Nothing Special   »   [go: up one dir, main page]

CN100456725C - Network system and method for obtaining the public key certificate for WAPI - Google Patents

Network system and method for obtaining the public key certificate for WAPI Download PDF

Info

Publication number
CN100456725C
CN100456725C CNB2007100644352A CN200710064435A CN100456725C CN 100456725 C CN100456725 C CN 100456725C CN B2007100644352 A CNB2007100644352 A CN B2007100644352A CN 200710064435 A CN200710064435 A CN 200710064435A CN 100456725 C CN100456725 C CN 100456725C
Authority
CN
China
Prior art keywords
public key
key certificate
asu
hasu
sta
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB2007100644352A
Other languages
Chinese (zh)
Other versions
CN101018174A (en
Inventor
胡鹤飞
袁东明
刘元安
唐碧华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING ANTROSE TECHNOLOGY Co Ltd
Original Assignee
BEIJING ANTROSE TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BEIJING ANTROSE TECHNOLOGY Co Ltd filed Critical BEIJING ANTROSE TECHNOLOGY Co Ltd
Priority to CNB2007100644352A priority Critical patent/CN100456725C/en
Publication of CN101018174A publication Critical patent/CN101018174A/en
Application granted granted Critical
Publication of CN100456725C publication Critical patent/CN100456725C/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The network system obtaining public key certificate for WAPI only adds a DCS to store public key certificates of all ASUs and IP address and port number in whole network. The method for obtaining the public key certificate is also simple. This invention makes it easy to build trustiness between STS and ASU, solves the certification difficulty for roaming user, and has wide application future.

