CN112565199B

CN112565199B - Network connection method, device, network equipment and storage medium

Info

Publication number: CN112565199B
Application number: CN202011259973.9A
Authority: CN
Inventors: 赵乾; 盛禹
Original assignee: Tencent Technology Shenzhen Co Ltd
Current assignee: Tencent Technology Shenzhen Co Ltd
Priority date: 2020-11-12
Filing date: 2020-11-12
Publication date: 2023-06-16
Anticipated expiration: 2040-11-12
Also published as: CN112565199A

Abstract

The embodiment of the application discloses a network connection method, a device, a network device and a storage medium, wherein the embodiment of the application can receive a network connection request sent by a terminal, and the network connection request carries terminal information of the terminal; carrying out compression mapping processing on the terminal information to obtain compressed information conforming to a preset data format; acquiring a first pre-shared key identifier from a first database based on the compressed information; checking the network connection request according to the first pre-shared key identifier, and acquiring a second pre-shared key identifier from a second database based on the terminal information when the checking fails; and verifying the network connection request according to the second pre-shared key identifier, and establishing network connection with the terminal when the verification is passed. The efficiency of network connection is improved.

Description

Network connection method, device, network equipment and storage medium

Technical Field

The present invention relates to the field of communications technologies, and in particular, to a network connection method, a device, a network device, and a storage medium.

Background

With the continuous development of technology, wireless networks are becoming more and more popular, wherein Wi-Fi network security access (Wi-Fi Protected Access, WPA) is a system for protecting wireless computer network (Wi-Fi) security, and has two standards, WPA and WPA 2. The encryption mode can comprise WPA pre-shared Key (WPA-pre-shared Key, WPA-PSK), WPA2 (enhanced version of WPA), WPA2-PSK, WPA private pre-shared Key (WPA-Private PreShared Key, WPA-PPSK) and the like.

Currently, existing wireless network systems generally employ a wireless controller (Wireless Access Point Controller, AC) and a wireless network Access Point (AP) architecture, and WPA/WPA2-PSK and WPA/WPA2-PPSK authentication are generally completed in the AC, that is, WPA/WPA2-PSK and WPA/WPA2-PPSK services are generally deployed on the AC, where a large number of Pre-Shared keys (PSK) are required to be stored. In the process of wireless network connection, an AP receives a handshake packet (which may be referred to as EAPol Key or connection request) sent by a terminal to be connected, and then transmits the handshake packet to an AC through a tunnel to perform authentication. Because it is impossible to determine which PSK is used to generate the check code by the EAPol Key of the terminal, the AC sequentially checks the received EAPol Key by traversing all PSK stored in the PSK library, and if the check is passed, network connection is established.

But in wireless network systems without a central AC, the WPA/WPA2-PSK authentication procedure needs to be completed directly at the AP. And because of cost limitation, the performance of the AP is generally weaker, so that the performance pressure of the AP is high by traversing all PSKs in a PSK library to verify in order to support WPA/WPA2-PPSK authentication. Particularly, in the case of a connection request by multiple terminals, the terminal may reinitiate the connection request due to excessively long authentication time, so that the network is deteriorated, and the terminal cannot complete WPA/WPA2-PPSK authentication. Because the wireless network systems of the AC and the AP architecture or the wireless network system without the central AC need to traverse all PSKs in the PSK library to check the connection request, the checking process needs to take more time, so that the network connection speed is low, and the connection efficiency is greatly reduced.

Disclosure of Invention

The embodiment of the application provides a network connection method, a network connection device, network equipment and a storage medium, which can improve the efficiency of network connection.

In order to solve the technical problems, the embodiment of the application provides the following technical scheme:

the embodiment of the application provides a network connection method, which comprises the following steps:

receiving a network connection request sent by a terminal, wherein the network connection request carries terminal information of the terminal;

Carrying out compression mapping processing on the terminal information to obtain compressed information conforming to a preset data format;

acquiring a first pre-shared key identifier from a first database based on the compressed information, wherein the first database comprises a mapping relation between preset compressed information and the pre-shared key identifier;

checking the network connection request according to the first pre-shared key identifier, and acquiring a second pre-shared key identifier from a second database based on the terminal information when the checking fails, wherein the second database comprises a mapping relation between preset terminal information and the pre-shared key identifier;

and verifying the network connection request according to the second pre-shared key identifier, and establishing network connection with the terminal when the verification is passed.

According to an aspect of the present application, there is also provided a network connection device, including:

the receiving unit is used for receiving a network connection request sent by a terminal, wherein the network connection request carries terminal information of the terminal;

the processing unit is used for carrying out compression mapping processing on the terminal information to obtain compressed information conforming to a preset data format;

The first acquisition unit is used for acquiring a first pre-shared key identifier from a first database based on the compressed information, wherein the first database comprises a mapping relation between preset compressed information and the pre-shared key identifier;

the second acquisition unit is used for checking the network connection request according to the first pre-shared key identification, and acquiring a second pre-shared key identification from a second database based on the terminal information when the checking fails, wherein the second database comprises a mapping relation between preset terminal information and the pre-shared key identification;

and the establishing unit is used for checking the network connection request according to the second pre-shared key identifier, and establishing network connection with the terminal when the checking is passed.

According to an aspect of the present application, there is also provided a network device, including a processor and a memory, where the memory stores a computer program, and when the processor invokes the computer program in the memory, any one of the network connection methods provided in the embodiments of the present application is executed.

According to an aspect of the present application, there is also provided a storage medium for storing a computer program loaded by a processor to perform any of the network connection methods provided by the embodiments of the present application.

The embodiment of the application can receive the network connection request carrying the terminal information sent by the terminal and perform compression mapping processing on the terminal information to obtain compressed information conforming to a preset data format; then, a first pre-shared key identifier can be obtained from a first database based on the compressed information, wherein the first database comprises a mapping relation between the pre-compressed information and the pre-shared key identifier; checking the network connection request according to the first pre-shared key identifier, and when the checking is not passed, acquiring a second pre-shared key identifier from a second database based on the terminal information, wherein the second database comprises a mapping relation between preset terminal information and the pre-shared key identifier; and checking the network connection request according to the second pre-shared key identifier, and establishing network connection with the terminal when the checking is passed. According to the scheme, the pre-shared key identification can be rapidly acquired from the first database storing the mapping relation between the pre-compressed information and the pre-shared key identification or from the second database storing the mapping relation between the pre-shared key identification, so that the network connection request is checked without traversing all pre-shared keys, the checking speed is improved, and the network connection efficiency is improved.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

Fig. 1 is a schematic view of a network connection system according to an embodiment of the present application;

fig. 2 is a schematic flow chart of a network connection method according to an embodiment of the present application;

FIG. 3 is a schematic diagram of acquiring PSKID based on a terminal MAC address according to an embodiment of the present application;

FIG. 4 is a schematic diagram of pre-shared key generation provided by an embodiment of the present application;

FIG. 5 is a schematic diagram of a second database store provided by an embodiment of the present application;

fig. 6 is another flow chart of a network connection method according to an embodiment of the present application;

fig. 7 is another flow chart of a network connection method according to an embodiment of the present application;

fig. 8 is a schematic diagram of a network connection device according to an embodiment of the present application;

fig. 9 is a schematic structural diagram of a network device according to an embodiment of the present application.

Detailed Description

The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.

The embodiment of the application provides a network connection method, a network connection device, network equipment and a storage medium.

Referring to fig. 1, fig. 1 is a schematic view of a scenario of a network connection system provided in an embodiment of the present application, where the network connection system may include a network connection device, where the network connection device may be specifically integrated in a network device 10, where the network device 10 may be a wireless network access point, a router, a server, etc., and the server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content distribution networks (Content Delivery Network, CDN), and big data and artificial intelligent platforms, etc., but is not limited thereto.

The network device 10 and the terminal 20 may be directly or indirectly connected through wired or wireless communication, which is not limited herein. The terminal 20 may be a cell phone, tablet computer, notebook computer, desktop computer, television, refrigerator, air conditioner, or wearable device, etc.

The network device 10 may be configured to receive a network connection request carrying terminal information sent by the terminal 20, and perform compression mapping processing on the terminal information to obtain compressed information that conforms to a predetermined data format. And then, acquiring a first pre-shared key identifier from the first database based on the compressed information, acquiring a first pre-shared key according to the first pre-shared key identifier, generating a first message integrity check code according to the first pre-shared key, and checking the network connection request according to the first message integrity check code. And when the verification fails, a second pre-shared key identifier can be obtained from a second database based on the terminal information, a second pre-shared key is obtained according to the second pre-shared key identifier, a second message integrity verification code is generated based on the second pre-shared key, and the network connection request is verified according to the second message integrity verification code. The network connection request is checked based on the second pre-shared key identification and when the check passes, a network connection with the terminal 20 may be established and the first database updated. For example, the network device 10 may return a network connection response to the terminal 20, and establish a network connection with the terminal 20 based on the network connection response. Therefore, the pre-shared key identification can be quickly acquired from the first database or the second database to generate the message integrity check code to check the network connection request, so that the check speed is improved, and the network connection efficiency is improved.

The specific implementation of each of the above operations may be referred to the following examples, and will not be described herein.

It should be noted that, the schematic view of the network connection system shown in fig. 1 is only an example, and the network connection system and the scenario described in the embodiments of the present application are for more clearly describing the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided in the embodiments of the present application, and those skilled in the art can know that, with the evolution of the network connection system and the appearance of a new service scenario, the technical solutions provided in the embodiments of the present application are equally applicable to similar technical problems.

The following will describe in detail. The following description of the embodiments is not intended to limit the preferred embodiments.

In the present embodiment, description will be made from the viewpoint of a network connection device, which may be integrated in a network apparatus in particular.

Referring to fig. 2, fig. 2 is a flow chart of a network connection method according to an embodiment of the present application. The network connection method may include:

s101, receiving a network connection request sent by a terminal, wherein the network connection request carries terminal information of the terminal.

The network connection request may carry terminal information of the terminal, and may also carry other information, where the terminal information may include a physical address (Media Access Control Address, MAC) of the terminal, a random number generated by the terminal, a message integrity check code (Message Integrity Code, MIC), and the like. Of course, the network connection request carries other information, and the specific content is not limited herein.

When the terminal needs to connect to the network, the network connection request sent by the terminal can be received, for example, the network connection request sent by the terminal can be directly received based on the response of the terminal to the connection operation, or the network connection request sent by the terminal can be directly received at fixed time, or the network connection request forwarded by the terminal through the transfer device can be received, and the transfer device can be flexibly set according to actual needs.

S102, carrying out compression mapping processing on the terminal information to obtain compressed information conforming to a preset data format.

The compression mapping processing mode and the predetermined data format can be flexibly set according to actual needs, for example, the compression mapping processing mode can include hash operation, compression operation and the like, and the predetermined data format can include decimal or binary data and the like. In order to compress the storage length of the terminal information to be shorter, the terminal information can be extracted from the network connection request, and compression mapping processing is performed on the terminal information to obtain compressed information conforming to a predetermined data format.

In an embodiment, the terminal information includes a physical address of the terminal, and performing compression mapping processing on the terminal information to obtain compressed information meeting a predetermined data format may include: performing hash operation on the physical address to obtain a hash value; and performing compression operation on the hash value to obtain compressed information conforming to a preset data format.

In order to improve convenience of compression mapping processing and reliability of compressed information acquisition, hash operation, compression operation and the like can be performed on a physical address of a terminal to obtain compressed information. Specifically, the physical address may be extracted from the terminal information, and the hash operation may be performed on the physical address. Since the performance of the central processing unit (central processing unit, CPU) of the network device may be relatively weak, the random access memory (Random Access Memory, RAM) space is small, so that a Hash Function (Hash Function) algorithm can be selected that is relatively simple to calculate and has a short Hash value length. For example, the cyclic redundancy algorithm (Cyclic redundancy check, CRC) algorithm, which is a HASH algorithm with simple implementation, is simple in calculation method and is very friendly to low-performance equipment. At this time, a HASH value (which may be referred to as HASH value) may be obtained by performing a HASH operation on the physical address using a CRC algorithm. Then, the hash value may be subjected to a compression operation to obtain compressed information conforming to a predetermined data format.

In an embodiment, performing a compression operation on the hash value to obtain compressed information that conforms to a predetermined data format may include: extracting a high preset bit number and a low preset bit number of the hash value; and carrying out logic operation on the high preset bit number and the low preset bit number to obtain compressed information conforming to a preset data format.

In order to improve the flexibility and accuracy of the acquisition, the hash value may be extracted by a preset number of bits and subjected to a logic operation, specifically, a high preset number of bits and a low preset number of bits of the hash value may be extracted, which may be flexibly set according to actual needs, for example, a high 16 number of bits and a low 16 number of bits of the hash value may be extracted, or a high 8 number of bits and a low 8 number of bits of the hash value may be extracted, and so on. Then, a logic operation may be performed on the high preset bit number and the low preset bit number to obtain compressed information conforming to a predetermined data format (for example, binary), where the logic operation may be flexibly set according to actual needs, for example, the logic operation may be an exclusive or operation, an and operation, a non-operation, a nand operation, a nor operation, or the like.

For example, a CRC-32 algorithm of CRC algorithms may be used, the number of bits of which may be 32 bits, the 32 bits may be indexed by 2 ³² Mapping relationship of = 4294967296 MAC addresses and pre-shared key identification (i.e. PSKID). If the PSKID corresponding to the indexed MAC address is stored using the 4Byte length int type requires 2 ³² X 4 byte=16 GB of memory space, which may be unacceptable for embedded devices with smaller RAM, and therefore the CRC-32 algorithm may exclusive-or the upper 16 bits and the lower 16 bits of the HASH value calculated based on the MAC address, as follows:

KEY＝CRC32(MAC)＞＞16⊕CRC32(MAC)&0xFFFF

wherein KEY may represent compressed information (which may also be referred to as a new HASH value),>>representing the right shift operation, the e may represent an exclusive or operation,&the new HASH value can be expressed and calculated, the new HASH value can be 16 bits in length and can be used as an index of the MAC address of the terminal to the PSKID, and the 16 bits can be indexed by 2 ¹⁶ Mapping relation of 65536 MAC addresses and PSKID. PSKID storing MAC index (i.e., compressed information) using int type of 4Byte length only needs 2 ¹⁶ X 4 byte=256 KB of memory space. For a single network device (i.e., AP), the number of active terminals is substantially impossible to break, and a HASH Table (HASH Table) of 64K is sufficient to be used, so that a HASH algorithm of 16bit length is suitable from the practical use situation and the hardware performance situation of the network device.

It should be noted that, in this embodiment, the HASH Table is a CRC32 algorithm, and other HASH algorithms may be adopted when performance and HASH length are considered during implementation, or implemented directly using other memory K-V databases, or using some relational databases with HASH caching mechanisms.

As shown in fig. 3, for example, the MAC address of the terminal to be connected is ec:87:95:ed:ab:48, a hash operation is performed on the MAC address to obtain a hash value, and the upper 16 bits and the lower 16 bits of the hash value are extracted to perform an exclusive-or operation, so that the compressed information KEY is 0, as follows:

key=crc 32 (ec: 87:95:ed: ab: 48) > 16 CRC32 (ec: 87:95:ed: ab: 48) &0 xffff=0 the first Pre-Shared KEY identification (i.e., PSKID) stored in the 0 th bit of the HASH Table (HASH Table) can be extracted from the first database (may be referred to as HASH Table Cache) to be 999, and then the first Pre-Shared KEY (PSK) corresponding to the PSKID can be read for verification (may also be referred to as verification), if the verification is passed, the verification indicates that the PSK used by the terminal connection is correct, and the authentication is completed.

It should be noted that if there is no caching mechanism in the first database, the 0 th bit to 998 th bit PSKID needs to be verified in turn, so as to obtain PSK corresponding to the PSKID, and the authentication can not be completed until the verification is completed to 999 bits PSK. If the terminal is not first connected, but the PSK corresponding to the PSKID obtained from the first database fails to verify, a HASH collision may occur in the first database, for example, KEYs of 38:6a:7c:09:18:e2 and ec:87:95:ed:ab:48 are all 0, so that the PSKID is also 999 when read from the HASH Table, but because PSK used by 38:6a:7c:09:18:e2 is different from PSK used by ec:87:95:ed:ab:48, authentication fails, and further PSKID needs to be acquired from the second database to complete authentication based on the PSKID corresponding to acquire the corresponding PSK.

7.8 collisions per 1000 different terminal dates can be calculated according to a collision calculation formula, wherein the collision calculation formula can be as follows:

C＝n-(k-ke ^-n/k )

where n may represent the number of HASH values and k may represent the table length of the HASH table.

S103, acquiring a first pre-shared key identification from a first database based on the compressed information.

The first database (may be referred to as HASH Table Cache, also may be referred to as HASH Cache, and may be referred to as HASH Cache) may include a mapping relationship between the preset compressed information and the pre-shared key identifier, where the mapping relationship may be stored in a HASH Table (HASH Table) or stored in another manner. The first database may be a data structure that is directly accessed based on a key value (e.g., a compressed hash value, i.e., compressed information), and the record is accessed by mapping the key value to a location in a table to increase the speed of the lookup, and this mapping function is called a hash function, and the array in which the record is stored is called a hash table (i.e., a hash table).

The preset compressed information may include compressed information obtained by performing compression mapping processing on the terminal information, the preset compressed information may include a plurality of compressed information, and the pre-shared key identifier may include a plurality of pre-shared key identifiers, for example, the pre-shared key identifier may include a first pre-shared key identifier, a second pre-shared key identifier, and the like. That is, the first database may include a plurality of mappings between compressed information and respective pre-shared key identifications, for example, a mapping between compressed information 1 and pre-shared key identification 1, a mapping between compressed information 2 and pre-shared key identification 2, a mapping between compressed information 3 and pre-shared key identification 3, and so on.

After the compressed information is obtained, the pre-shared key identifier corresponding to the compressed information can be queried from the first database based on the compressed information, and the first pre-shared key identifier is obtained.

In an embodiment, verifying the network connection request according to the first pre-shared key identification may include: acquiring a first pre-shared key from a third database according to the first pre-shared key identifier; generating a first message integrity check code according to the first pre-shared key; and checking the network connection request according to the first message integrity check code.

Wherein the third database may store a plurality of different mappings between pre-shared key identifications and pre-shared keys (PSK). The generation mode of the pre-shared key can be flexibly set according to actual needs, for example, the pre-shared key can be generated by deriving a key algorithm (Password-Based Key Derivation Function, PBKDF 2) through a pseudo-random function, the principle of the PBKDF2 can be as shown in fig. 4, the Password (Password) and the Salt value (Salt) can be derived into a key 1 through an HMAC algorithm, the derived key is then used as a new Salt value (Salt), the HMAC algorithm is reused, and finally the key is intercepted according to the required length. The Password may be a Password allocated to the user account of the terminal when the terminal registers the user account. For the PBKDF2 algorithm in WPA/WPA2-PSK authentication, the Password can be Passphrase (private key Password), the Salt can be a service set identifier (Service Set Identifier, SSID), key derivation can be performed according to the negotiated HMAC algorithm, the loop can be performed for 4096 times, and the final key length can be 32Byte. Thus if WPA/WPA2-PPSK is supported, the network device needs to derive multiple PSK's for subsequent use in authentication.

To improve the accuracy and reliability of the verification, the network connection request may be verified based on a message integrity check code (MIC). Specifically, after the first pre-shared key identifier is obtained, the pre-shared key corresponding to the first pre-shared key identifier may be queried from the third database according to the first pre-shared key identifier to obtain the first pre-shared key.

It should be noted that, when the first database stores a plurality of different pre-shared key identifiers and mapping relations between the pre-shared keys, after the first pre-shared key identifier is obtained, the first pre-shared key may be obtained from the first database according to the first pre-shared key identifier.

After the first pre-shared key is obtained, a first message integrity check code may be generated from the first pre-shared key.

In an embodiment, the terminal information includes a physical address of the terminal and a terminal random number generated by the terminal, and generating the first message integrity check code according to the first pre-shared key may include: acquiring a routing address and a routing random number; generating a first pairing temporary key based on the first pre-shared key, the physical address, the terminal random number, the routing address and the routing random number; a first message integrity check code is generated from the first pairwise temporal key.

In order to improve the accuracy and flexibility of the first message integrity check code generation, the routing address (i.e. the MAC address of the network device) and the routing random number (i.e. the random number generated by the network device may be referred to as SNonce) of the network device may be obtained, and since the received network connection request may include the MAC address carrying the terminal and the terminal random number (i.e. the random number generated by the terminal may be referred to as ANonce), the first pairing temporary key may be generated based on the first pre-shared key, the physical address, the terminal random number, the routing address, the routing random number, and the like. The terminal random number and the network device random number can be flexibly set according to actual needs, and the specific generation mode is not limited here.

For example, the first pairwise temporary key PTK may be generated by a Pseudo-random Function (PRF) based on a preset string (e.g., a pairing key string), a first pre-shared key, a physical address, a terminal random number, a routing address, a routing random number, etc., which may be flexibly set according to actual needs, for example, may be generated based on the WPA protocol, where the PRF algorithm may be as follows:

PTK＝PRF-X(PSK,"Pairwisekeyexpansion"||Min(AA,SPA)||Max(AA,SPA)||Min(ANonce,SNonce)||Max(ANonce,SNonce))

Wherein, the PTK may represent a first pairing temporary key, the PRF may represent a pseudo random function algorithm, the PAK may represent a first pre-shared key, the pair keyxpansion may represent a preset string, the AA may represent a MAC address of the terminal, the SPA may represent a MAC address of the network device, the ANonce may represent a random number generated by the terminal, and the SNonce may represent a random number generated by the network device.

The generated PTKs may include validation keys (Key Confirmation Key, KCK), encryption keys (Key Encryption Key, KEK), temporary encryption keys (Temporal Encryption Key, TEK), MIC keys (TMK) used in the temporary Key integrity protocol (Temporal Key Integrity Protocol, TKIP), and the like.

After obtaining the first pairwise transient key, a first message integrity check code (MIC) may be generated from the first pairwise transient key.

In an embodiment, generating the first message integrity check code from the first pairwise transient key may include: extracting a first validation key from the first pairing temporary key; and calculating the first confirmation key, the physical address and the terminal random number through a message digest algorithm to obtain a first message integrity check code.

In order to improve the accuracy and reliability of the first message integrity check code generation, a first confirmation key (KCK) may be extracted from the first Pairwise Temporary Key (PTK), and then the first confirmation key, the physical address, and the terminal random number may be operated by a message digest algorithm to obtain a first message integrity check code (MIC). For example, the MIC generation formula may be as follows:

MIC＝HMAC(KCK,msg)

where MIC may represent a first message integrity check code, HMAC may represent a message digest algorithm, KCK may represent a first acknowledgement key, msg may include a MAC address of the terminal and a terminal-generated random number, etc.

After the first message integrity check code is obtained, the network connection request can be checked according to the first message integrity check code, for example, the calculated first message integrity check code can be compared with the message integrity check code carried in the network connection request, and if the calculated first message integrity check code is not matched with the message integrity check code carried in the network connection request, the network connection request is determined to be checked to be failed. And if the calculated first message integrity check code is matched with the message integrity check code carried in the network connection request, determining that the network connection request is checked to pass.

When the network connection request is checked to pass according to the first message integrity check code, WPA/WPA2-PSK authentication is completed, network connection can be established between the network equipment and the terminal, and data transmission can be performed between the network equipment and the terminal. The method comprises the steps of calculating a corresponding HASH value through a MAC address carried in a network connection request, reading PSKID from a first database HASH Cache according to the HASH value, acquiring PSK based on the PSKID, generating MIC by PSK for verification, and if verification is passed, finishing authentication and establishing network connection with a terminal.

And S104, checking the network connection request according to the first pre-shared key identification, and acquiring a second pre-shared key identification from a second database based on the terminal information when the checking is not passed.

The terminal information may include a MAC address of the terminal, the preset terminal information may include terminal information of the terminal that sends the network connection request, and the pre-shared key identifier may include a first pre-shared key identifier, a second pre-shared key identifier, and the like. The second database (may be referred to as B-Tree Cache or btreecache) may include a mapping relationship between preset terminal information and a pre-shared key identifier, and a storage manner of the mapping relationship in the second database may be flexibly set according to actual needs, for example, the mapping relationship may be stored in a Tree structure in the second database. The second database may store a plurality of mappings between different preset terminal information and the pre-shared key identifier, for example, a mapping between the terminal information 1 and the pre-shared key identifier 1, a mapping between the terminal information 2 and the pre-shared key identifier 2, a mapping between the terminal information 3 and the pre-shared key identifier 3, and so on.

When the network connection request is not checked to pass according to the first message integrity check code, the network connection request is determined to be checked to pass according to the first pre-shared key identification, and at the moment, a second pre-shared key identification can be acquired from a second database based on the terminal information.

In an embodiment, the terminal information includes a physical address, the second database includes a tree structure, the tree structure includes at least one layer of storage space, the storage space stores values and identifiers, and obtaining the second pre-shared key identifier in the second database based on the terminal information may include: converting the data format of the physical address to obtain a target value conforming to the target data format; matching the target value with the value stored in the storage space in the tree structure based on a predetermined hierarchical order; when a storage space successfully matched with the target numerical value exists, acquiring an identifier stored in the matched storage space; and determining a second pre-shared key identification according to the identification stored in the storage space.

In order to improve the flexibility of the second database storage and improve the convenience and efficiency of querying the second pre-shared key identifier in the second database, the second database may be stored in a Tree structure, that is, the second database may include a Tree structure, the Tree structure may multiplex a B Tree (B-Tree) in a Tree, and the use of the B-Tree structure may significantly reduce intermediate processes undergone in locating the record, thereby improving the access speed, and the Tree structure may include at least one layer of storage space, where the storage space may store information such as a value and an identifier, where the second database may be referred to as a B-Tree Cache.

In the process of inquiring the second pre-shared key identification in the second database, firstly, the MAC address of the terminal can be extracted from the network connection request, the MAC address is subjected to data format conversion to obtain a target numerical value conforming to a target data format, the target data format can be flexibly set according to actual needs, and for example, the target data format can be decimal, binary or the like. The target values may then be matched with the values stored in the memory space in the tree structure based on a predetermined hierarchical order, which may be flexibly set according to actual needs, e.g. the predetermined hierarchical order may be set to match from the first level to the last level. For example, the target value may be matched in a first layer of storage space of the tree structure, and when the target value is not matched in the first layer of storage space, the target pointer is determined according to the size of the target value, and the target value is matched in a second layer of storage space of the tree structure according to the pointing direction of the target pointer, so as to perform multi-path searching until the target value is matched or the tree structure is traversed.

When the values stored in the storage space are not matched with the target values after all the levels are searched, the fact that the second pre-shared secret key matched with the MAC address of the terminal cannot be found in the second database is indicated, and the pre-shared secret key in the third database can be traversed to check later. When the numerical value stored in the storage space successfully matched with the target numerical value exists, the identification stored correspondingly in the matched storage space can be obtained, so that the second pre-shared key identification can be determined according to the identification stored in the storage space. The identifier may be flexibly set according to actual needs, for example, the identifier stored in the storage space corresponding to the identifier may be used as the second pre-shared key identifier, or operations such as conversion or processing may be performed on the identifier stored in the storage space corresponding to the identifier, so as to obtain the second pre-shared key identifier.

As will be described in detail below, as shown in fig. 5, in order to solve the problem that the first database HASH Table Cache of the first layer needs to traverse all PSK to complete authentication due to HASH collision, the second database of the second layer may be solved by using B-Tree directly using the MAC address as an index. In fig. 5, the second database may be a layer 3B-Tree storing 22 pieces of MAC-PSKID buffer information.

For example, a terminal with a MAC address of 00:00:00:00:00:63 may enter a second database B-Tree Cache for query due to failure of PSKID verification retrieved from the first database for some reason. Converting the MAC address 00:00:00:00:00:63 into 10 scale to obtain a target value of 99, searching a storage space of the first layer for a value matched with 99, wherein 17 and 35 are stored in the storage space of the first layer, so that the corresponding MAC address (99 +.17 or 35) is not matched in the first layer of the B-Tree, and the pointer P3 can enter the second layer of the B-Tree along the first layer because of the fact that the target value is 99. Similarly 99+.65 or 87 and 99>87, so proceed along the second layer pointer p3 into the third layer of the B-Tree. At this time, a match to 99 was made in the third pass, and 6 passes were made. The stored PSKID may be extracted from the data of the 99 corresponding memory space to obtain PSK for verification based on the PSKID.

It should be noted that the time complexity of the B-Tree is O (log N), and is affected by the buffer number, such as a three-way B-Tree storing 10000 mapping relations between MAC addresses and PSKID, with depth of

The worst comparison times are as follows18 times. Because the time required by B-Tree query and comparison is far less than one complete PSK traversal verification, and almost all terminals can directly hit PSKID stored in the first database HASH Table Cache, the combination of the first database and the second database can effectively reduce authentication time. In addition, the B-Tree adopted by the second database can be realized in the memory by itself or by using other databases with B-Tree structures.

In an embodiment, the terminal information includes a physical address of the terminal and a terminal random number generated by the terminal, and verifying the network connection request according to the second pre-shared key identifier may include: acquiring a routing address and a routing random number; acquiring a second pre-shared key from a third database according to the second pre-shared key identifier; generating a second pairwise temporary key based on the second pre-shared key, the physical address, the terminal random number, the routing address, and the routing random number; generating a second message integrity check code according to the second pairwise temporary key; and checking the network connection request according to the second message integrity check code.

Wherein the third database may store a plurality of different mappings between pre-shared key identifications and pre-shared keys (PSK). To improve the accuracy and reliability of the verification, the network connection request may be verified based on a message integrity check code (MIC). Specifically, after the second pre-shared key identifier is obtained, the pre-shared key corresponding to the second pre-shared key identifier may be queried from the third database according to the second pre-shared key identifier to obtain the second pre-shared key. After the second pre-shared key is obtained, a second message integrity check code may be generated from the second pre-shared key.

It should be noted that, when the second database stores a plurality of different pre-shared key identifiers and mapping relations between the pre-shared keys, after the second pre-shared key identifier is obtained, the second pre-shared key may be obtained from the second database according to the second pre-shared key identifier.

In order to improve the accuracy and flexibility of the second message integrity check code generation, the routing address (i.e. the MAC address of the network device) and the routing random number (i.e. the random number generated by the network device) of the network device may be obtained, and since the received network connection request may include the MAC address of the terminal and the terminal random number (i.e. the random number generated by the terminal), the second pairwise temporary key may be generated based on the second pre-shared key, the physical address, the terminal random number, the routing address, the routing random number, and the like. The terminal random number and the network device random number can be flexibly set according to actual needs, and the specific generation mode is not limited here.

For example, the second pairwise temporary key PTK may be generated by a Pseudo-random Function (PRF) based on a preset string (e.g., a pairing string), a second pre-shared key, a physical address, a terminal random number, a routing address, a routing random number, etc., which may be flexibly set according to actual needs, for example, may be generated based on the WPA protocol. After obtaining the second pairwise transient key, a second message integrity check code (MIC) may be generated from the second pairwise transient key.

In order to improve the accuracy and reliability of the second message integrity check code generation, a second confirmation key (KCK) may be extracted from the second Pairwise Temporary Key (PTK), and then the second confirmation key, the physical address, and the terminal random number may be operated by a message digest algorithm to obtain a second message integrity check code (MIC).

After the second message integrity check code is obtained, the network connection request can be checked according to the second message integrity check code, for example, the calculated second message integrity check code can be compared with the message integrity check code carried in the network connection request, and if the calculated second message integrity check code is not matched with the message integrity check code carried in the network connection request, the network connection request is determined to be checked to be failed. And if the calculated second message integrity check code is matched with the message integrity check code carried in the network connection request, determining that the network connection request is checked to pass.

S105, checking the network connection request according to the second pre-shared key identification, and establishing network connection with the terminal when the checking is passed.

When the network connection request is checked and passed according to the second message integrity check code, the network connection request is checked and passed according to the second pre-shared key identification, and WPA/WPA2-PSK authentication is completed at this time, the network equipment can establish network connection with the terminal, and data transmission can be performed between the network equipment and the terminal.

In an embodiment, the network connection request is verified according to the second pre-shared key identifier, and when the verification passes, after establishing the network connection with the terminal, the network connection method may further include: establishing a target mapping relation between the second pre-shared key identification and the compressed information; and updating the first database according to the target mapping relation.

In order to update the first database in time, so that the data stored in the first database is more accurate and comprehensive, after the network connection request is checked and passed according to the second pre-shared key identifier, and the network connection is established between the network device and the terminal, a target mapping relationship between the second pre-shared key identifier (PSKID) and the compressed information (for example, a 16-bit hash value) may be established, and the target mapping relationship is written into the first database, and the first database is updated in time.

According to the first database queried at the first layer of the embodiment, the Hash algorithm is adopted to realize the quick hit of the O (1) level, the second database queried at the second layer adopts the B tree storage scheme to realize the quick hit of the O (log N) level, so that performance loss caused by the Hash conflict at the first layer can be avoided, the connection performance of the terminal after the first connection is basically consistent with that of single PSK matching is finally realized, and the time of connection authentication is greatly saved. By adopting HASH Table and B-Tree to carry out multistage cache on the MAC address and PSK of the terminal which is successfully connected, PSK hit efficiency can be effectively improved, authentication time is saved to the greatest extent, and authentication speed which is almost consistent with WPA/WPA2-PPSK and WPA-PSK authentication can be realized for the connected terminal, so that WPA/WPA2-PPSK can be realized in a pure AP wireless network system without central AC. For example, WPA/WPA2-PPSK authentication can be realized in wireless network systems such as cloud AP and the like without center AC or with low configuration AC, so that the cost of purchasing an AC controller is saved, and cloud AP products adopting the WPA/WPA2-PPSK scheme are more attractive compared with the traditional 802.11X scheme needing to deploy a Radius authentication server.

In an embodiment, the network connection method may further include: when the network connection request is not checked according to the second pre-shared key identification, traversing the pre-shared keys in the third database in sequence, and generating a message integrity check code according to the pre-shared keys; checking the network connection request according to the message integrity check code; when the verification passes, establishing network connection with the terminal, and updating the first database and the second database based on the verified message integrity verification code.

In order to improve the reliability of verification, when the network connection request is not verified according to the second pre-shared key identifier, a PSK verification error indicating that the first database and the second database are both missed or hit is indicated, and all PSK in the third database needs to be traversed for verification. Specifically, the pre-shared key PSK in the third database may be traversed sequentially, and the message integrity check code MIC is generated according to the pre-shared key PSK in the above manner, and the network connection request is checked according to the message integrity check code MIC. When the network connection request is checked and passed according to the message integrity check code MIC, the terminal is indicated to be in first connection or PSK is replaced by the terminal, the original PSK is already revoked, at this time, the first database HASH Table Cache and the second database B-Tree Cache can be updated, so that the authentication speed can be directly hit and accelerated after the next connection, for example, PSKID corresponding to the PSK which passes the check can be obtained from a third database, the mapping relation between the PSKID and compressed information of the terminal is established, the mapping relation between the PSKID and the MAC of the terminal is established, the first database is updated based on the mapping relation between the PSKID and the compressed information of the terminal, and the second database is updated based on the mapping relation between the PSKID and the MAC of the terminal. When the network connection request is verified according to the message integrity check code MIC, the network device may establish a network connection with the terminal. And when the network connection request is not verified according to the message integrity verification code MIC, indicating that the PSK used by the terminal is wrong, and the network connection of the terminal fails.

In an embodiment, traversing the pre-shared secret keys in the third database in turn, generating a message integrity check code according to each pre-shared secret key, and checking the network connection request according to the message integrity check code may include: sending a network connection request to a server; traversing the pre-shared secret key in the third database in sequence through the server, generating a message integrity check code according to the pre-shared secret key, and comparing the message integrity check code with a target message integrity check code in the network connection request; and when the message integrity check code is matched with the target message integrity check code, receiving a check passing message returned by the server.

In order to improve the verification efficiency, the verification can be performed through a server with better performance, and the server can be pre-stored with a third database, so that the third database does not need to be stored on the network equipment, and the storage space of the network equipment is saved. When the third database needs to be traversed for verification, the network device can send a network connection request to the server, so that the server can sequentially traverse the pre-shared secret key in the third database, generate a message integrity check code according to the pre-shared secret key, and compare the message integrity check code with a target message integrity check code in the network connection request. When the message integrity check code is matched with the target message integrity check code, the check passing message returned by the server is received, and network connection can be established with the terminal based on the check passing message. When the message integrity check code is not matched with the target message integrity check code, the check returned by the receiving server does not pass the message.

It should be noted that, the server may store the first database, the second database, the third database, and the like in advance, when receiving the network connection request for transmission, the network device may directly send the network connection request to the server, so that the server may perform compression mapping processing on terminal information of the terminal carried in the network connection request to obtain compressed information conforming to the predetermined data format, and obtain the first pre-shared key identifier from the first database based on the compressed information; when the network connection request is checked to pass according to the first pre-shared key identification, establishing network connection with the terminal; checking the network connection request according to the first pre-shared key identifier, and acquiring a second pre-shared key identifier from a second database based on terminal information when the checking fails; checking the network connection request according to the second pre-shared key identifier, establishing network connection with the terminal when the checking is passed, and updating the first database; when the network connection request is not checked according to the second pre-shared key identification, traversing the pre-shared key in the third database in sequence, and checking the network connection request; when the verification passes, establishing network connection with the terminal, and updating the first database and the second database based on the message integrity verification code passing the verification; when the verification fails, the network connection with the terminal fails.

And in order to realize the sharing of a plurality of network devices, after the server completes authentication (namely verification), the terminal information and the used PSK information can be returned to the plurality of network devices which are responsible for authentication and management by the server, so that the plurality of network devices can update the stored Hash Cache, BTreecache and the like, different network devices can share the Hash Cache, the BTreecache and the like, and therefore after the terminal completes connection from one network device, the terminal can directly use the Hash Cache or the BTreecache to complete authentication when being connected with other network devices, and the authentication process of traversing a third database is avoided.

The method described in the above embodiments is described in further detail below by way of example.

In this embodiment, as an example, a network connection device is integrated in a network device, please refer to fig. 6, and fig. 6 is a flow chart of a network connection method provided in the embodiment of the present application. The method flow may include:

s201, the terminal generates a terminal random number.

S202, the network equipment generates a route random number.

In the process that the terminal accesses the network, the terminal can scan the network and send a routing request to the network equipment after the network is scanned, the network equipment returns a supported encryption algorithm to the terminal based on the routing request, the terminal sends an authentication request to the network equipment based on the encryption algorithm, the network equipment returns an open network to the terminal based on the authentication request, the terminal sends a self-supported security key to the network equipment based on the open network, and the network equipment sends a connection establishment request to the terminal based on the security key so as to facilitate the terminal to establish network connection. The network device may respond to the Probe Response (Probe Response) and the connection request initiated by the terminal (Association Request) including the connection mode and the encryption mode supported by the network device and the terminal, and after the two parties obtain the connection mode and the encryption mode supported by the peer and complete the connection, the WPA/WPA2-PSK authentication process may begin, where the WPA/WPA2-PSK authentication may include four handshakes.

The terminal and the network device first generate a pre-shared key (i.e., PSK) from the assigned secret (i.e., passphrase), which PSK is to be used as a pairwise master key (i.e., PMK) in the authentication process of the WPA/WPA 2-PSK. And the terminal and the network device each need to generate a random number, i.e. the terminal generates a terminal random number (i.e. SNonce), and the network device generates a routing random number ANonce.

It should be noted that the execution sequence of the step S201 and the step S202 may be flexibly set according to actual needs, for example, the step S201 may be executed first and then the step S202 may be executed, the step S202 may be executed first and then the step S201 may be executed, or the step S201 and the step S202 may be executed simultaneously.

And S203, the network equipment sends the route random number to the terminal.

After the preparation is completed, the network device (may be called an Authenticator) initiates a first handshake (sends a handshake packet EAPol Key to the terminal) and unicasts a routing random number ANonce to the terminal (may be called a Supplicant).

S204, the terminal generates a PTK based on the route random number and generates an MIC based on the PTK.

After receiving the ANonce, the terminal generates a PTK (i.e. a pairwise temporary key) by using a PRF algorithm, which may be consistent with the foregoing, and is not described herein. MIC may be generated based on the PTK in the manner described above, i.e., the MIC generation formula may be consistent with the above.

S205, the terminal sends a network connection request carrying the terminal random number, the MAC address and the MIC to the network equipment.

After the PTK is generated, the terminal initiates a second handshake, the random number SNonce generated by the terminal is sent to the network equipment, the sent message is encrypted by using the KCK, and the network equipment is sent together as the MIC, namely, the terminal sends a network connection request carrying the random number of the terminal, the MAC address and the MIC to the network equipment.

S206, the network equipment processes the MAC address of the terminal to obtain a compressed HASH value.

As shown in fig. 7, the network device extracts the MAC address of the terminal from the network connection request, calculates the HASH value based on the MAC address, for example, calculates the MAC address by using the CRC32 algorithm to obtain the HASH value, and then extracts the upper 16 bits and the lower 16 bits of the HASH value to perform the exclusive-or operation to obtain the compressed HASH value.

S207, the network equipment acquires PSKID from the first database HASH Cache based on the compressed HASH value, acquires PSK from the third database based on the PSKID, and generates MIC based on PSK.

After the network device receives the second handshake, the network device obtains the MAC addresses of the two parties and the generated random number, and generates the PTK (i.e., the pairwise temporary key) by using the negotiated encryption algorithm. And performing MIC verification on the EAPol Key of the received handshake packet by using KCK, and if the calculated MIC is consistent with the received MIC, indicating that the authentication is passed.

For example, as shown in fig. 7, the network device obtains a PSKID from the HASH Cache of the first database based on the compressed HASH value, obtains PSK from the third database based on the PSKID, generates a PTK based on a preset string (e.g., a pairing string), PSK, a MAC address of the terminal, a terminal random number, a MAC address of the network device, a routing random number, etc., extracts KCK from the PTK, and generates a MIC based on KCK through a message digest algorithm.

S208, the network equipment performs MIC verification.

After the MIC is obtained, the network connection request may be verified according to the MIC, for example, the calculated MIC may be compared with the MIC carried in the network connection request, and if the calculated MIC is not matched with the MIC carried in the network connection request, it is determined that the verification of the network connection request is not passed. And if the calculated MIC is matched with the MIC carried in the network connection request, determining that the network connection request is checked to pass.

And S209, when the verification fails, the network equipment acquires PSKID from the Btree Cache of the second database based on the MAC address, acquires PSK from the third database based on the PSKID, and generates MIC based on PSK.

When the network connection request is checked and passed according to the MIC, WPA/WPA2-PSK authentication is completed, the network equipment can establish network connection with the terminal, and data transmission can be performed between the network equipment and the terminal.

When the network connection request is not verified according to the MIC, as shown in fig. 7, the network device obtains the PSKID from the second database btreecache based on the MAC address, for example, the MAC address may be subjected to data format conversion to obtain a decimal target value, and the target value is matched with a storage value of a storage space in a tree structure of the second database based on a predetermined hierarchical order; and when the storage space successfully matched with the target value exists, acquiring the identification stored in the matched storage space, obtaining PSKID, and acquiring PSK from a third database based on the PSKID. At this time, the PTK may be generated based on a preset string (e.g., a pair string), PSK, a MAC address of a terminal, a terminal random number, a MAC address of a network device, a routing random number, etc. through a pseudo-random function algorithm, the KCK may be extracted from the PTK, and the MIC may be generated based on the KCK through a message digest algorithm.

S210, the network equipment performs MIC verification.

And S211, when the verification fails, the network equipment traverses PSK in the third database to generate MIC, and verifies the MIC.

As shown in fig. 7, when the network connection request is verified according to the MIC, WPA/WPA2-PSK authentication is completed, the network device may establish a network connection with the terminal, and update the first database, at which time data transmission may be performed between the network device and the terminal.

And when the verification of the network connection request according to the MIC is not passed, the network equipment traverses PSK in the third database to generate the MIC, and the verification of the network connection request is carried out based on the MIC.

And S212, when the verification is passed, the network equipment updates the first database and the second database.

As shown in fig. 7, when the verification of the network connection request according to the MIC fails, the network connection fails. When the network connection request is verified according to the MIC, the network device may establish a network connection with the terminal and update the first database and the second database.

S213, the network equipment sends a verification passing message carrying the PTK and the GTK to the terminal.

S214, the terminal installs the PTK and the GTK.

