CN103491540A - Wireless local area network two-way access authentication system and method based on identity certificates - Google Patents

Info

Publication number: CN103491540A (application number CN201310429993.XA)
Authority: CN (China)
Prior art keywords: mobile subscriber, router, access, identity credential, message
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN103491540B (en)
Inventor: 高天寒
Current assignee: Northeastern University China
Original assignee: Northeastern University China
Events: application filed by Northeastern University China; priority to CN201310429993.XA; publication of CN103491540A; application granted; publication of CN103491540B; legal status: active

Abstract

The invention discloses a wireless local area network two-way access authentication system and method based on identity credentials. The system comprises access routers arranged in a security domain and further comprises an identity credential management server and an authentication server. The identity credential management server manages the identity credentials of the entities in the security domain, namely issuing and maintaining identity credentials. The authentication server verifies the access authentication applications of mobile subscribers and completes shared key negotiation with the mobile subscribers. The access routers control whether a mobile subscriber may access the wireless local area network according to the authentication result returned by the authentication server, and receive and forward the authentication messages between the mobile subscribers and the authentication server. Within an autonomous security domain, the system and method achieve two-way access authentication and key negotiation between mobile subscribers and the access network, support efficient access authentication when mobile subscribers switch between different access routers, and improve access authentication efficiency.

Description

Wireless local area network two-way access authentication system and method based on identity credentials
Technical field
The invention belongs to the field of wireless network security, and in particular to a wireless local area network (WLAN) two-way access authentication system and method based on identity credentials.
Background technology
With the rapid development of computer networks and mobile communication technology, mobile devices have emerged in large numbers and the demand for ubiquitous network access has become ever more pressing. As an expansion and extension of the Internet, the IEEE 802.11 wireless local area network (Wireless Local Area Network, WLAN) has become the best solution for "last kilometre" access thanks to its flexible deployment, compatibility with heterogeneous equipment, low cost and rich bandwidth.
However, with the widespread deployment of WLAN, its security problems have begun to stand out. Next-generation wireless communication systems require a WLAN to provide users with efficient and secure access services in an open environment, and access security is the key to guaranteeing WLAN security. When a mobile subscriber accesses a WLAN, the access network needs to authenticate the mobile subscriber's identity in order to prevent illegitimate use of network resources; on the other hand, the mobile subscriber needs to authenticate the access network in order to obtain a reliable access service. Two-way authentication between the access network and the mobile subscriber is the basis for realizing secure WLAN access.
Existing solutions for secure WLAN access mainly comprise the centralized access authentication method based on the 802.11i framework, the distributed access authentication method based on the PKI system, and the access authentication method based on identity-based cryptography. (1) In the centralized authentication method based on 802.11i, when a mobile subscriber accesses the network it first submits an authentication request to the access router; the access router forwards the request to the central authentication server, which authenticates the mobile subscriber's identity and completes key agreement between the mobile subscriber and the access router. The centralized mode requires the authenticating entity to exchange a large number of messages with the remote central authentication server, which reduces access authentication efficiency. (2) In the distributed access authentication method based on PKI, a certificate authority (Certificate Authority, CA) issues X.509 digital certificates to the mobile subscriber and the access router respectively; when the mobile subscriber accesses the WLAN, the mobile subscriber and the access router exchange and verify each other's digital certificates and thereby realize local two-way access authentication. However, the cost to the mobile subscriber and the access router of administering and maintaining digital certificates limits the practicality of such schemes. (3) In recent years identity-based cryptography (IBC) has begun to be applied to WLAN access authentication; using an entity's identity as its public key can relieve the digital certificate management and maintenance cost of the PKI system. The mobile subscriber and the access router can realize two-way access authentication by verifying each other's identity-based signatures. But the private key of each entity is distributed by a private key generator (Private Key Generator, PKG), which gives rise to a series of security problems such as key escrow and key delivery, so that this type of scheme is confined to small-scale trusted networks.
It can be seen that the above WLAN security mechanisms have defects in authentication message interaction delay, digital certificate maintenance cost and applicability; what is more, when a mobile subscriber switches between different access routers within the access network, the complete access authentication procedure has to be re-executed, which further reduces access authentication efficiency.
Summary of the invention
To address the deficiencies of the prior art, the invention provides a wireless local area network two-way access authentication system and method based on identity credentials.
The technical scheme of the invention is as follows:
A wireless local area network two-way access authentication system based on identity credentials comprises access routers arranged in a security domain, and further comprises an identity credential management server and an authentication server;
The identity credential management server manages the identity credentials of the entities in the security domain, which comprises issuing identity credentials and maintaining identity credentials; an identity credential comprises the issuer identity, the issuer public key, the user identity, the user public key, the user identity certificate and the identity credential validity period; the entities in the security domain comprise mobile subscribers and access routers;
The authentication server verifies the access authentication applications of mobile subscribers and completes shared key negotiation with the mobile subscribers;
The access router controls whether a mobile subscriber may access the WLAN according to the result returned by the authentication server, and at the same time receives and forwards the authentication messages between the mobile subscriber and the authentication server.
The method for two-way WLAN access authentication using the above wireless local area network two-way access authentication system based on identity credentials comprises the following steps:
Step 1: the identity credential management server generates the system public parameters according to a selected security parameter and publishes the system public parameters;
The system public parameters comprise the cyclic groups G1 and G2, the bilinear pairing e, the base points P and G on the cyclic group G1, the one-way hash function H1 from a character set to the cyclic group G1, the one-way hash function H2 from the cyclic group G2 to the set of positive integers in the range 1 to q-1 (where q is the security parameter selected by the identity credential management server), and the public key of the identity credential management server;
Step 2: the identity credential management server examines the entity's identity and issues an identity credential to the entity;
Step 2.1: before applying for an identity credential, the entity generates its public/private key pair from the system public parameters: the entity's private key SK_EN is selected at random by the entity, and the entity's public key is PK_EN = SK_EN·P, i.e. the product of the base point P on the cyclic group G1 and the entity's private key SK_EN;
Step 2.2: the entity sends its identity information and its public key to the identity credential management server to apply for an identity credential;
The identity information is a network address identifier;
Step 2.3: after receiving the entity's identity credential application, the identity credential management server verifies the legitimacy of the entity's identity information; if the identity information is legitimate it generates an identity credential and issues it to the entity, otherwise it issues no identity credential to the entity;
The identity credential comprises the issuer identity, the issuer public key, the user identity, the user public key, the user identity certificate and the identity credential validity period, where the user identity certificate is generated by the certificate-based signature algorithm CBS;
Step 2.4: after receiving the identity credential, the entity generates its signature key from its own private key and the entity identity certificate contained in the identity credential;
Step 3: when a mobile subscriber moves into the security domain and requests access to one of the access routers, two-way access authentication is carried out between the mobile subscriber, the access router and the authentication server;
Step 3.1: the mobile subscriber sends an identity credential presentation message to the access router, and the access router forwards the message to the authentication server;
Step 3.1.1: the mobile subscriber sends a router request message to discover the access routers in the security domain where it is currently located;
Step 3.1.2: after receiving the router request message sent by the mobile subscriber, the access router starts access authentication;
Step 3.1.3: the access router sends a router response message to the mobile subscriber requesting the mobile subscriber's identity credential;
Step 3.1.4: the mobile subscriber sends an identity credential presentation message to the access router; the message comprises the mobile subscriber's identity credential, the current timestamp, the mobile subscriber's key agreement parameter, and the CBS signature over the identity credential presentation message computed with the CBS algorithm under the mobile subscriber's signature key;
The mobile subscriber's key agreement parameter is the product of the mobile subscriber's public key and a random number;
Step 3.1.5: after receiving the mobile subscriber's identity credential presentation message, the access router forwards the message to the authentication server;
Step 3.2: after receiving the mobile subscriber's identity credential presentation message, the authentication server verifies the mobile subscriber's identity credential: if verification succeeds, step 3.3 is performed; if verification fails, the mobile subscriber's access is refused and a verification failure message is sent to the access router;
Step 3.2.1: verify the freshness of the timestamp in the mobile subscriber's identity credential presentation message to prevent replay attacks: if the timestamp is fresh, the authentication server checks the validity period of the identity credential and step 3.2.2 is performed; otherwise verification fails, the mobile subscriber's access is refused and a verification failure message is sent to the access router;
Step 3.2.2: if the identity credential is within its validity period, the authentication server verifies the CBS signature of the identity credential presentation message and step 3.2.3 is performed; if the identity credential has expired, a verification failure message is sent to the access router;
Step 3.2.3: the authentication server verifies the CBS signature of the identity credential presentation message using the issuer public key and the user public key in the identity credential: if verification passes, the authentication server confirms that the mobile subscriber is a legitimate access user; if verification fails, the mobile subscriber's access is refused and a verification failure message is sent to the access router;
Step 3.3: the authentication server sends a verification success message for the mobile subscriber's identity credential to the mobile subscriber;
Step 3.3.1: the authentication server sends the verification success message to the access router; the message comprises the authentication server's key agreement parameter;
The authentication server's key agreement parameter is the product of the authentication server's public key and a random number;
Step 3.3.2: after receiving the verification success message sent by the authentication server, the access router inserts its own identity credential and the current timestamp into the message;
Step 3.3.3: the access router signs the verification success message with the CBS algorithm under its own signature key, and sends the verification success message together with its CBS signature to the mobile subscriber;
Step 3.4: after receiving the access router's verification success message, the mobile subscriber verifies the access router's identity credential: if verification succeeds, it accesses the current access router and two-way access authentication is complete; if verification fails, it refuses to access the current access router;
Step 4: the authentication server and the mobile subscriber perform shared key negotiation based on the key agreement parameters;
Step 4.1: the authentication server computes the shared key between the authentication server and the mobile subscriber from the mobile subscriber's key agreement parameter;
Step 4.2: the mobile subscriber computes the shared key between the mobile subscriber and the authentication server from the authentication server's key agreement parameter;
Step 5: when the mobile subscriber continues to move within the security domain and accesses a new access router, handover access authentication is performed using the shared key between the mobile subscriber and the authentication server;
Step 5.1: when the mobile subscriber continues to move within the security domain and accesses a new access router, the mobile subscriber sends an identity credential presentation message to the access router, and the access router forwards the message to the authentication server;
Step 5.1.1: the mobile subscriber sends a router request message to discover the access routers in the security domain where it is currently located;
Step 5.1.2: after receiving the router request message sent by the mobile subscriber, the access router starts access authentication;
Step 5.1.3: the access router sends a router response message to the mobile subscriber requesting the mobile subscriber's identity credential;
Step 5.1.4: the mobile subscriber sends an identity credential presentation message to the access router; the message comprises the mobile subscriber's identity credential, the current timestamp, and the HMAC authentication result computed over the identity credential presentation message with the HMAC algorithm under the shared key negotiated between the mobile subscriber and the authentication server;
Step 5.1.5: after receiving the mobile subscriber's identity credential presentation message, the access router forwards the message to the authentication server;
Step 5.2: after receiving the mobile subscriber's identity credential presentation message, the authentication server verifies the mobile subscriber's identity credential: if verification succeeds, step 5.3 is performed; if verification fails, the mobile subscriber's access is refused and a verification failure message is sent to the access router;
Step 5.3: the authentication server sends a verification success message for the mobile subscriber's identity credential to the mobile subscriber;
Step 5.3.1: the authentication server sends the verification success message to the access router; the message comprises the shared key encrypted by the authentication server under the access router's public key;
Step 5.3.2: after receiving the verification success message sent by the authentication server, the access router decrypts the encrypted shared key with its own private key and extracts the shared key;
Step 5.3.3: the access router inserts its own identity credential and the current timestamp into the verification success message, computes the HMAC authentication result over the verification success message with the HMAC algorithm under the shared key, and sends the verification success message together with its HMAC authentication result to the mobile subscriber;
Step 5.4: the mobile subscriber verifies the legitimacy of the access router using the shared key it negotiated with the authentication server; if the access router is legitimate, the mobile subscriber hands over to this legitimate access router and handover access authentication is complete; if the access router is illegitimate, the mobile subscriber refuses to access it.
In step 3.4, after the mobile subscriber receives the access router's verification success message, it verifies the access router's identity credential in the following concrete steps:
Step 3.4.1: the mobile subscriber verifies the freshness of the timestamp in the received verification success message to prevent replay attacks: if the timestamp is fresh, it checks the validity period of the access router's identity credential and step 3.4.2 is performed; otherwise verification fails and access to the current access router is refused;
Step 3.4.2: if the identity credential is within its validity period, the mobile subscriber verifies the CBS signature of the verification success message and step 3.4.3 is performed; if the identity credential has expired, access to the current access router is refused;
Step 3.4.3: the mobile subscriber verifies the CBS signature of the verification success message using the issuer public key and the user public key in the identity credential: if verification passes, the mobile subscriber confirms access to this legitimate access router and two-way access authentication is complete; if verification fails, the mobile subscriber refuses to access the current access router.
In step 4.1, the authentication server computes the shared key between the authentication server and the mobile subscriber from the mobile subscriber's key agreement parameter in the following concrete steps:
Step 4.1.1: the authentication server takes the mobile subscriber's key agreement parameter and the product of the base point G on the cyclic group G1 and the authentication server's private key as inputs, and computes the authentication server's shared key value with the bilinear pairing e;
Step 4.1.2: the authentication server takes its shared key value as input and computes the shared key between itself and the mobile subscriber with the one-way hash function H2.
In step 4.2, the mobile subscriber computes the shared key between the mobile subscriber and the authentication server from the authentication server's key agreement parameter in the following concrete steps:
Step 4.2.1: the mobile subscriber takes the authentication server's key agreement parameter and the product of the base point G on the cyclic group G1 and the mobile subscriber's private key as inputs, and computes the mobile subscriber's shared key value with the bilinear pairing e;
Step 4.2.2: the mobile subscriber takes its shared key value as input and computes the shared key between itself and the authentication server with the one-way hash function H2.
In step 5.2, after the authentication server receives the mobile subscriber's identity credential presentation message, it verifies the mobile subscriber's identity credential in the following concrete steps:
Step 5.2.1: verify the freshness of the timestamp in the mobile subscriber's identity credential presentation message to prevent replay attacks: if the timestamp is fresh, the authentication server checks the validity period of the identity credential and step 5.2.2 is performed; otherwise verification fails, the mobile subscriber's access is refused and a verification failure message is sent to the access router;
Step 5.2.2: if the identity credential is within its validity period, the authentication server verifies the HMAC authentication result of the identity credential presentation message and step 5.2.3 is performed; if the identity credential has expired, a verification failure message is sent to the access router;
Step 5.2.3: the authentication server verifies the HMAC authentication result of the identity credential presentation message using the shared key negotiated between itself and the mobile subscriber: if verification passes, the authentication server confirms that the mobile subscriber is a legitimate access user; if verification fails, the mobile subscriber's access is refused and a verification failure message is sent to the access router.
In step 5.4, the mobile subscriber verifies the legitimacy of the access router using the shared key it negotiated with the authentication server in the following concrete steps:
Step 5.4.1: the mobile subscriber verifies the freshness of the timestamp in the received verification success message to prevent replay attacks: if the timestamp is fresh, it checks the validity period of the access router's identity credential and step 5.4.2 is performed; otherwise verification fails and access to the current access router is refused;
Step 5.4.2: if the identity credential is within its validity period, the mobile subscriber verifies the HMAC authentication result of the verification success message and step 5.4.3 is performed; if the identity credential has expired, access to the current access router is refused;
Step 5.4.3: the mobile subscriber verifies the HMAC authentication result of the verification success message using the shared key it negotiated with the authentication server: if verification passes, the mobile subscriber confirms access to this legitimate access router and handover access authentication is complete; if verification fails, the mobile subscriber refuses to access the current access router.
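The three-stage check that steps 3.2, 3.4, 5.2 and 5.4 all share (timestamp freshness, then credential validity period, then the cryptographic check) is shown below as an added Python example; it is not code from the patent. Because the CBS signature of steps 3.2 and 3.4 needs a pairing library, the block implements the handover variant of steps 5.1.4, 5.2, 5.3.3 and 5.4, where the cryptographic check is an HMAC under the shared key from step 4. The key, the credential field values, the 30-second freshness window and the "last accepted timestamp" replay guard are all constructed assumptions; the patent only requires the timestamp to be fresh and says nothing about the distribution of the shared key to the AR, which is therefore passed in directly.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass, asdict

FRESHNESS_WINDOW = 30  # seconds; assumed, the patent does not fix a window


@dataclass(frozen=True)
class IdentityCredential:
    """The six fields the patent lists for an identity credential (IC)."""
    issuer_id: str
    issuer_pk: str      # stand-in for PK_ICM (hex string, constructed)
    user_id: str        # network address identifier, e.g. mn1@domain.example
    user_pk: str        # stand-in for PK_EN
    user_cert: str      # stand-in for Cert_EN; the CBS certificate is not computed here
    not_before: int     # validity period as Unix times
    not_after: int


def _canonical(msg: dict) -> bytes:
    # Deterministic encoding so both ends MAC exactly the same bytes.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def _tag(shared_key: bytes, msg: dict) -> str:
    return hmac.new(shared_key, _canonical(msg), hashlib.sha256).hexdigest()


def mn_build_presentation(cred: IdentityCredential, shared_key: bytes, now: int) -> dict:
    """Step 5.1.4: IC, current timestamp and HMAC over the message under the shared key."""
    msg = {"credential": asdict(cred), "timestamp": now}
    return {"message": msg, "hmac": _tag(shared_key, msg)}


class AuthServer:
    """AS side of step 5.2, in the order the patent gives: freshness, validity, HMAC."""

    def __init__(self, shared_keys: dict):
        self.shared_keys = shared_keys  # user_id -> key negotiated in step 4 (assumed done)
        self.last_seen = {}             # user_id -> last accepted timestamp (added replay guard)

    def verify_presentation(self, pres: dict, now: int):
        msg = pres["message"]
        cred = IdentityCredential(**msg["credential"])
        ts = msg["timestamp"]
        # Step 5.2.1: stale or already-accepted timestamps are treated as replays.
        if abs(now - ts) > FRESHNESS_WINDOW or ts <= self.last_seen.get(cred.user_id, -1):
            return False, "stale timestamp"
        # Step 5.2.2: the credential must be inside its validity period.
        if not (cred.not_before <= now <= cred.not_after):
            return False, "credential expired"
        # Step 5.2.3: HMAC under the key shared with this particular MN, constant-time compare.
        key = self.shared_keys.get(cred.user_id)
        if key is None or not hmac.compare_digest(_tag(key, msg), pres["hmac"]):
            return False, "hmac mismatch"
        self.last_seen[cred.user_id] = ts
        return True, "ok"


def ar_build_success(ar_cred: IdentityCredential, shared_key: bytes, now: int) -> dict:
    """Step 5.3.3: the AR inserts its own IC and timestamp and MACs the success message."""
    msg = {"result": "success", "ar_credential": asdict(ar_cred), "timestamp": now}
    return {"message": msg, "hmac": _tag(shared_key, msg)}


def mn_verify_success(resp: dict, shared_key: bytes, now: int):
    """Step 5.4: the MN checks freshness, the AR credential's validity, then the HMAC."""
    msg = resp["message"]
    ar = IdentityCredential(**msg["ar_credential"])
    if abs(now - msg["timestamp"]) > FRESHNESS_WINDOW:
        return False, "stale timestamp"
    if not (ar.not_before <= now <= ar.not_after):
        return False, "ar credential expired"
    if not hmac.compare_digest(_tag(shared_key, msg), resp["hmac"]):
        return False, "hmac mismatch"
    return True, "ok"


def run_handover_demo() -> dict:
    """Constructed scenario: one legitimate handover plus replay, expiry, key and tamper failures."""
    key = hashlib.sha256(b"constructed shared key from step 4").digest()
    icm, t0, t1 = "icm@domain.example", 1_700_000_000, 1_800_000_000
    mn = IdentityCredential(icm, "aa11", "mn1@domain.example", "bb22", "cc33", t0, t1)
    ar = IdentityCredential(icm, "aa11", "ar2@domain.example", "dd44", "ee55", t0, t1)
    expired = IdentityCredential(icm, "aa11", "mn1@domain.example", "bb22", "cc33", t0, t0 + 100)
    now = 1_750_000_000
    server = AuthServer({"mn1@domain.example": key})
    results = {}
    pres = mn_build_presentation(mn, key, now)
    results["fresh"] = server.verify_presentation(pres, now + 1)
    results["replay"] = server.verify_presentation(pres, now + 2)  # same message resent
    results["expired"] = server.verify_presentation(mn_build_presentation(expired, key, now + 5), now + 5)
    results["wrong_key"] = server.verify_presentation(mn_build_presentation(mn, b"other", now + 5), now + 5)
    success = ar_build_success(ar, key, now + 3)
    results["ar_ok"] = mn_verify_success(success, key, now + 4)
    tampered = {"message": dict(success["message"], result="failure"), "hmac": success["hmac"]}
    results["ar_tampered"] = mn_verify_success(tampered, key, now + 4)
    return results
```

The order of checks matters operationally: the cheap timestamp and validity checks run before the MAC so that replayed or expired presentations cost the AS no keyed computation, and the replay guard is only advanced after the MAC has verified, so an attacker who forges timestamps cannot lock a legitimate subscriber out.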
Beneficial effect:
Within an autonomous security domain, the system and method of the invention realize two-way access authentication and key agreement between the mobile subscriber and the access network, and also support efficient access authentication when the mobile subscriber switches between different access routers, which improves access authentication efficiency.
Description of the drawings
Fig. 1 is a schematic diagram of the wireless local area network two-way access authentication system based on identity credentials according to the specific embodiment of the invention;
Fig. 2 is a flow chart of examining an entity's identity and issuing an identity credential to the entity according to the specific embodiment of the invention;
Fig. 3 is a schematic diagram of the process in which the mobile subscriber sends an identity credential presentation message to the authentication server according to the specific embodiment of the invention;
Fig. 4 is a flow chart of the authentication server authenticating the mobile subscriber according to the specific embodiment of the invention;
Fig. 5 is a schematic diagram of the process in which the authentication server sends a verification success message to the mobile subscriber according to the specific embodiment of the invention;
Fig. 6 is a flow chart of the mobile subscriber authenticating the access router according to the specific embodiment of the invention;
Fig. 7 is a schematic diagram of the handover authentication process according to the specific embodiment of the invention;
Fig. 8 is a communication flow diagram of the system modules according to the specific embodiment of the invention;
Fig. 9 is a flow chart of the wireless local area network two-way access authentication method according to the specific embodiment of the invention.
Embodiment
The specific embodiment of the invention is described in detail below with reference to the accompanying drawings.
In the present embodiment, the wireless local area network two-way access authentication system and method based on identity credentials are applied to a WLAN access authentication link. The mature 802.11i authentication framework is adopted in the implementation; for carrying the authentication messages, the EAP protocol is used between the mobile subscriber and the access router, and the RADIUS protocol is used between the access router and the authentication server.
As shown in Figure 1, the wireless local area network two-way access authentication system based on identity credentials comprises several access routers (including AR1 and AR2) arranged in an autonomous security domain, and further comprises an identity credential management server (ICM) and an authentication server (AS);
The identity credential management server manages the identity credentials (Identity Credential, IC) of the entities in the security domain (the access routers AR and the mobile subscribers MN), which comprises issuing identity credentials and maintaining identity credentials;
The identity credential is the key evidence in the two-way access authentication procedure, and it differs essentially from the X.509 digital certificate of the PKI system. An X.509 digital certificate mainly realizes the binding of a user's identity information to the public key it holds, whereas the identity credential of the present embodiment comprises the issuer identity, the issuer public key, the user identity, the user public key, the user identity certificate and the identity credential validity period;
The authentication server verifies the access authentication applications of mobile subscribers and completes shared key negotiation with the mobile subscribers;
The access router controls whether a mobile subscriber is allowed to access the WLAN according to the result returned by the authentication server, and at the same time receives and forwards the authentication messages between the mobile subscriber and the authentication server.
For ease of the subsequent description, the symbols and their explanations are given in Table 1.
Table 1 Symbols and explanations
(Table 1 is an image in the original and its contents are not reproduced on this page.)
The method for two-way WLAN access authentication using the above wireless local area network two-way access authentication system based on identity credentials, as shown in Figure 9, comprises the following steps:
Step 1: the identity credential management server ICM generates the system public parameters according to the selected security parameter and publishes the system public parameters;
The ICM is the trusted third party in the security domain; it generates and publishes the system public parameters;
The system public parameters {G1, G2, e, P, G, H1, H2, PK_ICM} comprise the cyclic groups G1 and G2, the bilinear pairing e, the base points P and G on the cyclic group G1, the one-way hash function H1 from a character set to the cyclic group G1 (H1: {0,1}* → G1), the one-way hash function H2 from the cyclic group G2 to the set of positive integers in the range 1 to q-1 (where q is the security parameter selected by the identity credential management server), and the public key of the identity credential management server PK_ICM = SK_ICM·P, where the identity credential management server's private key SK_ICM is selected at random by the identity credential management server;
Step 2: the identity credential management server examines the entity's identity and issues an identity credential to the entity, as shown in Figure 2;
Step 2.1: before applying for an identity credential, the entity generates its public/private key pair from the system public parameters: the entity's private key SK_EN is selected at random by the entity, and the entity's public key is PK_EN = SK_EN·P, i.e. the product of the base point P on the cyclic group G1 and the entity's private key SK_EN;
Step 2.2: the entity sends its identity information and its public key to the identity credential management server to apply for an identity credential;
The identity information is a network address identifier such as Entity@Domain;
Step 2.3: after receiving the entity's identity credential application, the identity credential management server verifies the legitimacy of the entity's identity information; if the identity information is legitimate it generates an identity credential and issues it to the entity, otherwise it issues no identity credential to the entity;
The identity credential comprises the issuer identity, the issuer public key, the user identity, the user public key, the user identity certificate and the identity credential validity period, where the user identity certificate is generated by the certificate-based signature algorithm CBS;
The entity identity certificate in the identity credential is:
Cert_EN = SK_ICM·P_EN, where P_EN = H1(PK_ICM || PK_EN || ID_EN) ∈ G1.
Step 2.4: after receiving the identity credential, the entity generates its signature key from its own private key and the entity identity certificate contained in the identity credential;
The signature key of the entity is:
SignKey_EN = Cert_EN + SK_EN·P_EN.
Step 3: when the mobile user moves into the security domain and requests access through some access router AR, two-way access authentication is performed between the mobile user MN, the access router AR and the authentication server AS;
Step 3.1: the mobile user sends a credential presentation message to the access router, and the access router AR forwards this message to the authentication server, as shown in Figure 3;
Step 3.1.1: the mobile user sends a router request message to discover an access router in the current security domain;
MN discovers an AR in the security domain by sending an EAP packet (EAP-Start); the multicast EAP frame carries only the mandatory fields of an EAP frame;
Step 3.1.2: on receiving the router request message sent by the mobile user, the access router starts access authentication;
Step 3.1.3: the access router sends a router response message to the mobile user requesting the mobile user's identity credential;
After receiving MN's EAP-Start, AR sends an EAP packet (EAP-Request-Credential) to MN requesting MN's credential information;
Step 3.1.4: the mobile user sends a credential presentation message to the access router; the message comprises the mobile user's identity credential, the current timestamp (Ts1), the mobile user's key agreement parameter and the CBS signature result σ computed over the credential presentation message with the CBS algorithm under the mobile user's signature key;
The mobile user sends the credential presentation message to the access router in an EAP packet (EAP-Response);
The mobile user's key agreement parameter is the product of the mobile user's public key and a random number:
T_a = a · PK_MN, where a is the random number chosen by MN;
The CBS signature of the credential presentation message under the mobile user's signature key is σ = (U, V), with U = r · P_MN, h = H2(m, U), V = (r + h) · SignKey_MN, where m is the credential presentation message;
Step 3.1.5: after receiving the mobile user's credential presentation message, the access router forwards it to the authentication server;
After receiving MN's credential presentation message, AR extracts the corresponding data from the data portion of the EAP packet, re-encapsulates it in the RADIUS protocol and forwards the credential presentation message to AS in a RADIUS packet (RADIUS-Access-Request);
Step 3.2: after receiving the mobile user's credential presentation message, the authentication server verifies the mobile user's identity credential, as shown in Figure 4: if verification succeeds, go to step 3.3; if verification fails, the mobile user's access is refused and a verification failure message is sent to the access router;
Step 3.2.1: check the freshness of the timestamp Ts1 in the mobile user's credential presentation message to prevent replay attacks: if Ts1 is fresh, the authentication server checks the validity period of the credential and goes to step 3.2.2; otherwise verification fails, the mobile user's access is refused and a verification failure message is sent to the access router;
Step 3.2.2: if the credential is within its validity period, the authentication server verifies the CBS signature result of the credential presentation message and goes to step 3.2.3; if the credential has expired, a verification failure message is sent to the access router;
Step 3.2.3: the authentication server verifies the CBS signature result of the credential presentation message using the issuer public key and the user public key contained in the credential: if the check passes, the authentication server confirms that the mobile user is a legitimate access user; if it fails, the mobile user's access is refused and a verification failure message is sent to the access router;
The authentication server verifies the CBS signature result σ of the credential presentation message as follows:
e(PK_ICM + PK_MN, U + h · P_MN) =? e(P, V).
Step 3.3: the authentication server sends the credential verification success message for the mobile user to the mobile user, as shown in Figure 5;
Step 3.3.1: the authentication server sends a verification success message to the access router; the message comprises the authentication server's key agreement parameter;
The authentication server sends the verification success message to the access router in a RADIUS packet (RADIUS-Access-Success);
The authentication server's key agreement parameter is the product of the authentication server's public key and a random number:
T_b = b · PK_AS, where b is the random number chosen by AS;
Step 3.3.2: after receiving the verification success message from the authentication server, the access router inserts its own identity credential and the current timestamp (Ts2) into the message;
After receiving the authentication server's verification success message, the access router extracts the corresponding data from the data portion of the RADIUS packet, inserts the access router's identity credential and the current timestamp (Ts2), and re-encapsulates the result in the EAP protocol;
Step 3.3.3: the access router signs the verification success message with the CBS algorithm under the access router's signature key, and sends the verification success message together with its CBS signature result to the mobile user;
The CBS signature of the verification success message under the access router's signature key is σ′ = (U′, V′), with U′ = r′ · P_AR, h′ = H2(m′, U′), V′ = (r′ + h′) · SignKey_AR, where m′ is the verification success message;
The access router forwards the verification success message and the CBS signature result to the mobile user in an EAP packet (EAP-Success);
Step 3.4: as shown in Figure 6, after receiving the access router's verification success message, the mobile user verifies the access router's identity credential: if verification succeeds, the mobile user accesses the current access router and two-way access authentication is complete; if verification fails, access to the current access router is refused;
After receiving the access router's verification success message, the mobile user verifies the access router's identity credential in the following steps:
Step 3.4.1: the mobile user checks the freshness of the timestamp (Ts2) in the received verification success message to prevent replay attacks: if Ts2 is fresh, the validity period of the access router's credential is checked and step 3.4.2 is performed; otherwise verification fails and access to the current access router is refused;
Step 3.4.2: if the credential is within its validity period, the mobile user verifies the CBS signature result of the verification success message and goes to step 3.4.3; if the credential has expired, access to the current access router is refused;
Step 3.4.3: the mobile user verifies the CBS signature result of the verification success message using the issuer public key and the user public key contained in the credential: if the check passes, the mobile user confirms this access router as legitimate and accesses it, completing two-way access authentication; if it fails, the mobile user refuses to access the current access router.
The mobile user verifies the CBS signature result σ′ of the verification success message as follows:
e(PK_ICM + PK_AR, U′ + h′ · P_AR) =? e(P, V′).
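Steps 3.1.5 and 5.1.5 both have the access router lift the credential presentation message out of the EAP packet and re-encapsulate it in a RADIUS Access-Request. The following Python code is an added example of that relay and is not part of the patent or its implementation; it uses the real wire formats from RFC 3748 (EAP), RFC 2865 (RADIUS) and RFC 3579 (EAP-Message and Message-Authenticator attributes). The EAP type number (255, the RFC 3748 experimental-use value), the shared secret and the message bytes are constructed assumptions; the patent names no EAP type for its credential presentation message. The point it adds is the check a defender wants on the AS side: the Message-Authenticator is an HMAC-MD5 over the whole RADIUS packet under the AR-AS shared secret, so an AS that verifies it rejects a relayed EAP payload that was altered or injected by anyone without that secret.

```python
import hashlib
import hmac
import os
import struct

# EAP and RADIUS constants from RFC 3748, RFC 2865 and RFC 3579.
EAP_RESPONSE = 2
EAP_TYPE_EXPERIMENTAL = 255          # RFC 3748 experimental-use type; assumed, the page names no type number
RADIUS_ACCESS_REQUEST = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253                 # one-octet attribute length field: at most 253 value octets


def build_eap_response(identifier: int, eap_type: int, payload: bytes) -> bytes:
    """EAP-Response packet: Code | Identifier | Length | Type | Type-Data (the MN side of step 3.1.4)."""
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(payload), eap_type) + payload


def parse_eap(pkt: bytes):
    """Return (code, identifier, type, type_data) after checking that the Length field matches the packet."""
    if len(pkt) < 5:
        raise ValueError("EAP packet too short")
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return code, identifier, eap_type, pkt[5:]


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type | Length | Value."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def radius_encapsulate(eap_pkt: bytes, secret: bytes, identifier: int, request_auth=None) -> bytes:
    """AR side: wrap an EAP packet in a RADIUS Access-Request with a Message-Authenticator.

    The EAP packet is split across EAP-Message attributes; the Message-Authenticator is
    HMAC-MD5(secret, packet with the authenticator value zeroed) per RFC 3579 section 3.2.
    """
    request_auth = request_auth if request_auth is not None else os.urandom(16)
    attrs = b"".join(_attr(ATTR_EAP_MESSAGE, eap_pkt[i:i + MAX_ATTR_VALUE])
                     for i in range(0, len(eap_pkt), MAX_ATTR_VALUE))
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac   # Message-Authenticator is the last attribute


def radius_extract_eap(pkt: bytes, secret: bytes):
    """AS side: parse the RADIUS packet, verify the Message-Authenticator, reassemble the EAP payload.

    Returns (code, identifier, eap_packet); raises ValueError on malformed or unauthenticated input.
    """
    if len(pkt) < 20:
        raise ValueError("RADIUS packet too short")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, pos, pkt[pos + 2:pos + attr_len]))
        pos += attr_len
    auths = [a for a in attrs if a[0] == ATTR_MESSAGE_AUTHENTICATOR]
    if len(auths) != 1 or len(auths[0][2]) != 16:
        raise ValueError("Message-Authenticator missing or malformed")
    _, offset, received_mac = auths[0]
    zeroed = pkt[:offset + 2] + bytes(16) + pkt[offset + 18:]
    expected_mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(received_mac, expected_mac):
        raise ValueError("Message-Authenticator check failed")
    eap = b"".join(value for attr_type, _, value in attrs if attr_type == ATTR_EAP_MESSAGE)
    return code, identifier, eap


def relay_demo() -> bytes:
    """Constructed end-to-end run: MN builds an EAP-Response, AR relays it, AS extracts it."""
    shared_secret = b"ar-as-shared-secret"            # constructed AR-AS RADIUS shared secret
    presentation = b"Cred_MN|Ts1|T_a|sigma"            # constructed stand-in for the presentation message
    eap = build_eap_response(7, EAP_TYPE_EXPERIMENTAL, presentation)
    radius = radius_encapsulate(eap, shared_secret, identifier=1)
    _, _, recovered = radius_extract_eap(radius, shared_secret)
    return recovered


if __name__ == "__main__":
    print(parse_eap(relay_demo()))
```

The AS never trusts the relayed EAP bytes before the Message-Authenticator passes, and it still has to run the patent's own checks (timestamp, validity period, CBS signature) on the recovered message; the RADIUS layer only proves that the relay itself came unmodified from an AR holding the shared secret.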
Step 4: the authentication server and the mobile user negotiate a shared key based on the key agreement parameters;
Step 4.1: the authentication server computes the shared key between itself and the mobile user from the mobile user's key agreement parameter;
Step 4.1.1: taking the mobile user's key agreement parameter and the product of the base point G on the cyclic group G1 with the authentication server's private key as input, the authentication server computes the authentication server shared key value with the bilinear pairing e:
ShareKey_Value_AS-MN = e(b · T_a, SK_AS · G),
where ShareKey_Value_AS-MN is the shared key value between AS and MN and b is the random parameter chosen by AS;
Step 4.1.2: taking the authentication server shared key value as input, the authentication server computes the shared key between itself and the mobile user with the one-way hash function H2:
ShareKey_AS-MN = H2(ShareKey_Value_AS-MN),
where ShareKey_AS-MN is the shared key between AS and MN;
Step 4.2: the mobile user computes the shared key between itself and the authentication server from the authentication server's key agreement parameter;
Step 4.2.1: taking the authentication server's key agreement parameter and the product of the base point G on the cyclic group G1 with the mobile user's private key as input, the mobile user computes the mobile user shared key value with the bilinear pairing e:
ShareKey_Value_MN-AS = e(a · T_b, SK_MN · G),
where ShareKey_Value_MN-AS is the shared key value between MN and AS and a is the random parameter chosen by MN;
Step 4.2.2: taking the mobile user shared key value as input, the mobile user computes the shared key between itself and the authentication server with the one-way hash function H2:
ShareKey_MN-AS = H2(ShareKey_Value_MN-AS),
where ShareKey_MN-AS is the shared key between MN and AS;
Step 5: as shown in Figure 7, when the mobile user keeps moving within the security domain and accesses a new access router, handover access authentication is performed using the shared key between the mobile user and the authentication server;
Step 5.1: when the mobile user keeps moving within the security domain and accesses a new access router AR′, the mobile user sends a credential presentation message to the access router, and the access router forwards this message to the authentication server;
Step 5.1.1: the mobile user sends a router request message to discover an access router in the current security domain;
Step 5.1.2: on receiving the router request message sent by the mobile user, the access router starts access authentication;
Step 5.1.3: the access router sends a router response message to the mobile user requesting the mobile user's identity credential;
Step 5.1.4: the mobile user sends a credential presentation message to the access router; the message comprises the mobile user's identity credential, the current timestamp Ts3 and the HMAC authentication result ∂ computed over the credential presentation message with the HMAC algorithm using the shared key negotiated between the mobile user and the authentication server;
∂ is generated as follows:
∂ = HMAC_MN(Cred_MN || Ts3 || ShareKey_MN-AS)
Step 5.1.5: after receiving the mobile user's credential presentation message, the access router forwards it to the authentication server;
After receiving MN's credential presentation message, AR extracts the corresponding data from the data portion of the EAP packet, re-encapsulates it in the RADIUS protocol and forwards the credential presentation message to AS in a RADIUS packet (RADIUS-Access-Request);
Step 5.2: after receiving the mobile user's credential presentation message, the authentication server verifies the mobile user's identity credential: if verification succeeds, go to step 5.3; if verification fails, the mobile user's access is refused and a verification failure message is sent to the access router;
After receiving the mobile user's credential presentation message, the authentication server verifies the mobile user's identity credential in the following steps:
Step 5.2.1: check the freshness of the timestamp Ts3 in the mobile user's credential presentation message to prevent replay attacks: if Ts3 is fresh, the authentication server checks the validity period of the credential and goes to step 5.2.2; otherwise verification fails, the mobile user's access is refused and a verification failure message is sent to the access router;
Step 5.2.2: if the credential is within its validity period, the authentication server verifies the HMAC authentication result of the credential presentation message and goes to step 5.2.3; if the credential has expired, a verification failure message is sent to the access router;
Step 5.2.3: the authentication server verifies the HMAC authentication result of the credential presentation message using the shared key it negotiated with the mobile user: if the check passes, the authentication server confirms that the mobile user is a legitimate access user; if it fails, the mobile user's access is refused and a verification failure message is sent to the access router.
The authentication server verifies the HMAC authentication result ∂ of the credential presentation message by recomputing it under its own copy of the shared key:
∂ =? HMAC_AS(Cred_MN || Ts3 || ShareKey_AS-MN)
Step 5.3: the authentication server sends the credential verification success message for the mobile user to the mobile user;
Step 5.3.1: the authentication server sends a verification success message to the access router; the message comprises the shared key encrypted by the authentication server under the access router's public key;
Step 5.3.2: after receiving the verification success message from the authentication server, the access router decrypts the shared key with the access router's private key and extracts the shared key;
Step 5.3.3: the access router inserts its own identity credential and the current timestamp into the verification success message, computes the HMAC authentication result of the verification success message with the HMAC algorithm using the shared key, and sends the verification success message together with its HMAC authentication result to the mobile user;
The HMAC authentication result ∂′ of the verification success message is computed as follows:
∂′ = HMAC_AS(Cred_AS || Ts4 || ShareKey_AS-MN)
Step 5.4: the mobile user verifies the legitimacy of the access router using the shared key it negotiated with the authentication server: if the access router is legitimate, the mobile user hands over to this legitimate access router, completing handover access authentication; if the access router is illegitimate, the mobile user refuses to access it.
The mobile user verifies the legitimacy of the access router using the shared key negotiated with the authentication server in the following steps:
Step 5.4.1: the mobile user checks the freshness of the timestamp Ts4 in the received verification success message to prevent replay attacks: if Ts4 is fresh, the validity period of the access router's credential is checked and step 5.4.2 is performed; otherwise verification fails and access to the current access router is refused;
Step 5.4.2: if the credential is within its validity period, the mobile user verifies the HMAC authentication result of the verification success message and goes to step 5.4.3; if the credential has expired, access to the current access router is refused;
Step 5.4.3: the mobile user verifies the HMAC authentication result of the verification success message using the shared key it negotiated with the authentication server: if the check passes, the mobile user confirms this access router as legitimate and accesses it, completing handover access authentication; if it fails, the mobile user refuses to access the current access router.
The mobile user verifies the HMAC authentication result ∂′ of the verification success message in the same way, by recomputing it under the shared key ShareKey_MN-AS.
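The handover path (steps 5.1.4 and 5.2.1 to 5.2.3, and symmetrically 5.3.3 and 5.4.1 to 5.4.3) replaces the pairing-based CBS signature with an HMAC under the shared key, and the verifier's order of checks is timestamp freshness, credential validity period, then the HMAC. The Python below is an added example of that verifier and is not code from the patent or its C++ implementation. Its assumptions: the shared key is used as the HMAC key (the patent's formula writes ShareKey inside the concatenated input; keying HMAC with it is the standard construction and the swap is deliberate), SHA-256 is the underlying hash, the freshness window is 30 seconds and a set of already-accepted timestamps is kept so an exact replay within the window is also rejected; none of these values are fixed by the page. The credential fields follow step 2.3; the identity certificate is left out because the HMAC path does not use it. The time value and keys are constructed so the run is deterministic.

```python
import hashlib
import hmac
from dataclasses import dataclass

NOW = 1_700_000_000          # constructed "current time" in seconds, fixed so the demo is deterministic
REPLAY_WINDOW = 30           # assumed freshness window in seconds; the page fixes no value


@dataclass(frozen=True)
class Credential:
    """Identity credential fields from step 2.3 (the identity certificate is omitted on the HMAC path)."""
    issuer_id: str
    issuer_pk: bytes
    user_id: str
    user_pk: bytes
    not_before: int
    not_after: int

    def encode(self) -> bytes:
        parts = (self.issuer_id, self.issuer_pk.hex(), self.user_id, self.user_pk.hex(),
                 str(self.not_before), str(self.not_after))
        return "|".join(parts).encode()

    def valid_at(self, t: int) -> bool:
        return self.not_before <= t <= self.not_after


def hmac_tag(shared_key: bytes, cred: Credential, ts: int) -> bytes:
    """∂ = HMAC(ShareKey, Cred || Ts): the shared key is the HMAC key rather than part of the message."""
    return hmac.new(shared_key, cred.encode() + ts.to_bytes(8, "big"), hashlib.sha256).digest()


def build_presentation(cred: Credential, shared_key: bytes, now: int) -> dict:
    """Sender side (MN in step 5.1.4, AR in step 5.3.3): credential, timestamp and HMAC over both."""
    return {"cred": cred, "ts": now, "tag": hmac_tag(shared_key, cred, now)}


def verify_presentation(msg: dict, shared_key: bytes, now: int, seen_timestamps: set) -> str:
    """Steps 5.2.1 to 5.2.3 in the page's order: freshness, validity period, HMAC.

    Returns "ok" or a failure reason; the caller refuses access on anything but "ok".
    """
    ts = msg["ts"]
    if abs(now - ts) > REPLAY_WINDOW or ts in seen_timestamps:
        return "fail: stale or replayed timestamp"
    if not msg["cred"].valid_at(now):
        return "fail: credential expired"
    if not hmac.compare_digest(msg["tag"], hmac_tag(shared_key, msg["cred"], ts)):
        return "fail: HMAC mismatch"
    seen_timestamps.add(ts)   # remember accepted timestamps so an exact replay inside the window is caught
    return "ok"


def handover_demo() -> dict:
    """Constructed run covering the accept case and each rejection branch of step 5.2."""
    key = bytes.fromhex("00" * 31 + "01")   # constructed ShareKey_MN-AS
    cred = Credential("icm@example.test", b"\x02" * 33, "mn@example.test", b"\x03" * 33,
                      NOW - 3600, NOW + 3600)
    seen = set()
    fresh = build_presentation(cred, key, NOW)
    results = {"fresh": verify_presentation(fresh, key, NOW, seen)}
    # the same message presented again a few seconds later: timestamp already accepted
    results["replayed"] = verify_presentation(fresh, key, NOW + 5, seen)
    # a message whose timestamp is ten minutes old: outside the freshness window
    stale = build_presentation(cred, key, NOW - 600)
    results["stale"] = verify_presentation(stale, key, NOW, seen)
    # fresh timestamp but a credential whose validity period has passed
    expired_cred = Credential(cred.issuer_id, cred.issuer_pk, cred.user_id, cred.user_pk,
                              NOW - 7200, NOW - 3600)
    results["expired"] = verify_presentation(build_presentation(expired_cred, key, NOW + 1), key, NOW + 1, seen)
    # fresh timestamp and valid credential, but the sender does not hold the negotiated key
    wrong_key = build_presentation(cred, b"\x00" * 32, NOW + 2)
    results["wrong_key"] = verify_presentation(wrong_key, key, NOW + 2, seen)
    return results


if __name__ == "__main__":
    for case, outcome in handover_demo().items():
        print(f"{case:10s} {outcome}")
```

The three checks return distinct reasons so the AS can log why a handover was refused; the freshness test is done with `abs(now - ts)` so a client clock slightly ahead of the server is treated like one slightly behind, and `hmac.compare_digest` keeps the tag comparison constant-time.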
Based on the process described above, the two-way access authentication system for wireless local area networks based on identity credentials was designed and implemented. The system was developed on the Windows platform in C++ with Visual Studio as the development tool; the WinPcap library is used, and the network-layer communication protocol is UDP.
The main functions of the MN module are discovering the AR, presenting the credential and verifying credentials. The MN module comprises an initialization class, a credential presentation class, a verification class and an encryption/decryption class. The initialization class initializes the system and then listens for data on the network adapter; according to the data received, the credential presentation class is called to send the credential presentation message; finally, the verification class and the encryption/decryption class are called to perform two-way verification of the received verification success message. The class design of the MN module is shown in Table 2.
Table 2: class design of the MN module
The main functions of the AR module are receiving the credential presentation message from MN and forwarding it to AS, receiving the verification success message from AS, decrypting the shared key, performing HMAC authentication and forwarding the corresponding message to MN. The AR module comprises an initialization class, a data analysis and processing class and an encryption/decryption class. The initialization class is responsible for system initialization and for receiving data from MN and AS; after data is received, the data analysis and processing class and the encryption/decryption class are called to analyse and process it and to encapsulate the corresponding data in the protocol; finally, after authentication completes, the module controls MN's access. The class design of the AR module is shown in Table 3.
Table 3: class design of the AR module
The main functions of the AS module are performing access authentication of MN and negotiating the shared key with MN. The AS module comprises an initialization class, a data analysis and processing class, a verification class, a credential presentation class and an encryption/decryption class. The initialization class is responsible for system initialization and for receiving data; the data analysis and processing class is responsible for analysing and processing the received data; the verification class is then called to verify MN; after verification passes, the credential presentation class is called to return the verification success message to AR. The class design of the AS module is shown in Table 4.
Table 4: class design of the AS module
Combining the module and class designs above, the MN, AR and AS modules involved in access authentication can be implemented in code following the flow shown in Figure 8.

Claims (7)

1. A wireless local area network two-way access authentication system based on identity credentials, comprising access routers arranged in a security domain, characterised in that it further comprises an identity credential management server and an authentication server;
the identity credential management server manages the identity credentials of the entities in the security domain, which comprises issuing identity credentials and maintaining identity credentials; the identity credential comprises the issuer identity, the issuer public key, the user identity, the user public key, the user identity certificate and the credential validity period; the entities in the security domain comprise mobile users and access routers;
the authentication server verifies the access authentication applications of mobile users and completes the shared key negotiation with mobile users;
the access router controls whether a mobile user may access the wireless local area network according to the verification result returned by the authentication server, and at the same time receives and forwards the authentication messages between the mobile user and the authentication server.
2. A method for two-way access authentication of a wireless local area network using the wireless local area network two-way access authentication system based on identity credentials according to claim 1, characterised in that it comprises the following steps:
Step 1: the identity credential management server generates the system common parameters according to a selected security parameter and publishes the system common parameters;
The system common parameters comprise the cyclic groups G1 and G2, the bilinear pairing e, the base points P and G on the cyclic group G1, the one-way hash function H1 from a character set to the cyclic group G1, the one-way hash function H2 from the cyclic group G2 to the positive integers in the range 1 to q−1, where q is the security parameter selected by the identity credential management server, and the public key of the identity credential management server;
Step 2: the identity credential management server examines the identity of an entity and issues an identity credential to the entity;
Step 2.1: before applying for an identity credential, the entity generates its public/private key pair from the system common parameters, where the private key SK_EN of the entity is selected at random by the entity and the public key of the entity is PK_EN = SK_EN · P, i.e. the product of the base point P on the cyclic group G1 and the entity's private key SK_EN;
Step 2.2: the entity sends its identity information and its public key to the identity credential management server to apply for an identity credential;
The identity information is a network address identifier;
Step 2.3: on receiving the entity's credential application, the identity credential management server verifies the legitimacy of the entity's identity information; if the identity information is legitimate, it generates an identity credential and issues it to the entity, otherwise no credential is issued to the entity;
The identity credential comprises the issuer identity, the issuer public key, the user identity, the user public key, the user identity certificate and the credential validity period, where the user identity certificate is generated with the certificate-based signature algorithm CBS;
Step 2.4: after receiving the identity credential, the entity constructs its signature key from its private key and the entity identity certificate contained in the credential;
Step 3: when the mobile user moves into the security domain and requests access through some access router, two-way access authentication is performed between the mobile user, the access router and the authentication server;
Step 3.1: the mobile user sends a credential presentation message to the access router, and the access router forwards this message to the authentication server;
Step 3.1.1: the mobile user sends a router request message to discover an access router in the current security domain;
Step 3.1.2: on receiving the router request message sent by the mobile user, the access router starts access authentication;
Step 3.1.3: the access router sends a router response message to the mobile user requesting the mobile user's identity credential;
Step 3.1.4: the mobile user sends a credential presentation message to the access router; the message comprises the mobile user's identity credential, the current timestamp, the mobile user's key agreement parameter and the CBS signature result of the credential presentation message computed with the CBS algorithm under the mobile user's signature key;
The mobile user's key agreement parameter is the product of the mobile user's public key and a random number;
Step 3.1.5: after receiving the mobile user's credential presentation message, the access router forwards it to the authentication server;
Step 3.2: after receiving the mobile user's credential presentation message, the authentication server verifies the mobile user's identity credential: if verification succeeds, go to step 3.3; if verification fails, the mobile user's access is refused and a verification failure message is sent to the access router;
Step 3.2.1: check the freshness of the timestamp in the mobile user's credential presentation message to prevent replay attacks: if the timestamp is fresh, the authentication server checks the validity period of the credential and goes to step 3.2.2; otherwise verification fails, the mobile user's access is refused and a verification failure message is sent to the access router;
Step 3.2.2: if the credential is within its validity period, the authentication server verifies the CBS signature result of the credential presentation message and goes to step 3.2.3; if the credential has expired, a verification failure message is sent to the access router;
Step 3.2.3: the authentication server verifies the CBS signature result of the credential presentation message using the issuer public key and the user public key contained in the credential: if the check passes, the authentication server confirms that the mobile user is a legitimate access user; if it fails, the mobile user's access is refused and a verification failure message is sent to the access router;
Step 3.3: the authentication server sends the credential verification success message for the mobile user to the mobile user;
Step 3.3.1: the authentication server sends a verification success message to the access router; the message comprises the authentication server's key agreement parameter;
The authentication server's key agreement parameter is the product of the authentication server's public key and a random number;
Step 3.3.2: after receiving the verification success message from the authentication server, the access router inserts its own identity credential and the current timestamp into the message;
Step 3.3.3: the access router signs the verification success message with the CBS algorithm under the access router's signature key, and sends the verification success message together with its CBS signature result to the mobile user;
Step 3.4: after receiving the access router's verification success message, the mobile user verifies the access router's identity credential: if verification succeeds, the mobile user accesses the current access router and two-way access authentication is complete; if verification fails, access to the current access router is refused;
Step 4: the authentication server and the mobile user negotiate a shared key based on the key agreement parameters;
Step 4.1: the authentication server computes the shared key between itself and the mobile user from the mobile user's key agreement parameter;
Step 4.2: the mobile user computes the shared key between itself and the authentication server from the authentication server's key agreement parameter;
Step 5: when the mobile user keeps moving within the security domain and accesses a new access router, handover access authentication is performed using the shared key between the mobile user and the authentication server;
Step 5.1: when the mobile user keeps moving within the security domain and accesses a new access router, the mobile user sends a credential presentation message to the access router, and the access router forwards this message to the authentication server;
Step 5.1.1: the mobile user sends a router request message to discover an access router in the current security domain;
Step 5.1.2: on receiving the router request message sent by the mobile user, the access router starts access authentication;
Step 5.1.3: the access router sends a router response message to the mobile user requesting the mobile user's identity credential;
Step 5.1.4: the mobile user sends a credential presentation message to the access router; the message comprises the mobile user's identity credential, the current timestamp and the HMAC authentication result of the credential presentation message computed with the HMAC algorithm using the shared key negotiated between this mobile user and the authentication server;
Step 5.1.5: after receiving the mobile user's credential presentation message, the access router forwards it to the authentication server;
Step 5.2: after receiving the mobile user's credential presentation message, the authentication server verifies the mobile user's identity credential: if verification succeeds, go to step 5.3; if verification fails, the mobile user's access is refused and a verification failure message is sent to the access router;
Step 5.3: the authentication server sends the credential verification success message for the mobile user to the mobile user;
Step 5.3.1: the authentication server sends a verification success message to the access router; the message comprises the shared key encrypted by the authentication server under the access router's public key;
Step 5.3.2: after receiving the verification success message from the authentication server, the access router decrypts the shared key with the access router's private key and extracts the shared key;
Step 5.3.3: the access router inserts its own identity credential and the current timestamp into the verification success message, computes the HMAC authentication result of the verification success message with the HMAC algorithm using the shared key, and sends the verification success message together with its HMAC authentication result to the mobile user;
Step 5.4: the mobile user verifies the legitimacy of the access router using the shared key it negotiated with the authentication server: if the access router is legitimate, the mobile user hands over to this legitimate access router, completing handover access authentication; if the access router is illegitimate, the mobile user refuses to access it.
3. The wireless local area network two-way access authentication method based on identity credentials according to claim 2, characterised in that in step 3.4 the mobile user, after receiving the access router's verification success message, verifies the access router's identity credential in the following steps:
Step 3.4.1: the mobile user checks the freshness of the timestamp in the received verification success message to prevent replay attacks: if the timestamp is fresh, the validity period of the access router's credential is checked and step 3.4.2 is performed; otherwise verification fails and access to the current access router is refused;
Step 3.4.2: if the credential is within its validity period, the mobile user verifies the CBS signature result of the verification success message and goes to step 3.4.3; if the credential has expired, access to the current access router is refused;
Step 3.4.3: the mobile user verifies the CBS signature result of the verification success message using the issuer public key and the user public key contained in the credential: if the check passes, the mobile user confirms this access router as legitimate and accesses it, completing two-way access authentication; if it fails, the mobile user refuses to access the current access router.
4. The wireless local area network (WLAN) two-way access authentication method based on identity certificates according to claim 2, characterized in that in step 4.1 the authentication server computes the shared key between the authentication server and the mobile subscriber from the mobile subscriber's key agreement parameter, with the following concrete steps:
Step 4.1.1: the authentication server takes as input the mobile subscriber's key agreement parameter and the product of the base point G of the cyclic group G1 with the authentication server's private key, and uses the bilinear pairing e to compute the authentication server's shared key value;
Step 4.1.2: the authentication server takes the authentication server's shared key value as input and uses the one-way hash function H2 to compute the shared key between itself and the mobile subscriber.
5. The wireless local area network (WLAN) two-way access authentication method based on identity certificates according to claim 2, characterized in that in step 4.2 the mobile subscriber computes the shared key between the mobile subscriber and the authentication server from the authentication server's key agreement parameter, with the following concrete steps:
Step 4.2.1: the mobile subscriber takes as input the authentication server's key agreement parameter and the product of the base point G of the cyclic group G1 with the mobile subscriber's private key, and uses the bilinear pairing e to compute the mobile subscriber's shared key value;
Step 4.2.2: the mobile subscriber takes the mobile subscriber's shared key value as input and uses the one-way hash function H2 to compute the shared key between itself and the authentication server.
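The following derivation is added here to show why steps 4.1 and 4.2 yield the same key on both sides; it is not part of the patent text, and the variable names are assumptions (the claims name only the base point G, the group G1, the pairing e and the hash H2). Write the authentication server's private key as $s$ and the mobile subscriber's private key as $a$, so that the key agreement parameters exchanged in claims 4 and 5 are $P_{MS} = aG$ and $P_{AS} = sG$. Bilinearity of $e$ gives:

$$
K_{AS} = e(P_{MS},\, sG) = e(aG,\, sG) = e(G,G)^{as},
\qquad
K_{MS} = e(P_{AS},\, aG) = e(sG,\, aG) = e(G,G)^{sa},
$$

so $K_{AS} = K_{MS}$, and both parties obtain the same shared key $k = H_2(K_{AS}) = H_2(K_{MS})$ while neither private key leaves its owner. An eavesdropper sees only $aG$ and $sG$, and computing $e(G,G)^{as}$ from those is the bilinear Diffie-Hellman problem. The property an implementation must confirm is that $e$ is a symmetric pairing on $G_1 \times G_1$, since both inputs are multiples of the same base point $G$, which is what the claims require.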
6. The wireless local area network (WLAN) two-way access authentication method based on identity certificates according to claim 2, characterized in that in step 5.2, after the authentication server receives the mobile subscriber's identity certificate presentation message, it verifies the mobile subscriber's identity certificate, with the following concrete steps:
Step 5.2.1: verify the freshness of the timestamp in the mobile subscriber's identity certificate presentation message, to prevent replay attacks: if the timestamp is fresh, the authentication server verifies the validity period of the identity certificate and proceeds to step 5.2.2; otherwise authentication fails, the mobile subscriber's access is refused, and an authentication failure message is sent to the access router;
Step 5.2.2: if the identity certificate is within its validity period, the authentication server proceeds to verify the HMAC authentication result in the identity certificate presentation message, step 5.2.3; if the identity certificate has expired, an authentication failure message is sent to the access router;
Step 5.2.3: the authentication server verifies the HMAC authentication result in the identity certificate presentation message using the shared key it negotiated with the mobile subscriber: if the verification passes, the authentication server confirms that the mobile subscriber is a legitimate access user; if the verification fails, the mobile subscriber's access is refused and an authentication failure message is sent to the access router.
7. The wireless local area network (WLAN) two-way access authentication method based on identity certificates according to claim 2, characterized in that in step 5.4 the mobile subscriber uses the shared key negotiated with the authentication server to verify the legitimacy of the access router, with the following concrete steps:
Step 5.4.1: the mobile subscriber verifies the freshness of the timestamp in the received authentication success message, to prevent replay attacks: if the timestamp is fresh, it verifies the validity period of the access router's identity certificate and proceeds to step 5.4.2; otherwise authentication fails and the mobile subscriber refuses to access the current access router;
Step 5.4.2: if the identity certificate is within its validity period, the mobile subscriber proceeds to verify the HMAC authentication result in the authentication success message, step 5.4.3; if the identity certificate has expired, it refuses to access the current access router;
Step 5.4.3: the mobile subscriber verifies the HMAC authentication result in the authentication success message using the shared key it negotiated with the authentication server: if the verification passes, the mobile subscriber confirms access to this legitimate access router and the handover access authentication is complete; if the verification fails, the mobile subscriber refuses to access the current access router.
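Claims 6 and 7 describe one three-stage check, timestamp freshness, then certificate validity period, then HMAC under the shared key from claims 4 and 5, applied by the authentication server to the credential presentation message (step 5.2) and by the mobile subscriber to the authentication success message (step 5.4). The Python below is an added example of that check, written for this page and not taken from the patent. It assumes a 30-second freshness window, instantiates H2 as SHA-256, and fixes a message field layout; the patent specifies none of these, and the pairing output used to seed the key is a constructed stand-in.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumption (not fixed by the patent): how old a timestamp may be and still count as fresh.
FRESHNESS_WINDOW_S = 30


@dataclass(frozen=True)
class Credential:
    """Identity certificate as far as this check needs it: holder and validity period."""
    holder: str
    not_before: int  # Unix time
    not_after: int   # Unix time


@dataclass(frozen=True)
class Message:
    """Credential presentation (step 5.2) or authentication success (step 5.4) message."""
    credential: Credential
    timestamp: int
    payload: bytes
    mac: bytes


def h2(shared_key_value: bytes) -> bytes:
    """Step 4.1.2 / 4.2.2: the one-way hash H2 of the pairing output is the shared key.
    SHA-256 is an assumption; the claims say only 'one-way hash function H2'."""
    return hashlib.sha256(shared_key_value).digest()


def _mac_input(credential: Credential, timestamp: int, payload: bytes) -> bytes:
    # Field layout is an assumption; length prefixes keep the concatenation unambiguous.
    fields = [credential.holder.encode(), str(credential.not_before).encode(),
              str(credential.not_after).encode(), str(timestamp).encode(), payload]
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def make_message(shared_key: bytes, credential: Credential, timestamp: int, payload: bytes) -> Message:
    """Sender side: HMAC the message fields under the negotiated MS-AS shared key."""
    mac = hmac.new(shared_key, _mac_input(credential, timestamp, payload), hashlib.sha256).digest()
    return Message(credential, timestamp, payload, mac)


def verify_message(shared_key: bytes, msg: Message, now: int) -> str:
    """Steps 5.2.1-5.2.3 / 5.4.1-5.4.3 in order. Returns 'ok' or the name of the failing check."""
    # Step x.1: timestamp freshness (replay protection).
    if abs(now - msg.timestamp) > FRESHNESS_WINDOW_S:
        return "stale-timestamp"
    # Step x.2: identity certificate within its validity period.
    if not (msg.credential.not_before <= now <= msg.credential.not_after):
        return "certificate-expired"
    # Step x.3: HMAC under the shared key, compared in constant time.
    expected = hmac.new(shared_key, _mac_input(msg.credential, msg.timestamp, msg.payload),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg.mac):
        return "bad-hmac"
    return "ok"


def demo() -> dict:
    """Constructed cases: one accepted message and the ways each stage rejects."""
    # Constructed stand-in for the pairing output e(aG, sG); a deployment computes it in step 4.x.1.
    shared_key = h2(b"constructed pairing output")
    now = 1_700_000_000
    cred = Credential("MS-1", now - 3600, now + 3600)
    good = make_message(shared_key, cred, now, b"credential presentation")
    results = {"good": verify_message(shared_key, good, now)}
    # The same message replayed ten minutes later fails step x.1.
    results["replay"] = verify_message(shared_key, good, now + 600)
    # Expired certificate with a fresh timestamp and a valid HMAC fails step x.2.
    expired = Credential("MS-1", now - 7200, now - 3600)
    results["expired"] = verify_message(shared_key, make_message(shared_key, expired, now, b"x"), now)
    # Payload altered in transit with the MAC left unchanged fails step x.3.
    tampered = Message(cred, now, good.payload + b"!", good.mac)
    results["tampered"] = verify_message(shared_key, tampered, now)
    # A sender that never negotiated the key (different pairing output) also fails step x.3.
    other_key = h2(b"some other pairing output")
    results["wrong-key"] = verify_message(shared_key, make_message(other_key, cred, now, b"y"), now)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the three checks follows the claims: the two cheap checks (freshness, validity period) run before the keyed one, so a replayed or expired message is rejected without touching the shared key, and the HMAC comparison uses a constant-time compare so that the verifier's timing does not reveal how many MAC bytes matched.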
CN201310429993.XA 2013-09-18 2013-09-18 The two-way access authentication system of a kind of WLAN based on identity documents and method Active CN103491540B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310429993.XA CN103491540B (en) 2013-09-18 2013-09-18 The two-way access authentication system of a kind of WLAN based on identity documents and method

Publications (2)

Publication Number Publication Date
CN103491540A true CN103491540A (en) 2014-01-01
CN103491540B CN103491540B (en) 2016-05-25

Family

ID=49831430

Country Status (1)

Country Link
CN (1) CN103491540B (en)

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103929745A (en) * 2014-04-16 2014-07-16 东北大学 Wireless MESH network access authentication system and method based on privacy protection
CN104320253A (en) * 2014-09-28 2015-01-28 东北大学 Two-dimension code authentication system and method based on CBS signature mechanism
CN105188024A (en) * 2015-10-29 2015-12-23 小米科技有限责任公司 Method, apparatus and system for accessing network
CN105578464A (en) * 2015-07-31 2016-05-11 宇龙计算机通信科技(深圳)有限公司 Enhanced WLAN certificate authentication method, device and system
CN105744522A (en) * 2016-04-29 2016-07-06 东北大学 WMN anonymous access authentication system and method based on proxy ring signature
CN107483195A (en) * 2017-09-08 2017-12-15 哈尔滨工业大学深圳研究生院 Safe mutual authentication and key agreement protocol under environment of internet of things
CN108599936A (en) * 2018-04-20 2018-09-28 西安电子科技大学 A kind of OpenStack increases income the safety certifying method of cloud user
CN108989034A (en) * 2018-08-03 2018-12-11 苏州国芯科技有限公司 A kind of audio-video monitoring method, system, monitoring server and computer media
CN109450641A (en) * 2018-10-25 2019-03-08 烟台市奥境数字科技有限公司 A kind of high-end die information management system access control method
CN109495889A (en) * 2018-12-20 2019-03-19 中山大学新华学院 Heterogeneous mobile network access control method based on mutual confidence-building mechanism
CN110046507A (en) * 2018-12-12 2019-07-23 阿里巴巴集团控股有限公司 Form the method and device of trust computing cluster
CN110730450A (en) * 2019-10-18 2020-01-24 中国联合网络通信集团有限公司 Mobile communication method and system
CN110876142A (en) * 2018-09-02 2020-03-10 中城智慧科技有限公司 Identification-based wifi authentication method
CN111163470A (en) * 2019-12-31 2020-05-15 联想(北京)有限公司 Core network element communication method and device, computer storage medium and electronic equipment
CN111741468A (en) * 2020-08-14 2020-10-02 北京微智信业科技有限公司 MEC-based AMF (advanced metering library) and identity authentication method, construction method and device thereof
CN112291064A (en) * 2020-10-10 2021-01-29 达闼机器人有限公司 Authentication system, registration and authentication method, device, storage medium and electronic equipment
CN112565175A (en) * 2019-09-26 2021-03-26 富士通株式会社 Communication relay program, relay device, communication relay method, and communication system
WO2022135380A1 (en) * 2020-12-26 2022-06-30 西安西电捷通无线网络通信股份有限公司 Identity authentication method and apparatus
CN115314278A (en) * 2022-08-04 2022-11-08 长扬科技(北京)股份有限公司 Trusted network connection identity authentication method, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030056096A1 (en) * 2001-04-18 2003-03-20 Albert Roy David Method and system for securely authenticating network access credentials for users
CN1564626A (en) * 2004-03-22 2005-01-12 西安电子科技大学 Radio LAN security access method based on roaming key exchange authentication protocal
CN1697370A (en) * 2004-05-14 2005-11-16 华为技术有限公司 Method for mobile terminal in WLAN to apply for certificate
CN103002442A (en) * 2012-12-20 2013-03-27 邱华 Safe wireless local area network key distribution method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
高天寒等: "节点证书与身份相结合的HMIPv6网络接入认证机制", 《软件学报》, vol. 23, no. 9, 30 September 2012 (2012-09-30) *

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103929745B (en) * 2014-04-16 2017-04-12 东北大学 Wireless MESH network access authentication system and method based on privacy protection
CN103929745A (en) * 2014-04-16 2014-07-16 东北大学 Wireless MESH network access authentication system and method based on privacy protection
CN104320253A (en) * 2014-09-28 2015-01-28 东北大学 Two-dimension code authentication system and method based on CBS signature mechanism
CN104320253B (en) * 2014-09-28 2017-06-09 东北大学 A kind of Quick Response Code Verification System and method based on CBS signature mechanisms
CN105578464B (en) * 2015-07-31 2019-04-12 宇龙计算机通信科技(深圳)有限公司 A kind of WLAN certificate identification method, the apparatus and system of enhancing
CN105578464A (en) * 2015-07-31 2016-05-11 宇龙计算机通信科技(深圳)有限公司 Enhanced WLAN certificate authentication method, device and system
CN105188024A (en) * 2015-10-29 2015-12-23 小米科技有限责任公司 Method, apparatus and system for accessing network
CN105188024B (en) * 2015-10-29 2019-06-14 小米科技有限责任公司 Access the method, apparatus and system of network
CN105744522A (en) * 2016-04-29 2016-07-06 东北大学 WMN anonymous access authentication system and method based on proxy ring signature
CN105744522B (en) * 2016-04-29 2018-10-23 东北大学 A kind of WMN anonymous access authentication systems and method based on proxy ring signature
CN107483195A (en) * 2017-09-08 2017-12-15 哈尔滨工业大学深圳研究生院 Safe mutual authentication and key agreement protocol under environment of internet of things
CN108599936A (en) * 2018-04-20 2018-09-28 西安电子科技大学 A kind of OpenStack increases income the safety certifying method of cloud user
CN108989034B (en) * 2018-08-03 2021-09-14 苏州国芯科技股份有限公司 Audio and video monitoring method and system, monitoring server and computer medium
CN108989034A (en) * 2018-08-03 2018-12-11 苏州国芯科技有限公司 A kind of audio-video monitoring method, system, monitoring server and computer media
CN110876142A (en) * 2018-09-02 2020-03-10 中城智慧科技有限公司 Identification-based wifi authentication method
CN110876142B (en) * 2018-09-02 2023-08-18 中城智慧科技有限公司 Identification-based wifi authentication method
CN109450641A (en) * 2018-10-25 2019-03-08 烟台市奥境数字科技有限公司 A kind of high-end die information management system access control method
CN110046507A (en) * 2018-12-12 2019-07-23 阿里巴巴集团控股有限公司 Form the method and device of trust computing cluster
CN110046507B (en) * 2018-12-12 2024-02-06 创新先进技术有限公司 Method and device for forming trusted computing cluster
CN109495889B (en) * 2018-12-20 2022-01-04 中山大学新华学院 Heterogeneous mobile network access control method based on mutual trust mechanism
CN109495889A (en) * 2018-12-20 2019-03-19 中山大学新华学院 Heterogeneous mobile network access control method based on mutual confidence-building mechanism
CN112565175A (en) * 2019-09-26 2021-03-26 富士通株式会社 Communication relay program, relay device, communication relay method, and communication system
CN110730450A (en) * 2019-10-18 2020-01-24 中国联合网络通信集团有限公司 Mobile communication method and system
CN110730450B (en) * 2019-10-18 2023-03-24 中国联合网络通信集团有限公司 Mobile communication method and system
CN111163470B (en) * 2019-12-31 2021-06-08 联想(北京)有限公司 Core network element communication method and device, computer storage medium and electronic equipment
CN111163470A (en) * 2019-12-31 2020-05-15 联想(北京)有限公司 Core network element communication method and device, computer storage medium and electronic equipment
CN111741468B (en) * 2020-08-14 2020-11-24 北京微智信业科技有限公司 MEC-based AMF (advanced metering library) and identity authentication method, construction method and device thereof
CN111741468A (en) * 2020-08-14 2020-10-02 北京微智信业科技有限公司 MEC-based AMF (advanced metering library) and identity authentication method, construction method and device thereof
CN112291064A (en) * 2020-10-10 2021-01-29 达闼机器人有限公司 Authentication system, registration and authentication method, device, storage medium and electronic equipment
WO2022073420A1 (en) * 2020-10-10 2022-04-14 达闼机器人有限公司 Authentication system, registration and authentication method, apparatus, storage medium, and electronic device
WO2022135380A1 (en) * 2020-12-26 2022-06-30 西安西电捷通无线网络通信股份有限公司 Identity authentication method and apparatus
CN115314278A (en) * 2022-08-04 2022-11-08 长扬科技(北京)股份有限公司 Trusted network connection identity authentication method, electronic equipment and storage medium
CN115314278B (en) * 2022-08-04 2023-06-30 长扬科技(北京)股份有限公司 Trusted network connection identity authentication method, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN103491540B (en) 2016-05-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant