Illegal WIFI detection methods, terminal, aaa server and systemTechnical field
The application is related to the communications field, more particularly to a kind of illegal wireless fidelity (Wireless Fidelity, WIFI) inspectionSurvey method, terminal and checking, mandate, book keeping operation (Authentication, Authorization, Accounting, AAA) serviceDevice and system.
Background technology
As wireless network is popularized, WIFI hot spot signal is ubiquitous, and user is not aware that it when connecting WIFI hot spotIt is whether legal.Once being connected to illegal WIFI hot spot, then network security can not be ensured, it is possible to cause economic loss.At present stillEnsure that terminal accesses the legitimacy of WIFI hot spot without complete security system, it is still necessary to artificial to judge, or by application programItself go to ensure data safety.Wireless access legitimacy is directed in the prior art, and connection is judged by the uniqueness of certificateThe legitimacy of WIFI hot spot, but certificate is complicated in end side application operating, it is impossible to it is used widely.
The content of the invention
Embodiments herein provides a kind of illegal WIFI detection methods, terminal, aaa server and system, for realizingDetection to illegal WIFI hot spot.
To reach above-mentioned purpose, embodiments herein is adopted the following technical scheme that:
First aspect includes there is provided a kind of illegal WIFI detection methods, this method:
Terminal completes the certification on wireless system by Wireless Fidelity WIFI to checking, authorization and accounting aaa server,And authentication record table is generated on the aaa server, the authentication record table includes the authentication result of the terminal;
The terminal sends authentication challenge message to the aaa server in an encrypted form by the WIFI;
The aaa server receives the authentication challenge message from the terminal;
The aaa server inquires about recognizing for the terminal according to the authentication challenge message and the authentication record tableResult is demonstrate,proved, and authentication result message is generated according to the authentication result;
The aaa server sends the authentication result message to the terminal in an encrypted form;
The terminal according to whether receive the authentication result message, or, recognizing in the authentication result messageResult is demonstrate,proved, judges whether the WIFI is legal.
Second aspect includes there is provided a kind of terminal, the terminal:
Authentication unit, for being completed by Wireless Fidelity WIFI to checking, authorization and accounting aaa server in wireless systemOn certification, and generate authentication record table on the aaa server, the authentication record table includes the certification of the terminalAs a result;
Transmitting element, for sending authentication challenge message, institute to the aaa server in an encrypted form by the WIFIStating authentication challenge message is used for the authentication result that the aaa server inquires about the terminal according to the authentication record table, and rootAuthentication result message is generated according to the authentication result;
Receiving unit, for receiving the authentication result message;
Judging unit, for whether receiving the authentication result message according to the receiving unit, or, recognized according to describedThe authentication result in result message is demonstrate,proved, judges whether the WIFI is legal.
The third aspect includes there is provided a kind of aaa server, the aaa server:
Authentication unit, completes the certification on wireless system, and generate certification note for terminal by Wireless Fidelity WIFITable is recorded, the authentication record table includes the authentication result of the terminal;
Receiving unit, for receiving the authentication challenge message in an encrypted form from the terminal;
Query unit, for according to the authentication challenge message and the authentication record table, inquiring about recognizing for the terminalResult is demonstrate,proved, and authentication result message is generated according to the authentication result;
Transmitting element, for sending the authentication result message, the authentication result report to the terminal in an encrypted formText judges whether the WIFI is legal for the terminal.
Illegal WIFI detection methods, terminal, aaa server and system that embodiments herein is provided, are existed by terminalAaa server generates authentication record table after being authenticated successfully on aaa server, and then terminal sends to aaa server and recognizedQuery message is demonstrate,proved, by aaa server according to authentication challenge message and authentication record table, the authentication result of terminal is inquired about, and willAuthentication result feeds back to terminal by authentication result message, by terminal according to whether receiving authentication result message, or, according to recognizingThe authentication result in result message is demonstrate,proved, to judge whether WIFI is legal.It is real there is provided a kind of detection mode whether legal WIFIThe detection to illegal WIFI hot spot is showed.
Brief description of the drawings
, below will be to embodiment or existing in order to illustrate more clearly of the embodiment of the present application or technical scheme of the prior artThere is the accompanying drawing used required in technology description to be briefly described.