The network device encrypts the GTK by using the KEK, generates the MIC by using the KCK and sends the MIC to the terminal to complete the third handshake. After receiving the EAPol Key of the third handshake packet, the terminal uses the KCK to check the MIC, uses the KEK to decrypt the GTK, and installs the PTK and the GTK.

S215, the terminal sends an acknowledgement frame to the network equipment.

After the installation is completed, the terminal replies a network device confirmation frame to complete the fourth handshake.

S216, the network equipment installs the PTK.

S217, data transmission is carried out between the network equipment and the terminal.

After the network device receives the acknowledgement frame, the PTK is installed. And opening a data port to allow the data frame to pass, finishing WPA/WPA2-PSK authentication, and starting data transmission by both the network equipment and the terminal.

In the foregoing embodiments, the descriptions of the embodiments are focused on, and the portions of a certain embodiment that are not described in detail may be referred to the detailed description of the network connection method above, which is not repeated herein.

Compared with the WPA/WPA2-PSK mode, the WPA/WPA2-PPSK can allocate an independent PSK key for each user, and only the terminal supports the WPA-PSK, no extra modification is needed during connection, and user safety is greatly improved. Enterprises need not purchase Radius servers that support 802.11X authentication for security of wireless network systems. Moreover, WPA/WPA2-PPSK authentication can be realized in wireless network systems such as cloud AP and the like without center AC or with low configuration AC, so that the cost of purchasing an AC controller is saved, and cloud AP products adopting the WPA/WPA2-PPSK scheme are more attractive compared with the traditional 802.11X scheme requiring deployment of a Radius authentication server.

The WPA/WPA2-PPSK connection mode is not different from the traditional WPA/WPA2-PSK authentication mode for network equipment, so that all the equipment supporting the WPA/WPA2-PSK can be connected with a server supporting the WPA/WPA-PPPSK authentication. Because each user account is assigned with a password, PSK is unique, and WPA/WPA2-PPSK does not bring any performance consumption to the terminal.

The authentication logic of WPA/WPA2-PSK and WPA/WPA2-PPSK is basically consistent for network devices, and two parts of the second handshake before the handshake of WPA/WPA2-PSK and the receipt are mainly modified. Conventional WPA/WPA2-PSK stores only a single secret code in the network device, which only needs to be assigned PSK before handshaking. In WPA/WPA2-PPSK, each user is assigned a secret code, and the network device needs to derive all secret codes as PSK.

Because the WPA/WPA2-PPSK is one-person-secret, the method is mainly applied to enterprise networks like an 802.11X authentication scheme, a separate key is allocated to each authorized user account, and the key of each authorized user can be used at a limited station terminal. Therefore, the terminals connected to the wireless network are basically fixed, the addition of new terminals does not occur frequently, and once the new terminals are added to the network, the terminals are connected for a plurality of times afterwards. According to the locality principle, the overall connection speed can be effectively improved by optimizing the subsequent connection of the connected terminals in the network.

In order to protect the security of connection and the privacy of a terminal, the information which can distinguish the terminal and is obtained by a network equipment side in the handshake process only has an MAC address, so that the MAC address of the terminal which is connected with the terminal is mapped with the PSK used by the terminal, and a MAC-PSK Cache scheme is designed. The MAC-PSK Cache scheme adopts a layering idea, and the mapping relation between the MAC and the PSK is stored by combining HASH Table and B-Tree. When the terminal is connected, the network device sequentially inquires whether PSK (pre-shared key) information used by the last connection exists in the HASH Table and the B-Tree according to the MAC address of the terminal. If so, firstly verifying whether the PSK is correct, avoiding traversing to verify all PSK, and accelerating the authentication speed.

By adopting the HASH Table as the storage mode of the data in the first database, the time complexity is O (1), the query speed is not influenced by the number of the MAC addresses of the cached terminals, and the hit speed of the first database is not reduced after a large number of terminals are accessed. But HASH Table has the problem of HASH collision, that is, different MAC addresses may obtain the same Key value through HASH, resulting in hit PSK errors.

In order to solve the HASH collision problem existing in the first database, the second database uses a B-Tree to save the mapping relation between the terminal MAC address and PSK (or PSKID). Although the time complexity of the B-Tree is O (log n), the query speed is affected by the number of caches, since the query time of the B-Tree is far less than the time taken to traverse all PSK, generate the PTK, and check the MIC, even if the HASH collision occurs in the first layer, hit and authentication can be completed quickly.

By combining HASH Table and B-Tree, PSK key hit efficiency can be effectively improved, and authentication time is saved to the greatest extent. Besides, the B-Tree can realize persistence by using a database such as SQLite, and the problem of cache loss of the AP equipment after restarting is solved.

If the first database and the second database are both missed or hit PSK verification errors occur, then all PSK needs to be traversed for authentication. If the final authentication passes through the explanation that the terminal is connected for the first time or the user changes PSK, the original PSK is revoked, and the HASH Table Cache and the B-Tree Cache are updated at the moment, so that the next connection can be directly hit to accelerate the authentication speed. And if the final authentication fails, indicating that the PSK used by the terminal is wrong.

According to the embodiment, the HASH Table and the B-Tree are adopted to carry out multi-level cache on the MAC address and PSK (or PSKID) of the terminal which is successfully connected, so that the authentication speed of WPA/WPA2-PPSK and WPA-PSK authentication is almost consistent for the connected terminal, and the WPA/WPA2-PPSK can be realized in a pure AP wireless network system without a central AC.

Aiming at the problem that PPSK is difficult to realize by a low-performance AP, a secret key used when the terminal is connected is cached in a grading way, the first layer adopts a Hash algorithm to realize the quick hit of an O (1) level, the second layer adopts a B-tree storage scheme to realize the quick hit of an O (log N) level, so that performance loss caused by the Hash conflict of the first layer is avoided, the connection performance of the terminal after the first connection is basically consistent with that of a single PSK is finally realized, the connection authentication time is greatly saved, and the low-performance AP can support WPA/WPA2-PPSK authentication in a wireless network system without a central AC.

Taking an AP (i.e. network device) using a 560MHz single core MIPS CPU as an example, authentication takes time without a cache mechanism as shown in table 1.

TABLE 1 time consuming corresponding to AP in case of different data PSK

Time/quantity	10PSK	150PSK	300PSK	1000PSK
					Worst time (ms)	2.5	34.0	67.1	226.0
Average time (ms)	1.25	17.0	33.6	113.0

Considering the problem of AP cache persistence, the B-Tree is realized by SQLite. The authentication performance of reading PSK under 10000 terminals of the inspection sheet AP buffer is shown in table 2. Considering the problem of AP restarting cache loss, the B-Tree cache is realized by using SQLite in the test.

Table 2. Read PSK complete authentication performance under ap cache 10000 terminals

Time/cache	HASH Cache	B-Tree (Cold reading)
			Average time (ms)	0.8	7.0

In the extreme case of 10000 terminals, all connections are made, according to the HASH collision calculation formula, 10000 HASH collisions 742.1 times, where C represents the number of collisions.

The 64000 represents the capacity of the HASH Cache, and since the generated HASH value may be 16 bits in length, the capacity of the HASH Cache may be 2ζ6=65536, that is, 64K, which is 64000 for easy calculation. 92.5% of terminals hit the HASH cache, the average authentication time is 0.8ms,7.5% of terminals need to read from the B-Tree due to HASH collision, the average authentication time is 7ms, and the final average time is 1.265ms.

T(10000)＝92.5％×0.8+7.5％×7.0＝1.265

Since PPSK needs to allocate a key to each user, 1 PSK can be allocated to 10 terminals for use, that is, 1000PSK supports 10000 terminals, so that the terminals connected to the AP are also basically fixed, and it can be assumed that 80% of the terminals are connected, and at this time, the average connection time is:

t (80% connected) =1.265×80++113×20% = 23.612

Wherein, 113 represents the average use of 1000PSK in table 1, it can be seen that the adoption of the multi-layer buffer mode can very quickly complete hit PSK even under the extreme condition of 10000 terminals, so that WPA/WPA2-PSK can be effectively deployed in a pure AP wireless network system without a central AC.

In order to facilitate better implementation of the network connection method provided by the embodiment of the application, the embodiment of the application also provides a device based on the network connection method. Where the meaning of a noun is the same as in the network connection method described above, specific implementation details may be referred to in the description of the method embodiment.

Referring to fig. 8, fig. 8 is a schematic structural diagram of a network connection device according to an embodiment of the present application, where the network connection device may include a receiving unit 301, a processing unit 302, a first obtaining unit 303, a second obtaining unit 304, an establishing unit 305, and so on.

The receiving unit 301 is configured to receive a network connection request sent by a terminal, where the network connection request carries terminal information of the terminal.

And the processing unit 302 is configured to perform compression mapping processing on the terminal information to obtain compressed information that accords with a predetermined data format.

The first obtaining unit 303 is configured to obtain a first pre-shared key identifier from a first database based on the compressed information, where the first database includes a mapping relationship between the pre-compressed information and the pre-shared key identifier.

The second obtaining unit 304 is configured to verify the network connection request according to the first pre-shared key identifier, and when the verification fails, obtain a second pre-shared key identifier in a second database based on the terminal information, where the second database includes a mapping relationship between preset terminal information and the pre-shared key identifier.

And the establishing unit 305 is configured to verify the network connection request according to the second pre-shared key identifier, and establish a network connection with the terminal when the verification passes.

In an embodiment, the processing unit 302 may include:

the hash operation subunit is used for carrying out hash operation on the physical address to obtain a hash value;

and the compression mapping operation subunit is used for carrying out compression operation on the hash value to obtain compressed information conforming to a preset data format.

In an embodiment, the compression map operator subunit may be specifically configured to: extracting a high preset bit number and a low preset bit number of the hash value; and carrying out logic operation on the high preset bit number and the low preset bit number to obtain compressed information conforming to a preset data format.

In an embodiment, the network connection device may further include:

a third obtaining unit, configured to obtain a first pre-shared key from a third database according to the first pre-shared key identifier;

a first generating unit, configured to generate a first message integrity check code according to a first pre-shared key;

and the first verification unit is used for verifying the network connection request according to the first message integrity verification code.

In an embodiment, the terminal information includes a physical address of the terminal and a terminal random number generated by the terminal, and the generating unit may include:

the acquisition subunit is used for acquiring the routing address and the routing random number;

a first generation subunit configured to generate a first pairing temporary key based on the first pre-shared key, the physical address, the terminal random number, the routing address, and the routing random number;

a second generation subunit, configured to generate a first message integrity check code according to the first pairing temporary key.

In one embodiment, the second generating subunit is specifically configured to: extracting a first validation key from the first pairing temporary key; and calculating the first confirmation key, the physical address and the terminal random number through a message digest algorithm to obtain a first message integrity check code.

In an embodiment, the terminal information includes a physical address, the second database includes a tree structure, the tree structure includes at least one layer of storage space, the storage space stores a value and an identifier, and the second obtaining unit 304 is specifically configured to: converting the data format of the physical address to obtain a target value conforming to the target data format; matching the target value with the value stored in the storage space in the tree structure based on a predetermined hierarchical order; when a storage space successfully matched with the target numerical value exists, acquiring an identifier stored in the matched storage space; and determining a second pre-shared key identification according to the identification stored in the storage space.

In an embodiment, the terminal information includes a physical address of the terminal and a terminal random number generated by the terminal, and the network connection device may further include:

a fourth obtaining unit, configured to obtain a routing address and a routing random number, and obtain a second pre-shared key from a third database according to a second pre-shared key identifier;

A second generation unit configured to generate a second pairwise temporary key based on a second pre-shared key, a physical address, a terminal random number, a routing address, and a routing random number;

a third generating unit, configured to generate a second message integrity check code according to the second pairwise temporary key;

and the second checking unit is used for checking the network connection request according to the second message integrity check code.

In an embodiment, the network connection device further includes:

and the first updating unit is used for establishing a target mapping relation between the second pre-shared key identification and the compressed information and updating the first database according to the target mapping relation.

In an embodiment, the network connection device further includes:

the traversing unit is used for traversing the preshared key in the third database in sequence when the network connection request is not checked to pass according to the second preshared key identification, and generating a message integrity check code according to the preshared key;

the third checking unit is used for checking the network connection request according to the message integrity check code;

and the second updating unit is used for establishing network connection with the terminal when the verification passes and updating the first database and the second database based on the message integrity verification code passing the verification.

In one embodiment, the traversing unit is specifically configured to: the network connection request is sent to a server, the server traverses the pre-shared secret key in the third database in sequence, and a message integrity check code is generated according to the pre-shared secret key;

the third checking unit is specifically configured to: comparing the message integrity check code with a target message integrity check code in the network connection request; and when the message integrity check code is matched with the target message integrity check code, receiving a check passing message returned by the server.

In the embodiment of the present application, the receiving unit 301 may receive a network connection request carrying terminal information sent by a terminal, and the processing unit 302 performs compression mapping processing on the terminal information to obtain compressed information meeting a predetermined data format; then, the first obtaining unit 303 may obtain, based on the compressed information, a first pre-shared key identifier from a first database, where the first database includes a mapping relationship between the pre-compressed information and the pre-shared key identifier; checking the network connection request according to the first pre-shared key identifier, and when the checking fails, acquiring a second pre-shared key identifier in a second database based on the terminal information by a second acquisition unit 304, wherein the second database comprises a mapping relation between preset terminal information and the pre-shared key identifier; the network connection request is verified based on the second pre-shared key identification, and when the verification passes, a network connection with the terminal can be established by the establishing unit 305. According to the scheme, the pre-shared key identification can be rapidly acquired from the first database storing the mapping relation between the pre-compressed information and the pre-shared key identification or from the second database storing the mapping relation between the pre-shared key identification, so that the network connection request is checked without traversing all pre-shared keys, the checking speed is improved, and the network connection efficiency is improved.

The embodiment of the application also provides a network device, as shown in fig. 9, which shows a schematic structural diagram of the network device according to the embodiment of the application, specifically:

the network device may include one or more processors 401 of a processing core, memory 402 of one or more computer readable storage media, power supply 403, and input unit 404, among other components. Those skilled in the art will appreciate that the network device structure shown in fig. 9 is not limiting of the network device and may include more or fewer components than shown, or may combine certain components, or may be a different arrangement of components. Wherein:

the processor 401 is a control center of the network device, connects various parts of the entire network device using various interfaces and lines, and performs various functions of the network device and processes data by running or executing software programs and/or modules stored in the memory 402, and calling data stored in the memory 402, thereby performing overall monitoring of the network device. Optionally, processor 401 may include one or more processing cores; preferably, the processor 401 may integrate an application processor and a modem processor, wherein the application processor mainly processes an operating system, a user interface, an application program, etc., and the modem processor mainly processes wireless communication. It will be appreciated that the modem processor described above may not be integrated into the processor 401.

The memory 402 may be used to store software programs and modules, and the processor 401 executes various functional applications and data processing by executing the software programs and modules stored in the memory 402. The memory 402 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program (such as a sound playing function, an image playing function, etc.) required for at least one function, and the like; the storage data area may store data created according to the use of the network device, etc. In addition, memory 402 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device. Accordingly, the memory 402 may also include a memory controller to provide the processor 401 with access to the memory 402.

The network device further comprises a power supply 403 for supplying power to the various components, and preferably the power supply 403 may be logically connected to the processor 401 by a power management system, so that functions of charge, discharge, and power consumption management are performed by the power management system. The power supply 403 may also include one or more of any of a direct current or alternating current power supply, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.

The network device may also include an input unit 404, which input unit 404 may be used to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.

Although not shown, the network device may further include a display unit or the like, which is not described herein. In this embodiment, the processor 401 in the network device loads executable files corresponding to the processes of one or more application programs into the memory 402 according to the following instructions, and the processor 401 executes the application programs stored in the memory 402, so as to implement various functions as follows:

the method comprises the steps of receiving a network connection request carrying terminal information sent by a terminal, and carrying out compression mapping processing on the terminal information to obtain compressed information conforming to a preset data format; the first pre-shared key identifier can be obtained from a first database based on the compressed information, and the first database comprises a mapping relation between the pre-compressed information and the pre-shared key identifier; checking the network connection request according to the first pre-shared key identifier, and when the checking is not passed, acquiring a second pre-shared key identifier from a second database based on the terminal information, wherein the second database comprises a mapping relation between preset terminal information and the pre-shared key identifier; and checking the network connection request according to the second pre-shared key identifier, and establishing network connection with the terminal when the checking is passed.

In an embodiment, the terminal information includes a physical address of the terminal, and when performing compression mapping processing on the terminal information to obtain compressed information conforming to a predetermined data format, the processor 401 may be configured to perform: performing hash operation on the physical address to obtain a hash value; and performing compression operation on the hash value to obtain compressed information conforming to a preset data format.

In an embodiment, when performing a compression operation on the hash value to obtain compressed information conforming to a predetermined data format, the processor 401 may be configured to perform: extracting a high preset bit number and a low preset bit number of the hash value; and carrying out logic operation on the high preset bit number and the low preset bit number to obtain compressed information conforming to a preset data format.

In an embodiment, in verifying the network connection request according to the first pre-shared key identification, the processor 401 may be configured to perform: acquiring a first pre-shared key from a third database according to the first pre-shared key identifier; generating a first message integrity check code according to the first pre-shared key; and checking the network connection request according to the first message integrity check code.

In an embodiment, the terminal information includes a physical address of the terminal and a terminal random number generated by the terminal, and the processor 401 may be configured to perform: acquiring a routing address and a routing random number; generating a first pairing temporary key based on the first pre-shared key, the physical address, the terminal random number, the routing address and the routing random number; a first message integrity check code is generated from the first pairwise temporal key.

In an embodiment, in generating the first message integrity check code from the first pairwise transient key, the processor 401 may be configured to perform: extracting a first validation key from the first pairing temporary key; and calculating the first confirmation key, the physical address and the terminal random number through a message digest algorithm to obtain a first message integrity check code.

