
CN1697386B - A Billing Method Based on Wireless Local Area Network Authentication and Security Infrastructure System - Google Patents


Info

Publication number
CN1697386B
CN1697386B
Authority
CN
China
Prior art keywords
sta
asu
certificate
online
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN 200410044235
Other languages
Chinese (zh)
Other versions
CN1697386A (en)
Inventor
刘淑玲
刘廷永
尹瀚
冯凯锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2004-05-14
Filing date
2004-05-14
Publication date
2010-04-07

Application filed by Huawei Technologies Co Ltd
Priority to CN 200410044235
Publication of CN1697386A
Application granted
Publication of CN1697386B
Anticipated expiration
Current legal status: Expired - Fee Related

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention provides a charging method based on the WLAN authentication and privacy infrastructure (WAPI) system. Its key point is that the ASU, which issues and stores the STA certificate, acts as the charging entity: it counts the user's online time and charges the STA certificate according to that online time. This further completes the WAPI system. The invention ensures fairly accurate timing for end users in the WAPI system. Moreover, even if an STA certificate is maliciously intercepted and copied and used to send an authentication request to the ASU, the ASU will not overcharge. In addition, when the AP itself fails, for example when it crashes, the ASU can still promptly end the current timing for the STA and so stop charging.

Description

A Billing Method Based on Wireless Local Area Network Authentication and Security Infrastructure System

Technical field

The present invention relates to the technical field of WLAN authentication and privacy infrastructure (WAPI) systems, and in particular to a charging method based on the WAPI system.

Background

China's Broadband Wireless IP Standard Working Group formulated the national WLAN standard GB/T 15629.11 and introduced a security scheme based on the WAPI system, which provides a secure access method for WLAN mobile terminals based on public key certificates.

In the WAPI system there are three kinds of entity: the wireless access user terminal (STA, Station), the access point (AP) and the authentication service unit (ASU). These respectively host the authentication supplicant entity (ASUE), the authenticator entity (AE) and the authentication service entity (ASE). The ASUE is the entity that is authenticated through the authentication service unit and resides in the STA; the AE is the entity that provides the authentication operation for the supplicant before it is granted access to the service and resides in the AP; the ASE provides mutual authentication for the authenticator and the supplicant and resides in the ASU.

The ASU manages the APs and STAs within its domain and issues a public key certificate to each legitimate AP and STA as that device's digital identity credential in the WLAN. The public key certificate contains information such as the certificate serial number and the user name; the issuer ASU together with the serial number uniquely identifies each certificate. The ASU also keeps copies of the STA certificates and AP certificates. Mutual identity authentication between an STA and an AP is carried out through the ASU.

Figure 1 is a schematic diagram of access control based on the WAPI system. The STA sends a connection request to the AP over the WLAN through the uncontrolled port; the AP further encapsulates the request and forwards it to the ASU, which assists the AP and the STA in mutual identity authentication, i.e. certificate authentication. If authentication succeeds, the AP opens the controlled port to admit the STA, the STA and the AP negotiate keys, and data is encrypted and decrypted with the negotiated session key for data communication; if authentication fails, the AP refuses the STA access or the STA abandons access to the AP.

The WAPI system proposes its own authentication and encryption methods, remedies the security deficiencies of the existing international standards, and improves the security and reliability of user access. At the same time, however, WAPI gives no explicit charging method and does not indicate which charging methods it can support. In practical WLAN deployments reasonable charging is necessary, so for WAPI to be implemented better, charging should be addressed.

Summary of the invention

In view of this, the object of the present invention is to provide a charging method based on the WAPI system, further completing the WAPI system.

To achieve the above object, the technical solution of the present invention is implemented as follows:

A charging method based on the WLAN authentication and privacy infrastructure system, comprising the following steps:

a. The authentication service unit (ASU) receives an authentication request from a wireless access user terminal (STA) and, after authenticating the STA successfully, sets a timing flag on the STA certificate it holds for that STA, in order to record the STA's accumulated online time;

b. The ASU periodically checks whether STA online information has arrived from the access point (AP). If it has, the ASU further checks whether the STA certificate referred to by the online information has the timing flag set; if so, the ASU updates that STA's accumulated online time and then repeats step b. If the STA certificate referred to by the online information has no timing flag set, the online information is considered invalid and is ignored without any processing. If no STA online information has arrived from the AP, the ASU stops timing that STA's online time, totals the STA's online time and charges the STA certificate according to that time.

Preferably, when in step b the ASU detects no STA online information from the AP within the timing interval, the method further comprises: the ASU reconfirms whether the STA is online; if it is, the ASU updates the STA's accumulated online time and then repeats step b; otherwise it stops timing the STA's online time, totals the STA's online time and charges according to that time.

Preferably, the method further comprises: when the STA goes offline, the AP sends STA offline information to the ASU; after receiving the STA offline information from the AP, the ASU stops timing that STA's online time, totals the STA's online time and charges according to that time.

Preferably, the method further comprises:

after the ASU in step b stops timing the STA's online time, it clears the timing flag of the locally stored STA certificate before carrying out the subsequent steps.

Preferably, the AP sends the STA offline information to the ASU either directly, or by signing the whole STA offline information with its private key and sending the signed offline information to the ASU.

Preferably, the STA offline information contains at least the user name and serial number from the STA certificate; or it contains the complete STA certificate and AP certificate together with the AP's private key signature over the whole message; or it contains the user name and serial number from the STA certificate, the user name and serial number from the AP certificate, and the AP's private key signature over the whole message.

Preferably, the STA online information contains at least the user name and serial number from the STA certificate.

Preferably, the method further comprises: if an STA certificate may be used by only one STA, then once the ASU has authenticated that STA successfully and has updated the STA's accumulated online time, the ASU refuses to process authentication requests for the same STA certificate until the certificate's user goes offline, and sends an authentication failure to the AP; if an STA certificate may be used by more than one STA at the same time, then the ASU's totalling of the online time and charging of the STA certificate comprises:

the ASU accumulating, over all communication ports using that STA certificate, the time for which the certificate is used, and charging the STA certificate accordingly.

Preferably, the method further comprises: ASUs of the same level exchange STA online information, or a lower-level ASU sends the STA online information it holds to a higher-level ASU.

In the present invention the ASU that issues and stores the STA certificate acts as the charging entity, counts the user's online time and charges the STA certificate according to that online time, further completing the WAPI system.

The invention ensures fairly accurate timing for end users in the WAPI system. Even if an STA certificate is maliciously intercepted and copied and used to send an authentication request to the ASU, the ASU will not overcharge: even if such a certificate passes authentication, without the user's private key the holder cannot complete a valid session key negotiation with the AP, so the AP never sends STA online information to the ASU. In addition, when the AP itself fails, for example when it crashes, it cannot send online information to the ASU, so the ASU receives no STA online information within the timing interval; the ASU can therefore promptly end the current timing for the STA and stop charging.

Where licensed to do so, ASUs of the same level can exchange STA online information, or a lower-level ASU can send the STA online information it holds to a higher-level ASU, so that the higher-level ASU can carry out effective charging management and users can query their charges conveniently. This is very necessary for networked operations, such as chains of networked hotels.

Brief description of the drawings

Figure 1 is a schematic diagram of access control based on the WAPI system;

Figure 2 is a schematic flow chart of charging implemented by an ASU applying the present invention.

Detailed description

To make the technical solution of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings.

The idea of the present invention is that the ASU that issues and stores the STA certificate acts as the charging entity, counts the user's online time and charges the STA certificate according to that online time.

Figure 2 is a schematic flow chart of charging implemented by an ASU applying the present invention.

Step 201: the STA sends an authentication request message to the AP;

Step 202: the AP forwards the authentication request message to the ASU;

Step 203: the ASU assists the AP and the STA in mutual identity authentication, i.e. certificate authentication. After authentication succeeds, it sets a timing flag on the locally stored STA certificate and begins recording the STA's accumulated online time against that certificate; the recorded value normally starts at 0 minutes;

Step 204: the ASU sends the successful authentication result to the AP;

Step 205: the AP sends the successful authentication result to the STA;

Step 206: the STA and the AP negotiate a session key and use it to encrypt and decrypt data for data communication;

Step 207: once the AP begins valid communication with the STA, i.e. the session key negotiation between the AP and the STA is complete and the STA has started data communication with the AP through the controlled port, the AP periodically sends the ASU online information for that STA certificate, that is, the STA's online information;

This online information must contain at least the user name and serial number of the STA certificate, and its sending frequency must match the ASU's timing unit, e.g. once per minute, so that the ASU can compute the user's online time fairly accurately;

Step 208: while the AP periodically sends STA online information to the ASU, the ASU periodically checks whether STA online information has arrived from an AP. If it detects some, the ASU further checks whether the STA certificate referred to by the online information has its timing flag set; if so, it updates that certificate's accumulated online time. If the ASU finds that the referenced STA certificate has no timing flag set, it treats the information as invalid and ignores it without any processing. This prevents users from being charged incorrectly because of an AP malfunction or an attack on the AP;

If the ASU detects no STA online information from the AP, then to guard against a transient communication fault between the AP and the ASU, the ASU reconfirms whether the STA is online, for example by repeating the check to confirm that the STA really is offline. If the STA really is offline, step 210 is executed directly; if the STA is still online, its accumulated online time is updated and the ASU continues to periodically check for STA online information from the AP. The interval of this periodic check must likewise match the timing unit;

Step 209: to cooperate better with the ASU's charging, when the user goes offline the AP may send STA offline information to the ASU. The AP may send this offline information to the ASU directly, or sign the whole offline information with its private key and send the signed offline information to the ASU; after receiving it, the ASU executes step 210 directly;

The offline information contains at least the user name and serial number from the STA certificate. If the offline information is to be signed with the AP's private key, it contains either the complete STA certificate and AP certificate together with the AP's private key signature over the whole message, or the user name and serial number from the STA certificate, the user name and serial number from the AP certificate, and the AP's private key signature over the whole message;

Step 210: stop timing the STA's online time and clear the timing flag of the STA certificate. The user's offline time is taken as the first time at which no STA online information was detected. Total the STA's online time and charge the STA certificate according to that time.

Because a WLAN uses connectionless communication, a user may fail to receive the authentication result, or fail to receive it in time, so WAPI allows one user certificate to send authentication requests several times. If a certificate may be used by only one STA, then after the ASU has authenticated that certificate successfully, set the STA certificate's timing flag and started timing, it may still process authentication requests for the same STA certificate until it has received STA online information from the AP, and the timing flag it has set remains unchanged. But once the ASU has obtained the STA's online information, i.e. has updated the STA's accumulated online time, the ASU refuses to process authentication requests for the same STA certificate until that certificate's user goes offline, and sends an authentication failure to the AP. If more than one STA is allowed to use the same certificate, then when the same certificate is used by several ports at the same time, the ASU may charge by accumulating the usage time of those ports.

When more than one STA uses the same certificate, the ASU's charging by accumulating the usage time of several ports is implemented as follows:

When the system allows more than one STA to use the same certificate, the STA online information that the AP periodically sends to the ASU contains not only the user name and serial number of the STA certificate but also parameter information identifying the communication between the AP and the STA, which includes the user name and serial number of the AP certificate and the logical port identifier of the controlled communication port, among other things;

When the ASU's periodic check detects online information from an AP, it further determines whether the AP-STA communication parameter information in that online information matches the AP-STA communication parameter information it has stored locally. If it matches, the ASU updates the accumulated online time of the matching STA; if not, the ASU stores the received AP-STA communication parameter information, so as to distinguish the different terminals using the same certificate, and starts timing for that terminal.

When the AP sends offline information to the ASU, the offline information contains, in addition to the user name and serial number of the STA certificate, the parameter information identifying the communication between the AP and the STA. When the ASU receives offline information from the AP, it matches it against the communication parameter information of all APs communicating with that STA, looks up the corresponding port and ends charging for the communication port used by that STA certificate.

Finally, the ASU adds together the online times of all STAs using the same STA certificate to obtain the accumulated time for that STA certificate and charges the STA certificate according to that time.
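The ASU-side procedure described above (steps 201 to 210, the repeated-authentication rule for single-use certificates, and the per-port accumulation for certificates shared by several STAs) as an added Python model. This is example code written for this page, not code from the patent or from Huawei. It assumes a one-minute timing unit, one extra silent tick of "reconfirmation" before a port is treated as offline, that a single-use certificate times only its first port, that an STA which authenticates but is never reported online is closed at 0 minutes after the same reconfirmation window, that the AP's signature on offline information has already been verified (represented by a `signature_ok` flag), and that a certificate is charged when its last timed port ends. The message sequences in `run_scenarios` are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed parameters (assumptions, not from the patent): a one-minute timing unit matching
# an AP that reports once per minute, and one silent "reconfirmation" tick before a port ends.
TICK_MINUTES, RECONFIRM_TICKS = 1, 1

@dataclass
class CertRecord:
    """The ASU's stored copy of an STA certificate plus its timing state."""
    username: str
    serial: str
    shared: bool = False         # may more than one STA use this certificate at once?
    timing_flag: bool = False    # set in step 203, cleared in step 210
    idle_ticks: int = 0          # ticks since authentication with no timed port
    finished_minutes: int = 0    # minutes from ports that have already ended
    # (AP user, AP serial, logical port) -> [online minutes, consecutive silent ticks]
    ports: Dict[Tuple[str, str, str], List[int]] = field(default_factory=dict)

class ASU:
    def __init__(self) -> None:
        self.certs: Dict[Tuple[str, str], CertRecord] = {}
        self.inbox: List[tuple] = []                 # online info awaiting the next check
        self.bills: List[Tuple[str, str, int]] = []  # (user, serial, minutes charged)
    def issue(self, user: str, serial: str, shared: bool = False) -> None:
        self.certs[(user, serial)] = CertRecord(user, serial, shared)
    def authenticate(self, user: str, serial: str) -> bool:
        """Steps 201-203; a single-use certificate that is already online is refused."""
        rec = self.certs.get((user, serial))
        if rec is None or (not rec.shared and rec.timing_flag and rec.ports):
            return False
        rec.timing_flag, rec.idle_ticks = True, 0
        return True
    def receive_online(self, user, serial, ap_user, ap_serial, port) -> None:
        self.inbox.append(((user, serial), (ap_user, ap_serial, port)))   # step 207
    def receive_offline(self, user, serial, ap_user, ap_serial, port, signature_ok=True) -> None:
        """Step 209. signature_ok stands in for verifying the AP's signature (not modelled)."""
        rec = self.certs.get((user, serial))
        if rec is not None and signature_ok:
            self._end_port(rec, (ap_user, ap_serial, port))
    def tick(self) -> None:
        """Step 208: one periodic check of everything received since the previous tick."""
        reported = set()
        for cert_key, port_key in self.inbox:
            rec = self.certs.get(cert_key)
            if rec is None or not rec.timing_flag:
                continue                          # no timing flag: invalid info, ignored
            if port_key not in rec.ports and rec.ports and not rec.shared:
                continue                          # single-use cert: only its first port is timed
            minutes = rec.ports.get(port_key, [0, 0])[0]   # a new terminal starts at 0
            rec.ports[port_key] = [minutes + TICK_MINUTES, 0]
            reported.add((cert_key, port_key))
        self.inbox.clear()
        for cert_key, rec in self.certs.items():
            for port_key in [p for p in rec.ports if (cert_key, p) not in reported]:
                rec.ports[port_key][1] += 1       # silent tick: reconfirm, count no time
                if rec.ports[port_key][1] > RECONFIRM_TICKS:
                    self._end_port(rec, port_key)
            if rec.timing_flag and not rec.ports:
                rec.idle_ticks += 1               # authenticated but never reported online
                if rec.idle_ticks > RECONFIRM_TICKS:
                    self._close(rec)              # e.g. a copied certificate: 0 minutes
    def _end_port(self, rec: CertRecord, port_key) -> None:
        """Step 210 for one port: stop its timer and fold its minutes into the certificate."""
        if port_key in rec.ports:
            rec.finished_minutes += rec.ports.pop(port_key)[0]
            if not rec.ports:
                self._close(rec)
    def _close(self, rec: CertRecord) -> None:
        """Step 210 for the certificate: charge the accumulated time and clear the flag."""
        self.bills.append((rec.username, rec.serial, rec.finished_minutes))
        rec.timing_flag, rec.idle_ticks, rec.finished_minutes = False, 0, 0

def run_scenarios() -> dict:
    """Constructed message sequences (not from the patent) exercising the rules above."""
    asu, out, alice = ASU(), {}, ("alice", "0001", "ap1", "A1", "p7")
    asu.issue("alice", "0001")               # single-use certificate
    asu.issue("lab", "0002", shared=True)    # certificate several STAs may share
    asu.authenticate("alice", "0001")        # 1. normal session: 3 reported minutes, then offline
    for _ in range(3):
        asu.receive_online(*alice); asu.tick()
    out["dup_while_online"] = asu.authenticate("alice", "0001")   # refused while online
    asu.receive_offline(*alice)
    out["normal"] = asu.bills[-1]
    asu.authenticate("alice", "0001")        # 2. copied cert: no session key, so never online
    asu.tick(); asu.tick()
    out["copied"] = asu.bills[-1]
    asu.receive_online(*alice); asu.tick()   # 3. online info without timing flag: ignored
    out["bills_after_stray"] = len(asu.bills)
    asu.authenticate("alice", "0001")        # 4. AP crash: 2 reported minutes, then silence
    for _ in range(2):
        asu.receive_online(*alice); asu.tick()
    asu.tick(); asu.tick()
    out["ap_crash"] = asu.bills[-1]
    asu.authenticate("lab", "0002")          # 5. shared cert: port p1 for 2 ticks, p4 for 3
    for i in range(3):
        if i < 2: asu.receive_online("lab", "0002", "ap1", "A1", "p1")
        asu.receive_online("lab", "0002", "ap2", "A2", "p4"); asu.tick()
    for p in (("ap1", "A1", "p1"), ("ap2", "A2", "p4")): asu.receive_offline("lab", "0002", *p)
    out["shared"] = asu.bills[-1]
    return out
```

The two properties the patent argues for fall out of the model: a copied certificate that passes authentication but never completes key negotiation produces no online information, so its timer closes at 0 minutes, and an AP that stops reporting ends the session at the last reported minute rather than accruing further time. The silent-tick and idle-tick windows are where a deployment would tune the trade-off between tolerating transient AP-ASU outages and stopping charges promptly.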

Where licensed to do so, ASUs of the same level can exchange STA online information, or a lower-level ASU can send the STA online information it holds to a higher-level ASU, so that the higher-level ASU can carry out effective charging management and users can query their charges conveniently. This is very necessary for networked operations, such as chains of networked hotels.

The invention ensures fairly accurate timing for end users in the WAPI system. Even if an STA certificate is maliciously intercepted and copied and used to send an authentication request to the ASU, the ASU will not overcharge: even if such a certificate passes authentication, without the user's private key the holder cannot complete a valid session key negotiation with the AP, so the AP never sends STA online information to the ASU.

In addition, when the AP itself fails, for example when it crashes, it cannot send online information to the ASU, so the ASU receives no STA online information within the timing interval; the ASU can therefore promptly end the current timing for the STA and stop charging.

Furthermore, the key negotiation between the STA and the AP takes very little time relative to the timing unit (a key negotiation typically takes at most a few seconds), and if the key negotiation between the AP and the STA fails, the ASU's online time for the STA is 0 minutes; therefore no excess time is recorded and hence no excess charging occurs.

WAPI's security system can readily be applied in public places such as hotels, Internet cafés and libraries. The ASU charges an STA that has used resources reasonably, according to the length of its online time. For example, when a guest checks into a hotel, the hotel uses its own WAPI security equipment to provide the guest with wireless Internet access, i.e. it generates a public key certificate and issues it to the guest, and at the same time uses the method of the present invention to time the guest's online use; when the guest leaves the hotel, the relevant charges are settled.

The above are merely preferred embodiments of the present invention and are not intended to limit it; any modifications, equivalent substitutions, improvements and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (9)

1. A charging method based on a wireless local area network authentication and privacy infrastructure system, characterised in that the method comprises the following steps: a. the authentication service unit (ASU) receives an authentication request from a wireless access user terminal (STA) and, after authenticating the STA successfully, sets a timing flag on the STA certificate it holds for that STA, in order to record the STA's accumulated online time; b. the ASU periodically checks whether STA online information has arrived from the access point (AP); if it has, the ASU further checks whether the STA certificate referred to by the online information has the timing flag set, and if so updates that STA's accumulated online time and then repeats step b; if the STA certificate referred to by the online information has no timing flag set, the online information is considered invalid and is ignored without any processing; if no STA online information has arrived from the AP, the ASU stops timing that STA's online time, totals the STA's online time and charges the STA certificate according to that time.

2. The method according to claim 1, characterised in that, when in step b the ASU detects no STA online information from the AP within the timing interval, the method further comprises: the ASU reconfirms whether the STA is online; if it is, the ASU updates the STA's accumulated online time and then repeats step b; otherwise it stops timing the STA's online time, totals the STA's online time and charges according to that time.

3. The method according to claim 1, characterised in that the method further comprises: when the STA goes offline, the AP sends STA offline information to the ASU; after receiving the STA offline information from the AP, the ASU stops timing that STA's online time, totals the STA's online time and charges according to that time.

4. The method according to claim 1, 2 or 3, characterised in that the method further comprises: after the ASU in step b stops timing the STA's online time, it clears the timing flag of the locally stored STA certificate before carrying out the subsequent steps.

5. The method according to claim 3, characterised in that the AP sends the STA offline information to the ASU either directly, or by signing the whole STA offline information with its private key and sending the signed offline information to the ASU.

6. The method according to claim 3, characterised in that the STA offline information contains at least the user name and serial number from the STA certificate; or the STA offline information contains the complete STA certificate and AP certificate together with the AP's private key signature over the whole message; or the offline information contains the user name and serial number from the STA certificate, the user name and serial number from the AP certificate, and the AP's private key signature over the whole message.

7. The method according to claim 1, characterised in that the STA online information contains at least the user name and serial number from the STA certificate.

8. The method according to claim 1, characterised in that the method further comprises: if an STA certificate may be used by only one STA, then once the ASU has authenticated that STA successfully and has updated the STA's accumulated online time, the ASU refuses to process authentication requests for the same STA certificate until the certificate's user goes offline, and sends an authentication failure to the AP; if an STA certificate may be used by more than one STA at the same time, then the ASU's totalling of the online time and charging of the STA certificate comprises: the ASU accumulating, over all communication ports using that STA certificate, the time for which the certificate is used, and charging the STA certificate accordingly.

9. The method according to claim 1, characterised in that the method further comprises: ASUs of the same level exchange STA online information, or a lower-level ASU sends the STA online information it holds to a higher-level ASU.
CN 200410044235 2004-05-14 2004-05-14 A Billing Method Based on Wireless Local Area Network Authentication and Security Infrastructure System Expired - Fee Related CN1697386B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200410044235 CN1697386B (en) 2004-05-14 2004-05-14 A Billing Method Based on Wireless Local Area Network Authentication and Security Infrastructure System

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200410044235 CN1697386B (en) 2004-05-14 2004-05-14 A Billing Method Based on Wireless Local Area Network Authentication and Security Infrastructure System

Publications (2)

Publication Number Publication Date
CN1697386A CN1697386A (en) 2005-11-16
CN1697386B true CN1697386B (en) 2010-04-07

Family

ID=35349926

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200410044235 Expired - Fee Related CN1697386B (en) 2004-05-14 2004-05-14 A Billing Method Based on Wireless Local Area Network Authentication and Security Infrastructure System

Country Status (1)

Country Link
CN (1) CN1697386B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009055991A1 (en) * 2007-11-01 2009-05-07 Huawei Technologies Co., Ltd. Determination of network parameters
CN101540985B (en) * 2009-03-11 2011-04-06 西安西电捷通无线网络通信股份有限公司 Method for implementing terminal zero intervention charging of WAPI system
CN101521883B (en) * 2009-03-23 2011-01-19 中兴通讯股份有限公司 Method and system for renewing and using digital certificate
CN101925093B (en) * 2010-09-25 2013-06-05 杭州华三通信技术有限公司 Method and equipment for acquiring terminal information

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1416072A (en) * 2002-07-31 2003-05-07 华为技术有限公司 Method for realizing portal authentication based on protocols of authentication, charging and authorization
WO2003092190A1 (en) * 2002-04-23 2003-11-06 Sk Telecom Co., Ltd Authentication system and method having mobility in public wireless local area network
CN1464682A (en) * 2002-06-24 2003-12-31 华为技术有限公司 Method for implementing broad band pre-payment based on authentication, authorization and charging protocol
CN1490984A (en) * 2002-10-14 2004-04-21 华为技术有限公司 A method for online real-time detection of wireless local area network terminals

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003092190A1 (en) * 2002-04-23 2003-11-06 Sk Telecom Co., Ltd Authentication system and method having mobility in public wireless local area network
CN1464682A (en) * 2002-06-24 2003-12-31 华为技术有限公司 Method for implementing broad band pre-payment based on authentication, authorization and charging protocol
CN1416072A (en) * 2002-07-31 2003-05-07 华为技术有限公司 Method for realizing portal authentication based on protocols of authentication, charging and authorization
CN1490984A (en) * 2002-10-14 2004-04-21 华为技术有限公司 A method for online real-time detection of wireless local area network terminals

Also Published As

Publication number Publication date
CN1697386A (en) 2005-11-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100407

Termination date: 20130514