The structural representation for the illegal WIFI detecting systems that Fig. 1 provides for embodiments herein;
A kind of schematic flow sheet for illegal WIFI detection methods that Fig. 2 provides for embodiments herein;
The schematic flow sheet for another illegal WIFI detection methods that Fig. 3 provides for embodiments herein;
Fig. 4 for another illegal WIFI detection method that embodiments herein is provided schematic flow sheet;
The structural representation for the terminal that Fig. 5 provides for embodiments herein;
The structural representation for the aaa server that Fig. 6 provides for embodiments herein.
Embodiment
Below in conjunction with the accompanying drawings, embodiments herein is described.
Shown in reference picture 1, a kind of illegal WIFI detecting systems provided for the embodiment of the present application, the system includes:EventuallyHold (Station, STA) 11, access point (Access Point, AP) 12, access controller (Access Controller, AC)13 and aaa server 14.Terminal 11 includes mobile phone, flat board, computer etc. can be by the equipment of WIFI connection networks;AP 12、AC13 are mainly used in building wireless network linear system system;Aaa server 14 is used to provide authentication service for the incoming wireless signal of terminal 11, rawInto authentication record list item, while the access authentication state for inquiring about terminal.
Embodiment 1,
The embodiment of the present application provides a kind of illegal WIFI detection methods, applied to said system, shown in reference picture 2,This method includes:
S101, terminal complete the certification on wireless system by WIFI to aaa server, and raw on aaa serverInto authentication record table, authentication record table includes the authentication result of terminal.
The account of authentication record table including terminal, media access control (Media Access Control, MAC) address,The information such as Internet protocol (Internet Protocol, IP) address, authenticated time, authentication result.
S102, terminal send authentication challenge message to aaa server in an encrypted form by the WIFI.
Authentication challenge message mainly includes the wireless link parameter of terminal, wireless link parameter include terminal MAC Address,IP address, the current time stamp of terminal (this three is also referred to as triplet information).
It can be rivest, shamir, adelman or symmetrical that used algorithm, which is encrypted, in terminal-pair authentication challenge messageAES, such as triple DES (TDEA, Triple Data Encryption Standard) algorithm.
In the embodiment of the present invention, the opportunity that terminal initiates authentication challenge message can be:Wireless connection and certification complete withTriggering sends authentication challenge message afterwards;Can also be that terminal needs to use certain to trigger (when such as Net silver APP is opened) when applying,It is not especially limited.
S103, aaa server receive the authentication challenge message for carrying out self terminal.
It should be noted that authentication challenge message is have sent in terminal, if aaa server does not receive authentication challenge reportWen Ze may determine that the WIFI is illegal.Aaa server is using the AES as terminal, by encrypted authentication challengeMessage decryption is the authentication challenge message of plaintext, if can not decrypt, it is illegal to judge the WIFI, or, judge the terminalFor abnormal terminals, the message is abandoned.
S104, aaa server inquire about the authentication result of terminal, and root according to authentication challenge message and authentication record tableAuthentication result message is generated according to authentication result.
Specifically, shown in reference picture 3, the step includes:
S1041, aaa server are according to following condition according to recognizing that authentication challenge message inquiry authentication record table is matchedRecord sheet is demonstrate,proved, and obtains authentication result therein:
First, the IP address and MAC Address of terminal are accurate matching, it is necessary to corresponded, in authentication authorization and accounting query messageMAC Address is equal to the MAC Address in authentication record table, also, IP address in authentication challenge message is equal in authentication record tableIP address.
Second, timestamp information must is fulfilled for:Authenticated time<Current time stamp<(authenticated time+online hours).
In the present embodiment, authenticated time is time value of the terminal by aaa server certification;Online hours are that terminal existsOn aaa server after certification, aaa server starts timing, until the current time for receiving query message, that is, receive and look intoAsk the time value of time value-certification of reaching the standard grade of message.
The authentication result that inquiry obtains the terminal includes three kinds of situations:There is no authentication record, have authentication record but certification knotFruit is failure, there is authentication record and authentication result is success.
For no authentication record, illustrate that the terminal, not in wireless system certification, is returned without result (no result).
For thering is authentication record but authentication result to be failure, illustrate that although the terminal is connected to the wireless system but unverifiedSuccess, returns to failure (fail).
For have an authentication record and authentication result be successfully, illustrate the terminal be connected to the wireless system and certification intoWork(, is returned successfully (success).
S105, aaa server send authentication result message to terminal in an encrypted form.
Authentication result message can include the account of terminal, MAC Address, IP address, authentication state (no result,Fail, success) etc. information.Aaa server can use the AES identical or different with parsing authentication challenge message.
