WO2008101426A1 - Roaming authentication method based on the WAPI certificate - Google Patents

Roaming authentication method based on the WAPI certificate

Info

Publication number: WO2008101426A1
Authority: WO, WIPO (PCT)
Prior art keywords: certificate, network server, server, external network, authentication
Application number: PCT/CN2008/070242
Other languages: English (en), Chinese (zh)
Inventors: Bianling Zhang, Jun Cao, Xiaolong Lai, Zhenhai Huang, Benteng Ma, Yuan Jiang
Original Assignee: China Iwncomm Co., Ltd.; China Mobile Group Design Institute Co., Ltd.
Priority date: 2007-02-16 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2008-02-02
Publication date: 2008-08-28
Application filed by China Iwncomm Co., Ltd. and China Mobile Group Design Institute Co., Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys

Definitions

  • The invention relates to the field of network security access systems, in particular to a WAPI-based certificate roaming authentication method.
  • IP networks carry a wide variety of services and have become involved in all aspects of the national economy and social life.
  • Wireless IP networks transmit data over radio waves, which takes the physical openness of the network to a new level.
  • Secure access therefore becomes a key issue in the safe operation of the network.
  • WLAN: Wireless Local Area Network
  • GB15629.11, GB15629.1102
  • Amendment No. 1 to the national standard, GB 15629.11-2003/XG1-2006, and the related sub-standards GB15629.1101, GB/T 15629.1103 and GB15629.1104 were also promulgated and implemented, so that the WLAN national standard system was initially formed.
  • The standard system uses the WLAN Authentication and Privacy Infrastructure (WAPI) security mechanism to ensure that legitimate users access a legitimate network and that communication between users and the network is secure.
  • WAPI: WLAN Authentication and Privacy Infrastructure
  • The WLAN gives users wireless access to the network, so that they are no longer tied to one Internet cable but can move flexibly, meeting users' need to access the network.
  • In a nationwide operation the network covers all geographic regions of the country, the number of users is very large, and roaming occurs frequently. How authentication is handled in the roaming case is the key to the normal operation of the network.
  • WAPI provides security mechanisms based on certificates and on pre-shared keys, of which the certificate mechanism is the one suited to an operated network; however, the prior art, including the WLAN national standard, only defines the interface for certificate authentication by the AS and how to implement it, and gives no specific implementation for certificate roaming authentication.
  • The invention provides a WAPI-based certificate roaming authentication method, which solves the certificate roaming authentication problem that arises in the background art when the WAPI security mechanism is used.
  • The invention is a WAPI-based certificate roaming authentication method comprising the following steps: after the user roams to the remote network, the terminal is started, the WAPI security mechanism is enabled, and the terminal associates with the wireless access point;
  • the wireless access point sends an authentication activation packet, and the terminal determines whether to trust the external network server according to the identity of the server trusted by the wireless access point AP carried in the authentication activation packet; when it decides to trust the external network server, it adds the identity of the external network server to the access authentication request packet;
  • after receiving the access authentication request packet, the wireless access point sends a certificate authentication request to the external network server; the external network server obtains the client's home network server information from the client certificate and determines whether the home network server is in the external network server's trust list;
  • if the external network server holds a valid home network server certificate, it uses that home network server certificate to verify the validity of the terminal STA certificate, queries the certificate revocation list server, and determines the certificate authentication result for the terminal and the wireless access point;
  • the authentication result is signed, and the certificate authentication response packet is returned to the wireless access point and the terminal in the protocol format specified by the national standard;
  • the wireless access point and the terminal verify the signature of the external network server and perform the corresponding access control according to the certificate authentication result.
  • The step in which the terminal determines whether to trust the external network server according to the identity of the server trusted by the wireless access point AP in the authentication activation packet further includes:
  • the terminal uses the locally stored root server certificate to verify the external network server certificate; if it is legal, the external network server is added to the terminal's trusted server list and the next step follows; if the certificate is illegal, the certificate is discarded.
  • The step of adding the identity of the external network server F-AS to the access authentication request packet specifically consists of adding the identity of the external network server F-AS to the "ASUE trusted ASU list" field of the access authentication request packet.
  • The method further includes: when the home network server is not in the trust list, the external network server requests the home network server certificate from the certificate server; after obtaining it, the external network server verifies the home network server certificate with the locally stored root server certificate; if it is legal, the home network server is added to the external network server's trusted server list and the next steps follow; if the certificate is illegal, the certificate is discarded.
  • The invention provides an authentication method for the WAPI-based certificate roaming process that conforms to the national standard for wireless local area networks.
  • The invention is based on the national standard for wireless local area networks (LAN).
  • LAN: wireless local area network
  • Full two-way authentication is still used, ensuring that only legitimate users can access a legitimate network.
  • Certificates obtained over the network are verified by signature, which ensures their security.
  • The authentication process can be completed entirely locally, and only one server signature is needed in the certificate authentication response, which shortens the authentication time and improves authentication efficiency. When users roam there is no need to change the certificate at a business hall, so seamless roaming network access is achieved.
  • Figure 1 shows the topology of the WLAN operation application network.
  • The invention solves the problem of certificate roaming authentication when the WAPI security mechanism is applied in the background art, and provides a WAPI-based certificate roaming authentication method that is secure, efficient and convenient.
  • The present invention is further described in detail below.
  • The network generally includes a root server R-AS (Root Authentication Server) 101, a certificate server CS (Certificate Server) 102, and a certificate revocation list server CRLS (Certificate Revocation List Server) 103.
  • The root server R-AS 101 issues certificates for all servers AS in the network;
  • the certificate server CS 102 stores all server AS certificates;
  • the revocation list server CRLS 103 stores all revoked certificates of the entire network.
  • The local network of a WLAN operation generally includes a server AS (such as the external network server F-AS 112 or the home network server H-AS 122), an access controller AC (Access Controller) 114, a RADIUS server 115, wireless access points AP (Access Point) (such as the first wireless access point AP 123 and the second wireless access point AP 113) and the terminal STA 111, where the server AS issues certificates to the terminal STA and the wireless access point AP, the access controller AC 114 implements service access control for users, and the RADIUS server 115 implements functions such as storage of user account information and charging.
  • The specific steps of the roaming authentication are as follows: 1) The terminal STA 111 obtains the certificate of the external network server F-AS (Foreign Authentication Server) 112 and establishes a trust relationship; 1.1) After the user roams to the remote network, the terminal STA 111 is started, the WAPI security mechanism is enabled, and the terminal associates with the second wireless access point AP 113;
  • F-AS: Foreign Authentication Server
  • the second wireless access point AP 113 sends an authentication activation packet, and the terminal STA 111 determines whether to trust the external network server F-AS 112 according to the identity of the server trusted by the second wireless access point AP 113 carried in the authentication activation packet;
  • if the external network server F-AS 112 is not in the trusted server list of the terminal STA 111, the terminal STA 111 requests the certificate of the external network server F-AS from the certificate server CS 102; after obtaining the F-AS certificate, the terminal STA 111 verifies it using the locally stored root server R-AS certificate. If it is legal, the F-AS is added to the trusted server list of the terminal STA 111 and the process proceeds to step 2); if the certificate is illegal, the STA discards the certificate;
  • after receiving the access authentication request packet, the second wireless access point AP 113 sends a certificate authentication request to the external network server F-AS 112, and the external network server F-AS 112 obtains the home network server information of the terminal STA 111 from the terminal STA certificate.
  • The external network server F-AS 112 determines whether the home network server H-AS 122 is in the trust list of the external network server F-AS 112; if the external network server F-AS 112 already holds the legal home network server H-AS certificate, the process proceeds directly to step 2.3); when the home network server H-AS 122 is not in the trust list, the external network server F-AS 112 requests the home network server H-AS certificate from the certificate server CS 102.
  • After obtaining the home network server H-AS certificate, the external network server F-AS 112 verifies it using the locally stored root server R-AS certificate; if it is legal, the H-AS is added to the trusted server list of the external network server F-AS 112 and the process proceeds to step 2.3); if the certificate is illegal, the certificate is discarded;
  • the external network server F-AS 112 verifies the legality of the terminal STA certificate using the legal home network server H-AS certificate, queries the certificate revocation list server CRLS 103, determines the certificate authentication result for the terminal STA 111 and the second wireless access point AP 113, signs the authentication result, and returns the certificate authentication response packet to the second wireless access point AP 113 and the terminal STA in the protocol format specified by the national standard;
  • the second wireless access point AP 113 and the terminal STA 111 verify the signature of the external network server F-AS and perform the corresponding access control according to the certificate authentication result.
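The roaming flow in the steps above (the STA trusts the F-AS by checking its certificate against the locally stored R-AS certificate; the F-AS trusts the H-AS the same way, verifies the STA and AP certificates, consults the revocation list and signs a single result; STA and AP verify that signature), as an added Go example that is not part of the patent or of any WAPI implementation. It assumes Ed25519 signatures and a toy certificate structure in place of the GB 15629.11 certificate format, and every name (R-AS, H-AS, F-AS, AP-113, STA-111, rogue-CA), the certificate server contents and the revocation list are constructed here. It goes beyond the text by exercising two failure modes the steps only name: a revoked STA certificate, and an F-AS certificate not issued by R-AS, which the terminal must discard.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Cert is a minimal stand-in for a WAPI certificate (assumption: the real GB 15629.11 format
// is not modelled): subject, issuer, public key and the issuer's Ed25519 signature over those.
type Cert struct {
	Subject, Issuer string
	PubKey          ed25519.PublicKey
	Sig             []byte
}
func (c Cert) tbs() []byte { return append([]byte(c.Subject+"|"+c.Issuer+"|"), c.PubKey...) }

// verifyCert checks that c was signed by the holder of issuer's key.
func verifyCert(c, issuer Cert) bool {
	return c.Issuer == issuer.Subject && ed25519.Verify(issuer.PubKey, c.tbs(), c.Sig)
}

// Entity is any party with a key pair, certificate and trusted server list (R-AS, H-AS, F-AS, AP, STA).
type Entity struct {
	Priv    ed25519.PrivateKey
	Cert    Cert
	Trusted map[string]Cert
}
func newEntity(name string) *Entity {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	return &Entity{Priv: priv, Cert: Cert{Subject: name, PubKey: pub}, Trusted: map[string]Cert{}}
}

// issue signs subject's certificate with e's key (R-AS issues to ASs; an AS issues to STA and AP).
func (e *Entity) issue(subject *Entity) {
	subject.Cert.Issuer = e.Cert.Subject
	subject.Cert.Sig = ed25519.Sign(e.Priv, subject.Cert.tbs())
}

// Infra is the constructed certificate server CS (all AS certificates) and revocation list CRLS.
type Infra struct{ CS map[string]Cert; Revoked map[string]bool }
// trustServer is the step shared by STA (towards F-AS) and F-AS (towards H-AS): use the trusted list
// if present, else fetch from CS and verify against the locally stored root certificate; add or discard.
func (e *Entity) trustServer(name string, root Cert, infra *Infra) (Cert, error) {
	if c, ok := e.Trusted[name]; ok {
		return c, nil
	}
	c, ok := infra.CS[name]
	if !ok || !verifyCert(c, root) {
		return Cert{}, errors.New("discarding " + name + " certificate: missing or not issued by R-AS")
	}
	e.Trusted[name] = c
	return c, nil
}
// AuthResult is the certificate authentication result that F-AS signs and STA/AP verify.
type AuthResult struct{ STAOK, APOK bool }
func (r AuthResult) bytes() []byte { return []byte(fmt.Sprintf("sta=%t,ap=%t", r.STAOK, r.APOK)) }
// authenticate is the F-AS side of step 2: trust the home server named as the STA certificate's
// issuer, verify STA (with H-AS) and AP (issued by F-AS itself), consult the CRL, sign the result.
func (fas *Entity) authenticate(sta, ap, root Cert, infra *Infra) (AuthResult, []byte, error) {
	has, err := fas.trustServer(sta.Issuer, root, infra)
	if err != nil {
		return AuthResult{}, nil, err
	}
	res := AuthResult{STAOK: verifyCert(sta, has) && !infra.Revoked[sta.Subject],
		APOK: verifyCert(ap, fas.Cert) && !infra.Revoked[ap.Subject]}
	return res, ed25519.Sign(fas.Priv, res.bytes()), nil
}

// RunRoaming builds a constructed topology (R-AS, H-AS, F-AS, AP-113, STA-111) and runs the flow;
// revokeSTA puts the STA certificate on the CRL, badFAS gives F-AS a certificate not issued by R-AS.
func RunRoaming(revokeSTA, badFAS bool) (AuthResult, error) {
	ras, has, fas := newEntity("R-AS"), newEntity("H-AS"), newEntity("F-AS")
	ap, sta := newEntity("AP-113"), newEntity("STA-111")
	ras.issue(ras) // self-signed root; ras.Cert is what STA and F-AS hold locally
	ras.issue(has)
	map[bool]*Entity{false: ras, true: newEntity("rogue-CA")}[badFAS].issue(fas) // rogue issuer if badFAS
	fas.issue(ap)
	has.issue(sta)
	infra := &Infra{CS: map[string]Cert{"H-AS": has.Cert, "F-AS": fas.Cert},
		Revoked: map[string]bool{"STA-111": revokeSTA}}
	// Step 1: STA learns the F-AS identity from the AP's authentication activation packet.
	fasCert, err := sta.trustServer("F-AS", ras.Cert, infra)
	if err != nil {
		return AuthResult{}, err
	}
	// Step 2: AP forwards the access authentication request; F-AS authenticates and signs.
	res, sig, err := fas.authenticate(sta.Cert, ap.Cert, ras.Cert, infra)
	if err != nil {
		return AuthResult{}, err
	}
	// STA and AP verify the F-AS signature before acting on the result.
	if !ed25519.Verify(fasCert.PubKey, res.bytes(), sig) {
		return AuthResult{}, errors.New("bad F-AS signature on certificate authentication response")
	}
	return res, nil
}

func main() { fmt.Println(RunRoaming(false, false)) }
```

Running it prints the result of a normal roaming attempt; `RunRoaming(true, false)` shows the STA refused while the AP still verifies, and `RunRoaming(false, true)` returns an error from the terminal's trust step before any authentication request is sent. The shared `trustServer` method is the point of the design: the terminal's check of the foreign server and the foreign server's check of the home server are the same root-anchored verification, so one trusted-server list and one code path cover both the step 1 and the step 2 checks of the patent.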

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention relates to a roaming authentication method based on the WAPI certificate, comprising the following steps: 1) a terminal obtains the certificate of a foreign authentication server and establishes a trust relationship; 2) WAPI roaming authentication is performed. The present invention aims to solve the roaming authentication problem that arises when a WAPI security policy is used in the background technologies. To this end, the proposed roaming authentication method based on the WAPI certificate is highly secure, efficient and convenient.
PCT/CN2008/070242 2007-02-16 2008-02-02 Roaming authentication method based on the WAPI certificate WO2008101426A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNB2007100174501A CN100496156C (zh) 2007-02-16 2007-02-16 A WAPI-based certificate roaming authentication method
CN200710017450.1 2007-02-16

Publications (1)

Publication Number Publication Date
WO2008101426A1 true WO2008101426A1 (fr) 2008-08-28

Family

ID=38727110

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070242 WO2008101426A1 (fr) 2007-02-16 2008-02-02 Roaming authentication method based on the WAPI certificate

Country Status (2)

Country Link
CN (1) CN100496156C (fr)
WO (1) WO2008101426A1 (fr)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100496156C (zh) * 2007-02-16 2009-06-03 西安西电捷通无线网络通信有限公司 A WAPI-based certificate roaming authentication method
CN100456726C (zh) * 2007-03-15 2009-01-28 北京安拓思科技有限责任公司 Implementation method for WAPI-based Internet access authentication
CN103260161B (zh) * 2008-02-29 2016-01-27 华为技术有限公司 Terminal security state assessment method, network device and system
CN100593936C (zh) 2008-05-09 2010-03-10 西安西电捷通无线网络通信有限公司 A WAPI-based roaming authentication method
CN101568147A (zh) * 2009-05-15 2009-10-28 刘建 Method and apparatus for timeout handling in a wireless LAN authentication infrastructure
CN101583083B (zh) * 2009-06-01 2011-11-30 中兴通讯股份有限公司 Implementation method for real-time data services and real-time data service system
CN106330828B (zh) * 2015-06-25 2020-02-18 联芯科技有限公司 Secure network access method and terminal device
CN112312395B (zh) * 2019-07-17 2023-03-31 中国电信股份有限公司 WAPI certificate centralized distribution method and system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1707024A1 (fr) * 2004-01-23 2006-10-04 Nokia Corporation Improvements in authentication and authorization in heterogeneous networks
CN1564626A (zh) * 2004-03-22 2005-01-12 西安电子科技大学 Secure wireless LAN access method based on a roaming key exchange authentication protocol
US20060135155A1 (en) * 2004-12-20 2006-06-22 Institute For Information Industry Method for roaming authentication in public wireless LAN
CN101018411A (zh) * 2007-02-16 2007-08-15 西安西电捷通无线网络通信有限公司 A WAPI-based certificate roaming authentication method

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101895884A (zh) * 2010-06-29 2010-11-24 北京星网锐捷网络技术有限公司 Method, system and apparatus for WAPI certificate renewal
CN115314895A (zh) * 2022-08-09 2022-11-08 中国电信股份有限公司 WAPI user authentication method, system and visited-location AS
CN115314895B (zh) * 2022-08-09 2024-05-14 中国电信股份有限公司 WAPI user authentication method, system and visited-location AS

Also Published As

Publication number Publication date
CN100496156C (zh) 2009-06-03
CN101018411A (zh) 2007-08-15

Similar Documents

Publication Publication Date Title
WO2008101426A1 (fr) Roaming authentication method based on the WAPI certificate
CN101616410B (zh) Access method and system for a cellular mobile communication network
US8417951B2 (en) Roaming authentication method based on WAPI
CN101212297B (zh) Web-based WLAN access authentication method and system
JP4820826B2 (ja) Access authentication method suitable for wired and wireless networks
KR101198570B1 (ko) Method, apparatus and system for ID-based wireless multi-hop network authentication access
US8689283B2 (en) Security access control method and system for wired local area network
RU2414086C2 (ru) Application authentication
CN110086821A (zh) Blockchain-based authentication method for power IoT gateway and power IoT terminal access
CN100448196C (zh) A WAPI-based wireless LAN operation method
US20090240941A1 (en) Method and apparatus for authenticating device in multi domain home network environment
US20120131329A1 (en) Method and System for Accessing 3rd Generation Network
US20090063851A1 (en) Establishing communications
WO2010108347A1 (fr) Method and system for updating and using digital certificates
CN110267270B (zh) Identity authentication method for sensor terminals in a substation accessing an edge gateway
WO2008034361A1 (fr) Method for acquiring and authenticating the status of a public key certificate
WO2010078492A2 (fr) Authentication method selection using a home evolved Node B profile
WO2008002081A1 (fr) Method and apparatus for authenticating a device in a multi-domain home network environment
US20080148044A1 (en) Locking carrier access in a communication network
CN101527907B (zh) Wireless LAN access authentication method and wireless LAN system
WO2010102497A1 (fr) Roaming authentication and service authorization method based on the WLAN authentication and privacy infrastructure (WAPI)
CN104518874A (zh) Network access control method and system
CN1225941C (zh) Roaming access method for mobile nodes in a wireless IP system
CN100512110C (zh) Method for WAPI-based WLAN operation using a single terminal certificate
WO2008080353A1 (fr) Wireless LAN operation method based on the WLAN authentication and privacy infrastructure (WAPI)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 08706618; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 08706618; Country of ref document: EP; Kind code of ref document: A1