CN101013940A - Identity authentication method compatible with 802.11i and WAPI - Google Patents
Identity authentication method compatible with 802.11i and WAPI
- Publication number: CN101013940A (application CN200610105243)
- Authority: CN (China)
- Prior art keywords: message, authentication, wapi, eap, sta
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Links
- 238000000034 method Methods 0.000 title claims abstract description 33
- 230000004044 response Effects 0.000 claims abstract description 33
- 230000005540 biological transmission Effects 0.000 claims abstract description 7
- 101100217298 Mus musculus Aspm gene Proteins 0.000 claims description 2
- 238000000205 computational method Methods 0.000 claims 1
- 230000003993 interaction Effects 0.000 abstract description 17
- 230000008569 process Effects 0.000 abstract description 15
- 238000010586 diagram Methods 0.000 description 13
- 238000004364 calculation method Methods 0.000 description 4
- 230000007246 mechanism Effects 0.000 description 4
- 238000012795 verification Methods 0.000 description 4
- 230000007547 defect Effects 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 238000005538 encapsulation Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004913 activation Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 229920001690 polydopamine Polymers 0.000 description 1
Classification: Small-Scale Networks (AREA); Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses an identity authentication method compatible with both 802.11i and WAPI, intended to solve the problem that foreign wireless products which do not support WAPI cannot enter the Chinese market. The exchange proceeds as follows: the mobile station STA sends an Extensible Authentication Protocol (EAP) start message to the access point AP; the AP sends a timestamp request message to the STA; if the STA supports WAPI, it returns a timestamp response message carrying its identity and access request time; the AP signs this message and sends it to the ASU; if the ASU supports WAPI authentication, the ASU performs WAI key agreement with the STA and sends a key transport message to the AP; if either the STA or the ASU does not support WAPI authentication, the STA and the ASU perform 802.11i authentication instead; finally the STA and the AP run the four-way handshake. The invention has the advantage of being compatible with both 802.11i and WAPI and can be used for identity authentication in wireless local area networks.
Description
Technical field
The invention belongs to the field of wireless communication technology and concerns the security of wireless local area networks (WLANs). Specifically, it addresses the incompatibility between the international WLAN security standard IEEE 802.11i and the Chinese WLAN security standard WAPI by proposing an authentication scheme compatible with both, so as to solve the identity authentication and key agreement problems faced by foreign wireless products entering the Chinese market.
Background
With the rapid development and spread of wireless local area networks, their security has drawn increasing attention. The IEEE 802.11 working group developed a new-generation security standard known as 802.11i, which strengthens WLAN data encryption and authentication and remedies many of the weaknesses of the earlier WEP encryption mechanism. The standard was approved in June 2004 and is used as the standard security solution for wireless LANs.
To address WLAN security, China also issued its own national WLAN standard GB 15629.11 in 2003. Its security mechanism, WAPI, consists of two modules: the authentication infrastructure WAI and the privacy infrastructure WPI, which respectively authenticate user identities and encrypt transmitted data. In 2004 the Broadband Wireless IP Standard Working Group of the National Information Technology Standardization Technical Committee published an implementation guide for the national standard that revised the security defects of the original WAI. In January 2006 the relevant state authorities stipulated that government procurement must give priority to products that conform to the national WLAN security standard GB 15629.11/1102 and have passed product certification, and that projects with special national information security requirements must procure certified products.
The two standards, 802.11i and WAPI, are however incompatible, so wireless products made by foreign manufacturers, such as notebook computers and PDAs that implement 802.11i, cannot enter the Chinese market. The resulting problems have become a focus of attention in the WLAN field. At present it is unlikely that either scheme will replace the other. To broaden the adoption and use of wireless LANs, it is therefore necessary to consider how the two schemes can be made compatible.
1. The international WLAN security standard 802.11i
The international WLAN security standard 802.11i builds on two security protocols: the Extensible Authentication Protocol (EAP) and the IEEE 802.1X-based authentication framework.
EAP was originally devised for the Point-to-Point Protocol (PPP). Its purpose was to defer the choice of authentication mechanism from the PPP link control protocol (LCP) phase to an optional PPP authentication phase, so that the authentication system can request more information before deciding on a specific mechanism. EAP is not itself an authentication protocol but an encapsulation format for authentication protocols; through this encapsulation the client and the authentication server can dynamically negotiate the specific authentication protocol to use.
IEEE 802.1X is a port-based access control framework with three kinds of entity: the mobile station STA, the authenticator, and the authentication server AS. The STA is a user that wants to use network resources; the authenticator, usually the access point AP, is the device that separates the STA from the network and prevents unauthorized access; the AS is a back-end device that completes the authentication of the STA and decides whether to allow or deny its access request.
IEEE 802.1X messages are carried over EAP in two ways: (1) between the STA and the AP, the EAPOL protocol runs directly on the link; (2) between the AP and the AS, EAP also runs but is encapsulated in a higher-layer protocol. IEEE defines no protocol of its own for that connection; most deployments use EAP over RADIUS. Figure 1 shows the entities of a typical IEEE 802.1X/EAP deployment.
In a typical 802.1X/EAP authentication, the STA first sends the EAP start message EAPOL-Start to the AP to indicate that it wishes to join the network. On receiving it, the AP sends the EAP identity request EAP-Req/Identity to the STA, asking for its identity. The STA must answer with the EAP identity response EAP-Resp/Identity, which the AP forwards to the AS. The STA and the AS then exchange authentication messages; the details depend on the authentication protocol actually chosen. Although all authentication messages pass through the AP, the AP does not need to understand their contents. When the authentication finishes, the AS decides whether to allow or deny the STA access and notifies the STA of the result with EAP-Success or EAP-Failure. When the AP forwards the EAP-Success or EAP-Failure message it also uses that message to allow or block the STA's data traffic through it. If authentication succeeds, the STA and the AS hold a master key MK, and the AP shares a pairwise master key PMK with the STA.
After IEEE 802.11i authentication completes, the AP and the STA exchange four messages (the four-way handshake). Through this exchange the STA and the AP confirm each other's liveness and freshness, synchronize session keys, and bind the PMK to the STA's physical (MAC) address. The four-way handshake also establishes the key hierarchy, which better protects the encryption keys.
2. The Chinese WLAN security standard WAPI
The Chinese WLAN security standard WAPI consists of two modules, the authentication infrastructure WAI and the privacy infrastructure WPI, which respectively authenticate user identities and encrypt transmitted data. WAI uses a port-based authentication model similar to IEEE 802.1X; the whole system consists of the mobile station STA, the access point AP and the authentication service unit ASU. The ASU is the most important component of WAI: its basic functions are managing user certificates and verifying user identities.
WAI uses public-key certificates for authentication and key agreement. Its goal is mutual authentication between the STA and the AP, which gives strong resistance to attacks that use a rogue ("fake") AP. The WAI exchange, shown in Figure 2, consists of two parts: certificate authentication and key agreement.
1. Certificate authentication
(1) The AP sends an authentication activation request to the STA;
(2) In the access authentication request, the STA submits its own public-key certificate and the access request time to the AP;
(3) In the certificate authentication request, the AP sends the STA's certificate, the access request time and the AP's own certificate, together with its signature over these three parts, to the ASU;
(4) When the ASU receives the certificate authentication request from the AP, it first verifies the AP's signature and certificate. If that succeeds, it then verifies the STA's certificate. The ASU then signs, with its own private key, the verification results for the STA and AP certificates together with the STA's access request time, and returns this signature along with the certificate verification results to the AP.
(5) The AP verifies the certificate authentication response it receives and obtains the verification result for the STA's certificate. The AP must also forward the ASU's verification result to the STA, and the STA in turn verifies the ASU's signature and obtains the ASU's verification result for the AP's certificate.
2. Key agreement
First the notation:
PK_A denotes the public key of A;
ENC(PK_A, m) denotes the encryption of message m under A's public key PK_A;
Sig_A(m) denotes A's digital signature over message m with A's private key.
The key agreement process of the national standard implementation guide is shown in Figure 3 and proceeds as follows:
(1) The implementation guide requires that the key agreement request be sent by the AP. In this request the AP chooses a random number r1, encrypts it under the STA's public key PK_STA, and computes the security parameter index SPI from the STA's access request time and the medium access control (MAC) addresses of the STA and the AP. Finally, the AP computes a digital signature over the encrypted random number and the SPI;
(2) On receiving the key agreement request, the STA first checks the SPI and the AP's signature. If both are correct, it decrypts ENC(PK_STA, r1) to obtain r1, generates its own random number r2, and computes the 16-octet unicast master key k = r1 ⊕ r2 (bitwise exclusive-or). It then expands k with the KD-HMAC-SHA256 algorithm into a 48-octet unicast session key: the first 16 octets are the unicast encryption key kd, the middle 16 octets the unicast integrity check key, and the last 16 octets the message authentication key ka. The STA then encrypts r2 under the AP's public key PK_AP and finally uses ka to compute an HMAC-SHA256 message authentication code over the SPI and ENC(PK_AP, r2).
(3) On receiving the key agreement response, the AP first decrypts ENC(PK_AP, r2) to obtain r2, then runs the same key derivation as the STA to compute the encryption key kd, the integrity check key and the message authentication key ka. Finally it verifies the message authentication code sent by the STA. If it is correct, the STA is allowed access to the network; otherwise the message is discarded and the STA is denied access.
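The key derivation and MAC check of steps (1) to (3), as an added example that is not part of the patent or of GB 15629.11. The WAPI public-key encryption, the AP's signature and the real KD-HMAC-SHA256 algorithm are not reproduced: `seal_stub`/`unseal_stub` only mark which public key the real scheme would use, `kd_hmac_sha256` is an HMAC-SHA256 counter expansion of the same shape, and `compute_spi` is an assumed hash over the three inputs the text names (the standard's actual SPI function is not given on this page). The access time, MAC address and BSSID are constructed values. What the example shows is the part the page does specify: k = r1 ⊕ r2, the 48-octet split into kd, ki and ka, and the AP refusing access when the MAC over SPI || ENC(PK_AP, r2) does not verify.

```python
import hashlib
import hmac
import os
import struct

# GB 15629.11's KD-HMAC-SHA256 is not reproduced; this HMAC-SHA256 counter
# expansion is a stand-in with the same shape (assumption).
def kd_hmac_sha256(key: bytes, text: bytes, length: int) -> bytes:
    """Expand `key` into `length` octets as HMAC-SHA256(key, text || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, text + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def compute_spi(access_time: int, sta_mac: bytes, bssid: bytes) -> bytes:
    """SPI from the three inputs the text names; the real function is not given, so a truncated SHA-256 is assumed."""
    return hashlib.sha256(struct.pack("!I", access_time) + sta_mac + bssid).digest()[:4]


def seal_stub(recipient: bytes, m: bytes) -> bytes:
    """Stand-in for ENC(PK_recipient, m). NOT encryption: it only records whose public key the real scheme uses."""
    return b"ENC[" + recipient + b"]" + m


def unseal_stub(blob: bytes) -> bytes:
    return blob[blob.index(b"]") + 1:]


def derive_unicast_keys(r1: bytes, r2: bytes, spi: bytes) -> dict:
    """k = r1 XOR r2 (16 octets), expanded to 48 octets and split into kd, ki, ka as the text describes."""
    if len(r1) != 16 or len(r2) != 16:
        raise ValueError("r1 and r2 must be 16 octets")
    k = bytes(a ^ b for a, b in zip(r1, r2))
    usk = kd_hmac_sha256(k, spi, 48)          # the expansion's `text` input is assumed to be the SPI
    return {"k": k, "kd": usk[:16], "ki": usk[16:32], "ka": usk[32:48]}


def response_mac(ka: bytes, spi: bytes, enc_r2: bytes) -> bytes:
    """The STA's HMAC-SHA256 message authentication code over SPI || ENC(PK_AP, r2) under ka."""
    return hmac.new(ka, spi + enc_r2, hashlib.sha256).digest()


def ap_verify(r1: bytes, spi: bytes, enc_r2: bytes, mac: bytes):
    """AP side of step (3): recover r2, derive the same keys, and check the MAC before opening the port."""
    keys = derive_unicast_keys(r1, unseal_stub(enc_r2), spi)
    ok = hmac.compare_digest(response_mac(keys["ka"], spi, enc_r2), mac)
    return ok, keys


def run_key_agreement(r1=None, r2=None, tamper=False):
    """Steps (1)-(3) end to end; `tamper` flips one bit of ENC(PK_AP, r2) in flight so the MAC check fails."""
    r1 = r1 or os.urandom(16)
    r2 = r2 or os.urandom(16)
    # constructed access time, STA MAC address and AP BSSID
    spi = compute_spi(1_700_000_000, bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"))
    enc_r1 = seal_stub(b"STA", r1)                                # (1) AP -> STA (AP signature omitted here)
    sta_keys = derive_unicast_keys(unseal_stub(enc_r1), r2, spi)  # (2) STA derives the key set
    enc_r2 = seal_stub(b"AP", r2)
    mac = response_mac(sta_keys["ka"], spi, enc_r2)               # (2) STA -> AP: SPI, ENC(PK_AP, r2), MAC
    if tamper:
        enc_r2 = enc_r2[:-1] + bytes([enc_r2[-1] ^ 0x01])
    ok, ap_keys = ap_verify(r1, spi, enc_r2, mac)                 # (3) AP checks before granting access
    return ok, sta_keys, ap_keys
```

`run_key_agreement()` returns `(True, keys, keys)` with both sides holding identical kd, ki and ka; `run_key_agreement(tamper=True)` returns `False` in the first position, which is the branch in which the AP discards the message and blocks the STA.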
Summary of the invention
The purpose of the present invention is to overcome the above incompatibility between 802.11i and WAPI by proposing an authentication method compatible with both, so as to solve the identity authentication problem in wireless LANs.
The purpose of the invention is achieved as follows:
1. Main framework of the method
1) The mobile station STA sends the EAP start message EAPOL-Start to the access point AP;
2) The AP sends the timestamp request message EAP-Req/WTS to the STA, requesting the STA's identity and access request time;
3) The STA chooses its response according to whether it supports the WAPI protocol: if it supports WAPI authentication, it returns the timestamp response message EAP-Resp/WTS to the AP, whose content includes the STA's identity and access request time;
4) The AP signs the timestamp response message EAP-Resp/WTS and sends it to the authentication service unit ASU in an access request message;
5) On receiving the access request message, the ASU chooses its response according to whether it supports WAPI: if it supports WAPI authentication, it sends a WAPI key agreement request message to the STA to perform WAPI authentication;
6) The STA sends a WAPI key agreement response message to the ASU, completing WAPI authentication with the ASU;
7) When WAPI authentication ends, the ASU sends EAP-Success and a key transport message to the AP;
8) The AP forwards the authentication success message EAP-Success sent by the ASU to the STA;
9) The STA and the AP perform the four-way handshake, which ends the exchange.
2. In the framework of 1, in step 3) the STA chooses its response according to whether it supports the WAPI protocol; if the STA does not support WAPI, it returns a Nak message to the AP (the Nak message defined in the EAP framework, RFC 3748). The AP then first sends the identity request message EAP-Req/ID to the STA, requesting its identity; the STA and the ASU then negotiate and run an 802.11i authentication method; finally the STA and the AP perform the four-way handshake, which ends the exchange.
3. In the framework of 1, in step 5) the ASU, on receiving the access request message, chooses its response according to whether it supports WAPI; if the ASU does not support WAPI authentication, it first negotiates and runs an 802.11i authentication method with the STA; then the STA and the AP perform the four-way handshake, which ends the exchange.
The invention has the following advantages
With the invention, a mobile device that adopts the compatibility scheme can perform both 802.11i and WAPI authentication, which solves the problem that mobile devices made by foreign manufacturers cannot enter the Chinese market; conversely, even where a foreign WLAN does not support WAPI authentication, domestic mobile devices can still be used abroad because they support 802.11i.
Because the invention preserves the WAI key agreement protocol as far as possible and keeps the changes to WAPI to a minimum, compatibility with WAPI is easy to achieve.
The invention also leaves the 802.11i framework essentially unchanged: it only adds one EAP request message, EAP-Req/WTS, at the initial stage, and treats the WAI key agreement protocol as one method under the 802.11i framework. This preserves the flexibility of 802.11i in two ways: first, the specific authentication protocol between the STA and the authentication server need not be fixed in advance but is negotiated dynamically while the protocol runs; second, when the STA supports WAPI authentication, the ASU can choose WAPI or 802.11i authentication according to the requirements of the particular application.
In summary, the compatibility scheme makes the smallest possible changes to 802.11i and WAPI, retaining the framework and flexibility of 802.11i while preserving the characteristics of WAPI, and so is highly compatible.
Description of drawings
Figure 1 is the entity diagram of IEEE 802.1X/EAP
Figure 2 is the WAI diagram of the WAPI implementation scheme
Figure 3 is the key agreement diagram of the WAPI implementation scheme
Figure 4 is the execution flow chart of the compatibility scheme protocol
Figure 5 is the protocol exchange diagram for the compatibility scheme executing WAPI
Figure 6 is the EAP-Req/WTS message diagram
Figure 7 is the EAP-Resp/WTS message diagram
Figure 8 is the access request message diagram
Figure 9 is the key agreement request message diagram
Figure 10 is the key agreement response message diagram
Figure 11 is the EAP-Success and key transport message diagram
Figure 12 is the EAP-Success message diagram
Figure 13 is the EAP-Failure message diagram
Figure 14 is the EAP-Req/ID message diagram
Detailed description
The method of the invention is described in detail below with reference to the execution flow chart of the compatibility scheme (Figure 4) and the protocol exchange for executing WAPI (Figure 5):
1. The mobile station STA sends the EAP start message EAPOL-Start to the access point AP.
This message indicates that the STA requests EAP identity authentication; its format follows the definition of EAPOL-Start in 802.11i.
2. The AP sends the timestamp request message EAP-Req/WTS to the STA.
With the timestamp request message EAP-Req/WTS the AP asks the STA to send its identity and current access time. Since no such message type exists among current EAP messages, a new EAP message type, WAPI-WTS, has to be added. Its format is shown in Figure 6.
The message format in Figure 6 follows the EAP framework (IETF RFC 3748) and consists of four parts: the first part, the Code with value 1, indicates an EAP Request; the second part, the Identifier, is unique to each EAP message, its value determined at run time and generally random; the third part, Length, is the length of the whole message; and the fourth part, EAP-WTS, is the newly added EAP Type value.
3. The STA chooses its response according to whether it supports WAPI.
If the STA supports WAPI authentication, it returns the EAP timestamp response message EAP-Resp/WTS to the AP, sending its own identity and access time; the format is shown in Figure 7. The message consists of six parts: the Code value 2 in the first part indicates that the message is a Response to the timestamp request EAP-Req/WTS; the second part is the message Identifier; the third part, Length, is the length of the whole message; the fourth part, EAP-WTS, is the newly added EAP Type value and must equal the EAP Type in the timestamp request EAP-Req/WTS; the fifth part is the STA's identity; the sixth part is the STA's access time.
If the STA does not support WAPI, the following steps are performed:
(1) The STA returns a Nak message to the AP. The Nak message is the one defined in the EAP framework, RFC 3748.
(2) The AP sends the EAP identity request message EAP-Req/ID to the STA, requesting its identity. The format of this identity request is shown in Figure 14: the Code value 1 in the first part indicates a Request, the second part (Identifier) and third part (Length) are defined as in Figure 6, and the fourth part, EAP Type Identity = 1, indicates that the AP requests the STA to send its identity.
(3) The ASU performs 802.11i authentication with the STA. The ASU and the STA first negotiate the 802.11i authentication protocol, then perform identity authentication and key agreement according to the chosen protocol.
(4) The STA and the AP perform the four-way handshake, which ends the protocol exchange. The four-way handshake is executed as defined in 802.11i.
4. The access point AP sends an EAP access request message to the authentication service unit ASU.
The access point AP first checks whether the access request time in the timestamp response message sent by the STA is correct. If it is, the AP computes a signature over the identity of the mobile station STA and the STA's access request time, then adds this signature and the AP's own identity to the EAP-Resp/WTS message and sends the resulting EAP access request message to the authentication service unit ASU. The message format is shown in Figure 8; the AP's signature uses the signature algorithm specified in WAPI.
5. Depending on whether WAPI authentication is supported, the authentication service unit ASU chooses between WAPI authentication and 802.11i authentication.
When the authentication service unit ASU receives the access request message, it first checks the message's EAP type. If the type is EAP-WTS, the ASU checks whether it itself supports WAPI authentication; if so, it performs WAPI authentication with the mobile station STA. The ASU first verifies the AP's signature and checks whether the STA's certificate is valid; if both checks pass, it sends a key negotiation request message to the mobile station STA. Because 802.11i currently does not support the WAPI authentication method, a new authentication type, EAP-WAPI, must be added to the type field of the EAP message; both the key negotiation request and the response set the EAP type field to this value. The format of the key negotiation request message is shown in Figure 9. The message consists of eight parts: "1" in the first part indicates that the message is a request; the second part, identifier, is the message identifier; the third part, length, is the length of the whole message; the fourth part is the newly added EAP type EAP-WAPI, indicating that the mobile station STA is performing WAPI authentication with the authentication service unit ASU; the fifth part is the security parameter index SPI, composed of the STA's access request time, the STA's MAC address and the AP's basic service set identifier BSSID; the sixth part is ENC(PK_STA, r1), where r1 is a random number chosen by the ASU and encrypted under the STA's public key PK_STA using the encryption algorithm specified in WAPI; the seventh part is the STA's access time; the eighth part is the ASU's signature over the whole message, using the signature algorithm specified in WAPI.
If the authentication service unit ASU does not support WAPI authentication, the procedure is as follows:
(1) The authentication service unit ASU performs 802.11i authentication with the mobile station STA. The ASU first negotiates the 802.11i authentication protocol with the STA, then performs identity authentication and key negotiation according to the selected authentication protocol.
(2) The mobile station STA and the authentication service unit ASU carry out the four-way handshake, and the protocol interaction ends.
The four-way handshake is executed as defined in 802.11i.
6. After receiving the WAPI key negotiation request sent by the ASU, the mobile station STA returns a key negotiation response message to the authentication service unit ASU.
The format of the key negotiation response message is shown in Figure 10. The message consists of six parts; ENC(PK_ASU, r2) and HMAC-SHA256_ka(SPI, PK_AP(r2)) are computed as in WAPI. The STA computes the session key k = r1r2, which serves as the master key MK shared between the mobile station STA and the authentication service unit ASU. The primary master key PMK shared between the mobile station STA and the access point AP is then obtained from the following formula:
PMK = prf(MK, STA-MAC-address ‖ AP-MAC-address) (1)
Here prf is a pseudo-random function, for which the SHA1 algorithm can be used; STA-MAC-address is the STA's MAC address and AP-MAC-address is the AP's MAC address.
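Formula (1) carried out on both ends, as an added example that is not the patent's code: the STA derives PMK in step 6 and the ASU repeats the same computation in step 7 before handing PMK to the AP. The page only says prf may be based on SHA1; keying it as HMAC-SHA1 with MK as the key, the minimum MK size, and the sample MK and MAC addresses are this example's assumptions.

```python
import hmac
import hashlib

def parse_mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into its six raw octets; anything else is rejected."""
    parts = text.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError("MAC address must be six colon-separated octets")
    return bytes(int(p, 16) for p in parts)

def prf(key, data):
    """The prf of formula (1). The page only says SHA1 may be used; keying it as
    HMAC-SHA1 with MK as the key is this example's choice, not the patent's wording."""
    return hmac.new(key, data, hashlib.sha1).digest()

def derive_pmk(mk, sta_mac, ap_mac):
    """PMK = prf(MK, STA-MAC-address || AP-MAC-address); 20 bytes with SHA1."""
    if len(mk) < 16:
        raise ValueError("MK too short")  # size floor is an assumption; the page gives none
    return prf(mk, parse_mac(sta_mac) + parse_mac(ap_mac))

def pmk_matches(pmk_a, pmk_b):
    """Constant-time comparison of two derived PMKs."""
    return hmac.compare_digest(pmk_a, pmk_b)

# Constructed sample values (not from the patent): a 32-byte MK and two MAC addresses
SAMPLE_MK = bytes(range(32))
SAMPLE_STA_MAC = "00:11:22:33:44:55"
SAMPLE_AP_MAC = "66:77:88:99:aa:bb"

def demo():
    """Step 6 (STA) and step 7 (ASU) derive PMK independently from the shared MK; both
    agree, while the same MK gives a different PMK for a different AP, so the PMK is
    bound to the STA/AP pair named in the formula."""
    sta_pmk = derive_pmk(SAMPLE_MK, SAMPLE_STA_MAC, SAMPLE_AP_MAC)  # computed by the STA
    asu_pmk = derive_pmk(SAMPLE_MK, SAMPLE_STA_MAC, SAMPLE_AP_MAC)  # computed by the ASU
    other_ap_pmk = derive_pmk(SAMPLE_MK, SAMPLE_STA_MAC, "66:77:88:99:aa:bc")
    return pmk_matches(sta_pmk, asu_pmk), pmk_matches(sta_pmk, other_ap_pmk)

if __name__ == "__main__":
    print(demo())  # (True, False)
```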
7. The ASU sends EAP-Success and key transmission messages to the AP.
If WAPI authentication succeeds, the authentication service unit ASU computes the key MK it shares with the mobile station STA and the primary master key PMK to be sent to the access point AP, using the same computation as in step 6. The ASU then sends the EAP-Success and key transmission messages to the access point AP, notifying it that authentication succeeded and delivering the primary master key PMK, which is used in the subsequent four-way handshake between the access point AP and the mobile station STA; a signature of the ASU is added to the EAP-Success and key transmission messages to protect them. The message format is shown in Figure 11 and consists of seven parts: the first part, Success="3", indicates that the mobile station STA and the authentication service unit ASU have authenticated successfully; the second part, identifier, is the unique identifier of the message; the third part, length, is the whole length of the message; the fourth part, ENC(PK_AP, PMK), is the primary master key PMK encrypted by the ASU under the access point AP's public key PK_AP using the encryption algorithm specified in WAPI; the fifth part is the STA's access time; the sixth part is the AP's identity; the seventh part is the ASU's signature over the whole message.
If authentication fails, the authentication service unit ASU sends an EAP-Failure message to the AP and the STA; its format is shown in Figure 12. The message consists of three parts: the first part, Failure="4", indicates that authentication failed; the second part is the message identifier; the third part is the length of the whole message.
8. The access point AP sends an EAP-Success message to the mobile station STA.
The message format is shown in Figure 13, where "3" denotes an authentication success message; identifier and length are defined as in Figure 6.
9. The mobile station STA and the authentication service unit ASU carry out the four-way handshake, and the protocol interaction ends. The four-way handshake is executed as defined in 802.11i.
With the above method, compatibility with both 802.11i and WAPI is achieved, solving the problem that foreign wireless products could not enter the Chinese market because they did not support WAPI.
Symbol description:
WAPI: China's wireless LAN security standard;
WAI: WLAN Authentication Infrastructure;
WPI: WLAN Privacy Infrastructure;
EAP: Extensible Authentication Protocol;
PPP: Point-to-Point Protocol;
LCP: Link Control Protocol;
STA: mobile station;
AP: access point;
Authenticator: authenticator;
AS: authentication server;
EAPOL: Extensible Authentication Protocol over the link layer;
RADIUS: Remote Authentication Dial-In User Service;
EAPOL-start: EAP start message;
EAP-Req/Identity: EAP identity request message;
EAP-Resp/Identity: EAP identity response message;
EAP-Success: EAP success message;
EAP-Failure: EAP failure message;
MK: master key shared between the mobile station and the authentication server;
PMK: primary master key shared between the mobile station and the access point;
PK_A: A's public key;
ENC(PK_A, m): encryption of message m under A's public key PK_A;
Sig_A(m): A's digital signature on message m, made with A's private key;
MAC address: medium access control address;
EAP-Req/WTS: timestamp request message;
EAP-Resp/WTS: timestamp response message;
type: EAP type;
identifier: message identifier;
Length: message length;
EAP-WTS: a newly added EAP type, denoting the WAPI timestamp and identity exchange;
Nak: negative acknowledgement message;
prf: pseudo-random function;
STA-MAC-address: the STA's MAC address;
AP-MAC-address: the AP's MAC address.
Claims (7)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200610105243A CN100586067C (en) | 2006-12-22 | 2006-12-22 | A Identity Authentication Method Compatible with 802.11i and WAPI |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200610105243A CN100586067C (en) | 2006-12-22 | 2006-12-22 | A Identity Authentication Method Compatible with 802.11i and WAPI |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101013940A true CN101013940A (en) | 2007-08-08 |
CN100586067C CN100586067C (en) | 2010-01-27 |
Family
ID=38701247
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200610105243A Expired - Fee Related CN100586067C (en) | 2006-12-22 | 2006-12-22 | A Identity Authentication Method Compatible with 802.11i and WAPI |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100586067C (en) |
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2010097003A1 (en) * | 2009-02-27 | 2010-09-02 | 西安西电捷通无线网络通信股份有限公司 | Method for realizing integration of wapi and capwap by split mac mode |
WO2010096996A1 (en) * | 2009-02-27 | 2010-09-02 | 西安西电捷通无线网络通信股份有限公司 | Method for realizing integration of wapi and capwap in local mac mode |
WO2010124490A1 (en) * | 2009-04-30 | 2010-11-04 | 中兴通讯股份有限公司 | Wireless local area network authentication and privacy infrastructure certificate obtaining method and system |
WO2010130121A1 (en) * | 2009-05-15 | 2010-11-18 | 中兴通讯股份有限公司 | Method and system for accessing 3rd generation network |
CN101651682B (en) * | 2009-09-15 | 2012-08-29 | 杭州华三通信技术有限公司 | Method, system and device of security certificate |
CN101730097B (en) * | 2009-11-18 | 2012-10-10 | 中兴通讯股份有限公司 | Method and system for accessing wireless terminal to wireless network |
CN102823280A (en) * | 2010-03-29 | 2012-12-12 | 诺基亚公司 | Authentication key generation arrangement |
CN103139770A (en) * | 2013-01-30 | 2013-06-05 | 中兴通讯股份有限公司 | Method for transmitting paired master cryptography keys in wireless local area network (WLAN) access network and system |
CN103312495A (en) * | 2013-06-25 | 2013-09-18 | 杭州华三通信技术有限公司 | Grouped connectivity association (CA) forming method and device |
CN103391543A (en) * | 2012-05-07 | 2013-11-13 | 中兴通讯股份有限公司 | Method and device for achieving roaming switch |
CN104158653A (en) * | 2014-08-14 | 2014-11-19 | 华北电力大学句容研究中心 | Method of secure communication based on commercial cipher algorithm |
WO2015103748A1 (en) * | 2014-01-08 | 2015-07-16 | 华为技术有限公司 | Authentication association method and system |
EP2403313A4 (en) * | 2009-02-27 | 2017-05-24 | China Iwncomm Co., Ltd | Method for implementing a convergent wireless local area network (wlan) authentication and privacy infrastructure (wapi) network architecture in a local mac mode |
CN107769914A (en) * | 2016-08-17 | 2018-03-06 | 华为技术有限公司 | Protect the method and the network equipment of data transmission security |
CN109565441A (en) * | 2016-08-11 | 2019-04-02 | 格马尔托股份有限公司 | A method of for configuring the first communication equipment by using the second communication equipment |
CN114040400A (en) * | 2021-10-22 | 2022-02-11 | 广西电网有限责任公司 | Method for preventing DOS attack for WAPI authentication server |
WO2024026735A1 (en) * | 2022-08-03 | 2024-02-08 | Oppo广东移动通信有限公司 | Authentication method and apparatus, device, and storage medium |
- 2006-12-22 CN CN200610105243A patent/CN100586067C/en not_active Expired - Fee Related
Cited By (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2010097003A1 (en) * | 2009-02-27 | 2010-09-02 | 西安西电捷通无线网络通信股份有限公司 | Method for realizing integration of wapi and capwap by split mac mode |
WO2010096996A1 (en) * | 2009-02-27 | 2010-09-02 | 西安西电捷通无线网络通信股份有限公司 | Method for realizing integration of wapi and capwap in local mac mode |
EP2403313A4 (en) * | 2009-02-27 | 2017-05-24 | China Iwncomm Co., Ltd | Method for implementing a convergent wireless local area network (wlan) authentication and privacy infrastructure (wapi) network architecture in a local mac mode |
WO2010124490A1 (en) * | 2009-04-30 | 2010-11-04 | 中兴通讯股份有限公司 | Wireless local area network authentication and privacy infrastructure certificate obtaining method and system |
WO2010130121A1 (en) * | 2009-05-15 | 2010-11-18 | 中兴通讯股份有限公司 | Method and system for accessing 3rd generation network |
US8769647B2 (en) | 2009-05-15 | 2014-07-01 | Zte Corporation | Method and system for accessing 3rd generation network |
CN101651682B (en) * | 2009-09-15 | 2012-08-29 | 杭州华三通信技术有限公司 | Method, system and device of security certificate |
CN101730097B (en) * | 2009-11-18 | 2012-10-10 | 中兴通讯股份有限公司 | Method and system for accessing wireless terminal to wireless network |
CN102823280A (en) * | 2010-03-29 | 2012-12-12 | 诺基亚公司 | Authentication key generation arrangement |
CN102823280B (en) * | 2010-03-29 | 2016-04-20 | 诺基亚技术有限公司 | Authenticate key generates to be disposed |
CN103391543A (en) * | 2012-05-07 | 2013-11-13 | 中兴通讯股份有限公司 | Method and device for achieving roaming switch |
WO2013166934A1 (en) * | 2012-05-07 | 2013-11-14 | 中兴通讯股份有限公司 | Method and apparatus for performing roaming handover |
CN103391543B (en) * | 2012-05-07 | 2016-11-02 | 南京中兴软件有限责任公司 | A kind of method and apparatus realizing roaming switch |
WO2014117524A1 (en) * | 2013-01-30 | 2014-08-07 | 中兴通讯股份有限公司 | Method and system for transmitting pairwise master key in wlan access network |
CN103139770B (en) * | 2013-01-30 | 2015-12-23 | 中兴通讯股份有限公司 | The method and system of pairwise master key is transmitted in WLAN access network |
CN103139770A (en) * | 2013-01-30 | 2013-06-05 | 中兴通讯股份有限公司 | Method for transmitting paired master cryptography keys in wireless local area network (WLAN) access network and system |
CN103312495A (en) * | 2013-06-25 | 2013-09-18 | 杭州华三通信技术有限公司 | Grouped connectivity association (CA) forming method and device |
CN103312495B (en) * | 2013-06-25 | 2016-07-06 | 杭州华三通信技术有限公司 | The forming method of a kind of CA in groups and device |
WO2015103748A1 (en) * | 2014-01-08 | 2015-07-16 | 华为技术有限公司 | Authentication association method and system |
US10187796B2 (en) | 2014-01-08 | 2019-01-22 | Huawei Technologies Co., Ltd. | Authentication and association method and system |
CN104158653A (en) * | 2014-08-14 | 2014-11-19 | 华北电力大学句容研究中心 | Method of secure communication based on commercial cipher algorithm |
CN104158653B (en) * | 2014-08-14 | 2017-08-25 | 北京华电天益信息科技有限公司 | A kind of safety communicating method based on the close algorithm of business |
CN109565441A (en) * | 2016-08-11 | 2019-04-02 | 格马尔托股份有限公司 | A method of for configuring the first communication equipment by using the second communication equipment |
CN109565441B (en) * | 2016-08-11 | 2021-10-08 | 格马尔托股份有限公司 | Method for configuring a first communication device by using a second communication device |
CN107769914A (en) * | 2016-08-17 | 2018-03-06 | 华为技术有限公司 | Protect the method and the network equipment of data transmission security |
US11146952B2 (en) | 2016-08-17 | 2021-10-12 | Huawei Technologies Co., Ltd. | Data transmission security protection method and network device |
CN114040400A (en) * | 2021-10-22 | 2022-02-11 | 广西电网有限责任公司 | Method for preventing DOS attack for WAPI authentication server |
CN114040400B (en) * | 2021-10-22 | 2023-12-29 | 广西电网有限责任公司 | Method for preventing DOS attack by WAPI authentication server |
WO2024026735A1 (en) * | 2022-08-03 | 2024-02-08 | Oppo广东移动通信有限公司 | Authentication method and apparatus, device, and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN100586067C (en) | 2010-01-27 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
CN100586067C (en) | A Identity Authentication Method Compatible with 802.11i and WAPI | |
CN112887338B (en) | A kind of identity authentication method and system based on IBC identification password | |
US9392453B2 (en) | Authentication | |
JP4286224B2 (en) | Method for secure and confidential communication used in a wireless local area network (WLAN) | |
CN100558035C (en) | A two-way authentication method and system | |
US20110320802A1 (en) | Authentication method, key distribution method and authentication and key distribution method | |
WO2006086932A1 (en) | An access authentication method suitable for the wire-line and wireless network | |
JP2000083018A (en) | Method for transmitting information needing secrecy by first using communication that is not kept secret | |
CN102045716B (en) | Method and system for safe configuration of station (STA) in wireless local area network (WLAN) | |
CN100358282C (en) | Key agreement method in WAPI authentication mechanism | |
CN110087240B (en) | Wireless network security data transmission method and system based on WPA2-PSK mode | |
CN103988480A (en) | Systems and methods for authentication | |
Nguyen et al. | Enhanced EAP-based pre-authentication for fast and secure inter-ASN handovers in mobile WiMAX networks | |
CN103795728A (en) | EAP authentication method capable of hiding identities and suitable for resource-constrained terminal | |
CN114386020B (en) | Quantum-safe fast secondary identity authentication method and system | |
Sun et al. | Secure and fast handover scheme based on pre-authentication method for 802.16/WiMAX infrastructure networks | |
CN112399407B (en) | 5G network authentication method and system based on DH ratchet algorithm | |
CN100525182C (en) | Authentication and encryption method for wireless network | |
CN101610507A (en) | A method for accessing 3G-WLAN Internet | |
CN117278330A (en) | Lightweight networking and secure communication method for electric power Internet of things equipment network | |
CN100488281C (en) | Method for acquring authentication cryptographic key context from object base station | |
WO2012040949A1 (en) | Method for fast handing over extensible authentication protocol (eap) authentication in mobile worldwide interoperability for microwave access (wimax) network | |
CN100456884C (en) | Re-authentication method in wireless communication system | |
CN101784048A (en) | Method and system for dynamically updating identity authentication and secret key agreement of secret key | |
CN213938340U (en) | 5G Application Access Authentication Network Architecture |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20100127 Termination date: 20151222 |
EXPY | Termination of patent right or utility model ||