
CN107690138B - Fast roaming method, device, system, access point and mobile station - Google Patents


Info

Publication number: CN107690138B
Authority: CN (China)
Prior art keywords: sta, ptk, feature information, random number, data
Legal status: Active
Application number: CN201610640221.4A
Other languages: Chinese (zh)
Other versions: CN107690138A (en)
Inventor: 陈国海
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Events:
Application filed by Huawei Technologies Co Ltd
Priority to CN201610640221.4A
Publication of CN107690138A
Application granted
Publication of CN107690138B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 36/00 Hand-off or reselection arrangements > H04W 36/0005 Control or signalling for completing the hand-off > H04W 36/0055 Transmission or use of information for re-establishing the radio link > H04W 36/0077 Transmission or use of information for re-establishing the radio link of access information of target access point
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 36/00 Hand-off or reselection arrangements > H04W 36/08 Reselecting an access point

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a fast roaming method, an apparatus, a system, an access point and a mobile station in the technical field of networks. The method comprises the following steps: the fast roaming apparatus acquires the feature information of the first AP; after determining that the STA has accessed the second AP, the fast roaming apparatus sends the feature information of the first AP to the STA; the STA generates and sends a random number and generates a PTK; the fast roaming apparatus acquires the feature information of the STA; the fast roaming apparatus sends the feature information of the STA to the first AP; the first AP generates the PTK, and link authentication, access authentication and key negotiation are complete; after determining to switch to the first AP, the STA sends a data packet encrypted with the PTK to the first AP; the first AP decrypts the encrypted data packet with the PTK; and the first AP completes the association according to whether the internal information of the decrypted data packet is consistent. The invention can reduce the roaming handover time to 0.

Description

A fast roaming method, apparatus, system, access point and mobile station

Technical field

The present invention relates to the field of network technologies, and in particular to a fast roaming method, apparatus, system, access point and mobile station.

Background

Roaming refers to the capability of a wireless local area network (WLAN) to continue serving a mobile station (STA) while the STA hands over from one wireless access point (AP) of the WLAN to another AP.

Currently an AP handover requires multiple exchanges between the STA and the AP to carry out four processes: link authentication, association, access authentication and key negotiation. If these four processes are carried out separately, the whole roaming process takes several hundred milliseconds. In the 802.11r standard developed by the Institute of Electrical and Electronics Engineers (IEEE) for WLANs, the number of exchanges is reduced by carrying more information per message: key negotiation is performed during the association and authentication processes, which reduces the roaming time to under 100 milliseconds and achieves fast roaming.

In the course of implementing the present invention, the inventor found that the prior art has at least the following problem:

In the standards defined by the International Telecommunication Union (ITU), taking Voice over Internet Protocol (VoIP) as an example, the one-way delay is required to be less than 200 ms and the jitter less than 40 ms. The time spent roaming under 802.11r is usually 50 ms to 80 ms. If bursty traffic causes the communication network to have a delay of about 160 ms and jitter of about 30 ms, the maximum one-way delay during roaming is 160 ms + 80 ms = 240 ms > 200 ms, and the jitter is 30 ms + 80 ms = 110 ms > 40 ms, which cannot meet the requirements of services such as VoIP.

Summary of the invention

To solve the problem that the prior art cannot meet the requirements of services such as VoIP, the embodiments of the present invention provide a fast roaming method, apparatus, system, access point and mobile station. The technical solution is as follows:

In a first aspect, an embodiment of the present invention provides a fast roaming method, the method comprising:

a fast roaming apparatus acquires feature information of a first access point (AP), the feature information of the first AP including the medium access control (MAC) address of the first AP and a random number generated by the first AP;

after determining that a mobile station (STA) has accessed a second AP, the fast roaming apparatus sends the feature information of the first AP to the STA, the first AP being a neighbor of the second AP;

the STA generates and sends a random number, and generates a pairwise transient key (PTK) based on the random number generated by the STA, the MAC address of the STA, a pairwise master key (PMK) and the feature information of the first AP;

the fast roaming apparatus acquires feature information of the STA, the feature information of the STA including the MAC address of the STA, the random number generated by the STA and a feature value of the PMK;

the fast roaming apparatus sends the feature information of the STA to the first AP;

the first AP generates the PTK based on the feature information of the STA and the feature information of the first AP, whereupon link authentication, access authentication and key negotiation between the STA and the first AP are complete;

after determining to switch to the first AP, the STA sends a data packet encrypted with the PTK to the first AP;

the first AP decrypts the encrypted data packet with the PTK;

the first AP completes the association between the STA and the first AP according to whether the internal information of the decrypted data packet is consistent.

Once the STA is determined to have accessed the second AP, and given that the STA can only access the second AP by passing the second AP's link authentication, access authentication and related processes, it can be taken at that point that the STA has been authenticated and its legitimacy has been provisionally established. To avoid the considerable time spent on multiple rounds of message negotiation to achieve access authentication, the present invention simplifies the process of the STA switching from the second AP to the first AP: before the STA switches to the first AP, information is exchanged between the STA and the first AP so that each obtains the other's MAC address, the PMK is configured and the PTK is generated, completing link authentication, access authentication and key negotiation between the STA and the first AP; after the STA determines to switch to the first AP, the first AP completes the association between the STA and the first AP according to whether the internal information of the first data packet sent by the STA to the first AP is consistent.

By exchanging, after the STA has accessed the second AP, the MAC addresses, PMK, PTK and other information needed to establish a wireless link between the STA and the first AP (a neighbor of the second AP), link authentication, access authentication and key negotiation for the STA's access to the first AP are completed in advance, greatly reducing the time spent exchanging information during STA roaming. In addition, when the STA determines to switch to the first AP, the first AP completes the association between the STA and the first AP according to whether the internal information of the first data packet sent by the STA to the first AP is consistent, so that the roaming process of the STA consumes no time (that is, the roaming handover time is reduced to 0). The handover is fast, fully meets the requirements of services such as VoIP and effectively protects the user experience.

In a possible implementation of the first aspect, the data packet includes data and a data digest, and the first AP completing the association between the STA and the first AP according to whether the internal information of the decrypted data packet is consistent includes:

the first AP computes a digest over the decrypted data using a data digest algorithm, obtaining a computed data digest;

the first AP compares the computed data digest with the decrypted data digest;

when the computed data digest matches the decrypted data digest, the association between the STA and the first AP is complete.

The first AP uses an existing data digest algorithm to check whether the data and the data digest in the data packet are consistent, and applies this check to the association process: the association between the STA and the AP is completed by verifying the correctness of the digest in the first data packet, with no separate association message. Building on link authentication, access authentication and key negotiation completed in two exchanges, this reduces the roaming time between the AP and the STA to 0 and protects the user experience.
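The procedure of the first aspect (steps 1 to 9 above) together with the digest-checked first data packet of this implementation, as an added worked example; this is not code from the patent or from Huawei, and it models the fast roaming apparatus as plain function calls that relay feature information. Everything the patent leaves open is an assumption of this example and marked as such in the code: the "feature value of the PMK" is modeled as an 802.11i PMKID, the PTK expansion uses HMAC-SHA256 with the 802.11i min/max ordering of addresses and nonces, SHA-256 stands in for the "data digest algorithm", an HMAC-based counter-mode keystream stands in for the unspecified link cipher (a real AP would use CCMP or GCMP), and the MAC addresses and packet number are constructed values.

```python
"""Model of the pre-handover key setup and the digest-checked first data packet.
Added example; not the patent's or Huawei's code."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PTK_LEN = 48  # KCK | KEK | TK, 16 bytes each (split assumed; see FIG. 13 of the patent)


@dataclass(frozen=True)
class ApFeatureInfo:      # feature information of the first AP
    mac: bytes            # MAC address of the first AP
    nonce: bytes          # random number generated by the first AP


@dataclass(frozen=True)
class StaFeatureInfo:     # feature information of the STA
    mac: bytes            # MAC address of the STA
    nonce: bytes          # random number generated by the STA
    pmk_feature: bytes    # "feature value of the PMK"; modeled here as an 802.11i PMKID


def pmk_feature_value(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    # 802.11i PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA). Using the PMKID as
    # the patent's "feature value of the PMK" is an assumption of this example.
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               ap_nonce: bytes, sta_nonce: bytes) -> bytes:
    # Inputs are exactly the ones the patent lists. The min/max ordering follows the
    # 802.11i convention; the patent names no PRF, so counter-mode HMAC-SHA256 is assumed.
    ctx = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
           + min(ap_nonce, sta_nonce) + max(ap_nonce, sta_nonce))
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion" + ctx + bytes([i]),
                            hashlib.sha256).digest()
                   for i in range((PTK_LEN + 31) // 32))
    return out[:PTK_LEN]


def temporal_key(ptk: bytes) -> bytes:
    return ptk[32:48]  # TK: the part of the PTK that protects data frames (assumed layout)


def stream_cipher(tk: bytes, pn: bytes, msg: bytes) -> bytes:
    # Stand-in for the link cipher: CTR-style keystream HMAC-SHA256(TK, PN || counter)
    # XORed with the message, so encryption and decryption are the same operation.
    ks = b"".join(hmac.new(tk, pn + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((len(msg) + 31) // 32))
    return bytes(m ^ k for m, k in zip(msg, ks))


def sta_first_data_packet(tk: bytes, pn: bytes, data: bytes) -> bytes:
    # Data packet = data || data digest, then encrypted with the PTK (cf. FIG. 18).
    return stream_cipher(tk, pn, data + hashlib.sha256(data).digest())


def ap_associate_on_first_packet(tk: bytes, pn: bytes, encrypted: bytes) -> bool:
    # The first AP decrypts with the PTK, recomputes the digest over the data and compares
    # it with the decrypted digest; only a match completes the association.
    plain = stream_cipher(tk, pn, encrypted)
    if len(plain) < 32:
        return False
    data, digest = plain[:-32], plain[-32:]
    return hmac.compare_digest(hashlib.sha256(data).digest(), digest)


def roam(sta_pmk: bytes, ap_pmk: bytes, stale_ap_nonce: bool = False,
         data: bytes = b"first frame after handover"):
    """Run the whole procedure once. Returns (ptk_match, associated)."""
    ap_mac, sta_mac = bytes.fromhex("02aabbcc0001"), bytes.fromhex("02aabbcc0002")  # constructed
    # Steps 1-2: the apparatus collects the first AP's feature info and hands it to the STA.
    ap_info = ApFeatureInfo(mac=ap_mac, nonce=os.urandom(32))
    # Step 3: the STA generates its random number and derives the PTK.
    sta_nonce = os.urandom(32)
    ap_nonce_seen = os.urandom(32) if stale_ap_nonce else ap_info.nonce  # stale = wrong nonce
    sta_ptk = derive_ptk(sta_pmk, ap_info.mac, sta_mac, ap_nonce_seen, sta_nonce)
    sta_info = StaFeatureInfo(mac=sta_mac, nonce=sta_nonce,
                              pmk_feature=pmk_feature_value(sta_pmk, ap_mac, sta_mac))
    # Steps 4-6: the apparatus relays the STA's feature info; the first AP checks that the
    # PMK feature value identifies its own PMK (assumed check) and derives the same PTK.
    if not hmac.compare_digest(sta_info.pmk_feature, pmk_feature_value(ap_pmk, ap_mac, sta_mac)):
        return False, False
    ap_ptk = derive_ptk(ap_pmk, ap_mac, sta_info.mac, ap_info.nonce, sta_info.nonce)
    # Steps 7-9: after deciding to switch, the STA's first data packet completes association.
    pn = (1).to_bytes(6, "big")  # packet number sent in the clear (assumption)
    pkt = sta_first_data_packet(temporal_key(sta_ptk), pn, data)
    associated = ap_associate_on_first_packet(temporal_key(ap_ptk), pn, pkt)
    return sta_ptk == ap_ptk, associated


if __name__ == "__main__":
    pmk = os.urandom(32)
    print("same PMK         ->", roam(pmk, pmk))                        # (True, True)
    print("different PMK    ->", roam(pmk, os.urandom(32)))             # (False, False)
    print("stale AP nonce   ->", roam(pmk, pmk, stale_ap_nonce=True))   # (False, False)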

In another possible implementation of the first aspect, the fast roaming apparatus is deployed on an AP or on an access controller (AC), the AC being used to control and manage the AP.

The fast roaming apparatus is realized by enhancing existing equipment, so the implementation cost is low.

In yet another possible implementation of the first aspect, the feature information of the first AP further includes at least one of the encryption mode of the first AP, the frequency of the first AP and the bandwidth of the first AP.

The feature information of the first AP may be adapted according to the information required to access the AP.

In a second aspect, an embodiment of the present invention provides a fast roaming method, the method comprising:

a fast roaming apparatus acquires feature information of a first access point (AP), the feature information of the first AP including the medium access control (MAC) address of the first AP and a random number generated by the first AP;

after determining that a mobile station (STA) has accessed a second AP, the fast roaming apparatus sends the feature information of the first AP to the STA, the first AP being a neighbor of the second AP, so that the STA generates and sends a random number and generates a pairwise transient key (PTK) based on the random number generated by the STA, the MAC address of the STA, a pairwise master key (PMK) and the feature information of the first AP;

the fast roaming apparatus acquires feature information of the STA, the feature information of the STA including the MAC address of the STA, the random number generated by the STA and a feature value of the PMK;

the fast roaming apparatus sends the feature information of the STA to the first AP, so that the first AP generates the PTK based on the feature information of the STA and the feature information of the first AP, whereupon link authentication, access authentication and key negotiation between the STA and the first AP are complete.

By exchanging, after the STA has accessed the second AP, the MAC addresses, PMK, PTK and other information needed to establish a wireless link between the STA and the first AP (a neighbor of the second AP), link authentication, access authentication and key negotiation for the STA's access to the first AP are completed in advance, greatly reducing the time spent exchanging information during STA roaming.

In a possible implementation of the second aspect, the fast roaming apparatus is deployed on an AP or on an access controller (AC), the AC being used to control and manage the AP.

The fast roaming apparatus is realized by enhancing existing equipment, so the implementation cost is low.

In a third aspect, an embodiment of the present invention provides a fast roaming method, the method comprising:

a first access point (AP) completes link authentication, access authentication and key negotiation with a mobile station (STA), obtaining the MAC address of the STA, a pairwise master key (PMK) and a pairwise transient key (PTK);

the first AP receives a data packet encrypted with the PTK, sent by the STA after determining to switch from a second AP to the first AP, the first AP being a neighbor of the second AP;

the first AP decrypts the encrypted data packet with the PTK;

the first AP completes the association between the STA and the first AP according to whether the internal information of the decrypted data packet is consistent.

By completing link authentication, access authentication and key negotiation with the STA, and obtaining the MAC address of the STA, the PMK and the PTK, before the STA determines to switch from the second AP to this AP, and then, after the STA determines to switch from the second AP to this AP, receiving the data packet the STA sends encrypted with the PTK, decrypting it with the PTK and completing the association between the STA and the first AP according to whether the internal information of the decrypted data packet is consistent, the roaming process of the STA consumes no time (that is, the roaming handover time is reduced to 0). The handover is fast, fully meets the requirements of services such as VoIP and effectively protects the user experience.

In a possible implementation of the third aspect, the data packet includes data and a data digest, and the first AP completing the association between the STA and the first AP according to whether the internal information of the decrypted data packet is consistent includes:

the first AP computes a digest over the decrypted data using a data digest algorithm, obtaining a computed data digest;

the first AP compares the computed data digest with the decrypted data digest;

when the computed data digest matches the decrypted data digest, the association between the STA and the first AP is complete.

The first AP completes the association between the STA and the AP by verifying the correctness of the digest in the first data packet, with no separate association message. Building on link authentication, access authentication and key negotiation completed in two exchanges, this reduces the roaming time between the AP and the STA to 0 and protects the user experience.

In a fourth aspect, an embodiment of the present invention provides a fast roaming method, the method comprising:

after accessing a second access point (AP), a mobile station (STA) completes link authentication, access authentication and key negotiation with a first AP, obtaining the MAC address of the first AP, a pairwise master key (PMK) and a pairwise transient key (PTK), the first AP being a neighbor of the second AP;

after determining to switch to the first AP, the STA sends a data packet encrypted with the PTK to the first AP.

By completing link authentication, access authentication and key negotiation with the first AP, and obtaining the MAC address of the first AP, the PMK and the PTK, before the STA determines to switch from the second AP to the first AP, and then, after the STA determines to switch from the second AP to the first AP, sending a data packet encrypted with the PTK so that the first AP decrypts it with the PTK and completes the association between the STA and the first AP according to whether the internal information of the decrypted data packet is consistent, the roaming process of the STA consumes no time (that is, the roaming handover time is reduced to 0). The handover is fast, fully meets the requirements of services such as VoIP and effectively protects the user experience.

In a fifth aspect, an embodiment of the present invention provides a fast roaming system, the system including devices for implementing the method of the first aspect, for example a fast roaming apparatus, a mobile station (STA), a second access point (AP) and a first AP.

In a sixth aspect, an embodiment of the present invention provides a fast roaming apparatus, the apparatus including units for implementing the method of the second aspect, for example an AP information acquisition unit, an AP information sending unit, a STA information acquisition unit and a STA information sending unit.

In a seventh aspect, an embodiment of the present invention provides an access point (AP), the AP including units for implementing the method of the third aspect, for example an access preparation unit, a packet receiving unit, a decryption unit and a determination unit.

In an eighth aspect, an embodiment of the present invention provides a mobile station (STA), the STA including units for implementing the method of the fourth aspect, for example an access preparation unit and an access completion unit.

In a ninth aspect, an embodiment of the present invention provides a fast roaming apparatus, the apparatus including a memory and a processor connected to the memory, the memory being used to store software programs and modules; when the processor runs or executes the software programs and modules stored in the memory, the method of the second aspect can be performed.

In a tenth aspect, an embodiment of the present invention further provides a computer-readable medium for storing program code to be executed by a terminal, the program code including instructions for performing the method of the second aspect.

In an eleventh aspect, an embodiment of the present invention provides an access point (AP), the AP including a memory and a processor connected to the memory, the memory being used to store software programs and modules; when the processor runs or executes the software programs and modules stored in the memory, the method of the third aspect can be performed.

In a twelfth aspect, an embodiment of the present invention further provides a computer-readable medium for storing program code to be executed by a terminal, the program code including instructions for performing the method of the third aspect.

In a thirteenth aspect, an embodiment of the present invention provides a mobile station (STA), the STA including a memory and a processor connected to the memory, the memory being used to store software programs and modules; when the processor runs or executes the software programs and modules stored in the memory, the method of the fourth aspect can be performed.

In a fourteenth aspect, an embodiment of the present invention further provides a computer-readable medium for storing program code to be executed by a terminal, the program code including instructions for performing the method of the fourth aspect.

The technical solutions provided by the embodiments of the present invention bring the following beneficial effects:

By exchanging, after the STA has accessed the second AP, the MAC addresses, PMK, PTK and other information needed to establish a wireless link between the STA and the first AP (a neighbor of the second AP), link authentication, access authentication and key negotiation for the STA's access to the first AP are completed in advance, greatly reducing the time spent exchanging information during STA roaming. In addition, when the STA determines to switch to the first AP, the first AP completes the association between the STA and the first AP according to whether the internal information of the first data packet sent by the STA to the first AP is consistent, so that the roaming process of the STA consumes no time (that is, the roaming handover time is reduced to 0). The handover is fast, fully meets the requirements of services such as VoIP and effectively protects the user experience.

Brief description of the drawings

To illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.

FIG. 1 is a diagram of an application scenario of the fast roaming method provided by an embodiment of the present invention;

FIG. 2 is a diagram of a network architecture for AP handover provided by an embodiment of the present invention;

FIG. 3 is a hardware structure diagram of a fast roaming apparatus provided by an embodiment of the present invention;

FIG. 4 is a hardware structure diagram of a first AP provided by an embodiment of the present invention;

FIG. 5 is a hardware structure diagram of a STA provided by an embodiment of the present invention;

FIG. 6 is a flowchart of a fast roaming method provided by an embodiment of the present invention;

FIG. 7 is a diagram of the interaction process by which a STA accesses a second AP, provided by an embodiment of the present invention;

FIG. 8a and FIG. 8b are schematic diagrams of the process by which a STA discovers a second AP, provided by an embodiment of the present invention;

FIG. 9a and FIG. 9b are schematic diagrams of link authentication between a STA and a second AP, provided by an embodiment of the present invention;

FIG. 10 is a schematic diagram of association between a STA and a second AP, provided by an embodiment of the present invention;

FIG. 11a and FIG. 11b are schematic diagrams of access authentication between a STA, an AC and a RADIUS server, provided by an embodiment of the present invention;

FIG. 12a and FIG. 12b are schematic diagrams of key negotiation between a STA and a second AP, provided by an embodiment of the present invention;

FIG. 13 is a schematic diagram of the structure of a PTK provided by an embodiment of the present invention;

FIG. 14a and FIG. 14b are interaction process diagrams of another fast roaming method provided by an embodiment of the present invention;

FIG. 15 is a schematic diagram of the structure of the feature information of an AP provided by an embodiment of the present invention;

FIG. 16 is a schematic diagram of the structure of a message carrying a random number generated by a STA, provided by an embodiment of the present invention;

FIG. 17 is a schematic diagram of the key structure in 802.11r provided by an embodiment of the present invention;

FIG. 18 is a schematic diagram of the data packet generation process provided by an embodiment of the present invention;

FIG. 19 is a schematic structural diagram of a fast roaming apparatus provided by an embodiment of the present invention;

FIG. 20 is a schematic structural diagram of an access point provided by an embodiment of the present invention;

FIG. 21 is a schematic structural diagram of a mobile station provided by an embodiment of the present invention;

FIG. 22a and FIG. 22b are schematic structural diagrams of a fast roaming system provided by an embodiment of the present invention.

Detailed Description

To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.

Mobile office means that office staff handle any business-related matter (Anything) at any time (Anytime) and in any place (Anywhere); it is also called "3A office". This new working mode frees staff from the constraints of time and space: they can connect to the enterprise network from any location to get their work done.

FIG. 1 is a schematic diagram of the fast roaming method provided by an embodiment of the present invention applied to a mobile office scenario. Referring to FIG. 1, a first AP 10 and a second AP 20 are connected to the same enterprise network 30, which is essentially a wireless local area network (WLAN). The enterprise network 30, a customer network 41 and a data center 42 are each connected to an operator network 50. The STA 60 is currently located in the service area of the second AP 20 (in FIG. 1 the service area of each AP is drawn as an ellipse) and is attached to the second AP 20, which is therefore called the current AP of the STA 60; through the second AP 20, the enterprise network 30 and the operator network 50 it can reach the customer network 41 and the data center 42. The STA 60 then moves into the service area of the first AP 10 (the arrow in FIG. 1 shows the direction of movement) and switches to the first AP 10, which is called the target AP of the STA 60. Because the first AP 10 is also connected to the enterprise network 30, the STA 60 can keep accessing the customer network 41 and the data center 42, which is what mobile office requires. During the handover from the second AP 20 to the first AP 10, the STA 60 uses the method provided by the embodiment of the present invention to roam quickly.

FIG. 2 is a network architecture diagram for implementing AP handover in the application scenario of FIG. 1. As shown in FIG. 2, three first APs 10 and the second AP 20 are deployed at different locations, and the three first APs 10 are neighbors of the second AP 20. Two APs that are neighbors of each other are controlled by the same access controller (AC) and share the same service set identifier (SSID). A STA can roam between neighboring APs, that is, hand over from one AP to another. The number of first APs shown in FIG. 2 is only an example and is not limited in this embodiment of the present invention.

In FIG. 2 the STA 60 is currently attached to the second AP 20 and, after moving, may hand over to one of the first APs 10. The second AP 20 and all first APs 10 are connected (usually by wire) to an access controller (AC) 70, which manages and controls the configuration, radio and user access of each AP. The AC 70 is in turn connected (usually by wire) to a Remote Authentication Dial-In User Service (RADIUS) server 80, which acts as the authentication, authorization and accounting (AAA) server and performs user access authentication.

The present invention adds a fast roaming apparatus 90 to the above architecture; its main job is to exchange information between the STA 60 and the first AP 10 before the STA 60 hands over to the first AP 10. The fast roaming apparatus may be located on the AC 70, on each AP, or on a device independent of both the AC 70 and the APs. FIG. 2 shows it as an independent device for illustration only; in practice it may equally be placed on the AC or on each AP.

In a concrete implementation the STA 60 is generally a client device: a computer fitted with a wireless network card, or a smartphone, tablet or similar device equipped with a Wireless Fidelity (Wi-Fi) module. The first AP 10, the second AP 20 and the AC 70 are network devices such as routers.

It should be noted that the architectures shown in FIG. 1 and FIG. 2 are only examples, and the present invention is not limited to them.

The fast roaming apparatus, the first AP and the STA provided by the embodiment of the present invention are described below with reference to their concrete hardware structures.

Referring to FIG. 3, the fast roaming apparatus 90 may be a network device such as a router. The fast roaming apparatus 90 may include a processor 91 with one or more processing cores, a memory 92 with one or more computer-readable storage media, a communication interface 93 and other components; the processor 91 may be connected to the memory 92 and the communication interface 93 by a bus 94. Those skilled in the art will understand that the structure shown in FIG. 3 does not limit the apparatus: it may include more or fewer components than shown, combine some components, or arrange the components differently. In detail:

The processor 91 is the control center of the fast roaming apparatus 90. It connects the parts of the whole apparatus through various interfaces and lines and, by running or executing the software programs and/or modules stored in the memory 92 and invoking the data stored there, performs the functions of the fast roaming apparatus 90 and processes its data, thereby controlling the apparatus as a whole. Optionally, the processor 91 includes one or more processing units, each of which may be a central processing unit (CPU), a network processor (NP) or the like.

The memory 92 may store software programs to be executed by the processor 91. It may be divided into a program storage area and a data storage area. The program storage area may hold the operating system, an AP information acquisition module, an AP information sending module, a STA information acquisition module and a STA information sending module; the data storage area may hold data created during use of the fast roaming apparatus 90, such as pairwise master keys and pairwise transient keys. The memory 92 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. Accordingly, the memory 92 may also include a memory controller that gives the processor 91 access to the memory 92.

The communication interface 93 may include at least one of a wired network interface (for example an Ethernet interface) and a wireless network interface (for example a WLAN interface). When the fast roaming apparatus 90 is placed on the AC or is independent of the AC and the APs, the communication interface 93 includes a wired network interface; when the fast roaming apparatus 90 is placed on an AP, the communication interface includes both a wired network interface and a wireless network interface. The communication interface 93 is controlled by the processor 91.

Optionally, the fast roaming apparatus 90 may further include an output device 95 and an input device 96, both connected to the processor 91. The output device 95 may be a display for showing information, an amplifier for playing sound, a printer or the like, and may include an output controller that provides output to the display, amplifier or printer. The input device 96 may be a mouse, keyboard, electronic stylus, touch panel or similar device through which a user enters information, and may include an input controller that receives and processes the input from such devices.

Referring to FIG. 4, the first AP 10 may be a network device such as a router. The first AP 10 may include a processor 11 with one or more processing cores, a memory 12 with one or more computer-readable storage media, a communication interface 13 and other components; the processor 11 may be connected to the memory 12 and the communication interface 13 by a bus 14. Those skilled in the art will understand that the structure shown in FIG. 4 does not limit the device: it may include more or fewer components than shown, combine some components, or arrange the components differently. In detail:

The processor 11 is the control center of the first AP 10. It connects the parts of the whole first AP 10 through various interfaces and lines and, by running or executing the software programs and/or modules stored in the memory 12 and invoking the data stored there, performs the functions of the first AP 10 and processes its data, thereby controlling the first AP 10 as a whole. Optionally, the processor 11 includes one or more processing units, each of which may be a central processing unit (CPU), a network processor (NP) or the like.

The memory 12 may store software programs to be executed by the processor 11. It may be divided into a program storage area and a data storage area. The program storage area may hold the operating system, an access preparation module, a packet receiving module, a decryption module and a determining module; the data storage area may hold data created during use of the first AP 10, such as pairwise master keys and pairwise transient keys. The memory 12 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. Accordingly, the memory 12 may also include a memory controller that gives the processor 11 access to the memory 12.

The communication interface 13 may include a wired network interface (for example an Ethernet interface) and a wireless network interface (for example a WLAN interface). The communication interface 13 is controlled by the processor 11.

Optionally, the first AP 10 may further include an output device 15 and an input device 16, both connected to the processor 11. The output device 15 may be a display for showing information, an amplifier for playing sound, a printer or the like, and may include an output controller that provides output to the display, amplifier or printer. The input device 16 may be a mouse, keyboard, electronic stylus, touch panel or similar device through which a user enters information, and may include an input controller that receives and processes the input from such devices.

FIG. 5 shows the hardware structure of a STA provided by an embodiment of the present invention. The STA 60 may be a smartphone, a tablet, a laptop or the like. Taking a smartphone as an example, the STA 60 may include a radio frequency (RF) circuit 61, a memory 62 with one or more computer-readable storage media, an input unit 63, a display unit 64, a sensor 65, an audio circuit 66, a wireless fidelity (WiFi) module 67, a processor 68 with one or more processing cores, a power supply 69 and other components. Those skilled in the art will understand that the hardware structure shown in FIG. 5 does not limit the STA: it may include more or fewer components than shown, combine some components, or arrange the components differently. In detail:

The processor 68 is the control center of the STA 60. It connects the parts of the whole STA 60 through various interfaces and lines and, by running or executing the software programs and/or modules stored in the memory 62 and invoking the data stored there, performs the functions of the STA 60 and processes its data, thereby controlling the STA 60 as a whole. Optionally, the processor 68 may include one or more processing cores; preferably, it integrates an application processor, which mainly handles the operating system, user interface and applications, and a modem processor, which mainly handles wireless communication. The modem processor may also be implemented outside the processor 68.

The memory 62 may store various data, such as configuration parameters, as well as software programs and modules; the processor 68 runs the software programs and modules stored in the memory 62 to perform the various functional applications and data processing. The memory 62 may be divided into a program storage area and a data storage area. The program storage area may hold the operating system, an access preparation module and an access completion module; the data storage area may hold data created during use of the STA 60, such as pairwise master keys and pairwise transient keys. The memory 62 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. Accordingly, the memory 62 may also include a memory controller that gives the processor 68 and the input unit 63 access to the memory 62.

The RF circuit 61 receives and transmits signals while information is being sent or received or during a call; in particular, it receives downlink information from a base station and hands it to one or more processors 68 for processing. The RF circuit 61 typically includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a subscriber identity module (SIM) card, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer and so on. The RF circuit 61 may also communicate wirelessly with networks and other devices using any communication standard or protocol, including but not limited to Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail and Short Messaging Service (SMS).

Referring to FIG. 6, which shows a fast roaming method provided by an embodiment of the present invention. In the application scenario of FIG. 1, the method implements fast roaming using the network architecture of FIG. 2. As shown in FIG. 6, the method includes:

Step S301: the STA accesses the second AP.

In this embodiment, referring to FIG. 7, step S301 may include:

Step S301a: the STA discovers the second AP;

Step S301b: the STA and the second AP perform link authentication;

Step S301c: after link authentication succeeds, the STA associates with the second AP;

Step S301d: the AC performs access authentication of the STA with the help of the RADIUS server;

Step S301e: after access authentication succeeds, the STA and the second AP perform key negotiation.

Here the AC manages and controls the APs.

Link authentication is the AP permitting the STA to use the wireless link between the two.

Association negotiates the configuration parameters of the wireless link and establishes a link that meets the data transmission requirements.

Access authentication verifies the identity of the STA and yields a pairwise master key (PMK) shared by the STA and the AP; the PMK is the root from which every key used for communication between that STA and that AP is derived. Each STA/AP pair has its own PMK: for example, STA1 and AP1 derive the keys for their communication from PMK1, STA1 and AP2 from PMK2, STA2 and AP1 from PMK3, and STA2 and AP2 from PMK4.

Key negotiation derives a pairwise transient key (PTK) from the PMK and the information exchanged between the STA and the AP; the PTK is used to encrypt the data transmitted between the STA and the AP.
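The key negotiation just described, worked through as an added example (this is not code from the patent): the IEEE 802.11i/WPA2 derivation of the PTK from the PMK, the two MAC addresses and the two nonces exchanged in the 4-way handshake, with the AP checking the STA's MIC on message 2 before it accepts the key. The PRF, the "Pairwise key expansion" label and the KCK/KEK/TK split are the standard ones for the HMAC-SHA1 AKM; the PMK, addresses, nonces and the message layout in `four_way_handshake` are constructed inputs of this example, not values from the page.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Added example, not the patent's code: 802.11i pairwise key derivation.
# Standard pieces: PRF-n over HMAC-SHA1, the key expansion label, the
# min/max ordering of addresses and nonces, and the KCK|KEK|TK split.
# Constructed pieces: the PMK, MAC addresses and nonces used in __main__
# and the tiny message-2 layout (type byte || SNonce || MIC).


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label||0x00||data||i) for i=0,1,..."""
    out = b""
    i = 0
    while len(out) < nbits // 8:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Lexicographic min/max on the byte strings equals the numeric ordering the standard uses,
    so both sides get the same PTK regardless of which address is called AA or SPA."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)


def split_ptk(ptk: bytes) -> Tuple[bytes, bytes, bytes]:
    """KCK (MIC key for the handshake), KEK (wraps the group key), TK (data encryption key, CCMP)."""
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for key descriptor version 2: HMAC-SHA1 over the frame, truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk_sta: bytes, pmk_ap: bytes, aa: bytes, spa: bytes,
                       anonce: bytes = None, snonce: bytes = None):
    """Messages 1 and 2 of the handshake between a STA and an AP that may hold
    different PMKs. Returns (accepted_by_ap, ptk_sta, ptk_ap). The PTK itself is
    never transmitted; the AP learns that the STA holds the same PMK only
    through the MIC on message 2."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    # Message 1 (AP -> STA): ANonce. The STA now has everything it needs.
    ptk_sta = derive_ptk(pmk_sta, aa, spa, anonce, snonce)
    kck_sta, _, _ = split_ptk(ptk_sta)
    # Message 2 (STA -> AP): SNonce plus a MIC computed with the MIC field zeroed.
    body = b"\x02" + snonce  # constructed layout: message type || SNonce
    msg2 = body + eapol_mic(kck_sta, body + b"\x00" * 16)
    # AP side: derive its own PTK from its PMK and the received SNonce, then check the MIC.
    rx_body, rx_mic = msg2[:-16], msg2[-16:]
    ptk_ap = derive_ptk(pmk_ap, aa, spa, anonce, rx_body[1:])
    kck_ap, _, _ = split_ptk(ptk_ap)
    expected = eapol_mic(kck_ap, rx_body + b"\x00" * 16)
    return hmac.compare_digest(expected, rx_mic), ptk_sta, ptk_ap


if __name__ == "__main__":
    # Constructed inputs: a 32-byte PMK, AP address (AA) and STA address (SPA).
    PMK = bytes(range(32))
    AA = bytes.fromhex("001122334455")
    SPA = bytes.fromhex("66778899aabb")
    ok, ptk_sta, ptk_ap = four_way_handshake(PMK, PMK, AA, SPA)
    print("same PMK -> AP accepts:", ok, "PTKs match:", ptk_sta == ptk_ap)
    bad, _, _ = four_way_handshake(PMK, bytes(32), AA, SPA)
    print("different PMK -> AP accepts:", bad)
```

The point to notice is that the STA with the wrong PMK produces a different PTK and therefore a MIC the AP cannot reproduce, so the link never reaches the data phase; this is the check the fast roaming method later has to preserve when the PTK for the target AP is prepared ahead of the handover.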

In one implementation of this embodiment, referring to FIG. 8a, step S301a may include:

1. The STA sends a probe request (Probe Request) on each supported channel in turn;

2. On receiving the probe request, the second AP sends a probe response (Probe Response) to the STA.

In this implementation the STA actively scans for the APs within reach in order to find out which APs it can access, which discovers APs quickly.

Further, the probe request may carry the service set identifier (SSID) of the AP. Each AP that receives the probe request compares the SSID in the request with its own SSID and sends a probe response to the STA only if the two SSIDs match. Only APs whose SSID equals the SSID in the probe request therefore respond, which makes it easy for the STA to find the AP it wants.

In another implementation of this embodiment, referring to FIG. 8b, step S301a may include:

1. The second AP sends a beacon (Beacon) frame at a set period;

2. The STA receives the beacon frame sent by the second AP.

In this implementation the STA waits passively for beacon frames from the APs within reach in order to find out which APs it can access. Compared with actively sending probe requests, passively receiving beacon frames saves a great deal of the STA's power, and this power saving is why the passive approach is widely used.

In a concrete implementation the set period may be 100 ms, and the beacon frame may carry the AP's SSID, supported rates and so on.

In one implementation of this embodiment, referring to FIG. 9a, step S301b may include:

1. The STA sends a link authentication request to the second AP;

2. The second AP sends a link authentication response to the STA.

This implementation is called open system authentication (Open System Authentication): as long as a STA sends an authentication request, the AP lets it authenticate successfully. It is currently in wide use.

In another implementation of this embodiment, referring to FIG. 9b, step S301b may include:

1. The STA sends a link authentication request to the second AP;

2. The second AP generates a challenge phrase and sends it to the STA;

3. The STA encrypts the challenge phrase with a preconfigured key and sends the encrypted challenge phrase to the second AP;

4. The second AP encrypts the challenge phrase it sent to the STA with its own preconfigured key and compares the result with the encrypted challenge phrase it received;

5. If the two encrypted challenge phrases are the same, the second AP sends a link authentication response to the STA.

In practice, when the preconfigured key is a symmetric key (the sender and the receiver use the same key to encrypt and decrypt the plaintext), the second AP may instead, in step 4, decrypt the received encrypted challenge phrase with the preconfigured key and compare the result with the challenge phrase it sent to the STA; this accomplishes link authentication just as well.

This implementation is called shared-key authentication (Shared-key Authentication): the STA passes link authentication only if the key preconfigured in it is the same as the key preconfigured in the second AP, so it is more secure than open system authentication.
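Both sides of the shared-key exchange above, in the decrypt-and-compare form of step 4, as an added example (not the patent's code), together with the caveat a practitioner would attach to the "more secure" claim. The page does not name the cipher, so a keystream generator built from HMAC-SHA256 stands in for it; the 128-byte challenge and 3-byte IV mirror legacy 802.11 shared key authentication (which uses WEP, a stream cipher) and are assumptions of this example. `forge_from_transcript` shows why that design is weak: whoever overhears one legitimate exchange obtains challenge XOR ciphertext, which is the keystream for that IV, and can answer any later challenge under the same IV without knowing the key.

```python
import hashlib
import hmac
import os

# Added example, not the patent's code. Assumptions: a stream cipher (keystream
# from HMAC-SHA256, standing in for the unnamed cipher), a 128-byte challenge and
# a 3-byte IV sent in the clear, as in legacy 802.11 shared key authentication.

CHALLENGE_LEN = 128
IV_LEN = 3


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Constructed stream cipher: HMAC-SHA256(key, iv || counter) blocks, cut to n bytes."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor(data, keystream(key, iv, len(data)))


class AccessPoint:
    def __init__(self, preconfigured_key: bytes):
        self.key = preconfigured_key
        self.pending = {}  # STA address -> outstanding challenge

    def auth_request(self, sta_addr: str) -> bytes:
        """Step 2: answer a link authentication request with a fresh challenge phrase."""
        challenge = os.urandom(CHALLENGE_LEN)
        self.pending[sta_addr] = challenge
        return challenge

    def auth_response(self, sta_addr: str, iv: bytes, ciphertext: bytes) -> bool:
        """Steps 4-5 (symmetric-key variant): decrypt the reply with the preconfigured
        key and compare it with the challenge that was sent. True = response sent."""
        challenge = self.pending.pop(sta_addr, None)
        if challenge is None or len(ciphertext) != CHALLENGE_LEN:
            return False
        return hmac.compare_digest(stream_crypt(self.key, iv, ciphertext), challenge)


class Station:
    def __init__(self, preconfigured_key: bytes):
        self.key = preconfigured_key

    def answer(self, challenge: bytes):
        """Step 3: encrypt the challenge phrase with the preconfigured key under a fresh IV."""
        iv = os.urandom(IV_LEN)
        return iv, stream_crypt(self.key, iv, challenge)


def shared_key_auth(ap: AccessPoint, sta: Station, sta_addr: str):
    """Run steps 1-5; return (accepted, what an eavesdropper sees on the air)."""
    challenge = ap.auth_request(sta_addr)                   # steps 1-2
    iv, ciphertext = sta.answer(challenge)                   # step 3
    accepted = ap.auth_response(sta_addr, iv, ciphertext)    # steps 4-5
    return accepted, (challenge, iv, ciphertext)


def forge_from_transcript(ap: AccessPoint, transcript, attacker_addr: str = "attacker") -> bool:
    """Caveat: with a stream cipher, challenge XOR ciphertext is the keystream for
    that IV, so an eavesdropper can answer a new challenge under the same IV
    without ever learning the key."""
    challenge, iv, ciphertext = transcript
    recovered_keystream = xor(challenge, ciphertext)
    new_challenge = ap.auth_request(attacker_addr)
    return ap.auth_response(attacker_addr, iv, xor(new_challenge, recovered_keystream))


if __name__ == "__main__":
    key = b"preconfigured-key"          # constructed shared key
    ap = AccessPoint(key)
    ok, transcript = shared_key_auth(ap, Station(key), "sta1")
    print("correct key accepted:", ok)
    print("wrong key accepted:", shared_key_auth(ap, Station(b"wrong"), "sta2")[0])
    print("eavesdropper accepted without key:", forge_from_transcript(ap, transcript))
```

The forgery works because the AP accepts any IV the client presents and the challenge has a fixed length, so one observed exchange yields enough keystream for every future challenge. A challenge-response that authenticates with a keyed MAC over fresh nonces from both sides, as the key negotiation step does, does not leak anything reusable.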

Optionally, referring to FIG. 10, step S301c may include:

1. The STA sends an association request to the second AP;

2. On receiving the association request, the second AP sends an association response to the STA.

The association request carries the STA's supported rates, channel, quality of service (QoS), access authentication method, encryption algorithm and so on. Normally, if the AP can satisfy the requirements in the association request, it sends an association response to the STA and thereafter transmits data as the STA requested, so that the data is transmitted correctly and securely. It will be understood that after association the wireless link between the STA and the AP is established.

在本实施例的一种实现方式中,参见图11a,该步骤S301d可以包括:In an implementation manner of this embodiment, referring to FIG. 11a, the step S301d may include:

1、STA向AC发送接入认证请求;1. The STA sends an access authentication request to the AC;

2、AC接收到认证请求,向STA发送身份请求;2. The AC receives the authentication request and sends an identity request to the STA;

3、STA接收到身份请求,向AC发送STA的身份信息,身份信息包括用户标识;3. The STA receives the identity request and sends the STA's identity information to the AC, where the identity information includes the user ID;

4、AC将STA的身份信息转发给RADIUS服务器;4. The AC forwards the STA's identity information to the RADIUS server;

5、RADIUS服务器接收到身份信息,向AC发送包括公钥的服务器的证书;5. The RADIUS server receives the identity information and sends the certificate of the server including the public key to the AC;

6、AC将包括公钥的服务器的证书转发给STA;6. The AC forwards the certificate of the server including the public key to the STA;

7、STA接收到包括公钥的服务器的证书,对服务器的证书进行验证,验证成功后产生一个随机密码串(又称为预主密钥(英文:pre-master-secret)),并采用公钥对随机密码串进行加密,并基于随机密码串生成PMK;7. STA receives the certificate of the server including the public key, and verifies the certificate of the server. After the verification is successful, a random password string (also known as the pre-master key (English: pre-master-secret)) is generated, and the public key is used. The key encrypts the random cipher string, and generates a PMK based on the random cipher string;

8、STA向AC发送STA的证书和加密后的随机密码串;8. The STA sends the STA's certificate and the encrypted random password string to the AC;

9、AC将STA的证书和加密后的随机密码串转发给RADIUS服务器;9. The AC forwards the STA's certificate and the encrypted random password string to the RADIUS server;

10、RADIUS服务器验证STA的证书,验证成功后采用私钥对加密后的随机密码串进行解密,并基于随机密码串生成PMK;10. The RADIUS server verifies the STA's certificate. After the verification is successful, the encrypted random password string is decrypted with the private key, and a PMK is generated based on the random password string;

11、RADIUS服务器向AC发送接入认证响应和PMK,AC得到PMK;11. The RADIUS server sends an access authentication response and a PMK to the AC, and the AC obtains the PMK;

12、AC向STA转发接入认证响应。12. The AC forwards the access authentication response to the STA.

In another implementation of this embodiment, referring to FIG. 11b, step S301d may include:

1. The STA sends an access authentication request to the AC;

2. The AC receives the authentication request and sends an identity request to the STA;

3. The STA receives the identity request and sends its identity information to the AC, the identity information including a user identifier;

4. The AC forwards the STA's identity information to the RADIUS server;

5. The RADIUS server receives the identity information and sends an authentication start message to the AC;

6. The AC forwards the authentication start message to the STA;

7. The STA receives the authentication start message and sends an authentication message to the AC; the authentication message includes the list of encryption algorithms, the Transport Layer Security (TLS) protocol version, a session identifier, and so on;

8. The AC forwards the authentication message to the RADIUS server;

9. The RADIUS server receives the authentication message and sends the server certificate, which includes the public key, to the AC;

10. The AC forwards the server certificate including the public key to the STA;

11. The STA receives the server certificate including the public key and verifies it; after successful verification it generates a random password string, encrypts the random password string with the public key, and generates the PMK from the random password string;

12. The STA sends the STA's certificate and the encrypted random password string to the AC;

13. The AC forwards the STA's certificate and the encrypted random password string to the RADIUS server;

14. The RADIUS server verifies the STA's certificate; after successful verification it decrypts the encrypted random password string with its private key and generates the PMK from the random password string;

15. The RADIUS server sends an access authentication response and the PMK to the AC, so the AC obtains the PMK;

16. The AC forwards the access authentication response to the STA.

It should be noted that once the AC has obtained the PMK it can pass the PMK to the corresponding AP, so that in the end the PMK is configured on both the AP and the STA.

Further, taking verification of the server's certificate as an example, certificate verification can be implemented as follows:

the RADIUS server encrypts the descriptive information (issuing authority, expiry time, and so on) with its private key to obtain a signature;

the RADIUS server assembles the descriptive information, the public key matching the private key, and the signature into a digital certificate and sends it to the STA;

the STA receives the digital certificate, decrypts the signature in the certificate with the public key in the certificate, and compares the decryption result with the descriptive information in the certificate;

when the decryption result matches the descriptive information in the digital certificate, verification succeeds;

when the decryption result differs from the descriptive information in the digital certificate, verification fails.

It will be understood that verification of the STA's certificate may be similar to the above process and is not described in detail here.

Optionally, referring to FIG. 12a, step S301e may include:

1. The STA and the second AP each generate a random number;

2. The second AP sends the random number it generated to the STA;

3. The STA generates the PTK with a hash algorithm from the random number generated by the second AP, the media access control (MAC) address of the second AP, the random number generated by the STA, the MAC address of the STA, and the PMK;

4. The STA sends the random number it generated to the second AP;

5. The second AP generates the PTK with a hash algorithm from the random number generated by the STA, the MAC address of the STA, the random number generated by the second AP, the MAC address of the second AP, and the PMK;

6. The second AP sends the STA a notification to install the PTK;

7. The STA receives the notification, installs the PTK, and sends the second AP a notification that the PTK is installed;

8. The second AP receives the notification and installs the PTK.

FIG. 13 is a schematic diagram of the structure of the PTK. As shown in FIG. 13, when the Counter Cipher Block Chaining Message Authentication Code Protocol (CCMP) is used, bits 0 to 127 of the PTK are the Key Confirmation Key (KCK), bits 128 to 255 are the Key Encryption Key (KEK), and bits 256 to 383 are the Temporal Encryption Key (TEK); when the Temporal Key Integrity Protocol (TKIP) is used, bits 0 to 127 of the PTK are the KCK, bits 128 to 255 are the KEK, bits 256 to 383 are the TEK, and bits 384 to 511 are the Temporal Message Integrity Check Key (TMK).

Preferably, referring to FIG. 12b, step S301e may further include:

1. The second AP generates a Group Master Key (GMK), derives a Group Transient Key (GTK) from the GMK, and encrypts the GTK with the PTK;

2. The second AP sends the encrypted GTK to the STA;

3. The STA decrypts the encrypted GTK with the PTK, obtains the GTK, and installs it;

4. The STA sends the second AP a notification indicating that the GTK is installed;

5. The second AP receives the notification and installs the GTK.

Here, the GMK is a set of random numbers used to generate the GTK; the GTK is used to encrypt multicast and broadcast packets; the PTK is used to encrypt unicast packets.

It should be noted that, in the STA and the AP, installing a key such as the PTK or GTK means storing the key in the device so that it is available for use at any time.

Because the STA's access to the second AP goes through all five procedures (service discovery, link authentication, association, access authentication, and key negotiation), the second AP is usually the first AP that the STA accesses in the WLAN.

After step S301 the STA has accessed one AP in the WLAN (the second AP in this embodiment), which shows that the STA has passed the WLAN's access authentication and that its legitimacy has been preliminarily established. To avoid the large amount of time that repeating the multi-message negotiation of access authentication would cost, the access procedure is simplified when the STA, because it has moved, switches to another AP in the WLAN: what remains is mainly to establish, between the STA and the AP it switches to, a wireless link that transmits data securely and accurately. Specifically, during roaming this embodiment uses the fast roaming device to carry out the information exchange between the STA and the AP before the STA switches to that AP, so that the STA and the AP each obtain the other's MAC address, configure the PMK, and generate the PTK, which completes link authentication, access authentication, and key negotiation between them; in addition, after the STA decides to switch to the AP, the AP completes the association with the STA according to whether the internal information of the first data packet the STA sends to it is consistent. The details are as follows:

Step S302: The first AP sends its feature information to the fast roaming device. There is no fixed order between step S302 and step S301.

In this embodiment the first AP is a neighbour of the second AP. The feature information of the first AP includes the first AP's MAC address and a random number (nonce) generated by the first AP. The random number is generated by the first AP for the next STA that will access it.

Optionally, the feature information of the first AP may further include the encryption algorithm, bandwidth, and frequency used by the first AP; the contents can be set according to the information a STA needs to exchange in order to access the AP.

In a specific implementation, step S302 may include:

the fast roaming device determines that the STA has accessed the second AP;

the fast roaming device determines all first APs according to the positions of the APs and sends a feature information acquisition request to every first AP;

each first AP receives the feature information acquisition request and sends its own feature information to the fast roaming device.

Specifically, when the fast roaming device is added to the AC, the AC has a wired connection to the second AP and controls and manages it, so the AC can determine that the STA has accessed the second AP either by actively querying the second AP or by receiving information reported by the second AP.

Also, because the AC controls and manages the APs, it knows the position of every AP; it can therefore determine all first APs that are neighbours of the second AP, send a feature information acquisition request to each of them, and receive the feature information each first AP returns in reply.

When the fast roaming device is added to the AP, the fast roaming device on the second AP can of course determine that the STA has accessed the second AP.

Also, because the second AP has a wired connection to the AC, and the AC controls and manages every AP and knows where all of them are, the second AP can obtain all first APs that are its neighbours by sending a request to the AC; since the APs are also wired to one another, it can then send a feature information acquisition request to each first AP and receive the feature information each returns in reply.

When the fast roaming device is deployed independently of the AC and the APs, it can be wired to the AC and to every AP. It can determine that the STA has accessed the second AP and obtain all first APs that are neighbours of the second AP by sending a request to the AC, or it can determine both by sending requests to the individual APs; it then sends a feature information acquisition request to each first AP and receives the feature information each returns in reply.

FIG. 6 is a schematic diagram of the process by which a STA roams quickly from the second AP to the first AP when the fast roaming device is independent of the AC and the APs; for the case where the fast roaming device is deployed on the AC, see FIG. 14a; for the case where it is deployed on each AP, see FIG. 14b.

Step S303: The fast roaming device forwards the feature information of the first AP to the STA. Step S303 is performed after step S301.

Specifically, when the fast roaming device is added to the AC or deployed independently of the AC and the APs, the AC sends the feature information of the first AP to the second AP, which sends it on to the STA; when the fast roaming device is added to the AP, the fast roaming device on the second AP sends the feature information of the first AP directly to the STA.

In a specific implementation, the feature information of a first AP sent by the fast roaming device may include an AP identifier, a physical feature, a security feature, a radio frequency feature, and a random number. For example, referring to FIG. 15, the feature information of one first AP sent by the fast roaming device is AP ID1 (AP identifier), MAC1 (physical feature), Advanced Encryption Standard (AES) encryption (security feature), frequency 2.418 GHz (radio frequency feature), and Nonce1 (random number); the feature information of another first AP is AP ID2 (AP identifier), MAC2 (physical feature), AES encryption (security feature), frequency 2.438 GHz (radio frequency feature), and Nonce2 (random number).

Step S304: The STA generates a random number and sends it to the fast roaming device.

Specifically, when the fast roaming device is added to the AC or deployed independently of the AC and the APs, the STA sends its random number to the second AP, which forwards it to the AC; when the fast roaming device is added to the AP, the STA sends its random number directly to the fast roaming device on the second AP.

It should be noted that there may be several first APs that are neighbours of the second AP. In that case the STA generates one random number for each first AP and sends it to the corresponding first AP; the random numbers for the different first APs may be the same or different. In implementation, the message carrying a random number generated by the STA for a first AP also carries that first AP's MAC address, so the fast roaming device can tell from the carried MAC address which first AP each random number belongs to.

In a specific implementation, the message sent for each first AP may include an AP identifier and a random number. For example, referring to FIG. 16, the message for one first AP is AP ID1 (AP identifier) and Nonce1 (random number); the message for another first AP is AP ID2 (AP identifier) and Nonce2 (random number).

Step S305: The STA determines the PMK for each first AP and computes a PTK from each first AP's PMK.

As stated above, a PMK corresponds jointly to a STA and an AP; since only one STA is involved in this embodiment, the PMKs are distinguished directly by AP.

Optionally, determining the PMK of a first AP by the STA may include:

the STA checks, according to the MAC address of the first AP, whether it has cached a PMK Security Association (PMKSA) for the first AP;

when the STA has cached the PMKSA of the first AP, it obtains the cached PMKID of the first AP;

when the STA has not cached the PMKSA of the first AP, it determines the PMK of the first AP through the 802.1X negotiation procedure.

In practice, obtaining a PMK through the 802.1X negotiation procedure involves several frame exchanges and takes a long time, so the STA caches the PMK it obtains to avoid repeating the 802.1X negotiation; what the STA actually caches is the PMKSA. The PMKSA includes the AP's MAC address, the lifetime of the PMK, and the PMK identifier (PMKID); the PMKID is obtained by hashing the PMK, the AP's MAC address, the STA's MAC address, and other information.

In the 802.11r standard, referring to FIG. 17, the keys are divided into three levels: PMK_R0, PMK_R1, and PTK. PMK_R0 is the second-level key, and the PMK_R0 is the same for every AP; PMK_R1 is the first-level key, computed from PMK_R0 together with information whose value differs per AP (such as the AP's identifier), so every AP's PMK_R1 is different; PTK is the second-level key, computed from PMK_R1. On the one hand, what is transferred when the STA roams is PMK_R1, and because each AP's PMK_R1 is different, even if a PMK_R1 is compromised only one AP is affected, which gives higher security; on the other hand, when the PMK_R1 of one AP is known, PMK_R0 can be obtained, and from PMK_R0 and another AP's information that AP's PMK_R1 can be obtained, after which a PTK is negotiated from PMK_R1, so the time-consuming 802.1X authentication is avoided and the handover time is shortened.

In this situation, determining the PMK of the first AP by the STA may include:

the STA computes the PMK_R1 of the first AP from PMK_R0 and the identifier of the first AP.

For example, the Key Derivation Function (KDF) defined in 802.11r can be used to compute PMK_R0 from the length of the Service Set Identifier (SSID) being accessed, the SSID, the Message Digest Algorithm Identifier (MDID), the length of the PMK_R0 key holder identifier, the PMK_R0 key holder identifier, and other information; the KDF defined in 802.11r is then used to compute PMK_R1 from PMK_R0, the identifier of the PMK_R1 key holder, and other information.

Specifically, computing the PTK from each first AP's PMK may include:

the STA computes the PTK with a hash algorithm from the MAC address of the first AP, the random number generated by the first AP, the MAC address of the STA, the random number generated by the STA, and the PMK of the first AP.

As stated above, when switching from an already-accessed AP to another AP the procedure can be simplified: only the parameters needed to establish a wireless link that transmits data securely and accurately have to be obtained. In practice the STA maintains a cache list that records the parameters needed to establish the wireless link, as shown in Table 1 below:

Table 1

(Table 1 is reproduced as an image in the original and is not available as text.)

The table lists, for each first AP, the first AP's MAC address, the random number generated by the STA, the random number generated by the first AP, the PMKID, PMK_R1, the encryption key, the digest key, and the validity time. The encryption key is the TEK in the PTK, and the digest key is the TMK in the PTK. It should be noted that entries can be removed from the table according to the parameters actually needed to access the AP.

Step S306: The fast roaming device obtains the feature information of the STA.

In this embodiment, the feature information of the STA includes the STA's MAC address, the random number generated by the STA, and the feature value of the PMK the STA generated for the first AP.

In a specific implementation, the random number generated by the STA is sent by the STA to the fast roaming device, and the packet carrying it also carries the STA's MAC address, so the fast roaming device can take the STA's MAC address from that packet. The fast roaming device may also determine the STA's MAC address through the second AP. The feature value of the PMK the STA generated for the first AP is usually the PMKID of the first AP or the PMK_R1 of the first AP; the RADIUS server can determine this feature value in the same way the STA determines the first AP's PMK in step S305 and then send it to the AC. If the fast roaming device is added to the AC, it can obtain the feature value of the PMK the STA generated for the first AP directly; if the fast roaming device is added to the AP or deployed independently of the AC and the APs, it obtains that feature value by interacting with the AC.

Step S307: The fast roaming device sends the feature information of the STA to the first AP.

Specifically, the APs are wired to one another and each AP is wired to the AC, so a fast roaming device deployed on the AC or on an AP can send the STA's feature information directly to the first AP. When the fast roaming device is deployed independently of the AC and the APs, it is wired to the AC and to every AP and can likewise send the STA's feature information directly to the first AP.

Step S308: The first AP receives the feature information of the STA and computes the PTK from it.

Specifically, step S308 may include:

the first AP computes the PTK with a hash algorithm from the MAC address of the first AP, the random number generated by the first AP, the MAC address of the STA, the random number generated by the STA, and the PMK shared by the STA and the first AP.

In practice the AP also maintains a cache list, as shown in Table 2 below:

Table 2

(Table 2 is reproduced as an image in the original and is not available as text.)

The table lists the STA's MAC address, the random number generated by the STA, the random number generated by the first AP, the PMKID, PMK_R1, the encryption key, the digest key, and the validity time. The encryption key is the TEK in the PTK, and the digest key is the TMK in the PTK. It should be noted that entries can be removed from the table according to the parameters actually needed to access the AP.

In practice, when every entry in the cache list has been filled in, this marks the completion of link authentication, access authentication, and key negotiation between the STA and the AP. Alternatively, the fast roaming device may notify the STA and the AP that link authentication, access authentication, and key negotiation are complete.

As stated above, this embodiment simplifies the access procedure during roaming by using the fast roaming device to carry out the information exchange between the STA and the AP, so that each obtains the other's MAC address, configures the PMK, and generates the PTK. It is readily seen that the information exchange between the fast roaming device, the STA, and the APs in steps S302 to S308 above has completed link authentication, access authentication, and key negotiation.

Step S309: After the STA decides to switch from the second AP to the first AP, the STA encrypts a data packet with the PTK and sends the encrypted data packet to the first AP.

In this embodiment a data packet includes a data digest and the data. The data digest extracts fingerprint information from all of the data to provide functions such as data signing and data integrity checking. Data digest algorithms are also known as hash algorithms; common ones are the Cyclic Redundancy Check (CRC), Message-Digest Algorithm 5 (MD5), and the Secure Hash Algorithm (SHA).

Specifically, with the Advanced Encryption Standard (AES), the Cipher Block Chaining Message Authentication Code (CBC-MAC) can be used as the digest.

Further, referring to FIG. 18, the data packet is generated as follows:

the data digest algorithm is applied to the data to obtain the data digest, which is appended after the data;

the 802.11 header is prepended to the data;

a Frame Check Sequence (FCS) is appended after the data digest.

In practice, the STA may decide whether to switch AP, and which AP to switch to, based on signal strength or how busy the channel is.

Specifically, encrypting the data packet with the PTK by the STA may include:

encrypting the data packet with the PTK of the first AP that the STA has decided to switch to.

Step S310: The first AP receives the encrypted data packet and decrypts it with the PTK to obtain the decrypted data and data digest.

Specifically, step S310 may include:

selecting the PTK according to the STA's MAC address and decrypting the encrypted data packet with it to obtain the decrypted data digest and data.

Step S311: The first AP applies the data digest algorithm to the decrypted data and compares the computed data digest with the decrypted data digest.

As stated above, during roaming this embodiment simplifies association to the requirement that the data transmitted between the STA and the AP is accurate. When the computed data digest matches the decrypted data digest, the wireless link between the STA and the first AP can transmit data securely and accurately; the association between the STA and the first AP is therefore complete, and the STA has accessed the first AP.
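The key derivation of steps S305 and S308 (with the PTK split of FIG. 13 and the PMK_R0/PMK_R1 hierarchy of FIG. 17) and the first-frame digest check of steps S309 to S311, as an added example that is not part of the patent or of any Huawei product. HMAC-SHA256 stands in for the 802.11r KDF, the PTK hash, and the CCMP cipher and CBC-MAC; the min/max ordering of inputs and the frame layout are assumptions, and every MAC address, nonce, and key is a constructed value.

```python
"""Constructed model of the key material in the fast-roaming scheme above.

Added example, not code from the patent or from Huawei. HMAC-SHA256 stands in
for the 802.11r KDF, for the PTK hash and for CCMP data protection; the real
algorithms differ in detail. Every MAC, nonce and key is a constructed value.
"""
import hashlib
import hmac
import struct
import zlib

DIGEST_LEN = 8   # bytes of data digest appended after the data (Fig. 18)


def kdf(key, label, context, out_bits):
    """HMAC-SHA256 counter-mode KDF, an assumed stand-in for the 802.11r KDF."""
    out, counter = b"", 1
    while len(out) * 8 < out_bits:
        msg = struct.pack("<H", counter) + label + context + struct.pack("<H", out_bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[: out_bits // 8]


def pmk_r0(master, ssid, mdid, r0kh_id, sta_mac):
    """Key from SSID length, SSID, MDID and the PMK_R0 holder id: same for all APs."""
    ctx = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + sta_mac
    return kdf(master, b"FT-R0", ctx, 256)


def pmk_r1(r0, r1kh_id, sta_mac):
    """Per-AP key: the PMK_R1 holder id (here the AP's MAC) differs for every AP."""
    return kdf(r0, b"FT-R1", r1kh_id + sta_mac, 256)


def derive_ptk(pmk, ap_mac, ap_nonce, sta_mac, sta_nonce):
    """PTK from the PMK, both MACs and both nonces (Fig. 12a steps 3 and 5; S305, S308).

    min/max canonicalise the order so the STA (which lists the AP's values
    first) and the AP (which lists the STA's values first) get the same PTK.
    Split as in Fig. 13 for CCMP: KCK | KEK | TEK, 128 bits each.
    """
    ctx = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
           + min(ap_nonce, sta_nonce) + max(ap_nonce, sta_nonce))
    ptk = kdf(pmk, b"Pairwise key expansion", ctx, 384)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TEK": ptk[32:48]}


def _keystream(tek, pn, length):
    """Counter-mode keystream from the TEK (stand-in for the AES counter mode of CCMP)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(tek, pn + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _data_digest(tek, data):
    """Keyed digest over the data (stand-in for the CBC-MAC used with AES)."""
    return hmac.new(tek, data, hashlib.sha256).digest()[:DIGEST_LEN]


def protect_frame(keys, pn, data):
    """STA side (S309, Fig. 18): header | encrypted(data | digest) | FCS."""
    header = struct.pack(">Q", pn)                 # packet number, sent in the clear
    body = data + _data_digest(keys["TEK"], data)
    enc = bytes(a ^ b for a, b in zip(body, _keystream(keys["TEK"], header, len(body))))
    return header + enc + struct.pack(">I", zlib.crc32(header + enc))


def verify_frame(keys, frame):
    """AP side (S310, S311): check the FCS, decrypt, recompute the digest, compare.

    Returns (ok, data); ok is True only when the digest sent by the STA equals
    the digest the AP computes over the decrypted data (association complete).
    """
    header, enc, fcs = frame[:8], frame[8:-4], frame[-4:]
    if struct.pack(">I", zlib.crc32(header + enc)) != fcs:
        return False, b""
    body = bytes(a ^ b for a, b in zip(enc, _keystream(keys["TEK"], header, len(enc))))
    data, received = body[:-DIGEST_LEN], body[-DIGEST_LEN:]
    return hmac.compare_digest(received, _data_digest(keys["TEK"], data)), data


def roam_demo():
    """The STA pre-computes PTKs for two neighbour APs, then roams to AP1."""
    sta_mac = bytes.fromhex("02ab00000001")                       # constructed
    ap_mac = {"AP1": bytes.fromhex("02ac00000001"), "AP2": bytes.fromhex("02ac00000002")}
    ap_nonce = {"AP1": b"\x11" * 32, "AP2": b"\x22" * 32}          # via the device (S302, S303)
    sta_nonce = {"AP1": b"\x33" * 32, "AP2": b"\x44" * 32}         # one per first AP (S304)
    r0 = pmk_r0(b"\x55" * 32, b"corp-wifi", b"\x01\x02", b"r0kh.example", sta_mac)
    # STA-side cache (Table 1): one row per first AP, keyed by the AP's MAC
    sta_cache = {m: derive_ptk(pmk_r1(r0, m, sta_mac), m, ap_nonce[n], sta_mac, sta_nonce[n])
                 for n, m in ap_mac.items()}
    # AP1-side cache (Table 2): AP1 gets the STA's nonce and PMK_R1 via the device (S307, S308)
    ap1 = derive_ptk(pmk_r1(r0, ap_mac["AP1"], sta_mac), ap_mac["AP1"], ap_nonce["AP1"],
                     sta_mac, sta_nonce["AP1"])
    frame = protect_frame(sta_cache[ap_mac["AP1"]], 1, b"first data frame after roaming")
    ok, data = verify_frame(ap1, frame)
    bad = frame[:20] + bytes([frame[20] ^ 1]) + frame[21:-4]      # flip one ciphertext bit
    tampered = bad + struct.pack(">I", zlib.crc32(bad))            # but keep a valid FCS
    return {"ptk_match": sta_cache[ap_mac["AP1"]] == ap1,
            "keys_differ_per_ap": sta_cache[ap_mac["AP1"]]["TEK"] != sta_cache[ap_mac["AP2"]]["TEK"],
            "first_frame_ok": ok, "data": data,
            "tampered_ok": verify_frame(ap1, tampered)[0],
            "wrong_ap_ok": verify_frame(sta_cache[ap_mac["AP2"]], frame)[0]}
```

The FCS alone catches transmission errors; only the keyed digest, checked after decryption with the PTK selected by the STA's MAC address, distinguishes the frame of a STA that holds the right PTK from a corrupted or mis-keyed one.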

本发明实施例通过在STA接入第二AP之后,在STA和作为第二AP的邻居的第一AP之间交互建立无线链接的MAC地址、PMK、PTK等信息,完成STA接入第一AP过程中的链路认证、接入认证、密钥协商,大大减少STA漫游过程中交互信息所耗费的时间。同时当STA确定切换到第一AP时,AP根据STA向AP发送的第一个数据报文的内部信息是否一致,完成STA和第一AP之间的关联,使得STA的漫游过程中没有时间的消耗(即漫游切换的时间减至0),切换过程快,完全可以满足VoIP等业务需求,有效保障用户体验。In this embodiment of the present invention, after the STA accesses the second AP, the information such as the MAC address, PMK, and PTK for establishing a wireless link is exchanged between the STA and the first AP, which is a neighbor of the second AP, to complete the STA's access to the first AP. Link authentication, access authentication, and key negotiation in the process greatly reduce the time spent by STAs exchanging information during roaming. At the same time, when the STA determines to switch to the first AP, the AP completes the association between the STA and the first AP according to whether the internal information of the first data packet sent by the STA to the AP is consistent, so that there is no time limit during the roaming process of the STA. Consumption (that is, the time of roaming switching is reduced to 0), and the switching process is fast, which can fully meet the needs of VoIP and other services, and effectively guarantee the user experience.

The above steps may be executed by the base station according to the aforementioned software program. For example, step S302 is executed by the fast roaming apparatus according to the AP information obtaining module in FIG. 3; step S303 by the fast roaming apparatus according to the AP information sending module in FIG. 3; steps S304 and S305 by the STA according to the access preparation module in FIG. 6; step S306 by the fast roaming apparatus according to the STA information obtaining module in FIG. 3; step S307 by the fast roaming apparatus according to the STA information sending module in FIG. 3; step S308 by the first AP according to the access preparation module in FIG. 4; step S309 by the STA according to the access completion module in FIG. 5; step S310 by the first AP according to the packet receiving module and the decryption module in FIG. 4; and step S311 by the first AP according to the determining module in FIG. 4.

Referring to FIG. 19, an embodiment of the present invention provides a fast roaming apparatus, which can be implemented as all or part of a base station by software, by hardware, or by a combination of the two. The apparatus includes an AP information obtaining unit 602, an AP information sending unit 603, a STA information obtaining unit 604 and a STA information sending unit 605.

The AP information obtaining unit 602 is configured to obtain the feature information of the first AP, which includes the MAC address of the first AP and a random number generated by the first AP. The AP information sending unit 603 is configured to, after it is determined that the STA has accessed the second AP, send the feature information of the first AP to the STA, the first AP being a neighbor of the second AP, so that the STA generates and sends a random number and generates a PTK based on the random number generated by the STA, the MAC address of the STA, the PMK and the feature information of the first AP. The STA information obtaining unit 604 is configured to obtain the feature information of the STA, which includes the MAC address of the STA, the random number generated by the STA and the feature value of the PMK. The STA information sending unit 605 is configured to send the feature information of the STA to the first AP, so that the first AP generates the PTK based on the feature information of the STA and the feature information of the first AP, whereupon link authentication, access authentication and key negotiation between the STA and the first AP are complete.

Optionally, the apparatus may be deployed on an AP or on an access controller (AC), the AC being used to control and manage APs.

In this embodiment of the present invention, after the STA accesses the second AP, the information needed to establish a wireless link, such as the MAC addresses, the PMK and the PTK, is exchanged between the STA and the first AP, which is a neighbor of the second AP, so that the link authentication, access authentication and key negotiation of the STA's access to the first AP are completed in advance, greatly reducing the time spent exchanging information while the STA roams.

Referring to FIG. 20, an embodiment of the present invention provides an AP, which can be implemented as all or part of a base station by software, by hardware, or by a combination of the two. The AP includes an access preparation unit 701, a packet receiving unit 702, a decryption unit 703 and a determining unit 704.

The access preparation unit 701 is configured to complete link authentication, access authentication and key negotiation with the STA, obtaining the MAC address of the STA, the PMK and the PTK. The packet receiving unit 702 is configured to receive the data packet, encrypted with the PTK, that the STA sends after deciding to switch from the second AP to this AP, this AP being a neighbor of the second AP. The decryption unit 703 is configured to decrypt the encrypted data packet with the PTK. The determining unit 704 is configured to complete the association between the STA and this AP according to whether the internal information of the decrypted data packet is consistent.

Optionally, the determining unit 704 may be configured to compute a data digest over the decrypted data using a data digest algorithm, compare the computed data digest with the decrypted data digest, and, when the computed data digest matches the decrypted data digest, complete the association between the STA and the first AP.

In this embodiment of the present invention, before the STA decides to switch from the second AP to this AP, link authentication, access authentication and key negotiation with the STA are completed and the MAC address of the STA, the PMK and the PTK are obtained; after the STA decides to switch from the second AP to this AP, the data packet that the STA sends encrypted with the PTK is received and decrypted with the PTK, and the association between the STA and the first AP is completed according to whether the internal information of the decrypted data packet is consistent. The roaming procedure therefore consumes no time (that is, the roaming handover time is reduced to 0); the handover is fast, fully meets the requirements of services such as VoIP, and effectively guarantees the user experience.

Referring to FIG. 21, an embodiment of the present invention provides a STA, which can be implemented as all or part of a base station by software, by hardware, or by a combination of the two. The STA includes an access preparation unit 801 and an access completion unit 803.

The access preparation unit 801 is configured to, after the STA accesses the second AP, complete link authentication, access authentication and key negotiation with the first AP, obtaining the MAC address of the first AP, the PMK and the PTK, the first AP being a neighbor of the second AP. The access completion unit 803 is configured to send a data packet encrypted with the PTK to the first AP after the STA decides to switch to the first AP.

In this embodiment of the present invention, before the STA decides to switch from the second AP to the first AP, link authentication, access authentication and key negotiation with the first AP are completed and the MAC address of the first AP, the PMK and the PTK are obtained; after the STA decides to switch from the second AP to the first AP, the STA sends a data packet encrypted with the PTK to the first AP, so that the first AP decrypts the encrypted data packet with the PTK and completes the association between the STA and the first AP according to whether the internal information of the decrypted data packet is consistent. The roaming procedure therefore consumes no time (that is, the roaming handover time is reduced to 0); the handover is fast, fully meets the requirements of services such as VoIP, and effectively guarantees the user experience.

Referring to FIG. 22a and FIG. 22b, which show a fast roaming system provided by an embodiment of the present invention, the system includes a fast roaming apparatus 901, a STA 902, at least one first AP 904 and a second AP 903, the first AP 904 being a neighbor of the second AP 903.

Specifically, the fast roaming apparatus 901 may be the same as the fast roaming apparatus of the embodiment shown in FIG. 19, the STA 902 the same as the STA of the embodiment shown in FIG. 21, and the first AP 904 the same as the AP of the embodiment shown in FIG. 20; they are not described again here.

Optionally, when the fast roaming apparatus 901 is deployed on the AC or independently of both the AC and the APs, the fast roaming apparatus 901 is wired to the first AP 904 and the second AP 903, the first AP 904 is wired to the second AP 903, and the STA 902 is wirelessly connected to the first AP 904; when the fast roaming apparatus 901 is deployed on an AP, the first AP 904 is wired to the second AP 903 and the STA 902 is wirelessly connected to the first AP 904.

In this embodiment of the present invention, after the STA accesses the second AP, the information needed to establish a wireless link, such as the MAC addresses, the PMK and the PTK, is exchanged between the STA and the first AP, which is a neighbor of the second AP, so that the link authentication, access authentication and key negotiation of the STA's access to the first AP are completed in advance, greatly reducing the time spent exchanging information while the STA roams. In addition, when the STA decides to switch to the first AP, the first AP completes the association with the STA according to whether the internal information of the first data packet sent by the STA is consistent, so that the roaming procedure consumes no time (that is, the roaming handover time is reduced to 0). The handover is fast, fully meets the requirements of services such as VoIP, and effectively guarantees the user experience.
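The following simulation is an added example, not code from the patent: it plays the STA, the first AP and the fast roaming apparatus for the exchange summarised above (AP feature information relayed to the STA, STA feature information relayed to the first AP, PTK derived on both sides, then a first data packet carrying data and a digest decides the association). The PTK derivation (HMAC-SHA256 keyed with the PMK over both MAC addresses and both random numbers), the XOR stand-in cipher and the PMK feature value (SHA-256 of the PMK) are assumptions; the patent does not specify these primitives, and the MAC addresses and payload are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

DIGEST_LEN = 32  # SHA-256 digest appended to the first data packet


def pmk_feature_value(pmk: bytes) -> bytes:
    """Feature value of the PMK carried in the STA feature information
    (assumed here to be SHA-256 of the PMK, so the PMK itself never travels)."""
    return hashlib.sha256(pmk).digest()


def derive_ptk(pmk: bytes, sta_mac: bytes, ap_mac: bytes,
               sta_nonce: bytes, ap_nonce: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 keyed with the PMK over both MAC addresses and
    both random numbers, sorted so STA and AP derive the same PTK."""
    macs = b"".join(sorted([sta_mac, ap_mac]))
    nonces = b"".join(sorted([sta_nonce, ap_nonce]))
    return hmac.new(pmk, macs + nonces, hashlib.sha256).digest()


def xor_stream(ptk: bytes, buf: bytes) -> bytes:
    """Illustrative symmetric stand-in cipher: XOR with an HMAC counter keystream."""
    out = bytearray()
    ctr = 0
    while len(out) < len(buf):
        out += hmac.new(ptk, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(b ^ k for b, k in zip(buf, out))


@dataclass
class ApFeatureInfo:        # what the fast roaming apparatus obtains from the first AP
    mac: bytes
    nonce: bytes


@dataclass
class StaFeatureInfo:       # what the fast roaming apparatus relays to the first AP
    mac: bytes
    nonce: bytes
    pmk_feature: bytes


class Sta:
    def __init__(self, mac: bytes, pmk: bytes):
        self.mac, self.pmk = mac, pmk
        self.nonce = os.urandom(32)     # random number generated by the STA
        self.ptk = None

    def access_preparation(self, ap: ApFeatureInfo) -> StaFeatureInfo:
        """Steps S304/S305: derive the PTK for the neighbor AP ahead of time."""
        self.ptk = derive_ptk(self.pmk, self.mac, ap.mac, self.nonce, ap.nonce)
        return StaFeatureInfo(self.mac, self.nonce, pmk_feature_value(self.pmk))

    def first_packet(self, data: bytes) -> bytes:
        """Step S309: after deciding to switch, send data || digest under the PTK."""
        return xor_stream(self.ptk, data + hashlib.sha256(data).digest())


class FirstAp:
    def __init__(self, mac: bytes, pmk: bytes):
        self.mac, self.pmk = mac, pmk
        self.nonce = os.urandom(32)     # random number generated by the first AP
        self.ptk = None
        self.associated = False

    def feature_info(self) -> ApFeatureInfo:
        return ApFeatureInfo(self.mac, self.nonce)

    def access_preparation(self, sta: StaFeatureInfo) -> bool:
        """Step S308: check the PMK feature value, then derive the same PTK."""
        if not hmac.compare_digest(sta.pmk_feature, pmk_feature_value(self.pmk)):
            return False
        self.ptk = derive_ptk(self.pmk, sta.mac, self.mac, sta.nonce, self.nonce)
        return True

    def receive_first_packet(self, ciphertext: bytes) -> bool:
        """Steps S310/S311: decrypt, recompute the digest, compare in constant time;
        the association completes only when the digests match."""
        plain = xor_stream(self.ptk, ciphertext)
        data, digest = plain[:-DIGEST_LEN], plain[-DIGEST_LEN:]
        self.associated = hmac.compare_digest(hashlib.sha256(data).digest(), digest)
        return self.associated


def fast_roam(sta_pmk: bytes, ap_pmk: bytes, tamper: bool = False) -> bool:
    """Plays the fast roaming apparatus: relays feature information both ways,
    then the STA switches. Returns whether the first AP completed the association."""
    sta = Sta(bytes.fromhex("02aabbccddee"), sta_pmk)      # constructed sample MACs
    ap = FirstAp(bytes.fromhex("021122334455"), ap_pmk)
    sta_info = sta.access_preparation(ap.feature_info())   # S302/S303 -> S304/S305
    if not ap.access_preparation(sta_info):                # S306/S307 -> S308
        return False
    pkt = bytearray(sta.first_packet(b"voip frame 1"))     # S309
    if tamper:                  # a bit flipped in flight must fail the digest check
        pkt[0] ^= 0x01
    return ap.receive_first_packet(bytes(pkt))             # S310/S311


if __name__ == "__main__":
    pmk = os.urandom(32)
    print("same PMK:", fast_roam(pmk, pmk))
    print("tampered:", fast_roam(pmk, pmk, tamper=True))
    print("wrong PMK:", fast_roam(pmk, os.urandom(32)))
```

The tampered and wrong-PMK runs show that the digest comparison is the only gate on association: a first packet that is modified in transit, or keyed from a different PMK, leaves the STA unassociated.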

It should be noted that the division into the functional modules above is only an example of how the fast roaming apparatus and fast roaming system of the above embodiments perform fast roaming; in practice the functions may be assigned to different functional modules as required, that is, the internal structure of the apparatus and the system may be divided into different functional modules to perform all or part of the functions described above. In addition, the fast roaming apparatus and fast roaming system embodiments share the same concept as the fast roaming method embodiments; their specific implementation is detailed in the method embodiments and is not repeated here.

The serial numbers of the above embodiments of the present invention are for description only and do not indicate the merits of the embodiments.

Those of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be performed by hardware, or by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc.

The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (10)

1. A fast roaming method, characterized in that the method comprises:
the method comprises the steps that a fast roaming device obtains feature information of a first Access Point (AP), wherein the feature information of the first AP comprises a Medium Access Control (MAC) address of the first AP and a random number generated by the first AP;
after determining that a mobile Station (STA) accesses a second AP, the fast roaming device sends characteristic information of a first AP to the STA, wherein the first AP is a neighbor of the second AP;
the STA generates and sends a random number, and generates a Pairwise Temporary Key (PTK) based on the random number generated by the STA, the MAC address of the STA, a Pairwise Master Key (PMK) and the characteristic information of the first AP;
the fast roaming device acquires the feature information of the STA, wherein the feature information of the STA comprises the MAC address of the STA, the random number generated by the STA and the feature value of the PMK;
the fast roaming device sends the feature information of the STA to the first AP;
the first AP generates the PTK based on the feature information of the STA and the feature information of the first AP, and link authentication, access authentication and key agreement between the STA and the first AP are completed;
after determining to switch to the first AP, the STA sends a data message encrypted by the PTK to the first AP, wherein the data message comprises data and a data digest;
the first AP decrypts the encrypted data message by adopting the PTK;
the first AP calculates the decrypted data by adopting a data digest algorithm to obtain a calculated data digest;
the first AP compares the calculated data digest with the decrypted data digest;
when the calculated data digest is consistent with the decrypted data digest, the association between the STA and the first AP is completed.
2. The method according to claim 1, wherein the characteristic information of the first AP further includes at least one of an encryption scheme of the first AP, a frequency point of the first AP, and a bandwidth of the first AP.
3. A fast roaming method, characterized in that the method comprises:
the method comprises the steps that a fast roaming device obtains feature information of a first Access Point (AP), wherein the feature information of the first AP comprises a Medium Access Control (MAC) address of the first AP and a random number generated by the first AP;
after determining that a mobile Station (STA) accesses a second AP, the fast roaming device sends feature information of a first AP to the STA, wherein the first AP is a neighbor of the second AP, the STA generates and sends a random number, and a Pairwise Temporary Key (PTK) is generated based on the random number generated by the STA, the MAC address of the STA, a Pairwise Master Key (PMK) and the feature information of the first AP;
the fast roaming device acquires the feature information of the STA, wherein the feature information of the STA comprises the MAC address of the STA, the random number generated by the STA and the feature value of the PMK;
the fast roaming device sends the feature information of the STA to the first AP, so that the first AP generates the PTK based on the feature information of the STA and the feature information of the first AP, and link authentication, access authentication and key agreement between the STA and the first AP are completed.
4. A fast roaming method, characterized in that the method comprises:
the first access point AP generates a pairwise temporary key PTK based on the characteristic information of the mobile station STA and the characteristic information of the first AP, completes link authentication, access authentication and key negotiation with the STA to obtain the MAC address of the STA, a pairwise master key PMK and the PTK, wherein the STA characteristic information is transmitted by a fast roaming device, the STA characteristic information comprises the STA MAC address, the random number generated and transmitted by the STA, and the characteristic value of the PMK, the PTK is generated by the STA based on the random number generated by the STA, the MAC address of the STA, the PMK and the characteristic information of the first AP, the characteristic information of the first AP is transmitted to the STA by the fast roaming device after determining that the STA accesses the second AP, the characteristic information of the first AP comprises a MAC address of the first AP and a random number generated by the first AP;
the first AP receives a data message which is sent by the STA after the STA is determined to be switched from a second AP to the first AP and encrypted by the PTK, wherein the first AP is a neighbor of the second AP, and the data message comprises data and a data digest;
the first AP decrypts the encrypted data message by adopting the PTK;
the first AP calculates the decrypted data by adopting a data digest algorithm to obtain a calculated data digest;
the first AP compares the calculated data digest with the decrypted data digest;
when the calculated data digest is consistent with the decrypted data digest, the association between the STA and the first AP is completed.
5. A fast roaming system is characterized in that the system comprises a fast roaming device, a mobile station STA, a first access point AP and a second AP, wherein the first AP is a neighbor of the second AP;
the fast roaming device is configured to acquire feature information of a first AP, and send the feature information to the STA after determining that the STA accesses a second AP, where the feature information of the first AP includes a MAC address of the first AP and a random number generated by the first AP;
the STA is used for generating and sending a random number, and generating a Pairwise Temporary Key (PTK) based on the random number generated by the STA, the MAC address of the STA, a Pairwise Master Key (PMK) and the characteristic information of the first AP;
the fast roaming device is further configured to obtain feature information of the STA and send the feature information to the first AP, where the feature information of the STA includes an MAC address of the STA, a random number generated by the STA, and a feature value of the PMK;
the first AP is used for generating the PTK based on the feature information of the STA and the feature information of the first AP, and link authentication, access authentication and key agreement between the STA and the first AP are completed;
the STA is further configured to send a data packet encrypted by using the PTK to the first AP after the STA is determined to be switched to the first AP, where the data packet includes data and a data digest;
the first AP is further used for decrypting the encrypted data message by adopting the PTK; calculating the decrypted data by adopting a data digest algorithm to obtain a calculated data digest; comparing the calculated data digest with the decrypted data digest; when the calculated data digest is consistent with the decrypted data digest, the association between the STA and the first AP is completed.
6. The system according to claim 5, wherein the characteristic information of the first AP further includes at least one of an encryption scheme of the first AP, a frequency point of the first AP, and a bandwidth of the first AP.
7. A fast roaming apparatus, characterized in that the apparatus comprises:
an AP information obtaining unit, configured to obtain feature information of a first AP, where the feature information of the first AP includes a MAC address of the first AP and a random number generated by the first AP;
an AP information sending unit, configured to send feature information of a first AP to a mobile Station (STA) after the STA is determined to access a second AP, where the first AP is a neighbor of the second AP, enable the STA to generate and send a random number, and generate a Pairwise Temporary Key (PTK) based on the random number generated by the STA, the MAC address of the STA, a Pairwise Master Key (PMK), and the feature information of the first AP;
an STA information obtaining unit, configured to obtain feature information of the STA, where the feature information of the STA includes an MAC address of the STA, a random number generated by the STA, and a feature value of the PMK;
an STA information sending unit, configured to send feature information of the STA to the first AP, so that the first AP generates the PTK based on the feature information of the STA and the feature information of the first AP, and link authentication, access authentication, and key agreement between the STA and the first AP are completed.
8. A first access point, AP, wherein the first AP comprises:
an access preparation unit, configured to generate a pairwise temporary key PTK based on the feature information of the mobile station STA and the feature information of the first AP, complete link authentication, access authentication, and key agreement with the STA, and obtain a MAC address of the STA, a pairwise master key PMK, and the PTK, wherein the STA characteristic information is transmitted by a fast roaming device, the STA characteristic information comprises the STA MAC address, the random number generated and transmitted by the STA, and the characteristic value of the PMK, the PTK is generated by the STA based on the random number generated by the STA, the MAC address of the STA, the PMK and the characteristic information of the first AP, the characteristic information of the first AP is transmitted to the STA by the fast roaming device after determining that the STA accesses the second AP, the characteristic information of the first AP comprises a MAC address of the first AP and a random number generated by the first AP;
a message receiving unit, configured to receive a data message encrypted by using the PTK and sent by the STA after determining that the STA is switched from a second AP to the first AP, where the first AP is a neighbor of the second AP, and the data message includes data and a data digest;
the decryption unit is used for decrypting the encrypted data message by adopting the PTK;
the determining unit is used for calculating the decrypted data by adopting a data digest algorithm to obtain a calculated data digest; comparing the calculated data digest with the decrypted data digest; when the calculated data digest is consistent with the decrypted data digest, the association between the STA and the first AP is completed.
9. A fast roaming apparatus, characterized in that the apparatus comprises a processor, a memory and a communication interface; the memory is used for storing software programs, and the processor realizes the following by running or executing the software programs stored in the memory:
acquiring feature information of a first Access Point (AP), wherein the feature information of the first AP comprises a Media Access Control (MAC) address of the first AP and a random number generated by the first AP;
after determining that a mobile Station (STA) accesses a second AP, transmitting characteristic information of the first AP to the STA, wherein the first AP is a neighbor of the second AP, enabling the STA to generate and transmit a random number, and generating a Pairwise Temporary Key (PTK) based on the random number generated by the STA, the MAC address of the STA, a Pairwise Master Key (PMK) and the characteristic information of the first AP;
acquiring the feature information of the STA, wherein the feature information of the STA comprises the MAC address of the STA, a random number generated by the STA and a feature value of the PMK;
and sending the feature information of the STA to the first AP, enabling the first AP to generate the PTK based on the feature information of the STA and the feature information of the first AP, and completing link authentication, access authentication and key agreement between the STA and the first AP.
10. A first access point, AP, wherein the first AP comprises a processor, a memory, and a communication interface; the memory is used for storing software programs, and the processor realizes the following by running or executing the software programs stored in the memory:
generating a pairwise temporary key PTK based on the characteristic information of the STA and the characteristic information of the first AP, completing link authentication, access authentication and key agreement with the STA, obtaining the MAC address of the STA, a pairwise master key PMK and the PTK, wherein the STA characteristic information is transmitted by a fast roaming device, the STA characteristic information comprises the STA MAC address, the random number generated and transmitted by the STA, and the characteristic value of the PMK, the PTK is generated by the STA based on the random number generated by the STA, the MAC address of the STA, the PMK and the characteristic information of the first AP, the characteristic information of the first AP is transmitted to the STA by the fast roaming device after determining that the STA accesses the second AP, the characteristic information of the first AP comprises a MAC address of the first AP and a random number generated by the first AP;
receiving a data message which is sent by the STA after the STA is determined to be switched from a second AP to the first AP and encrypted by the PTK, wherein the first AP is a neighbor of the second AP, and the data message comprises data and a data digest;
decrypting the encrypted data message by using the PTK;
calculating the decrypted data by adopting a data digest algorithm to obtain a calculated data digest;
comparing the calculated data digest with the decrypted data digest;
when the calculated data digest is consistent with the decrypted data digest, the association between the STA and the first AP is completed.
CN201610640221.4A 2016-08-05 2016-08-05 Fast roaming method, device, system, access point and mobile station Active CN107690138B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610640221.4A CN107690138B (en) 2016-08-05 2016-08-05 Fast roaming method, device, system, access point and mobile station


Publications (2)

Publication Number Publication Date
CN107690138A CN107690138A (en) 2018-02-13
CN107690138B true CN107690138B (en) 2020-08-14

Family

ID=61152050


Country Status (1)

Country Link
CN (1) CN107690138B (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110891272B (en) * 2018-09-10 2022-12-09 奇点新源国际技术开发(北京)有限公司 Wireless network access authentication method and device
CN111328066B (en) * 2018-12-14 2023-09-01 中国电信股份有限公司 Heterogeneous wireless network fast roaming method and system, master and slave access point devices
CN109462875B (en) * 2019-01-16 2020-10-27 展讯通信(上海)有限公司 Wireless roaming method, access point device and mobile station
CN109890029B (en) * 2019-01-29 2022-06-03 珠海迈科智能科技股份有限公司 Automatic network distribution method of intelligent wireless equipment
US10728807B1 (en) * 2019-03-04 2020-07-28 Cisco Technology, Inc. Fast roaming and uniform policy for wireless clients with distributed hashing
CN111479248B (en) * 2020-03-19 2022-03-01 烽火通信科技股份有限公司 Fast roaming automatic configuration method and system
CN116508292A (en) * 2020-12-03 2023-07-28 Oppo广东移动通信有限公司 Access authentication method, device, equipment and storage medium
CN114745718A (en) * 2021-01-07 2022-07-12 华为技术有限公司 Roaming control method in local area network and related device thereof
CN113316141B (en) * 2021-05-21 2022-11-18 中国联合网络通信集团有限公司 Wireless network access method, sharing server and wireless access point
US11902775B2 (en) 2021-05-28 2024-02-13 Cisco Technology, Inc. Encrypted nonces as rotated device addresses
CN114173334A (en) * 2021-10-26 2022-03-11 新华三大数据技术有限公司 Method for accessing AP, AP and storage medium
CN116156493A (en) * 2021-11-23 2023-05-23 华为技术有限公司 Roaming method and system
CN119697602A (en) * 2022-02-24 2025-03-25 华为技术有限公司 Wireless local area network system, communication method and device
CN116582554A (en) * 2022-04-07 2023-08-11 武汉联影医疗科技有限公司 Edge node access processing method and device, mobile terminal and edge node
US20240381076A1 (en) * 2023-05-14 2024-11-14 Cisco Technology, Inc. Systems and methods for security association enabling make-before-break-roaming (mbbr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7480939B1 (en) * 2000-04-28 2009-01-20 3Com Corporation Enhancement to authentication protocol that uses a key lease
CN101111056B (en) * 2006-07-17 2010-05-12 西安电子科技大学 Fast switching method in wireless local area network
CN103888941A (en) * 2012-12-20 2014-06-25 杭州华三通信技术有限公司 Method and device for key negotiation of wireless network

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7275157B2 (en) * 2003-05-27 2007-09-25 Cisco Technology, Inc. Facilitating 802.11 roaming by pre-establishing session keys
CN1298194C (en) * 2004-03-22 2007-01-31 西安电子科技大学 Radio LAN security access method based on roaming key exchange authentication protocal

Also Published As

Publication number Publication date
CN107690138A (en) 2018-02-13

Similar Documents

Publication Publication Date Title
CN107690138B (en) Fast roaming method, device, system, access point and mobile station
US11178584B2 (en) Access method, device and system for user equipment (UE)
US8037305B2 (en) Securing multiple links and paths in a wireless mesh network including rapid roaming
US10798082B2 (en) Network authentication triggering method and related device
US7275157B2 (en) Facilitating 802.11 roaming by pre-establishing session keys
JP5597676B2 (en) Key material exchange
US20040236939A1 (en) Wireless network handoff key
CN108966220A (en) Safety implementation method, relevant apparatus and system
US8661510B2 (en) Topology based fast secured access
CN108702626A (en) Wireless Wide Area Network (WWAN) Wireless Local Area Network (WLAN) Converged Security
US10659370B2 (en) Wireless local area network (WLAN) node, a wireless device, and methods therein
WO2012075863A1 (en) Centralized 802.1x authentication method, device and system of wireless local area network
WO2015096138A1 (en) Offload method, user equipment, base station and access point
CN104683343B (en) A kind of method of terminal quick registration Wi-Fi hotspot
WO2010130191A1 (en) Authentication method of switching access networks, system and device thereof
US12166757B2 (en) Device-independent authentication based on an authentication parameter and a policy
WO2021109770A1 (en) Wireless network switching method and device
EP2648437B1 (en) Method, apparatus and system for key generation
US20120054831A1 (en) Method and system for switching station in centralized wlan when wpi is performed by access controller
US11310724B2 (en) Key management for fast transitions
WO2024145946A1 (en) Apparatus, method, and computer program
US20250203551A1 (en) Seamless roaming within a seamless mobility domain
US20250184727A1 (en) Authentication by a local authenticator
WO2025137364A1 (en) Seamless roaming within a seamless mobility domain
WO2025099004A1 (en) Method and apparatus for operating with enhanced data privacy features for stations implementing changing mac address

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant