
CN1455556A - Wireless LAN secure access control method - Google Patents

Info

Publication number: CN1455556A
Authority: CN (China)
Prior art keywords: sta, security association, request, authentication, pmk
Legal status: Granted
Application number: CN 03113473
Other languages: Chinese (zh)
Other versions: CN1186906C (en)
Inventors: 曹秀英, 沈平, 郑晓蕾, 王璐, 耿嘉, 李枫
Current assignee: Southeast University
Original assignee: Southeast University
Application filed by Southeast University
Priority to CNB031134734A
Publication of CN1455556A; application granted and published as CN1186906C
Current legal status: Expired - Fee Related

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

The wireless local area network secure access control method relates to an enhanced secure access control method for wireless LANs based on the IEEE 802.11 standard. The whole secure access control process comprises three stages. Connection establishment and security capability negotiation: the STA broadcasts a connection request, and the AP in the area sends a connection response message to the STA, declaring in the response message the 802.1x authentication and all data protection methods it supports. Establishing a security association: after receiving the STA's security association request, the AP sends an 802.1x authentication request message to the AC, requesting the AC to use the 802.1x authentication protocol and the AS to authenticate the STA. Re-establishing a security association: in the roaming case, when the STA moves from the service range of the AP with which it has established a security association into the service range of AP*, the STA needs to hand over its associated access point, and the STA and AP* establish a connection and negotiate security capabilities through the steps of the first stage.

Description

Wireless LAN secure access control method
One, technical field
The present invention relates to an enhanced secure access control method, in particular one that strengthens the secure access control function of the wireless LAN medium access control (MAC) layer, and belongs to the technical field of wireless LAN security based on the IEEE 802.11 standard.
Two, background art
A wireless local area network (Wireless Local Area Network, WLAN) is a rapidly developing application of modern wireless communication technology to computer networks. It uses wireless multiple-access channels as an effective means of supporting communication between computers, and provides the means for mobile, personalised and multimedia communication applications. However, because its transmission medium is open, the security requirements in a WLAN environment are far more demanding than in a wired environment. The service area of a WLAN has no effective boundary: an attacker can easily enter the service area and mount illegal attacks without being easily discovered; an attacker can not only eavesdrop on, intercept and tamper with data frames, but can even attack management frames and control frames, causing theft of wireless medium resources or paralysis of the whole network; unauthorised use by legitimate users is also one of the hidden dangers coming from inside the WLAN. The IEEE 802.11 standard is the WLAN medium access control (MAC) and physical layer (PHY) standard formulated by IEEE. The most basic secure access control services were specified in the MAC-layer management protocol part of the standard, in the hope of providing security equal to that of wired networks. In fact, because the IEEE 802.11 standard was designed with the efficiency of the wireless channel in mind and placed more hope on the authentication functions of upper-layer protocols, only a simplified link-level secure access control scheme was adopted, which left the security functions practically without effect, and the fragile Wired Equivalent Privacy (WEP) protocol on which confidentiality was based could not achieve the expected data protection. Access control is the basis of data protection, and data protection is only meaningful within the scope of a legitimate user's authorisation; moreover, access control protection of the wireless medium resource is not something an upper-layer protocol can fully achieve. The secure access control services of the existing standard cannot satisfy the security requirements of WLAN application environments. This shows that for a WLAN to be called a secure WLAN, a brand-new secure access control method must be formulated to meet the security requirements of the new application conditions of WLANs. To strengthen the secure access control functions of the existing standard, the IEEE 802.11 working group set up task group TGi, whose purpose is "to enhance the current 802.11 MAC to improve the security of wireless LANs". The Robust Security Network (RSN) is the improved secure WLAN model proposed by TGi. At present the new standard is still at the draft stage; in November 2002 TGi issued its latest draft, Draft 3.0, which designs an enhanced secure access control scheme and data protection schemes. The draft adopts IEEE 802.1x, the port-based network access control protocol, to realise the secure access control scheme, comprising the IEEE 802.1x authentication protocol and the IEEE 802.1x key management protocol. Port access entity (PAE) modules of 802.1x are added at the wireless terminal's network card and at the access point respectively, and authentication is realised through a RADIUS authentication server. The draft also specifies improved data protection schemes, including TKIP, AES-CCM and AES-OCB. All of these strengthen the original security of IEEE 802.11. However, in the course of this improvement, in order to remain compatible with the original protocol, the draft still retains the secure access control scheme of the original protocol but ignores its result and runs the new secure access control scheme after the original one, so that the original scheme's process becomes a kind of waste. In addition, constrained by the scope of the protocol, the draft attempts to specify only the wireless network side and does not touch the wired network side of the distribution system, so the protocol is not designed from the overall structure of the system, which makes the realisation of functions such as roaming cumbersome.
Three, summary of the invention
1, technical problem
The object of the invention is to propose a wireless LAN secure access control method for the IEEE 802.11 standard that is not only compatible with the enhanced secure access control scheme proposed in TGi Draft 3.0 but also combines it with the existing functions of the IEEE 802.11 standard, making the improvement of existing equipment more convenient while reducing the influence of the new secure access control scheme on the original performance of the WLAN, including roaming.
2, technical scheme
The wireless LAN secure access control method designed by the present invention comprises three functional parts: authentication, key management and authorisation. The authentication function realises mutual authentication between the terminal station (STA) and the access point (AP), mainly through mutual authentication between the STA and the authentication server (AS) and the trust relationship between the AS and the AP. The key management function refers to dynamic key negotiation and key distribution between the STA and the AP based on that authentication. The authorisation function refers to the AP's response to the STA's access request: if a security association has been established between the AP and the STA, the STA is authorised to access, otherwise the STA's access request is refused. The method mainly involves four kinds of equipment in the WLAN: the terminal station STA, the access point AP, the access controller (AC) and the authentication server AS. The STA is a mobile user terminal device and realises the user-side secure access control function; the AP is the provider of the WLAN access service and realises the authorisation and key management functions of secure access control; the AS is an authentication server device and provides the server-side authentication function of secure access control; the AC sits between the AP and the AS and is used to register the AS's authentication result for a STA after a single authentication, together with the security association information between the STA and the AP.
The wireless LAN secure access control method of the present invention is characterised in that: when a STA that has not established a security association with any AP enters the service range of a certain AP, the STA and the AP establish a connection and negotiate security capabilities, after which the STA sends a request to establish a security association to the AP; the STA is authenticated by the authentication server AS using the IEEE 802.1x authentication protocol, and if authentication fails, the AS notifies the AP to refuse the STA's request to establish a security association; if authentication succeeds, a pairwise master key (PMK) has been negotiated between the STA and the AS, and the AS sends the PMK to the access controller AC, which registers the corresponding STA's association information and PMK information; the AC then sends the PMK to the AP, and the STA and the AP use the IEEE 802.1x key management protocol to dynamically negotiate a pairwise transient key (PTK) from the PMK and to distribute a group temporal key (GTK); if key negotiation completes, the AP authorises the STA's access by sending a response message indicating that the security association was established successfully. When the STA moves from the service range of an AP with which it has established a security association into the service range of another AP, the STA and the new AP establish a connection and negotiate security capabilities, after which the STA sends a request to re-establish the security association to the new AP; the new AP requests the AC to update the corresponding STA's association information and obtains the corresponding PMK information; the STA and the new AP use the IEEE 802.1x key management protocol to dynamically negotiate a new PTK from the PMK and distribute a new GTK; if key negotiation completes, the new AP authorises the STA's access by sending a response message indicating that the security association was established successfully.
The whole secure access control process comprises three stages: connection establishment and security capability negotiation, establishing a security association, and re-establishing a security association.
Stage I: connection establishment and security capability negotiation. It is characterised in that: the STA broadcasts a connection request; the APs in the area send a connection response message to the STA and declare in the response message the 802.1x authentication and all data protection methods they support; the STA sends an IEEE 802.11 open system authentication request message to the AP it connects to; the AP sends an IEEE 802.11 open system authentication response message to the connecting STA; having passed IEEE 802.11 open system authentication, the STA sends a request to establish a security association to the AP, declaring in the security association request message its support for 802.1x authentication and the selected data protection method. This ends the stage of connection establishment and security capability negotiation.
The specific steps are as follows:
(1) The STA broadcasts a connection request message. The IEEE 802.11 standard specifies that the management frame Probe Request is used to broadcast a STA's connection request.
(2) The AP sends a connection response message to the STA. After the AP receives the connection request message, if it allows the STA to connect to it, it sends a connection response message and declares the RSN information element in the message. The IEEE 802.11 standard specifies that the management frame Probe Response is used to reply to a STA's Probe Request. The RSN information element declares, in the format prescribed by the TGi draft, the 802.1x authentication and all data protection methods supported by the AP.
(3) The STA sends an IEEE 802.11 open system authentication request message to the AP.
(4) The AP sends an IEEE 802.11 open system authentication response message to the STA. These two authentication messages are included to remain compatible with the original provisions of the IEEE 802.11 standard. The original standard supports open system authentication and shared key authentication; in the method of the present invention open system authentication is mandatory.
(5) The STA sends a security association request message to the AP. Having passed IEEE 802.11 open system authentication, the STA sends the security association request message and declares the RSN information element in it. The IEEE 802.11 standard specifies that the management frame Association Request is used to send the security association request. The RSN information element declares, in the format prescribed by the TGi draft, that the STA supports 802.1x authentication and the data protection method selected from those offered by the AP.
Stage II: establishing a security association. It is characterised in that: after the AP receives the STA's security association request, it sends an 802.1x authentication request message to the AC, requesting the AC to use the 802.1x authentication protocol and the AS to authenticate the STA; if authentication succeeds, a mutual trust relationship is established between the AS and the STA and a pairwise master key PMK is established, and through the mutual trust among AS, AC and AP guaranteed by wired protocols, mutual authentication between the AP and the STA is thereby achieved; the AS sends the STA's PMK to the AC, and after the AC has registered the STA's association information and PMK information it sends the PMK to the AP; after receiving the PMK, the AP uses the 4-way handshake protocol of the 802.1x key management protocol to negotiate the pairwise transient key PTK between the STA and the AP; the AP then distributes the group temporal key GTK through the group key distribution protocol; if the above 802.1x authentication and key management protocol succeed, the AP sends a security association success response message to the STA, otherwise the AP sends a security association failure response message to the STA. This ends the stage of establishing a security association.
The specific steps are as follows:
(6) The AP sends an 802.1x authentication request message to the AC. The AP uses the EAPOL-Start message specified in the IEEE 802.1x protocol to initiate the 802.1x authentication protocol.
(7) The STA, AC and AS carry out the 802.1x authentication protocol process. Here the STA is the Supplicant of the 802.1x protocol, the AC is the Authenticator and the AS is the authentication server. The AP relays the 802.1x authentication protocol messages between the AC and the STA. The 802.1x authentication protocol process is specified by the IEEE 802.1x standard. If 802.1x authentication fails:
(8') The AS sends an authentication failure message to the AC. According to the 802.1x protocol, if authentication fails, the authentication server sends an authentication failure message to the authenticator.
(9') The AC sends an authentication failure message to the AP. The EAPOL-Logoff message specified by the 802.1x protocol is used by the AC to send the authentication failure message to the AP.
(10') The AP sends a security association failure response message to the STA. The IEEE 802.11 standard specifies that the management frame Association Response is used to send the security association response message. If 802.1x authentication succeeds:
(8) The AS sends the PMK to the AC, and the AC registers the STA's association information and PMK information. The AS sends the PMK to the AC in the EAP Accept message of the 802.1x protocol. The AC registers the STA's PMK and association information, where association information means the information about the AP with which the STA currently establishes its security association.
(9) The AC sends the PMK to the AP. The AC transfers the STA's PMK through a secure tunnel established between the AP and the AC. The secure tunnel between AP and AC can be established by relying on the wired 802.1x protocol, in which case the AP is the supplicant, the AC is the authenticator and the AS is the authentication server.
(10) The AP and the STA carry out the 802.1x key management protocol. The TGi draft specifies the 802.1x key management protocol between AP and STA, namely the 4-way handshake protocol, which negotiates the pairwise transient key PTK between the STA and the AP.
(11) The AP and the STA carry out the group key distribution protocol. The TGi draft specifies the group key distribution protocol between AP and STA, used by the AP to distribute the group temporal key GTK to the STA.
(12) The AP sends a security association response message to the STA. The IEEE 802.11 standard specifies that the management frame Association Response is used to send the security association reply. If the 4-way handshake protocol and the group key distribution protocol succeed, the AP sends a security association success response message to the STA, authorising its access; otherwise it sends a security association failure response message, refusing the STA's access.
Stage III: re-establishing a security association. It is characterised in that: under roaming conditions, when a STA moves from the service range of an AP with which it has established a security association into the service range of AP*, the STA needs to hand over its associated access point. The STA and AP* establish a connection and negotiate security capabilities by the steps of stage I, the difference being that the security association request the STA sends to AP* is a request to re-establish the security association; on receiving the request to re-establish the security association, AP* requests the AC to update the corresponding STA's association information and obtains the STA's PMK; the STA and AP* use the 802.1x key management protocol to dynamically negotiate PTK* and distribute a new GTK*; if key negotiation completes, AP* authorises the STA's access by sending a response message indicating that the security association was successfully re-established. This ends the stage in which the STA and AP* re-establish the security association.
The specific steps are as follows:
(13) The STA enters the service range of AP* and completes steps (1)~(4), with AP replaced by AP*.
(14) The STA sends a request message to re-establish the security association to AP*. Having passed IEEE 802.11 open system authentication, the STA sends the security association request message and declares the RSN information element in it. The IEEE 802.11 standard specifies that the management frame Reassociation Request is used to send the request to re-establish a security association. The RSN information element declares, in the format prescribed by the TGi draft, that the STA supports 802.1x authentication and the data protection method selected from those offered by AP*.
(15) AP* sends a request to the AC to update the STA's security association information. After receiving the STA's request message to re-establish the security association, AP* requests the AC to update the STA's security association information so that it records the STA as establishing its security association with AP*.
(16) Complete steps (9)~(11), with AP replaced by AP* and PTK, GTK replaced by PTK*, GTK*.
(17) AP* sends the response message for re-establishing the security association to the STA. The IEEE 802.11 standard specifies that the management frame Reassociation Response is used to send the reply to re-establishing a security association. If the 4-way handshake protocol and the group key distribution protocol succeed, AP* sends a success response message for re-establishing the security association to the STA, authorising its access; otherwise it sends a failure response message for re-establishing the security association, refusing the STA's access.
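As an added example (not code from the patent), the following Python simulation plays through steps (1)~(17) with the four roles: the AS authenticates and yields the PMK, the AC registers the STA's association and PMK, the AP relays authentication, runs the 4-way handshake and group key delivery, and a roaming STA re-establishes its association with a second AP by having that AP fetch the PMK from the AC rather than re-running authentication. The EAP exchange is abstracted as a credential relay, and the PMK derivation, the PTK PRF and the handshake MIC are simplified stand-ins; all of these are assumptions, not details fixed by the patent.

```python
# Added example, not the patent's code. Step numbers in comments refer to the
# patent's step list; derive_pmk, derive_ptk and mic are stand-ins (assumptions).
import hashlib
import hmac
import os

# Constructed sample credential table held by the AS (not from the patent).
AS_USERS = {"sta-01": b"sta-01-secret"}


def derive_pmk(secret: bytes) -> bytes:
    """Stand-in for the PMK agreed between STA and AS during 802.1x/EAP."""
    return hashlib.sha256(b"PMK|" + secret).digest()


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Stand-in PRF: the PTK is bound to the PMK, both addresses and both nonces."""
    return hmac.new(pmk, b"PTK|" + ap_mac + sta_mac + anonce + snonce, hashlib.sha256).digest()


def mic(ptk: bytes, data: bytes) -> bytes:
    """Message integrity code keyed with the PTK (stand-in for the handshake MIC)."""
    return hmac.new(ptk, data, hashlib.sha256).digest()


class AuthServer:
    """AS: authenticates the STA and yields the PMK (steps 7, 8 / 8')."""
    def __init__(self):
        self.auth_calls = 0  # counts AS round trips; roaming must not add one

    def authenticate(self, sta_id, secret):
        self.auth_calls += 1
        expected = AS_USERS.get(sta_id)
        if expected is None or not hmac.compare_digest(expected, secret):
            return None  # authentication failure message to the AC (step 8')
        return derive_pmk(secret)  # EAP Accept carrying the PMK (step 8)


class AccessController:
    """AC: 802.1x authenticator plus registry of STA association info and PMK."""
    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.registry = {}  # sta_id -> {"ap": ap_mac, "pmk": pmk}

    def eapol_start(self, sta_id, secret, ap_mac):
        """Steps 6-9: authenticate via the AS, register the STA, return the PMK to the AP."""
        pmk = self.auth_server.authenticate(sta_id, secret)
        if pmk is None:
            return None  # EAPOL-Logoff to the AP (step 9')
        self.registry[sta_id] = {"ap": ap_mac, "pmk": pmk}
        return pmk  # PMK over the AP-AC secure tunnel (step 9)

    def update_association(self, sta_id, new_ap_mac):
        """Step 15: roaming; re-point the STA at AP* and hand AP* the stored PMK."""
        entry = self.registry.get(sta_id)
        if entry is None:
            return None  # STA never authenticated: no PMK, AP* must refuse
        entry["ap"] = new_ap_mac
        return entry["pmk"]


class Station:
    """STA: the 802.1x supplicant."""
    def __init__(self, sta_id, mac, secret):
        self.sta_id, self.mac, self.secret = sta_id, mac, secret
        self.ptk = self.gtk = None

    def handshake_msg2(self, ap_mac, anonce):
        """4-way handshake message 2: SNonce plus a MIC proving knowledge of the PMK."""
        snonce = os.urandom(32)
        self.ptk = derive_ptk(derive_pmk(self.secret), ap_mac, self.mac, anonce, snonce)
        return snonce, mic(self.ptk, snonce)


class AccessPoint:
    """AP: relays 802.1x, runs key management and authorises access."""
    def __init__(self, mac, ac):
        self.mac, self.ac = mac, ac
        self.gtk = os.urandom(16)  # group temporal key of this BSS

    def associate(self, sta, reassociation=False):
        """Steps 5-12 for a first association, steps 14-17 when reassociation=True."""
        if reassociation:
            pmk = self.ac.update_association(sta.sta_id, self.mac)  # no AS round trip
        else:
            pmk = self.ac.eapol_start(sta.sta_id, sta.secret, self.mac)
        kind = "Reassociation Response" if reassociation else "Association Response"
        if pmk is None:
            return (kind, "Failure")  # step 10', or the failure branch of step 17
        anonce = os.urandom(32)  # handshake message 1 (step 10)
        snonce, sta_mic = sta.handshake_msg2(self.mac, anonce)
        ptk = derive_ptk(pmk, self.mac, sta.mac, anonce, snonce)
        if not hmac.compare_digest(sta_mic, mic(ptk, snonce)):
            return (kind, "Failure")  # key agreement failed
        sta.gtk = self.gtk  # group key delivery (step 11)
        return (kind, "Success")  # access authorised (step 12 / 17)
```

The handover path never calls the AS, which is the predictable-delay property the patent claims for stage III; a STA with no registry entry is refused at reassociation, and a wrong credential is refused at first association.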
3, beneficial effects
Compared with the prior art, the present invention has the following advantages:
Based on an in-depth analysis of the IEEE 802.11 standard and the draft, the present invention is not only compatible with the original access control scheme but also uses the state transition relations of the original scheme, so that the new scheme and the original scheme are combined organically. From the angle of realising a complete wireless LAN secure access control system, the scheme of the present invention adds an access controller on the wired network side that realises the distribution service; this not only implements the distribution service specified in the original protocol but also provides a more concise roaming scheme. Using the access controller to realise the authenticator module of IEEE 802.1x also reduces the hardware complexity of the access point to a certain extent. Considering that the 802.1x access control protocol has enhanced security, the scheme of the present invention adopts this protocol as proposed by the draft.
The three stages described in the present invention constitute a secure access control method in which the STA is authenticated once. Stages I and II complete the security control process of the STA's first access, which includes authentication, while stage III completes the security control process at handover when an already-accessed STA roams. Through the registration mechanism of the AC, in stage III the AP obtains the PMK directly from the AC and need not run an authentication process of unpredictable delay against the STA again, so that the handover delay caused by STA roaming stays within a predictable range and does not cause a significant drop in the STA's communication quality. It is particularly pointed out that when the STA switches from AP to AP*, it can complete stage III and disconnect from AP only after the security association with AP* has been established, which guarantees seamless handover between cells.
The AC and the AP introduced in the present invention jointly constitute the access control system; the role of the authenticator in the 802.1x authentication protocol is realised in software on the AC, which not only reduces the hardware complexity of the AP but also provides a solution based on the IEEE 802.1x protocol for establishing the secure tunnel between AP and AC. This is indeed the biggest difference between this method and the TGi draft. In addition, making full use of the original association service in the IEEE 802.11 protocol, it is proposed to include the 802.1x authentication protocol, the 4-way handshake protocol and the group key distribution protocol in the process of establishing the security association, which is also an improvement on the TGi draft.
Moreover, adopting the 802.1x authentication protocol and the 4-way handshake of 802.1x key management strengthens the security of authentication and key management, realises dynamic key distribution, and allows a stronger authentication scheme to be introduced without modifying the MAC layer of the existing standard, namely by realising the protocol below the IP layer and above the MAC layer, that is, at the logical link control (LLC) layer. This not only avoids making large changes to existing MAC-layer hardware, but also strengthens the flexibility and extensibility of the authentication and key management scheme, making it convenient to select secure and reliable authentication protocols.
Four, description of drawings
Fig. 1 is a networking schematic diagram of an embodiment of the wireless LAN secure access control method.
Fig. 2 is the tree-shaped device relationship diagram of the embodiment of the wireless LAN secure access control method, showing the terminal station STA, access point AP, authentication server AS, access controller AC, basic service set BSS and extended service set ESS.
Fig. 3 is the message flow chart of stages I and II of the embodiment of the wireless LAN secure access control method.
Fig. 4 is the message flow chart of stage III of the embodiment of the wireless LAN secure access control method.
Five, embodiments
The invention is further described below with reference to the embodiment illustrated in the accompanying drawings:
The characteristics of the wireless LAN secure access control method of the present invention, and of its three stages (connection establishment and security capability negotiation, establishing a security association, and re-establishing a security association), are as set out in the summary of the invention above.
The embodiment of the invention involves two network parts, namely the WLAN composed of STAs and APs, and the access network composed of APs, the AC, the AS and a gateway. The AP, as the interface between the WLAN and the access network, plays a bridging role and can therefore realise link-level access control of STAs. The AC, as the interface between the access network and the Internet, performs network-level access control, but in the present invention it is mainly used to realise the authenticator of the 802.1x authentication protocol and the function of registering STA security association information and PMKs, thereby realising the distribution and association services of the IEEE 802.11 standard. The AS, as the authentication server, may be a local authentication server in the access network or a remote authentication server in the Internet, and generally uses the RADIUS or Diameter protocol. Thus STA, AP, AC and AS form a tree-shaped device relationship diagram.
Fig. 3 and Fig. 4 show the message flows of the three stages of the embodiment, which realise the secure access control method of the present invention. The protocol messages corresponding to the message flows are introduced one by one below:
(1) Connection request: IEEE 802.11 Probe Request;
(2) Connection response + RSN information element: IEEE 802.11 Probe Response + RSN IE;
(3) 802.11 open system authentication (request): IEEE 802.11 Open Authentication (Request);
(4) 802.11 open system authentication (response): IEEE 802.11 Open Authentication (Response);
(5) Security association request + RSN information element: IEEE 802.11 Association Request + RSN IE;
(6) 802.1x start request: IEEE 802.1x EAPOL-Start;
(7) 802.1x authentication protocol: IEEE 802.1x/EAP;
(8) 802.1x failure response: IEEE 802.1x EAPOL-Logoff;
(9) 802.1x key management protocol: TGi Draft 3.0 4-way handshake;
(10) 802.1x group key distribution protocol: TGi Draft 3.0 Group Key delivery;
(11) Security association response (success): IEEE 802.11 Association Response (Success);
(12) Security association response (failure): IEEE 802.11 Association Response (Failure);
(13) Re-establish security association request + RSN information element: IEEE 802.11 Reassociation Request + RSN IE;
(14) Re-establish security association response (success): IEEE 802.11 Reassociation Response (Success);
(15) Re-establish security association response (failure): IEEE 802.11 Reassociation Response (Failure).
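To make the three-phase exchange above concrete, the following is an added Python model of the flow; it is not code from the patent or from its authors. It runs phase I (the STA picks a data protection method from what the AP advertises), phase II (802.1x authentication relayed through the AC to the AS, PMK registration at the AC, the four-way handshake that derives the PTK from the PMK, and GTK delivery under the KEK) and phase III (reassociation at a second AP that obtains the registered PMK from the AC instead of re-running authentication). The challenge/response stand-in for the EAP method, the PMK derivation, the toy GTK wrap, the trusted-AP list on the AC, and all class names, addresses and credential values are assumptions made for this illustration; the PTK expansion follows the 802.11i/TGi PRF pattern (HMAC-SHA1 over the "Pairwise key expansion" label, the two addresses and the two nonces).

```python
"""Added toy model of the patent's three-phase flow (RSN negotiation, 802.1x auth and key
management, reassociation on roaming).  Not the patent's code: the EAP model, PMK derivation,
GTK wrap and all names are assumptions; PTK expansion follows the 802.11i/TGi PRF pattern."""
import hashlib
import hmac
import os

def prf(key, label, data, nbytes):  # 802.11i-style PRF-X: counted HMAC-SHA1 blocks, truncated
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range((nbytes + 19) // 20))
    return b"".join(blocks)[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):  # -> (KCK, KEK, TK), 16 bytes each
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]

class AuthServer:  # AS with a constructed credential table; counts full EAP runs
    def __init__(self, creds):
        self.creds, self.eap_runs = creds, 0
    def authenticate(self, sta):  # challenge/response stand-in for the EAP method
        self.eap_runs += 1
        challenge = os.urandom(16)
        identity, response = sta.eap_response(challenge)  # EAP relayed through AP and AC
        secret = self.creds.get(identity)
        if secret is None or not hmac.compare_digest(
                response, hmac.new(secret, challenge, hashlib.sha256).digest()):
            return None
        return hmac.new(secret, b"PMK" + challenge, hashlib.sha256).digest()

class AccessController:  # AC: 802.1x authenticator; registry of STA association + PMK
    def __init__(self, auth_server, trusted_aps):
        self.auth_server, self.trusted, self.registry = auth_server, set(trusted_aps), {}
    def authenticate(self, ap_id, sta):  # phase II: full EAP run through the AS
        pmk = self.auth_server.authenticate(sta) if ap_id in self.trusted else None
        if pmk is not None:
            self.registry[sta.addr] = {"ap": ap_id, "pmk": pmk}
        return pmk
    def reassociate(self, ap_id, sta):  # phase III: update record, hand out existing PMK
        rec = self.registry.get(sta.addr)
        if ap_id not in self.trusted or rec is None:
            return None
        rec["ap"] = ap_id
        return rec["pmk"]

class AccessPoint:
    def __init__(self, ap_id, addr, ac, ciphers=("CCMP", "TKIP")):  # ciphers = RSN IE content
        self.ap_id, self.addr, self.ac, self.ciphers, self.gtk = ap_id, addr, ac, ciphers, os.urandom(16)
    def associate(self, sta, reassoc=False):  # (re)association -> AC -> 4-way -> GTK -> response
        if sta.cipher not in self.ciphers:  # RSN IE in the request must match what we offered
            return "failure: cipher"
        pmk = (self.ac.reassociate if reassoc else self.ac.authenticate)(self.ap_id, sta)
        if pmk is None:
            return "failure: auth"  # Association Response (Failure)
        anonce = os.urandom(32)  # 4-way handshake message 1
        snonce, m2_mic = sta.handshake_msg2(anonce, self.addr)  # message 2
        kck, kek, tk = derive_ptk(pmk, self.addr, sta.addr, anonce, snonce)
        if not hmac.compare_digest(m2_mic, hmac.new(kck, snonce, hashlib.sha1).digest()[:16]):
            return "failure: mic"  # STA does not hold the PMK the AC handed us
        pad = prf(kek, b"GTK wrap", anonce, 16)  # toy wrap under KEK, not AES Key Wrap
        sta.install(bytes(a ^ b for a, b in zip(self.gtk, pad)), anonce)  # group key delivery
        return "success"  # Association Response (Success); tk now protects unicast traffic

class Station:
    def __init__(self, addr, identity, secret):
        self.addr, self.identity, self.secret = addr, identity, secret
        self.cipher = self.pmk = self.kek = self.tk = self.gtk = None
    def select_cipher(self, ap):  # phase I: pick from the ciphers the probe response advertised
        self.cipher = "CCMP" if "CCMP" in ap.ciphers else ap.ciphers[0]
    def eap_response(self, challenge):  # STA derives the same PMK the AS does
        self.pmk = hmac.new(self.secret, b"PMK" + challenge, hashlib.sha256).digest()
        return self.identity, hmac.new(self.secret, challenge, hashlib.sha256).digest()
    def handshake_msg2(self, anonce, aa):  # PMK survives roaming; PTK is fresh per AP
        snonce = os.urandom(32)
        kck, self.kek, self.tk = derive_ptk(self.pmk or b"", aa, self.addr, anonce, snonce)
        return snonce, hmac.new(kck, snonce, hashlib.sha1).digest()[:16]
    def install(self, wrapped_gtk, anonce):
        pad = prf(self.kek, b"GTK wrap", anonce, 16)
        self.gtk = bytes(a ^ b for a, b in zip(wrapped_gtk, pad))

def run_scenario():  # constructed walk-through: join AP1, roam to AP2, then three refusals
    auth = AuthServer({b"alice": b"alice-secret"})
    ac = AccessController(auth, trusted_aps=["AP1", "AP2"])
    ap1 = AccessPoint("AP1", bytes.fromhex("020000000001"), ac)
    ap2 = AccessPoint("AP2", bytes.fromhex("020000000002"), ac)
    sta = Station(bytes.fromhex("0200000000aa"), b"alice", b"alice-secret")
    sta.select_cipher(ap1)
    r = {"join": ap1.associate(sta)}
    tk1 = sta.tk
    sta.select_cipher(ap2)  # phase I repeats with the new AP, then reassociation
    r["roam"] = ap2.associate(sta, reassoc=True)
    r["fresh_ptk"], r["gtk_ok"], r["eap_runs"] = sta.tk != tk1, sta.gtk == ap2.gtk, auth.eap_runs
    rogue = AccessPoint("AP9", bytes.fromhex("020000000009"), ac)  # AP the AC does not trust
    r["rogue"] = rogue.associate(sta, reassoc=True)
    bad = Station(bytes.fromhex("0200000000bb"), b"alice", b"wrong")
    bad.select_cipher(ap1)
    r["bad_secret"] = ap1.associate(bad)
    spoof = Station(sta.addr, b"mallory", b"x")  # reuses a registered address, has no PMK
    spoof.select_cipher(ap2)
    r["spoof"] = ap2.associate(spoof, reassoc=True)
    return r
```

run_scenario() returns a dictionary summarizing the walk-through: the join and the roam both succeed, the PTK differs between the two APs while the AS has seen only one EAP run, the AC refuses to release the PMK to an AP outside its trust set, a wrong credential is refused during phase II, and a station that reuses a registered STA's address without holding the PMK fails the handshake MIC rather than being admitted. The last case is the check that matters in phase III: reassociation skips the AS, so the four-way handshake is the only proof that the roaming STA is the one that authenticated.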

Claims (4)

1. A wireless LAN secure access control method, characterized in that: when an STA that has not established a security association with any AP enters the service range of an AP, the STA and the AP establish a connection and negotiate security capabilities, after which the STA sends a request to establish a security association to the AP; the STA is authenticated by the authentication server AS using the IEEE 802.1x authentication protocol, and if authentication fails, the AS instructs the AP to refuse the STA's request to establish a security association; if authentication succeeds, a pairwise master key PMK has been negotiated between the STA and the AS, and the AS sends the PMK to the access controller AC, which registers the association information and the PMK of the STA; the AC then sends the PMK to the AP, and the STA and the AP use the IEEE 802.1x key management protocol to dynamically negotiate a pairwise transient key PTK from the PMK and to distribute a group transient key GTK; if key negotiation completes, the AP authorizes the STA's access by sending a response message indicating that the security association was established successfully; when the STA moves from the service range of the AP with which it has established a security association into the service range of another AP, the STA and the new AP establish a connection and negotiate security capabilities, after which the STA sends a request to re-establish the security association to the new AP; the new AP requests the AC to update the STA's association information and obtains the corresponding PMK; the STA and the new AP use the IEEE 802.1x key management protocol to dynamically negotiate a new PTK from the PMK and to distribute a new GTK; if key negotiation completes, the new AP authorizes the STA's access by sending a response message indicating that the security association was established successfully; the whole secure access control process thus comprises three phases: connection establishment and security capability negotiation, establishment of the security association, and re-establishment of the security association.
2. The wireless LAN secure access control method according to claim 1, characterized in that the first phase, connection establishment and security capability negotiation, proceeds as follows: the STA broadcasts a connection request, and the APs in the area send the STA a connection response message in which they declare their support for 802.1x authentication and all data protection methods they support; the STA sends an IEEE 802.11 open system authentication request message to the AP it is connecting to; the AP sends an IEEE 802.11 open system authentication response message to the connecting STA; after passing IEEE 802.11 open system authentication, the STA sends a request to establish a security association to the AP, declaring in the security association request message that it supports 802.1x authentication and the data protection method it has selected; this ends the phase of connection establishment and security capability negotiation.
3. The wireless LAN secure access control method according to claim 1, characterized in that the second phase, establishment of the security association, proceeds as follows: after the AP receives the STA's security association request, it sends an 802.1x authentication request message to the AC, requesting the AC to use the 802.1x authentication protocol and authenticate the STA through the AS; if authentication succeeds, a mutual trust relationship is established between the AS and the STA together with a pairwise master key PMK, and, relying on the mutual trust between AS, AC and AP that is guaranteed by the wired-side protocol, mutual authentication between the AP and the STA is thereby achieved; the AS sends the STA's PMK to the AC, which registers the STA's association information and PMK and then sends the PMK to the AP; after receiving the PMK, the AP uses the four-way handshake of the 802.1x key management protocol to negotiate a pairwise transient key PTK between the STA and the AP; the AP then distributes a group transient key GTK through the group key distribution protocol; if the 802.1x authentication and the key management protocol above succeed, the AP sends a security association success response message to the STA, otherwise the AP sends a security association failure response message to the STA; this ends the phase of establishing the security association.
4. The wireless LAN secure access control method according to claim 1, characterized in that the third phase, re-establishment of the security association, proceeds as follows: under roaming conditions, when an STA that has established a security association with one AP enters the service range of another access point AP*, the STA must hand over to the new access point; the STA and AP* run the steps of the first phase to establish a connection and negotiate security capabilities, the difference being that the security association request the STA sends to AP* is a request to re-establish the security association; on receiving the request to re-establish the security association, AP* requests the AC to update the STA's association information and obtains the STA's PMK; the STA and AP* use the 802.1x key management protocol to dynamically negotiate a new PTK* and to distribute a new GTK*; if key negotiation completes, AP* authorizes the STA's access by sending a response message for re-establishing the security association; this ends the phase in which the STA and AP* re-establish the security association.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB031134734A CN1186906C (en) 2003-05-14 2003-05-14 Wireless LAN safety connecting-in control method


Publications (2)

Publication Number Publication Date
CN1455556A true CN1455556A (en) 2003-11-12
CN1186906C CN1186906C (en) 2005-01-26

Family

ID=29260011

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB031134734A Expired - Fee Related CN1186906C (en) 2003-05-14 2003-05-14 Wireless LAN safety connecting-in control method

Country Status (1)

Country Link
CN (1) CN1186906C (en)

Cited By (41)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007022727A1 (en) * 2005-08-24 2007-03-01 Huawei Technologies Co., Ltd. A method and system for transmitting authorization key context information
WO2007031027A1 (en) * 2005-09-15 2007-03-22 Huawei Technologies Co., Ltd. A method, system and apparus for negotiating the key between ss and sp
CN100352229C (en) * 2003-12-26 2007-11-28 华为技术有限公司 A 802.1x authentication method
CN100403719C (en) * 2006-02-10 2008-07-16 华为技术有限公司 Method and device for establishing a virtual link
CN100428715C (en) * 2005-01-13 2008-10-22 华为技术有限公司 A wireless local area network and a method for realizing fast switching of a mobile station
CN101335621A (en) * 2007-06-26 2008-12-31 中国科学院声学研究所 A 802.11i Key Management Method
WO2009003404A1 (en) * 2007-06-29 2009-01-08 Huawei Technologies Co., Ltd. A method and an apparatus for fast handover
CN100461728C (en) * 2005-01-04 2009-02-11 华为技术有限公司 wireless communication method
CN101594645A (en) * 2008-05-30 2009-12-02 日电(中国)有限公司 Access control system and method
WO2010066185A1 (en) * 2008-12-09 2010-06-17 西安西电捷通无线网络通信有限公司 Authentication associated suite discovery and negotiation method
CN1964253B (en) * 2005-11-09 2010-07-21 华为技术有限公司 A way to regenerate keys after key contamination
CN101192929B (en) * 2006-11-27 2010-07-21 华为技术有限公司 An access method, system and device in a short-distance wireless network
CN1976309B (en) * 2006-12-22 2010-08-18 杭州华三通信技术有限公司 Method for wireless user inserting network service, access controller and server
CN1951067B (en) * 2004-03-02 2010-10-13 松下电器产业株式会社 Negotiation system and method for wireless local area network entity
CN101378591B (en) * 2007-08-31 2010-10-27 华为技术有限公司 Method, system and device for security capability negotiation when terminal moves
CN101232419B (en) * 2008-01-18 2010-12-08 西安西电捷通无线网络通信股份有限公司 Wireless local area network access method based on primitive
CN101917695A (en) * 2010-09-13 2010-12-15 上海市共进通信技术有限公司 Fast Handover Method for Wireless Network Roaming Based on 802.11 Standard
CN101951587A (en) * 2010-09-13 2011-01-19 上海市共进通信技术有限公司 Method for realizing fast roaming switch in wireless network in line with 802.11 standard
CN1960377B (en) * 2006-11-28 2011-05-18 杭州华三通信技术有限公司 Method for treating connection between AP and AC, AP, computer software product and device
CN102065517A (en) * 2010-11-19 2011-05-18 清华大学 Limited sending method for enhancing performance of 802.11 distributed coordination function
CN101056177B (en) * 2007-06-01 2011-06-29 清华大学 A wireless mesh network re-authentication method based on WAPI security standard
WO2011082529A1 (en) * 2010-01-08 2011-07-14 华为技术有限公司 Method, apparatus and system for updating group transient key
CN101044714B (en) * 2004-10-20 2011-09-14 汤姆森许可贸易公司 Method for mobile terminal access to wireless LAN based on access point services and service parameters
CN101267631B (en) * 2008-04-25 2011-11-30 中兴通讯股份有限公司 A method for self-adapted configuration of access points at a mobile terminal
CN102271125A (en) * 2010-06-02 2011-12-07 杭州华三通信技术有限公司 Method for carrying out 802.1X authentication cross equipment, access equipment and access control equipment
CN1681239B (en) * 2004-04-08 2012-01-04 华为技术有限公司 Method for supporting multiple safe mechanism in wireless local network system
CN101621802B (en) * 2009-08-13 2012-02-08 杭州华三通信技术有限公司 Entrance authentication method, system and device in wireless network
CN101227362B (en) * 2008-01-18 2012-05-23 西安西电捷通无线网络通信股份有限公司 Wireless personal area network access method
CN101247218B (en) * 2008-01-23 2012-06-06 中兴通讯股份有限公司 Safety parameter negotiation method and device for implementing media stream safety
CN1964254B (en) * 2005-11-11 2012-11-21 华为技术有限公司 A method to refresh secret key
CN103200004A (en) * 2012-01-09 2013-07-10 中兴通讯股份有限公司 Method of sending message, method of establishing secure connection, access point and work station
CN101288248B (en) * 2005-10-14 2013-07-17 三星电子株式会社 Roaming service method in a mobile broadcasting system, and system thereof
CN103281754A (en) * 2013-04-25 2013-09-04 深信服网络科技(深圳)有限公司 Local forwarding mode-based wireless access point information acquisition method and device
CN103391542A (en) * 2012-05-08 2013-11-13 华为终端有限公司 EAP authentication triggering method and system, access network equipment and terminal equipment
CN104243416A (en) * 2013-06-17 2014-12-24 华为技术有限公司 Encryption communication method and system and related equipment
US9071968B2 (en) 2010-12-09 2015-06-30 Huawei Technologies Co., Ltd. Method, apparatus, and system for centralized 802.1X authentication in wireless local area network
US9572027B2 (en) 2007-09-29 2017-02-14 Huawei Technologies Co., Ltd. Method, system and apparatus for negotiating security capabilities during movement of UE
CN106685600A (en) * 2015-11-05 2017-05-17 北京中广上洋科技股份有限公司 A Method of Message Transmission Between Workstations in Local Area Network
CN107528857A (en) * 2017-09-28 2017-12-29 北京东土军悦科技有限公司 A kind of authentication method based on port, interchanger and storage medium
CN112512041A (en) * 2019-09-13 2021-03-16 三星电子株式会社 Systems, methods, and devices for associating and authenticating multi-access point coordination
CN115428502A (en) * 2020-03-27 2022-12-02 松下知识产权经营株式会社 Communication device and communication method

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101155092B (en) * 2006-09-29 2010-09-08 西安电子科技大学 Wireless local area network access method, device and system

Cited By (65)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100352229C (en) * 2003-12-26 2007-11-28 华为技术有限公司 A 802.1x authentication method
CN1951067B (en) * 2004-03-02 2010-10-13 松下电器产业株式会社 Negotiation system and method for wireless local area network entity
CN1681239B (en) * 2004-04-08 2012-01-04 华为技术有限公司 Method for supporting multiple safe mechanism in wireless local network system
CN101044714B (en) * 2004-10-20 2011-09-14 汤姆森许可贸易公司 Method for mobile terminal access to wireless LAN based on access point services and service parameters
CN100461728C (en) * 2005-01-04 2009-02-11 华为技术有限公司 wireless communication method
CN100428715C (en) * 2005-01-13 2008-10-22 华为技术有限公司 A wireless local area network and a method for realizing fast switching of a mobile station
WO2007022727A1 (en) * 2005-08-24 2007-03-01 Huawei Technologies Co., Ltd. A method and system for transmitting authorization key context information
WO2007031027A1 (en) * 2005-09-15 2007-03-22 Huawei Technologies Co., Ltd. A method, system and apparus for negotiating the key between ss and sp
CN1933395B (en) * 2005-09-15 2010-05-05 华为技术有限公司 Business service body, and consultation method, system and apparatus for providing interbody communication key
CN101288248B (en) * 2005-10-14 2013-07-17 三星电子株式会社 Roaming service method in a mobile broadcasting system, and system thereof
CN1964253B (en) * 2005-11-09 2010-07-21 华为技术有限公司 A way to regenerate keys after key contamination
CN1964254B (en) * 2005-11-11 2012-11-21 华为技术有限公司 A method to refresh secret key
CN100403719C (en) * 2006-02-10 2008-07-16 华为技术有限公司 Method and device for establishing a virtual link
CN101192929B (en) * 2006-11-27 2010-07-21 华为技术有限公司 An access method, system and device in a short-distance wireless network
CN1960377B (en) * 2006-11-28 2011-05-18 杭州华三通信技术有限公司 Method for treating connection between AP and AC, AP, computer software product and device
CN1976309B (en) * 2006-12-22 2010-08-18 杭州华三通信技术有限公司 Method for wireless user inserting network service, access controller and server
CN101056177B (en) * 2007-06-01 2011-06-29 清华大学 A wireless mesh network re-authentication method based on WAPI security standard
CN101335621A (en) * 2007-06-26 2008-12-31 中国科学院声学研究所 A 802.11i Key Management Method
WO2009003404A1 (en) * 2007-06-29 2009-01-08 Huawei Technologies Co., Ltd. A method and an apparatus for fast handover
US10015669B2 (en) 2007-08-31 2018-07-03 Huawei Technologies Co., Ltd. Communication method and device
US9538373B2 (en) 2007-08-31 2017-01-03 Huawei Technologies Co., Ltd. Method and device for negotiating security capability when terminal moves
US9497625B2 (en) 2007-08-31 2016-11-15 Huawei Technologies Co., Ltd. Method for negotiating security capability when terminal moves
US9241261B2 (en) 2007-08-31 2016-01-19 Huawei Technologies Co., Ltd. Method, system and device for negotiating security capability when terminal moves
US8812848B2 (en) 2007-08-31 2014-08-19 Huawei Technologies Co., Ltd. Method, system and device for negotiating security capability when terminal moves
US8656169B2 (en) 2007-08-31 2014-02-18 Huawei Technologies Co., Ltd. Method, system and device for negotiating security capability when terminal moves
US10595198B2 (en) 2007-08-31 2020-03-17 Huawei Technologies Co., Ltd. Communication method and device
CN101378591B (en) * 2007-08-31 2010-10-27 华为技术有限公司 Method, system and device for security capability negotiation when terminal moves
US9572027B2 (en) 2007-09-29 2017-02-14 Huawei Technologies Co., Ltd. Method, system and apparatus for negotiating security capabilities during movement of UE
US10548012B2 (en) 2007-09-29 2020-01-28 Huawei Technologies Co., Ltd. Method, system and apparatus for negotiating security capabilities during movement of UE
CN101232419B (en) * 2008-01-18 2010-12-08 西安西电捷通无线网络通信股份有限公司 Wireless local area network access method based on primitive
US8631232B2 (en) 2008-01-18 2014-01-14 China Iwncomm Co., Ltd. Wireless personal area network accessing method
CN101227362B (en) * 2008-01-18 2012-05-23 西安西电捷通无线网络通信股份有限公司 Wireless personal area network access method
US8984287B2 (en) 2008-01-18 2015-03-17 China Iwncomm Co., Ltd. Wireless personal area network access method based on primitive
CN101247218B (en) * 2008-01-23 2012-06-06 中兴通讯股份有限公司 Safety parameter negotiation method and device for implementing media stream safety
CN101267631B (en) * 2008-04-25 2011-11-30 中兴通讯股份有限公司 A method for self-adapted configuration of access points at a mobile terminal
CN101594645A (en) * 2008-05-30 2009-12-02 日电(中国)有限公司 Access control system and method
WO2010066185A1 (en) * 2008-12-09 2010-06-17 西安西电捷通无线网络通信有限公司 Authentication associated suite discovery and negotiation method
KR101307177B1 (en) * 2008-12-09 2013-09-11 차이나 아이더블유엔콤 씨오., 엘티디 Authentication associated suite discovery and negotiation method
US8625801B2 (en) 2008-12-09 2014-01-07 China Iwncomm Co., Ltd. Authentication associated suite discovery and negotiation method
CN101621802B (en) * 2009-08-13 2012-02-08 杭州华三通信技术有限公司 Entrance authentication method, system and device in wireless network
WO2011082529A1 (en) * 2010-01-08 2011-07-14 华为技术有限公司 Method, apparatus and system for updating group transient key
US9066231B2 (en) 2010-06-02 2015-06-23 Hangzhou H3C Technologies Co., Ltd. Method for 802.1X authentication, access device and access control device
WO2011150861A1 (en) * 2010-06-02 2011-12-08 Hangzhou H3C Technologies Co., Ltd. Method for 802.1X Authentication, Access Device and Access Control Device
CN102271125A (en) * 2010-06-02 2011-12-07 杭州华三通信技术有限公司 Method for carrying out 802.1X authentication cross equipment, access equipment and access control equipment
CN101917695A (en) * 2010-09-13 2010-12-15 上海市共进通信技术有限公司 Fast Handover Method for Wireless Network Roaming Based on 802.11 Standard
CN101917695B (en) * 2010-09-13 2012-10-24 上海市共进通信技术有限公司 Fast switching method based on roaming of 802.11 standard wireless network
CN101951587B (en) * 2010-09-13 2012-11-28 上海市共进通信技术有限公司 Method for realizing fast roaming switch in wireless network in line with 802.11 standard
CN101951587A (en) * 2010-09-13 2011-01-19 上海市共进通信技术有限公司 Method for realizing fast roaming switch in wireless network in line with 802.11 standard
CN102065517B (en) * 2010-11-19 2013-03-06 清华大学 Limited sending method for enhancing performance of 802.11 distributed coordination function
CN102065517A (en) * 2010-11-19 2011-05-18 清华大学 Limited sending method for enhancing performance of 802.11 distributed coordination function
US9071968B2 (en) 2010-12-09 2015-06-30 Huawei Technologies Co., Ltd. Method, apparatus, and system for centralized 802.1X authentication in wireless local area network
CN103200004B (en) * 2012-01-09 2018-11-20 中兴通讯股份有限公司 Send the method for message, the method for establishing secure connection, access point and work station
CN103200004A (en) * 2012-01-09 2013-07-10 中兴通讯股份有限公司 Method of sending message, method of establishing secure connection, access point and work station
CN103391542B (en) * 2012-05-08 2016-11-23 华为终端有限公司 EAP authentication triggering method and system, access network equipment, terminal unit
CN103391542A (en) * 2012-05-08 2013-11-13 华为终端有限公司 EAP authentication triggering method and system, access network equipment and terminal equipment
CN103281754B (en) * 2013-04-25 2017-02-22 深信服网络科技(深圳)有限公司 Local forwarding mode-based wireless access point information acquisition method and device
CN103281754A (en) * 2013-04-25 2013-09-04 深信服网络科技(深圳)有限公司 Local forwarding mode-based wireless access point information acquisition method and device
CN104243416B (en) * 2013-06-17 2018-04-27 华为技术有限公司 Encryption communication method, system and relevant device
CN104243416A (en) * 2013-06-17 2014-12-24 华为技术有限公司 Encryption communication method and system and related equipment
CN106685600A (en) * 2015-11-05 2017-05-17 北京中广上洋科技股份有限公司 A Method of Message Transmission Between Workstations in Local Area Network
CN106685600B (en) * 2015-11-05 2019-09-20 北京中广上洋科技股份有限公司 A Method of Message Transmission Between Workstations in Local Area Network
CN107528857A (en) * 2017-09-28 2017-12-29 北京东土军悦科技有限公司 A kind of authentication method based on port, interchanger and storage medium
CN112512041A (en) * 2019-09-13 2021-03-16 三星电子株式会社 Systems, methods, and devices for associating and authenticating multi-access point coordination
US12375913B2 (en) 2019-09-13 2025-07-29 Samsung Electronics Co., Ltd. Systems, methods, and devices for association and authentication for multi access point coordination
CN115428502A (en) * 2020-03-27 2022-12-02 松下知识产权经营株式会社 Communication device and communication method

Also Published As

Publication number Publication date
CN1186906C (en) 2005-01-26

Similar Documents

Publication Publication Date Title
CN1186906C (en) Wireless LAN safety connecting-in control method
US8635444B2 (en) System and method for distributing keys in a wireless network
US8127136B2 (en) Method for security association negotiation with extensible authentication protocol in wireless portable internet system
CN1265607C (en) Method for building up service tunnel in wireless local area network
CN100341290C (en) An authentication method for fast switching in wireless local area network
TWI293844B (en) A system and method for performing application layer service authentication and providing secure access to an application server
CN1265676C (en) Method for realizing roaming user to visit network inner service
CN1298194C (en) Radio LAN security access method based on roaming key exchange authentication protocal
CN100512182C (en) Fast switch method and system in wireless local area network
CN1874271A (en) Protection for wireless devices against false access-point attacks
CN1756156A (en) Be used for coming at access to netwoks the equipment and the method for authenticated user in communication system
CN1720688A (en) Key Generation in Communication Systems
CN1726483A (en) Authentication in communication systems
CN1567868A (en) Authentication method based on Ethernet authentication system
CN1929371A (en) Method for User and Peripheral to Negotiate a Shared Key
CN1610319A (en) Analysis access processing method of selected service in wireless local area network
CN1243434C (en) Method for implementing EAP authentication in remote authentication based network
CN101039181A (en) Method for preventing service function entity of general authentication framework from attack
CN101064605A (en) AAA framework of multi-host network and authentication method
WO2010069202A1 (en) Authentication negotiation method and the system thereof, security gateway, home node b
CN101150472A (en) Authentication method, authentication server and terminal in WIMAX
CN1697370A (en) A method for applying for a certificate by a wireless local area network mobile terminal
CN1225941C (en) Roaming Access Method of Mobile Node in Wireless IP System
CN1527557A (en) A method for transparently transmitting 802.1X authentication packets by bridge devices
CN101079786A (en) Interconnection system and authentication method and terminal in interconnection system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C14 Grant of patent or utility model
GR01 Patent grant
C19 Lapse of patent right due to non-payment of the annual fee
CF01 Termination of patent right due to non-payment of annual fee