CN1553730A - Key consulting method for switching mobile station in wireless local network - Google Patents

Publication number
CN1553730A
Authority
CN
China
Legal status
Granted
Application number
CNA031363555A
Other languages
Chinese (zh)
Other versions
CN1290362C (en)
Inventor
朱蕾
Current Assignee
Beijing Huawei Digital Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN 03136355
Publication of CN1553730A
Application granted
Publication of CN1290362C
Expired - Fee Related


Abstract

A key negotiation method for mobile station handoff in a WLAN includes: presetting authentication count information and authentication key information on the mobile station and the authentication server; the authentication server calculates authentication count information and authentication key information for the access points neighboring the mobile station's current access point and transmits them to those neighboring access points; each neighboring access point sets up authentication count information for the mobile station, updates its own authentication count information with the count information received from the server, and waits for the mobile station to access it; after determining the target access point, the mobile station receives the access point's authentication count information and authentication key information and compares them with the authentication count information and authentication key information it generated itself; if they are identical, the negotiation is completed; otherwise key negotiation is carried out according to the key negotiation method used for first access.

Description

A key negotiation method for mobile station handoff in a wireless local area network
Technical field
The present invention relates to WLAN communication technology, and specifically to a key negotiation method for mobile station handoff in a wireless local area network.
Background art
With the development of WLAN communication technology, users need secure, efficient and seamless wireless communication solutions. According to the draft WLAN security enhancement protocol (IEEE 802.11i Draft 3.0), handoff of a mobile station between different access points comprises two processes: the mobile station searching for a new target access point, and key negotiation. Searching for a new target access point means that the mobile station searches the access points neighboring its current access point in order to determine its next roaming target access point. Key negotiation refers to the session key negotiation that must take place between the mobile station and the access point before service transmission begins; it produces the session key and lets the mobile station and the access point verify each other's authenticity, thereby ensuring the security of message transmission in the WLAN. Key negotiation is an important part of WLAN security enhancement.
Key negotiation can be divided into the key negotiation performed when the mobile station first accesses the network and the key negotiation performed again when the mobile station hands off between different access points. The key negotiation performed at first access is a completely new, full authentication and key negotiation process. The key negotiation performed during handoff between access points can either be a completely new, full authentication and key negotiation process, or can use a master key pre-negotiation protocol to generate a standby master key before the mobile station switches access points, so that the time-consuming master key generation is completed in advance.
When roaming to a new access point, the mobile station can negotiate keys with the new access point using the same authentication and key negotiation procedure as for first access to the network. However, this scheme performs all of the key negotiation work at handoff time, which greatly affects handoff speed. With master key pre-negotiation, the time-consuming master key generation is completed before the mobile station hands off to the new access point, which improves handoff speed while preserving security and reduces the impact of handoff, thereby achieving secure, efficient and seamless continuity of WLAN communication service. At present there are two main methods of pre-negotiating the master key:
First method: the mobile station pre-negotiates the master key with the new access point when it roams into the overlap region between the current access point and the new access point. Under the pre-authentication scheme proposed in the IEEE 802.11i protocol, the mobile station performs IEEE 802.1X-EAP authentication directly after discovering the new access point and generates a standby master key, so that the time-consuming authentication and master key generation are completed before handoff and handoff speed improves. This method has limitations. First, it requires a large overlap between the coverage areas of different access points so that the mobile station can complete pre-authentication before handoff; but the larger the overlap, the more radio resources are wasted, which inevitably raises the cost of building the wireless network. Second, the pre-authentication scheme defined by the IEEE 802.11i protocol requires the mobile station to perform mutual authentication with the authentication server again when it roams to the new access point, yet this repeated mutual authentication is not necessary in actual communication.
Second method: before the mobile station roams to the new target access point, master key negotiation is completed between the current access point and the new target access point. Among the proposals related to the IEEE 802.11i protocol, a method has been proposed for pre-negotiating the master key between the current access point and the new access point. In this method, the handoff process no longer needs the authentication server to generate the master keys for the neighboring access points and distribute them; instead, the mobile station's current access point and its neighboring access points negotiate standby master keys according to the Inter Access Point Protocol (IAPP). After determining its roaming target access point, the mobile station uses the pre-negotiated algorithm to compute the standby master key for that target access point and verifies that it matches the standby master key the target access point has generated. Once verification succeeds, session key negotiation continues, the session key is generated, and the handoff between access points is complete. Although this method removes the fast-handoff requirement on access point coverage, it cannot provide complete forward security: if the current access point is a forged access point, then because the authentication process does not go through the authentication server, the security of the master key of the next target access point is directly affected, and the security of the handoff process cannot be guaranteed. In addition, because the authentication process does not go through the authentication server, the existing key generation structure must be modified to further secure the negotiation of standby master keys between the current access point and its neighboring access points, which increases the complexity of designing authentication and key negotiation between access points.
In summary, although the above methods for pre-negotiating the master key for mobile station handoff in a WLAN have been proposed, each has certain defects. A solution is therefore needed that improves mobile station handoff speed while preserving security and reduces the impact of handoff, thereby achieving secure, efficient and seamless continuity of WLAN communication service.
Summary of the invention
In view of the above, the object of the present invention is to provide a new key negotiation method for mobile station handoff in a WLAN that both ensures the security of handoff and improves handoff speed, reducing handoff delay.
This object is achieved by the following technical solution:
A key negotiation method for mobile station handoff in a WLAN, comprising at least the following steps:
a. Identical authentication count information and authentication key information are set in advance on the mobile station and the authentication server;
b. The authentication server calculates authentication count information and authentication key information for the access points neighboring the mobile station's current access point, and sends the authentication count information and authentication key information to those neighboring access points;
c. Each neighboring access point sets up authentication count information for this mobile station, updates the access point authentication count information with the authentication server authentication count information it received, and waits for the mobile station to access it;
d. After the mobile station determines its roaming target access point, it receives the access point authentication count information and the authentication server authentication key information from the target access point and compares them with the authentication count information and authentication key information that it generated itself by the same rules; if they are consistent, session key negotiation continues to completion; otherwise the authentication server generates a master key between the mobile station and the target access point using the IEEE 802.1X-EAP protocol, and session key negotiation is then completed.
In the above key negotiation method, the authentication count information is a master key refresh counter that records the number of master key updates for each mobile station.
In the above key negotiation method, the rule for generating the authentication count information is: the initial value of the master key refresh counter is set to zero, and after the mobile station roams to a new access point, the values of the master key refresh counters on the authentication server and on the mobile station itself are each incremented by 1.
In the above key negotiation method, the rule for generating the authentication key information is: the authentication key information is obtained by a pseudo-random number algorithm taking as parameters the seed key, the algorithm descriptor, the current master key, the master key refresh counter, the MAC address of the access point and the MAC address of the mobile station.
In the above key negotiation method, step b further comprises: the authentication server starts calculating authentication count information and authentication key information for the neighboring access points of the mobile station's current access point after receiving the notification, sent by the current access point, that service transmission has begun.
In the above key negotiation method, step b further comprises: the authentication server determines all neighboring access points of the mobile station's current access point by querying the access point topology map, and notifies all neighboring access points that they may request a master key in advance; after receiving master key pre-negotiation requests from neighboring access points, it calculates authentication count information and authentication key information for the neighboring access points from which it received requests.
In the above method in which neighboring access points request the master key in advance, the method further comprises: after receiving the notification from the authentication server, a neighboring access point determines whether it supports master key pre-negotiation; if so, it sends a master key pre-negotiation request to the authentication server and sets up the authentication count information at the access point; otherwise it neither sends a master key pre-negotiation request to the authentication server nor sets up the authentication count information at the access point.
In the above key negotiation method, step d further comprises: after determining its roaming target access point, the mobile station sends a connection request to the target access point, and the target access point sends the mobile station a connection response indicating whether it supports master key pre-negotiation; if the target access point supports master key pre-negotiation, the mobile station receives the access point authentication count information and the authentication server authentication key information and compares them with the authentication count information and authentication key information it generated itself by the same rules; otherwise key negotiation between the mobile station and the target access point is completed directly through IEEE 802.1X-EAP authentication.
In the above key negotiation method, step d further comprises: if the authentication count information and the authentication key information of the mobile station and the access point are both found to be consistent on comparison, session key negotiation continues to completion; otherwise the authentication server generates a master key between the mobile station and the target access point using the IEEE 802.1X-EAP protocol, and session key negotiation is then completed.
In the above key negotiation method, the method further comprises setting an authentication key information lifetime timer on the authentication server; when the authentication key information reaches the time set by the lifetime timer, the authentication key information is regenerated between the authentication server and the mobile station, and steps b to d are performed again.
In the above key negotiation method, the method further comprises: when updating the authentication count information for the mobile station, the access point sets an authentication key information lifetime timer; if the authentication key information is referenced within its lifetime, the lifetime timer restarts counting; otherwise the access point deletes the authentication key information stored for this mobile station and its corresponding authentication count information.
Because the authentication server distributes the master key in advance, the present invention avoids the access point coverage requirement that existing scheme one imposes for fast handoff. Using the pre-distributed master key also removes the need to perform time-consuming IEEE 802.1X-EAP authentication during roaming, which improves roaming handoff speed. Using authentication count information, such as the master key refresh counter, simplifies the step of determining whether the master keys are synchronized. At the same time, the master key is generated separately by the authentication server and the mobile station, which can provide complete forward security. Combining the authentication count information with the key lifetime protects the access point or mobile station, to a certain extent, against attacks using expired master keys. The present invention therefore not only improves handoff speed but also ensures system security.
Description of drawings
Fig. 1 is a schematic diagram of the WLAN network structure;
Fig. 2 is an access point coverage map;
Fig. 3 is a schematic diagram of the access point topology;
Fig. 4 is a flow chart of key pre-negotiation according to the present invention.
Embodiment
The present invention is described in more detail below with reference to the drawings and a specific embodiment.
The network structure involved in the master key pre-negotiation method of the present invention is shown in Fig. 1. In this structure, access points (AP: Access Point) A, B, C, D and E are a group of mutually adjacent access points, where access point A is the current access point of the mobile station (STA: Station), access points B and E are the neighboring access points of current access point A, and the authentication server (AS: Authentication Server) is connected to each access point. Fig. 2 shows the coverage map for this group of access points, and Fig. 3 shows the corresponding topology. The coverage distribution of each access point and the topology by which the access points are interconnected are stored in the authentication server; each access point can send a query request to the authentication server to learn all access points adjacent to it and their address information.
In this embodiment, to improve mobile station handoff speed and reduce handoff delay while preserving security, authentication count information is introduced; this embodiment uses a master key refresh counter (RKC: ReKey Counter) to accomplish master key pre-negotiation. The master key refresh counter records the number of times each mobile station's authentication key information has been updated, and its initial value is 0. This embodiment uses the master key as the authentication key information. The authentication server keeps one RKC counter (RKC_AS) for each mobile station, each access point keeps one RKC counter (RKC_AP) for each mobile station that currently has a master key registered with it, and the mobile station itself also has an RKC counter (RKC_STA). The main function of the master key refresh counter is to ensure that the master keys are synchronized when the mobile station and the access point negotiate the session key; it also prevents, to a certain extent, a malicious access point from using an invalidated master key to attack the mobile station.
The key pre-negotiation process for mobile station handoff using the master key refresh counter is shown in Fig. 4 and comprises the following steps:
Step 401: Current access point A completes session key negotiation with the mobile station and notifies the authentication server that service transmission with the mobile station has begun.
Step 402: After being notified, the authentication server queries its stored access point topology map, selects the neighboring access points B and E of access point A, and notifies B and E that they may request a master key in advance.
Step 403: After receiving the authentication server's notification, neighboring access points B and E determine whether they support master key pre-negotiation. An access point that supports it sends the authentication server a request to send the master key in advance, sets up the master key refresh counter RKC_AP at the access point, and then proceeds to step 404. If a neighboring access point does not support master key pre-negotiation, processing for that access point proceeds to step 406.
Step 404: On receiving requests from neighboring access points to send the master key in advance, the authentication server increments by 1 the master key refresh counter RKC_AS it stores for this mobile station, and uses the pseudo-random number generation algorithm negotiated with the mobile station to compute, for each neighboring access point, the standby master key PMK_AP for this mobile station. The authentication server sends each neighboring access point its standby master key PMK_AP together with the master key refresh counter RKC_AS. If the authentication server does not receive a master key request from an access point, it considers that access point not to support advance master key distribution and does not generate a master key for it.
The master key PMK_AP is computed with the pseudo-random number generation algorithm (PRF: Pseudo-Random Function) negotiated between the authentication server and the mobile station:
$$PMK_{AP} = PRF(MK,\ LABEL,\ PMK_0 \,\|\, RKC_{AS} \,\|\, AP_{mac} \,\|\, STA_{mac}) \tag{1}$$
As shown in equation (1), the standby master key PMK_AP of a given access point for this mobile station is computed by the pseudo-random number generation algorithm with the following parameters: the seed key MK, the algorithm descriptor LABEL, the current master key PMK_0, the master key refresh counter RKC_AS, the MAC address AP_mac of the target access point and the MAC address STA_mac of the mobile station. Here, the seed key MK (Master Key) is shared by the authentication server and the mobile station; the algorithm descriptor LABEL is a character string describing the purpose of the algorithm; the current master key PMK_0 is the master key between the current access point and the mobile station, as stored on the authentication server; RKC_AS is the master key refresh counter stored on the authentication server for this mobile station; AP_mac is the MAC address of the neighboring access point of the current access point; and the mobile station's MAC address STA_mac is stored on the authentication server.
Step 405: After each neighboring access point receives the authentication server's response to its request to send the master key in advance, it records the standby master key PMK_AP for this mobile station, updates the master key refresh counter RKC_AP that it stores for this mobile station with the RKC_AS sent by the authentication server, and then begins waiting for the mobile station to access it.
Step 406: The mobile station determines its roaming target access point, increments by 1 the master key refresh counter RKC_STA that it stores, and uses the pseudo-random number generation algorithm negotiated with the authentication server to compute the master key PMK_STA for the new roaming target access point.
The master key PMK_STA is computed with the pseudo-random number generation algorithm negotiated between the authentication server and the mobile station:
$$PMK_{STA} = PRF(MK,\ LABEL,\ PMK_0 \,\|\, RKC_{STA} \,\|\, AP_{mac} \,\|\, STA_{mac}) \tag{2}$$
As shown in equation (2), the master key PMK_STA that the mobile station computes for the roaming target access point is computed by the pseudo-random number generation algorithm with the following parameters: the seed key MK, the algorithm descriptor LABEL, the current master key PMK_0, the master key refresh counter RKC_STA, the MAC address AP_mac of the roaming target access point and the MAC address STA_mac of the mobile station. Here, the seed key MK (Master Key) is shared by the authentication server and the mobile station; the algorithm descriptor LABEL is a character string describing the purpose of the algorithm; the current master key PMK_0 is the master key between the current access point and the mobile station, as stored on the mobile station; RKC_STA is the master key refresh counter stored on the mobile station; AP_mac is the MAC address of the roaming target access point; and STA_mac is the MAC address of the mobile station.
Step 407: The mobile station sends a connection request to the new target access point, and the new target access point sends a connection response after receiving it. The connection request and connection response state whether master key pre-negotiation is supported. If the new target access point supports advance master key distribution, step 408 is performed; if it does not support master key pre-negotiation, the process goes to step 412.
Step 408: The target access point sends the mobile station the first message of session key negotiation, which contains the master key refresh counter RKC_AP that the access point has recorded for the current mobile station and the standby master key PMK_AP that the authentication server distributed to this access point in advance.
Step 409: After receiving the first session key negotiation message from the target access point, the mobile station compares the master key refresh counter RKC_AP recorded at the new target access point for this mobile station with the master key refresh counter RKC_STA recorded at the mobile station. If they are equal, step 410 is performed; if they are not equal, the process goes to step 412.
Step 410: The mobile station continues session key negotiation and compares the master key PMK_STA it computed for the target access point with the standby master key PMK_AP that the authentication server distributed to this access point in advance. If they are consistent, step 411 is performed; if they are inconsistent, the process goes to step 412.
Step 411: Session key negotiation continues, the session key PTK is generated, and session key negotiation is completed, finishing the whole key negotiation process for the mobile station's access point handoff.
Step 412: The authentication server generates a master key between the mobile station and the target access point using the IEEE 802.1X-EAP protocol.
Step 413: Session key negotiation continues, the session key PTK is generated, and session key negotiation is completed, finishing the whole key negotiation process for the mobile station's access point handoff.
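The exchange in steps 401 to 412, with the derivation of equations (1) and (2), as an added example that is not code from the patent. The PRF construction (HMAC-SHA256 in counter mode), the LABEL string, the 4-byte counter encoding, all class and function names, and the sample keys and MAC addresses are assumptions made for illustration.

```python
import hashlib
import hmac

LABEL = b"standby PMK derivation"  # assumed value of the algorithm descriptor


def prf(mk, label, data, length=32):
    """Assumed PRF (HMAC-SHA256, counter mode); the page names no algorithm."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(mk, label + b"\x00" + data + bytes([i]), hashlib.sha256).digest()
        i += 1
    return out[:length]


def derive_pmk(mk, pmk0, rkc, ap_mac, sta_mac):
    """Equations (1) and (2): PRF(MK, LABEL, PMK_0 || RKC || AP_mac || STA_mac)."""
    return prf(mk, LABEL, pmk0 + rkc.to_bytes(4, "big") + ap_mac + sta_mac)


class AccessPoint:
    def __init__(self, name, mac, supports_prenegotiation=True):
        self.name, self.mac = name, mac
        self.supports_prenegotiation = supports_prenegotiation
        self.standby = {}  # STA MAC -> (PMK_AP, RKC_AP)

    def store(self, sta_mac, pmk_ap, rkc_as):
        """Step 405: record PMK_AP and overwrite RKC_AP with the server's RKC_AS."""
        self.standby[sta_mac] = (pmk_ap, rkc_as)

    def first_message(self, sta_mac):
        """Step 408: (PMK_AP, RKC_AP) for this station, or None if nothing is held."""
        return self.standby.get(sta_mac)


class AuthServer:
    def __init__(self, topology):
        self.topology = topology  # AP name -> names of neighbouring APs
        self.stations = {}        # STA MAC -> {"mk", "pmk0", "rkc"}

    def register(self, sta_mac, mk, pmk0):
        self.stations[sta_mac] = {"mk": mk, "pmk0": pmk0, "rkc": 0}

    def predistribute(self, sta_mac, current_ap, aps):
        """Steps 402-404: serve only neighbours that request a key in advance."""
        rec = self.stations[sta_mac]
        requesters = [aps[n] for n in self.topology[current_ap]
                      if aps[n].supports_prenegotiation]
        if requesters:
            rec["rkc"] += 1  # RKC_AS is incremented once per distribution round
        for ap in requesters:
            pmk_ap = derive_pmk(rec["mk"], rec["pmk0"], rec["rkc"], ap.mac, sta_mac)
            ap.store(sta_mac, pmk_ap, rec["rkc"])
        return [ap.name for ap in requesters]


class Station:
    def __init__(self, mac, mk, pmk0, rkc=0):
        self.mac, self.mk, self.pmk0, self.rkc = mac, mk, pmk0, rkc

    def roam(self, ap):
        """Steps 406-412: return 'fast' or 'full-eap' (fallback to 802.1X-EAP)."""
        self.rkc += 1                                  # step 406
        pmk_sta = derive_pmk(self.mk, self.pmk0, self.rkc, ap.mac, self.mac)
        if not ap.supports_prenegotiation:             # step 407
            return "full-eap"
        msg = ap.first_message(self.mac)               # step 408
        if msg is None or msg[1] != self.rkc:          # step 409: counters differ
            return "full-eap"
        if not hmac.compare_digest(msg[0], pmk_sta):   # step 410: keys differ
            return "full-eap"
        return "fast"                                  # step 411


def run_demo():
    # Constructed sample keys and MAC addresses (not from the page).
    mk, pmk0 = bytes(range(32)), bytes(range(32, 64))
    sta_mac = bytes.fromhex("020000000001")
    aps = {
        "B": AccessPoint("B", bytes.fromhex("0200000000bb")),
        "E": AccessPoint("E", bytes.fromhex("0200000000ee"), supports_prenegotiation=False),
    }
    server = AuthServer({"A": ["B", "E"]})
    server.register(sta_mac, mk, pmk0)
    results = {"served": server.predistribute(sta_mac, "A", aps)}
    results["to_B"] = Station(sta_mac, mk, pmk0).roam(aps["B"])
    results["to_E"] = Station(sta_mac, mk, pmk0).roam(aps["E"])
    # Station whose counter is one ahead of the RKC_AP stored at access point B.
    results["counter_mismatch"] = Station(sta_mac, mk, pmk0, rkc=1).roam(aps["B"])
    # Access point holding the right counter but a key that was not derived from MK.
    other = AccessPoint("X", bytes.fromhex("0200000000cc"))
    other.store(sta_mac, bytes(32), 1)
    results["key_mismatch"] = Station(sta_mac, mk, pmk0).roam(other)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Only the roam to access point B takes the fast path; the unsupported access point, the counter mismatch and the key mismatch all fall back to full IEEE 802.1X-EAP authentication, as steps 407, 409 and 410 require.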
In key negotiation for mobile station handoff, every key has a lifetime to ensure its security and validity. That is, as the mobile station hands off between access points, the master key for each new target access point is generated using the master key of the previous access point as a parameter; after a certain period, to ensure the security and validity of key negotiation, the authentication server needs to perform a completely new authentication and key negotiation with the mobile station through the IEEE 802.1X-EAP authentication protocol. For this purpose, the authentication server sets a master key lifetime timer that determines the effective lifetime of the key. When the authentication server's master key lifetime timer determines that the mobile station's current master key has reached the end of its lifetime, the mobile station needs to update its master key: the authentication server and the mobile station perform a completely new authentication and key negotiation through the IEEE 802.1X-EAP authentication protocol and each compute the new master key PMK'. They also update, respectively, the master key refresh counter RKC_STA stored on the mobile station and the master key refresh counter RKC_AS stored on the authentication server for this mobile station. At the same time, the authentication server updates, for each neighboring access point, the pre-distributed standby master key and the master key refresh counter RKC_AP stored on that neighboring access point; that is, the key negotiation process of the present invention is restarted.
After an access point has set up a master key refresh counter for a mobile station that may hand off to it, in order to optimize the access point's internal information, the access point may delete the master key refresh counter set up for a mobile station that has not handed off to it within a certain time or that handed off to it some time ago. For this purpose, the access point sets a standby master key lifetime timer for each standby master key, which determines the lifetime of the standby master key. If the standby master key is referenced within its lifetime, the standby master key lifetime timer restarts counting; if the standby master key is not referenced within its lifetime, the access point deletes the standby master key and its corresponding master key refresh counter.
Because the authentication server distributes the master key in advance, the present invention avoids the access point coverage requirement that existing scheme one imposes for fast handoff. Using the pre-distributed master key also removes the need to perform time-consuming IEEE 802.1X-EAP authentication during roaming, which improves roaming handoff speed. Using the master key refresh counter simplifies the step of determining whether the master keys are synchronized. At the same time, the master key is generated separately by the authentication server and the mobile station, which can provide complete forward security. Combining the master key refresh counter with the key lifetime protects the access point or mobile station, to a certain extent, against attacks using expired master keys. The present invention therefore not only improves handoff speed but also ensures system security.
Of course, the security of the master key pre-negotiation process can be further ensured by extending the authentication count information as required. In short, the method described above, which uses the master key refresh counter as the authentication count information, is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited to it; any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention.

Claims (10)

1. A key negotiation method for mobile station handover in a wireless local area network, characterized in that it comprises at least the following steps:
a. the same authentication count information and authentication key information are set in advance on the mobile station and the authentication server;
b. the authentication server calculates authentication count information and authentication key information for the neighboring access points of the mobile station's current access point, and sends said authentication count information and authentication key information to said neighboring access points;
c. the neighboring access point sets authentication count information for this mobile station, updates the access point authentication count information with the received authentication server authentication count information, and waits for the mobile station to access;
d. after determining the roaming target access point, the mobile station receives the access point authentication count information and the authentication server authentication key information from said target access point and compares them with the authentication count information and authentication key information that it generates itself according to the same rule; if they are consistent, it continues and completes session key negotiation; otherwise a master key is generated between the mobile station and the target access point through the authentication server using the IEEE 802.1X-EAP protocol, and session key negotiation is completed according to said master key.
2. The key negotiation method as claimed in claim 1, characterized in that said authentication count information is a master key refresh counter used to record the number of master key updates of each mobile station.
3. The key negotiation method as claimed in claim 2, characterized in that the generation rule of said authentication count information is: the initial value of the master key refresh counter is set to zero, and after the mobile station roams to a new access point, the value of the master key refresh counter of the authentication server and of the mobile station itself is incremented by 1.
4. The key negotiation method as claimed in claim 1, characterized in that the generation rule of said authentication key information is: with the seed key, the algorithm descriptor, the current master key, the master key refresh counter, the MAC address of the access point and the MAC address of the mobile station as parameters, the authentication key information is obtained by a pseudo-random number algorithm.
5. The key negotiation method as claimed in claim 1, characterized in that step b further comprises: after receiving the notification, sent by the mobile station's current access point, that service transmission has started, the authentication server begins to calculate the authentication count information and authentication key information for the neighboring access points of the mobile station's current access point.
6. The key negotiation method as claimed in claim 1, characterized in that step b further comprises: the authentication server determines all neighboring access points of the mobile station's current access point by querying the access point topology diagram, and notifies all neighboring access points to negotiate the master key in advance; after receiving said master key pre-negotiation request from a neighboring access point, it calculates the authentication count information and authentication key information for the neighboring access point from which the request was received.
7. The key negotiation method as claimed in claim 6, characterized in that, after receiving said notification from the authentication server, the neighboring access point determines whether it supports pre-negotiation of the master key; if so, it sends said master key pre-negotiation request to the authentication server and sets the authentication count information at the access point; otherwise it neither sends said master key pre-negotiation request to the authentication server nor sets the authentication count information at the access point.
8. The key negotiation method as claimed in claim 1, characterized in that step d further comprises: after determining the roaming target access point, the mobile station sends a connection request to said target access point, and the target access point sends the mobile station a connection response containing information on whether it supports pre-negotiation of the master key; if the target access point supports pre-negotiation of the master key, the mobile station receives the access point authentication count information and the authentication server authentication key information and compares them with the authentication count information and authentication key information that it generates itself according to the same rule; otherwise a master key is generated between the mobile station and the target access point through the authentication server using the IEEE 802.1X-EAP protocol, and session key negotiation is completed according to said master key.
9. The key negotiation method as claimed in claim 1, characterized in that the method further comprises setting an authentication key information lifetime timer at the authentication server; if the authentication key information reaches the time set by said lifetime timer, the authentication key information is regenerated between the authentication server and the mobile station, and steps b to d are executed again.
10. The key negotiation method as claimed in claim 1, characterized in that the method further comprises: when updating the authentication count information for the mobile station, the access point sets an authentication key information lifetime timer; if said authentication key information is referenced within its lifetime, the authentication key information lifetime timer restarts counting; otherwise the access point deletes the authentication key information saved for this mobile station and its corresponding authentication count information.
CN 03136355 2003-05-30 2003-05-30 Key consulting method for switching mobile station in wireless local network Expired - Fee Related CN1290362C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 03136355 CN1290362C (en) 2003-05-30 2003-05-30 Key consulting method for switching mobile station in wireless local network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 03136355 CN1290362C (en) 2003-05-30 2003-05-30 Key consulting method for switching mobile station in wireless local network

Publications (2)

Publication Number Publication Date
CN1553730A true CN1553730A (en) 2004-12-08
CN1290362C CN1290362C (en) 2006-12-13

Family

ID=34323311

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 03136355 Expired - Fee Related CN1290362C (en) 2003-05-30 2003-05-30 Key consulting method for switching mobile station in wireless local network

Country Status (1)

Country Link
CN (1) CN1290362C (en)

Also Published As

Publication number Publication date
CN1290362C (en) 2006-12-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: HUAWEI DIGITAL TECHNOLOGY CO.

Free format text: FORMER OWNER: HUAWEI TECHNOLOGY CO., LTD.

Effective date: 20081010

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20081010

Address after: No. 3, information road, Haidian District, Beijing

Patentee after: Huawei Digit Technology Co., Ltd.

Address before: Shenzhen HUAWEI service building, science and Technology Park, Guangdong

Patentee before: Huawei Technologies Co., Ltd.

CP01 Change in the name or title of a patent holder

Address after: 100085 Beijing, Haidian District on the road, No. 3

Patentee after: Beijing Huawei Digital Technology Co.,Ltd.

Address before: 100085 Beijing, Haidian District on the road, No. 3

Patentee before: Huawei Digit Technology Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20061213

Termination date: 20200530