Description

The network system of obtaining public key certificate and the method that are used for WAPI
Technical field
The present invention relates to a kind of safe practice of WLAN (wireless local area network), exactly, relate to the network system of obtaining public key certificate and the method for a kind of WAPI of being used for, belong to wireless communication technology field.
Background technology
Along with developing rapidly of WLAN (wireless local area network), its safety problem is subjected to people's attention day by day.Two kinds of link verification mechanism of the open system of international standard ISO IEC 8802-11 definition and shared key and wired reinforcement equivalent privacy WEP (Wired Equivalency Privacy) security protocol solve safety problem; But security breaches still exist.In order to remedy the leak that security protocol among the ISO IEC 8802-11 exists, China was respectively at 2003 and issued the standard GB 15629.11/1102 and the GB 15629.11-2003/XG1-2006/1101/1103/1104 of a series of WLAN (wireless local area network) in 2006.GB 15629.11 has overcome the deficiency of conventional security scheme.These standards are the security protocols with independent intellectual property right of being worked out and being proposed by Chinese wide-band wireless IP standard operation group: WAPI WAPI (WLANAuthentication and Privacy Infrastructure), it is the safety encipher standard that is used for 802.11 existing associated transport agreements of standard.Its major technique feature comprises: adopt public key cryptography technology, realize access control, data confidentiality and data integrity etc.The WAPI agreement comprises two parts: wireless local area network authentication infrastructure WAI (WLAN Authentication Infrastructure) and wireless local area network security foundation structure WPI (WLAN Privacy Infrastructure), wherein, WAI is used to finish user's identity discriminating and key management, is the basis of realizing WAPI.
Insert the technical scheme of operation based on the Internet of WAPI,, must be easy to dispose, meet that existing business is carried out and management process for operator; Simultaneously must be seamless integrated with existing WLAN access service, for example: must support the supplementary service of WAPI, must support WAPI as the access service that is independent of the WLAN business as existing WLAN business.For the user, the program of transacting business must be simple, and meet the custom of handling of existing business; The occupation mode of the quick and easy broadband wireless access business of using and managing of user security must be provided; Use the interface necessary friendly, simple to operate.
WAPI is a kind of safety certification confidentiality foundation structure, it can provide safe service for the user, but, introduce the transmission security performance of WAPI standard solution data at WLAN after, the WAPI standard has also been brought following new problem and difficulty for disposing based on the broadband internet access service of WLAN: the obtaining and problem of management of digital certificates, and the user is when roaming and the trust problem between the network of roaming place.These problems still are not resolved so far.Following brief description it:
(1) obtaining and problem of management of digital certificates: the WAPI wireless network adopts the rivest, shamir, adelman of two keys, promptly is provided with PKI-public-key cryptography and private key-private cipher key; In information exchanging process, the Party A generates pair of secret keys and PKI is passed to the Party B, after the Party B obtains this PKI, sends to the Party A again after using this cipher key pair information to encrypt; The Party A is decrypted enciphered message with the private key that oneself is preserved again.The Party A must use its private key (private key) deciphering by any information behind its public key encryption.Each user terminal in the network all has its unique digital certificates-user certificate.User certificate is to issue public key certificate by certificate server ASU for this terminal earlier, and the client software request user by terminal imports its challenge password again, just generates after private key is encrypted.Because user certificate shows the voucher of its identity when being user terminal use WAPI network, must manage these public key certificate, to guarantee safety.The safety management of public key certificate comprises the public key certificate preserved on the supervising the network how and how issues the problem of public key certificate to user terminal.But, because the restriction of user's technical merit and the physical constraints of digital certificates carrier can't just be issued public key certificate for the user when user's transacting business.Therefore at first need to solve the problem of issuing of user's electronic certificate.
(2) user's roaming in other places; When the user roams the strange land, need with the roaming place certificate server ASU relation of breaking the wall of mistrust, therefore the user need hold roaming place ASU public key certificate, yet, because user's ownership place certificate server HASU and roaming place certificate server ASU lack the mutual trust relation between the two, thereby can't finish authentication, also can't provide the ASU public key certificate to the user to this user identity.
Therefore, how to design the network system of obtaining public key certificate and its implementation of a kind of WAPI of being used for, make the operation technical scheme of internet access authentication can better solve issuing and problem of management of user's electronic certificate, for user (especially roaming in other places user) provides safer, WAPI service easily, become one of focus that present WAPI those skilled in the art pay close attention to and study.
Summary of the invention
In view of this, the purpose of this invention is to provide the network system of obtaining public key certificate and the implementation method of a kind of WAPI of being used for, this network architecture is simple, and the operating procedure of obtaining public key certificate is also fairly simple, realizes easily; But, can provide the wireless access authentication service for user, especially roaming in other places user well.
In order to achieve the above object, the invention provides the network system of obtaining public key certificate of a kind of WAPI of being used for, comprise: the internet, telecommunications network, what be arranged in telecommunications network provides certificate server HASU and a plurality of certificate server ASU that lay respectively at each local network and the access controller AC, the wireless access point AP that directly are connected with aaa server, each certificate server ASU and each network and the terminal STA that the WAPI wireless network card is housed of aaa server, the user ascription area of authentication, mandate and charging service for the user; STA is during by AP and AC access network, undertaken just allowing STA access local networks after identity differentiates by the client public key certificate between ASU and the STA; It is characterized in that: this system also includes a catalogue certificate server DCS, this catalogue certificate server DCS internal memory contains the ASU public key certificate of each certificate server in the network and IP address and the port numbers that certificate server ASU issues the client public key certificate, return the HASU public key certificate so that obtain the ASU of request to proposition HASU public key certificate, the HASU public key certificate that this ASU can be utilized obtain is differentiated STA, realizes that the WAPI network connects; Simultaneously when terminal STA need break the wall of mistrust with the ASU of roaming place the relation and when DCS applies for the ASU public key certificate of this roaming place, DCS returns the ASU public key certificate of this roaming place to STA, so that terminal STA is differentiated current network, foundation realizes that to the trust of local networks the WAPI network connects; And receive the terminal STA request when issuing the client public key certificate as this catalogue certificate server DCS, then this DCS selects its ownership place certificate server HASU according to the STA ownership place earlier, issue client public key certificate by this HASU server to the terminal STA that proposes the request of client public key certificate authority by the client public key certificate authority interface of this HASU again, and Returning catalogue certificate server DCS, DCS sends to terminal STA by the catalogue certificate server, so that this STA obtains the trust to network, realize that the WAPI network connects.
The information that safeguard in catalogue certificate server DCS data in server storehouse in the described system includes: the IP address and the port numbers that are used for the client public key certificate authority of the user name of client public key certificate and password thereof, HASU issued in the request of user rs authentication terminal STA.
Described terminal STA is when installing client software, the HASU public key certificate of its client public key certificate or its ownership place certificate server is not installed, therefore, when terminal STA is used first, must issue the client public key certificate at the auxiliary request HASU down of DCS for it earlier, and download and install the HASU public key certificate of the certificate server of its ownership place from catalogue certificate server DCS, to obtain trust to local network.
Described each certificate server ASU stores, safeguards the ASU tabulation of trusting separately respectively, when the ownership place certificate server HASU that roams into local STA is not in the ASU tabulation that local ASU trusts, described STA will obtain the HASU public key certificate of its ownership place to catalogue certificate server DCS, so that roaming place ASU can differentiate the legitimacy of this HASU public key certificate; The ASU tabulation that described terminal STA all stores respectively, safeguard is separately trusted, when the ASU of this terminal STA roaming place is not in the ASU tabulation that this terminal STA is trusted, this terminal STA is obtained the ASU public key certificate of roaming place to certificate server DCS, is used to judge the legitimacy of this roaming place ASU.
In order to achieve the above object, the present invention also provides a kind of method of obtaining public key certificate that adopts above-mentioned network system, it is characterized in that: when user terminal was before the ownership place wireless network carries out the WAPI connection, the flow process that this user terminal obtains the client public key certificate comprised following operating procedure:
(1) STA downloads the HASU public key certificate of ownership place certificate server: when user terminal STA uses client software first at ownership place, will download the HASU public key certificate of ownership place earlier, to obtain the trust to local network; Detailed process is: STA downloads the HASU public key certificate to the DCS server requests earlier, and the DCS server is after this terminal STA is returned the HASU public key certificate, and terminal STA will be differentiated this HASU public key certificate; If differentiate successfully, then keep this HASU public key certificate, this HASU identity is added in the trusted ASU tabulation of STA; If differentiate failure, then abandon this HASU public key certificate;
(2) the client public key certificate is issued in the STA request: terminal STA is in order to use the secure data transmission of WAPI, and auxiliary at DCS is that STA issues the client public key certificate by ownership place certificate server HASU down; Detailed process is: terminal STA generates private key and client public key at random, submits to client public key and request to issue the client public key certificate for it to the DCS server; The username and password checking STA legitimacy of DCS server by utilizing storage, to the STA that is proved to be successful, earlier, submit client public key to this HASU again, and to ask this HASU be that terminal STA is issued the client public key certificate according to this user terminal STA ownership place choice of location ownership place HASU; Return success the client public key certificate of signature at HASU after, DCS returns the client public key certificate of having signed to this user terminal STA, finishes client public key certificate authority process;
Described step (1) further comprises following content of operation:
(11) the HASU public key certificate of ownership place is downloaded in the STA request, connects the DCS server;
(12) aaa server is finished the authentication to STA;
(13) terminal STA sends the request of downloading ownership place certificate server HASU public key certificate to the DCS server, comprises the HASU identity in this information, i.e. the HASU title;
(14) the DCS server returns the HASU public key certificate to terminal STA;
(15) terminal STA is differentiated the true and false of HASU public key certificate, if differentiate successfully, then keeps this HASU public key certificate, and this HASU is added in the ASU tabulation trusty; Otherwise, abandon this HASU public key certificate.
Described step (2) further comprises following content of operation:
(21) user starts the client public key certificate process of issuing on terminal, and the username and password of client public key certificate is issued in the input request; At this moment, automated randomized generation private key for user of terminal STA and client public key;
(22) the client public key certificate is issued in the terminal STA request, connects the DCS server again;
(23) aaa server is finished the authentication to terminal STA;
(24) terminal STA is submitted client public key to the DCS server, and the client public key certificate is issued in request; This information comprises terminal user name and password and the client public key information that the client public key certificate is issued in request;
(25) the DCS server is differentiated username and password, as differentiates success, then submits client public key to this terminal attaching ground HASU, asks to this user terminal STA issues the client public key certificate, and order is carried out subsequent operation; Otherwise, return failure response to terminal STA, end operation;
(26) HASU signs to client public key, and successful client public key certificate of signing is returned to the DCS server, and the DCS server returns success the client public key certificate of issuing to terminal STA again;
In order to achieve the above object, the present invention provides a kind of method that adopts above-mentioned network system to obtain certificate again, it is characterized in that: when user terminal was before the roaming place wireless network carries out the WAPI connection, the flow process that this user terminal obtains user ASU public key certificate comprised following operating procedure:
(1) STA downloads the public key certificate of roaming place certificate server ASU: when the user roams into the strange land, earlier will with the roaming place ASU relation of breaking the wall of mistrust, promptly to download the public key certificate of roaming place ASU earlier, to obtain trust to local network; Detailed process is: each terminal STA is all safeguarded the ASU tabulation of trusting separately, if the ASU that terminal STA connects by AP is not in this ASU tabulation trusty the time, terminal STA is downloaded this ASU public key certificate to the DCS server requests earlier, the DCS server is after terminal STA is returned the ASU public key certificate, this terminal STA will be differentiated this ASU public key certificate, if differentiate successfully, then keep this ASU public key certificate, this ASU is added in the trusted ASU tabulation of this STA; If differentiate failure, then abandon this ASU public key certificate;
(2) the ASU trusting relationship of downloading HASU public key certificate: STA and HASU foundation can only guarantee to enter in this locality the WAPI secure network, but can't insert the WAPI network in the roaming place; When the user roamed into the other places, roaming place ASU will judge the legitimacy of this user terminal equally, promptly will utilize its ownership place HASU public key certificate to differentiate the public key certificate of this user terminal STA, and with the private key of oneself the certificate identification result be signed; If ASU does not have the public key certificate of HASU, then to download the HASU public key certificate to the DCS application.
Described step (1) further comprises following content of operation:
(11) the ASU public key certificate of roaming place is downloaded in the STA request, connects the DCS server;
(12) aaa server is finished the authentication to STA;
(13) terminal STA comprises the ASU identity, i.e. the ASU title to the request of the ASU public key certificate of DCS server transmission download roaming place in this information;
(14) the DCS server returns the ASU public key certificate of this roaming place to terminal STA;
(15) terminal STA is differentiated the ASU public key certificate, if differentiate successfully, then keeps this ASU public key certificate, and this ASU is added in its ASU tabulation trusty; Otherwise, abandon this ASU public key certificate.
Described step (2) further comprises following content of operation:
(21) ASU starts the process of the ownership place HASU public key certificate that obtains roaming terminal;
(22) ASU initiates to obtain the request of HASU public key certificate to the DCS server, comprises the information of HASU identity in this request;
(23) the DCS server returns the HASU public key certificate to this ASU;
(24) ASU differentiates the HASU public key certificate that obtains; If differentiate successfully, then keep this HASU public key certificate, this HASU is added in its trusted ASU tabulation; If differentiate failure, then abandon the HASU public key certificate.
The present invention is the network system of obtaining public key certificate and the method for a kind of WAPI of being used for, its innovation point and beneficial effect are: set up a catalogue certificate server DCS in network system, this DCS server stores has IP address and the port numbers that can issue each ownership place HASU of public key certificate for user terminal STA, can assist STA to obtain the public key certificate of user terminal, make the user obtain legal identity; Also store all ASU public key certificate of the whole network, download its public key certificate to the ASU that proposes authentication application, to obtain trust to network; Can assist ASU to finish the download of HASU public key certificate again, make ASU obtain trust, and then obtain trust STA to HASU.The DCS server that system of the present invention introduces has solved the problem that STA and ASU obtain public key certificate preferably, make between STA and the ASU than being easier to set up mutual trusting relationship, also solved the distrust problem of user's roaming in other places between network simultaneously, DCS assisting users terminal STA and ASU finish the download of public key certificate respectively, set up simultaneously the trusting relationship between the two in passing, make the user when roaming into the strange land, still can enjoy the network service of WAPI safety.In a word, the download that enforcement of the present invention can be better finished public key certificate for user terminal, especially roaming in other places user terminal is obtained and authentication service, has good popularization and application prospect.
Description of drawings
Fig. 1 is that the network architecture of issuing the Internet certificate that the present invention is based on WAPI is formed schematic diagram.
Fig. 2 is the certificate of the implementation method flow diagram network system of issuing the Internet certificate that the present invention is based on WAPI is issued to(for) LUT.
Fig. 3 is the concrete operations step sequential chart of step among Fig. 2 (1).
Fig. 4 is the concrete operations step sequential chart of step among Fig. 2 (2).
Fig. 5 is the certificate of the implementation method flow diagram network system of issuing the Internet certificate that the present invention is based on WAPI is issued to(for) the roaming place user terminal.
Fig. 6 is the concrete operations step sequential chart of step among Fig. 5 (2).
Embodiment
For making the purpose, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below in conjunction with accompanying drawing.
Referring to Fig. 1, the concrete structure of introducing the network system of the realization internet access authentication that the present invention is based on WAPI is formed, comprise: the internet, telecommunications network WAN, be arranged in the aaa server of telecommunications network WAN, the HASU certificate server of user ascription area, the a plurality of ASU certificate servers that lay respectively at each local network (carry out the identity discriminating by certificate between ASU and the STA, so that user terminal inserts local networks), with catalogue certificate server DCS, and and aaa server, the access controller AC that each certificate server ASU and all-network directly link to each other, wireless access point AP and the terminal STA (comprising: notebook computer, PDA etc.) that the WAPI wireless network card is housed; STA is during by AP and AC access network, undertaken just allowing STA access local networks after identity differentiates by the client public key certificate between ASU and the STA; Wherein catalogue certificate server DCS is the network element device that this system sets up, be used for storage networking each certificate server the ASU public key certificate and issue the IP address and the port numbers of client public key certificate, return the HASU public key certificate so that obtain the ASU of application to proposition HASU public key certificate, the HASU public key certificate that this ASU can be utilized obtain is differentiated STA, realizes that the WAPI network connects; And when terminal STA need break the wall of mistrust with the ASU of roaming place the relation and when DCS applies for the ASU public key certificate of this roaming place, DCS returns the ASU public key certificate of this roaming place to STA, so that terminal STA is differentiated local networks, set up trust to local networks, realize that the WAPI network connects; This catalogue certificate server DCS receives the terminal STA request when issuing the client public key certificate, then this DCS selects its ownership place certificate server HASU according to the STA ownership place earlier, issue client public key certificate by this HASU server to the terminal STA that proposes the request of client public key certificate authority by the client public key certificate authority interface of this HASU again, and return to terminal STA, so that this STA obtains the trust to network, realize that the WAPI network connects.
Each certificate server ASU in this system stores, safeguards the ASU tabulation of trusting separately respectively, when the ownership place certificate server HASU that roams into local STA is not in the ASU tabulation that local ASU trusts, this roaming terminal STA will obtain the HASU public key certificate of its ownership place to catalogue certificate server DCS, so that roaming place ASU can differentiate the legitimacy of this HASU public key certificate; The wherein terminal STA ASU tabulation all storing respectively, safeguard separately to be trusted, when the ASU of this terminal STA roaming place is not in the ASU tabulation that this terminal STA is trusted, this terminal STA is obtained the ASU public key certificate of roaming place to certificate server DCS, is used to judge the legitimacy of this roaming place ASU.
Referring to Fig. 2~Fig. 6, introduce the user and carry out the method that public key certificate is obtained in WAPI connection download before:
(1) local operation-introduce user terminal the ownership place wireless network carry out WAPI connect before the time, its user terminal obtains the flow process (referring to Fig. 2) of public key certificate:
(1) STA downloads the HASU public key certificate of ownership place certificate server: when client software is installed, user terminal STA does not install client public key certificate or HASU public key certificate, so when ownership place uses client software first, to download the HASU public key certificate earlier, to obtain trust to local network.Detailed process is: STA downloads the HASU public key certificate to the DCS server requests earlier, and the DCS server is after this terminal STA is returned the HASU public key certificate, and terminal STA will be differentiated this HASU public key certificate; If differentiate successfully, then keep this HASU public key certificate, this HASU is added in the trusted ASU tabulation of STA; If differentiate failure, then abandon this HASU public key certificate.
Specify the sequential chart of this operating procedure referring to Fig. 3:
(11) the HASU public key certificate of ownership place is downloaded in the STA request, connects the DCS server;
(12) Portal of portal website of access controller AC/ operator pushes login page; STA client software interception login page is submitted the access terminals username and password to; Or when terminal was not provided with, the request user imported the access terminals username and password;
(13) AC is included in username and password and issues aaa server (if the user is in the roaming place, then transmits Access Request message and give the ownership place aaa server) in the Access Request message;
(14) aaa server checking username and password success is then returned Access Accept message and is given AC;
(15) AC is transmitted to terminal STA with the success identity information of returning;
(16) terminal STA sends the request of downloading ownership place certificate server HASU public key certificate to the DCS server, comprises the HASU identity in this information, i.e. the HASU title;
(17) the DCS server returns the HASU public key certificate to terminal STA;
(18) terminal STA is differentiated the true and false of HASU public key certificate, if differentiate successfully, then keeps this HASU public key certificate, and this HASU is added in the ASU tabulation trusty; Otherwise, abandon this HASU public key certificate.
(2) the client public key certificate is issued in the STA request: after the user installs client software on computers, just can use the broadband internet access service based on WLAN.Although this moment, the user downloaded the HASU public key certificate, promptly trusted local network, but the user wants to use WAPI to guarantee data transmission security on the Radio Link, and just must assist at DCS is that STA issues the client public key certificate by ownership place certificate server HASU down; Detailed process is: terminal STA generates private key and client public key at random, submits to client public key and request to issue the client public key certificate for it to the DCS server.The username and password checking STA legitimacy of DCS server by utilizing storage, the DSC server stores has the HASU address that can issue public key certificate for the user, to the STA that is proved to be successful, earlier according to this user terminal STA ownership place choice of location ownership place HASU, and to submit client public key to and ask this HASU to this HASU be that terminal STA is issued the client public key certificate.Return success the client public key certificate of signature at HASU after, DCS returns the client public key certificate of having signed to this user terminal STA, finishes client public key certificate authority process.The client software request user of this terminal imports challenge password at last, and private key is encrypted, and generates personal user's certificate file, so that user terminal STA carries this user certificate.
Specify the sequential chart of issuing client public key certificate step when the user uses for the first time referring to Fig. 4:
(21) user starts the client public key certificate process of issuing on terminal, and the username and password of client public key certificate is issued in the input request; At this moment, automated randomized generation private key for user of terminal STA and client public key;
(22) terminal STA connects access controller AC by Open System mode, connects the DCS server again;
(23) AC/Portal pushes login page; Terminal STA interception login page is submitted Internet user's name and password to; Or when the user is not provided with, require the user to input Internet user's name and password;
(24) AC is included in username and password and issues aaa server (if the user is in the roaming place, then transmits Access Request message and give ownership AAA) in the Access Request message; Aaa server is proved to be successful username and password, then returns Access Accept message and gives AC; By AC the success identity information of returning is transmitted to terminal STA;
(25) terminal STA is submitted client public key to the DCS server, and the client public key certificate is issued in request, and this information comprises terminal user name and password and the client public key information that the client public key certificate is issued in request;
(26) the DCS server is differentiated username and password, as differentiates success, then submits client public key to this terminal attaching ground HASU, asks to this user terminal STA issues this client public key certificate, and order is carried out subsequent operation; Otherwise, return failure response to terminal STA, end operation;
(27) HASU signs to client public key, and the client public key certificate that success is signed returns to the DCS server, and the DCS server returns success the client public key certificate of issuing to terminal STA again;
(28) terminal STA request user imports challenge password, and private key is encrypted, and generates the personal certificate file;
(29) terminal STA prompting individual subscriber certificate is downloaded successfully, can activate use; Download startup if WLAN this moment connects by personal certificate, then disconnect WLAN and connect.
(2) roam operation-introduce user terminal the roaming place wireless network carry out WAPI connect before the time, its user terminal obtains the flow process (referring to Fig. 5) of public key certificate:
(1) STA downloads the ASU public key certificate of roaming place certificate server: when the user roams into the strange land, earlier will with the roaming place ASU relation of breaking the wall of mistrust, promptly to download the ASU public key certificate of roaming place earlier, to obtain trust to local network; Detailed process is: each terminal STA is all safeguarded the ASU tabulation of trusting separately, if the ASU that terminal STA connects by AP is not in this ASU tabulation trusty the time, terminal STA is downloaded this ASU public key certificate to the DCS server requests earlier, the DCS server is after terminal STA is returned the ASU public key certificate, this terminal STA will be differentiated this ASU public key certificate, if differentiate successfully, then keep this ASU public key certificate, this ASU is added in the trusted ASU tabulation of this STA; If differentiate failure, then abandon this ASU public key certificate.Need to prove: the sequential chart of downloading the HASU public key certificate among the download roaming place ASU certificate flow process of this step and Fig. 3 is basic identical, repeats no more.
(2) ASU downloads the HASU public key certificate: the trusting relationship of setting up between STA and the HASU can only guarantee to enter the WAPI secure network at its ownership place, but can't insert the WAPI network in the roaming place; Therefore, when user terminal roams into the other places, roaming place ASU will judge the legitimacy of this user terminal equally, promptly will utilize its ownership place HASU public key certificate to differentiate the client public key certificate of this user terminal STA, and with the private key of oneself the certificate identification result be signed; If ASU does not have the HASU public key certificate, then to download the HASU public key certificate to the DCS application.
Specify the sequential chart that ASU downloads HASU public key certificate operating procedure referring to Fig. 6:
(21) ASU starts the process of the ownership place HASU public key certificate that obtains roaming terminal;
(22) ASU initiates to obtain the request of HASU public key certificate to the DCS server, comprises the HASU identity information in this request;
(23) the DCS server returns the HASU public key certificate to this ASU;
(24) ASU differentiates the HASU public key certificate that obtains; If differentiate successfully, then keep this HASU public key certificate, this HASU is added in its trusted ASU tabulation; If differentiate failure, then abandon the HASU public key certificate.
In a word, utilize the present invention, after user terminal downloads is obtained client public key certificate and roaming place ASU public key certificate, just the wireless network of trusted roaming place, after ASU differentiates this terminal by terminal attaching ground HASU, also can differentiate the legitimacy of this user terminal, the relation that breaks the wall of mistrust mutually, thereby safety, convenient service that the user can use the WAPI network to provide.

Claims (10)

1, the network system of obtaining public key certificate of a kind of WAPI of being used for, comprise: the internet, telecommunications network, what be arranged in telecommunications network provides certificate server HASU and a plurality of certificate server ASU that lay respectively at each local network and the access controller AC, the wireless access point AP that directly are connected with aaa server, each certificate server ASU and each network and the terminal STA that the WAPI wireless network card is housed of aaa server, the user ascription area of authentication, mandate and charging service for the user; STA is during by AP and AC access network, undertaken just allowing STA access local networks after identity differentiates by the client public key certificate between ASU and the STA; It is characterized in that: this system also includes a catalogue certificate server DCS, this catalogue certificate server DCS internal memory contains the ASU public key certificate of each certificate server in the network and IP address and the port numbers that certificate server ASU issues the client public key certificate, return the HASU public key certificate so that obtain the ASU of request to proposition HASU public key certificate, the HASU public key certificate that this ASU can be utilized obtain is differentiated STA, realizes that the WAPI network connects; Simultaneously when terminal STA need break the wall of mistrust with the ASU of roaming place the relation and when DCS applies for the ASU public key certificate of this roaming place, DCS returns the ASU public key certificate of this roaming place to STA, so that terminal STA is differentiated current network, foundation realizes that to the trust of local networks the WAPI network connects; And receive the terminal STA request when issuing the client public key certificate as this catalogue certificate server DCS, then this DCS selects its ownership place certificate server HASU according to the STA ownership place earlier, issue client public key certificate by this HASU server to the terminal STA that proposes the request of client public key certificate authority by the client public key certificate authority interface of this HASU again, and Returning catalogue certificate server DCS, DCS sends to terminal STA by the catalogue certificate server, realizes that the WAPI network connects.
2, network system according to claim 1 is characterized in that: the information of the database maintenance of the catalogue certificate server DCS in the described system includes: be used for the IP address and the port numbers that are used for the client public key certificate authority that the user name of client public key certificate and password thereof, HASU are issued in verification terminal STA request.
3, network system according to claim 1, it is characterized in that: described terminal STA is when installing client software, the HASU public key certificate of its client public key certificate or its ownership place certificate server is not installed, therefore, when terminal STA is used first, must earlier issue the client public key certificate for it, and download and install the HASU public key certificate of the certificate server of its ownership place, to obtain trust local network from catalogue certificate server DCS at the auxiliary request down of DCS HASU.
4, network system according to claim 1, it is characterized in that: described each certificate server ASU stores, safeguards the ASU tabulation of trusting separately respectively, when the ownership place certificate server HASU that roams into local STA is not in the ASU tabulation that local ASU trusts, described STA will obtain the HASU public key certificate of its ownership place to catalogue certificate server DCS, so that roaming place ASU can differentiate the legitimacy of this HASU public key certificate; The ASU tabulation that described terminal STA all stores respectively, safeguard is separately trusted, when the ASU of this terminal STA roaming place is not in the ASU tabulation that this terminal STA is trusted, this terminal STA is obtained the ASU public key certificate of roaming place to certificate server DCS, is used to judge the legitimacy of this roaming place ASU.
5, a kind of method of obtaining public key certificate that adopts the described network system of claim 1, it is characterized in that: when user terminal was before the ownership place wireless network carries out the WAPI connection, the flow process that this user terminal obtains the client public key certificate comprised following operating procedure:
(1) STA downloads the HASU public key certificate of ownership place certificate server: when user terminal STA uses client software first at ownership place, will download the HASU public key certificate of ownership place earlier, to obtain the trust to local network; Detailed process is: STA downloads the HASU public key certificate to the DCS server requests earlier, and the DCS server is after this terminal STA is returned the HASU public key certificate, and terminal STA will be differentiated this HASU public key certificate; If differentiate successfully, then keep this HASU public key certificate, this HASU identity is added in the trusted ASU tabulation of STA; If differentiate failure, then abandon this HASU public key certificate;
(2) the client public key certificate is issued in the STA request: terminal STA is in order to use the secure data transmission of WAPI, and auxiliary at DCS is that STA issues the client public key certificate by ownership place certificate server HASU down; Detailed process is: terminal STA generates private key and client public key at random, submits to client public key and request to issue the client public key certificate for it to the DCS server; The username and password checking STA legitimacy of DCS server by utilizing storage, to the STA that is proved to be successful, earlier, submit client public key to this HASU again, and to ask this HASU be that terminal STA is issued the client public key certificate according to this user terminal STA ownership place choice of location ownership place HASU; Return success the client public key certificate of signature at HASU after, DCS returns the client public key certificate of having signed to this user terminal STA, finishes client public key certificate authority process.
6, the method for obtaining public key certificate according to claim 5 is characterized in that: described step (1) further comprises following content of operation:
(11) the HASU public key certificate of ownership place is downloaded in the STA request, connects the DCS server;
(12) aaa server is finished the authentication to STA;
(13) terminal STA is submitted the request of downloading ownership place certificate server HASU public key certificate to the DCS server, comprises the HASU identity in this information, i.e. the HASU title;
(14) the DCS server returns the HASU public key certificate to terminal STA;
(15) terminal STA is differentiated the true and false of HASU public key certificate, if differentiate successfully, then keeps this HASU public key certificate, and this HASU is added in the ASU tabulation trusty; Otherwise, abandon this HASU public key certificate.
7, the method for obtaining public key certificate according to claim 5 is characterized in that: described step (2) further comprises following content of operation:
(21) user starts the client public key certificate process of issuing on terminal, and the username and password of client public key certificate is issued in the input request; At this moment, automated randomized generation private key for user of terminal STA and client public key;
(22) the client public key certificate is issued in the terminal STA request, connects the DCS server;
(23) aaa server is finished the authentication to terminal STA;
(24) terminal STA is submitted client public key to the DCS server, and the client public key certificate is issued in request; This solicited message comprises terminal user name and password and the client public key information that the client public key certificate is issued in request;
(25) the DCS server is differentiated username and password, as differentiates success, then submits client public key to this terminal attaching ground HASU, asks to this user terminal STA issues the client public key certificate, and order is carried out subsequent operation; Otherwise, return failure response to terminal STA, end operation;
(26) HASU signs to client public key, and successful client public key certificate of signing is returned to the DCS server, and the DCS server returns success the client public key certificate of issuing to terminal STA again;
8, a kind of method of obtaining public key certificate that adopts the described network system of claim 1, it is characterized in that: when user terminal was before the roaming place wireless network carries out the WAPI connection, the flow process that this user terminal obtains user ASU public key certificate comprised following operating procedure:
(1) STA downloads the ASU public key certificate of roaming place certificate server: when the user roams into the strange land, earlier will with the roaming place ASU relation of breaking the wall of mistrust, promptly to download the ASU public key certificate of roaming place earlier, to obtain trust to local network; Detailed process is: each terminal STA is all safeguarded the ASU tabulation of trusting separately, if the ASU that terminal STA connects by AP is not in this ASU tabulation trusty the time, terminal STA is downloaded this ASU public key certificate to the DCS server requests earlier, the DCS server is after terminal STA is returned the ASU public key certificate, this terminal STA will be differentiated this ASU public key certificate, if differentiate successfully, then keep this ASU public key certificate, this ASU is added in the trusted ASU tabulation of this STA; If differentiate failure, then abandon this ASU public key certificate;
(2) the ASU trusting relationship of downloading HASU public key certificate: STA and HASU foundation can only guarantee to enter in this locality the WAPI secure network, but can't insert the WAPI network in the roaming place; When the user roamed into the other places, roaming place ASU will judge the legitimacy of this user terminal equally, promptly will utilize its ownership place HASU public key certificate to differentiate the client public key certificate of this user terminal STA, and with the private key of oneself the certificate identification result be signed; If ASU does not have the HASU public key certificate, then to download the HASU public key certificate to the DCS application.
9, the method for obtaining public key certificate according to claim 8 is characterized in that: described step (1) further comprises following content of operation:
(11) the ASU public key certificate of roaming place is downloaded in the STA request, connects the DCS server;
(12) aaa server is finished the authentication to STA;
(13) terminal STA comprises the ASU identity, i.e. the ASU title to the request of the ASU public key certificate of DCS server transmission download roaming place in this information;
(14) the DCS server returns the ASU public key certificate of this roaming place to terminal STA;
(15) terminal STA is differentiated the ASU public key certificate, if differentiate successfully, then keeps this ASU public key certificate, and this ASU is added in its ASU tabulation trusty; Otherwise, abandon this ASU public key certificate.
10, the method for obtaining public key certificate according to claim 8 is characterized in that: described step (2) further comprises following content of operation:
(21) ASU starts the process of the ownership place HASU public key certificate that obtains roaming terminal;
(22) ASU initiates to obtain the request of HASU public key certificate to the DCS server, comprises the information of HASU identity in this request;
(23) the DCS server returns the HASU public key certificate to this ASU;
(24) ASU differentiates the HASU public key certificate that obtains; If differentiate successfully, then keep this HASU public key certificate, this HASU is added in its trusted ASU tabulation; If differentiate failure, then abandon the HASU public key certificate.
CNB2007100644352A 2007-03-15 2007-03-15 Network system and method for obtaining the public key certificate for WAPI Expired - Fee Related CN100456725C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2007100644352A CN100456725C (en) 2007-03-15 2007-03-15 Network system and method for obtaining the public key certificate for WAPI

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2007100644352A CN100456725C (en) 2007-03-15 2007-03-15 Network system and method for obtaining the public key certificate for WAPI

Publications (2)

Publication Number Publication Date
CN101018174A CN101018174A (en) 2007-08-15
CN100456725C true CN100456725C (en) 2009-01-28

Family

ID=38726939

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2007100644352A Expired - Fee Related CN100456725C (en) 2007-03-15 2007-03-15 Network system and method for obtaining the public key certificate for WAPI

Country Status (1)

Country Link
CN (1) CN100456725C (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100566240C (en) * 2007-11-16 2009-12-02 西安西电捷通无线网络通信有限公司 A kind of WAPI unicast key negotiation method
CN100593936C (en) * 2008-05-09 2010-03-10 西安西电捷通无线网络通信有限公司 Roaming authentication method based on WAPI
CN101425909B (en) * 2008-09-28 2011-06-01 西安西电捷通无线网络通信股份有限公司 Method for implementing WAPI system terminal zero interference charging
CN101466079A (en) * 2009-01-12 2009-06-24 中兴通讯股份有限公司 Method, system and WAPI terminal for transmitting e-mail
CN101540679B (en) * 2009-04-30 2011-09-21 中兴通讯股份有限公司 Method for acquiring WLAN authentication and privacy infrastructure certificate and system thereof
CN101754203B (en) * 2009-12-25 2014-04-09 宇龙计算机通信科技(深圳)有限公司 Method, device and network system for obtaining WAPI certificate
CN102196438A (en) 2010-03-16 2011-09-21 高通股份有限公司 Communication terminal identifier management methods and device
CN102202302B (en) * 2010-03-23 2016-01-20 中兴通讯股份有限公司 The method of network is added in conjunction with network and Wireless Sensor Network Terminal
US9112905B2 (en) * 2010-10-22 2015-08-18 Qualcomm Incorporated Authentication of access terminal identities in roaming networks
US9668128B2 (en) 2011-03-09 2017-05-30 Qualcomm Incorporated Method for authentication of a remote station using a secure element
CN102307349B (en) * 2011-08-16 2015-04-01 宇龙计算机通信科技(深圳)有限公司 Access method of wireless network, terminal and server
CN105850095B (en) * 2014-01-08 2019-04-12 华为技术有限公司 Authentication associated method and system
CN107147636A (en) * 2017-05-03 2017-09-08 北京小米移动软件有限公司 E-mail transmission method and device
WO2019221738A1 (en) 2018-05-17 2019-11-21 Nokia Technologies Oy Facilitating residential wireless roaming via vpn connectivity over public service provider networks
CN112312395B (en) * 2019-07-17 2023-03-31 中国电信股份有限公司 WAPI certificate centralized distribution method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050081036A1 (en) * 2002-06-20 2005-04-14 Hsu Raymond T. Key generation in a communication system
CN1674497A (en) * 2004-03-26 2005-09-28 华为技术有限公司 Certification method for WLAN terminal switching in mobile network
CN1725685A (en) * 2004-07-22 2006-01-25 中兴通讯股份有限公司 Security identification method for mobiole terminal of radio cocal network

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050081036A1 (en) * 2002-06-20 2005-04-14 Hsu Raymond T. Key generation in a communication system
CN1674497A (en) * 2004-03-26 2005-09-28 华为技术有限公司 Certification method for WLAN terminal switching in mobile network
CN1725685A (en) * 2004-07-22 2006-01-25 中兴通讯股份有限公司 Security identification method for mobiole terminal of radio cocal network

Also Published As

Publication number Publication date
CN101018174A (en) 2007-08-15

Similar Documents

Publication Publication Date Title
CN100456725C (en) Network system and method for obtaining the public key certificate for WAPI
US8161278B2 (en) System and method for distributing keys in a wireless network
AU2011309758B2 (en) Mobile handset identification and communication authentication
CN100456726C (en) Network system and method for realizing the Internet access authentication based on WAPI
CN1753359B (en) Method of implementing SyncML synchronous data transmission
US9392453B2 (en) Authentication
CN101156352B (en) Authentication method, system and authentication center based on mobile network P2P communication
CN113746632B (en) Multi-level identity authentication method for Internet of things system
US11736304B2 (en) Secure authentication of remote equipment
US20070098176A1 (en) Wireless LAN security system and method
KR20180095873A (en) Wireless network access method and apparatus, and storage medium
CN101772024B (en) User identification method, device and system
WO2007085175A1 (en) Authentication method, system and authentication center based on end to end communication in the mobile network
CN101371550A (en) Method and system for automatically and freely providing user of mobile communication terminal with service access warrant of on-line service
CN100499453C (en) Method of the authentication at client end
CN213938340U (en) 5G application access authentication network architecture
CN113972995A (en) Network configuration method and device
JP4499575B2 (en) Network security method and network security system
CN101454767B (en) Dynamic authentication in secured wireless networks
KR101550425B1 (en) System and method for service providing using USIM authentication
CN101917722B (en) Method for identifying non-attributive place access identity of terminal in wireless local area network
Lee et al. A secure wireless lan access technique for home network
Wang et al. A wireless mesh network secure access method based on identity-based signature
CN101925061B (en) Method for non-home domain accessing identity authentication in wireless metropolitan area network terminal
CN115988496A (en) Access authentication method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090128

Termination date: 20160315