CN1549526A - Method for realizing radio local area network authentication - Google Patents
- Authority: CN (China)
- Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/06—Authentication
          - H04W12/062—Pre-authentication
      - H04W84/00—Network topologies
        - H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
          - H04W84/04—Large scale networks; Deep hierarchical networks
          - H04W84/10—Small scale networks; Flat hierarchical networks
            - H04W84/12—WLAN [Wireless Local Area Networks]
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
Abstract
In the method, a server (U-AAA) that performs authentication, authorization and accounting on the basis of the user identity module is deployed in the multimode network. The user information held in the STA's own user identity module serves as the user identity; the U-AAA obtains an authentication set for that identity from the HLR of the mobile network that supports wireless roaming; and the user terminal and the U-AAA authenticate each other using a random number generated by the STA together with the random number and authentication number of the corresponding authentication set held at the HLR.
Description
Technical field
The present invention relates to network authentication techniques, and in particular to a method of authenticating a WLAN user at network access by means of the home location register (HLR), in a multimode network that comprises at least a WLAN and a mobile network supporting wireless roaming.
Background technology
A WLAN uses radio-frequency (RF) technology to build a local area network and is a convenient data transmission system. In June 1997 the first WLAN standard, IEEE 802.11, was formally published; it gave the physical layer and the medium access control (MAC) layer of wireless LANs a unified standard and effectively promoted their rapid development and use.
WLAN user identification and authentication generally rely on an account name that is unique within the network together with its password; identity is confirmed and authenticated through an authentication centre, such as a Remote Authentication Dial-In User Service (RADIUS) server. The process is similar to the authentication mechanism of existing fixed networks. For example, whenever a mobile station sends a call request, registers its location or performs a location update, the system must initiate identification and authentication, and network access is allowed only after authentication succeeds.
At present, WLAN user authentication usually uses the 802.1x, PPPoE or Web protocols and is implemented on the basis of account name and password. As shown in Figure 1, taking the 802.1x mode as an example, the network structure in which a WLAN performs authentication comprises the wireless LAN user terminal (STA), the wireless access point (AP), the access controller (AC) and the authentication server (AAA); the 802.1x protocol is used between STA and AC.
Referring to Figure 2, again taking the 802.1x mode as an example, the detailed authentication procedure of a WLAN is as follows:
Step 201: before accessing the WLAN, the user sets up a physical connection between STA and AP and opens an account at the AAA, thereby obtaining a user name and password; the user name and password are stored in both the AAA and the STA;
Step 202: the STA sends an authentication start (EAPoL-Start) message to the authentication point AC, beginning the 802.1x procedure;
Step 203: on receiving the EAPoL-Start message, the AC sends a request-user-name (EAP-Request/Identity) message to the STA, asking it to send its user identity;
Step 204: on receiving the EAP-Request/Identity message, the STA sends its user identity to the AC in a response-user-name (EAP-Response/Identity) message;
Steps 205-206: on receiving the EAP-Response/Identity message, the AC generates a 16-byte random number Challenge1 and sends the STA an EAP-Request/MD5-Challenge message (a request for the MD5-mode user password) carrying Challenge1;
Step 207: on receiving the EAP-Request/MD5-Challenge message, the STA extracts Challenge1, processes Challenge1 and its password together with MD5 to obtain a new value Key1, and sends Key1 to the AC in an EAP-Response/MD5-Challenge message;
Step 208: on receiving the EAP-Response/MD5-Challenge message, the AC initiates an authentication request to the AAA with an access request (Access-Request) message carrying Challenge1 and Key1;
Step 209: on receiving the Access-Request message from the AC, the AAA extracts Challenge1 and Key1, applies the same computation as the STA to Challenge1 and the user password it holds to obtain Key2, and compares Key1 with Key2; if they match it sends an access accept (Access-Accept) message to the AC, otherwise an access reject (Access-Reject) message;
Step 210: if the AC receives Access-Accept it sends an authentication success (EAP-Success) message to the STA; if it receives Access-Reject it sends an authentication failure (EAP-Failure) message to the STA.
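The prior-art exchange of steps 205-210 as an added model that is not part of the patent; the account table and the 16-byte challenge are constructed, and the hash follows the page's description of processing Challenge1 together with the password.

```python
import hashlib
import hmac
import os

# Added model of the prior-art 802.1x/EAP-MD5 exchange (steps 205-210); the account
# table and the 16-byte challenge are constructed sample values, not from the patent.

def md5_response(challenge1: bytes, password: bytes) -> bytes:
    """Step 207 (STA) and step 209 (AAA): MD5 over Challenge1 and the password together.

    This follows the page's description literally; RFC 1994 CHAP, which EAP-MD5
    reuses, also prefixes the EAP identifier byte.
    """
    return hashlib.md5(challenge1 + password).digest()

class LegacyAAA:
    """Prior-art AAA: knows each account's password and checks Key1 against Key2."""
    def __init__(self, accounts: dict):
        self.accounts = accounts

    def access_request(self, user: str, challenge1: bytes, key1: bytes) -> str:
        """Step 209: recompute Key2 and answer Access-Accept or Access-Reject."""
        password = self.accounts.get(user)
        if password is None:
            return "Access-Reject"
        key2 = md5_response(challenge1, password)
        return "Access-Accept" if hmac.compare_digest(key1, key2) else "Access-Reject"

def run_legacy_auth(user: str, sta_password: bytes, aaa: LegacyAAA) -> dict:
    """Steps 205-210 as seen from the AC, recording what each side actually verified."""
    challenge1 = os.urandom(16)                               # steps 205-206
    key1 = md5_response(challenge1, sta_password)             # step 207
    verdict = aaa.access_request(user, challenge1, key1)      # steps 208-209
    return {
        "aaa_verified_sta": verdict == "Access-Accept",
        # Step 210: the STA gets only a bare EAP-Success/EAP-Failure code, bound to
        # neither the password nor Challenge1, so it learns nothing about the network.
        "sta_verified_network": False,
        "eap_result": "EAP-Success" if verdict == "Access-Accept" else "EAP-Failure",
    }
```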
As the above procedure shows, this method uses a one-way authentication mechanism: only the AAA authenticates the STA. Because the STA does not authenticate the AAA, it has no way to check the legitimacy of the AAA, so security is low. Furthermore, after the STA has been authenticated and accesses the WLAN to transfer data, the data between STA and AP must be encrypted, which requires an initial key between them. That initial key is a static key configured in STA and AP before authentication; it is set only once and never changes afterwards, so it is easy to crack, and the security of data transmission is not high.
At present, because WLAN and CDMA networks complement each other, traditional CDMA mobile operators are also considering building WLAN access services. In a CDMA network, identification and authentication of the mobile station (MS) differ markedly from the WLAN scheme: they rely on the user identity module (UIM). 3GPP has specified a WLAN authentication scheme based on the SIM and USIM card mechanism, which suits GSM/GPRS/WCDMA networks.
User authentication in CDMA IS-95/CDMA2000 1x networks is performed jointly by the MSC/VLR and the HLR/AC (authentication centre). Shared secret data (SSD) held in both the terminal and the HLR/AC is one of the inputs to authentication, and an identical A-key held in the terminal and the HLR/AC is used exclusively for updating the SSD. When authentication is needed, an authentication result is computed by the CAVE algorithm from parameters such as the SSD, a random number, the ESN and the MIN, and the MSC/VLR or HLR/AC compares the results for consistency. If they are inconsistent, the system initiates an SSD update; once the update succeeds, the SSD on the terminal side and the network side are the same, so at the next access the authentication result computed by the terminal from its SSD should match the one computed in the HLR/AC and authentication can succeed.
However, in the present situation, using the existing WLAN authentication in a multimode network of WLAN and CDMA IS-95/CDMA2000 1x produces many disadvantages. For example, the WLAN and the CDMA network are two independent networks with independent provisioning and maintenance, and the two authentication mechanisms differ, so operation and maintenance are inconvenient. Moreover, since a WLAN is a roaming network limited by the capacity of an AAA, several AAAs are needed in practice and they must be able to interwork; a dedicated roaming network therefore has to be built between the WLAN and the AAAs, which makes networking costly.
In summary, authenticating with the existing WLAN method in a multimode WLAN/CDMA IS-95/CDMA2000 1x network has the following shortcomings:
1) only the AAA authenticates the STA, so security is low;
2) a statically configured initial key is used, so data transmission is not secure;
3) operation and maintenance are inconvenient and costly.
Summary of the invention
In view of this, the object of the invention is to provide a method of WLAN authentication in which the network side and the user terminal authenticate each other, and which is secure, reliable, low-cost and easy to operate and maintain.
The invention discloses a method of WLAN authentication applied in a multimode network comprising at least a WLAN and a mobile network that supports wireless roaming and has a home location register (HLR), in which the user terminal (STA) sets up a physical connection with the wireless access point (AP). The method comprises:
A. a UIM-based AAA server (U-AAA) is deployed in the multimode network; the STA uses the user information in its own user identity module (UIM) as its user identity and begins authentication with the U-AAA;
B. the STA generates a first random number for authenticating the U-AAA; the U-AAA computes digest 1 from the first random number and a related element, and, according to the corresponding user identity, obtains from the HLR of the network that supports wireless roaming a second random number for authenticating the STA together with the second authentication number that the HLR computed from that second random number and the SSD it holds;
C. the STA computes digest 2 from the first random number and the related element in the same way as the U-AAA and compares digest 1 with digest 2; if they match, the STA has authenticated the U-AAA and step D follows; otherwise authentication fails;
D. the STA computes a first authentication number from the second random number, the password it holds and the SSD it holds; the U-AAA compares the first and second authentication numbers; if they are identical, the U-AAA has authenticated the STA, otherwise authentication fails.
Before step A the method further comprises: the STA sends an authentication start message to the AC, and on receiving it the AC asks the STA to report the user's identity.
Step A further comprises: the STA sends its user identity to the U-AAA via the AC to initiate the authentication request.
Step A further comprises:
A1. the STA sends the user identity to the AC in a response-user-name (EAP-Response/Identity) message;
A2. on receiving the EAP-Response/Identity message, the AC encapsulates it in an access request (Access-Request) message and sends the Access-Request to the U-AAA.
After authentication fails in step D, the method further comprises step E: the U-AAA notifies the HLR of the failure; the HLR generates an SSD update random number (RANDSSD), and the shared secret data (SSD) in the STA and in the HLR is updated from it; step B is then executed again to re-authenticate.
Step E further comprises:
E1. the HLR sends the generated RANDSSD to the U-AAA to initiate the SSD update procedure;
E2. the U-AAA forwards RANDSSD to the STA via the AC; the STA computes a new SSD from the received RANDSSD, generates a base station challenge random number (RANDBS), computes the corresponding first base station challenge result (AUTHBS1) from the new SSD, and sends RANDBS to the U-AAA via the AC;
E3. the U-AAA obtains the corresponding second base station challenge result (AUTHBS2) for RANDBS by interacting with the HLR and sends it to the STA via the AC;
E4. the STA compares the AUTHBS1 it computed with the AUTHBS2 obtained from the HLR; if they match, the SSD in the STA and in the HLR is replaced by the new SSD computed in step E2 and step B is executed; otherwise authentication fails.
In step B the first random number generated by the STA for authenticating the U-AAA is sent to the U-AAA via the AC.
Step B further comprises: the U-AAA sends digest 1 and the second random number to the STA via the AC.
After step D the method further comprises: the U-AAA notifies the STA of the authentication result via the AC.
The related element in steps B and C is the EAP-Request/UIM/Challenge message (the request for the EAP-UIM user authentication password).
After the STA has computed the first authentication number in step C, it further derives initial key 1 by a given algorithm; after the U-AAA has authenticated the STA in step D, the method further comprises: the U-AAA derives initial key 2 with the same algorithm as the STA, initial key 1 and initial key 2 being identical, and sends initial key 2 to the AP via the AC.
In step B the U-AAA interacts with the HLR through the IS-41 protocol.
As can be seen from the above, the method of the invention has the following advantages and features:
1) with the method of the invention the user does not need to enter a user name and password manually and can access the WLAN by means of the UIM; the method is simple and easy to operate;
2) nationwide roaming is supported by the existing CDMA IS-41 core network, so no dedicated nationwide WLAN roaming network needs to be built, saving networking cost;
3) the user's CDMA service and WLAN service are provisioned together at the HLR, giving unified identity, unified charging and unified maintenance, which is convenient for the operator;
4) mutual authentication between network and terminal is provided, and a different initial key is generated dynamically during each authentication, so security is high.
Description of drawings
Fig. 1 is a schematic diagram of the network structure for WLAN authentication in the prior art;
Fig. 2 is the prior-art WLAN authentication procedure;
Fig. 3 is a schematic diagram of the network structure for WLAN authentication according to the invention;
Fig. 4 is a flow chart of WLAN authentication according to the invention;
Fig. 5 is a flow chart of the first embodiment of the invention;
Fig. 6, consisting of Fig. 6A and Fig. 6B, is a flow chart of the second embodiment of the invention.
Embodiment
The core of the invention is: the user information in the STA's own user identity module is used as the user identity; a UIM-based AAA server (U-AAA) obtains the authentication set for that identity from the HLR of the CDMA IS-95/CDMA2000 1x network; and mutual authentication between the user terminal and the U-AAA is then performed with a random number generated by the STA and the authentication set from the HLR.
Referring to Figure 3, the network structure in which the invention performs authentication comprises STA, AC, U-AAA and HLR. Since the HLR and the authentication centre (AC) are generally located in the same physical entity, both are referred to below simply as HLR. The user identity module used in the invention has the WLAN service function and is provisioned at the HLR; specifically, both the user identity module and the HLR hold user authentication information such as the user identity and password, and the HLR stores the correspondence between user identities and authentication sets, as in existing CDMA systems. In addition, to implement the method of the invention, the STA must support the UIM card and be able to read information from it; the AC must support the 802.1x protocol and exchange messages with the U-AAA using EAP over RADIUS; the U-AAA must exchange messages with the AC using EAP over RADIUS and with the HLR using the IS-41 protocol; and the HLR must support provisioning of the WLAN service.
It should be noted that when the STA is powered on for the first time, the authentication procedure consists of three phases: first authentication, SSD update and re-authentication. The authentication performed at first power-on is the first authentication, and because at that point the SSD held on the system side and on the STA side are inconsistent, this first authentication always fails. Therefore, after the first authentication fails, an SSD update is performed: an SSD update random number (RANDSSD) is obtained from the HLR, and the STA and the HLR each compute a new SSD from RANDSSD, the ESN and the A-key with the same SSD generation algorithm. Because RANDSSD, ESN and A-key are identical on the STA and HLR sides and the algorithm is the same, the resulting SSD is also identical. After the SSD update, re-authentication is performed; since the SSD of the STA and of the HLR are now guaranteed to match, re-authentication will normally succeed. For a user who powers on again later, the SSD on the system side and on the STA side are already identical, so no SSD update or re-authentication is needed and the first authentication can succeed.
Referring to Figure 4, the method of the invention for authenticating by means of the HLR comprises the following steps:
Step 401: the STA uses the user information in its own UIM card as its user identity and sends that identity to the U-AAA via the AC;
Step 402: on receiving the user identity, the U-AAA sends an EAP-UIM authentication start request message to the STA via the AC;
Step 403: on receiving the EAP-UIM authentication start request, the STA generates a first random number for authenticating the U-AAA and sends it to the U-AAA via the AC;
Step 404: on receiving the first random number, the U-AAA obtains from the HLR, according to the corresponding user identity, a second random number for authenticating the STA together with the second authentication number that the HLR computed from it and the SSD it holds; the U-AAA then computes digest 1 from the first random number and the related element and sends digest 1 and the second random number to the STA via the AC;
Step 405: on receiving digest 1 and the second random number, the STA computes digest 2 from the first random number and the related element in the same way as the U-AAA;
Step 406: the STA compares digest 1 with digest 2. If they match, the STA has authenticated the U-AAA; it then computes a first authentication number from the second random number, the password in the UIM card and the SSD it holds, at the same time dynamically derives initial key 1 by a given method and keeps it in the terminal, and sends the first authentication number to the U-AAA via the AC, after which step 407 is executed. Otherwise authentication fails;
Step 407: on receiving the first authentication number, the U-AAA compares it with the second authentication number. If they are identical, the U-AAA has authenticated the STA; otherwise authentication fails, the U-AAA notifies the HLR, and step 408 is executed.
Step 408: the HLR generates RANDSSD and sends it to the U-AAA to initiate the SSD update procedure;
Step 409: the U-AAA forwards RANDSSD to the STA via the AC; the STA computes a new SSD from the received RANDSSD, generates a base station challenge random number (RANDBS), computes the corresponding first base station challenge result (AUTHBS1) from the new SSD, and sends RANDBS to the U-AAA via the AC;
Step 410: the U-AAA obtains the corresponding second base station challenge result (AUTHBS2) for RANDBS by interacting with the HLR and sends it to the STA via the AC;
Step 411: the STA compares the AUTHBS1 it computed with the AUTHBS2 obtained from the HLR. If they match, the SSD in the STA and in the HLR is replaced by the newly computed SSD and step 403 is executed to authenticate again; otherwise the SSD update fails and so does authentication.
The technical solution of the invention is described in detail below with reference to the drawings and specific embodiments.
Note that in this embodiment the 802.1x protocol carrying EAP/EAP-UIM is used between STA and AC; the RADIUS protocol carrying RADIUS/EAP/EAP-UIM is used between AC and U-AAA; and a standard SS7 interface with the IS-41 protocol is used between U-AAA and HLR.
Referring to Figure 5, the flow in which the WLAN authenticates by means of the HLR is described as follows:
Step 501: a physical connection is set up between STA and AP;
Step 502: the STA sends an EAPoL-Start message to the authentication point AC, beginning the 802.1x procedure;
Step 503: on receiving EAPoL-Start, the AC sends an EAP-Request/Identity message to the STA, asking it to send its user identity;
Step 504: on receiving EAP-Request/Identity, the STA reads the information stored in the UIM card through the corresponding interface, uses it as its user identity, and sends it to the AC in an EAP-Response/Identity message;
Step 505: on receiving EAP-Response/Identity, the AC initiates an authentication request to the U-AAA with a RADIUS Access-Request message in which the EAP-Response/Identity message is encapsulated;
Step 507: on receiving the Access-Challenge message, the AC extracts the EAP-Request/UIM/Start message from it and sends that message to the STA;
Step 508: on receiving EAP-Request/UIM/Start from the AC, the STA generates a first random number RAND1 for authenticating the AAA and sends an EAP-Response/UIM/Start message carrying RAND1 to the AC;
Step 509: on receiving EAP-Response/UIM/Start from the STA, the AC encapsulates it in an Access-Request message and sends the Access-Request to the U-AAA;
Step 510: on receiving the Access-Request from the AC, the U-AAA extracts RAND1 and, according to the corresponding user identity, starts interacting with the HLR through the IS-41 protocol to obtain an authentication set containing a second random number (RAND2) and the second authentication number (AUTHU2); RAND2 is generated at random by the HLR, and the HLR computes AUTHU2 for RAND2 from RAND2 and the SSD it holds;
Step 511: the U-AAA computes a digest (MAC1) over RAND1 received from the STA and the entire EAP-Request/UIM/Challenge message, the EAP-Request/UIM/Challenge message being the related element; it then places RAND2 and MAC1 in the EAP-Request/UIM/Challenge message and sends it to the AC in an Access-Challenge message;
Step 514: the AC encapsulates the received EAP-Response/UIM/Challenge message in a RADIUS access request (Access-Request) message and sends it to the U-AAA;
Step 515: on receiving the Access-Request from the AC, the U-AAA extracts AUTHU1 and compares it with the AUTHU2 obtained from the HLR. If they match, the U-AAA has authenticated the STA; it derives initial key Key2 by the same method as the STA, Key1 being identical to Key2, and sends the AC an Access-Accept message containing an EAP-Success message and Key2. Otherwise the U-AAA's authentication of the STA fails and it sends the AC an Access-Reject message containing an EAP-Failure message;
Step 516: on receiving Access-Accept from the U-AAA, the AC extracts the EAP-Success message and Key2, sends EAP-Success to the STA to notify it of authentication success, and at the same time sends Key2 to the AP. If it receives Access-Reject, it extracts the EAP-Failure message and sends it to the STA to notify it of authentication failure.
Referring to Figure 6, the detailed authentication procedure when the STA is powered on for the first time is as follows:
Steps 601-613 are the same as steps 501-513 of Fig. 5;
Step 614: on receiving AUTHU1, the U-AAA compares it with the authentication number it holds locally. If they match, the client is authenticated. If not, it returns an authentication failure message to the HLR; on receiving it the HLR generates RANDSSD, sends it to the U-AAA and begins the SSD update;
Step 617: on receiving the EAP-Request/UIM/Update message from the AC, the STA extracts RANDSSD, computes a new SSD from it, generates RANDBS at random, computes AUTHBS1 for RANDBS from the new SSD, and sends RANDBS to the AC in an EAP-Response/UIM/Challenge message;
Step 619: on receiving the EAP-Response/UIM/Challenge message, the U-AAA obtains the corresponding AUTHBS2 from the HLR for the RANDBS it contains;
Step 620: the U-AAA sends the AC an Access-Challenge message containing an EAP-Request/UIM/Challenge message that carries AUTHBS2;
Step 621: the AC sends the EAP-Request/UIM/Challenge message to the STA;
Step 622: on receiving the EAP-Request/UIM/Challenge message from the AC, the STA extracts the result AUTHBS2 and compares AUTHBS1 with AUTHBS2; if they match, the U-AAA is legitimate, and the STA sends an EAP-Response/UIM/success message to the AC;
Step 623: on receiving EAP-Response/UIM/success, the AC forwards it to the authentication server U-AAA in an Access-Request message together with the relevant RADIUS attributes, indicating that the SSD update procedure has finished;
Steps 624-630 are the same as steps 510-516 of Fig. 5.
As the above procedure shows, steps 601-613 are the first authentication phase. When the STA is powered on for the first time, the SSD input to the authentication flow on the network side and on the STA side are inconsistent, so the first authentication at first power-on fails. The SSD update procedure is started immediately: the SSD is recomputed and the SSD on the STA side and the HLR side is updated through steps 615 to 623. Since the SSD of the STA and the HLR are then guaranteed to match, the re-authentication in steps 624-630 will normally succeed. Of course, re-authentication, or authentication at a power-on other than the first, may also fail, and the SSD update can be performed in that case too.
The technical solution of the invention uses the authentication mechanism of the CDMA network and its existing network-wide roaming capability, provisioning the WLAN service in the HLR; it adopts the 802.1x access method with the UIM-card-based EAP-UIM authentication protocol; and it supports mutual authentication and dynamic keys. When a WLAN user accesses the WLAN, secure authentication is achieved as long as the user holds a UIM card provisioned at the HLR with the WLAN service function.
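The mutual authentication of steps 403-407 and the SSD update of steps 408-411 and 614-623, as an added simulation that is not part of the patent. It assumes an HMAC-SHA256 stand-in for the unspecified CAVE algorithm, a MAC1/MAC2 keyed with the password the UIM and HLR share at provisioning, and an invented initial-key derivation from the authentication number and both random numbers; the subscriber values and message bytes are constructed.

```python
import hashlib
import hmac
import os

def prf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for CAVE (assumption: the text names CAVE but does not specify it)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

CHALLENGE_MSG = b"EAP-Request/UIM/Challenge"  # the "related element" covered by MAC1/MAC2
class HLR:
    """Home location register: per-subscriber A-key, ESN and shared secret data (SSD)."""
    def __init__(self):
        self.subs = {}

    def provision(self, uid, a_key, esn):
        # Fresh subscription: the HLR's SSD does not yet match the SSD on the card.
        self.subs[uid] = {"a_key": a_key, "esn": esn, "ssd": os.urandom(16)}

    def auth_set(self, uid):  # step 510: RAND2 and the expected AUTHU2 for the U-AAA
        rand2 = os.urandom(16)
        return rand2, prf(self.subs[uid]["ssd"], b"AUTHU", rand2)

    def start_ssd_update(self, uid):  # step 408: RANDSSD, candidate SSD from A-key and ESN
        sub, randssd = self.subs[uid], os.urandom(16)
        sub["new_ssd"] = prf(sub["a_key"], b"SSD", randssd, sub["esn"])
        return randssd

    def base_station_result(self, uid, randbs):  # step 410: AUTHBS2 from the candidate SSD
        return prf(self.subs[uid]["new_ssd"], b"AUTHBS", randbs)

    def commit_ssd(self, uid):  # step 623: STA confirmed AUTHBS, candidate SSD becomes active
        self.subs[uid]["ssd"] = self.subs[uid].pop("new_ssd")

class UAAA:
    """UIM-based AAA server: holds the provisioned passwords and queries the HLR."""
    def __init__(self, hlr, passwords):
        self.hlr, self.passwords = hlr, passwords

    def challenge(self, uid, rand1):
        """Steps 404/511: fetch the auth set; MAC1 keyed with the password the UIM and
        HLR share at provisioning (assumption) over RAND1 and the challenge message."""
        rand2, authu2 = self.hlr.auth_set(uid)
        self.pending = (rand1, rand2, authu2)
        return prf(self.passwords[uid], rand1, CHALLENGE_MSG), rand2

    def verify_sta(self, authu1):
        """Steps 407/515: compare AUTHU1 with AUTHU2; on success derive Key2."""
        rand1, rand2, authu2 = self.pending
        if authu1 is None or not hmac.compare_digest(authu1, authu2):
            return None
        return prf(authu2, b"KEY", rand1, rand2)  # assumed initial-key derivation

class STA:
    """Terminal with a UIM card: user id, password, A-key, ESN and its own SSD copy."""
    def __init__(self, uid, password, a_key, esn):
        self.uid, self.password, self.a_key, self.esn = uid, password, a_key, esn
        self.ssd, self.key1 = os.urandom(16), None  # new card: SSD out of step with the HLR

    def start(self):  # steps 403/508: RAND1, the STA's challenge to the network
        self.rand1 = os.urandom(16)
        return self.rand1

    def verify_network(self, mac1, rand2):
        """Steps 405-406: recompute MAC2; a network without the password is rejected."""
        if not hmac.compare_digest(mac1, prf(self.password, self.rand1, CHALLENGE_MSG)):
            return None
        authu1 = prf(self.ssd, b"AUTHU", rand2)
        self.key1 = prf(authu1, b"KEY", self.rand1, rand2)  # same derivation as the U-AAA
        return authu1

    def update_ssd(self, randssd):  # step 409: candidate SSD and base station challenge RANDBS
        self.new_ssd = prf(self.a_key, b"SSD", randssd, self.esn)
        self.randbs = os.urandom(16)
        return self.randbs

    def confirm_ssd(self, authbs2):  # step 411: adopt the new SSD only if AUTHBS1 == AUTHBS2
        if not hmac.compare_digest(prf(self.new_ssd, b"AUTHBS", self.randbs), authbs2):
            return False
        self.ssd = self.new_ssd
        return True

def authenticate(sta, aaa):  # one EAP-UIM round (steps 403-407): Key2 on success, else None
    mac1, rand2 = aaa.challenge(sta.uid, sta.start())
    return aaa.verify_sta(sta.verify_network(mac1, rand2))

def first_power_on():
    """Fig. 6: first authentication fails, SSD update runs, re-authentication succeeds."""
    hlr, a_key, esn, pwd = HLR(), os.urandom(16), b"ESN-0001", b"pw"  # constructed subscriber
    hlr.provision("uim-001", a_key, esn)
    aaa, sta = UAAA(hlr, {"uim-001": pwd}), STA("uim-001", pwd, a_key, esn)
    first_ok = authenticate(sta, aaa) is not None                       # False: SSD mismatch
    randssd = hlr.start_ssd_update(sta.uid)                               # step 408
    authbs2 = hlr.base_station_result(sta.uid, sta.update_ssd(randssd))   # steps 409-410
    updated = sta.confirm_ssd(authbs2)                                    # step 411
    if updated:
        hlr.commit_ssd(sta.uid)                                           # step 623
    key2 = authenticate(sta, aaa)                                         # steps 624-630
    re_ok = key2 is not None and key2 == sta.key1
    rogue_rejected = authenticate(sta, UAAA(hlr, {"uim-001": b"?"})) is None
    return first_ok, updated, re_ok, rogue_rejected
```

The last check models a network that reaches the HLR but lacks the user's password: its MAC1 fails the STA's check in step 406, so the STA never releases AUTHU1 or derives a key.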
Claims (12)
1. A method for realizing wireless LAN (WLAN) authentication, applied to a multimode network comprising at least a WLAN network and a radio roaming network with a home location register (HLR), in which a user terminal (STA) establishes a physical connection with a wireless access point (AP), characterized in that the method comprises the following steps:
A. In the multimode network, an AAA server (U-AAA) for performing authentication based on the subscriber identity module is provided; the STA uses the user information in its own subscriber identity module (UIM) as the user identity and begins authentication with the U-AAA;
B. The STA generates a first random number for authenticating the U-AAA; the U-AAA encrypts the first random number together with a related element to obtain digest 1; and the U-AAA, according to the corresponding user identity, obtains from the HLR of the radio roaming network a second random number for authenticating the STA and the corresponding second authentication number, which the HLR computes from the second random number and the SSD it holds;
C. The STA encrypts the first random number and the related element in the same manner as the U-AAA to obtain digest 2, then compares digest 1 with digest 2; if they match, the STA's authentication of the U-AAA succeeds and step D is executed; otherwise authentication fails;
D. The STA computes a first authentication number from the second random number, the password it holds and the SSD it holds; the U-AAA compares the first authentication number with the second authentication number; if they are identical, the U-AAA's authentication of the STA succeeds; otherwise authentication fails.
2. The method according to claim 1, characterized in that before step A the method further comprises: the STA sends an authentication start message to the AC, and the AC, after receiving the authentication start request message, requires the STA to report the user's identity.
3. The method according to claim 1, characterized in that step A further comprises:
the STA sends its own user identity to the U-AAA via the AC to initiate an authentication request.
4. The method according to claim 3, characterized in that step A further comprises:
A1. The STA sends the user identity to the AC in a request user name (EAP-Response/Identity) message;
A2. After the AC receives the EAP-Response/Identity message, it encapsulates this message in an access request (Access-Request) message and sends the Access-Request message to the U-AAA.
5. The method according to claim 1, characterized in that after authentication fails in step D the method further comprises step E:
the U-AAA notifies the HLR of the authentication failure; the HLR generates a shared secret data update random number (RANDSSD) and uses the generated RANDSSD to update the user's shared secret data (SSD) in the STA and in the HLR; step B is then executed again to re-authenticate.
6. The method according to claim 5, characterized in that step E further comprises:
E1. The HLR sends the generated RANDSSD to the U-AAA and initiates the SSD update procedure;
E2. The U-AAA sends the RANDSSD to the STA via the AC; the STA computes a new SSD from the received RANDSSD, generates a base station challenge random number (RANDSB), computes the corresponding first base station challenge result (AUTHUSB1) from the new SSD, and then sends the generated random number RANDSB to the U-AAA via the AC;
E3. The U-AAA obtains, through interaction with the HLR, the corresponding second base station challenge result (AUTHUSB2) for RANDSB, and then sends the obtained AUTHUSB2 to the STA via the AC;
E4. The STA compares the AUTHUSB1 it computed itself with the AUTHUSB2 obtained from the HLR; if they match, the SSD in the STA and in the HLR is updated with the new SSD computed in step E2 and step B is then executed; otherwise authentication fails.
7. The method according to claim 1, characterized in that the first random number generated by the STA in step B for authenticating the U-AAA is sent to the U-AAA via the AC.
8. The method according to claim 1, characterized in that step B further comprises: the U-AAA sends digest 1 and the second random number to the STA via the AC.
9. The method according to claim 1, characterized in that after step D the method further comprises: the U-AAA notifies the STA of the authentication result via the AC.
10. The method according to claim 1, characterized in that the related element in steps B and C is the request EAP-UIM authentication user password (EAP-Request/UIM/Challenge) message.
11. The method according to claim 1, characterized in that after the STA computes the first authentication number in step C, the STA further obtains initial key 1 according to a certain algorithm; then, after the U-AAA's authentication of the STA succeeds in step D,
the method further comprises: the U-AAA computes initial key 2 using the same algorithm as the STA, initial key 1 being identical to initial key 2, and sends the computed initial key 2 to the AP via the AC.
12. The method according to claim 1, characterized in that in step B the U-AAA interacts with the HLR via the IS41 protocol.
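The mutual challenge-response of claims 1, 8, 11 and 12, simulated as an added example that is not part of the patent: HLR, STA and U-AAA roles exchange the first random number, digest 1, the second random number and the two authentication numbers through in-process calls. The patent does not name the digest or authentication-number algorithms (CDMA networks compute these from the SSD with CAVE), so HMAC-SHA256 is assumed as a stand-in, as are a secret shared between the UIM and the U-AAA for keying digest 1 and a derivation of the initial key from RAND2 and the authentication number.

```python
import hashlib
import hmac
import os

CHALLENGE_ELEMENT = b"EAP-Request/UIM/Challenge"  # "related element" of claim 10

def make_digest(rand1, element, key):
    """Digest of first random number + related element (steps B and C)."""
    return hmac.new(key, rand1 + element, hashlib.sha256).digest()

def auth_number(rand2, password, ssd):
    """Authentication number from RAND2, password and SSD (step D / HLR side)."""
    return hmac.new(ssd, rand2 + password, hashlib.sha256).digest()

def initial_key(rand2, auth):
    """Initial key of claim 11; assumed derivation from values both sides hold."""
    return hmac.new(auth, rand2 + b"initial-key", hashlib.sha256).digest()

class HLR:
    def __init__(self, subscribers):
        self.subscribers = subscribers          # identity -> (password, SSD)
    def challenge(self, identity):
        password, ssd = self.subscribers[identity]
        rand2 = os.urandom(16)                  # second random number
        return rand2, auth_number(rand2, password, ssd)

class STA:
    def __init__(self, identity, password, ssd, server_key):
        self.identity, self.password, self.ssd = identity, password, ssd
        self.server_key = server_key            # assumed: shared with the U-AAA
        self.rand1 = self.key1 = None
    def start(self):
        self.rand1 = os.urandom(16)             # step B: first random number
        return self.identity, self.rand1
    def verify_server(self, digest1, rand2):
        digest2 = make_digest(self.rand1, CHALLENGE_ELEMENT, self.server_key)
        if not hmac.compare_digest(digest1, digest2):
            return None                         # step C: U-AAA rejected
        auth1 = auth_number(rand2, self.password, self.ssd)   # step D
        self.key1 = initial_key(rand2, auth1)                 # claim 11
        return auth1

class UAAA:
    def __init__(self, hlr, server_key):
        self.hlr, self.server_key, self.pending = hlr, server_key, {}
    def challenge(self, identity, rand1):
        digest1 = make_digest(rand1, CHALLENGE_ELEMENT, self.server_key)
        rand2, auth2 = self.hlr.challenge(identity)   # IS-41 query, claim 12
        self.pending[identity] = (rand2, auth2)
        return digest1, rand2                         # claim 8
    def verify_client(self, identity, auth1):
        rand2, auth2 = self.pending.pop(identity)
        if not hmac.compare_digest(auth1, auth2):
            return None                         # step D: STA rejected
        return initial_key(rand2, auth2)        # key 2, forwarded to the AP

def run_authentication(sta, uaaa):
    """One EAP-UIM exchange; returns (success, STA key 1, U-AAA key 2)."""
    identity, rand1 = sta.start()
    digest1, rand2 = uaaa.challenge(identity, rand1)
    auth1 = sta.verify_server(digest1, rand2)
    if auth1 is None:
        return False, None, None                # rogue or misconfigured server
    key2 = uaaa.verify_client(identity, auth1)
    return (key2 is not None), (sta.key1 if key2 else None), key2
```

A U-AAA that cannot produce the correct digest 1 is rejected at step C before the STA releases its authentication number, which is the property mutual authentication adds over one-way subscriber authentication.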
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB031310362A CN100539521C (en) | 2003-05-16 | 2003-05-16 | A method for realizing radio local area network authentication |
PCT/CN2004/000498 WO2004102884A1 (en) | 2003-05-16 | 2004-05-17 | A method for performing authentication in a wireless lan |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB031310362A CN100539521C (en) | 2003-05-16 | 2003-05-16 | A method for realizing radio local area network authentication |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1549526A true CN1549526A (en) | 2004-11-24 |
CN100539521C CN100539521C (en) | 2009-09-09 |
Family
ID=33438172
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB031310362A Expired - Fee Related CN100539521C (en) | 2003-05-16 | 2003-05-16 | A method for realizing radio local area network authentication |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN100539521C (en) |
WO (1) | WO2004102884A1 (en) |
Cited By (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100367701C (en) * | 2005-05-16 | 2008-02-06 | 航天科工信息技术研究院 | Apparatus and method for implementing data safety transmission of mobile communication apparatus |
CN100389555C (en) * | 2005-02-21 | 2008-05-21 | 西安西电捷通无线网络通信有限公司 | An access authentication method suitable for wired and wireless network |
CN100417285C (en) * | 2005-08-29 | 2008-09-03 | 华为技术有限公司 | Method for continuously using authentication tuple |
CN100431308C (en) * | 2006-01-27 | 2008-11-05 | 智易科技股份有限公司 | Wireless local area network system and its setting method |
CN100466803C (en) * | 2005-01-28 | 2009-03-04 | 华为技术有限公司 | Method for realizing right discriminating to network by terminal in CDMA network |
US7539519B2 (en) | 2005-01-11 | 2009-05-26 | Samsung Electronics Co., Ltd. | Power saving method and apparatus for multimode wireless terminal |
CN101155033B (en) * | 2006-09-26 | 2010-05-19 | 中兴通讯股份有限公司 | Method for confirming client identity |
CN101420687B (en) * | 2007-10-24 | 2010-07-14 | 中兴通讯股份有限公司 | Identity verification method based on mobile terminal payment |
CN1976309B (en) * | 2006-12-22 | 2010-08-18 | 杭州华三通信技术有限公司 | Method for wireless user inserting network service, access controller and server |
CN101867929A (en) * | 2010-05-25 | 2010-10-20 | 北京星网锐捷网络技术有限公司 | Authentication method, system, authentication server and terminal equipment |
CN101217386B (en) * | 2008-01-16 | 2011-01-19 | 中兴通讯股份有限公司 | Authorized charging server and charging method |
CN101977383A (en) * | 2010-08-03 | 2011-02-16 | 北京星网锐捷网络技术有限公司 | Authentication processing method, system, client side and server for network access |
CN101094063B (en) * | 2006-07-19 | 2011-05-11 | 中兴通讯股份有限公司 | Security interaction method for the roam terminals to access soft switching network system |
CN101453394B (en) * | 2007-12-03 | 2011-06-01 | 华为技术有限公司 | Method, system and equipment for access control |
CN101351021B (en) * | 2007-07-16 | 2011-11-30 | 中兴通讯股份有限公司 | Microwave access global interconnection system and implementing method thereof |
CN101330384B (en) * | 2007-06-19 | 2011-12-07 | 中兴通讯股份有限公司 | Authentication method for terminal equipment |
CN102355701A (en) * | 2011-09-19 | 2012-02-15 | 中兴通讯股份有限公司 | Wireless local area network (WLAN) accessing method and terminal |
CN101350748B (en) * | 2007-07-20 | 2012-02-29 | 中兴通讯股份有限公司 | Method and system for accessing control terminal after being losing to obtain data summary calculation parameter |
CN101133586B (en) * | 2004-12-28 | 2012-03-21 | 摩托罗拉解决方案公司 | Authentication for ad hoc network setup |
CN101707773B (en) * | 2009-11-23 | 2012-05-30 | 中国电信股份有限公司 | Method and system for fusing WLAN access gateway, mobile network and wireless broadband network |
CN101455024B (en) * | 2006-05-15 | 2012-07-18 | 英特尔公司 | Methods and apparatus for a keying mechanism for end-to-end service control protection |
CN101621800B (en) * | 2009-08-13 | 2013-01-30 | 深圳市星谷科技有限公司 | Method for exchanging authentication information between wireless terminal and wireless router |
CN101730092B (en) * | 2008-10-20 | 2013-07-03 | 深圳富泰宏精密工业有限公司 | System and method for generating one-time passwords by using GSM mobile phone |
CN103391542A (en) * | 2012-05-08 | 2013-11-13 | 华为终端有限公司 | EAP authentication triggering method and system, access network equipment and terminal equipment |
CN103685201A (en) * | 2012-09-24 | 2014-03-26 | 中兴通讯股份有限公司 | Method and system for WLAN user fixed network access |
CN105188055A (en) * | 2015-08-14 | 2015-12-23 | 中国联合网络通信集团有限公司 | Wireless network access method, wireless access point and server |
CN110876142A (en) * | 2018-09-02 | 2020-03-10 | 中城智慧科技有限公司 | Identification-based wifi authentication method |
CN112702776A (en) * | 2020-12-15 | 2021-04-23 | 锐捷网络股份有限公司 | Method for realizing wireless terminal access to wireless local area network and wireless access point |
CN113423116A (en) * | 2021-08-25 | 2021-09-21 | 广州朗国电子科技股份有限公司 | Configuration method of 5G hot spot default mode based on Android system |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100725767B1 (en) * | 2005-11-24 | 2007-06-08 | 삼성전자주식회사 | Apparatus and method for location registration of convergence terminal with multiple interface |
CN113904856B (en) * | 2021-10-15 | 2024-04-23 | 广州威戈计算机科技有限公司 | Authentication method, switch and authentication system |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6377691B1 (en) * | 1996-12-09 | 2002-04-23 | Microsoft Corporation | Challenge-response authentication and key exchange for a connectionless security protocol |
US6094487A (en) * | 1998-03-04 | 2000-07-25 | At&T Corporation | Apparatus and method for encryption key generation |
US6201871B1 (en) * | 1998-08-19 | 2001-03-13 | Qualcomm Incorporated | Secure processing for authentication of a wireless communications device |
FR2790177B1 (en) * | 1999-02-22 | 2001-05-18 | Gemplus Card Int | AUTHENTICATION IN A RADIOTELEPHONY NETWORK |
WO2003036867A1 (en) * | 2001-10-26 | 2003-05-01 | Ktfreetel Co., Ltd. | System and method for performing mutual authentication between mobile terminal and server |
US20030093680A1 (en) * | 2001-11-13 | 2003-05-15 | International Business Machines Corporation | Methods, apparatus and computer programs performing a mutual challenge-response authentication protocol using operating system capabilities |
- 2003
  - 2003-05-16 CN CNB031310362A patent/CN100539521C/en not_active Expired - Fee Related
- 2004
  - 2004-05-17 WO PCT/CN2004/000498 patent/WO2004102884A1/en active Application Filing
Cited By (37)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101133586B (en) * | 2004-12-28 | 2012-03-21 | 摩托罗拉解决方案公司 | Authentication for ad hoc network setup |
US7539519B2 (en) | 2005-01-11 | 2009-05-26 | Samsung Electronics Co., Ltd. | Power saving method and apparatus for multimode wireless terminal |
CN100466803C (en) * | 2005-01-28 | 2009-03-04 | 华为技术有限公司 | Method for realizing right discriminating to network by terminal in CDMA network |
CN100389555C (en) * | 2005-02-21 | 2008-05-21 | 西安西电捷通无线网络通信有限公司 | An access authentication method suitable for wired and wireless network |
CN100367701C (en) * | 2005-05-16 | 2008-02-06 | 航天科工信息技术研究院 | Apparatus and method for implementing data safety transmission of mobile communication apparatus |
CN100417285C (en) * | 2005-08-29 | 2008-09-03 | 华为技术有限公司 | Method for continuously using authentication tuple |
CN100431308C (en) * | 2006-01-27 | 2008-11-05 | 智易科技股份有限公司 | Wireless local area network system and its setting method |
CN101455024B (en) * | 2006-05-15 | 2012-07-18 | 英特尔公司 | Methods and apparatus for a keying mechanism for end-to-end service control protection |
CN101094063B (en) * | 2006-07-19 | 2011-05-11 | 中兴通讯股份有限公司 | Security interaction method for the roam terminals to access soft switching network system |
CN101155033B (en) * | 2006-09-26 | 2010-05-19 | 中兴通讯股份有限公司 | Method for confirming client identity |
CN1976309B (en) * | 2006-12-22 | 2010-08-18 | 杭州华三通信技术有限公司 | Method for wireless user inserting network service, access controller and server |
CN101330384B (en) * | 2007-06-19 | 2011-12-07 | 中兴通讯股份有限公司 | Authentication method for terminal equipment |
CN101351021B (en) * | 2007-07-16 | 2011-11-30 | 中兴通讯股份有限公司 | Microwave access global interconnection system and implementing method thereof |
CN101350748B (en) * | 2007-07-20 | 2012-02-29 | 中兴通讯股份有限公司 | Method and system for accessing control terminal after being losing to obtain data summary calculation parameter |
CN101420687B (en) * | 2007-10-24 | 2010-07-14 | 中兴通讯股份有限公司 | Identity verification method based on mobile terminal payment |
CN101453394B (en) * | 2007-12-03 | 2011-06-01 | 华为技术有限公司 | Method, system and equipment for access control |
CN101217386B (en) * | 2008-01-16 | 2011-01-19 | 中兴通讯股份有限公司 | Authorized charging server and charging method |
CN101730092B (en) * | 2008-10-20 | 2013-07-03 | 深圳富泰宏精密工业有限公司 | System and method for generating one-time passwords by using GSM mobile phone |
CN101621800B (en) * | 2009-08-13 | 2013-01-30 | 深圳市星谷科技有限公司 | Method for exchanging authentication information between wireless terminal and wireless router |
CN101707773B (en) * | 2009-11-23 | 2012-05-30 | 中国电信股份有限公司 | Method and system for fusing WLAN access gateway, mobile network and wireless broadband network |
CN101867929A (en) * | 2010-05-25 | 2010-10-20 | 北京星网锐捷网络技术有限公司 | Authentication method, system, authentication server and terminal equipment |
CN101867929B (en) * | 2010-05-25 | 2013-03-13 | 北京星网锐捷网络技术有限公司 | Authentication method, system, authentication server and terminal equipment |
CN101977383A (en) * | 2010-08-03 | 2011-02-16 | 北京星网锐捷网络技术有限公司 | Authentication processing method, system, client side and server for network access |
CN102355701A (en) * | 2011-09-19 | 2012-02-15 | 中兴通讯股份有限公司 | Wireless local area network (WLAN) accessing method and terminal |
CN102355701B (en) * | 2011-09-19 | 2017-12-29 | 中兴通讯股份有限公司 | Access the method and terminal of WLAN focus |
CN103391542B (en) * | 2012-05-08 | 2016-11-23 | 华为终端有限公司 | EAP authentication triggering method and system, access network equipment, terminal unit |
WO2013166909A1 (en) * | 2012-05-08 | 2013-11-14 | 华为终端有限公司 | Method and system for eap authentication triggering, access network device and terminal device |
CN103391542A (en) * | 2012-05-08 | 2013-11-13 | 华为终端有限公司 | EAP authentication triggering method and system, access network equipment and terminal equipment |
CN103685201A (en) * | 2012-09-24 | 2014-03-26 | 中兴通讯股份有限公司 | Method and system for WLAN user fixed network access |
WO2014044098A1 (en) * | 2012-09-24 | 2014-03-27 | 中兴通讯股份有限公司 | Wlan user fixed network access method and system |
US9736156B2 (en) | 2012-09-24 | 2017-08-15 | Zte Corporation | WLAN user fixed network accessing method and system |
CN105188055A (en) * | 2015-08-14 | 2015-12-23 | 中国联合网络通信集团有限公司 | Wireless network access method, wireless access point and server |
CN105188055B (en) * | 2015-08-14 | 2018-06-12 | 中国联合网络通信集团有限公司 | wireless network access method, wireless access point and server |
CN110876142A (en) * | 2018-09-02 | 2020-03-10 | 中城智慧科技有限公司 | Identification-based wifi authentication method |
CN110876142B (en) * | 2018-09-02 | 2023-08-18 | 中城智慧科技有限公司 | Identification-based wifi authentication method |
CN112702776A (en) * | 2020-12-15 | 2021-04-23 | 锐捷网络股份有限公司 | Method for realizing wireless terminal access to wireless local area network and wireless access point |
CN113423116A (en) * | 2021-08-25 | 2021-09-21 | 广州朗国电子科技股份有限公司 | Configuration method of 5G hot spot default mode based on Android system |
Also Published As
Publication number | Publication date |
---|---|
CN100539521C (en) | 2009-09-09 |
WO2004102884A1 (en) | 2004-11-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN1549526A (en) | Method for realizing radio local area network authentication | |
CN108293185B (en) | Wireless device authentication method and device | |
JP5193850B2 (en) | Wireless communication method | |
US7546459B2 (en) | GSM-like and UMTS-like authentication in a CDMA2000 network environment | |
US10880291B2 (en) | Mobile identity for single sign-on (SSO) in enterprise networks | |
US9232398B2 (en) | Method and apparatus for link setup | |
US7515906B2 (en) | Method of implementing authentication of high-rate packet data services | |
CN1842000A (en) | Method for realizing access authentication of WLAN | |
CN1720688A (en) | Key generation in a communication system | |
US20240298174A1 (en) | Method and systems for authenticating ue for accessing non-3gpp service | |
EP2939490A1 (en) | Secure on-line signup and provisioning of wireless devices | |
CN1848994A (en) | Method for realizing right discrimination of microwave cut-in global interoperating system | |
EP1502388A1 (en) | System, apparatus and method for sim-based authentication and encryption in wireless local area network access | |
CN1645826A (en) | Method for building session connection to wireless local network user | |
CN101926151A (en) | Method and communication network system for establishing security conjunction | |
CN1662092A (en) | Access authentication method and equipment in data packet network at high speed | |
CN101056456A (en) | Method and secure system for authenticating the radio evolution network | |
CN1283062C (en) | Cut-in identification realizing method for wireless local network | |
US11956626B2 (en) | Cryptographic key generation for mobile communications device | |
WO2009074050A1 (en) | A method, system and apparatus for authenticating an access point device | |
CN101052032A (en) | Business entity certifying method and device | |
CN1835623A (en) | Updating method of controlled secret key | |
CN1691582A (en) | Method for implementing compatibility between WAPI protocol and 802.1X protocol | |
CN101272297B (en) | EAP authentication method of WiMAX network user | |
KR20060135004A (en) | Method and device for authenticating ms that has an r-uim by using cave algorithm |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| C41 | Transfer of patent application or patent right or utility model | |
| TR01 | Transfer of patent right | Effective date of registration: 20160513; Address after: American California; Patentee after: Snaptrack, Inc.; Address before: 518057 Guangdong city of Shenzhen province science and Technology Park of HUAWEI Road Service Building; Patentee before: Huawei Technologies Co., Ltd. |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20090909; Termination date: 20190516 |