CN1124759C - Safe access method of mobile terminal to radio local area network - Google Patents

Abstract

The present invention relates to a safe access method of a mobile terminal to a wireless local area network. When a mobile terminal MT logs in a wireless access point AP, a certificate authorization center CA is adopted to carry out bidirectional identity authentication to the mobile terminal MT and the wireless access point AP. If the authentication is successful, the mobile terminal MT holding a legal certificate is accessed to the wireless access point AP holding a legal certificate, or else the wireless access point AP rejects the access of the mobile terminal MT, or the mobile terminal MT rejects to log in the wireless access point AP. The method mainly comprises the steps: the authentication of the certificate, and the private key verification of the mobile terminal MT. The present invention solves the problem that the effective and safe access control is not carried out to the mobile terminal MT in a wireless local area network WLAN, and the secrecy limitation problem of data communication on a wireless link is solved. The present invention can not only realize the access control of the mobile terminal MT but also ensure the access security and high communication security. The mobile terminal MT can be logged are local places and foreign places, and the roaming function of the mobile terminal MT is supported.

Description

The safety access method of mobile terminal of wireless local area network

Technical field

The present invention relates to a kind of safety access method of mobile terminal of wireless local area network, it is the product that wireless communication technology combines with cryptographic technique.

Background technology

The target of personal communication makes people at any time write to each other arbitrarily with all other men exactly, freely enjoys the multiple business that network provides.The wide-band wireless IP technology will be at present the most popular two big technology---IP technology and wireless communication technology organically merge, and comply with broadband development trend, for mobile host or portable terminal is provided convenience, fast, internet Internet access service at a high speed, to adapt to people to express network and the ever-increasing demand of multimedia communication service.WLAN (wireless local area network) WLAN (Wireless LocalArea Network) not only supports mobile computing, and have flexibility, agility and an extensibility of framework, based on WLAN (wireless local area network), as shown in Figure 1 based on the BRAN structural representation of Internet.It mainly is made up of portable terminal MT (Mobile Terminal), wireless access point AP (Access Point) and wireless access server WAS equipment such as (Wireless Access Server), wherein portable terminal MT can move arbitrarily in net, wireless access point AP realizes comprising the cell management of handover, to management and the bridging functionality of portable terminal MT, wireless access server WAS realizes the internetwork roaming management of wireless access terminal.Insert Internet from fixedly being linked into mobile wireless, the wide-band wireless IP technology has been brought new idea and huge impact for world's network environment.The application of this system will be more extensive, and the occasion that is difficult in commerce NET (mainly being company intranet), organization user's network (as public security, finance, Government departments etc.), cell networks (as school, hospital, residential area etc.), remote monitoring or centralized monitor etc., casual network (as temporary meeting etc.), outdoor mobile subscriber, wiring, the occasion that needs often change etc. are all very useful.

For WLAN (wireless local area network), its safety problem is more than serious many of wired ethernet, and the WLAN (wireless local area network) means of having introduced several levels solve safety problem for this reason.At first be by each wireless access point AP being provided with different service set identifier SSID (Service Set ID), and provide corresponding business group identifier SSID when forcing portable terminal MT to insert, thereby can allow the user of different groups to insert, and the authority of resource access is distinguished restriction.But utilizing service set identifier SSID is the most a kind of authentication mode, is more rudimentary safety certification, as long as because anyone knows that service set identifier SSID just can access network.Next is an address limitation, promptly stops unauthorized visit by media interviews control MAC (the Medium Access Control) address table that the portable terminal MT wireless network card that is authorized to is set on wireless access point AP.But the not so difficult acquisition of the media interviews of wireless network card control MAC Address, and can forge, so this also belongs to more low-level authorization identifying.In a word, above dual mode can not be controlled the access of portable terminal MT effectively, more can't ensure the confidentiality of communication.

Except that above-mentioned two kinds of methods, a kind of measure of more employings at present is the international standards (IEEE802.11) according to WLAN (wireless local area network) WLAN, introduces in WLAN (wireless local area network) WLAN and with WEP wired equivalence (Wired Equivalent Privacy) privacy mechanism data is carried out encrypted transmission based on RC-4.The WEP algorithm adopts single key system, and promptly encryption and decryption is same key, and its length is 64 or 128.Wherein 40 or 104 is standing part, be called initialization key, the i.e. key that is provided with at wireless access point AP and portable terminal MT, remaining 24 is variable part, be called initialization vector, this vector is changed by the drive software of network interface card in communication process, that is to say that to be used for encrypted secret key variable, and this has guaranteed the confidentiality of radio communication to a certain extent.But because the regularity that initialization vector changes, the RC-4 algorithm be subject to attacking property, therefore the safe coefficient of WEP algorithm is not high, prior to discovery in March calendar year 2001, they point out to adopt the WLAN of WEP algorithm only can be broken at 5 hours to this point by one research group of California, USA university.Reason wherein is explained as follows: suppose that the initialization vector value increases progressively 1 rapid change with every frame, every frame length is 1500 bytes, and data transmission rate is 11 megabit per seconds, and then the cycle of initialization vector repetition is: Promptly just can obtain two frame ciphertexts, just can guess or calculate initial key values thus through same secret key encryption every 5 hours.Here it must be noted that the length of key does not influence the time of its decoding, the complexity that has just increased conjecture or calculated.August calendar year 2001 two Israel Zi Man Wei research institutes the expert and the researcher of a Cisco System Co.---three whole world top decoding experts have carried out the WEP safety test, they are according to the sub-fraction data of stealing in the network, less than promptly cracking the key that WLAN uses, AT﹠amp simultaneously in one hour; T laboratory research group also successfully cracks with same method.Safety problem has become one of major obstacle that hinders the application popularization of wireless IP technology, how to insert the most important thing that Internet just becomes wide-band wireless IP system research safely.

Summary of the invention

The invention solves in the background technology and portable terminal MT is not carried out the circumscribed technical problem of data communication security on effective safe access control and the Radio Link among the WLAN (wireless local area network) WLAN.

Technical solution of the present invention is:

A kind of safety access method of mobile terminal of wireless local area network, it is characterized in that: when portable terminal MT logins to wireless access point AP, adopt certificate authorization center CA that portable terminal MT and wireless access point AP are carried out bidirectional identity authentication, if authentication success, the portable terminal MT that holds legal certificate inserts the wireless access point AP of holding legal certificate, otherwise wireless access point AP refusal portable terminal MT inserts or portable terminal MT refusal is logined to wireless access point AP; Its key step comprises

1]. the authentication of certificate

The authentication of described certificate is meant adopts certificate authorization center CA that portable terminal MT and wireless access point AP are carried out bidirectional identity authentication, the authentication of certificate when the authentication of certificate and strange land were inserted when it comprised local the access; The authentication of certificate was meant certificate verification request, access authentication request, access authentication response and certificate verification response when described this locality was inserted; The authentication of certificate was meant certificate verification request, access authentication request, strange land authentication request, strange land authentication response, access authentication response and certificate verification response when described strange land was inserted;

2]. the private key checking of portable terminal MT

The private key checking of described portable terminal MT comprises private key, the checking of response private key and the checking private key signature of requests verification portable terminal MT.

The authentication of certificate was meant when above-mentioned this locality was inserted

1]. the certificate verification request, it comprises that portable terminal MT sends the certificate verification request message to wireless access point AP, and portable terminal MT certificate and the current system time that is called the certificate verification request time are mail to wireless access point AP;

2]. the access authentication request, after it comprises that wireless access point AP is received portable terminal MT certificate verification request, send the access authentication request to local certificate authorization center CA server, with portable terminal MT certificate, certificate verification request time, wireless access point AP certificate and with the private key of wireless access point AP these three signatures that carry out are constituted the access authentication request messages and send to local certificate authorization center CA;

3]. the access authentication response, after it comprises that local certificate authorization center CA is received the access authentication request of wireless access point AP, the signature of checking wireless access point AP, if incorrect, then verification process failure, otherwise further verify portable terminal MT certificate; Local certificate authorization center CA is judged portable terminal MT certificate whether in local CRL, if, then verification process is failed, otherwise, authentication success; Last local certificate authorization center CA constitutes the access authentication response message with portable terminal MT certificate verification object information, wireless access point AP certificate verification object information and sends back to wireless access point AP;

4]. the certificate verification response, it access authentication response message that comprises that wireless access point AP is returned local certificate authorization center CA carries out signature verification, obtains the authentication result of portable terminal MT certificate; Wireless access point AP is formed the certificate verification response message with authentication result, the wireless access point AP certificate verification object information of portable terminal MT and is recycled to portable terminal MT, portable terminal MT just obtains the authentication result of wireless access point AP certificate, and the local certificate verification process between portable terminal MT and the wireless access point AP is finished.

The authentication of certificate was meant when above-mentioned strange land was inserted

1]. the certificate verification request, it is that portable terminal MT sends the certificate verification request message to wireless access point AP, and portable terminal MT certificate and the current system time that is called the certificate verification request time are mail to wireless access point AP;

2]. the access authentication request, it is after wireless access point AP is received portable terminal MT certificate verification request, send the access authentication request to local certificate authorization center CA server, with portable terminal MT certificate, certificate verification request time, wireless access point AP certificate and with the private key of wireless access point AP these three signatures that carry out are constituted the access authentication request messages and send to local certificate authorization center CA;

3]. the strange land authentication request, it is after local certificate authorization center CA is received the access authentication request of wireless access point AP, the signature of checking wireless access point AP, if incorrect, then verification process failure; Otherwise, after having verified the legitimacy of wireless access point AP certificate, further verify portable terminal MT certificate again, local certificate authorization center CA outwards certificate authorization center CA is sent the strange land authentication request, with the certificate of wireless access point AP certificate, wireless access point AP certificate verification result, portable terminal MT certificate, local certificate authorization center CA, certificate verification request time and with the private key of local certificate authorization center CA these five the signatures formation strange land authentication request packets that carry out is sent to nonlocal certificate authorization center CA by Internet;

4]. the strange land authentication response, it is the signature that nonlocal certificate authorization center CA is received the local certificate authorization center CA of checking behind the message, if incorrect, authentification failure then, otherwise, judge that portable terminal MT certificate is whether in CRL; If, then verification process failure, otherwise, authentication success; Last nonlocal certificate authorization center CA is formed strange land authentication response message with the certificate of portable terminal MT certificate verification object information, wireless access point AP certificate verification object information, nonlocal certificate authorization center CA and with the private key of nonlocal certificate authorization center CA to these three signatures that carry out, and sends back to local certificate authorization center CA by Internet again;

5]. the access authentication response, it is that local certificate authorization center CA is received the strange land authentication response message that nonlocal certificate authorization center CA is returned, verify the signature of nonlocal certificate authorization center CA, if it is incorrect, authentification failure then, otherwise change the signature of nonlocal certificate authorization center CA in the portable terminal MT certificate verification object information signature of local certificate authorization center CA into, will change portable terminal MT certificate verification object information behind the signature and wireless access point AP certificate verification object information again and constitute and insert response message and be transmitted back to wireless access point AP;

6]. the certificate verification response, its access authentication response message that is wireless access point AP is returned local certificate authorization center CA carries out signature verification, obtains the authentication result of portable terminal MT certificate; Wireless access point AP is formed the certificate verification response message with authentication result, the wireless access point AP certificate verification object information of portable terminal MT and is recycled to portable terminal MT, portable terminal MT just obtains the authentication result of wireless access point AP certificate, and the strange land certificate verification process between portable terminal MT and the wireless access point AP is finished.

During above-mentioned local the access, portable terminal MT certificate verification object information be meant portable terminal MT certificate, portable terminal MT certificate verification result and with the private key of local certificate authorization center CA to this signature of two; Described wireless access point AP certificate verification object information be meant wireless access point AP certificate, wireless access point AP certificate verification result, certificate verification request time and with the private key of local certificate authorization center CA to this signature of three.

When above-mentioned strange land is inserted, portable terminal MT certificate verification object information in the authentication response message of strange land, be meant portable terminal MT certificate, portable terminal MT certificate verification result and with the private key of nonlocal certificate authorization center CA to this signature of two, in the access authentication response message, be meant portable terminal MT certificate, portable terminal MT certificate verification result and with the private key of local certificate authorization center CA to this signature of two; Described wireless access point AP certificate verification object information be meant wireless access point AP certificate, wireless access point AP certificate verification result, certificate verification request time and with the private key of nonlocal certificate authorization center CA to this signature of three.

In the checking of above-mentioned portable terminal MT private key

1]. described requests verification portable terminal MT private key is that wireless access point AP produces data at random, and it is passed to portable terminal MT;

2]. described response private key checking is after portable terminal MT receives the checking private key request message of wireless access point AP, to utilize private key to sign to the random data that receives, and the result that will sign returns to wireless access point AP;

3]. described checking private key signature is the private key signature that wireless access point AP is received portable terminal MT, utilize this signature of public key verifications of portable terminal MT certificate, if be proved to be successful, then wireless access point AP allows portable terminal MT to insert, otherwise refuse its access, the portable terminal MT that then has legal certificate and respective private keys thereof successfully inserts the wireless access point AP with legal certificate, and wireless access point AP is finished the safe access control of portable terminal MT.

When logining to wireless access point AP, adopt above-mentioned portable terminal MT certificate authorization center CA that portable terminal MT and wireless access point AP are carried out bidirectional identity authentication, its step comprises session key agreement, described session key agreement is after portable terminal MT and wireless access point AP certificate verification and private key are proved to be successful, both sides consult to generate session key, are used for the encryption and decryption of communication data message.

Above-mentioned session key agreement comprises static the negotiation and dynamic negotiation, and described static negotiation is meant with the other side's PKI and the private key of oneself carries out session key agreement, and described dynamic negotiation comprises that activation key is consulted, response key is consulted and session key generates.

In the dynamic negotiation of above-mentioned session key

1]. it is that portable terminal MT or wireless access point AP produce a random data that described activation key is consulted, utilize the public key encryption of wireless access point AP or portable terminal MT after, send request key agreement message to wireless access point AP or portable terminal MT;

2]. it is after wireless access point AP or portable terminal MT receive that key agreement that portable terminal MT or wireless access point AP are sent activates message that described response key is consulted, utilize the private key of oneself to be decrypted, obtain the random data that the other side produces, then, the local random data that produces, after utilizing the public key encryption of portable terminal MT or wireless access point AP, respond the key negotiation response message to portable terminal MT or wireless access point AP;

3]. it is that portable terminal MT and wireless access point AP all utilize own two random data that produce respectively with the other side to generate session key in this locality that described session key generates, and communicates the encryption and decryption of data message.

The present invention has following advantage:

The present invention is based on public key certificate mechanism, solved among the WLAN (wireless local area network) WLAN and portable terminal MT has not been carried out data communication security limitation problem on effective and safe access control and the Radio Link, not only realize the access control of portable terminal MT, and ensured the fail safe that inserts, the high security of communication.But portable terminal MT can also login in the strange land this locality, supports the roaming function of portable terminal MT.

The explanation of accompanying drawing drawing

Fig. 1 is the structural representation of prior art wide-band wireless IP system;

Fig. 2 is the physical structure schematic diagram that the present invention is based on the wireless LAN safety Verification System of certificate authorization center CA;

Fig. 3 is the local identifying procedure figure that inserts of portable terminal MT of the present invention;

The identifying procedure figure that Fig. 4 inserts for portable terminal MT of the present invention strange land.

Embodiment

The physical structure schematic diagram that is based on the wireless LAN safety Verification System of certificate authorization center CA (Certification Authorities) shown in Figure 2.Wherein the certificate authorization center CA system is a sandwich construction.Adopt X.509 public key certificate mechanism, when portable terminal MT logins to wireless access point AP, must the certificate of utility mandate carry out bidirectional identity authentication, that is to say that the portable terminal MT that only holds legal certificate could insert the wireless access point AP of holding legal certificate heart CA.If authentication success, then wireless access point AP allows portable terminal MT to insert, otherwise wireless access point AP refusal portable terminal MT inserts or portable terminal MT refusal is logined to wireless access point AP.Whole authentication process comprises certificate verification, private key checking and three steps of session key agreement, as shown in Figure 3, Figure 4.Wherein adopt the certificate of form X.509 mainly to comprise the term of validity, the certificate holder's of sequence number, the certificate authority person's of certificate title, certificate title, certificate holder's public key information, signature algorithm that the certificate authority person adopts and certificate authority person contents such as signature to certificate.1. certificate verification

1). the verification process of certificate during local the access

Portable terminal MT holds the certificate that local certificate authorization center CA is issued, and the identifying procedure of certificate is as follows during local the access:

A). the certificate verification request.Portable terminal MT sends the certificate verification request message to wireless access point AP, is about to portable terminal MT certificate and mails to wireless access point AP with the current system time that is called the certificate verification request time;

