
CN106454836A - Method and device for enhancing use security of equipment certificate - Google Patents


Publication number
CN106454836A
Authority
CN
China
Prior art keywords
equipment
access
certificate
gateway
transmission network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510477798.3A
Other languages
Chinese (zh)
Other versions
CN106454836B (en
Inventor
曾苗
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN201510477798.3A (CN106454836B)
Priority to PCT/CN2016/070380 (WO2017020546A1)
Publication of CN106454836A
Application granted
Publication of CN106454836B
Legal status: Expired - Fee Related
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and device for enhancing the security of device certificate use, and relates to communication technology. The method includes: when a device requests access to a public transmission network, the gateway of the public transmission network obtains a device ID and a certificate ID from the device requesting access; the gateway of the public transmission network determines, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device; when the gateway of the public transmission network determines that the device requesting access is a legitimate device, it admits the device to the public transmission network, and otherwise it denies the device access to the public transmission network. The invention improves the security of digital certificates, can effectively prevent criminals from stealing a device's certificate, and ensures access security for devices and the transmission domain.

Description

A method and device for enhancing the security of device certificate use

Technical field

The invention relates to communication technology, and in particular to a method and device for enhancing the security of device certificate use.

Background

A home base station (Home eNodeB, HeNB) is generally placed in an enterprise or a user's home, and its traffic may pass through a public transmission network, so the security requirements on the device are higher.

The 3rd Generation Partnership Project (3GPP) specifies that the HeNB uses the Internet Protocol Security (IPSec) protocol to authenticate and encrypt base station messages. The negotiation protocol is Internet Key Exchange v2 (IKEv2), and the recommended authentication methods are certificates and Universal Subscriber Identity Module (USIM) cards. In practice, certificate systems based on the Public Key Infrastructure (PKI) architecture are overly complex, slow to deploy, and poor in application extensibility.

Operators each have their own schedule for PKI deployment. For example, China Mobile's digital certificate system is still under construction, but wireless access equipment (NanoCell) has already begun to be deployed in some provinces. So when the operator has no PKI system, the base station uses a pre-installed operator certificate; otherwise it uses the online certificate application scheme (CMPV2 protocol).

An HeNB base station may pass through a public transmission network. When the existing hardware cannot adequately protect the certificate and private key, the HeNB's certificate may be stolen and misused by illegitimate users even under the online certificate application scheme, which is a security problem.

To guarantee the binding between certificate and device, 3GPP recommends a dual authentication mode of certificate + USIM, but this is extremely complex to implement, and no device currently supports it. Since dual authentication has not been implemented, it is extremely important to prevent illegitimate users from misusing a base station's certificate and to guarantee the unique association between certificate and device.

Summary of the invention

The purpose of the present invention is to provide a method and device for enhancing the security of device certificate use, which can better deny devices that use a certificate illegitimately access to the transmission network.

According to one aspect of the present invention, a method for enhancing the security of device certificate use is provided, including:

when a device requests access to a public transmission network, the gateway of the public transmission network obtains a device ID and a certificate ID from the device requesting access;

the gateway of the public transmission network determines, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device;

when the gateway of the public transmission network determines that the device requesting access is a legitimate device, it admits the device requesting access to the public transmission network; otherwise, it denies the device requesting access access to the public transmission network.

Preferably, the step in which the gateway of the public transmission network determines, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device includes:

the gateway of the public transmission network queries, according to the obtained device ID, the access state of the device corresponding to the device ID;

if the queried access state of the device corresponding to the device ID is connected, the device requesting access is determined to be an illegitimate device; otherwise, the device requesting access is determined to be an illegitimate device.

Preferably, the step in which the gateway of the public transmission network determines, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device includes:

performing a consistency check on the relationship between the device ID and the certificate ID;

when the check passes, the device requesting access is determined to be a legitimate device; otherwise, the device requesting access is determined to be an illegitimate device.

Preferably, the step in which the gateway of the public transmission network determines, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device includes:

the gateway of the public transmission network queries, according to the obtained device ID, the access state of the device corresponding to the device ID;

if the queried access state of the device corresponding to the device ID is not connected, a consistency check is performed on the relationship between the device ID and the certificate ID;

when the check passes, the device requesting access is determined to be a legitimate device; otherwise, the device requesting access is determined to be an illegitimate device.

Preferably, the gateway of the public transmission network binds the device ID to the certificate ID in advance, for use in the consistency check.

According to another aspect of the present invention, a device for enhancing the security of device certificate use is provided, including:

a gateway acquisition module, configured to obtain a device ID and a certificate ID from the device requesting access when a device requests access to the public transmission network;

a gateway judgment module, configured to determine, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device;

a gateway access processing module, configured to admit the device requesting access to the public transmission network when the device is determined to be a legitimate device, and otherwise to deny the device requesting access access to the public transmission network.

Preferably, the gateway judgment module queries, according to the obtained device ID, the access state of the device corresponding to the device ID; if the queried access state of the device corresponding to the device ID is connected, it determines that the device requesting access is an illegitimate device; otherwise, it determines that the device requesting access is an illegitimate device.

Preferably, the gateway judgment module performs a consistency check on the relationship between the device ID and the certificate ID; if the check passes, it determines that the device requesting access is a legitimate device; otherwise, it determines that the device requesting access is an illegitimate device.

Preferably, the gateway judgment module queries, according to the obtained device ID, the access state of the device corresponding to the device ID; if the queried access state of the device corresponding to the device ID is not connected, it performs a consistency check on the relationship between the device ID and the certificate ID; when the check passes, it determines that the device requesting access is a legitimate device; otherwise, it determines that the device requesting access is an illegitimate device.

Preferably, the device further includes:

a gateway binding module, configured to bind the device ID to the certificate ID in advance, for use in the consistency check.

Compared with the prior art, the beneficial effects of the present invention are:

1. The invention improves the security of certificates and can effectively prevent criminals from stealing a device's certificate;

2. By binding certificates to devices, the invention denies devices that use a certificate illegitimately access to the public transmission network, thereby ensuring access security for base stations and the transmission domain.

Description of drawings

Fig. 1 is a schematic block diagram of the method for enhancing the security of device certificate use provided by an embodiment of the present invention;

Fig. 2 is a block diagram of the device for enhancing the security of device certificate use provided by an embodiment of the present invention;

Fig. 3 is a system networking diagram for enhancing the security of device certificate use provided by an embodiment of the present invention;

Fig. 4 is a flow chart of the interaction between a base station and a security gateway for enhancing the security of device certificate use provided by an embodiment of the present invention.

Detailed description

The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be understood that the preferred embodiments described below are only used to illustrate and explain the present invention, and are not intended to limit it.

Fig. 1 is a schematic block diagram of the method for enhancing the security of device certificate use provided by an embodiment of the present invention. As shown in Fig. 1, the steps include:

Step S101: When a device requests access to a public transmission network, the gateway of the public transmission network obtains a device ID and a certificate ID from the device requesting access.

Specifically, while the device requesting access to the public transmission network is carrying out the IPSEC negotiation it initiated, it sends its device ID and its certificate to the gateway of the public transmission network; after receiving the device ID and the device's certificate, the gateway of the public transmission network obtains the certificate ID from the certificate.

The device requesting access to the public transmission network generates the device ID from its own device asset number (SN), which it reads; alternatively, the device ID may be stored locally in advance.

Step S102: The gateway of the public transmission network determines, according to the obtained device ID and the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device.

Specifically, the gateway of the public transmission network can determine whether the device requesting access is a legitimate device in any of the following three ways:

Mode 1: The gateway of the public transmission network queries, according to the obtained device ID, the access state of the device corresponding to the device ID. If the queried access state of the device corresponding to the device ID is connected, it determines that the device requesting access is an illegitimate device; otherwise, it determines that the device requesting access is an illegitimate device.

Mode 2: The gateway of the public transmission network performs a consistency check on the relationship between the device ID and the certificate ID. When the check passes, it determines that the device requesting access is a legitimate device; otherwise, it determines that the device requesting access is an illegitimate device.

Mode 3: The gateway of the public transmission network queries, according to the obtained device ID, the access state of the device corresponding to the device ID. If the queried access state of the device corresponding to the device ID is not connected, it performs a consistency check on the relationship between the device ID and the certificate ID. When the check passes, it determines that the device requesting access is a legitimate device; otherwise, it determines that the device requesting access is an illegitimate device. That is, the device requesting access is determined to be a legitimate device only when the queried access state of the device corresponding to the device ID is not connected and the consistency check on the relationship between the device ID and the certificate ID passes.

Further, before step S101, the gateway of the public transmission network needs to bind the device ID to the certificate ID in advance. During the consistency check, the gateway uses the pre-bound device ID and certificate ID to determine whether the binding between the received device ID and certificate ID is legitimate: if it is, the check passes; otherwise, the check fails. In other words, when the access state of the device corresponding to the device ID is not connected, and the relationship between the device ID and the certificate ID matches the pre-stored binding, the device requesting access is determined to be a legitimate device; otherwise it is an illegitimate device.

Step S103: When the gateway of the public transmission network determines that the device requesting access is a legitimate device, it admits the device requesting access to the public transmission network; otherwise, it denies the device requesting access access to the public transmission network.

Fig. 2 is a block diagram of the device for enhancing the security of device certificate use provided by an embodiment of the present invention. As shown in Fig. 2, it includes a gateway acquisition module 10, a gateway judgment module 20, and a gateway access processing module 30.

The gateway acquisition module 10 is used to obtain the device ID and the certificate ID from the device requesting access when a device requests access to the public transmission network;

The gateway judgment module 20 is used to determine, according to the obtained device ID and the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device;

The gateway access processing module 30 is used to admit the device requesting access to the public transmission network when the device is determined to be a legitimate device, and otherwise to deny the device requesting access access to the public transmission network.

Further, the device also includes:

The gateway binding module 40, which is used to bind the device ID to the certificate ID in advance and to store the binding for use in the consistency check.

The workflow of the device is as follows:

Step 1: While the device requesting access to the public transmission network is carrying out the IPSEC negotiation it initiated, the gateway acquisition module 10 receives the device ID and the device's certificate sent by that device, and obtains the certificate ID from the certificate.

Step 2: The gateway judgment module 20 determines whether the device requesting access is a legitimate device.

Any one of the following three modes can be used for the determination:

Mode 1: The gateway judgment module 20 queries, according to the obtained device ID, the access state of the device corresponding to the device ID. If the queried access state of the device corresponding to the device ID is connected, it determines that the device requesting access is an illegitimate device; otherwise, it determines that the device requesting access is an illegitimate device.

Mode 2: The gateway judgment module 20 performs a consistency check on the relationship between the device ID and the certificate ID, that is, it checks the relationship between the device ID and the certificate ID against the binding between device ID and certificate ID that the gateway binding module 40 bound and stored in advance. If the check passes, it determines that the device requesting access is a legitimate device; otherwise, it determines that the device requesting access is an illegitimate device.

Mode 3: The gateway judgment module 20 queries, according to the obtained device ID, the access state of the device corresponding to the device ID. If the queried access state of the device corresponding to the device ID is not connected, it performs a consistency check on the relationship between the device ID and the certificate ID. When the check passes, it determines that the device requesting access is a legitimate device; otherwise, it determines that the device requesting access is an illegitimate device.

Step 3: If the gateway judgment module 20 determines that the device requesting access is an illegitimate device, the gateway access processing module 30 denies the device requesting access access to the public transmission network; otherwise, the gateway access processing module 30 admits the device requesting access to the public transmission network.

The devices in the embodiments of Fig. 1 and Fig. 2 may be any devices that use digital certificates. The following takes a base station as an example and gives further explanation with reference to Fig. 3 and Fig. 4.

Fig. 3 is a system networking diagram for enhancing the security of device certificate use provided by an embodiment of the present invention. As shown in Fig. 3, it includes: multiple base stations requesting access to the public transmission network (AP-A, AP-B, …, AP-N), a security gateway (SeGW) located in the public transmission network, and the core network.

1. The security gateway is preset with the relevant information

The correspondence between base stations and certificates is configured on the security gateway in advance. Specifically, each base station ID is bound to a certificate ID, and the binding is stored in a database system or on another device.

2. The base station initiates an IPSEC negotiation request to the security gateway

During the IPSEC negotiation, the base station requesting access to the public transmission network sends its unique identifier (the base station ID, APID) to the security gateway. In the identity authentication phase of IPSEC, it also sends the base station's certificate to the security gateway. The security gateway extracts the CN field from the base station's certificate; the CN field can be used to uniquely identify the certificate, so this yields the certificate ID.

The IPSEC negotiation request may also be initiated by the security gateway towards the base station.

3. Processing at the security gateway

In the first implementation, the security gateway looks up the APID and CN of the base station requesting access to the public transmission network in the preset database system. If the base station corresponding to the APID is already in the connected state, the gateway rejects this IPSEC negotiation request, denies access to the base station requesting access to the public transmission network, and reports an alarm. Otherwise, if the base station corresponding to the APID is in the not-connected state, the gateway goes on to determine whether the relationship between the APID and the CN meets the requirements. If it meets the certificate-to-device consistency requirement, the check passes and the gateway continues negotiating with the base station; after the negotiation succeeds, the base station requesting access to the public transmission network is connected, and the security gateway updates the base station's access state to connected. If the check fails, the gateway denies access to the base station requesting access to the public transmission network.

In the second implementation, the processing described above can instead be performed by the network management system. Specifically, the security gateway sends the APID and CN of the base station requesting access to the public transmission network to the network management system, on which the correspondence between base stations and certificates has been configured in advance. For the APID and CN sent by the security gateway, the network management system queries its database to determine whether the APID and CN meet the consistency requirement. If they meet the certificate-to-device consistency requirement, it returns a check-passed message to the security gateway; otherwise it returns a check-failed message. When the security gateway receives the message returned by the network management system, if it is a check-passed message, the gateway continues the negotiation and, after the negotiation succeeds, admits the base station requesting access to the public transmission network; if it is a check-failed message, the gateway denies the base station requesting access access to the public transmission network.

Taking the first implementation as an example, Fig. 4 shows a flow chart of the interaction between a base station and a security gateway for enhancing the security of device certificate use. As shown in Fig. 4, the steps include:

Step 201: The base station (LTE-Femto) requesting access to the public transmission network reads its SN and generates an APID from the SN.

Step 202: The base station requesting access to the public transmission network initiates IPSEC negotiation with the gateway (SeGW) of the public transmission network and, during the IKEv2 negotiation, sends its base station ID (the APID) and certificate to the gateway.

Step 203: The gateway determines whether the access state of the base station corresponding to the APID is connected. If it is connected, step 204 is executed; otherwise steps 205, 206 and 207 are executed.

Step 204: The gateway denies the base station requesting access access to the public transmission network.

Step 205: The gateway extracts the CN field from the certificate.

Step 206: The gateway determines whether the correspondence between the APID and the CN of the base station requesting access to the public transmission network is legitimate and, according to the result, either continues the negotiation in order to admit the base station or directly denies the base station access to the public transmission network.

Step 207: The gateway sends the continue-negotiation or access-denied message to the base station requesting access to the public transmission network.

Step 208: After the negotiation succeeds, the access state of the base station requesting access to the public transmission network is updated from not connected to connected.

It can be seen from the above flow that the present invention has very little impact on the existing flow.

以下以一个具体应用实例进行进一步说明。A specific application example is used for further description below.

在安全网关上预置关于APID和CN的关系的数据库,表1为部分映射或绑定关系表。A database about the relationship between APID and CN is preset on the security gateway, and Table 1 is a partial mapping or binding relationship table.

Table 1. First mapping table

| Serial number | APID | CN | Access status |
|---|---|---|---|
| 1 | 001E7327042000021 | Nodeb01 | OFF |
| 2 | 001E7327042000022 | Nodeb02 | OFF |
| 3 | 001E7327042000023 | Nodeb03 | OFF |
| 4 | 001E7327042000024 | Nodeb04 | OFF |
| 5 | 001E7327042000025 | Nodeb05 | OFF |

1. Application example 1

The APID of base station A is 001E7327042000021, and it uses the digital certificate whose CN is Nodeb01 to initiate an IPSEC negotiation request to the security gateway. From Table 1, the security gateway determines that the access status of the base station with APID 001E7327042000021 is not connected (OFF) and that the relationship between base station A's APID and CN matches the mapping in Table 1. The verification passes, base station A is allowed to access the public transmission network, and the access status in Table 1 is updated to connected (ON). The updated database is shown in Table 2.

Table 2. Second mapping table

| Serial number | APID | CN | Access status |
|---|---|---|---|
| 1 | 001E7327042000021 | Nodeb01 | ON |
| 2 | 001E7327042000022 | Nodeb02 | OFF |
| 3 | 001E7327042000023 | Nodeb03 | OFF |
| 4 | 001E7327042000024 | Nodeb04 | OFF |
| 5 | 001E7327042000025 | Nodeb05 | OFF |

2. Application example 2

The APID of base station B is 00000000000021. Base station B misappropriates base station A's digital certificate, whose CN is Nodeb01, and initiates an IPSEC negotiation request to the security gateway. When the security gateway performs the check, the correspondence between APID and CN is not valid, so the verification fails and the security gateway rejects base station B's access.

3. Application example 3

The APID of base station C is 00000000000031. Base station C misappropriates base station A's digital certificate, whose CN is Nodeb01, reports a forged APID of 001E7327042000021, and initiates an IPSEC negotiation request to the security gateway. The security gateway determines that the base station with APID 001E7327042000021 is already online, so the verification fails and the security gateway rejects base station C's access.

4. Application example 4

When expanding capacity, the user adds a new base station D, whose APID is 001E7327042000029 and which uses the digital certificate whose CN is Nodeb09. The information for this base station must first be added on the security gateway; the updated database is shown in Table 3.

When base station D initiates an IPSEC negotiation request, the security gateway determines that the access status of the base station with APID 001E7327042000029 is not connected (OFF) and that the correspondence between APID and CN is valid. The verification passes and base station D is allowed to access. After the negotiation succeeds, the access status in the database is updated from not connected (OFF) to connected (ON), as shown in Table 4.

Table 3. Third mapping table

| Serial number | APID | CN | Access status |
|---|---|---|---|
| 1 | 001E7327042000021 | Nodeb01 | ON |
| 2 | 001E7327042000022 | Nodeb02 | OFF |
| 3 | 001E7327042000023 | Nodeb03 | OFF |
| 4 | 001E7327042000024 | Nodeb04 | OFF |
| 5 | 001E7327042000025 | Nodeb05 | OFF |
| 6 | 001E7327042000029 | Nodeb09 | OFF |

Table 4. Fourth mapping table

| Serial number | APID | CN | Access status |
|---|---|---|---|
| 1 | 001E7327042000021 | Nodeb01 | ON |
| 2 | 001E7327042000022 | Nodeb02 | OFF |
| 3 | 001E7327042000023 | Nodeb03 | OFF |
| 4 | 001E7327042000024 | Nodeb04 | OFF |
| 5 | 001E7327042000025 | Nodeb05 | OFF |
| 6 | 001E7327042000029 | Nodeb09 | ON |

5. Application example 5

The APID of base station E is 001E7327042000024. It uses the digital certificate whose CN is Nodeb04 and is running normally. The corresponding database on the security gateway is shown in Table 5.

Table 5. Fifth mapping table

| Serial number | APID | CN | Access status |
|---|---|---|---|
| 1 | 001E7327042000021 | Nodeb01 | ON |
| 2 | 001E7327042000022 | Nodeb02 | OFF |
| 3 | 001E7327042000023 | Nodeb03 | OFF |
| 4 | 001E7327042000024 | Nodeb04 | ON |
| 5 | 001E7327042000025 | Nodeb05 | OFF |
| 6 | 001E7327042000029 | Nodeb09 | ON |

The hardware of base station E now develops a fault and must be returned to the factory for repair, and the repair cycle is long. Base station E is replaced with a new piece of hardware (APID 001E7327042000030), but the operator wants to keep using base station E's original certificate. This can be achieved as follows.

1. Copy base station E's original certificate to the new hardware.

2. Modify the database on the security gateway. The updated database is shown in Table 6.

Table 6. Sixth mapping table

| Serial number | APID | CN | Access status |
|---|---|---|---|
| 1 | 001E7327042000021 | Nodeb01 | ON |
| 2 | 001E7327042000022 | Nodeb02 | OFF |
| 3 | 001E7327042000023 | Nodeb03 | OFF |
| 4 | 001E7327042000030 | Nodeb04 | OFF |
| 5 | 001E7327042000025 | Nodeb05 | OFF |
| 6 | 001E7327042000029 | Nodeb09 | ON |

When the device with APID 001E7327042000030 initiates an IPSEC negotiation request, the security gateway's verification passes and the device is allowed to access. After the negotiation succeeds, the database is updated as shown in Table 7.

Table 7. Seventh mapping table

| Serial number | APID | CN | Access status |
|---|---|---|---|
| 1 | 001E7327042000021 | Nodeb01 | ON |
| 2 | 001E7327042000022 | Nodeb02 | OFF |
| 3 | 001E7327042000023 | Nodeb03 | OFF |
| 4 | 001E7327042000030 | Nodeb04 | ON |
| 5 | 001E7327042000025 | Nodeb05 | OFF |
| 6 | 001E7327042000029 | Nodeb09 | ON |
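The gateway-side check of steps 203 to 208, replayed against application examples 1 to 5, as an added example that is not code from the patent. The class and method names are hypothetical, the APID and CN values are the ones in the tables above, and the CN is assumed to come from a certificate whose chain the IKEv2 stack has already validated.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    CONTINUE = "continue IKEv2 negotiation"
    REJECT_ALREADY_CONNECTED = "APID already connected"
    REJECT_BINDING = "APID/CN binding not valid"


@dataclass
class Entry:
    cn: str                  # certificate Common Name bound to this APID
    connected: bool = False  # access status: False = OFF, True = ON


class SecurityGateway:
    def __init__(self, bindings):
        # bindings: {APID: CN}, the pre-provisioned mapping table (Table 1)
        self.db = {apid: Entry(cn) for apid, cn in bindings.items()}

    def check(self, apid, cert_cn):
        """Steps 203-206. cert_cn is assumed to be taken from a certificate
        that has already passed normal chain and signature validation."""
        entry = self.db.get(apid)
        if entry is not None and entry.connected:   # step 203 -> step 204
            return Decision.REJECT_ALREADY_CONNECTED
        if entry is None or entry.cn != cert_cn:    # steps 205-206
            return Decision.REJECT_BINDING
        return Decision.CONTINUE

    def negotiation_succeeded(self, apid):
        """Step 208: update the access status from OFF to ON."""
        self.db[apid].connected = True

    def provision(self, apid, cn):
        """Application example 4: add a base station before it connects.
        Rejecting a reused APID or CN is an assumption of this sketch."""
        if apid in self.db or any(e.cn == cn for e in self.db.values()):
            raise ValueError("APID or CN already bound")
        self.db[apid] = Entry(cn)

    def replace_hardware(self, old_apid, new_apid):
        """Application example 5: rebind an existing CN to new hardware."""
        if new_apid in self.db:
            raise ValueError("new APID already bound")
        self.db[new_apid] = Entry(self.db.pop(old_apid).cn)


def run_examples():
    """Replays application examples 1-5 and returns each decision."""
    gw = SecurityGateway(
        {f"001E732704200002{i}": f"Nodeb0{i}" for i in range(1, 6)})
    a, d = "001E7327042000021", "001E7327042000029"
    results = {}
    results["A"] = gw.check(a, "Nodeb01")                 # example 1
    gw.negotiation_succeeded(a)
    results["B"] = gw.check("00000000000021", "Nodeb01")  # example 2
    results["C"] = gw.check(a, "Nodeb01")                 # example 3
    gw.provision(d, "Nodeb09")                            # example 4
    results["D"] = gw.check(d, "Nodeb09")
    gw.negotiation_succeeded(d)
    e_old, e_new = "001E7327042000024", "001E7327042000030"
    gw.negotiation_succeeded(e_old)                       # Table 5: E is ON
    gw.replace_hardware(e_old, e_new)                     # example 5, Table 6
    results["E_new"] = gw.check(e_new, "Nodeb04")
    results["E_old"] = gw.check(e_old, "Nodeb04")
    return results


if __name__ == "__main__":
    for name, decision in run_examples().items():
        print(name, "->", decision.value)
```

Because the APID is reported by the device itself, the already-connected check in step 203 only catches the forged APID of example 3 while the genuine base station holds its session.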

In summary, the present invention has the following technical effects:

The present invention uses the device ID and/or the binding between the device ID and the certificate ID to determine whether a device requesting access to the public network is a legitimate device, and so refuses illegitimate devices access to the public transmission network, in particular devices that use a certificate illegitimately. This improves the security of the certificate and ensures access security in the transmission domain.

Although the present invention has been described in detail above, it is not limited thereto, and those skilled in the art can make various modifications based on the principle of the present invention. Therefore, any modification made according to the principle of the present invention should be understood as falling within the protection scope of the present invention.

Claims (10)

1. A method for enhancing the security of device certificate use, characterized by comprising:
when a device requests access to a public transmission network, the gateway of the public transmission network obtains a device ID and a certificate ID from the device requesting access;
the gateway of the public transmission network judges, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device;
when the gateway of the public transmission network judges that the device requesting access is a legitimate device, it connects the device requesting access to the public transmission network; otherwise, it refuses to let the device requesting access connect to the public transmission network.
2. The method according to claim 1, characterized in that the step in which the gateway of the public transmission network judges, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device comprises:
the gateway of the public transmission network queries, according to the obtained device ID, the access status of the device corresponding to the device ID;
if the queried access status of the device corresponding to the device ID is connected, the device requesting access is judged to be an illegitimate device; otherwise, the device requesting access is judged to be an illegitimate device.
3. The method according to claim 1, characterized in that the step in which the gateway of the public transmission network judges, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device comprises:
performing a consistency check on the relationship between the device ID and the certificate ID;
when the check passes, the device requesting access is judged to be a legitimate device; otherwise, the device requesting access is judged to be an illegitimate device.
4. The method according to claim 1, characterized in that the step in which the gateway of the public transmission network judges, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device comprises:
the gateway of the public transmission network queries, according to the obtained device ID, the access status of the device corresponding to the device ID;
if the queried access status of the device corresponding to the device ID is not connected, a consistency check is performed on the relationship between the device ID and the certificate ID;
when the check passes, the device requesting access is judged to be a legitimate device; otherwise, the device requesting access is judged to be an illegitimate device.
5. The method according to claim 3 or 4, characterized in that the gateway of the public transmission network binds the device ID to the certificate ID in advance, for use in the consistency check.
6. A device for enhancing the security of device certificate use, characterized by comprising:
a gateway acquisition module, configured to obtain a device ID and a certificate ID from the device requesting access when a device requests access to a public transmission network;
a gateway judgment module, configured to judge, according to the obtained device ID and/or the relationship between the device ID and the certificate ID, whether the device requesting access is a legitimate device;
a gateway access processing module, configured to connect the device requesting access to the public transmission network when the device requesting access is judged to be a legitimate device and, otherwise, to refuse to let the device requesting access connect to the public transmission network.
7. The device according to claim 6, characterized in that the gateway judgment module queries, according to the obtained device ID, the access status of the device corresponding to the device ID; if the queried access status of the device corresponding to the device ID is connected, the device requesting access is judged to be an illegitimate device; otherwise, the device requesting access is judged to be an illegitimate device.
8. The device according to claim 6, characterized in that the gateway judgment module performs a consistency check on the relationship between the device ID and the certificate ID; if the check passes, the device requesting access is judged to be a legitimate device; otherwise, the device requesting access is judged to be an illegitimate device.
9. The device according to claim 6, characterized in that the gateway judgment module queries, according to the obtained device ID, the access status of the device corresponding to the device ID; if the queried access status of the device corresponding to the device ID is not connected, a consistency check is performed on the relationship between the device ID and the certificate ID; when the check passes, the device requesting access is judged to be a legitimate device; otherwise, the device requesting access is judged to be an illegitimate device.
10. The device according to claim 8 or 9, characterized by further comprising:
a gateway binding module, configured to bind the device ID to the certificate ID in advance, for use in the consistency check.
CN201510477798.3A 2015-08-06 2015-08-06 Method and device for enhancing use safety of equipment certificate Expired - Fee Related CN106454836B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510477798.3A CN106454836B (en) 2015-08-06 2015-08-06 Method and device for enhancing use safety of equipment certificate
PCT/CN2016/070380 WO2017020546A1 (en) 2015-08-06 2016-01-07 Network access device verifying method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510477798.3A CN106454836B (en) 2015-08-06 2015-08-06 Method and device for enhancing use safety of equipment certificate

Publications (2)

Publication Number Publication Date
CN106454836A true CN106454836A (en) 2017-02-22
CN106454836B CN106454836B (en) 2021-12-31

Family

ID=57942392

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510477798.3A Expired - Fee Related CN106454836B (en) 2015-08-06 2015-08-06 Method and device for enhancing use safety of equipment certificate

Country Status (2)

Country Link
CN (1) CN106454836B (en)
WO (1) WO2017020546A1 (en)


Also Published As

Publication number Publication date
WO2017020546A1 (en) 2017-02-09
CN106454836B (en) 2021-12-31


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20211231