
CN101232372A - Authentication method, authentication system and authentication device - Google Patents


Info

Publication number: CN101232372A
Authority: CN (China)
Prior art keywords: authentication, requester, authenticator, request, information
Legal status: Granted
Application number: CNA2007100026904A
Other languages: Chinese (zh)
Other versions: CN101232372B (en)
Inventor: 吴国敏
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Classification: Mobile Radio Communication Systems (AREA)

Abstract

The invention provides an authentication method comprising the following steps: an authentication requester first sends an authentication request to an authenticator that provides an access service; the authenticator forwards this first-time authentication request to an authentication server that stores the authentication requester's information; after successfully authenticating the first-time request, the authentication server informs the authenticator of the authentication requester's authentication information; and when the authentication requester sends an authentication request again, the authenticator uses that authentication information to authenticate the requester locally. The invention further provides an authentication system and an authentication device.

Description

Authentication method, authentication system and authentication device

Technical field

The present invention relates to the field of communications, and more specifically to an authentication method, an authentication system and an authentication device.

Background

With the rapid development of the Internet, broadband access technologies have emerged one after another; among them Ethernet has gradually taken most of the broadband access market because of its favourable price/performance ratio. A personal computer can be connected by wire to an Ethernet switch, or wirelessly to a wireless access point (Access Point, AP), and then connected over an Ethernet line to a core network such as an enterprise LAN or a metropolitan area network. However, the traditional Ethernet access method lacks manageability and cannot implement functions such as user authentication, authorization and accounting. Operators can only bill users by monthly subscription, which is to some degree unfair to both users and operators. Several common Ethernet access methods appeared later, one of which is the 802.1x protocol developed by the IEEE (Institute of Electrical and Electronics Engineers) 802 working group. A Remote Authentication Dial In User Service (RADIUS) authentication server is usually deployed in the network to verify the legitimacy of the computer user's identity.

In actual networking, a personal computer can be connected directly to an Ethernet switch, cascaded to an Ethernet switch through a hub or another Ethernet switching device, or connected over an Asymmetric Digital Subscriber Line (ADSL) to a DSLAM (Digital Subscriber Line Access Multiplexer), in which case the packets carried on the ADSL line are in Ethernet format. In a wireless local area network, wireless Ethernet protocols such as IEEE 802.11, 802.11a, 802.11b and 802.11g can be used to connect personal computers to wireless network access points.

Extensible Authentication Protocol (EAP) authentication is a new authentication framework designed for the Point-to-Point Protocol (PPP). It can include multiple authentication methods, such as the commonly used EAP-MD5 (Message Digest 5, a cryptographic algorithm), EAP-TLS (Transport Layer Security), LEAP (Lightweight Extensible Authentication Protocol), OTP (One-Time Password), SIM (Subscriber Identification Module) and so on. However, the specific authentication methods currently known to have been developed under the EAP framework often differ in security and complexity: the greater the complexity, the more resources are consumed and the more cumbersome the authentication process becomes, but the higher the security, and vice versa.

The 802.1x protocol is called a port-based access control protocol; it is an authentication protocol based on Ethernet technology. Because of its protocol security and simple implementation, 802.1x provides an authentication method for users of various broadband access methods such as ADSL, VDSL, local area networks (Local Area Network, LAN) and wireless local area networks (Wireless Local Area Network, WLAN). 802.1x provides the EAPOL (EAP over LAN) encapsulation and the framework that supports EAP authentication.

The application architecture 100 of the 802.1x protocol is shown in Figure 1 and includes an authentication requester 10, an authenticator 20 and an authentication server 30.

The authentication requester is generally a user terminal system; it can be an entity located at one end of a point-to-point link in a local area network or wireless local area network. Authentication requester software usually needs to be installed, and the user initiates the 802.1x authentication process by starting this software. To support port-based access control, the authentication requester must support the EAPOL protocol.

The authenticator is usually a network device supporting the 802.1x protocol and may be an entity at the other end of the point-to-point link on the local area network or wireless local area network. The authentication requester accesses the local area network through the authenticator's network access port, which can be a physical port of the authenticator or the Media Access Control (MAC) address of the authentication requester. The network access port is divided into two virtual ports: a controlled port 22 and an uncontrolled port 24 (the controlled port is the one that is open and the uncontrolled port is the one that is closed). The uncontrolled port is always in a bidirectionally connected state and is mainly used to carry EAPOL authentication packets, ensuring that the authentication requester can always send or receive authentication. The controlled port is used to carry service traffic; it is blocked in the unauthorized state and connected in the authorized state. To suit different application environments, the controlled direction of the controlled port can be configured as either bidirectional or unidirectional. In Figure 1 the authenticator's controlled port is in the unauthenticated, unauthorized state, so the authentication requester cannot access the services provided by the authenticator.

The authentication server is usually a RADIUS server that stores information about the authentication requester, such as the requester's user name and password and the requester's entitlement parameters, for example Committed Access Rate (CAR) parameters, priority, the requester's access control list and so on. Once the authentication server has authenticated the requester by some authentication method, it passes the requester's related information to the authenticator, which builds a dynamic access control list; the requester's subsequent traffic is then policed and controlled according to the above parameters.

The authenticator's port authentication entity communicates with the authentication requester's port authentication entity through the uncontrolled port, running the EAPOL protocol between them; the EAP protocol runs between the authenticator's port authentication entity and the authentication server. If the authenticator and the authentication server are integrated in the same system, the communication between them need not use EAP. Which specific authentication method under the EAP framework is used can be chosen according to security and user needs. The EAP authentication mode is used in the 802.1x protocol: the user supplies authentication information such as a user name and password, and through one of the EAP authentication methods contained in the 802.1x protocol the authenticator verifies the legitimacy of the user's identity. After receiving the user's authentication information, the authenticator can perform the authentication against the corresponding authentication server through EAP carried over the RADIUS protocol (EAP over RADIUS, EAPOR).

The 802.1x authentication method is described below taking EAP-MD5 as an example; in practice any EAP authentication method can be used. Figure 2 is a schematic diagram of the EAP-MD5 authentication method according to the prior art. The specific flow is as follows:

1) After the physical connection between the user and the authenticator has been established, the user's authentication requester sends to the authenticator an EAPOL-Start packet whose destination address is the multicast address 01-80-C2-00-00-03, beginning 802.1x access;

2) The authenticator sends to the authentication requester an EAP Request packet whose destination address is the requester's address, asking the requester to report its user name;

3) The authentication requester answers the authenticator's request with an EAP Response packet containing the user name;

4) The authenticator sends an access request packet in EAP over RADIUS format to the RADIUS authentication server; it contains the EAP Response packet with the user name that the requester sent to the authenticator, and so submits the user name to the RADIUS authentication server;

5) The RADIUS authentication server generates a 128-bit challenge;

6) The RADIUS authentication server answers the authenticator with an access challenge packet containing an EAP challenge request packet, delivering to the authenticator the challenge corresponding to the user;

7) The authenticator sends the challenge to the authentication requester in an EAP Request packet carrying the challenge;

8) After receiving the EAP Request packet with the challenge, the authentication requester runs the MD5 algorithm over the password and the challenge to produce the password-bearing challenge, includes it in an EAP Response packet and sends it to the authenticator as its reply;

9) The authenticator sends the password-bearing challenge to the RADIUS user authentication server in an access request packet, and the RADIUS authentication server performs the authentication;

10) The RADIUS user authentication server judges from the user information whether the user is legitimate and answers the authenticator with an authentication success/failure packet; on success it carries the negotiated parameters and the user's relevant service attributes to authorize the user;

11) Based on the authentication result, the authenticator answers the user with an EAP Success/Failure packet, notifying the user of the result; if authentication failed the flow ends here, and if it succeeded the subsequent authorization, accounting and other flows can proceed.

After the authentication requester has passed 802.1x authentication, the user enjoys the rights due to him, for example access to a campus LAN or a metropolitan area network and from there to the Internet. When the user no longer wishes to keep these rights, the authentication requester sends a logoff packet to notify the authenticator; on receiving it the authenticator closes the controlled port to terminate the user's rights and notifies the authentication server that the user has requested to go offline. After receiving the logoff packet forwarded by the authenticator, the authentication server works with the DHCP (Dynamic Host Configuration Protocol) server, the accounting centre and other equipment to complete the reclamation of the IP address and the termination of accounting.

However, when the authentication requester, for example a personal computer, suddenly goes offline because of a crash or power failure, it has no chance to send a logoff packet to the authenticator, so neither the authenticator nor the authentication server can learn that the user has gone offline, and they therefore cannot notify the DHCP server and the accounting centre to reclaim the IP address and terminate accounting for that user. This causes losses for both the operator and the user. To solve this problem, the related art offers the following solutions:

Related solution one:

At present the great majority of vendors in practical applications use a query/response mechanism to detect a user who suddenly goes offline without sending a logoff packet. There are several specific implementations, mainly divided into two cases: the authenticator actively sends query packets, or the authentication requester actively sends online packets.

1) The authenticator actively sends query packets: the authenticator periodically sends a query packet asking whether a particular user is online; the interval can be set in software and is usually 30 seconds. After receiving the authenticator's query packet, the authentication requester sends a response packet to tell the authenticator it is still online, and when the authenticator receives the requester's response it resets the dead timer for that requester to zero. To allow for the possibility that, because of some unknowable factor, a response packet sent by the requester is not received by the authenticator, the dead timer is generally three times the query interval; that is, if the authenticator has sent three query packets and still received no response from the requester, it considers the requester offline, closes the controlled port to terminate the user's rights, and notifies the authentication server to reclaim the IP address and terminate the user's accounting.

2) The authentication requester actively sends online packets: the authentication requester periodically sends an online packet announcing to the authenticator that it is still online; the interval can be set in software and is usually 30 seconds. When the authenticator receives the requester's online packet it resets the dead timer for that requester to zero. To allow for the possibility that, because of some unknowable factor, an online packet sent by the requester is not received by the authenticator, the dead timer is generally three times the online-packet interval; when the dead timer reaches zero, the authenticator considers the requester offline, closes the controlled port to terminate the user's rights, and notifies the authentication server to reclaim the IP address and terminate the user's accounting.

The drawback of related solution one is that it is not very timely, and the response packets or online packets are not authenticated, which may cause security problems. For example, once a user has been authenticated, the switch or AP to which it is connected opens the controlled port; if that user suddenly drops off, another illegitimate user on the same network, or one eavesdropping nearby, can impersonate the original user by using the original user's MAC address and forging response packets or online packets, and thereby enjoy all of the original user's rights.

To address the drawbacks of related solution one, namely that response or online packets are not authenticated and that it is not very timely, the related art proposes the following solutions two and three.

Related solution two:

Since response packets or online packets are not authenticated, this scheme authenticates them; the most thorough method is to periodically have the authentication requester re-authenticate. This firstly guarantees that the users who pass are legitimate, and secondly confirms that the legitimate user is online. Generally re-authentication is initiated by the authenticator, which requires a timer in the authenticator that starts the re-authentication flow; of course the re-authentication flow can also be initiated by the authentication requester. Figure 3 shows the re-authentication flow according to related solution two; since it is essentially the same as the initial authentication flow, it is not described in detail here.

However, because the re-authentication flow of solution two is the same as the initial authentication flow, it leads to the following problems: first, it increases the burden on the authentication requester; second, the large number of packets and frequent exchanges increase the burden on the network; third, the large number of packets and frequent exchanges make re-authentication take a long time; fourth, it increases the burden on the authentication server. Generally the authentication server manages a large number of users at the same time, and originally it only needed to take part when a user went online or offline; with re-authentication, assuming a re-authentication timer of 30 seconds, every user must be authenticated once every 30 seconds, and the authentication server may be overwhelmed.

Related solution three:

To address the poor timeliness, the related art provides a method for real-time notification when a user suddenly goes offline.

As shown in Figure 4, the authentication requester (a personal computer) 12 is connected to the authenticator 16 through an IP PHONE 18 (which could also be another intermediate device such as a hub or switch) and, after authentication by the authentication server 20, enjoys access rights. When the authentication requester 12 or the link 22 fails, the authenticator 16 cannot detect it (without solution one or two above, 802.1x alone cannot detect it). This scheme provides a mechanism for detecting that the authentication requester 12 has gone offline by means of the IP PHONE (IP telephone) 18: when the IP PHONE 18 discovers that the authentication requester 12 or the link 22 has failed, it sends the authenticator 16 a logoff packet forged to appear as if sent by the authentication requester 12 (the forgery can be done by the IP PHONE 18 sending an offline packet whose source MAC address is that of the authentication requester 12), announcing that the requester has gone offline; the authenticator 16 then tells the authentication server 20 to reclaim the IP address and terminate accounting.

The above scheme has not been deployed at scale; it requires upgrading all the devices between the authenticator and the authentication requester, and so is not practically feasible.

Related solution four:

To address the drawback of solution two, the increased burden on the authentication server, the related art provides an authentication server proxy method to relieve the authentication server.

As shown in Figure 6, a Radius proxy is introduced between the AP and the Radius server; to the AP the proxy is a Radius server, and to the Radius server it is an AP. While the AP and the Radius server communicate, the proxy listens and records the authentication key material that the Radius server sends to the AP, for use when the mobile terminal changes location: the terminal sends a re-authentication request to another AP, that AP forwards the request towards the Radius server and it reaches the Radius proxy, which searches its own database for authentication key material for that mobile terminal. If it has it, it acts as the Radius server and sends the key material to the AP; if not, it forwards the mobile terminal's re-authentication request to the Radius server.

This scheme adds a device, the authentication server proxy. Adding a device to the network increases its complexity and also reduces security, and when many APs or authenticators sit beneath the authentication server proxy, the proxy in turn becomes overloaded.

Therefore a technical solution to the offline problem that reduces the burden on the authentication server needs to be developed.

发明内容 Contents of the invention

考虑到前面现有技术的缺点,本发明提供了一种利用认证者来进行本地认证来减轻认证服务器的负担并加快重认证速度的认证方法、系统和装置。Considering the above disadvantages of the prior art, the present invention provides an authentication method, system and device which utilize authenticators to perform local authentication to reduce the burden on the authentication server and speed up re-authentication.

在本发明的实施例中,提供了一种认证方法,包括以下步骤:认证请求者首次向提供接入业务的认证者发起认证请求;认证者将发起的首次认证请求转发给存储有关认证请求者的信息的认证服务器;认证服务器在对首次认证请求进行认证成功后,将认证请求者的认证信息告知认证者;以及当认证请求者再次向认证者发起认证请求时,认证者利用认证信息对认证请求者进行本地认证。In an embodiment of the present invention, an authentication method is provided, comprising the following steps: an authentication requester initiates an authentication request to an authenticator providing an access service for the first time; information of the authentication server; after the authentication server successfully authenticates the first authentication request, it informs the authenticator of the authentication information of the authentication requester; and when the authentication requester initiates an authentication request to the authenticator again, the authenticator uses the authentication information to verify the The supplicant performs local authentication.

在上述的认证方法中,认证者利用认证信息对认证请求者进行本地认证包括以下步骤:认证者将认证服务器所告知的认证信息保存于本地,认证信息包括认证请求者的标识;当认证请求者再次向认证者发起认证请求时,认证者利用标识从本地检索到认证信息,对认证请求者进行认证。In the above authentication method, the authenticator uses the authentication information to locally authenticate the authentication requester, including the following steps: the authenticator saves the authentication information notified by the authentication server locally, and the authentication information includes the identity of the authentication requester; when the authentication requester When initiating an authentication request to the authenticator again, the authenticator uses the identifier to retrieve the authentication information locally and authenticate the authentication requester.

In the above authentication method, the authentication information includes the password of the authentication requester and the authentication mode used between the authentication server and the authentication requester.

In the above authentication method, the step in which the authenticator retrieves the authentication information locally by means of the identifier and authenticates the authentication requester includes: the authenticator uses the authentication mode to compare and verify the information in the re-authentication request against the locally stored password of the authentication requester.

In the above authentication method, the authentication mode includes an authentication mode specified by the Extensible Authentication Protocol (EAP).

In the above authentication method, the authentication server includes a Remote Authentication Dial-In User Service (RADIUS) server, and the re-authentication request is used to detect whether the authentication requester is still online.

In the above authentication method, communication between the authenticator and the authentication server uses the 802.1x protocol, the authenticator includes multiple wireless access points, and the re-authentication request is used for handover of the authentication requester between multiple authenticators.

The above authentication method further includes the following step: when the authenticator receives an authentication request from the authentication requester, it searches its own database; if an entry is found, it determines that the request is not a first-time authentication request, otherwise it determines that the request is a first-time authentication request.

The above authentication method further includes the following steps: the authentication request initiated by the authentication requester carries information about which authenticator the requester was previously authenticated on; and when the authenticator receives the authentication request, it uses that information to decide whether the request is a first-time authentication request.

An embodiment of the present invention also provides an authentication system, including: an authentication requester, which initiates authentication requests; an authenticator, which provides an access service to the authentication requester, forwards a first-time authentication request to an authentication server that stores information about the requester, and processes a re-authentication request locally; and an authentication server, which authenticates the first-time authentication request and, after successful authentication, notifies the authenticator of the authentication requester's authentication information.

In the above authentication system, the authenticator includes: a memory for storing the authentication information notified by the authentication server, the authentication information including an identifier of the authentication requester; and an authentication module which, when the authentication requester initiates an authentication request to the authenticator again, uses the identifier to retrieve the authentication information locally and authenticates the authentication requester.

In the above authentication system, the authentication information includes the password of the authentication requester and the authentication mode used between the authentication server and the authentication requester.

In the above authentication system, the authentication module uses the authentication mode to compare and verify the information in the re-authentication request against the locally stored password of the authentication requester.

In the above authentication system, the authentication mode includes an authentication mode specified by the Extensible Authentication Protocol (EAP).

In the above authentication system, the authentication server includes a RADIUS server, the authenticator includes multiple wireless access points, and the re-authentication request is used to detect whether the authentication requester is still online.

In the above authentication system, communication among the authentication requester, the authenticator and the authentication server uses the 802.1x protocol, and the re-authentication request is used for handover of the authentication requester between multiple authenticators.

An embodiment of the present invention also provides an authentication device, which provides an access service to the authentication requester; if the authentication request initiated by the requester is a first-time authentication request, the device forwards it to an authentication server that stores information about the requester, and if it is a re-authentication request, the device processes it locally.

The above authentication device includes: a memory for storing the authentication information notified by the authentication server, the authentication information including an identifier of the authentication requester; and an authentication module which, when the authentication requester initiates an authentication request to the device again, uses the identifier to retrieve the authentication information locally and authenticates the authentication requester.

In the above authentication device, the authentication information includes the password of the authentication requester and the authentication mode used between the authentication server and the authentication requester.

In the above authentication device, the authentication module uses the authentication mode to compare and verify the information in the re-authentication request against the locally stored password of the authentication requester.

In the above authentication device, the authentication mode includes an authentication mode specified by the Extensible Authentication Protocol (EAP).

The above embodiments of the present invention provide an authentication method, system and device that reduce the load on the authentication server and perform re-authentication quickly; the same embodiments also enable fast re-authentication when a terminal switches between different APs in a WLAN.

Other features and advantages of the invention will be set out in the description that follows, and will in part be apparent from that description or learned by practising the invention. The objects and other advantages of the invention can be realized and obtained by the structures particularly pointed out in the written description, the claims and the accompanying drawings.

Description of the Drawings

The drawings described here provide a further understanding of the invention and form part of this application; the exemplary embodiments of the invention and their description serve to explain the invention and do not improperly limit it. In the drawings:

Figure 1 shows the application architecture of the 802.1x protocol;

Figure 2 is a schematic diagram of the EAP-MD5 authentication method according to the prior art;

Figure 3 shows the re-authentication flow according to related solution two;

Figure 4 is a schematic diagram of the network system according to related solution three;

Figure 5 is a schematic diagram of an authentication system according to an embodiment of the present invention;

Figure 6 is a flowchart of an authentication method according to an embodiment of the present invention;

Figure 7 is a signalling flowchart of the authentication method of the embodiment shown in Figure 6;

Figure 8 is a schematic diagram of an authentication system according to an embodiment of the present invention in which the authenticator is an AP; and

Figure 9 is a signalling flowchart of the authentication method of the embodiment shown in Figure 8.

Detailed Description

The present invention is described in detail below with reference to the drawings and in combination with embodiments.

Figure 5 is a schematic diagram of an authentication system according to an embodiment of the present invention, including: an authentication requester 10, which initiates authentication requests; an authenticator 20, which provides an access service to the authentication requester, forwards a first-time authentication request to an authentication server that stores information about the requester, and processes a re-authentication request locally; and an authentication server 30, which authenticates the first-time authentication request and, after successful authentication, notifies the authenticator of the authentication requester's authentication information.

Figure 6 is a flowchart of an authentication method according to an embodiment of the present invention, which includes the following steps:

Step S10: the authentication requester initiates an authentication request for the first time to an authenticator that provides an access service;

Step S20: the authenticator forwards the first-time authentication request to an authentication server that stores information about the authentication requester; the authentication information may include the password of the authentication requester and the authentication mode used between the authentication server and the authentication requester;

Step S30: after successfully authenticating the first-time authentication request, the authentication server notifies the authenticator of the authentication requester's authentication information; and

Step S40: when the authentication requester initiates an authentication request to the authenticator again, the authenticator uses the authentication information to authenticate the authentication requester locally. Local authentication by the authenticator may include the following steps: the authenticator stores locally the authentication information notified by the authentication server, the authentication information including an identifier of the authentication requester; when the authentication requester initiates an authentication request to the authenticator again, the authenticator uses that identifier to retrieve the authentication information locally and authenticates the authentication requester.

The step in which the authenticator uses the identifier to retrieve the authentication information locally and authenticates the authentication requester may include: the authenticator uses the authentication mode to compare and verify the information in the re-authentication request against the locally stored password of the authentication requester.

An embodiment of the present invention also provides an authentication system, including: an authentication requester, which initiates authentication requests; an authenticator, which provides an access service to the authentication requester, forwards a first-time authentication request to an authentication server that stores information about the requester, and processes a re-authentication request locally; and an authentication server, which authenticates the first-time authentication request and, after successful authentication, notifies the authenticator of the authentication requester's authentication information.

In the above authentication system, the authenticator may include: a memory for storing the authentication information notified by the authentication server, the authentication information including an identifier of the authentication requester; and an authentication module which, when the authentication requester initiates an authentication request to the authenticator again, uses the identifier to retrieve the authentication information locally and authenticates the authentication requester.

The authentication information may include the password of the authentication requester and the authentication mode used between the authentication server and the authentication requester. The authentication module uses the authentication mode to compare and verify the information in the re-authentication request against the locally stored password of the authentication requester.

In practice, the authentication server may be a RADIUS server, and the re-authentication request is used to detect whether the authentication requester is still online.

In addition, communication between the authenticator and the authentication server may use the 802.1x protocol, the authenticator may include multiple APs, and the re-authentication request is used for handover of the authentication requester between multiple authenticators; Figure 8 shows this case.

To decide whether an authentication request is a first-time request, the authenticator may, on receiving the request from the authentication requester, search its own database: if an entry is found, the request is not a first-time authentication request, otherwise it is. Alternatively, the authentication request initiated by the authentication requester may carry information about which authenticator the requester was previously authenticated on, and the authenticator, on receiving the request, uses that information to decide whether the request is a first-time authentication request.

An embodiment of the present invention also provides an authentication device that implements the authenticator function of the authentication system of the above embodiment: it provides an access service to the authentication requester, forwards a first-time authentication request to an authentication server that stores information about the requester, and processes a re-authentication request locally. Since the implementation of the authenticator has already been described in detail above, the implementation of the authentication device is not repeated here.

First authentication in the above embodiment differs little from first authentication in the related art described above. The function that needs to be added is that, after successful authentication, the authentication server sends the authenticator not only the requester's user name and the requester's entitlement parameters, such as Committed Access Rate (CAR) parameters, priority and the requester's access control list, but also the requester's password, and at the same time tells the authenticator which EAP authentication method was used between the requester and the server during first authentication. The purpose is to allow re-authentication to be completed without the participation of the authentication server.

Figure 7 is a signalling flowchart of the authentication method of the embodiment shown in Figure 6.

As shown in Figure 7, after the first authentication succeeds the authentication server notifies the authenticator of the requester's user name, password and other information; in every later re-authentication the exchange takes place only between the authentication requester and the authenticator, without the participation of the authentication server.

The detailed flow is as follows:

1. Once a physical connection exists between the user and the authenticator, the user's authentication requester sends the authenticator an EAPOL-Start frame whose destination is the multicast address 01-80-C2-00-00-03, starting 802.1x access;

2. The authenticator sends the authentication requester an EAP-Request frame, addressed to the requester's address, asking the requester to report its user name;

3. The authentication requester answers the authenticator's request with an EAP-Response frame containing the user name. The authenticator checks whether its local database holds information for this user; if so, it authenticates the user with the EAP method registered in the database and jumps to step 7, otherwise it proceeds to step 4;

4. The authenticator sends the RADIUS authentication server an Access-Request message in EAP-over-RADIUS format; the message carries the EAP-Response with the user name that the requester sent to the authenticator, thus submitting the user name to the RADIUS server;

5. The RADIUS authentication server generates a 128-bit challenge;

6. The RADIUS authentication server answers the authenticator with an Access-Challenge message that carries an EAP challenge request, delivering to the authenticator the challenge for that user;

7. The authenticator passes the challenge to the user by sending the authentication requester an EAP-Request frame carrying the challenge;

8. On receiving the EAP-Request carrying the challenge, the authentication requester runs the MD5 algorithm over the password and the challenge to produce the password-bound challenge value, places that value in an EAP-Response frame and sends it to the authenticator;

9. The authenticator forwards the password-bound challenge value to the RADIUS authentication server in an Access-Request message, and the RADIUS server performs the authentication;

10. The RADIUS authentication server decides from the user information whether the user is legitimate and answers the authenticator with an authentication success or failure message. On success the answer carries the negotiated parameters and the user's service attributes, which authorize the user;

11. According to the result, the authenticator answers the user with an EAP-Success or EAP-Failure frame, informing the user of the outcome. If authentication failed, the flow ends here; if it succeeded, the subsequent authorization, accounting and related procedures can be carried out;

12. The authenticator sends the authentication server a request message (this may use an already defined format such as an EAP message or a custom message, and may be carried over RADIUS or over a custom private protocol) carrying the requester's user name, asking the server for the requester's information and parameters. The authentication server sends the authenticator the requester's information, such as user name, password, committed access rate parameters, priority, the requester's access control list and the EAP authentication method used. The authenticator stores this information in its own database. The authenticator may of course keep only the user name, the password and the EAP authentication method, because the other parameters are of no use during re-authentication;

13. The re-authentication timer triggers re-authentication (re-authentication may be initiated by the authentication requester or by the authenticator; initiation by the authenticator is used here as the example). The authenticator sends the authentication requester an EAP-Request frame, addressed to the requester's address, asking the requester to report its user name;

14. The authentication requester answers the authenticator's request with an EAP-Response frame containing the user name;

15. The authenticator searches its local database for this user's information, finds that the user is present and learns which EAP authentication method is recorded for the user; MD5 is used here as the example;

16. The authenticator generates a 128-bit challenge;

17. The authenticator passes the challenge to the user by sending the authentication requester an EAP-Request frame carrying the challenge;

18. On receiving the EAP-Request carrying the challenge, the authentication requester runs the MD5 algorithm over the password and the challenge to produce the password-bound challenge value, places that value in an EAP-Response frame and sends it to the authenticator;

19. The authentication server decides from the user information whether the user is legitimate; if so, step 20 is executed, otherwise step 21;

20. Reset the re-authentication timer for the next re-authentication and keep the controlled port connected so as to continue serving the authentication requester. As needed, the authentication server may be notified that the requester is still online and legitimate (the notice may be sent after every successful re-authentication, after every few successful re-authentications, or not at all);

21. If authentication fails, disconnect the controlled port to stop serving the authentication requester, and notify the authentication server that the requester is offline or illegitimate so that DHCP address reclamation and termination of accounting can be carried out.

The above procedure can also be applied, in another embodiment, to fast re-authentication of a mobile terminal switching between AP access points in a WLAN, as shown in Figure 8. In Figure 8 the authentication requester is the mobile terminal and the authenticator is an AP. When a mobile terminal moves from the upper position in Figure 8 to the lower position, re-authentication is required so that the lower AP opens its controlled port and serves the terminal. In the existing technology this re-authentication goes through the authentication server or an authentication control point (a device similar to the authentication server proxy of related solution four), which can place too much load on the server and the control point. Using the above method for re-authentication during AP handover significantly reduces the load on the authentication server and the authentication control point and gives faster authentication.

The first authentication flow is the same as above. When the mobile terminal switches to the lower AP, it sends an EAPOL-Start frame to begin re-authentication; the detailed flow is as follows (Figure 9):

1. Once a physical connection exists between the user and the authenticator, the user's authentication requester sends authenticator AP2 an EAPOL-Start frame whose destination is the multicast address 01-80-C2-00-00-03, starting 802.1x access. The difference from the flow above is that this EAPOL frame must carry the address of authenticator AP1, on which the mobile terminal was previously authenticated; this difference may instead be placed in the EAP response frame;

2. The authenticator sends the authentication requester an EAP-Request frame, addressed to the requester's address, asking the requester to report its user name;

3. The authentication requester answers the authenticator's request with an EAP-Response frame containing the user name. If the EAPOL-Start frame did not carry the address of the original authenticator AP1, the address of AP1 can be carried in this frame;

4. Authenticator AP2 sends the original authenticator AP1 a request message carrying the requester's user name;

5. The original authenticator AP1 searches its local database. If it holds the requester's user information, it sends that information, such as user name, password, committed access rate parameters, priority, the requester's access control list and the EAP authentication method used, to authenticator AP2, which stores it in its own database. AP2 may of course keep only the user name, the password and the EAP authentication method, because the other parameters are of no use during re-authentication. If AP1 cannot find the requester's information, it returns an authentication failure message and this authentication ends;

6. Authenticator AP2 generates a 128-bit challenge;

7. Authenticator AP2 passes the challenge to the user by sending the authentication requester an EAP-Request frame carrying the challenge;

8. On receiving the EAP-Request carrying the challenge, the authentication requester runs the MD5 algorithm over the password and the challenge to produce the password-bound challenge value, places that value in an EAP-Response frame and sends it to authenticator AP2;

9. Authenticator AP2 decides from the challenge value sent by the user whether the user is legitimate; if so, step 10 is executed, otherwise step 11;

10. AP2 sends the mobile terminal an authentication success message and opens its controlled port to serve the authentication requester; at the same time it sends AP1 a user-information deletion message so that AP1 deletes the requester's entry and frees the space;

11. If re-authentication fails, AP2 sends the mobile terminal an authentication failure message and does not open the controlled port; at the same time it sends AP1 an authentication failure message for this requester, and AP1 decides whether to re-authenticate the requester or to warn the requester that it may be under attack.
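
As an added illustration of the two signalling flows above (the Figure 7 flow, where the authenticator re-authenticates locally from its cached record, and the Figure 9 flow, where AP2 obtains the cached record from AP1), the following Python simulation is editorial example code, not code from the patent or from Huawei. It models the authentication requester, the authenticator and the RADIUS server as in-process objects. The EAP-MD5 response is computed as MD5(Identifier || password || challenge) as RFC 3748 specifies, which is what the page's "MD5 over the password and the challenge" amounts to; the AP1 address that the page carries in the EAPOL-Start frame is modelled as a direct reference to the AP1 object; the user name and password are constructed, and the authorization attributes (CAR, priority, ACL) that the server also sends in step 12 are omitted because the page says they are not needed for re-authentication.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    # EAP-MD5 response per RFC 3748: MD5(Identifier || password || challenge)
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


@dataclass
class UserRecord:
    username: str
    password: bytes     # handed to the authenticator after first authentication (step 12)
    eap_method: str     # EAP method used during first authentication


class RadiusServer:
    def __init__(self, users):
        self.users = {u.username: u for u in users}
        self.verify_calls = 0   # counts server-side checks, to show re-authentication skips them
        self.online = {}        # username -> last on-line/off-line notice from an authenticator

    def verify(self, username, identifier, challenge, response):
        # Step 10: check the response; return the user's record on success, else None.
        self.verify_calls += 1
        rec = self.users.get(username)
        if rec is None:
            return None
        expected = eap_md5_response(identifier, rec.password, challenge)
        return rec if hmac.compare_digest(expected, response) else None


class Supplicant:
    def __init__(self, username: str, password: bytes):
        self.username, self.password = username, password

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return eap_md5_response(identifier, self.password, challenge)   # steps 8 / 18


class Authenticator:
    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.cache = {}          # username -> UserRecord learned from the server or a previous AP
        self.open_ports = set()  # user names whose controlled port is currently open
        self.identifier = 0      # EAP Identifier field

    def _next_id(self) -> int:
        self.identifier = (self.identifier + 1) % 256
        return self.identifier

    def export_record(self, username):
        return self.cache.get(username)         # handover steps 4-5: AP1 answers AP2's lookup

    def delete_record(self, username):
        self.cache.pop(username, None)          # handover step 10: AP1 frees the entry
        self.open_ports.discard(username)

    def authenticate(self, supp: Supplicant, previous_ap=None) -> bool:
        # One EAP exchange; previous_ap models the AP1 address carried in EAPOL-Start.
        rec = self.cache.get(supp.username)
        if rec is None and previous_ap is not None:
            rec = previous_ap.export_record(supp.username)
        if rec is None:                             # first-time request: forwarded to RADIUS
            rec = self._first_authentication(supp)
            ok = rec is not None
        else:                                       # re-authentication: decided locally
            ok = self._local_authentication(supp, rec)
            if ok and previous_ap is not None:
                previous_ap.delete_record(supp.username)
        if ok:
            self.cache[supp.username] = rec
            self.open_ports.add(supp.username)
            self.radius.online[supp.username] = True    # optional "still on-line" notice (step 20)
        else:
            self.open_ports.discard(supp.username)      # step 21: close the controlled port
            self.radius.online[supp.username] = False   # so the server can stop accounting
        return ok

    def _first_authentication(self, supp):
        ident = self._next_id()
        challenge = os.urandom(16)                  # 128-bit challenge from the server (step 5)
        response = supp.respond(ident, challenge)
        return self.radius.verify(supp.username, ident, challenge, response)   # steps 9-10

    def _local_authentication(self, supp, rec) -> bool:
        if rec.eap_method != "MD5-Challenge":
            return False                            # only EAP-MD5 is modelled here
        ident = self._next_id()
        challenge = os.urandom(16)                  # step 16: challenge generated by the authenticator
        response = supp.respond(ident, challenge)
        expected = eap_md5_response(ident, rec.password, challenge)
        return hmac.compare_digest(expected, response)   # step 19: no server round-trip


if __name__ == "__main__":
    radius = RadiusServer([UserRecord("alice", b"s3cret", "MD5-Challenge")])  # constructed data
    ap1, ap2 = Authenticator(radius), Authenticator(radius)
    alice = Supplicant("alice", b"s3cret")
    print("first auth via RADIUS:", ap1.authenticate(alice), "server checks:", radius.verify_calls)
    print("local re-auth on AP1:", ap1.authenticate(alice), "server checks:", radius.verify_calls)
    print("handover to AP2:", ap2.authenticate(alice, ap1), "server checks:", radius.verify_calls)
```

Running the file shows the server's verify counter staying at 1 across the local re-authentication and the AP1-to-AP2 handover, which is the load reduction the page claims. The same counter makes the trade-off visible: after step 12 every authenticator holds the user's password in clear text, so its database needs the same protection as the server's, and a failed local re-authentication closes the controlled port and reports the user off-line without the server having seen the exchange.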

以上列举的实施例流程图都是以EAP-MD5这种较为简单的EAP认证方式来描述的。目前EAP的认证方式有十几种,对于本领域的技术人员来说,上述的实施例显然可以应用于EAP的这些认证方式。The flow charts of the embodiments listed above are all described in the relatively simple EAP authentication mode of EAP-MD5. Currently, there are more than a dozen authentication methods of EAP. For those skilled in the art, it is obvious that the above-mentioned embodiments can be applied to these authentication methods of EAP.

可以看出,上述的实施例是对相关技术解决方案二的改进,提供了一种减轻认证服务器负担,快速进行重认证的方法,同时通过上述实施例也可实现在WLAN中不同AP接入时切换的快速重认证。It can be seen that the above-mentioned embodiment is an improvement on the second related technical solution, and provides a method for reducing the burden on the authentication server and quickly performing re-authentication. Toggle fast reauthentication.

Obviously, those skilled in the art should understand that the modules or steps of the present invention described above can be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they may be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, or they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus the present invention is not limited to any particular combination of hardware and software. It should be understood that variations in these specific implementations are obvious to those skilled in the art and do not depart from the spirit and scope of protection of the present invention.

The above are only preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (21)

1. An authentication method, characterized by comprising the following steps: an authentication requester initiates an authentication request for the first time to an authenticator that provides an access service; the authenticator forwards the initiated first authentication request to an authentication server that stores information about the authentication requester; after the authentication server has successfully authenticated the first authentication request, it notifies the authenticator of the authentication requester's authentication information; and when the authentication requester initiates an authentication request to the authenticator again, the authenticator uses the authentication information to authenticate the authentication requester locally.

2. The authentication method according to claim 1, characterized in that the authenticator using the authentication information to authenticate the authentication requester locally comprises the following steps: the authenticator stores locally the authentication information notified by the authentication server, the authentication information including an identifier of the authentication requester; and when the authentication requester initiates an authentication request to the authenticator again, the authenticator uses the identifier to retrieve the authentication information locally and authenticates the authentication requester.

3. The authentication method according to claim 2, characterized in that the authentication information includes the password of the authentication requester and the authentication method used between the authentication server and the authentication requester.

4. The authentication method according to claim 3, characterized in that the authenticator using the identifier to retrieve the authentication information locally and authenticating the authentication requester comprises the following step: the authenticator uses the authentication method to compare and verify the information in the repeated authentication request against the locally stored password of the authentication requester.

5. The authentication method according to claim 4, characterized in that the authentication method includes an authentication method specified by the Extensible Authentication Protocol.

6. The authentication method according to claim 5, characterized in that the authentication server includes a Remote Authentication Dial In User Service (RADIUS) authentication server, and the repeated authentication request is used to detect whether the authentication requester is online.

7. The authentication method according to claim 5, characterized in that communication between the authenticator and the authentication server uses the 802.1x protocol, the authenticator includes multiple wireless access points, and the repeated authentication request is used for the authentication requester to switch between multiple authenticators.

8. The authentication method according to claim 1, characterized by further comprising the following step: when the authenticator receives the authentication request from the authentication requester, it searches its own database; if an entry is found, it determines that the authentication request is not a first authentication request, otherwise it determines that the authentication request is a first authentication request.

9. The authentication method according to claim 1, characterized by further comprising the following steps: the authentication request initiated by the authentication requester includes information about the authenticator on which the authentication requester was previously authenticated; and when the authenticator receives the authentication request from the authentication requester, it uses that information to determine whether the authentication request is a first authentication request.

10. An authentication system, characterized by comprising: an authentication requester for initiating an authentication request; an authenticator for providing an access service to the authentication requester, which, if the authentication request initiated by the authentication requester is a first authentication request, forwards it for processing to an authentication server that stores information about the authentication requester, and, if it is a repeated authentication request, processes it locally; and the authentication server, for authenticating the first authentication request and, after successful authentication, notifying the authenticator of the authentication requester's authentication information.

11. The authentication system according to claim 10, characterized in that the authenticator comprises: a memory for storing the authentication information notified by the authentication server, the authentication information including an identifier of the authentication requester; and an authentication module for, when the authentication requester initiates an authentication request to the authenticator again, using the identifier to retrieve the authentication information locally and authenticating the authentication requester.

12. The authentication system according to claim 11, characterized in that the authentication information includes the password of the authentication requester and the authentication method used between the authentication server and the authentication requester.

13. The authentication system according to claim 12, characterized in that the authentication module uses the authentication method to compare and verify the information in the repeated authentication request against the locally stored password of the authentication requester.

14. The authentication system according to claim 13, characterized in that the authentication method includes an authentication method specified by the Extensible Authentication Protocol.

15. The authentication system according to claim 14, characterized in that the authentication server includes a Remote Authentication Dial In User Service (RADIUS) authentication server, the authenticator includes multiple wireless access points, and the repeated authentication request is used to detect whether the authentication requester is online.

16. The authentication system according to claim 14, characterized in that communication between the authentication requester, the authenticator and the authentication server uses the 802.1x protocol, and the repeated authentication request is used for the authentication requester to switch between multiple authenticators.

17. An authentication device, characterized in that it is used to provide an access service to an authentication requester; if the authentication request initiated by the authentication requester is a first authentication request, it forwards the request for processing to an authentication server that stores information about the authentication requester, and if it is a repeated authentication request, it processes the request locally.

18. The authentication device according to claim 17, characterized by comprising: a memory for storing the authentication information notified by the authentication server, the authentication information including an identifier of the authentication requester; and an authentication module for, when the authentication requester initiates an authentication request to the authentication device again, using the identifier to retrieve the authentication information locally and authenticating the authentication requester.

19. The authentication device according to claim 18, characterized in that the authentication information includes the password of the authentication requester and the authentication method used between the authentication server and the authentication requester.

20. The authentication device according to claim 19, characterized in that the authentication module uses the authentication method to compare and verify the information in the repeated authentication request against the locally stored password of the authentication requester.

21. The authentication device according to claim 20, characterized in that the authentication method includes an authentication method specified by the Extensible Authentication Protocol.

Priority Applications (1)

CN2007100026904A (CN101232372B), priority date 2007-01-26, filing date 2007-01-26: Authentication method, authentication system and authentication device

Applications Claiming Priority (1)

CN2007100026904A (CN101232372B), priority date 2007-01-26, filing date 2007-01-26: Authentication method, authentication system and authentication device

Publications (2)

CN101232372A, published 2008-07-30
CN101232372B, published 2011-02-02

Family

ID=39898573

Family Applications (1)

CN2007100026904A (CN101232372B), active, priority date 2007-01-26, filing date 2007-01-26: Authentication method, authentication system and authentication device

Country Status (1)

CN: CN101232372B

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant