment |
US20110320802A1 (en) | Authentication method, key distribution method and authentication and key distribution method |
CN103929745B (en) | Wireless MESH network access authentication system and method based on privacy protection |
CN102404347A (en) | Mobile internet access authentication method based on public key infrastructure |
WO2010012203A1 (en) | Authentication method, re-certification method and communication device |
CN101119196A (en) | A two-way authentication method and system |
CN106534050A (en) | Method and device for realizing key agreement of virtual private network (VPN) |
CN103188080A (en) | Method and system for secret key certification consultation of terminal to terminal based on identity label |
CN117278330B (en) | Lightweight networking and secure communication method for electric power Internet of things equipment network |
CN114884698A (en) | Kerberos and IBC security domain cross-domain authentication method based on alliance chain |
CN105744522B (en) | WMN anonymous access authentication system and method based on proxy ring signature |
CN110166445A (en) | Identity-based privacy-protecting anonymous authentication and key negotiation method |
CN100544247C (en) | Security capability negotiation method |
CN101715190A (en) | System and method for realizing authentication of terminal and server in WLAN (Wireless Local Area Network) |
CN112399407B (en) | 5G network authentication method and system based on DH ratchet algorithm |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20160525 |