B). the access authentication request.After wireless access point AP is received portable terminal MT certificate verification request, send the access authentication request to local certificate authorization center CA server, be about to portable terminal MT certificate, certificate verification request time, wireless access point AP certificate and these three the signatures formation access authentication request messages that carry out sent to local certificate authorization center CA with the private key of wireless access point AP;

C). the access authentication response.After local certificate authorization center CA is received the access authentication request of wireless access point AP, the signature of checking wireless access point AP, if incorrect, then verification process failure, otherwise further verify portable terminal MT certificate.Local certificate authorization center CA is judged portable terminal MT certificate whether in local CRL, if, then verification process is failed, otherwise, authentication success; Last local certificate authorization center CA (comprises portable terminal MT certificate with portable terminal MT certificate verification object information, portable terminal MT certificate verification result, with the private key of local certificate authorization center CA to this signature of two) (comprise the wireless access point AP certificate with wireless access point AP certificate verification object information, wireless access point AP certificate verification result, the certificate verification request time, with the private key of local certificate authorization center CA to these three signatures that carry out) constitute the access authentication response message and send back to wireless access point AP;

D). the certificate verification response.The access authentication response message that wireless access point AP is returned local certificate authorization center CA carries out signature verification, just obtains the authentication result of portable terminal MT certificate.Wireless access point AP is formed the certificate verification response message with authentication result, the wireless access point AP certificate verification object information of portable terminal MT and is recycled to portable terminal MT, and portable terminal MT just obtains the authentication result of wireless access point AP certificate.So far finished the verification process of local certificate between portable terminal and the wireless access point AP.

2). the verification process of certificate when the strange land is inserted

Portable terminal MT holds the certificate that nonlocal certificate authorization center CA is issued, and the identifying procedure of certificate was as follows when the strange land was inserted:

A). the certificate verification request.Portable terminal MT sends the certificate verification request message to wireless access point AP, is about to portable terminal MT certificate and mails to wireless access point AP with the current system time that is called the certificate verification request time;

B). the access authentication request.After wireless access point AP is received portable terminal MT certificate verification request, send the access authentication request to local certificate authorization center CA server, be about to portable terminal MT certificate, certificate verification request time, wireless access point AP certificate and these three the signatures formation access authentication request messages that carry out sent to local certificate authorization center CA with the private key of wireless access point AP;

C). the strange land authentication request.After local certificate authorization center CA is received the access authentication request of wireless access point AP, the signature of checking wireless access point AP, if incorrect, then verification process failure; Otherwise after having verified the legitimacy of wireless access point AP certificate, further verify portable terminal MT certificate again.Local certificate authorization center CA outwards certificate authorization center CA is sent the strange land authentication request, is about to the certificate, certificate verification request time of wireless access point AP certificate, wireless access point AP certificate verification result, portable terminal MT certificate, local certificate authorization center CA and with the private key of local certificate authorization center CA this signature of five formation strange land authentication request packet is sent to nonlocal certificate authorization center CA by Internet;

D). the strange land authentication response.The other places certificate authorization center CA is received the signature of the local certificate authorization center CA of checking behind the message, if incorrect, and authentification failure then; Otherwise judge that portable terminal MT certificate is whether in CRL.If, then verification process failure, otherwise, authentication success.Last nonlocal certificate authorization center CA (comprises portable terminal MT certificate with portable terminal MT certificate verification object information, portable terminal MT certificate verification result and with the private key of nonlocal certificate authorization center CA to this signature of two), wireless access point AP certificate verification object information (comprises the wireless access point AP certificate, wireless access point AP certificate verification result, the certificate verification request time and with the private key of nonlocal certificate authorization center CA to these three signatures that carry out), the certificate of other places certificate authorization center CA and with the private key of nonlocal certificate authorization center CA to this signature of three composition strange land authentication response message, send back to local certificate authorization center CA by Internet again;

E). the access authentication response.Local certificate authorization center CA is received the strange land authentication response message that nonlocal certificate authorization center CA is returned, verify the signature of nonlocal certificate authorization center CA, if it is incorrect, authentification failure then, otherwise change the signature of nonlocal certificate authorization center CA in the portable terminal MT certificate verification object information signature of local certificate authorization center CA into, will change portable terminal MT certificate verification object information behind the signature and wireless access point AP certificate verification object information again and constitute and insert response message and be transmitted back to wireless access point AP;

