CN114173334A - Method for accessing AP, AP and storage medium - Google Patents

Info

Publication number
CN114173334A
Authority
CN
China
Prior art keywords
mic
key
client
ptk
snonce
Legal status
Withdrawn
Application number
CN202111250101.0A
Other languages
Chinese (zh)
Inventor
王维
吴清根
Current Assignee
New H3C Big Data Technologies Co Ltd
Original Assignee
New H3C Big Data Technologies Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA] > H04W 12/041 Key generation or derivation
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords > H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords > H04L 9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/10 Integrity > H04W 12/106 Packet or message integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present specification provides a method of accessing an AP, an AP, and a storage medium. The method includes: receiving a first message, sent to an AP by a client, that carries a client random number SNonce and a first MIC; generating a first key PTK by using the SNonce and the random number ANonce of the AP; obtaining a second MIC by using the first PTK; verifying the first MIC by using the second MIC; and, if the verification is successful, installing the target PTK in the AP so that the client accesses the AP. By this method, the roaming packet loss rate of the client can be reduced.

Description

Method for accessing AP, AP and storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular to a method for accessing an AP, an AP, and a storage medium.
Background
User roaming refers to the process of transferring access of a WLAN client from one AP to another AP in an ESS area, and the IP address, authorization information, etc. of the client remain unchanged during roaming.
The 802.11i protocol adopts AKM (Authentication and Key Management) to authenticate the validity of the user identity and dynamically manage the generation and update of the Key. AKM is classified into three modes of 802.1X, Private-PSK and PSK.
For enterprises, governments and other organizations with higher security requirements, it is recommended that an authentication server authenticate the identity of the client in the 802.1X authentication mode.
For home users and others with lower security requirements, the PSK mode is recommended for authenticating the client. The PSK authentication mode requires a pre-shared key to be entered in advance on the AP side; the key is entered manually during the client association process, the AP and the client verify the validity of the client's pre-shared key through the four-way handshake key negotiation, and if the PTK (Pairwise Transient Key) negotiation succeeds the user is proved legitimate, so that authentication is achieved.
In the common PSK encryption mode, during the RSN (Robust Security Network) key negotiation process, the unicast key and the multicast key are negotiated through a four-way handshake, and data packets exchanged between the terminal and the AP during this negotiation are lost. As clients place ever higher demands on the quality of the network connection, the client needs to be guaranteed the same experience during roaming as when not roaming, so the packet loss rate of the client during roaming must be reduced.
Disclosure of Invention
The present disclosure provides a method for accessing an AP, an AP, and a storage medium, by which the roaming packet loss rate of a client accessing the AP can be reduced.
The present disclosure provides a method for accessing an AP, the method including:
receiving a first message which is sent to an AP by a client and carries a client random number SNonce and a first MIC;
generating a first key PTK by using the SNonce and the random number ANonce of the AP, and obtaining a second MIC by using the first PTK;
verifying the first MIC by using the second MIC;
and if the verification is successful, installing the target PTK in the AP so that the client accesses the AP.
The method for obtaining the first message comprises the following steps:
and sending a second message carrying the ANonce to the client so that the client generates a second key PTK according to the ANonce and the SNonce of the client, and obtaining a first MIC by using the second key PTK.
Generating a first key PTK by using the SNonce and the random number ANonce of the AP, and obtaining a second MIC by using the first PTK, wherein the method comprises the following steps:
and the AC connected with the AP receives the SNonce, generates a first key PTK by using the random number ANonce of the AP, and obtains a second MIC by using the first PTK.
Wherein the verifying the first MIC with the second MIC comprises:
the AC judges whether a second MIC is matched with the first MIC;
if the matching is successful, the verification is successful, otherwise, the verification is not successful.
When the verification is passed, the method further comprises:
the AC sends key installation information to the AP, the key installation information including: a first PTK, a second MIC, a unicast key ID, an association ID, a CCMP key, and key length information.
The AC sending key installation information to the AP, including:
and the AC sends the key installation information to the AP by using a CAPWAP message through a CAPWAP tunnel.
An embodiment of the present disclosure further provides an AP, where the AP includes:
the receiving module is used for receiving a first message which is sent to the AP by the client and carries the client random number SNonce and the first MIC;
the processing module is used for generating a first key PTK by using the SNonce and the random number ANonce of the AP and obtaining a second MIC by using the first PTK;
a verification module for verifying the first MIC using the second MIC;
and the installation module is used for installing the target PTK in the AP after the verification is successful so that the client accesses the AP.
Optionally, the AP further includes:
and the sending module is used for sending a second message carrying the ANonce to the client so that the client generates a second key PTK according to the ANonce and the SNonce of the client, and obtains the first MIC by using the second key PTK.
An embodiment of the present disclosure further provides an AP, where the AP includes: a memory, a processor, and a program stored on the memory and executable on the processor, the program when executed by the processor implementing the method of any of the implementations described above.
A computer-readable storage medium having a program stored thereon, the program, when executed by a processor, implementing the method of any of the implementations described above.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present specification and together with the description, serve to explain the principles of the specification.
Fig. 1 is a schematic flowchart of a handshake between a client and an AP according to an embodiment of the present disclosure.
Fig. 2 is a flowchart illustrating a method for accessing an AP according to an embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the specification, as detailed in the appended claims.
The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present specification. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
As shown in fig. 1, a key negotiation process between a Client and an AP in an RSN (Robust Security Network) mode is provided, which includes the following steps:
the AP sends a first EAPOL-Key Message1 carrying a random number ANonce to the client.
The client receives Message 1, generates a PTK (Pairwise Transient Key) through a key derivation algorithm by using the random number ANonce sent by the AP, the random number SNonce of the client, and the PMK (Pairwise Master Key) produced by identity authentication, generates a MIC (Message Integrity Check) by using the KCK (EAPOL-Key Confirmation Key) in the PTK, fills the MIC into Message 2, and then sends the second EAPOL-Key Message 2 carrying the SNonce and the MIC to the AP.
The AP receives Message 2, generates a PTK by using the SNonce, the ANonce and the PMK produced by identity authentication through the key derivation algorithm, generates a MIC by using the KCK in the PTK, and performs MIC verification on Message 2 by comparing the MIC generated at the AP end with the MIC in the message; if the two MICs are the same, MIC verification succeeds, otherwise it fails. After the MIC is successfully verified, the AP generates a GTK from a random value GMK and the MAC address of the AP through a key derivation algorithm, and sends the third EAPOL-Key Message 3, carrying a key installation flag that informs the client to install, the MIC and the GTK, to the client.
The client receives Message 3, first performs MIC verification on the message, installs the unicast key TK and the multicast key GTK after the MIC is successfully verified, and then sends the fourth EAPOL-Key Message 4 carrying the MIC to the AP.
The AP receives Message 4, first performs MIC verification on the message, and installs the unicast key PTK and the multicast key GTK after successful verification.
Through the interaction process, the client needs to undergo 4 interactions when accessing the AP, and the situation that the client sends a service packet to the AP exists before the 4 interactions are completed, and at this time, the AP cannot process the service packet sent by the client because the client has not completed 4 interactions with the AP.
In order to solve the above technical problem, the present disclosure provides a method for accessing an AP, as shown in fig. 2, the method including:
S201, receiving a first message which is sent to an AP by a client and carries a client random number SNonce and a first MIC;
S202, generating a first key PTK by using the SNonce and the random number ANonce of the AP, and obtaining a second MIC by using the first PTK;
S203, verifying the first MIC by using the second MIC;
S204, if the verification is successful, installing the target PTK in the AP so that the client can access the AP.
In step S201, before the client sends the first message to the AP, the AP sends a second message carrying its own random number ANonce to the client (the ANonce may be allocated to the AP by the AC or generated by the AP itself), so that the client generates a second key PTK according to the ANonce and the SNonce of the client (specifically, the second PTK is generated from the ANonce, the SNonce and the PMK produced by identity authentication through a key derivation algorithm), generates a first MIC by using the KCK (EAPOL-Key Confirmation Key) in the second key PTK, and sends the first message carrying the first MIC to the AP.
In this embodiment, the AP may be a FATAP or a FITAP; for a FITAP, management of the network is implemented in combination with the AC.
In step S202, if the AP is a FATAP, the AP may generate the first key PTK and the multicast key GTK by using the SNonce and its own random number ANonce, and obtain the second MIC by using the first PTK.
The FATAP can then perform step S203.
In another embodiment, if the AP is a FITAP, in step S202 the AC connected to the AP receives the SNonce of the client and the ANonce of the AP, generates the first PTK using the SNonce and the ANonce, and obtains the second MIC using the first PTK.
Step S203 may be executed in two ways: in the first case, where the AP is a FATAP, the AP executes step S203 directly; in the second case, where the AP is AC + FITAP, the AC executes step S203, that is, it determines whether the second MIC matches the first MIC; if so, the verification passes, otherwise it does not.
After the FATAP completes the verification, it can encapsulate the key installation information and inform the kernel to install the key, where the key installation information comprises: the first PTK, the second MIC, the ID of the unicast key (WEP key ID), the association ID, the CCMP key and the key length information.
In another example, when the AC completes authentication, the AC may encapsulate the key installation information and send the key installation information to the AP (FITAP) using a CAPWAP message via a CAPWAP tunnel.
Specifically, the AC encapsulates the key installation message in a CAPWAP message and sends it to the AP through the CAPWAP tunnel. In one implementation, the AC loads the key installation message into an ACTION message and sends it to the AP. After receiving the encapsulated key installation message sent by the AC through the CAPWAP tunnel, the AP can first judge whether it supports installing the unicast key in advance; if it does, the AP de-encapsulates the key installation message and encapsulates all the information to inform the kernel to install the key. After receiving the message, the kernel (1) issues the key to the driver to complete the unicast key installation, and (2) informs the driver to send outgoing unicast data messages without encryption.
Alternatively, the AP receives the ACTION message sent by the AC carrying the key installation message and judges whether it is the agreed unicast ACTION message; if not, the message is not processed. If so, the AP judges whether the current FATAP supports installing the unicast key in advance. If not, the ACTION message is discarded directly; if so, the unicast key information is taken out of the ACTION message, and then (1) the key is issued to the driver to complete the unicast key installation, and (2) the driver is informed to send outgoing unicast data messages without encryption.
It can be seen from the foregoing embodiments that, compared with the existing method that 4 times of handshake interaction is required when the client accesses the AP, the scheme in this embodiment enables the AP to configure the relevant key after the client completes 2 times of interaction with the AP, so as to process the service packet sent by the client.
That is to say, the AP installs the PTK in advance, so that the unicast data packet sent by the client can be decrypted more quickly, and meanwhile, the data packet sent to the client during this period is guaranteed not to be encrypted, thereby reducing the packet loss rate. After the four handshakes are finished, the message sent to the client by the AP is normally encrypted.
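The handshake steps and the AP-side verification described above, as an added Python example written for this page (not code from the patent, from New H3C, or from any driver): it implements the IEEE 802.11 PTK derivation and EAPOL-Key MIC computation used in the four-way handshake, has the client build Message 2, and has the AP verify the first MIC and produce the key installation record of the embodiment immediately after Message 2. The simplified Message 2 byte layout, the MAC addresses, the passphrase and the SSID are constructed for this example and are not the patent's.

```python
import hashlib
import hmac
import os

# Constructed example (not code from the patent or its assignee). It implements
# the IEEE 802.11 PTK derivation (PRF-384 over HMAC-SHA1, as used with CCMP)
# and the EAPOL-Key MIC (HMAC-SHA1-128, key descriptor version 2), then plays
# the AP side of the scheme above: after Message 2 the AP derives its own PTK
# ("first PTK"), recomputes the MIC ("second MIC"), compares it with the
# client's MIC ("first MIC") and, on a match, builds the key installation record.
PTK_LEN_CCMP = 48        # bytes: KCK (16) | KEK (16) | TK (16)
NONCE_LEN = 32
MIC_LEN = 16
PTK_LABEL = b"Pairwise key expansion"


def prf_80211(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate the result to out_len bytes."""
    out = b""
    i = 0
    while len(out) < out_len:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:out_len]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The min/max ordering makes the result the same on the client and the AP."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_80211(pmk, PTK_LABEL, data, PTK_LEN_CCMP)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Constructed, simplified Message 2 layout used only in this example (the real
# EAPOL-Key frame carries more fields): descriptor type (1) | replay counter (8)
# | SNonce (32) | MIC (16). The MIC field is zero while the MIC is computed.
M2_DESC_TYPE = b"\x02"
M2_SNONCE_OFF = 9
M2_MIC_OFF = 41
M2_LEN = M2_MIC_OFF + MIC_LEN


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """HMAC-SHA1-128 over the frame with its MIC field set to zero."""
    zeroed = frame[:M2_MIC_OFF] + bytes(MIC_LEN) + frame[M2_MIC_OFF + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def client_build_message2(pmk, aa, spa, anonce, snonce, replay_counter=1):
    """Client side: derive the 'second PTK' from ANonce, SNonce and PMK, compute
    the 'first MIC' with its KCK, and return Message 2 carrying SNonce and MIC."""
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    frame = M2_DESC_TYPE + replay_counter.to_bytes(8, "big") + snonce + bytes(MIC_LEN)
    return ptk, frame[:M2_MIC_OFF] + eapol_key_mic(ptk["kck"], frame)


def ap_handle_message2(pmk, aa, spa, anonce, frame, aid, key_id=0):
    """AP side (the AC, for a FITAP): derive the 'first PTK', recompute the
    'second MIC', verify it against the received 'first MIC' and, on success,
    return the key installation record listed in the text. Returns None on any
    mismatch so that nothing is installed for a bad Message 2."""
    if len(frame) != M2_LEN or frame[0:1] != M2_DESC_TYPE:
        return None
    snonce = frame[M2_SNONCE_OFF:M2_SNONCE_OFF + NONCE_LEN]
    first_mic = frame[M2_MIC_OFF:M2_MIC_OFF + MIC_LEN]
    first_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    second_mic = eapol_key_mic(first_ptk["kck"], frame)
    # Constant-time comparison: the MIC check must not leak timing information.
    if not hmac.compare_digest(first_mic, second_mic):
        return None
    return {"ptk": first_ptk, "mic": second_mic, "unicast_key_id": key_id,
            "association_id": aid, "ccmp_key": first_ptk["tk"],
            "key_len": len(first_ptk["tk"])}


def demo():
    """One exchange with constructed MACs and a WPA2-PSK style PMK (PBKDF2-SHA1)."""
    pmk = hashlib.pbkdf2_hmac("sha1", b"example-passphrase", b"example-ssid", 4096, 32)
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = os.urandom(NONCE_LEN), os.urandom(NONCE_LEN)
    client_ptk, msg2 = client_build_message2(pmk, aa, spa, anonce, snonce)
    return client_ptk, ap_handle_message2(pmk, aa, spa, anonce, msg2, aid=1)


if __name__ == "__main__":
    client_ptk, install = demo()
    print("PTK match:", install is not None and install["ptk"] == client_ptk)
```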
Based on the foregoing method embodiments, the present disclosure further provides an AP, where the AP includes:
the receiving module is used for receiving a first message which is sent to the AP by the client and carries the client random number SNonce and the first MIC;
the processing module is used for generating a first key PTK by using the SNonce and the random number ANonce of the AP and obtaining a second MIC by using the first PTK;
a verification module for verifying the first MIC using the second MIC;
and the installation module is used for installing the target PTK in the AP after the verification is successful so that the client accesses the AP.
The AP further comprises: and the sending module is used for sending a second message carrying the ANonce to the client so that the client generates a second key PTK according to the ANonce and the SNonce of the client, and obtains the first MIC by using the second key PTK.
The embodiment of the present disclosure further provides an AP, which includes a memory, a processor, and a program stored on the memory and executable on the processor, and when the program is executed by the processor, the AP implements the above embodiments.
Embodiments of the present disclosure also provide a computer-readable storage medium, on which a program is stored, and the program implements the above embodiments when executed by a processor.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Other embodiments of the present description will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It will be understood that the present description is not limited to the precise arrangements described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The above description is only a preferred embodiment of the present disclosure, and should not be taken as limiting the present disclosure, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.

Claims (10)

1. A method for accessing an AP, the method comprising:
receiving a first message which is sent to an AP by a client and carries a client random number SNonce and a first MIC;
generating a first key PTK by using the SNonce and the random number ANonce of the AP, and obtaining a second MIC by using the first PTK;
verifying the first MIC by using the second MIC;
and if the verification is successful, installing the target PTK in the AP so that the client accesses the AP.
2. The method of claim 1, wherein obtaining the first packet comprises:
and sending a second message carrying the ANonce to the client so that the client generates a second key PTK according to the ANonce and the SNonce of the client, and obtaining a first MIC by using the second key PTK.
3. The method of claim 1, wherein generating a first key PTK by using the SNonce and a random number ANonce of the AP, and obtaining a second MIC by using the first PTK comprises:
and the AC connected with the AP receives the SNonce, generates a first key PTK by using the random number ANonce of the AP, and obtains a second MIC by using the first PTK.
4. The method of claim 3, wherein the verifying the first MIC with the second MIC comprises:
the AC judges whether a second MIC is matched with the first MIC;
if the matching is successful, the verification is successful, otherwise, the verification is not successful.
5. The method of claim 4, wherein after the verification passes, the method further comprises:
the AC sends key installation information to the AP, the key installation information including: the first PTK, the second MIC, the ID of the unicast key WEP key, the association ID, the CCMP key and the key length information.
6. The method of claim 5, wherein the AC sending key installation information to the AP comprises:
and the AC sends the key installation information to the AP by using a CAPWAP message through a CAPWAP tunnel.
7. An AP, the AP comprising:
the receiving module is used for receiving a first message which is sent to the AP by the client and carries the client random number SNonce and the first MIC;
the processing module is used for generating a first key PTK by using the SNonce and the random number ANonce of the AP and obtaining a second MIC by using the first PTK;
a verification module for verifying the first MIC using the second MIC;
and the installation module is used for installing the target PTK in the AP after the verification is successful so that the client accesses the AP.
8. The AP of claim 7, further comprising:
and the sending module is used for sending a second message carrying the ANonce to the client so that the client generates a second key PTK according to the ANonce and the SNonce of the client, and obtains the first MIC by using the second key PTK.
9. An AP, the AP comprising: memory, processor and program stored on the memory and executable on the processor, which when executed by the processor implements the method steps of any of claims 1 to 6.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a program which, when being executed by a processor, carries out the method steps of any one of claims 1 to 6.
CN202111250101.0A, priority date 2021-10-26, filing date 2021-10-26, Method for accessing AP, AP and storage medium, Withdrawn, published as CN114173334A (en)

Publications (1)

Publication Number Publication Date
CN114173334A true CN114173334A (en) 2022-03-11

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102883316A (en) * 2011-07-15 2013-01-16 Huawei Device Co., Ltd. Connection establishing method, terminal and access point
WO2016184351A1 (en) * 2015-05-21 2016-11-24 Alibaba Group Holding Ltd. IP address allocation method and system for wireless network
CN107690138A (en) * 2016-08-05 2018-02-13 Huawei Technologies Co., Ltd. Fast roaming method, device, system, access point and mobile station
CN108023731A (en) * 2016-11-04 2018-05-11 Thomson Licensing Apparatus and method for client device authentication

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220311