In an embodiment, where the terminal information includes a physical address, the second database includes a tree structure including at least one layer of storage space, where the storage space stores values and identifiers, the processor 401 may be configured to perform, when acquiring the second pre-shared key identifier in the second database based on the terminal information: converting the data format of the physical address to obtain a target value conforming to the target data format; matching the target value with the value stored in the storage space in the tree structure based on a predetermined hierarchical order; when a storage space successfully matched with the target numerical value exists, acquiring an identifier stored in the matched storage space; and determining a second pre-shared key identification according to the identification stored in the storage space.

In an embodiment, the terminal information includes a physical address of the terminal and a terminal random number generated by the terminal, and the processor 401 may be configured to perform, when verifying the network connection request according to the second pre-shared key identifier: acquiring a routing address and a routing random number, and acquiring a second pre-shared key from a third database according to the second pre-shared key identifier; generating a second pairwise temporary key based on the second pre-shared key, the physical address, the terminal random number, the routing address, and the routing random number; generating a second message integrity check code according to the second pairwise temporary key; and checking the network connection request according to the second message integrity check code.

In an embodiment, the verification of the network connection request according to the second pre-shared key identifier, and when the verification passes, after establishing the network connection with the terminal, the processor 401 may be configured to perform: establishing a target mapping relation between the second pre-shared key identification and the compressed information; and updating the first database according to the target mapping relation.

In an embodiment, the processor 401 may be configured to perform: when the network connection request is not checked according to the second pre-shared key identification, traversing the pre-shared keys in the third database in sequence, and generating a message integrity check code according to the pre-shared keys; checking the network connection request according to the message integrity check code; when the verification passes, establishing network connection with the terminal, and updating the first database and the second database based on the verified message integrity verification code.

In one embodiment, when traversing the pre-shared secret keys in the third database in turn, and generating a message integrity check code according to each pre-shared secret key, the processor 401 may be configured to perform: sending a network connection request to a server; traversing the pre-shared secret key in the third database in sequence through the server, generating a message integrity check code according to the pre-shared secret key, and comparing the message integrity check code with a target message integrity check code in the network connection request; and when the message integrity check code is matched with the target message integrity check code, receiving a check passing message returned by the server.

According to one aspect of the present application, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the network device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the network device performs the methods provided in the various alternative implementations of the above embodiments.

Those of ordinary skill in the art will appreciate that all or a portion of the steps of the various methods of the above embodiments may be performed by computer instructions, or by control of associated hardware, which may be stored in a computer readable storage medium and loaded and executed by a processor. To this end, the embodiments of the present application provide a storage medium having stored therein a computer program comprising computer instructions that can be loaded by a processor to perform any of the network connection methods provided by the embodiments of the present application.

The specific implementation of each operation above may be referred to the previous embodiments, and will not be described herein.

Wherein the storage medium may include: read Only Memory (ROM), random access Memory (RAM, random Access Memory), magnetic or optical disk, and the like.

Because the computer instructions stored in the storage medium may execute steps in any network connection method provided in the embodiments of the present application, the beneficial effects that any network connection method provided in the embodiments of the present application may be achieved, which are detailed in the previous embodiments and are not described herein.

The foregoing describes in detail a network connection method, apparatus, network device and storage medium provided in the embodiments of the present application, and specific examples are applied to illustrate the principles and implementations of the present application, where the foregoing description of the embodiments is only used to help understand the method and core idea of the present application; meanwhile, those skilled in the art will have variations in the specific embodiments and application scope in light of the ideas of the present application, and the present description should not be construed as limiting the present application in view of the above.

Claims

1. A method of network connection, comprising:

acquiring a first pre-shared key identifier from a first database based on the compressed information, wherein the first database comprises a mapping relation between preset compressed information and the pre-shared key identifier, and the first database stores the pre-shared key identifier by mapping the preset compressed information to a position in a table so as to form a data structure for accessing the preset shared key identifier according to the preset compressed information;

checking the network connection request according to the first pre-shared key identification, and when the checking fails, acquiring a second pre-shared key identification from a second database based on the terminal information, wherein the second database comprises a mapping relation between preset terminal information stored in a tree structure and the pre-shared key identification, the tree structure comprises at least one layer of storage space, and the second pre-shared key identification is obtained by determining the identification stored in the storage space matched with the terminal information and acquired from the tree structure through a preset hierarchy sequence;

2. The network connection method according to claim 1, wherein the terminal information includes a physical address of the terminal, and the performing compression mapping processing on the terminal information to obtain compressed information conforming to a predetermined data format includes:

performing hash operation on the physical address to obtain a hash value;

and performing compression operation on the hash value to obtain compressed information conforming to a preset data format.

3. The network connection method according to claim 2, wherein the compressing the hash value to obtain compressed information conforming to a predetermined data format includes:

extracting a high preset bit number and a low preset bit number of the hash value;

and carrying out logic operation on the high preset bit number and the low preset bit number to obtain compressed information conforming to a preset data format.

4. The network connection method of claim 1, wherein the verifying the network connection request according to the first pre-shared key identification comprises:

Acquiring a first pre-shared key from a third database according to the first pre-shared key identifier;

generating a first message integrity check code according to the first pre-shared key;

and checking the network connection request according to the first message integrity check code.

5. The network connection method of claim 4, wherein the terminal information includes a physical address of the terminal and a terminal random number generated by the terminal, and wherein generating a first message integrity check code from the first pre-shared key comprises:

acquiring a routing address and a routing random number;

generating a first pairwise temporary key based on the first pre-shared key, the physical address, the terminal random number, the routing address, and the routing random number;

and generating a first message integrity check code according to the first pairing temporary key.

6. The network connection method of claim 5, wherein the generating a first message integrity check code from the first pairwise temporal key comprises:

extracting a first validation key from the first pairing temporary key;

and calculating the first confirmation key, the physical address and the terminal random number through a message digest algorithm to obtain a first message integrity check code.

7. The network connection method according to claim 1, wherein the terminal information includes a physical address, the storage space stores a value and an identification, and the acquiring the second pre-shared key identification in the second database based on the terminal information includes:

converting the data format of the physical address to obtain a target value conforming to a target data format;

matching the target value with a value stored in a storage space in the tree structure based on a predetermined hierarchical order;

when a storage space successfully matched with the target numerical value exists, acquiring an identification stored in the matched storage space;

and determining a second pre-shared key identifier according to the identifier stored in the storage space.

8. The network connection method according to claim 1, wherein the terminal information includes a physical address of the terminal and a terminal random number generated by the terminal, and the verifying the network connection request according to the second pre-shared key identifier includes:

acquiring a routing address and a routing random number;

acquiring a second pre-shared key from a third database according to the second pre-shared key identifier;

Generating a second pairwise temporary key based on the second pre-shared key, the physical address, the terminal random number, a routing address, and a routing random number;

generating a second message integrity check code according to the second pairwise temporary key;

and checking the network connection request according to the second message integrity check code.

9. The network connection method according to any one of claims 1 to 8, characterized in that after the establishment of the network connection with the terminal, the network connection method further comprises:

establishing a target mapping relation between the second pre-shared key identifier and the compressed information;

and updating the first database according to the target mapping relation.

10. The network connection method according to any one of claims 1 to 8, characterized in that the network connection method further comprises:

when the network connection request is not checked according to the second pre-shared key identification, traversing the pre-shared keys in a third database in sequence, and generating a message integrity check code according to the pre-shared keys;

checking the network connection request according to the message integrity check code;

When the verification passes, establishing network connection with the terminal, and updating the first database and the second database based on the verified message integrity verification code.

11. The method of claim 10, wherein traversing the pre-shared keys in the third database in turn and generating a message integrity check code from each pre-shared key, and verifying the network connection request based on the message integrity check code comprises:

the network connection request is sent to a server;

traversing the pre-shared secret key in the third database in sequence through the server, generating a message integrity check code according to the pre-shared secret key, and comparing the message integrity check code with a target message integrity check code in the network connection request;

and when the message integrity check code is matched with the target message integrity check code, receiving a check passing message returned by the server.

12. A network connection device, comprising:

a first obtaining unit, configured to obtain a first pre-shared key identifier from a first database based on the compressed information, where the first database includes a mapping relationship between preset compressed information and the pre-shared key identifier, and the first database stores the pre-shared key identifier by mapping the preset compressed information to a position in a table, so as to form a data structure for accessing the preset shared key identifier according to the preset compressed information;

the second obtaining unit is used for verifying the network connection request according to the first pre-shared key identification, and when the verification fails, obtaining a second pre-shared key identification from a second database based on the terminal information, wherein the second database comprises a mapping relation between preset terminal information stored in a tree structure and the pre-shared key identification, the tree structure comprises at least one layer of storage space, and the second pre-shared key identification is obtained by determining the identification stored in the storage space matched with the terminal information and obtained from the tree structure through a preset hierarchy sequence;

13. A network device comprising a processor and a memory, the memory having stored therein a computer program, the processor executing the network connection method of any of claims 1 to 11 when invoking the computer program in the memory.

14. A storage medium storing a computer program to be loaded by a processor to perform the network connection method of any one of claims 1 to 11.