F). the certificate verification response.The access authentication response message that wireless access point AP is returned local certificate authorization center CA carries out signature verification, just obtains the authentication result of portable terminal MT certificate.Wireless access point AP is formed the certificate verification response message with authentication result, the wireless access point AP certificate verification object information of portable terminal MT and is recycled to portable terminal MT, and portable terminal MT just obtains the authentication result of wireless access point AP certificate.So far finished the verification process of strange land certificate between portable terminal and the wireless access point AP.2. the private key of portable terminal MT checking

After the certificate verification success, can not prove the legitimacy of portable terminal MT identity fully, must verify also whether it holds and the corresponding private key of certificate.Process is as follows:

A). the private key of requests verification portable terminal MT.Wireless access point AP produces data at random, and length and content pass to portable terminal MT with it all at random;

B). the checking of response private key.Portable terminal MT utilizes private key to sign to the random data that receives after receiving the checking private key request message of wireless access point AP, and the result that will sign returns to wireless access point AP;

C). the checking private key signature.Wireless access point AP is received the private key signature of portable terminal MT, utilizes this signature of public key verifications of portable terminal MT certificate, if be proved to be successful, then wireless access point AP allows portable terminal MT to insert, otherwise refuses its access.So far, the portable terminal MT with legal certificate and respective private keys thereof just successfully inserts has the wireless access point AP of legal certificate, thereby finishes the safe access control function of wireless access point AP to portable terminal MT.3. session key agreement

After portable terminal MT and wireless access point AP certificate verification and private key are proved to be successful, promptly finished the successful login of portable terminal MT.This moment, both sides utilized the other side's PKI and the private key of oneself to generate session key at this machine, and the method for this generation session key is called the static negotiation of key.Both sides are used for the encryption and decryption of communication data message with the session key that negotiates, thereby realize the wireless security secure communication between portable terminal MT and the wireless access point AP.Yet it should be noted that in validity period of certificate, portable terminal MT and wireless access point AP between session key constant all the time, in order to accomplish the every key of every session, need carry out the dynamic negotiation of session key.The process that dynamic key is consulted is as follows:

A). activation key is consulted.Portable terminal MT or wireless access point AP produce a random data, utilize the public key encryption of wireless access point AP or portable terminal MT after, send request key agreement message to wireless access point AP or portable terminal MT;

B). response key is consulted.Wireless access point AP or portable terminal MT utilize the private key of oneself to be decrypted after receiving that key agreement that portable terminal MT or wireless access point AP send activates message, obtain the random data of the other side's generation.The local then random data that produces, utilize the public key encryption of portable terminal MT or wireless access point AP after, respond the key negotiation response message to portable terminal MT or wireless access point AP;

C). session key generates.Portable terminal MT and wireless access point AP all utilize own two random data that produce respectively with the other side to generate session key in this locality, be used for the encryption and decryption of communication data message.

In order further to improve the confidentiality of communication, portable terminal MT communicate by letter with wireless access point AP a period of time or exchange the message of some after, can also carry out the negotiation again of session key.In addition, the safe access control of wireless access point AP to portable terminal MT finished in certificate verification and private key checking, and session key agreement has then fully guaranteed the high communication security between portable terminal MT and the wireless access point AP.

What particularly point out is: in the specific implementation process, certificate verification, private key checking and three processes of session key negotiation can be carried out in proper order, also can intersect and carry out, and also can merge and carry out.

Claims (9)

1. the safety access method of a mobile terminal of wireless local area network, it is characterized in that: when portable terminal MT logins to wireless access point AP, adopt certificate authorization center CA that portable terminal MT and wireless access point AP are carried out bidirectional identity authentication, if authentication success, the portable terminal MT that holds legal certificate inserts the wireless access point AP of holding legal certificate, otherwise wireless access point AP refusal portable terminal MT inserts or portable terminal MT refusal is logined to wireless access point AP; Its key step comprises

1]. the authentication of certificate

The authentication of described certificate is meant adopts certificate authorization center CA that portable terminal MT and wireless access point AP are carried out bidirectional identity authentication, the authentication of certificate when the authentication of certificate and strange land were inserted when it comprised local the access; The authentication of certificate was meant certificate verification request, access authentication request, access authentication response and certificate verification response when described this locality was inserted; The authentication of certificate was meant certificate verification request, access authentication request, strange land authentication request, strange land authentication response, access authentication response and certificate verification response when described strange land was inserted;

2]. the private key checking of portable terminal MT

The private key checking of described portable terminal MT comprises private key, the checking of response private key and the checking private key signature of requests verification portable terminal MT.

2. the safety access method of mobile terminal of wireless local area network according to claim 1 is characterized in that: the authentication of certificate is meant during described local the access

1]. the certificate verification request, it comprises that portable terminal MT sends the certificate verification request message to wireless access point AP, and portable terminal MT certificate and the current system time that is called the certificate verification request time are mail to wireless access point AP;

2]. the access authentication request, after it comprises that wireless access point AP is received portable terminal MT certificate verification request, send the access authentication request to local certificate authorization center CA server, with portable terminal MT certificate, certificate verification request time, wireless access point AP certificate and with the private key of wireless access point AP these three signatures that carry out are constituted the access authentication request messages and send to local certificate authorization center CA;

3]. the access authentication response, after it comprises that local certificate authorization center CA is received the access authentication request of wireless access point AP, the signature of checking wireless access point AP, if incorrect, then verification process failure, otherwise further verify portable terminal MT certificate; Local certificate authorization center CA is judged portable terminal MT certificate whether in local CRL, if, then verification process is failed, otherwise, authentication success; Last local certificate authorization center CA constitutes the access authentication response message with portable terminal MT certificate verification object information, wireless access point AP certificate verification object information and sends back to wireless access point AP;

4]. the certificate verification response, it access authentication response message that comprises that wireless access point AP is returned local certificate authorization center CA carries out signature verification, obtains the authentication result of portable terminal MT certificate; Wireless access point AP is formed the certificate verification response message with authentication result, the wireless access point AP certificate verification object information of portable terminal MT and is recycled to portable terminal MT, portable terminal MT just obtains the authentication result of wireless access point AP certificate, and the local certificate verification process between portable terminal MT and the wireless access point AP is finished.

3. the safety access method of mobile terminal of wireless local area network according to claim 1 is characterized in that: the authentication of certificate was meant when described strange land was inserted

1]. the certificate verification request, it is that portable terminal MT sends the certificate verification request message to wireless access point AP, and portable terminal MT certificate and the current system time that is called the certificate verification request time are mail to wireless access point AP;

2]. the access authentication request, it is after wireless access point AP is received portable terminal MT certificate verification request, send the access authentication request to local certificate authorization center CA server, with portable terminal MT certificate, certificate verification request time, wireless access point AP certificate and with the private key of wireless access point AP these three signatures that carry out are constituted the access authentication request messages and send to local certificate authorization center CA;

3]. the strange land authentication request, it is after local certificate authorization center CA is received the access authentication request of wireless access point AP, the signature of checking wireless access point AP, if incorrect, then verification process failure; Otherwise, after having verified the legitimacy of wireless access point AP certificate, further verify portable terminal MT certificate again, local certificate authorization center CA outwards certificate authorization center CA is sent the strange land authentication request, with the certificate of wireless access point AP certificate, wireless access point AP certificate verification result, portable terminal MT certificate, local certificate authorization center CA, certificate verification request time and with the private key of local certificate authorization center CA this signature of five formation strange land authentication request packet is sent to nonlocal certificate authorization center CA by the internet;

4]. the strange land authentication response, it is the signature that nonlocal certificate authorization center CA is received the local certificate authorization center CA of checking behind the message, if incorrect, authentification failure then, otherwise, judge portable terminal MT certificate whether in CRL, if, then verification process failure, otherwise, authentication success; Last nonlocal certificate authorization center CA is formed strange land authentication response message with the certificate of portable terminal MT certificate verification object information, wireless access point AP certificate verification object information, nonlocal certificate authorization center CA and with the private key of nonlocal certificate authorization center CA to this signature of three, sends back to local certificate authorization center CA by the internet again;

5]. the access authentication response, it is that local certificate authorization center CA is received the strange land authentication response message that nonlocal certificate authorization center CA is returned, verify the signature of nonlocal certificate authorization center CA, if it is incorrect, authentification failure then, otherwise change the signature of nonlocal certificate authorization center CA in the portable terminal MT certificate verification object information signature of local certificate authorization center CA into, will change portable terminal MT certificate verification object information behind the signature and wireless access point AP certificate verification object information again and constitute and insert response message and be transmitted back to wireless access point AP;

