WLAN Authentication and Privacy Infrastructure (WAPI) is an access authentication protocol applied in Wireless Local Area Network (WLAN) systems. WAPI applies an access control method based on tri-element peer authentication in the wireless local area network field, which ensures that a legal Mobile Terminal (MT) accesses the network through a legal Access Point (AP) and implements private communication between the mobile terminal and the access point.
A WLAN security network based on the WAPI protocol is composed of three entities: the Authentication Supplicant Entity (ASUE, which usually resides in the mobile terminal), the Authenticator Entity (AE, which usually resides in the access point) and the Authentication Service Entity (ASE, which usually resides in the authentication server). It makes use of a public key system to complete bidirectional authentication between the mobile terminal and the access point. During the authentication process, the mobile terminal and the AP use an elliptic curve cryptography algorithm to negotiate the session key, and during the communication process they use the encryption algorithm specified by the national cipher administration department, which provides a very high level of security. At the same time, WAPI further supports updating the session key after a period of time or after a certain number of data packets have been transmitted in the communication process, which greatly improves the security of data transmission.
According to the WAPI protocol, the authentication server (AS) is responsible for processing such as issuing, validating and revoking certificates, and both the mobile terminal (MT) and the wireless access point (AP) install a public key certificate issued by the AS to act as their own digital identification certificate. After the mobile terminal associates with the AP, and before it uses or accesses the network, the mobile terminal and the AP validate each other's identification through the authentication server. According to the validation result, only a mobile terminal holding a legal certificate is able to access an AP holding a valid certificate; that is to say, only a mobile terminal holding a legal certificate is able to access the network through the AP. This not only prevents an illegal mobile terminal from accessing the AP to reach the network and occupy network resources, but also prevents a legal mobile terminal from accessing an illegal AP and thereby causing information leakage.
In next generation cellular mobile communication network systems based on the Internet Protocol (IP), such as the Worldwide Interoperability for Microwave Access (WiMAX) and Long Term Evolution (LTE) systems, access authentication is completed by one Authentication Authorization Accounting (AAA) server or a group of AAA servers configured separately on the network side, and the AAA server can carry out unidirectional authentication of the terminal, or bidirectional authentication with the terminal, based on the Extensible Authentication Protocol (EAP).
At present, a great many operators operate both an IP-based cellular mobile communication network system and a wireless local area network system at the same time. Since different authentication mechanisms must be used for the different systems, operators have to deploy different types of authentication servers, which increases the operator's hardware cost and is also unfavourable for network convergence, service convergence and the integrated management of network and service.
At the same time, with the popularization of dual mode terminals, if the same access authentication mechanism can be used to access both the cellular wireless communication system and the wireless local area network system, a single access authentication module can be configured in the dual mode terminal, so as to reduce the hardware and software cost of the dual mode terminal and make it easier to implement handover among different access networks.
Taking WAPI as the unified authentication mechanism of the cellular mobile communication network system and the wireless local area network system is a practicable scheme for satisfying the above demands of operators and users. However, the prior art does not yet provide a technical scheme for implementing WAPI in an IP-based cellular mobile communication system.