CN107295510B - Method, equipment and system for realizing access control of home base station based on OCSP (Online Certificate Status Protocol) - Google Patents
- Publication number: CN107295510B (application CN201610197304.0A)
- Authority: CN (China)
- Prior art keywords
- ocsp
- equipment
- certificate
- admission
- response information
- Prior art date
- Legal status: Active (as listed by Google Patents; not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W48/00—Access restriction; Network selection; Access point selection
- H04W48/02—Access restriction performed under specific conditions
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention provides a method, equipment and a system for realizing access control of a home base station based on OCSP (Online Certificate Status Protocol), relating to the field of home base station authentication. The method comprises the following steps: receiving an OCSP certificate status query request sent by a security gateway, wherein the OCSP certificate status query request comprises a base station certificate to be verified, and the base station certificate comprises equipment information of the home base station to be verified; sending the OCSP certificate status query request to an OCSP server; parsing the equipment information in the OCSP certificate status query request, and sending an equipment admission query request to an equipment admission control unit according to the equipment information; receiving OCSP certificate status query response information and equipment admission query response information; and generating final OCSP certificate status query response information from the two and sending it to the security gateway.
Description
Technical Field
The invention mainly relates to the field of home base station authentication, in particular to a method, equipment and a system for realizing home base station access control based on OCSP.
Background
A home base station, also called HeNB (Home evolved Node B), is a miniaturized, low-power cellular access node that connects to the mobile core network over fixed broadband, providing fixed-mobile convergence services, including the basic services of traditional cellular mobile communication, to the user. The 3GPP HeNB security specification TS 33.320 defines the authentication method of the HeNB: digital certificates are used between the HeNB and the security gateway for mutual device authentication.
After receiving the IKE_AUTH message of the Internet Key Exchange sent by the HeNB, the security gateway verifies the validity of the device certificate, and only allows the base station to access when the device holds its own legitimate certificate. In general, authentication with the security gateway succeeds as long as the base station holds a legitimate device certificate. In this scheme, admission control is realized solely through whether the certificate is revoked: a base station has access rights as long as a legitimate certificate has been issued to it, and the certificate it holds must be revoked if its access is to be restricted.
In some cases a base station must be kept off the network for other reasons, for example when a base station device has been intruded or is frequently attacking the network. Under the above scheme the certificate of the base station device must be revoked to prevent it from accessing the mobile core network, and a revoked certificate cannot be recovered. After the base station device is repaired, it therefore has to apply to the certificate authority (CA) for a device certificate again; in particular, where the CA does not support online certificate application by the device, manual intervention is also needed to configure the device certificate, which is a complex and inefficient process. A base station is also often to be refused access for other factors such as unpaid charges, and revoking the device certificate to block access in such situations is obviously not a reasonable measure. The existing home base station access control scheme therefore cannot realize device admission control flexibly, and this limits the scale at which the devices can be deployed.
Disclosure of Invention
The invention provides a method, equipment and a system for realizing access control of a home base station based on OCSP (Online Certificate Status Protocol), which solve the problem that the existing home base station access control scheme cannot realize device admission control flexibly and limits the application scale of the devices.
In order to solve the technical problems, the invention adopts the following technical scheme:
in one aspect, the present invention provides a method for implementing admission control of a home base station based on an online certificate status query protocol (OCSP), which is applied to an OCSP proxy server, and the method comprises:
receiving an OCSP certificate status query request sent by a security gateway, wherein the OCSP certificate status query request comprises a base station certificate to be verified, and the base station certificate comprises equipment information of a home base station to be verified;
sending the OCSP certificate status query request to an OCSP server;
analyzing the equipment information in the OCSP certificate state query request, and sending an equipment admission query request to an equipment admission control unit according to the equipment information;
receiving OCSP certificate state query response information issued after the OCSP server acquires the OCSP certificate state query request and receiving equipment admission query response information issued after the equipment admission control unit acquires the equipment admission query request;
and generating final OCSP certificate state query response information according to the OCSP certificate state query response information and the equipment admission query response information, and sending the final OCSP certificate state query response information to the security gateway.
Optionally, the generating the final OCSP certificate status query response information according to the OCSP certificate status query response information and the device admission query response information includes:
analyzing the equipment access inquiry response information to obtain an equipment access inquiry result;
and adding the equipment admission inquiry result to the OCSP certificate state inquiry response information, and replacing the signature information of the OCSP certificate state inquiry response information with new signature information according to the signature certificate obtained by applying to a Certificate Authority (CA) so as to obtain the final OCSP certificate state inquiry response information.
Optionally, after the step of obtaining the result of the device admission query, the method further includes:
determining whether the device admission query result is not allowed to access;
if so, obtaining the reason for refusing access from the device admission query response information;
and, in the step of adding the device admission query result to the OCSP certificate status query response information, also adding that reason to the OCSP certificate status query response information.
Optionally, the device information at least includes: device name and device serial number.
On the other hand, the invention also provides a method for realizing the admission control of the home base station based on the online certificate status query protocol (OCSP), which is applied to a security gateway and comprises the following steps:
sending an OCSP certificate status query request to an OCSP proxy server, wherein the OCSP certificate status query request comprises a base station certificate to be verified, and the base station certificate comprises equipment information of a home base station to be verified;
receiving final OCSP certificate state query response information issued by the OCSP proxy server, wherein the final OCSP certificate state query response information is generated by the OCSP proxy server according to the certificate state query response information received from the OCSP server and equipment admission query response information received from an equipment admission control unit;
and determining, from the final OCSP certificate status query response information, whether the home base station to be verified meets the admission condition.
Optionally, the determining, from the final OCSP certificate status query response information, whether the home base station to be verified meets the admission condition includes:
judging that the home base station meets the admission condition only when the base station certificate to be verified recorded in the final OCSP certificate status query response information is in a valid state and the device admission query result is allowed to access.
On the other hand, the invention also provides a method for realizing the admission control of the home base station based on the online certificate status query protocol (OCSP), which is applied to the equipment admission control unit and comprises the following steps:
receiving an equipment admission query request sent by an OCSP proxy server, wherein the equipment admission query request comprises: equipment information of the home base station to be verified;
according to the equipment information and a preset access rule, equipment access inquiry is carried out on the femtocell to be verified and equipment access inquiry response information is generated;
and sending the equipment admission inquiry response information to the OCSP proxy server.
Optionally, the performing, according to the device information and according to a preset admission rule, a device admission query on the femtocell to be verified and generating device admission query response information includes:
according to the equipment information and a blacklist or a white list set according to the preset admission rule, equipment admission inquiry is carried out on the femtocell to be verified;
when a blacklist is used and the device information is not in the blacklist, or a whitelist is used and the device information is in the whitelist, generating device admission query response information allowing access;
and when a blacklist is used and the device information is in the blacklist, or a whitelist is used and the device information is not in the whitelist, generating device admission query response information not allowing access.
Optionally, in the step of generating device admission query response information, the generated device admission query response information includes: the query response time, the device admission query result, and, when the device admission query result is not allowed to access, the reason.
On the other hand, the invention also provides a device for realizing the admission control of the home base station based on the online certificate status query protocol OCSP, which comprises the following steps:
the system comprises a first receiving module, a second receiving module and a third receiving module, wherein the first receiving module is used for receiving an OCSP certificate state query request sent by a security gateway, the OCSP certificate state query request comprises a base station certificate to be verified, and the base station certificate comprises equipment information of a home base station to be verified;
the first sending module is used for sending the OCSP certificate status inquiry request to an OCSP server;
a second sending module, configured to parse the device information in the OCSP certificate status query request, and send a device admission query request to a device admission control unit according to the device information;
a second receiving module, configured to receive OCSP certificate status query response information issued after the OCSP server obtains the OCSP certificate status query request, and receive equipment admission query response information issued after the equipment admission control unit obtains the equipment admission query request;
and the generating module is used for generating final OCSP certificate state query response information and sending the final OCSP certificate state query response information to the security gateway according to the OCSP certificate state query response information and the equipment admission query response information.
Optionally, the generating module is configured to:
analyzing the equipment access inquiry response information to obtain an equipment access inquiry result;
and adding the equipment admission inquiry result to the OCSP certificate state inquiry response information, and replacing the signature information of the OCSP certificate state inquiry response information with new signature information according to the signature certificate obtained by applying to a Certificate Authority (CA) so as to obtain the final OCSP certificate state inquiry response information.
Optionally, the generating module is further configured to:
determining whether the device admission query result is not allowed to access;
if so, obtaining the reason for refusing access from the device admission query response information;
and, in the step of adding the device admission query result to the OCSP certificate status query response information, also adding that reason to the OCSP certificate status query response information.
Optionally, the device information at least includes: device name and device serial number.
On the other hand, the invention also provides a device for realizing the admission control of the home base station based on the online certificate status query protocol OCSP, which comprises the following steps:
a third sending module, configured to send an OCSP certificate status query request to an OCSP proxy server, where the OCSP certificate status query request includes a base station certificate to be verified, and the base station certificate includes device information of a femtocell to be verified;
a third receiving module, configured to receive final OCSP certificate status query response information sent by the OCSP proxy server, where the final OCSP certificate status query response information is generated by the OCSP proxy server according to the certificate status query response information received from the OCSP server and the device admission query response information received from the device admission control unit;
and a judging module, configured to determine, from the final OCSP certificate status query response information, whether the home base station to be verified meets the admission condition.
Optionally, the judging module is configured to:
judge that the home base station meets the admission condition only when the base station certificate to be verified recorded in the final OCSP certificate status query response information is in a valid state and the device admission query result is allowed to access.
On the other hand, the invention also provides a device for realizing the admission control of the home base station based on the online certificate status query protocol OCSP, which comprises the following steps:
a fourth receiving module, configured to receive an equipment admission query request sent by an OCSP proxy server, where the equipment admission query request includes: equipment information of the home base station to be verified;
the query processing module is used for performing equipment access query on the femtocell to be verified according to the equipment information and a preset access rule and generating equipment access query response information;
and the fourth sending module is used for sending the equipment admission query response information to the OCSP proxy server.
Optionally, the query processing module is configured to:
according to the equipment information and a blacklist or a white list set according to the preset admission rule, equipment admission inquiry is carried out on the femtocell to be verified;
when a blacklist is used and the device information is not in the blacklist, or a whitelist is used and the device information is in the whitelist, generate device admission query response information allowing access;
and when a blacklist is used and the device information is in the blacklist, or a whitelist is used and the device information is not in the whitelist, generate device admission query response information not allowing access.
Optionally, the device admission query response information generated by the query processing module includes: the query response time, the device admission query result, and, when the device admission query result is not allowed to access, the reason.
On the other hand, the invention also provides a system for realizing the admission control of the home base station based on the online certificate status query protocol OCSP, which comprises the three devices described above: the OCSP proxy server device, the security gateway device and the device admission control unit device.
The invention has the beneficial effects that:
According to the scheme, the OCSP certificate status query response information and the device admission query response information are combined to generate the final OCSP query response information, which is returned to the security gateway. The security gateway thus decides admission on the certificate status and the device admission result together, so that a base station can be kept off the network without revoking its certificate and re-admitted without issuing a new one.
Drawings
FIG. 1 shows a schematic flow chart of a first embodiment of the present invention;
FIG. 2 shows a schematic flow chart of a second embodiment of the present invention;
FIG. 3 shows a schematic flow chart of a third embodiment of the present invention;
FIG. 4 shows a schematic block diagram of a fourth embodiment of the invention;
FIG. 5 shows a schematic block diagram of a fifth embodiment of the invention;
FIG. 6 shows a schematic block diagram of a sixth embodiment of the invention;
FIG. 7 shows an overall timing diagram of implementing admission control of the home base station based on OCSP in the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
First embodiment
As shown in fig. 1 and 7, the present invention discloses a method for implementing admission control of a home base station based on an online certificate status query protocol OCSP, which is applied to an OCSP proxy server. The method comprises the following steps:
Step 101: receiving an OCSP certificate status query request sent by a security gateway.
The OCSP certificate status query request comprises a base station certificate to be verified, and the base station certificate comprises equipment information of the home base station to be verified.
Step 102: sending the OCSP certificate status query request to an OCSP server.
In this step, the query request received from the security gateway is forwarded to the OCSP server, which is asked mainly for the validity state of the home base station certificate; the query covers information such as the name, purpose and validity period of the base station certificate.
Step 103: parsing the device information in the OCSP certificate status query request, and sending a device admission query request to a device admission control unit according to the device information.
In this step, the device information in the OCSP certificate status query request received from the security gateway is parsed, and a device admission query request is sent to the device admission control unit according to it, asking mainly whether the home base station is allowed to access when other factors are considered. The device information may be the device name, the device serial number and the like.
The other factors include, but are not limited to, the security condition of the home base station device, whether its tariff has been paid, and whether it is within its admitted time window.
Step 104: receiving the OCSP certificate status query response information issued by the OCSP server after it obtains the OCSP certificate status query request, and receiving the device admission query response information issued by the device admission control unit after it obtains the device admission query request.
In this step, after the OCSP certificate status query request has been sent to the OCSP server and the device admission query request to the device admission control unit, both responses are received: the OCSP certificate status query response information fed back by the OCSP server and the device admission query response information fed back by the device admission control unit.
Step 105: generating final OCSP certificate status query response information according to the OCSP certificate status query response information and the device admission query response information, and sending the final OCSP certificate status query response information to the security gateway.
In this step, the OCSP certificate status query response information and the device admission query response information obtained in step 104 are integrated into final OCSP certificate status query response information, which is sent to the security gateway as the answer to its OCSP certificate status query request. Specifically, the certificate status result in the OCSP certificate status query response information and the admission result in the device admission query response information are encapsulated together into a new response message.
In this method, query requests are sent to the OCSP server and to the device admission control unit respectively, the query responses are received and processed, a final OCSP query response message is generated by combining the two, and that final response is returned to the security gateway. The process places a proxy in the role of the OCSP server towards the security gateway: it keeps the original OCSP server query processing and adds a device admission query alongside it, so that admission control of the base station combines the validity check of the base station certificate with device admission control based on the other factors of the device. Certificates no longer need to be revoked frequently, the re-application of large numbers of certificates is avoided, and flexible device admission control is achieved. The OCSP server itself does not need to be changed and only has to follow the existing technical specification, so the scheme is easy to implement.
Further, a preferred implementation process for generating the final OCSP certificate status query response information according to the OCSP certificate status query response information and the device admission query response information is described herein.
Generating final OCSP certificate state query response information according to the OCSP certificate state query response information and the equipment admission query response information, wherein the method comprises the following steps:
analyzing the equipment access inquiry response information to obtain an equipment access inquiry result; and adding the admission inquiry result of the equipment to the OCSP certificate state inquiry response information, and replacing the signature information of the OCSP certificate state inquiry response information with new signature information according to the signature certificate obtained by applying to a Certificate Authority (CA) mechanism to obtain the final OCSP certificate state inquiry response information.
In this process the device admission query result from the device admission control unit and the OCSP certificate status query response information from the OCSP server are combined and the final query response information is recomputed, as follows. First, a signing certificate for issuing OCSP query responses must be applied for from the CA; this application is made once, not per response. The device admission query result is then added to the OCSP certificate status query response information and the message is encapsulated again. In the encapsulation, the device admission query result may be represented by 0 and 1, where 0 denotes access not allowed and 1 denotes access allowed. The newly encapsulated OCSP certificate status query response information is then signed with the signing certificate obtained from the CA, and the original signature information, which includes attributes such as the signing subject and the signature algorithm, is replaced with the new signature, giving the final OCSP certificate status query response information. Because the proxy re-signs the response, the security gateway must trust the proxy's signing certificate rather than that of the OCSP server, and a response still carrying the OCSP server's signature has not passed through the device admission query.
Further, after the step of obtaining the device admission query result, the method further includes: determining whether the device admission query result is not allowed to access; if so, obtaining the reason for refusing access from the device admission query response information; and adding that reason to the OCSP certificate status query response information at the same time as the device admission query result. When the device admission query result in the device admission query response information is not allowed to access, the final certificate status query response information therefore also carries the reason, so as to inform the security gateway side and the home base station side.
Specifically, the device information at least includes: the device name and the device serial number are used as the key words and query basis for the device access control unit to perform the device access query.
Second embodiment
As shown in fig. 2 and fig. 7, this embodiment discloses another method for implementing admission control of a home base station based on an online certificate status query protocol OCSP, which is applied to a security gateway. The method comprises the following steps:
step 201: and sending an OCSP certificate status inquiry request to the OCSP proxy server.
The OCSP certificate state query request comprises a base station certificate to be verified, and the base station certificate to be verified comprises equipment information of the femtocell to be verified.
Before this step, the security gateway receives the IKE_AUTH message sent by the home base station, parses the base station certificate from the message, and generates an OCSP certificate status query request from the base station certificate.
In step 201 the query request is sent to the address of the OCSP proxy server. The base station certificate usually carries the address of the OCSP server but not that of the OCSP proxy server, so the security gateway pre-configures the address of the OCSP proxy server and uses the pre-configured address whenever the base station certificate does not carry one. Sending the query to the OCSP server address in the certificate directly would skip the device admission query, so the gateway must always address the proxy. After receiving the IKE_AUTH message sent by the home base station, the base station certificate is parsed from the message and the OCSP certificate status query request is sent to the OCSP proxy server. The base station certificate needs to contain the device information, such as the device name and the device serial number.
Step 202: and receiving the final OCSP certificate state query response information issued by the OCSP proxy server.
And the final OCSP certificate state query response information is generated by the OCSP proxy server according to the certificate state query response information received from the OCSP server and the equipment admission query response information received from the equipment admission control unit. The final OCSP certificate status query response message combines the validity status of the base station certificate and information on whether the base station is allowed to access, which is determined by other factors.
Step 203: and inquiring response information according to the final OCSP certificate state, and judging whether the femtocell to be verified meets the admission condition.
The security gateway sends an OCSP certificate status query request to the OCSP proxy server, receives the final OCSP certificate status query response information, judges from the two items in it whether the device is allowed to access, and sends the result to the home base station, which completes the device authentication process.
In this method the security gateway no longer judges and controls the admission of the home base station on the validity state of its base station certificate alone, so the control process of barring a base station from the network no longer has to be realized by revoking its certificate, and a base station that is barred for other factors does not need to apply for a certificate again, saving time and resources.
Specifically, the step of judging from the final OCSP certificate status query response information whether the home base station to be verified meets the admission condition includes: judging that the home base station meets the admission condition only when the base station certificate to be verified recorded in the final OCSP certificate status query response information is in a valid state and the device admission query result is allowed to access.
If the base station certificate is valid and the device admission control unit allows the device to access, the security gateway continues processing and responds to the IKE_AUTH message, and authentication succeeds; otherwise device authentication fails and the authentication process ends.
Third embodiment
As shown in fig. 3 and fig. 7, this embodiment discloses another method for implementing admission control of a home base station based on the Online Certificate Status Protocol (OCSP), applied to a device admission control unit. The method includes the following steps:
Step 301: receive a device admission query request sent by the OCSP proxy server.
The device admission query request contains the device information of the home base station to be verified.
Step 302: according to the device information and a preset admission rule, perform a device admission query for the home base station to be verified and generate device admission query response information.
In this step, the device information in the received device admission query request is checked against the preset admission rule to obtain the device admission query result, and the device admission query response information is generated. The preset admission rule may be a whitelist mode or a blacklist mode built from device admission information such as subscription package and tariff, but is not limited to these two modes.
The unit mainly manages admission restrictions on home base station devices that arise from factors other than certificate validity, including but not limited to the security state of the device, whether its charges have been paid, and admission time limits. When a base station device has been compromised or repeatedly attacks the network, its security is considered poor: the device information of that home base station is recorded, and the device admission control unit returns the corresponding admission query result so that admission of the home base station is restricted.
Step 303: send the device admission query response information to the OCSP proxy server.
The method reduces the need for certificate revocation. When a base station device has been compromised, repeatedly attacks the network, or has unpaid charges, its certificate does not need to be revoked (a stolen base station certificate is the exception and must still be revoked); only the corresponding device information has to be synchronized to the device admission control unit, and the device is then refused at access authentication. Once the device has been repaired and is allowed back, synchronizing the updated device information to the device admission control unit is enough for it to authenticate successfully, which gives flexible device admission control. The base station device needs no modification and only has to follow the existing standard.
Further, performing the device admission query for the home base station to be verified according to the device information and the preset admission rule, and generating the device admission query response information, includes: querying, with the device information, a blacklist or a whitelist set up according to the preset admission rule. When the device information is not in the blacklist, or is in the whitelist, device admission query response information allowing access is generated; when the device information is in the blacklist, or is not in the whitelist, device admission query response information refusing access is generated.
In whitelist mode each record contains the device information, the device validity period, the time the device was added to the whitelist and similar data; if the device information in the device admission query request is in the whitelist the device is allowed to access, otherwise it is refused. In blacklist mode each record contains the device information and the time and reason the device was added to the blacklist; if the device information in the query request is in the blacklist the device is refused, otherwise it is allowed. The whitelist or blacklist can be maintained and updated according to the situation of each home base station, either by an administrator or by synchronization through an information interface.
Specifically, the generated device admission query response information includes: the query response time, the device admission query result, and, when the device admission query result is that access is not allowed, the reason.
Specifically, the device information includes at least the device name and the device serial number, which serve as the key and query basis for the device admission query performed by the device admission control unit.
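The whitelist and blacklist query of step 302 and the response format of this embodiment, as an added example in Python (not code from the patent). The record layouts, the fixed clock, the device names, serial numbers and reason strings are constructed sample data. The example also treats a whitelist record whose validity period has passed as not whitelisted, which the text implies by storing a validity period in each record but does not spell out.

```python
"""Device admission control unit of the third embodiment: whitelist or blacklist mode.

Added example, not code from the patent. Record layouts, timestamps, device names,
serial numbers and reason strings are constructed sample data.
Device information is keyed by (device name, device serial number).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Tuple

DeviceInfo = Tuple[str, str]  # (device name, device serial number)


@dataclass(frozen=True)
class WhitelistRecord:
    device: DeviceInfo
    valid_until: datetime  # end of the device validity period
    added_at: datetime     # time the device was added to the whitelist


@dataclass(frozen=True)
class BlacklistRecord:
    device: DeviceInfo
    added_at: datetime     # time the device was added to the blacklist
    reason: str            # why it was added (compromised, unpaid charges, ...)


@dataclass(frozen=True)
class AdmissionResponse:
    response_time: datetime
    allowed: bool
    reason: Optional[str] = None  # carried only when access is not allowed


class DeviceAdmissionControlUnit:
    """Answers device admission queries from the OCSP proxy server."""

    def __init__(self, mode: str,
                 whitelist: Iterable[WhitelistRecord] = (),
                 blacklist: Iterable[BlacklistRecord] = ()) -> None:
        if mode not in ("whitelist", "blacklist"):
            raise ValueError(f"unknown admission mode {mode!r}")
        self.mode = mode
        self._white: Dict[DeviceInfo, WhitelistRecord] = {r.device: r for r in whitelist}
        self._black: Dict[DeviceInfo, BlacklistRecord] = {r.device: r for r in blacklist}

    # Synchronization interface: an administrator or an information interface pushes updates.
    def add_to_blacklist(self, device: DeviceInfo, reason: str, now: datetime) -> None:
        self._black[device] = BlacklistRecord(device, now, reason)

    def remove_from_blacklist(self, device: DeviceInfo) -> None:
        self._black.pop(device, None)  # device repaired or charges paid: allowed back

    # Step 302: check the device information against the preset rule and build the response.
    def query(self, device: DeviceInfo, now: Optional[datetime] = None) -> AdmissionResponse:
        now = now or datetime.now(timezone.utc)
        if self.mode == "blacklist":
            rec = self._black.get(device)
            if rec is None:
                return AdmissionResponse(now, True)
            return AdmissionResponse(
                now, False, f"blacklisted at {rec.added_at.isoformat()}: {rec.reason}")
        rec = self._white.get(device)
        if rec is None:
            return AdmissionResponse(now, False, "device not in whitelist")
        if now > rec.valid_until:
            # An expired whitelist entry is treated as absent (fail closed).
            return AdmissionResponse(
                now, False, f"device validity period ended {rec.valid_until.isoformat()}")
        return AdmissionResponse(now, True)


def demo() -> Dict[str, AdmissionResponse]:
    """Runs both modes over constructed sample data; returns the responses by scenario."""
    t0 = datetime(2016, 3, 31, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility
    hnb_ok, hnb_bad, hnb_old = ("HNB-A", "SN-0001"), ("HNB-B", "SN-0002"), ("HNB-C", "SN-0003")

    black = DeviceAdmissionControlUnit("blacklist", blacklist=[
        BlacklistRecord(hnb_bad, t0 - timedelta(days=1), "repeated attacks on the network")])
    white = DeviceAdmissionControlUnit("whitelist", whitelist=[
        WhitelistRecord(hnb_ok, t0 + timedelta(days=365), t0 - timedelta(days=30)),
        WhitelistRecord(hnb_old, t0 - timedelta(days=1), t0 - timedelta(days=400))])

    results = {
        "black_not_listed": black.query(hnb_ok, t0),
        "black_listed": black.query(hnb_bad, t0),
        "white_listed": white.query(hnb_ok, t0),
        "white_not_listed": white.query(hnb_bad, t0),
        "white_expired": white.query(hnb_old, t0),
    }
    black.remove_from_blacklist(hnb_bad)  # device repaired and the update synchronized
    results["black_after_repair"] = black.query(hnb_bad, t0)
    return results


if __name__ == "__main__":
    for name, resp in demo().items():
        print(f"{name:18s} allowed={resp.allowed} reason={resp.reason}")
```

The response carries a reason only when access is refused, as the text specifies; in whitelist mode the reason distinguishes a device that was never added from one whose validity period has lapsed, which helps the operator decide whether to re-add it or to extend it.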
Fourth embodiment
As shown in fig. 4, this embodiment discloses an apparatus for implementing admission control of a home base station based on the Online Certificate Status Protocol (OCSP). The apparatus includes a first receiving module 401, a first sending module 402, a second sending module 403, a second receiving module 404 and a generating module 405.
The first receiving module 401 is configured to receive an OCSP certificate status query request sent by a security gateway, where the OCSP certificate status query request includes a base station certificate to be verified, and the base station certificate includes device information of the home base station to be verified.
The first sending module 402 is configured to send the OCSP certificate status query request to an OCSP server.
The second sending module 403 is configured to parse the device information out of the OCSP certificate status query request and send a device admission query request to a device admission control unit according to the device information.
The second receiving module 404 is configured to receive the OCSP certificate status query response information issued by the OCSP server after it obtains the OCSP certificate status query request, and to receive the device admission query response information issued by the device admission control unit after it obtains the device admission query request.
The generating module 405 is configured to generate final OCSP certificate status query response information according to the OCSP certificate status query response information and the device admission query response information, and to send the final OCSP certificate status query response information to the security gateway.
The generating module 405 is configured to: parse the device admission query response information to obtain the device admission query result; add the device admission query result to the OCSP certificate status query response information; and replace the signature of the OCSP certificate status query response information with a new signature made with the signing certificate the proxy applied for from a certificate authority (CA), so as to obtain the final OCSP certificate status query response information. The OCSP server's original signature no longer covers the modified response, so the security gateway must be configured to accept the proxy's signing certificate as the trusted signer of final responses.
The generating module 405 is further configured to: judge whether the device admission query result is that access is not allowed; if so, obtain the reason for refusing access from the device admission query response information; and, when adding the device admission query result to the OCSP certificate status query response information, also add that reason.
The device information includes at least the device name and the device serial number.
The apparatus sends a query to the OCSP server and a device admission query to the device admission control unit, receives and processes both query responses, combines them into final OCSP query response information and returns it to the security gateway. In doing so it plays the role of a proxy for the OCSP server in answering the security gateway's OCSP certificate status query request: it keeps the original OCSP server query processing and adds a device admission query alongside it, so that certificate validity checking and admission control based on other factors of the device are combined into a single admission decision for the base station. Certificates no longer have to be revoked frequently, re-application for certificates is avoided, and flexible device admission control is achieved. The OCSP server does not need to be changed and only has to follow the existing technical specification, which makes the scheme easy to implement.
The apparatus for implementing admission control of a home base station based on OCSP in this embodiment is specifically an OCSP proxy server.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the apparatus described above may refer to the corresponding process of the first embodiment in the foregoing method embodiments, and is not described again here.
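The OCSP proxy of this embodiment (forward the query, query the admission unit, merge the results, re-sign) together with the security gateway decision of the second embodiment, as an added example in Python (not code from the patent). OCSP messages are modelled as plain dicts of the fields that matter here rather than DER-encoded ASN.1, and the two signatures are simulated with HMAC-SHA256 under a per-signer secret: `OCSP_SERVER_KEY` stands in for the OCSP server's responder key and `PROXY_KEY` for the private key of the signing certificate the proxy obtained from the CA. The response extension name `deviceAdmission`, the certificate subject layout used to carry the device information, the serial numbers and the blacklist are assumptions; the patent says the admission result is added to the response but does not specify the encoding.

```python
"""OCSP proxy server (fourth embodiment) and security gateway decision (second embodiment).

Added example, not code from the patent. Messages are dicts, not ASN.1; signatures are
HMAC-SHA256 stand-ins for the responder key and the proxy's CA-issued signing certificate.
"""
import hashlib
import hmac
import json
from typing import Dict, Set, Tuple

# (signer name as carried in the signature, secret): constructed stand-ins for key pairs
OCSP_SERVER_KEY = ("CN=OCSP Responder", b"ocsp-server-secret")
PROXY_KEY = ("CN=OCSP Proxy Signing Cert", b"proxy-secret")


def _sign(key: Tuple[str, bytes], body: Dict) -> Dict[str, str]:
    signer, secret = key
    data = json.dumps(body, sort_keys=True).encode()
    return {"signer": signer, "sig": hmac.new(secret, data, hashlib.sha256).hexdigest()}


def _verify(key: Tuple[str, bytes], body: Dict, signature: Dict[str, str]) -> bool:
    expected = _sign(key, body)
    return signature["signer"] == expected["signer"] and hmac.compare_digest(
        signature["sig"], expected["sig"])


def parse_device_info(cert: Dict) -> Tuple[str, str]:
    """Device name and serial number from the base station certificate (assumed subject fields)."""
    return cert["subject"]["CN"], cert["subject"]["serialNumber"]


def ocsp_server(cert_serial: str, revoked: Set[str]) -> Dict:
    """Unmodified OCSP server: reports certificate status only, signed with its own key."""
    body = {"certSerial": cert_serial,
            "certStatus": "revoked" if cert_serial in revoked else "good",
            "producedAt": "2016-03-31T12:00:00Z", "extensions": {}}
    return {"body": body, "signature": _sign(OCSP_SERVER_KEY, body)}


def device_admission_unit(device: Tuple[str, str], blacklist: Dict[Tuple[str, str], str]) -> Dict:
    """Minimal blacklist-mode admission unit; the third embodiment's full logic lives elsewhere."""
    reason = blacklist.get(device)
    return {"responseTime": "2016-03-31T12:00:01Z",
            "result": "allowed" if reason is None else "notAllowed", "reason": reason}


def ocsp_proxy(request: Dict, revoked: Set[str], blacklist: Dict[Tuple[str, str], str]) -> Dict:
    """Forward to the OCSP server, query admission, merge the results, re-sign."""
    cert = request["cert"]
    upstream = ocsp_server(cert["serial"], revoked)
    if not _verify(OCSP_SERVER_KEY, upstream["body"], upstream["signature"]):
        raise ValueError("upstream OCSP response failed signature verification")
    admission = device_admission_unit(parse_device_info(cert), blacklist)
    ext = {"result": admission["result"]}
    if admission["result"] == "notAllowed":
        ext["reason"] = admission["reason"]  # the reason is added only when access is refused
    body = dict(upstream["body"])
    body["extensions"] = dict(upstream["body"]["extensions"], deviceAdmission=ext)
    # The OCSP server's signature no longer covers the modified body: replace it with the proxy's.
    return {"body": body, "signature": _sign(PROXY_KEY, body)}


def gateway_decision(response: Dict) -> Tuple[bool, str]:
    """Step 203: admit only if the certificate is valid AND the admission result is allowed."""
    body = response["body"]
    # Only the proxy's signing certificate is trusted. A response signed by the OCSP server
    # itself (relayed or substituted) carries no admission result and is rejected.
    if not _verify(PROXY_KEY, body, response["signature"]):
        return False, "response not signed by the OCSP proxy signing certificate"
    admission = body["extensions"].get("deviceAdmission")
    if admission is None:
        return False, "no device admission result in response"
    if body["certStatus"] != "good":
        return False, f"certificate status is {body['certStatus']}"
    if admission["result"] != "allowed":
        return False, f"device admission refused: {admission.get('reason')}"
    return True, "certificate valid and device admitted"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Runs the exchange over constructed sample certificates; returns the gateway decisions."""
    revoked = {"0x1003"}                                  # serial revoked at the CA
    blacklist = {("HNB-B", "SN-0002"): "unpaid charges"}  # admission unit's blacklist
    certs = {
        "valid_and_admitted": {"serial": "0x1001", "subject": {"CN": "HNB-A", "serialNumber": "SN-0001"}},
        "valid_but_blacklisted": {"serial": "0x1002", "subject": {"CN": "HNB-B", "serialNumber": "SN-0002"}},
        "revoked": {"serial": "0x1003", "subject": {"CN": "HNB-C", "serialNumber": "SN-0003"}},
    }
    results = {name: gateway_decision(ocsp_proxy({"cert": cert}, revoked, blacklist))
               for name, cert in certs.items()}
    # Bypass attempt: the OCSP server's plain "good" response reaches the gateway without the proxy.
    results["relayed_upstream"] = gateway_decision(ocsp_server("0x1001", revoked))
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:22s} admitted={ok} ({why})")
```

The last scenario is the check a practitioner should keep in mind when deploying this design: because the proxy strips the OCSP server's signature and re-signs, the security gateway has to trust exactly the proxy's signing certificate (in real OCSP, a responder certificate acceptable under RFC 6960) and refuse anything else, or a plain "good" response from the OCSP server would pass without any admission result.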
Fifth embodiment
As shown in fig. 5, this embodiment discloses an apparatus for implementing admission control of a home base station based on the Online Certificate Status Protocol (OCSP). The apparatus includes a third sending module 501, a third receiving module 502 and a judging module 503.
The third sending module 501 is configured to send an OCSP certificate status query request to an OCSP proxy server, where the OCSP certificate status query request includes a base station certificate to be verified, and the base station certificate includes device information of the home base station to be verified.
The third receiving module 502 is configured to receive the final OCSP certificate status query response information sent by the OCSP proxy server, where the final OCSP certificate status query response information is generated by the OCSP proxy server according to the certificate status query response information received from the OCSP server and the device admission query response information received from the device admission control unit.
The judging module 503 is configured to judge, according to the final OCSP certificate status query response information, whether the home base station to be verified meets the admission condition.
The judging module 503 is configured to judge that the home base station meets the admission condition when the base station certificate to be verified is recorded in the final OCSP certificate status query response information as being in a valid state and the device admission query result is that access is allowed.
The apparatus for implementing admission control of a home base station based on OCSP in this embodiment is specifically a security gateway.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the apparatus described above may refer to the corresponding process of the second embodiment in the foregoing method embodiments, and is not described again here.
Sixth embodiment
As shown in fig. 6, this embodiment discloses an apparatus for implementing admission control of a home base station based on the Online Certificate Status Protocol (OCSP). The apparatus includes a fourth receiving module 601, a query processing module 602 and a fourth sending module 603.
The fourth receiving module 601 is configured to receive a device admission query request sent by an OCSP proxy server, where the device admission query request includes the device information of the home base station to be verified.
The query processing module 602 is configured to perform, according to the device information and a preset admission rule, a device admission query for the home base station to be verified and generate device admission query response information.
The fourth sending module 603 is configured to send the device admission query response information to the OCSP proxy server.
The query processing module 602 is configured to: query, with the device information, a blacklist or a whitelist set up according to the preset admission rule; generate device admission query response information allowing access when the device information is not in the blacklist or is in the whitelist; and generate device admission query response information refusing access when the device information is in the blacklist or is not in the whitelist.
The device admission query response information generated by the query processing module 602 includes: the query response time, the device admission query result, and, when the device admission query result is that access is not allowed, the reason.
The apparatus for implementing admission control of a home base station based on OCSP in this embodiment is specifically a device admission control unit.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the apparatus described above may refer to the corresponding process of the third embodiment in the foregoing method embodiments, and is not described again here.
The invention also discloses a system for implementing admission control of a home base station based on the Online Certificate Status Protocol (OCSP), which includes: the apparatus for implementing admission control of a home base station based on OCSP described in the fourth embodiment, the apparatus described in the fifth embodiment, and the apparatus described in this embodiment.
Finally, it should also be noted that relational terms such as first and second are used herein solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between them. The terms "comprises", "comprising" and any variation thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to it. Without further limitation, an element introduced by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article or terminal that comprises the element.
While the preferred embodiments of the present invention have been described, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the following claims.
Claims (17)
1. A method for implementing admission control of a home base station based on the Online Certificate Status Protocol (OCSP), applied to an OCSP proxy server, characterized in that the method comprises:
receiving an OCSP certificate status query request sent by a security gateway, wherein the OCSP certificate status query request comprises a base station certificate to be verified, and the base station certificate comprises device information of a home base station to be verified;
sending the OCSP certificate status query request to an OCSP server;
parsing the device information out of the OCSP certificate status query request, and sending a device admission query request to a device admission control unit according to the device information;
receiving OCSP certificate status query response information issued by the OCSP server after it obtains the OCSP certificate status query request, and receiving device admission query response information issued by the device admission control unit after it obtains the device admission query request;
and generating final OCSP certificate status query response information according to the OCSP certificate status query response information and the device admission query response information, and sending the final OCSP certificate status query response information to the security gateway.
2. The method according to claim 1, wherein generating the final OCSP certificate status query response information according to the OCSP certificate status query response information and the device admission query response information comprises:
parsing the device admission query response information to obtain a device admission query result;
and adding the device admission query result to the OCSP certificate status query response information, and replacing the signature of the OCSP certificate status query response information with a new signature made with a signing certificate applied for from a certificate authority (CA), so as to obtain the final OCSP certificate status query response information.
3. The method according to claim 2, wherein after obtaining the device admission query result the method further comprises:
judging whether the device admission query result is that access is not allowed;
if so, obtaining the reason for refusing access from the device admission query response information;
and, in the step of adding the device admission query result to the OCSP certificate status query response information, also adding the reason to the OCSP certificate status query response information.
4. The method according to claim 1, wherein the device information comprises at least a device name and a device serial number.
5. A method for implementing admission control of a home base station based on the Online Certificate Status Protocol (OCSP), applied to a security gateway, characterized in that the method comprises:
sending an OCSP certificate status query request to an OCSP proxy server, wherein the OCSP certificate status query request comprises a base station certificate to be verified, and the base station certificate comprises device information of a home base station to be verified;
receiving final OCSP certificate status query response information issued by the OCSP proxy server, wherein the final OCSP certificate status query response information is generated by the OCSP proxy server according to certificate status query response information received from an OCSP server and device admission query response information received from a device admission control unit;
and judging, according to the final OCSP certificate status query response information, whether the home base station to be verified meets an admission condition.
6. The method according to claim 5, wherein judging, according to the final OCSP certificate status query response information, whether the home base station to be verified meets the admission condition comprises:
judging that the home base station meets the admission condition when the base station certificate to be verified is recorded in the final OCSP certificate status query response information as being in a valid state and the device admission query result is that access is allowed.
7. A method for implementing admission control of a home base station based on the Online Certificate Status Protocol (OCSP), applied to a device admission control unit, characterized in that the method comprises:
receiving a device admission query request sent by an OCSP proxy server, wherein the device admission query request comprises device information of a home base station to be verified;
performing, according to the device information and a preset admission rule, a device admission query for the home base station to be verified and generating device admission query response information, which comprises: performing the device admission query for the home base station to be verified according to the device information and a blacklist or a whitelist set up according to the preset admission rule; generating device admission query response information allowing access when the device information is not in the blacklist or is in the whitelist; and generating device admission query response information refusing access when the device information is in the blacklist or is not in the whitelist;
and sending the device admission query response information to the OCSP proxy server.
8. The method according to claim 7, wherein the generated device admission query response information comprises: a query response time, a device admission query result, and, when the device admission query result is that access is not allowed, the reason.
9. An apparatus for implementing admission control of a home base station based on the Online Certificate Status Protocol (OCSP), characterized in that the apparatus comprises:
a first receiving module, configured to receive an OCSP certificate status query request sent by a security gateway, wherein the OCSP certificate status query request comprises a base station certificate to be verified, and the base station certificate comprises device information of a home base station to be verified;
a first sending module, configured to send the OCSP certificate status query request to an OCSP server;
a second sending module, configured to parse the device information out of the OCSP certificate status query request and send a device admission query request to a device admission control unit according to the device information;
a second receiving module, configured to receive OCSP certificate status query response information issued by the OCSP server after it obtains the OCSP certificate status query request, and to receive device admission query response information issued by the device admission control unit after it obtains the device admission query request;
and a generating module, configured to generate final OCSP certificate status query response information according to the OCSP certificate status query response information and the device admission query response information, and to send the final OCSP certificate status query response information to the security gateway.
10. The apparatus according to claim 9, wherein the generating module is configured to:
parse the device admission query response information to obtain a device admission query result;
and add the device admission query result to the OCSP certificate status query response information, and replace the signature of the OCSP certificate status query response information with a new signature made with a signing certificate applied for from a certificate authority (CA), so as to obtain the final OCSP certificate status query response information.
11. The apparatus according to claim 10, wherein the generating module is further configured to:
judge whether the device admission query result is that access is not allowed;
if so, obtain the reason for refusing access from the device admission query response information;
and, when adding the device admission query result to the OCSP certificate status query response information, also add the reason to the OCSP certificate status query response information.
12. The apparatus according to claim 9, wherein the device information comprises at least a device name and a device serial number.
13. An apparatus for implementing admission control of a home base station based on the Online Certificate Status Protocol (OCSP), characterized in that the apparatus comprises:
a third sending module, configured to send an OCSP certificate status query request to an OCSP proxy server, wherein the OCSP certificate status query request comprises a base station certificate to be verified, and the base station certificate comprises device information of a home base station to be verified;
a third receiving module, configured to receive final OCSP certificate status query response information sent by the OCSP proxy server, wherein the final OCSP certificate status query response information is generated by the OCSP proxy server according to certificate status query response information received from an OCSP server and device admission query response information received from a device admission control unit;
and a judging module, configured to judge, according to the final OCSP certificate status query response information, whether the home base station to be verified meets an admission condition.
14. The apparatus according to claim 13, wherein the judging module is configured to:
judge that the home base station meets the admission condition when the base station certificate to be verified is recorded in the final OCSP certificate status query response information as being in a valid state and the device admission query result is that access is allowed.
15. An apparatus for implementing admission control of a home base station based on the Online Certificate Status Protocol (OCSP), characterized in that the apparatus comprises:
a fourth receiving module, configured to receive a device admission query request sent by an OCSP proxy server, wherein the device admission query request comprises device information of a home base station to be verified;
a query processing module, configured to perform, according to the device information and a preset admission rule, a device admission query for the home base station to be verified and generate device admission query response information;
and a fourth sending module, configured to send the device admission query response information to the OCSP proxy server;
wherein the query processing module is configured to:
perform the device admission query for the home base station to be verified according to the device information and a blacklist or a whitelist set up according to the preset admission rule;
generate device admission query response information allowing access when the device information is not in the blacklist or is in the whitelist;
and generate device admission query response information refusing access when the device information is in the blacklist or is not in the whitelist.
16. The apparatus according to claim 15, wherein the device admission query response information generated by the query processing module comprises: a query response time, a device admission query result, and, when the device admission query result is that access is not allowed, the reason.
17. A system for implementing admission control of a home base station based on the Online Certificate Status Protocol (OCSP), characterized in that it comprises: an apparatus for implementing admission control of a home base station based on OCSP according to any one of claims 9 to 12, an apparatus for implementing admission control of a home base station based on OCSP according to any one of claims 13 to 14, and an apparatus for implementing admission control of a home base station based on OCSP according to any one of claims 15 to 16.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610197304.0A CN107295510B (en) | 2016-03-31 | 2016-03-31 | Method, equipment and system for realizing access control of home base station based on OCSP (Online Certificate Status Protocol) |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107295510A CN107295510A (en) | 2017-10-24 |
CN107295510B true CN107295510B (en) | 2020-01-03 |
Family ID: 60086763
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107295510B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110113175B (en) * | 2018-02-01 | 2021-11-09 | Huawei Technologies Co., Ltd. | Network security access method and home network equipment |
TWI718033B (en) * | 2020-03-18 | 2021-02-01 | Chunghwa Telecom Co., Ltd. | System and method for online certificate status query responder |
CN112994897A (en) * | 2021-03-22 | 2021-06-18 | Hangzhou DPtech Technologies Co., Ltd. | Certificate query method, device, equipment and computer readable storage medium |
CN114640467A (en) * | 2022-03-15 | 2022-06-17 | 微位 (Shenzhen) Network Technology Co., Ltd. | Service-based digital certificate query method and system |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101002420A (en) * | 2003-12-19 | 2007-07-18 | Motorola, Inc. (a Delaware corporation) | Mobile device and method for providing certificate based cryptography |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6970862B2 (en) * | 2001-05-31 | 2005-11-29 | Sun Microsystems, Inc. | Method and system for answering online certificate status protocol (OCSP) requests without certificate revocation lists (CRL) |
Legal events: 2016-03-31, CN, application CN201610197304.0A, patent CN107295510B, status Active
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110800331B (en) | | Network verification method, related equipment and system |
KR102018971B1 (en) | | Method for enabling network access device to access wireless network access point, network access device, application server and non-volatile computer readable storage medium |
JP5629788B2 (en) | | Facilitating authentication of access terminal identification information |
CN101616410B (en) | | Access method and access system for cellular mobile communication network |
CN114268943B (en) | | Authorization method and device |
CN110267270B (en) | | Identity authentication method for sensor terminal access edge gateway in transformer substation |
US20130080779A1 (en) | | Identifiers in a communication system |
CN107864475B (en) | | WiFi (Wireless Fidelity) shortcut authentication method based on Portal + dynamic password |
CN109314693B (en) | | Method and apparatus for authenticating a key requestor |
US12041452B2 (en) | | Non-3GPP device access to core network |
CN107295510B (en) | | Method, equipment and system for realizing access control of home base station based on OCSP (online charging protocol) |
WO2015100974A1 (en) | | Terminal authentication method, device and system |
US11917416B2 (en) | | Non-3GPP device access to core network |
CN111601280A (en) | | Access verification method and device |
WO2008009232A1 (en) | | A method system and device for determining the mobile ip key and notifying the mobile ip type |
CN1921682B (en) | | Method for enhancing key negotiation in universal identifying framework |
CN104518874A (en) | | Network access control method and system |
CN115278676A (en) | | WAPI certificate application method, wireless terminal and certificate discriminator |
CN101742507B (en) | | System and method for accessing Web application site for WAPI terminal |
CN115314895A (en) | | WAPI user identification method, system and access area AS |
CN107426724B (en) | | Method and system for accessing intelligent household electrical appliance to wireless network, terminal and authentication server |
JP4009273B2 (en) | | Communication method |
CN115412909A (en) | | Communication method and device |
KR20140095050A (en) | | Method and apparatus for supporting single sign-on in a mobile communication system |
CN115022850B (en) | | Authentication method, device and system for D2D communication, electronic equipment and medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||