6]. the certificate verification response, its access authentication response message that is wireless access point AP is returned local certificate authorization center CA carries out signature verification, obtains the authentication result of portable terminal MT certificate; Wireless access point AP is formed the certificate verification response message with authentication result, the wireless access point AP certificate verification object information of portable terminal MT and is recycled to portable terminal MT, portable terminal MT just obtains the authentication result of wireless access point AP certificate, and the strange land certificate verification process between portable terminal MT and the wireless access point AP is finished.

4. the safety access method of mobile terminal of wireless local area network according to claim 2 is characterized in that: described portable terminal MT certificate verification object information be meant portable terminal MT certificate, portable terminal MT certificate verification result and with the private key of local certificate authorization center CA to this signature of two; Described wireless access point AP certificate verification object information comprise wireless access point AP certificate, wireless access point AP certificate verification result, certificate verification request time and with the private key of local certificate authorization center CA to this signature of three.

5. the safety access method of mobile terminal of wireless local area network according to claim 3, it is characterized in that: described portable terminal MT certificate verification object information in the authentication response message of strange land, be meant portable terminal MT certificate, portable terminal MT certificate verification result and with the private key of nonlocal certificate authorization center CA to this signature of two, in the access authentication response message, be meant portable terminal MT certificate, portable terminal MT certificate verification result and with the private key of local certificate authorization center CA to this signature of two; Described wireless access point AP certificate verification object information be meant wireless access point AP certificate, wireless access point AP certificate verification result, certificate verification request time and with the private key of nonlocal certificate authorization center CA to this signature of three.

6. according to the safety access method of claim 1 or 2 or 3 described mobile terminal of wireless local area network, it is characterized in that: in the checking of described portable terminal MT private key

1]. described requests verification portable terminal MT private key is that wireless access point AP produces data at random, and it is passed to portable terminal MT;

2]. described response private key checking is after portable terminal MT receives the checking private key request message of wireless access point AP, to utilize private key to sign to the random data that receives, and the result that will sign returns to wireless access point AP;

3]. described checking private key signature is the private key signature that wireless access point AP is received portable terminal MT, utilize this signature of public key verifications of portable terminal MT certificate, if be proved to be successful, then wireless access point AP allows portable terminal MT to insert, otherwise refuse its access, the portable terminal MT that then has legal certificate and respective private keys thereof successfully inserts the wireless access point AP with legal certificate, and wireless access point AP is finished the safe access control of portable terminal MT.

7. the safety access method of mobile terminal of wireless local area network according to claim 6, it is characterized in that: adopt certificate authorization center CA that portable terminal MT and wireless access point AP are carried out bidirectional identity authentication when described portable terminal MT logins to wireless access point AP, its step comprises session key agreement, described session key agreement is after portable terminal MT and wireless access point AP certificate verification and private key are proved to be successful, both sides consult to generate session key, are used for the encryption and decryption of communication data message.

8. the safety access method of mobile terminal of wireless local area network according to claim 7, it is characterized in that: described session key agreement comprises static the negotiation and dynamic negotiation, described static negotiation is meant with the other side's PKI and the private key of oneself carries out session key agreement, and described dynamic negotiation comprises that activation key is consulted, response key is consulted and session key generates.

9. the safety access method of mobile terminal of wireless local area network according to claim 8 is characterized in that: in the dynamic negotiation of described session key

1]. it is that portable terminal MT or wireless access point AP produce a random data that described activation key is consulted, utilize the public key encryption of wireless access point AP or portable terminal MT after, send request key agreement message to wireless access point AP or portable terminal MT;

2]. it is after wireless access point AP or portable terminal MT receive that key agreement that portable terminal MT or wireless access point AP are sent activates message that described response key is consulted, utilize the private key of oneself to be decrypted, obtain the random data that the other side produces, then, the local random data that produces, after utilizing the public key encryption of portable terminal MT or wireless access point AP, respond the key negotiation response message to portable terminal MT or wireless access point AP;

3]. it is that portable terminal MT and wireless access point AP all utilize own two random data that produce respectively with the other side to generate session key in this locality that described session key generates, and communicates the encryption and decryption of data message.

Images