CN101656962B - Method and system for debugging equipment based on wireless local area network security foundation structure - Google Patents


Info

Publication number: CN101656962B
Application number: CN2009102037669A
Authority: CN (China)
Prior art keywords: message, debugging, mpdu, unit, wpi
Legal status: Expired - Fee Related (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN101656962A (en)
Inventors: 吴洲, 胡易木, 胡秋林
Current assignee: Beijing morning boat Technology Co., Ltd. (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: ZTE Corp

Events
    • Application filed by ZTE Corp
    • Priority to CN2009102037669A
    • Publication of CN101656962A
    • Priority to PCT/CN2010/072192 (WO2010142170A1)
    • Application granted
    • Publication of CN101656962B
    • Expired - Fee Related (current legal status)
    • Anticipated expiration

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H04W12/03: Protecting confidentiality, e.g. by encryption
    • H04W12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043: Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor

Abstract

The invention relates to a method and a system for debugging equipment based on the wireless local area network privacy infrastructure (WPI). The method comprises the following steps: a WAPI authentication and key negotiation process is carried out between a master debugging device and the debugged device, and a session key is negotiated in this process; the master debugging device sends debugging command messages to the debugged device over the wireless local area network to start and control the debugging process; after the debugging process is started, the debugged device sends debugging information messages to the master debugging device, and the master debugging device carries out debugging analysis using the debugging information in those messages. The master debugging device encrypts each debugging command message with the session key and then encapsulates it in an MPDU for transmission, whereas the debugged device encapsulates at least one debugging information message in an MPDU in clear text when sending it to the master debugging device.

Description

Equipment debugging method and system based on the wireless local area network privacy infrastructure
Technical field
The present invention relates to the communications field, and in particular to an equipment debugging method and system based on the wireless local area network privacy infrastructure (WPI).
Background technology
At present, in the research and development of communication equipment such as mobile terminals, and particularly during field testing, debugging information from the network system and from the communication equipment itself needs to be analysed and processed. In this case the debugged communication equipment is usually connected to a PC (Personal Computer) through a UART (Universal Asynchronous Receiver/Transmitter, serial port for short) or USB (Universal Serial Bus) interface, the debugging information is sent to the PC, and it is analysed and processed on the PC.
Fig. 1 is a schematic structural diagram of a communication equipment debugging system of the prior art. As shown in Fig. 1, the debugged communication equipment (hereinafter the debugged device) is connected through an external data interface cable (for example, a UART or USB interface cable) to the UART or USB interface of the PC, the debugging information is sent to the PC side, and the analysis and processing of the debugging information is carried out on the PC side to complete the debugging of the communication equipment or of the communication network.
When the system structure shown in Fig. 1 is used for debugging, a physical connection is required between the debugged device and the PC, so mobility is poor and the arrangement is very inconvenient; in particular, when measurements are carried out in a mobile environment in the field, the PC has to move together with the debugged device. In addition, because the number of external data interfaces available on the debugged device is limited, the debugged device can usually be connected to only a small number of PCs, which makes it difficult for several PCs at different locations to receive the debugging information at the same time and to analyse and process it.
At present, dual-mode communication equipment with a wireless local area network (WLAN) function is becoming more and more common; for example, dual-mode handsets with both TD-SCDMA (Time Division-Synchronous Code Division Multiple Access) wireless communication capability and a WLAN function are about to enter the market on a large scale. When such communication equipment is debugged, or a communication network is debugged through such equipment, the PC side can send debugging commands to the debugged communication equipment over the WLAN and receive the debugging information that the debugged communication equipment sends over the WLAN.
A debugging system built on a WLAN allows several debugging devices to receive the debugging information sent by the debugged communication equipment at the same time, and does not affect the mobility of the communication equipment during the debugging process. However, because a WLAN can send and receive data without a physical connection, how to guarantee the communication security of the debugging system becomes a very important problem.
To improve the security of WLANs, the relevant bodies have proposed the WAPI (WLAN Authentication and Privacy Infrastructure) protocol. WAPI is the WLAN security solution proposed in the Chinese WLAN standard GB 15629.11 in response to the security problems of the WEP (Wired Equivalent Privacy) protocol of IEEE 802.11; it has been verified repeatedly by multiple parties and takes a variety of application models fully into account.
The WAPI protocol mainly carries out the access authentication and key negotiation of the mobile terminal through the authentication and key negotiation processes specified by the WAI (WLAN Authentication Infrastructure) protocol, and completes the encrypted transmission of data at the MAC (Media Access Control) layer, that is, link-layer encrypted transmission, through the encryption and decryption process specified by the WPI (WLAN Privacy Infrastructure) protocol.
Fig. 2 is a flow chart of a WAPI-based communication equipment debugging method. Here the debugged device and the debugging devices such as the PC all include a WAPI communication module, so a WLAN connection can be established between them, and the debugging command messages, debugging response messages and debugging information messages are transmitted over that WLAN connection. As shown in Fig. 2, the method comprises:
201: after the debugged device and the debugging device have successfully completed link verification and association, the authentication and key negotiation process of the WAPI protocol is completed;
In the authentication and key negotiation process, the debugged device and the debugging device can each derive a base key (BK) from the same pre-shared key (PSK) stored in advance by both sides, and then use the base key to complete the negotiation of the unicast session key, so that a unicast session key is negotiated between the debugged device and the debugging device.
For the technical details of link verification and association and of the authentication and key negotiation process, refer to the WAPI protocol.
202: debugging command messages and debugging response messages are transmitted between the debugged device and the debugging device; the unicast session key negotiated in step 201 is used for link-layer encrypted transmission of the debugging command messages and debugging response messages between the debugged device and the debugging device.
Debugging command messages are sent by the debugging device to the debugged device and include: a module selection command (used to select the debugged module in the debugged device), a parameter setting command (used to set the parameters of the debugged module), a debugging start command (used to start the debugging process of the debugged module), a debugging end command (used to stop the debugging process of the debugged module), and so on.
Debugging response messages are sent by the debugged device to the debugging device and are used to respond to the debugging commands sent by the debugging device (for example, with a success response or a failure response); they include a debugging module selection response, a parameter setting response, a debugging start response, a debugging end response, and so on.
203: after the debugging process is started, the debugged device sends debugging information messages to the debugging device; the debugged device uses the unicast session key negotiated in step 201 for link-layer encrypted transmission of the debugging information messages.
A debugging information message contains: the current running state of the wireless communication module of the debugged device (for example, the TD-SCDMA module), the data received and sent by that wireless communication module, and state information of the wireless communication network in which the debugged device is located (for example, the list of adjacent cells).
Thereafter, during the transmission of debugging information, debugging commands and debugging responses can be transmitted between the debugged device and the debugging device at any time.
From the above description it can be seen that introducing the WAPI protocol into the debugging system greatly enhances the communication security of the WLAN-based debugging system and prevents unauthorised users from obtaining trade secrets such as the system parameters and device parameters contained in the debugging information. However, the above method still has the following disadvantages:
1) Because the volume of debugging information sent by the debugged device is very large, encrypting the debugging information for transmission increases the processing load of the debugged device and, in serious cases, can affect its normal operation; for time-related debugging, the delay caused by encrypting a large amount of debugging information may also affect the accuracy of the debugging results.
2) Because the unicast session key between the debugged device and the debugging device is generated from the base key and from random numbers generated by each side, when several debugging devices debug the debugged device at the same time the unicast session key has to be shared among them so that every debugging device can correctly decrypt the debugging information. Sharing the unicast session key among several debugging devices may lead to all of them sending debugging commands to the debugged device, which easily causes confusion and is unfavourable to centralised control and management of the debugging process.
Summary of the invention
The technical problem to be solved by the present invention is to overcome the deficiencies of the prior art and provide a WAPI-based equipment debugging method and system that reduce the processing load and the hardware and software cost of the debugged device and the debugging device.
To solve the above problem, the present invention provides a communication equipment debugging method based on the wireless local area network privacy infrastructure, the method comprising:
an authentication and key negotiation process of the WAPI protocol is carried out between a master debugging device and the debugged device, and a session key is negotiated in this process;
the master debugging device sends debugging command messages to the debugged device over the WLAN to start and control the debugging process;
after the debugging process is started, the debugged device sends debugging information messages to the master debugging device, and the master debugging device carries out debugging analysis using the debugging information in the debugging information messages;
wherein the master debugging device encrypts each debugging command message with the session key and then encapsulates it in a media access control protocol data unit (MPDU) for transmission, and the debugged device encapsulates at least one debugging information message in an MPDU in clear text and sends it to the master debugging device.
In addition, the session key comprises a unicast session key and a multicast session key;
after the master debugging device and the debugged device have negotiated the session key, the master debugging device also sends the multicast session key to the slave debugging devices;
the master debugging device uses the unicast session key to encrypt the debugging command messages; the debugged device encrypts at least one debugging information message with the multicast session key and then encapsulates it in an MPDU sent to the master debugging device and the slave debugging devices; the master debugging device and the slave debugging devices use the multicast session key to decrypt the encrypted debugging information messages.
In addition, the debugged device encapsulates all debugging information messages in MPDUs in clear text for transmission; or
the debugged device selects at random whether the current debugging information message is encrypted or encapsulated in the MPDU in clear text for transmission; or
the debugged device parses the message header of the debugging information message and, according to the encryption indication field in that header, encrypts the message or encapsulates it in the MPDU in clear text for transmission.
In addition, the MPDU sent by the debugged device contains a plaintext transmission flag indicating whether the debugging information message in that MPDU is encapsulated in clear text.
In addition, n1 bits of the reserved field of the MPDU are used as the plaintext transmission flag; or
n2 bits among the 2nd to 8th bits of the session key index field of the MPDU are used as the plaintext transmission flag;
where 1 ≤ n1 ≤ 8 and 1 ≤ n2 ≤ 7.
In addition, the packet sequence number field of the MPDU is used as the plaintext transmission flag: when the value of the plaintext transmission flag is 1, the audio/video data message is encapsulated in the MPDU in clear text; when the value of the plaintext transmission flag is 0, the audio/video data message is encapsulated in the MPDU in encrypted form.
The present invention also provides a communication equipment debugging system based on the wireless local area network privacy infrastructure, the system comprising a debugging device and a debugged device; the debugging device is provided with a debugging control and analysis module, a first WLAN authentication infrastructure (WAI) unit and a first WLAN privacy infrastructure (WPI) unit; the debugged device is provided with a debugged module, a debugging information collection module, a second WAI unit and a second WPI unit; wherein:
the first WAI unit and the second WAI unit interact to complete the authentication and key negotiation process of the WAPI protocol, and send the session key negotiated in this process to the first WPI unit and the second WPI unit respectively;
the debugging control and analysis module sends debugging command messages to the debugged device through the first WPI unit to start and control the debugging process;
the first WPI unit encrypts, with the session key, the debugging command messages sent by the debugging control and analysis module and, after encryption, encapsulates them in MPDUs sent to the debugged device;
the second WPI unit receives the MPDUs sent by the first WPI unit, decrypts the encapsulated debugging command messages with the session key, and sends the decrypted debugging command messages to the debugging information collection module;
the debugging information collection module collects the debugging information generated by the debugged module according to the debugging commands in the debugging command messages, encapsulates the debugging information in debugging information messages and sends them to the second WPI unit;
the second WPI unit also encapsulates at least one of the debugging information messages sent by the debugging information collection module in an MPDU in clear text and sends it to the debugging device;
the first WPI unit also receives the MPDUs sent by the second WPI unit, judges whether the encapsulated debugging information message has been encrypted and, if so, decrypts it with the session key; it then sends the decrypted debugging information message, or the debugging information message encapsulated in the MPDU in clear text, to the debugging control and analysis module;
the debugging control and analysis module also carries out debugging analysis on the debugging information in the received debugging information messages.
In addition, the second WPI unit encapsulates all debugging information messages sent by the debugging information collection module in MPDUs in clear text and sends them to the debugging device; or
the second WPI unit selects at random whether the debugging information message currently sent by the debugging information collection module is encrypted with the session key or encapsulated in the MPDU in clear text before being sent to the debugging device; or
the second WPI unit parses the message header of the debugging information message sent by the debugging information collection module and, according to the encryption indication field in that header, encrypts the message with the session key or encapsulates it in the MPDU in clear text before sending it to the debugging device.
In addition, the second WPI unit also sets a plaintext transmission flag in the MPDUs it sends, indicating whether the debugging information message in the MPDU is encapsulated in clear text.
In addition, the second WPI unit uses n1 bits of the reserved field of the MPDU as the plaintext transmission flag; or
the second WPI unit uses n2 bits among the 2nd to 8th bits of the session key index field of the MPDU as the plaintext transmission flag; or
the second WPI unit uses the packet sequence number field of the MPDU as the plaintext transmission flag;
where 1 ≤ n1 ≤ 8 and 1 ≤ n2 ≤ 7.
In summary, the present invention uses one-way encryption and selective encryption for the communication between the debugged device and the debugging device, which reduces the processing load of the debugged device and the debugging device and improves the accuracy of the debugging results.
Description of drawings
Fig. 1 is a schematic structural diagram of a communication equipment debugging system of the prior art;
Fig. 2 is a flow chart of a WAPI-based communication equipment debugging method;
Fig. 3 is a schematic diagram of the MPDU encapsulation structure of WPI;
Fig. 4 is a flow chart of the WAPI-based communication equipment debugging method of an embodiment of the present invention;
Fig. 5 is a schematic diagram of the data structure of the debugging message of an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of the communication equipment debugging system based on the wireless local area network privacy infrastructure of an embodiment of the present invention.
Embodiment
The core idea of the present invention is that, before the WPI unit in the debugged device encapsulates debugging information messages and debugging response messages into MPDUs (MAC Protocol Data Units), it applies selective encryption (also called partial encryption) to them: some of the debugging information messages and debugging response messages are encrypted, while the others are encapsulated directly, in clear text, in the data (PDU) field of the MPDU and sent to the debugging device.
The MPDU encapsulation structure of WPI is shown in Fig. 3, where:
the MAC header field is 24 bytes or 30 bytes long;
the session key index field is 1 byte long and carries the USKID (unicast session key index), MSKID (multicast session key index) or STAKeyID (inter-station key index) value, that is, the index of the session key used to encrypt this MPDU;
the reserved field is 1 byte long;
the PN (packet sequence number) field is 16 bytes long, and its value can serve as the IV (initialisation vector) required for data encryption and decryption;
the PDU (data) field carries the MPDU payload and has a maximum length of 2278 bytes; it encapsulates the upper-layer protocol data message, including debugging command messages, debugging response messages and debugging information messages;
the MIC (integrity check code) field is 16 bytes long;
the FCS field is 4 bytes long and is the frame check sequence of the MAC frame format.
Fig. 3 also shows one way of encapsulating debugging command messages, debugging response messages and debugging information messages. Debugging command messages, debugging response messages and debugging information messages are referred to collectively as debugging messages and consist of a debugging message header and debugging data.
A debugging message can be encapsulated in a TCP (Transmission Control Protocol) message or a UDP (User Datagram Protocol) message for transmission.
TCP messages and UDP messages can be encapsulated in IP (Internet Protocol) messages for transmission. The IP header contains information such as the IP address of the debugged device or debugging device. The IP address can be a unicast address or a multicast address.
It should be noted that the encapsulation of the debugging message in the PDU field shown in Fig. 3 is only an example; other encapsulations can also be used.
The present invention is described below with reference to the drawings and embodiments.
Fig. 4 is a flow chart of the WAPI-based communication equipment debugging method of an embodiment of the present invention. Here the debugged device and the debugging device both include a WAPI communication module, so a WLAN connection can be established between them, and the debugging command messages, debugging response messages and debugging information messages are transmitted over that WLAN connection. As shown in Fig. 4, the method comprises:
401: after the debugged device and the debugging device have successfully completed link verification and association, the WAI units of the debugged device and the debugging device complete the authentication and key negotiation process of the WAPI protocol;
In the authentication and key negotiation process, the debugged device and the debugging device can each derive the same base key (BK) from the same pre-shared key (PSK) stored in advance by both sides, and then use the base key to complete the negotiation of the unicast session key and the multicast session key, so that session keys such as the unicast session key and the multicast session key are negotiated between the debugged device and the debugging device.
402: the debugging device sends debugging commands to the debugged device to select the debugged module in the debugged device, set the parameters of the debugged module, and finally start and control the debugging process; the WPI unit in the debugging device applies link-layer encryption to the debugging commands with the session key negotiated in step 401 and then encapsulates them in the PDU field of an MPDU for transmission.
Fig. 5 is a schematic diagram of the data structure of the debugging message of an embodiment of the present invention. As shown in Fig. 5, the debugging message is divided into two parts: the debugging message header and the debugging data.
The debugging message header contains: message type, message length, key type and encryption indication, where:
the message type is one of three classes: debugging command message, debugging response message and debugging information message;
the message length indicates the total length of the whole debugging message;
the key type is an optional field through which the debugging control and analysis module in the debugging device notifies the underlying WPI unit of the key type to use for link-layer encryption, or the debugging information collection module in the debugged device notifies its underlying WPI unit of the key type to use for link-layer encryption; the key type is either the unicast session key or the multicast session key;
the encryption indication is an optional field through which the debugging information collection module in the debugged device notifies the underlying WPI unit whether to apply link-layer encryption.
403: the debugged device returns the corresponding debugging response message to the debugging device, informing it that the debugging command it sent has been received and handled accordingly; the WPI unit in the debugged device can encapsulate the debugging response message in an MPDU in clear text for transmission, or apply link-layer encryption to the debugging response message with the session key negotiated in step 401 and then encapsulate it in an MPDU for transmission.
The WPI unit can decide whether to apply link-layer encrypted transmission to a debugging response message according to one of the following policies:
A: no debugging response message is link-layer encrypted; all of them are encapsulated directly in MPDUs in clear text for transmission;
B: the WPI unit selects at random whether the current debugging response message is link-layer encrypted or encapsulated in clear text for transmission; for example, out of every 10 debugging response messages, 7 are transmitted in clear text and the remaining 3 are link-layer encrypted before encapsulation and transmission;
C: the WPI unit parses the debugging message header and decides whether to link-layer encrypt the message according to the encryption indication field in the debugging message header (shown in Fig. 5); the value of this field is set by the debugging information collection module in the upper layer.
404: after the debugging process is started, the debugged device sends debugging information messages to the debugging device; likewise, the WPI unit in the debugged device can encapsulate a debugging information message in an MPDU in clear text for transmission, or apply link-layer encryption to the debugging information message with the session key negotiated in step 401 and then encapsulate it in the PDU field of an MPDU for transmission.
The WPI unit can decide whether to apply link-layer encrypted transmission to a debugging information message according to one of the following policies:
A: no debugging information message is link-layer encrypted; all of them are encapsulated directly in MPDUs in clear text for transmission;
B: the WPI unit selects at random whether the current debugging information message is link-layer encrypted or encapsulated in clear text for transmission; for example, out of every 10 debugging information messages, 3 are transmitted in clear text and the remaining 7 are link-layer encrypted before encapsulation and transmission;
C: the WPI unit parses the debugging message header and decides whether to link-layer encrypt the message according to the encryption indication field in the debugging message header (shown in Fig. 5); the value of this field is set by the debugging information collection module in the upper layer.
So that the commissioning device can tell whether the debug message encapsulated in an MPDU has been link-layer encrypted, the debugged device may set a plaintext transmission flag in the MPDUs it sends to the commissioning device in any of the following ways:
1) Use n1 bits (1 ≤ n1 ≤ 8) of the reserved field of the MPDU as the plaintext transmission flag; for example, a flag value of 1 denotes a cleartext MPDU and a flag value of 0 denotes an encrypted MPDU;
2) Use n2 bits (1 ≤ n2 ≤ 7) among bits 1 to 7 of the session key index field (i.e. the 2nd to 8th bits, which the WAPI protocol leaves unused) as the plaintext transmission flag; a flag value greater than 0 denotes a cleartext MPDU and a flag value of 0 denotes an encrypted MPDU.
Note that bit 0 of the session key index field is already occupied by the unicast session key index, the multicast session key index or the inter-station key index.
3) Besides the positions above, because the PN (packet sequence number) field is not needed when an MPDU is transmitted in cleartext, the plaintext transmission flag may also be placed in the PN field: a PN value of 1 denotes a cleartext MPDU and a PN value of 0 denotes an encrypted MPDU (the WAPI protocol specifies that, when the PN is used as the IV during encryption, its value is never 0 or 1).
405: after the WPI unit in the commissioning device receives an MPDU carrying a debug information message, it determines whether the encapsulated debug information message has been link-layer encrypted. If it has, the WPI unit decrypts it and then passes the debug information message to the debugging control and analysis module for analysis and processing; if it has not, the WPI unit passes the debug information message directly to the debugging control and analysis module for analysis and processing.
In this step, besides learning from the plaintext transmission flag whether the MPDU was transmitted in cleartext, the commissioning device may also decide this by parsing the format of the data encapsulated in the PDU field; for example, it checks whether the IP header values are valid and, if they are not, concludes that the IP packet is encrypted and hence that the MPDU is not a cleartext MPDU.
Based on the principle of the invention, the embodiment above admits several variations, for example:
(1) When several commissioning devices debug the same debugged device, one of them may act as the master commissioning device and perform the authentication and key negotiation of step 201 with the debugged device; after the unicast session key and the multicast session key have been negotiated, the multicast session key is delivered to the slave commissioning devices over a secure path (for example, a direct physical connection). In this case the master commissioning device can instruct the debugged device, by a debug command, to use the multicast key for link-layer encryption of the debug information messages.
To keep the debug process under centralized control, the master commissioning device should link-layer encrypt the debug commands with the unicast session key, and the debugged device should decrypt received MPDUs only with the unicast session key, so that a slave commissioning device, which holds only the multicast session key, cannot issue commands.
(2) During debugging, the master commissioning device may instruct the debugged device, by a debug command, to switch between the multicast session key and the unicast session key; when the debug information collection module in the debugged device receives such an instruction, it indicates to the WPI unit, through the key type field of the debug message header, which type of session key to use.
(3) Note that, because the debug command messages sent by the commissioning device are link-layer encrypted, an observer who cannot decrypt the debug command messages will generally find it hard to interpret the debug information messages even if it captures all of them. Therefore, in debugging scenarios where the security requirement is not high, all debug information messages and debug response messages may be encapsulated and transmitted in cleartext. In that case the WPI unit of the commissioning device need not parse the application-layer header (debug header) to determine from its encryption indication field whether a debug message has been link-layer encrypted. This protection rests only on the observer not knowing the debug message format; the debug information itself is still exposed on the air.
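The following is an added example, not code from the patent or from ZTE, that models the mechanism of steps 403 to 405 (policies A, B and C, the plaintext transmission flag in the reserved field, the session key index field or the PN field, the receiver's decision and its IP-header fallback) together with the multicast-key variant of items (1) and (2) above, where the key type field of the debug header selects the unicast or multicast session key and a slave commissioning device holds only the multicast key. Everything not on the page is assumed: the debug header layout (type, encryption flag, key type, length; Fig. 5 is not reproduced here), a PDU consisting of a minimal IPv4 header followed by the debug message with no LLC/SNAP header, a PN that simply counts up from 2, flag widths n1 = n2 = 1, an implementation of policy B as a fixed 3-of-10 pattern rather than a random draw, and HMAC-SHA256 stand-ins for the SMS4 cipher and MIC of WPI. The PN flag is tested as "PN == 1", since an encrypted MPDU carries its real PN.

```python
"""Selective link-layer encryption of debug messages on a WAPI-style WPI link (added example).
Cipher and MIC are HMAC-SHA256 stand-ins for SMS4-OFB/SMS4-CBC-MAC; debug header layout is assumed.
"""
import hashlib
import hmac
import struct

UNICAST, MULTICAST = 0, 1          # key type values; bit 0 of the key index selects the key
PN_START = 2                        # PN values 0 and 1 are never used as an IV (page text)
DBG_HDR = struct.Struct(">BBBH")    # assumed debug header: msg type, encrypt flag, key type, length

def _keystream(key: bytes, pn: int, n: int) -> bytes:
    """Counter keystream from HMAC-SHA256 under the session key (toy stand-in for SMS4-OFB)."""
    blocks = (hmac.new(key, pn.to_bytes(16, "big") + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _mic(key: bytes, hdr: bytes, body: bytes) -> bytes:
    """16-byte integrity tag over the WPI header and ciphertext (toy stand-in for the WPI MIC)."""
    return hmac.new(key, hdr + body, hashlib.sha256).digest()[:16]

def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack(">10H", hdr[:20]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_pdu(debug_msg: bytes) -> bytes:
    """Constructed sample PDU: minimal IPv4 header (protocol 253, no options) + debug message."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(debug_msg), 1, 0, 64, 253, 0,
                      bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:] + debug_msg

def ipv4_header_ok(pdu: bytes) -> bool:
    """Step 405 fallback: does the PDU start with a sane IPv4 header? Ciphertext will not."""
    if len(pdu) < 20 or pdu[0] >> 4 != 4 or (pdu[0] & 0x0F) < 5:
        return False
    return ipv4_checksum(pdu[:20]) == 0 and struct.unpack(">H", pdu[2:4])[0] == len(pdu)

def debug_message(msg_type: int, payload: bytes, encrypt: bool, key_type: int) -> bytes:
    """Debug message as the collection module would build it (assumed header layout)."""
    return DBG_HDR.pack(msg_type, int(encrypt), key_type, len(payload)) + payload

class DebuggedWpi:
    """Second WPI unit (step 404): policy A/B/C, key type from the header, plaintext flag."""
    def __init__(self, keys: dict, policy: str, flag_pos=None):
        self.keys, self.policy, self.flag_pos = keys, policy, flag_pos
        self.pn, self.sent = PN_START, 0

    def encapsulate(self, debug_msg: bytes) -> bytes:
        _, enc_field, key_type, _ = DBG_HDR.unpack_from(debug_msg)
        if self.policy == "A":                     # A: never encrypt
            encrypt = False
        elif self.policy == "B":                   # B: 3 of every 10 in the clear (page's example ratio)
            encrypt = self.sent % 10 >= 3
        else:                                      # C: the header's encryption indication field decides
            encrypt = bool(enc_field)
        self.sent += 1
        pdu, key_idx, reserved, pn = build_pdu(debug_msg), key_type & 1, 0, 0
        if encrypt:
            pn, self.pn = self.pn, self.pn + 1
        else:                                      # mark the cleartext MPDU at the agreed position
            reserved = 0x01 if self.flag_pos == "reserved" else 0   # n1 = 1 bit of the reserved field
            key_idx |= 0x02 if self.flag_pos == "keyidx" else 0     # n2 = 1: bit 1 of the key index
            pn = 1 if self.flag_pos == "pn" else 0                  # PN = 1 never occurs when encrypted
        hdr = bytes([key_idx, reserved]) + pn.to_bytes(16, "big")
        if not encrypt:
            return hdr + pdu
        key = self.keys[key_type]
        body = _xor(pdu, _keystream(key, pn, len(pdu)))
        return hdr + body + _mic(key, hdr, body)

class CommissioningWpi:
    """First WPI unit (step 405): detect cleartext MPDUs, decrypt the rest with the selected key."""
    def __init__(self, keys: dict, flag_pos=None):
        self.keys, self.flag_pos = keys, flag_pos

    def is_cleartext(self, mpdu: bytes) -> bool:
        key_idx, reserved, pn = mpdu[0], mpdu[1], int.from_bytes(mpdu[2:18], "big")
        flags = {"reserved": reserved & 0x01, "keyidx": key_idx & 0x02, "pn": pn == 1}
        if self.flag_pos in flags:
            return bool(flags[self.flag_pos])
        return ipv4_header_ok(mpdu[18:])           # no flag agreed: parse the PDU instead

    def decapsulate(self, mpdu: bytes):
        """Return (debug message, was_encrypted); raise on a missing key or a bad MIC."""
        hdr, rest = mpdu[:18], mpdu[18:]
        if self.is_cleartext(mpdu):
            return rest[20:], False
        key = self.keys[hdr[0] & 1]                # KeyError: this device holds no such session key
        body, tag = rest[:-16], rest[-16:]
        if not hmac.compare_digest(tag, _mic(key, hdr, body)):
            raise ValueError("MIC check failed")
        pdu = _xor(body, _keystream(key, int.from_bytes(hdr[2:18], "big"), len(body)))
        return pdu[20:], True
```

A slave commissioning device is modelled as a `CommissioningWpi` whose key dictionary contains only the multicast key: it can read debug information encrypted under the multicast key, but an MPDU whose key index selects the unicast key raises `KeyError`, which is the centralized-control property of item (1). The fallback branch in `is_cleartext` is the IP-header check of step 405; it is only a heuristic and should be replaced by an explicit flag whenever the two sides can agree on one.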
In summary, by adopting the partial (selective) encryption method of the invention on the debugged device, the processing load of the debugged device can be greatly reduced and the accuracy of the debugging results improved.
Fig. 6 shows the structure of the communication device debugging system based on a wireless local area network privacy infrastructure according to an embodiment of the invention; the system comprises a commissioning device and a debugged device.
The commissioning device comprises a debugging control and analysis module and a WAPI communication module (referred to as the first WAPI communication module); the first WAPI communication module comprises a WAI unit (the first WAI unit) and a WPI unit (the first WPI unit).
The debugged device comprises a debugged module, a debug information collection module and a WAPI communication module (the second WAPI communication module); the second WAPI communication module comprises a WAI unit (the second WAI unit) and a WPI unit (the second WPI unit).
The debugging control and analysis module sends debug command messages to the debugged device through the first WAPI communication module in order to select the debugged module in the debugged device, set the parameters of the debugged module, and finally start and control the debug process; it receives, through the first WAPI communication module, the debug response messages and debug information messages sent by the debugged device, acts on the content of the debug response messages (for example by resending a debug command message), and analyzes and processes the debug information carried in the debug information messages.
The first WAI unit interacts with the second WAI unit to complete the authentication and key negotiation process of the WAPI protocol, and delivers the negotiated session key to the first WPI unit.
The first WPI unit receives the debug command messages sent by the debugging control and analysis module, link-layer encrypts them, encapsulates them in MPDUs and sends them to the debugged device; it receives the MPDUs sent by the debugged device and determines whether the encapsulated debug information message or debug response message has been link-layer encrypted: if so, it decrypts the message and then passes it to the debugging control and analysis module for analysis and processing; if not, it passes the debug information message or debug response message directly to the debugging control and analysis module.
The debug information collection module receives the debug commands sent by the commissioning device through the second WAPI communication module, selects (starts) the debugged module according to the debug commands and sets the parameters of the debugged module; returns corresponding debug response messages to the commissioning device through the second WAPI communication module; and, once the debug process has started, collects the debug information generated by the debugged module, encapsulates it in debug information messages and sends them to the commissioning device through the second WAPI communication module.
The second WAI unit interacts with the first WAI unit to complete the authentication and key negotiation process of the WAPI protocol, and delivers the negotiated session key to the second WPI unit.
The second WPI unit receives the debug information messages and debug response messages sent by the debug information collection module, encapsulates some of them in MPDUs in cleartext and sends them to the commissioning device, and link-layer encrypts the others before encapsulating them in MPDUs and sending them to the commissioning device; it receives the MPDUs sent by the commissioning device, decrypts the debug command messages encapsulated in them and passes them to the debug information collection module for subsequent processing.
In addition, the second WPI unit decides whether to link-layer encrypt a debug response message or debug information message according to the policies described in steps 403 and 404.
In addition, the second WPI unit also sets the plaintext transmission flag in the MPDUs.

Claims (11)

1. A communication device debugging method based on a wireless local area network privacy infrastructure, characterized in that the method comprises:
performing the authentication and key negotiation process of the WLAN Authentication and Privacy Infrastructure (WAPI) protocol between a master commissioning device and a debugged device, and negotiating a session key in this process;
the master commissioning device sending debug command messages to the debugged device over the wireless local area network to start and control the debug process;
after the debug process has started, the debugged device sending debug information messages to the master commissioning device, and the master commissioning device performing debug analysis using the debug information in the debug information messages;
wherein the master commissioning device encrypts the debug command messages with the session key and then encapsulates them in media access control protocol data units (MPDUs) for transmission, and the debugged device encapsulates at least one debug information message in an MPDU in cleartext and sends it to the master commissioning device.
2. The method of claim 1, characterized in that:
the session key comprises a unicast session key and a multicast session key;
after the master commissioning device and the debugged device have negotiated the session key, the multicast session key is further sent to the slave commissioning devices;
the master commissioning device encrypts the debug command messages with the unicast session key; the debugged device encrypts at least one debug information message with the multicast session key, encapsulates it in an MPDU and sends it to the master commissioning device and the slave commissioning devices; and the master commissioning device and the slave commissioning devices decrypt the encrypted debug information message with the multicast session key.
3. The method of claim 1, characterized in that:
the debugged device encapsulates all debug information messages in MPDUs in cleartext for transmission; or
the debugged device selects at random whether the current debug information message is encrypted or encapsulated in an MPDU in cleartext for transmission; or
the debugged device parses the header of the debug information message and, according to the encryption indication field in the header, either encrypts the message or encapsulates it in an MPDU in cleartext for transmission.
4. The method of claim 2, characterized in that:
the debugged device selects at random whether the current debug information message is encrypted or encapsulated in an MPDU in cleartext for transmission; or
the debugged device parses the header of the debug information message and, according to the encryption indication field in the header, either encrypts the message or encapsulates it in an MPDU in cleartext for transmission.
5. The method of claim 1 or 2, characterized in that:
the MPDUs sent by the debugged device contain a plaintext transmission flag indicating whether the debug information message in the MPDU is encapsulated in cleartext.
6. The method of claim 5, characterized in that:
n1 bits of the reserved field of the MPDU serve as the plaintext transmission flag; or
n2 bits among the 2nd to 8th bits of the session key index field of the MPDU serve as the plaintext transmission flag;
where 1 ≤ n1 ≤ 8 and 1 ≤ n2 ≤ 7.
7. The method of claim 5, characterized in that:
the packet sequence number field of the MPDU serves as the plaintext transmission flag; a flag value of 1 indicates that the debug information message is encapsulated in the MPDU in cleartext, and a flag value of 0 indicates that the debug information message is encapsulated in the MPDU in encrypted form.
8. A communication device debugging system based on a wireless local area network privacy infrastructure, the system comprising a commissioning device and a debugged device, characterized in that the commissioning device comprises a debugging control and analysis module, a first WLAN Authentication Infrastructure (WAI) unit and a first WLAN Privacy Infrastructure (WPI) unit, and the debugged device comprises a debugged module, a debug information collection module, a second WAI unit and a second WPI unit; wherein:
the first WAI unit and the second WAI unit are configured to interact to complete the authentication and key negotiation process of the WAPI protocol and to deliver the session key negotiated in this process to the first WPI unit and the second WPI unit respectively;
the debugging control and analysis module is configured to send debug command messages to the debugged device through the first WPI unit to start and control the debug process;
the first WPI unit is configured to encrypt, with the session key, the debug command messages sent by the debugging control and analysis module and, after encryption, to encapsulate them in MPDUs and send them to the debugged device;
the second WPI unit is configured to receive the MPDUs sent by the first WPI unit, to decrypt the encapsulated debug command messages with the session key, and to pass the decrypted debug command messages to the debug information collection module;
the debug information collection module is configured to collect, according to the debug commands in the debug command messages, the debug information generated by the debugged module, to encapsulate it in debug information messages and to send them to the second WPI unit;
the second WPI unit is further configured to encapsulate at least one of the debug information messages sent by the debug information collection module in an MPDU in cleartext and send it to the commissioning device;
the first WPI unit is further configured to receive the MPDUs sent by the second WPI unit, to determine whether the encapsulated debug information message is encrypted and, if so, to decrypt it with the session key, and to pass the decrypted debug information message, or the debug information message encapsulated in the MPDU in cleartext, to the debugging control and analysis module;
the debugging control and analysis module is further configured to perform debug analysis on the debug information in the received debug information messages.
9. The system of claim 8, characterized in that:
the second WPI unit encapsulates all the debug information messages sent by the debug information collection module in MPDUs in cleartext and sends them to the commissioning device; or
the second WPI unit selects at random whether to encrypt the debug information message currently sent by the debug information collection module with the session key or to encapsulate it in an MPDU in cleartext, and sends it to the commissioning device; or
the second WPI unit parses the header of the debug information message sent by the debug information collection module and, according to the encryption indication field in the header, either encrypts the message with the session key or encapsulates it in an MPDU in cleartext, and sends it to the commissioning device.
10. The system of claim 8 or 9, characterized in that:
the second WPI unit is further configured to set, in the MPDUs it sends, a plaintext transmission flag indicating whether the debug information message in the MPDU is encapsulated in cleartext.
11. The system of claim 10, characterized in that:
the second WPI unit uses n1 bits of the reserved field of the MPDU as the plaintext transmission flag; or
the second WPI unit uses n2 bits among the 2nd to 8th bits of the session key index field of the MPDU as the plaintext transmission flag; or
the second WPI unit uses the packet sequence number field of the MPDU as the plaintext transmission flag;
where 1 ≤ n1 ≤ 8 and 1 ≤ n2 ≤ 7.
CN2009102037669A 2009-06-12 2009-06-12 Method and system for debugging equipment based on wireless local area network security foundation structure Expired - Fee Related CN101656962B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2009102037669A CN101656962B (en) 2009-06-12 2009-06-12 Method and system for debugging equipment based on wireless local area network security foundation structure
PCT/CN2010/072192 WO2010142170A1 (en) 2009-06-12 2010-04-26 Device debugging method based on wlan privacy infrastructure and system thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009102037669A CN101656962B (en) 2009-06-12 2009-06-12 Method and system for debugging equipment based on wireless local area network security foundation structure

Publications (2)

Publication Number Publication Date
CN101656962A CN101656962A (en) 2010-02-24
CN101656962B true CN101656962B (en) 2011-12-07

Family

ID=41710991

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009102037669A Expired - Fee Related CN101656962B (en) 2009-06-12 2009-06-12 Method and system for debugging equipment based on wireless local area network security foundation structure

Country Status (2)

Country Link
CN (1) CN101656962B (en)
WO (1) WO2010142170A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101656962B (en) * 2009-06-12 2011-12-07 ZTE Corporation Method and system for debugging equipment based on wireless local area network security foundation structure
CN101986726B (en) * 2010-10-25 2012-11-07 China IWNCOMM Co., Ltd. (西安西电捷通无线网络通信股份有限公司) Method for protecting management frame based on wireless local area network authentication and privacy infrastructure (WAPI)
CN102299809A (en) * 2011-09-16 2011-12-28 迈奔灵动科技(北京)有限公司 Internet protocol (IP)-multicast-technology-based wireless connection method and system
DE102012220784A1 (en) * 2012-11-14 2014-05-15 Robert Bosch Gmbh Method for transmitting data packets between two communication modules and communication module for sending data packets and communication module for receiving data packets
US9053343B1 (en) * 2012-11-14 2015-06-09 Amazon Technologies, Inc. Token-based debugging of access control policies
US10225152B1 (en) 2013-09-30 2019-03-05 Amazon Technologies, Inc. Access control policy evaluation and remediation
US10320624B1 (en) 2013-09-30 2019-06-11 Amazon Technologies, Inc. Access control policy simulation and testing
GB2518469B (en) * 2014-04-02 2016-03-16 Photonstar Led Ltd Wireless nodes with security key
CN106254098B (en) * 2016-07-22 2020-02-21 纳瓦电子(上海)有限公司 Debugging data acquisition method and system and embedded wireless system
CN110457171A (en) * 2019-08-08 2019-11-15 Zhejiang Dahua Technology Co., Ltd. Embedded device debugging method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1700649A (en) * 2004-05-17 2005-11-23 Huawei Technologies Co., Ltd. A charging method based on WLAN authentication and privacy infrastructure certificate
CN101079891A (en) * 2007-06-15 2007-11-28 Tsinghua University Wireless switching network re-authentication method based on wireless LAN secure standard WAPI
CN101114906A (en) * 2006-07-26 2008-01-30 Beijing CEC Huada Electronic Design Co., Ltd. Method and device for managing WPI cipher key in 802.11 chips

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100505658C (en) * 2004-09-02 2009-06-24 Beijing WatchData System Co., Ltd. Method for realizing wireless LAN accessing
CN101656962B (en) * 2009-06-12 2011-12-07 ZTE Corporation Method and system for debugging equipment based on wireless local area network security foundation structure

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Wang Xinxin et al. WAPI data processing and implementation on a wireless controller. Journal of Chongqing Institute of Technology (Natural Science), 2008, vol. 22, no. 11, full text. *

Also Published As

Publication number Publication date
CN101656962A (en) 2010-02-24
WO2010142170A1 (en) 2010-12-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CB03 Change of inventor or designer information
Inventor after: Li Yanru; Luo Saiyan; Han Chunmei
Inventor before: Wu Zhou; Hu Yimu; Hu Qiulin
TR01 Transfer of patent right
Effective date of registration: 20170322
Address after: 100000 Beijing, Haidian District, No. ten on the ground floor, No. 1, building 5, floor 519, 3
Patentee after: Beijing morning boat Technology Co., Ltd.
Address before: 518057 Nanshan District high tech Industrial Park, Guangdong, South Road, science and technology, ZTE building, legal department
Patentee before: ZTE Corporation
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20111207
Termination date: 20200612