S106, terminal according to whether receive authentication result message, or, according to the authentication result in authentication result message,Judge whether WIFI is legal.
Specifically, shown in reference picture 4, the step includes:
If S1061, terminal do not receive authentication result message, judge that WIFI is illegal.
If S1062, terminal receive but can not decrypted authentication result message, judge that WIFI is illegal.
If terminal is received and the success of decrypted authentication result message, the authentication result of the terminal is obtained, then according to certification knotFruit judges the WIFI of connection legitimacy, is divided into following three kinds of situations:
S1063, authentication result are, without result (no result), to illustrate that the terminal is not recognized in the connection of correct wireless systemCard, by authentication challenge message may be sent to aaa server by go-between, then judge that WIFI is illegal.
S1064, authentication result are failure (fail), illustrate that the terminal is connected to correct wireless system but authentification failure, authentication challenge message may be sent to by aaa server by go-between, then judge that WIFI is illegal.
S1065, authentication result be successfully (success), illustrate the terminal be connected to correct wireless system and certification intoWork(, then judge that the WIFI is legal.
The illegal WIFI detection methods that the embodiment of the present application is provided, by terminal after aaa server is authenticated successfullyAuthentication record table is generated on aaa server, then terminal sends authentication challenge message to aaa server, by aaa server rootAccording to authentication challenge message and authentication record table, the authentication result of terminal is inquired about, and authentication result is passed through into authentication result messageTerminal is fed back to, by terminal according to whether receiving authentication result message, or, according to the authentication result in authentication result message,To judge whether WIFI is legal.There is provided a kind of detection mode whether legal WIFI, the inspection to illegal WIFI hot spot is realizedSurvey.
Embodiment 2,
The embodiment of the present application provides a kind of terminal 11, and applied to the above method, shown in reference picture 5, the terminal includes:
Authentication unit 1101, for being completed by Wireless Fidelity WIFI to checking, authorization and accounting aaa server wirelessCertification in system, and the generation authentication record table on aaa server, authentication record table include the authentication result of terminal.
Transmitting element 1102, for sending authentication challenge message to aaa server in an encrypted form by WIFI, certification is looked intoAsking message is used for the authentication result that aaa server inquires about terminal according to authentication record table, and generates certification knot according to authentication resultRetribution text.
Receiving unit 1103, for receiving authentication result message.
Judging unit 1104, for whether receiving authentication result message according to receiving unit 1103, or, according to certification knotAuthentication result in retribution text, judges whether WIFI is legal.
In a kind of possible design, judging unit 1104 specifically for:If terminal does not receive authentication result message,Or, terminal can not decrypted authentication result message, or, authentication result instruction terminal not in wireless system certification, or, certificationAs a result instruction terminal then judges that WIFI is illegal in wireless system authentification failure;If authentication result instruction terminal is in wireless systemCertification success, then judge that WIFI is legal.
Because the terminal in the embodiment of the present application can apply to the above method, therefore, it can be obtained technique effectAlso above method embodiment is referred to, the embodiment of the present application will not be repeated here.
It should be noted that authentication unit, judging unit can be the processor individually set up, control can also be integrated inRealized in some processor of device, in addition it is also possible to be stored in the form of program code in the memory of controller, by controllingSome processor of device processed calls and performs above authentication unit, the function of judging unit.Processor described here can be withIt is a central processing unit (Central Processing Unit, CPU), or specific integrated circuit (ApplicationSpecific Integrated Circuit, ASIC), or be arranged to implement the one or more of the embodiment of the present applicationIntegrated circuit.
Embodiment 3,
The embodiment of the present application provides a kind of aaa server 14, applied to the above method, shown in reference picture 6, the terminalIncluding:
Authentication unit 1401, the certification on wireless system is completed for terminal by Wireless Fidelity WIFI, and generation is recognizedRecord sheet is demonstrate,proved, authentication record table includes the authentication result of terminal.
Receiving unit 1402, the authentication challenge message in an encrypted form of self terminal is carried out for receiving.
Query unit 1403, for according to authentication challenge message and authentication record table, inquiring about the authentication result of terminal, andAuthentication result message is generated according to authentication result.
Transmitting element 1404, for sending authentication result message to terminal in an encrypted form, authentication result message is used for eventuallyEnd judges whether WIFI is legal.
In a kind of possible design, account of the authentication record table including terminal, MAC address, interconnectionFidonetFido IP address, authenticated time, authentication result;MAC Address of the authentication challenge message including terminal, IP address, current timeStamp.
Query unit 1403, is obtained specifically for inquiring about authentication record table according to authentication challenge message according to following conditionThe authentication record table matched somebody with somebody, and obtain authentication result therein:
MAC Address in authentication challenge message is equal to the MAC Address in authentication record table, also, in authentication challenge messageIP address be equal to IP address in authentication record table, also, authenticated time<Current time stamp<(during authenticated time+onlineIt is long).
In a kind of possible design, in addition to judging unit 1405, if for aaa server can not decrypted authentication look intoMessage is ask, then judges that WIFI is illegal.
Because the aaa server in the embodiment of the present application can apply to the above method, therefore, it can be obtained technologyEffect also refers to above method embodiment, and the embodiment of the present application will not be repeated here.
It should be noted that authentication unit, query unit, judging unit can be the processor individually set up, can alsoIt is integrated in some processor of controller and realizes, in addition it is also possible to is stored in depositing for controller in the form of program codeIn reservoir, called by some processor of controller and perform above authentication unit, query unit, the function of judging unit.Processor described here can be a CPU, or ASIC, or be arranged to implement one of the embodiment of the present applicationOr multiple integrated circuits.
It should be understood that in the various embodiments of the application, the size of the sequence number of above-mentioned each process is not meant to that execution is suitableThe priority of sequence, the execution sequence of each process should be determined with its function and internal logic, without the implementation of reply the embodiment of the present applicationProcess constitutes any limit.
Those of ordinary skill in the art are it is to be appreciated that the list of each example described with reference to the embodiments described hereinMember and algorithm steps, can be realized with the combination of electronic hardware or computer software and electronic hardware.These functions are actuallyPerformed with hardware or software mode, depending on the application-specific and design constraint of technical scheme.Professional and technical personnelDescribed function can be realized using distinct methods to each specific application, but this realization is it is not considered that exceedScope of the present application.
It is apparent to those skilled in the art that, for convenience and simplicity of description, the system of foregoing description,The specific work process of device and unit, may be referred to the corresponding process in preceding method embodiment, will not be repeated here.
, can be with several embodiments provided herein, it should be understood that disclosed system, apparatus and methodRealize by another way.For example, apparatus embodiments described above are only schematical, for example, the unitDivide, only a kind of division of logic function there can be other dividing mode when actually realizing, such as multiple units or componentAnother system can be combined or be desirably integrated into, or some features can be ignored, or do not perform.It is another, it is shown orThe coupling each other discussed or direct-coupling or communication connection can be the indirect couplings of equipment or unit by some interfacesClose or communicate to connect, can be electrical, machinery or other forms.
The unit illustrated as separating component can be or may not be it is physically separate, it is aobvious as unitThe part shown can be or may not be physical location, you can with positioned at a place, or can also be distributed to multipleOn NE.Some or all of unit therein can be selected to realize the mesh of this embodiment scheme according to the actual needs's.
In addition, each functional unit in the application each embodiment can be integrated in a processing unit, can alsoThat unit is individually physically present, can also two or more units it is integrated in a unit.
In the above-described embodiments, it can come real wholly or partly by software, hardware, firmware or its any combinationIt is existing.When being realized using software program, it can realize in the form of a computer program product whole or in part.The computerProgram product includes one or more computer instructions.On computers load and perform computer program instructions when, all orPartly produce according to the flow or function described in the embodiment of the present application.The computer can be all-purpose computer, special meterCalculation machine, computer network or other programmable devices.The computer instruction can be stored in computer-readable recording mediumIn, or the transmission from a computer-readable recording medium to another computer-readable recording medium, for example, the computerInstruction can pass through wired (such as coaxial cable, optical fiber, number from web-site, computer, server or data centerWord user line (Digital Subscriber Line, DSL)) or wireless (such as infrared, wireless, microwave) mode to anotherIndividual web-site, computer, server or data center are transmitted.The computer-readable recording medium can be computerAny usable medium that can be accessed either can use the numbers such as medium integrated server, data center comprising one or moreAccording to storage device.The usable medium can be magnetic medium (for example, floppy disk, hard disk, tape), optical medium (for example, DVD),Or semiconductor medium (such as solid state hard disc (Solid State Disk, SSD)) etc..
It is described above, the only embodiment of the application, but the protection domain of the application is not limited thereto, and it is anyThose familiar with the art can readily occur in change or replacement in the technical scope that the application is disclosed, and should all containCover within the protection domain of the application.Therefore, the protection domain of the application should be based on the protection scope of the described claims.