CN100455120C - Message safety transmitting method befor set-up of link in heterogeneous network switch-over - Google Patents


Info

Publication number
CN100455120C
Authority
CN
China
Prior art keywords
authentication, terminal, message, request, primitive
Legal status
Expired - Fee Related
Application number
CNB2005101325302A
Other languages
Chinese (zh)
Other versions
CN1852600A (en)
Inventor
周异
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNB2005101325302A
Publication of CN1852600A
Application granted
Publication of CN100455120C
Current legal status: Expired - Fee Related
Anticipated expiration


Abstract

The present invention discloses a secure message transmission method used before link establishment in heterogeneous network handover. The method comprises the following steps: a first terminal sends an encryption request to a second terminal; the second terminal sends an encryption response to the first terminal; the first terminal sends a message authentication request to the second terminal; the second terminal performs authentication according to the message authentication request and sends a message authentication response to the first terminal; the first terminal and the second terminal then transfer messages. The invention provides a negotiation mechanism for authenticating commands, events, information and so on before link establishment, so that illegal messages are blocked, and an encryption negotiation mechanism for the transfer of commands, events, information and so on before link establishment, so that messages are protected from malicious attack.

Description

Secure message transmission method before link establishment during heterogeneous network handover
Technical field
The present invention relates to heterogeneous network handover technology, and in particular to a secure message transmission method used before link establishment during heterogeneous network handover.
Background technology
Many networks with different architectures exist in current communication systems, such as 802.11, 802.16 and 3GPP (3rd Generation Partnership Project) networks. Among these heterogeneous networks, however, it is difficult to hand over and roam conveniently while guaranteeing service continuity.
For this reason the IEEE 802.21 (Media Independent Handover) protocol was created. The protocol defines a standard for optimizing handover in heterogeneous networks by providing link-layer information and other network-related information to the upper layers. It serves the requirement of performing handover between different media in software and hardware and realizing the corresponding handover mechanisms. Its goal is that a client device can automatically select the best-quality network connection type and access point when roaming between networks, achieve seamless handover without user intervention, and improve the user experience of mobile devices by supporting handover between heterogeneous networks.
The IEEE 802.21 protocol supports multiple heterogeneous networks, including IEEE 802.3, IEEE 802.11, IEEE 802.16, 3GPP and 3GPP2; it supports cooperative handover applications, and supports terminal equipment and network equipment for both mobile and fixed-line subscribers.
The IEEE 802.21 protocol defines, for an MN (Mobile Node), a framework that provides transparent service continuity when handover occurs between heterogeneous link layers; the mobility management protocol stack of the node supports handover between network elements. The mobility management protocol stack defines a set of handover-related functions and a new entity, the MIHF (Media Independent Handover Function). It defines a set of media-independent SAPs (Service Access Points) and the associated primitives for accessing the MIHF; these primitives comprise MIES (Media Independent Event Service), MICS (Media Independent Command Service) and MIIS (Media Independent Information Service). For each specific access technology it defines additional MAC (Medium Access Control) layer SAPs and associated primitives. The MIHF exchanges messages with other layers and function planes through the SAPs, as shown in Figure 1; each SAP consists of a set of primitives that specify the messages exchanged and the format of those messages, which helps to gather link-layer information and control link behaviour during handover.
The MIHF provides synchronous or asynchronous services to the layers above and below it through well-defined interfaces. The position of the MIHF and its key service network are shown in Figure 2. The MIHF sits between the upper layers (layer 3 and above, for example the session initiation protocol SIP, Mobile IPv4 (MIPv4), Mobile IPv6 (MIPv6) and the Host Identity Protocol HIP) and the lower layers (layer 2 and below, such as 802.3, 802.11, 802.16, 3GPP and 3GPP2). Link-layer events sent by the lower layers are converted by the MIHF layer into media-independent handover events and sent to the upper layers; media-independent handover commands sent by the upper layers are converted by the MIHF layer into link-layer commands and sent to the lower layers. For example, L3MP (a layer-3 mobility management protocol) can use the event, command and information services provided by MIH (Media Independent Handover) to manage, determine and control the state of physical-layer interfaces. The network structure of the MIH reference model is shown in Figure 3: a terminal with media-independent handover capability connects to four different access networks (WLAN, WiMAX, a cellular network and a wired 802.3 connection). Through the services provided by the MIH layer it can assist L3MP and other protocol layers in maintaining service continuity, adapting to changes in quality of service, managing battery life, network discovery and network selection; it helps mobile devices hand over seamlessly between heterogeneous networks and can support upper-layer protocols such as Mobile IP to guarantee continuity of handover and of sessions. The network layers of the MIH reference model are shown in Figure 4; the user terminal side and the network side hand over through media-independent means. In addition, a mobile terminal that has deployed the MIH service receives asynchronous operation instructions from the lower layers, such as the Event Service.
The MIES supports local events and remote events of the same media type. A local event propagates from the MAC or radio link to the MIH or L3MP of the local protocol stack; the local protocol stack may be located on the mobile terminal side or on a network-side access point such as an AP (Access Point) or BS (Base Station). A remote event propagates from the MIH or L3MP to the MIH or L3MP layer of the peer; remote events between different media protocol stacks are not assisted. An event may indicate a change in data-link-layer transport behaviour within medium access control or a predicted state transition, or indicate network-side management behaviour or commands. The origin of an event may be the data link layer within medium access control, the PHY or the MIHF; the destination may be the MIH of the local protocol stack and/or the MIH of a remote protocol stack. Event destinations use a dynamic registration mechanism and can register for particular events. Events can carry additional context data. Important events include: Link Up (link establishment indication event, sent by a MAC layer when the specified link interface is established and L3MP and other higher layers can send upper-layer packets), Link Down (link break indication event, sent when the specified link interface of a MAC layer breaks and no packets are being sent on that link), Link Detected (a new link has been found), Link Handover Imminent (handover is about to begin), and so on.
The media-independent command service lets users issue commands to control handover-related link behaviour; it refers to reference-model commands sent from higher layers to lower layers. These comprise commands from the higher layer to MIH (L3MP to MIH, or policy engine to MIH) and commands from MIH to its lower layers (MIH to MAC or MIH to PHY); commands can also be sent from the local MIH entity to a remote MIH entity. The commands mainly carry higher-layer decisions to the lower layers of the local and remote entities in order to control lower-layer behaviour. Important commands include: MIH Capability Discover (used to obtain the MIH capabilities of a link), MIH Poll (used by the upper layer to obtain information about currently connected or potentially available links), MIH Switch (used by the upper layer to switch an active session from one link to another), MIH Configure (initiated by the upper layer to control the behaviour of the lower layers), MIH Scan (used by the upper layer to discover neighbouring POA information), and so on.
The media-independent information service mainly provides a set of information elements, the structure of queries/requests and the message transport mechanism. Information can be stored in the MIHF entity or in an information server that the MIHF can access. Network information service capabilities can be accessed in a specific format whose structure and definition can be expressed in a high-level language such as XML. The information service can be accessed for static information such as neighbour information reports, which help with network discovery; it can also provide dynamic information to optimize link-layer connections between different networks, including link-layer parameters such as channel information, MAC addresses and security information. Important information elements include: Data_Rates (data rate), Location_LatLong (geographical position of the POA as latitude/longitude coordinates), Networks_supported (network types supported by the POA, such as 802.3, 802.11a, 802.11b, 802.11g, 802.16a, 802.16d, 802.16e, GSM, GPRS, W-CDMA, CDMA2000, etc.), Quality_of_Service (QoS parameters), and so on.
A single type of network in the prior art, such as 802.11, can only guarantee that frames sent after the STA and AP have successfully associated are secure. 802.11 therefore divides frame transmission into three levels: State 1 is Unauthenticated, Unassociated; State 2 is Authenticated, Unassociated; State 3 is Authenticated, Associated. Class 1 frames may be transmitted in State 1, State 2 and State 3; Class 2 frames only in State 2 and State 3; Class 3 frames only in State 3. As a result of this classification, frames sent before association receive no security protection; for example, the Beacon frame in Class 1 is sent before association and is itself broadcast.
In current 802.21, since handover completes after successful association, the security mechanism for message transmission on a concrete link is determined by the concrete protocol that link uses; on an 802.11 link, for instance, secure message transmission is guaranteed by the security protocols within 802.11. Consequently message transmission can only be guaranteed to be secure after the STA (Station) and the POA (Point of Attachment) have successfully associated. However, 802.21 concerns handover between heterogeneous networks, in which many commands, events and information items must be sent before association, and the transmission of event, command and information messages before the STA and POA associate cannot be guaranteed to be secure; they may, for example, be intercepted and modified in transit.
In addition, because the handover association process is currently always initiated by the terminal, the current protocol only defines the STA authenticating to the POA and does not consider that the POA may also send authentication messages to the STA; the authentication commands proposed so far are therefore all unidirectional. Yet in 802.21 the transfer mechanisms for command, event and information messages are all bidirectional.
Summary of the invention
The problem solved by the present invention is to provide a secure message transmission method before link establishment in heterogeneous network handover, addressing the defect of the prior art that the transmission of event, command and information messages before the STA and POA associate cannot all be guaranteed to be secure.
To solve the above problem, the invention provides a secure message transmission method before link establishment in heterogeneous network handover, comprising the following steps:
A. A first terminal sends an encryption request to a second terminal by means of an encryption negotiation primitive based on the IEEE 802.21 protocol;
B. The second terminal sends an encryption response to the first terminal by means of an encryption negotiation primitive based on the IEEE 802.21 protocol;
C. The first terminal sends a message authentication request to the second terminal by means of a message authentication negotiation primitive based on the IEEE 802.21 protocol;
D. The second terminal performs authentication according to the message authentication request, and sends a message authentication response to the first terminal by means of a message authentication negotiation primitive based on the IEEE 802.21 protocol;
E. The first terminal and the second terminal transfer messages.
The encryption negotiation primitives comprise an encryption negotiation request primitive and an encryption negotiation response primitive.
The encryption negotiation request primitive comprises: request originating end identifier, request receiving end identifier, action flag and encryption method flag.
The encryption negotiation response primitive comprises: response originating end identifier, response receiving end identifier, result code, result action, result encryption method and supported encryption methods.
In step B, the encryption response sent by the second terminal to the first terminal includes the encryption protocol types that the second terminal itself supports.
The message authentication comprises command authentication, event authentication and information authentication.
Command authentication is realised by command-class message authentication negotiation primitives; event authentication is realised by event-class authentication negotiation primitives; information authentication is realised by information-class message authentication negotiation primitives.
The command-class message authentication negotiation primitives comprise: command-class authentication negotiation request, command-class authentication negotiation confirm, command-class de-authentication negotiation request and command-class de-authentication negotiation confirm.
The command-class authentication negotiation request comprises: request originating end identifier, request receiving end identifier, command type and filter parameters;
The command-class authentication negotiation confirm comprises: response originating end identifier, response receiving end identifier and result code;
The command-class de-authentication negotiation request comprises: request originating end identifier, request receiving end identifier, command type and filter parameters;
The command-class de-authentication negotiation confirm comprises: response originating end identifier, response receiving end identifier and result code.
The event-class message authentication negotiation primitives comprise: event-class authentication negotiation request, event-class authentication negotiation confirm, event-class de-authentication negotiation request and event-class de-authentication negotiation confirm.
The event-class authentication negotiation request comprises: request originating end identifier, request receiving end identifier, event type and filter parameters;
The event-class authentication negotiation confirm comprises: response originating end identifier, response receiving end identifier and result code;
The event-class de-authentication negotiation request comprises: request originating end identifier, request receiving end identifier, event type and filter parameters;
The event-class de-authentication negotiation confirm comprises: response originating end identifier, response receiving end identifier and result code.
The information-class message authentication negotiation primitives comprise: information-class authentication negotiation request, information-class authentication negotiation confirm, information-class de-authentication negotiation request and information-class de-authentication negotiation confirm.
The information-class authentication negotiation request comprises: request originating end identifier, request receiving end identifier, information type and filter parameters;
The information-class authentication negotiation confirm comprises: response originating end identifier, response receiving end identifier and result code;
The information-class de-authentication negotiation request comprises: request originating end identifier, request receiving end identifier, information type and filter parameters;
The information-class de-authentication negotiation confirm comprises: response originating end identifier, response receiving end identifier and result code.
In step D, after authentication succeeds, the terminal records that this message has passed authentication.
The first terminal is a station and the second terminal is a point of attachment; or the first terminal is a point of attachment and the second terminal is a station. Both the encryption negotiation and the authentication negotiation are bidirectional: the station and the point of attachment can each initiate and respond. When the station initiates and the point of attachment responds, the state information is kept at the station; when the point of attachment initiates and the station responds, the state information is kept at the point of attachment.
The present invention also provides a secure message transmission method before link establishment in heterogeneous network handover, comprising the following steps:
A. The first terminal sends a message authentication request to the second terminal by means of a message authentication negotiation primitive based on the IEEE 802.21 protocol;
B. The second terminal performs authentication according to the message authentication request, and sends a message authentication response to the first terminal by means of a message authentication negotiation primitive based on the IEEE 802.21 protocol;
C. The first terminal and the second terminal transfer messages.
The message authentication comprises command authentication, event authentication and information authentication.
Command authentication is realised by command-class message authentication negotiation primitives; event authentication is realised by event-class authentication negotiation primitives; information authentication is realised by information-class message authentication negotiation primitives.
The present invention further provides a secure message transmission method before link establishment in heterogeneous network handover, comprising the following steps:
(1) A first terminal sends an encryption request to a second terminal by means of an encryption negotiation primitive based on the IEEE 802.21 protocol; the encryption request includes the encryption protocol type;
(2) The second terminal encrypts messages according to the encryption protocol type, and sends an encryption response to the first terminal by means of an encryption negotiation primitive based on the IEEE 802.21 protocol;
(3) The first terminal and the second terminal transfer messages.
The encryption negotiation primitives comprise an encryption negotiation request primitive and an encryption negotiation response primitive.
The encryption negotiation request primitive comprises: request originating end identifier, request receiving end identifier, action flag and encryption method flag.
The encryption negotiation response primitive comprises: response originating end identifier, response receiving end identifier, result code, result action, result encryption method and supported encryption methods.
Compared with the prior art, the present invention has the following advantages:
The invention provides message authentication negotiation mechanisms for commands, events, information and so on before link establishment, which block illegal messages; and its encryption negotiation mechanism for the transfer of commands, events, information and so on before link establishment prevents messages from being maliciously attacked.
Further, the security negotiation mechanism proposed by the present invention is a bidirectional process: the STA can send messages to the POA and the POA can also send messages to the STA, so the initiation/response of encryption negotiation and the initiation/response of authentication should both be bidirectional; that is, encryption negotiation and authentication can be initiated either by the STA or by the POA. Bidirectional here means that both the STA and the POA can initiate with respect to security.
Further, through authentication and encryption negotiation the present invention does not merely retain information about the STA on the POA side; the STA also retains information about the POA at the same time, so that a secure transmission mechanism can likewise be provided, through authentication and encryption negotiation, for command, event and information messages sent from the POA to the STA.
Description of drawings
Fig. 1 is a hierarchical diagram of a heterogeneous network in the prior art.
Fig. 2 shows the position of the MIHF and its key service network.
Fig. 3 is a network structure diagram of the MIH reference model.
Fig. 4 is a network layer diagram of the MIH reference model.
Fig. 5 is a flow chart of a preferred embodiment of the present invention.
Fig. 6 is a flow chart of a typical preferred embodiment of the present invention.
Fig. 7 is a flow chart of another preferred embodiment of the present invention.
Fig. 8 is a flow chart of another preferred embodiment of the present invention.
Embodiment
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings.
The flow of a preferred embodiment of the secure message transmission method before link establishment in heterogeneous network handover according to the present invention is shown in Figure 5 and comprises the following steps:
Step s101: the first terminal sends an encryption request to the second terminal. The encryption request may include the encryption protocol type.
Step s102: the second terminal sends an encryption response to the first terminal, and the first terminal makes a decision according to the encryption response. For example, the first terminal may send the encryption type it requests to the second terminal; if the second terminal does not support the encryption type requested by the first terminal, it notifies the first terminal that encryption cannot be realised and notifies it of the encryption protocol types that it can support.
Step s103: the first terminal sends a message authentication request to the second terminal. Before association, when the first terminal (STA or POA) wants to send a command, event or information message to the second terminal (POA or STA), it must first send the corresponding authentication primitive to the other side; only messages that have been negotiated through authentication are approved by the other side, otherwise they are dropped. Introducing this authentication mechanism also solves the problem of attacks by illegal messages.
Step s104: the second terminal performs authentication according to the message authentication request and sends a message authentication response to the first terminal. If authentication fails, the first terminal is notified; if authentication succeeds, proceed to step s105.
Step s105: the first terminal and the second terminal transfer messages.
In steps s101 and s102, the first terminal and the second terminal negotiate the encryption of message transfer through the encryption negotiation primitives. These comprise the encryption negotiation request primitive Encrypt.request (SourceIdentifier, DestinationIdentifier, Action, EncryptMethod) and the encryption negotiation response primitive Encrypt.response (SourceIdentifier, DestinationIdentifier, ResultCode, ResultAction, ResultEncryptMethod, SupportedEncryptMethod). The encryption negotiation request primitive comprises: request originating end identifier SourceIdentifier, request receiving end identifier DestinationIdentifier, action flag Action and encryption method flag EncryptMethod. Action takes the value ON/OFF, indicating whether or not an encryption algorithm is to be used; EncryptMethod indicates the encryption algorithm the sender wishes to use.
The encryption negotiation response primitive comprises: response originating end identifier SourceIdentifier, response receiving end identifier DestinationIdentifier, result code ResultCode, result action ResultAction, result encryption method ResultEncryptMethod and supported encryption methods SupportedEncryptMethod. ResultCode indicates whether the peer's negotiation request is agreed to; ResultAction indicates whether or not an encryption algorithm is adopted; ResultEncryptMethod indicates which of the encryption algorithms proposed in Encrypt.request is adopted; SupportedEncryptMethod indicates which encryption algorithms the peer supports.
The message authentication in step s104 comprises command authentication, event authentication and information authentication. Command authentication is realised by the command-class message authentication negotiation primitives; event authentication is realised by the event-class authentication negotiation primitives; information authentication is realised by the information-class message authentication negotiation primitives.
The command-class message authentication negotiation primitives comprise: the command-class authentication negotiation request Command_AUTHENTICATE.request (SourceIdentifier, DestinationIdentifier, CommandType, FilterParameters), the command-class authentication negotiation confirm Command_AUTHENTICATE.confirm (SourceIdentifier, DestinationIdentifier, ResultCode), the command-class de-authentication negotiation request Command_DEAUTHENTICATE.request (SourceIdentifier, DestinationIdentifier, CommandType, FilterParameters) and the command-class de-authentication negotiation confirm Command_DEAUTHENTICATE.confirm (SourceIdentifier, DestinationIdentifier, ResultCode). The command-class authentication negotiation request comprises: request originating end identifier SourceIdentifier, request receiving end identifier DestinationIdentifier, command type CommandType (such as MIH command, L2 layer command, or ALL, meaning that all types of command are authenticated at once) and filter parameters FilterParameters, which can specify exactly which commands pass authentication. The command-class authentication negotiation confirm comprises: response originating end identifier SourceIdentifier, response receiving end identifier DestinationIdentifier and result code ResultCode, which indicates whether the peer's authentication negotiation request is agreed to and, in case of refusal, can explain the reason. The command-class de-authentication negotiation request comprises: request originating end identifier SourceIdentifier, request receiving end identifier DestinationIdentifier, command type CommandType (such as MIH command, L2 layer command, or ALL, meaning that all types of command are de-authenticated at once) and filter parameters FilterParameters, which can specify exactly which commands are de-authenticated. The command-class de-authentication negotiation confirm comprises: response originating end identifier SourceIdentifier, response receiving end identifier DestinationIdentifier and result code ResultCode, which indicates whether the peer's request to de-authenticate previously authenticated commands is agreed to and, in case of refusal, can explain the reason.
The event-class message authentication negotiation primitives comprise: the event-class authentication negotiation request Event_AUTHENTICATE.request (SourceIdentifier, DestinationIdentifier, EventType, FilterParameters), the event-class authentication negotiation confirm Event_AUTHENTICATE.confirm (SourceIdentifier, DestinationIdentifier, ResultCode), the event-class de-authentication negotiation request Event_DEAUTHENTICATE.request (SourceIdentifier, DestinationIdentifier, EventType, FilterParameters) and the event-class de-authentication negotiation confirm Event_DEAUTHENTICATE.confirm (SourceIdentifier, DestinationIdentifier, ResultCode). The event-class authentication negotiation request comprises: request originating end identifier SourceIdentifier, request receiving end identifier DestinationIdentifier, event type EventType (such as MIH event, L2 layer event, or ALL, meaning that all types of event are authenticated at once) and filter parameters FilterParameters, which can specify exactly which events pass authentication. The event-class authentication negotiation confirm comprises: response originating end identifier SourceIdentifier, response receiving end identifier DestinationIdentifier and result code ResultCode, which indicates whether the peer's authentication negotiation request is agreed to and, in case of refusal, can explain the reason. The event-class de-authentication negotiation request comprises: request originating end identifier SourceIdentifier, request receiving end identifier DestinationIdentifier, event type EventType (such as MIH event, L2 layer event, or ALL, meaning that all types of event are de-authenticated at once) and filter parameters FilterParameters, which can specify exactly which events are de-authenticated. The event-class de-authentication negotiation confirm comprises: response originating end identifier SourceIdentifier, response receiving end identifier DestinationIdentifier and result code ResultCode, which indicates whether the peer's request to de-authenticate previously authenticated events is agreed to and, in case of refusal, can explain the reason.
The information-class message authentication negotiation primitives comprise: the information-class authentication negotiation request Information_AUTHENTICATE.request (SourceIdentifier, DestinationIdentifier, InformationType, FilterParameters), the information-class authentication negotiation confirm Information_AUTHENTICATE.confirm (SourceIdentifier, DestinationIdentifier, ResultCode), the information-class de-authentication negotiation request Information_DEAUTHENTICATE.request (SourceIdentifier, DestinationIdentifier, InformationType, FilterParameters) and the information-class de-authentication negotiation confirm Information_DEAUTHENTICATE.confirm (SourceIdentifier, DestinationIdentifier, ResultCode).
The information-class authentication negotiation request comprises: request originating end identifier SourceIdentifier, request receiving end identifier DestinationIdentifier, information type InformationType (such as MIH information, L2 layer information, or ALL, meaning that all types of information are authenticated at once) and filter parameters FilterParameters, which can specify exactly which information passes authentication.
The information-class authentication negotiation confirm comprises: response originating end identifier SourceIdentifier, response receiving end identifier DestinationIdentifier and result code ResultCode, which indicates whether the peer's authentication negotiation request is agreed to and, in case of refusal, can explain the reason.
Info class is nullified the authentication negotiation request packet and is drawn together: request initiating terminal through taking identifier SourceIdentifier, request receiving terminal identifier DestinationIdentifier, information type InformationType, the information type of authentication is nullified in definition, as MIH information, L2 layer information or ALL, expression to all types of information all nullify simultaneously, filter parameter FilterPamaters, can specifically specify which information of nullifying.
Info class is nullified authentication and is consulted to confirm to comprise: response originating end identifier SourceIdentifier, response receiving terminal identifier DestinationIdentifier, result code ResultCode, whether expression agrees to nullify the other side's the information by authenticating, if refusal can explain the reason.
Another fairly typical example, shown in Figure 6, illustrates how the newly added security mechanism secures message transmission before link establishment:
(1) The STA and the POA negotiate encryption of message transmission through the Encrypt.request and Encrypt.response primitives: the STA sends the Encrypt.request (STAMac, POAMac, ON, WEP) primitive, asking the POA to use the WEP encryption protocol for message transmission; the POA returns Encrypt.response (POAMac, STAMac, Success, ON, WEP, WEPTKIPCCMP), indicating that it agrees to use the WEP encryption protocol and at the same time telling the STA that it supports the WEP, TKIP and CCMP encryption protocols.
(2) The STA sends the Event_AUTHENTICATE.request (STAMac, POAMac, MIH Event, Link_Up) primitive, asking the POA to authenticate the Link_Up event; the POA returns Event_AUTHENTICATE.confirm (POAMac, STAMac, Success), agreeing to authenticate the Link_Up event, and can record in its own state machine that the Link_Up event has passed authentication.
(3) The STA sends the Command_AUTHENTICATE.request (STAMac, POAMac, MIH_Command, Link_Event_Register) primitive, asking the POA to authenticate the Link_Event_Register command; the POA returns Command_AUTHENTICATE.confirm (POAMac, STAMac, Success), indicating that the Link_Event_Register command has passed authentication, and can record in its own state machine that the Link_Event_Register command has passed authentication.
(4) The STA and the POA can then complete registration of the Link_Up event with Link_Event_Register.request (EventSource, Link_Up) and Link_Event_Register.confirm (EventSource, Link_Up).
(5) The STA can send the Information_AUTHENTICATE.request (STAMac, POAMac, MIH_Information, MIH_Info) primitive, asking the POA to authenticate retrieval of MIH_Info information; the POA returns Information_AUTHENTICATE.confirm (POAMac, STAMac, Success), indicating that retrieval of MIH_Info information has passed authentication, and can record in its own state machine that retrieval of MIH_Info information has passed authentication.
(6) The STA and the POA obtain the relevant handover decision information with MIH_Info.request and MIH_Info.response.
(7) The POA can send the Command_AUTHENTICATE.request (POAMac, MIH_Command, MIH_Handover_Initiate) primitive, asking the STA to authenticate the MIH_Handover_Initiate command; the STA indicates that the MIH_Handover_Initiate command has passed authentication by returning the Command_AUTHENTICATE.confirm (STAMac, Success) primitive, and can record in its own state machine that the MIH_Handover_Initiate command has passed authentication.
(8) Having weighed the decision information obtained and chosen which handover decision to adopt, the POA sends the MIH_Handover_Initiate command to ask the STA to begin the handover (this is the case where the handover decision is initiated on the network side).
(9) Once the new link is established, the Link_Up event can be triggered and the POA notifies the STA.
This example not only describes completely the flow of the newly added security assurance mechanism for message transmission before link establishment, but also shows clearly that the bidirectionality problem of the messages used in heterogeneous network handover has been solved.
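The following Python simulation is an added illustration of the primitives defined in the preceding paragraphs and of the Figure 6 exchange; it is example code written for this page, not code from the patent or from Huawei. The primitive and parameter names follow the text (Encrypt.request/.response with an action and a mode, Class_AUTHENTICATE and Class_DEAUTHENTICATE request/confirm with a type and FilterParameters, ResultCode in every answer); the Python classes, the dictionary keys, the rule that a received message is delivered only when it arrives under the negotiated mode and was authenticated by that peer, and the second terminal identifier APMac2 are assumptions made for this illustration. It goes slightly beyond the page by also exercising a DEAUTHENTICATE request with type ALL and an Encrypt.request for a mode the responder does not support.

```python
"""Simulation of the pre-link negotiation described in CN100455120C (Figure 6).

Added example, not code from the patent: primitive and parameter names follow
the text; the classes, dictionary keys and the gating rule in Terminal.accepts
are assumptions made for this illustration.
"""
from dataclasses import dataclass

ALL = "ALL"  # type value meaning "every type within this message class"


@dataclass
class Primitive:
    name: str     # e.g. "Event_AUTHENTICATE.request"
    source: str   # SourceIdentifier (MAC addresses in the example)
    dest: str     # DestinationIdentifier
    params: dict  # the remaining primitive parameters


class Terminal:
    """One side (STA or POA). Each terminal keeps its own state machine:
    the cipher in force and which messages each peer has authenticated."""

    def __init__(self, ident, supported_modes):
        self.ident = ident
        self.supported = list(supported_modes)
        self.mode = None  # negotiated primitive mode; None means encryption OFF
        self.auth = {}    # (peer, message class) -> set of granted types/names

    # ---- initiator side --------------------------------------------------
    def negotiate(self, peer, name, **params):
        """Send a request primitive to `peer` and apply its answer locally."""
        reply = peer.handle(Primitive(name, self.ident, peer.ident, params))
        if name == "Encrypt.request" and reply.params["ResultCode"] == "Success":
            self.mode = reply.params["ResultMode"]  # initiator keeps the state too
        return reply

    # ---- responder side --------------------------------------------------
    def handle(self, req):
        kind = req.name.split(".")[0]  # "Encrypt" or e.g. "Event_AUTHENTICATE"
        if req.dest != self.ident:
            return self._reply(kind, req, "Failure", Reason="wrong destination")
        if kind == "Encrypt":
            return self._handle_encrypt(req)
        cls, op = kind.split("_")
        return self._handle_auth(req, cls, op)

    def _reply(self, kind, req, code, **extra):
        suffix = ".response" if kind == "Encrypt" else ".confirm"
        return Primitive(kind + suffix, self.ident, req.source,
                         {"ResultCode": code, **extra})

    def _handle_encrypt(self, req):
        action, mode = req.params["Action"], req.params["Mode"]
        if action == "ON" and mode not in self.supported:
            # refuse, but tell the peer which modes would be acceptable
            return self._reply("Encrypt", req, "Failure", ResultAction="OFF",
                               ResultMode=None, SupportedModes=self.supported)
        self.mode = mode if action == "ON" else None
        return self._reply("Encrypt", req, "Success", ResultAction=action,
                           ResultMode=self.mode, SupportedModes=self.supported)

    def _handle_auth(self, req, cls, op):
        kind = f"{cls}_{op}"
        granted = self.auth.setdefault((req.source, cls), set())
        mtype = req.params["Type"]       # e.g. "MIH_Event", or ALL
        filt = req.params.get("Filter")  # FilterParameters: specific names
        names = set(filt) if filt else {mtype}
        if op == "AUTHENTICATE":
            granted.update(names)        # record: these passed authentication
        elif op == "DEAUTHENTICATE":
            if mtype == ALL and not filt:
                granted.clear()          # withdraw everything in this class
            else:
                granted.difference_update(names)
        else:
            return self._reply(kind, req, "Failure", Reason="unknown operation")
        return self._reply(kind, req, "Success")

    # ---- receiver side ---------------------------------------------------
    def accepts(self, peer, cls, mtype, name, mode):
        """Deliver a command/event/information message only if it arrives
        under the negotiated mode and was authenticated by that peer."""
        if mode != self.mode:
            return False
        granted = self.auth.get((peer, cls), set())
        return bool(granted & {ALL, mtype, name})


def run_figure6():
    """Steps (1), (2), (3), (5) and (7) of the example above. Returns both
    terminals and the replies so the resulting state can be inspected."""
    sta = Terminal("STAMac", ["WEP"])
    poa = Terminal("POAMac", ["WEP", "TKIP", "CCMP"])
    replies = [
        sta.negotiate(poa, "Encrypt.request", Action="ON", Mode="WEP"),  # (1)
        sta.negotiate(poa, "Event_AUTHENTICATE.request",                 # (2)
                      Type="MIH_Event", Filter=["Link_Up"]),
        sta.negotiate(poa, "Command_AUTHENTICATE.request",               # (3)
                      Type="MIH_Command", Filter=["Link_Event_Register"]),
        sta.negotiate(poa, "Information_AUTHENTICATE.request",           # (5)
                      Type="MIH_Information", Filter=["MIH_Info"]),
        poa.negotiate(sta, "Command_AUTHENTICATE.request",               # (7)
                      Type="MIH_Command", Filter=["MIH_Handover_Initiate"]),
    ]
    return sta, poa, replies


if __name__ == "__main__":
    sta, poa, replies = run_figure6()
    for r in replies:
        print(r.name, r.source, "->", r.dest, r.params["ResultCode"])
```

Each terminal keeps a per-peer, per-class grant set, so the exchange is bidirectional: the POA records what the STA authenticated and the STA records what the POA authenticated, matching step (7), where the roles swap. A message whose name or type was never authenticated, or that arrives outside the negotiated mode, is simply not delivered.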
The present invention provides a message security transmission method before link establishment in heterogeneous network handover which, as shown in Figure 7, comprises the following steps:
Step s201: the first terminal sends a message authentication request to the second terminal. Message authentication comprises command authentication, event authentication and information authentication; command authentication is performed through the command-class message authentication negotiation primitives, event authentication through the event-class authentication negotiation primitives, and information authentication through the information-class message authentication negotiation primitives.
Step s202: the second terminal authenticates according to the message authentication request and sends a message authentication response to the first terminal.
Step s203: the first terminal and the second terminal carry out message transmission.
The present invention also provides a message security transmission method before link establishment in heterogeneous network handover which, as shown in Figure 8, comprises the following steps:
Step s301: the first terminal sends an encryption request to the second terminal, the encryption request containing the encryption protocol type. The first terminal and the second terminal negotiate encryption of message transmission through encryption negotiation primitives, which comprise an encryption negotiation request primitive and an encryption negotiation response primitive. The encryption negotiation request primitive comprises: request originating-end identifier, request receiving-end identifier, action symbol and primitive mode symbol. The encryption negotiation response primitive comprises: response originating-end identifier, response receiving-end identifier, result code, result action, result primitive mode and supported primitive mode.
Step s302: the second terminal encrypts messages according to the encryption protocol type and sends an encryption response to the first terminal.
Step s303: the first terminal and the second terminal carry out message transmission.
The above is only a preferred embodiment of the present invention; it should be pointed out that a person skilled in the art can make further improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (22)

1. A message security transmission method before link establishment in heterogeneous network handover, characterized by comprising the following steps:
A. a first terminal sends an encryption request to a second terminal through an encryption negotiation primitive based on the IEEE 802.21 protocol;
B. the second terminal sends an encryption response to the first terminal through an encryption negotiation primitive based on the IEEE 802.21 protocol;
C. the first terminal sends a message authentication request to the second terminal through a message authentication negotiation primitive based on the IEEE 802.21 protocol;
D. the second terminal authenticates according to the message authentication request and sends a message authentication response to the first terminal through a message authentication negotiation primitive based on the IEEE 802.21 protocol;
E. the first terminal and the second terminal carry out message transmission.
2. The message security transmission method before link establishment in heterogeneous network handover according to claim 1, characterized in that the encryption negotiation primitives comprise: an encryption negotiation request primitive and an encryption negotiation response primitive.
3. The message security transmission method before link establishment in heterogeneous network handover according to claim 2, characterized in that the encryption negotiation request primitive comprises: request originating-end identifier, request receiving-end identifier, action symbol and primitive mode symbol.
4. The message security transmission method before link establishment in heterogeneous network handover according to claim 2, characterized in that the encryption negotiation response primitive comprises: response originating-end identifier, response receiving-end identifier, result code, result action, result primitive mode and supported primitive mode.
5. The message security transmission method before link establishment in heterogeneous network handover according to claim 1, characterized in that, in step B, the second terminal includes the encryption protocol types it supports in the encryption response sent to the first terminal.
6. The message security transmission method before link establishment in heterogeneous network handover according to claim 1, characterized in that the message authentication comprises: command authentication, event authentication and information authentication.
7. The message security transmission method before link establishment in heterogeneous network handover according to claim 6, characterized in that the command authentication is performed through command-class message authentication negotiation primitives; the event authentication is performed through event-class authentication negotiation primitives; the information authentication is performed through information-class message authentication negotiation primitives.
8. The message security transmission method before link establishment in heterogeneous network handover according to claim 7, characterized in that the command-class message authentication negotiation primitives comprise: command-class authentication negotiation request, command-class authentication negotiation confirm, command-class deauthentication negotiation request and command-class deauthentication negotiation confirm.
9. The message security transmission method before link establishment in heterogeneous network handover according to claim 8, characterized in that the command-class authentication negotiation request comprises: request originating-end identifier, request receiving-end identifier, command type and filter parameter;
the command-class authentication negotiation confirm comprises: response originating-end identifier, response receiving-end identifier and result code;
the command-class deauthentication negotiation request comprises: request originating-end identifier, request receiving-end identifier, command type and filter parameter;
the command-class deauthentication negotiation confirm comprises: response originating-end identifier, response receiving-end identifier and result code.
10. The message security transmission method before link establishment in heterogeneous network handover according to claim 7, characterized in that the event-class message authentication negotiation primitives comprise: event-class authentication negotiation request, event-class authentication negotiation confirm, event-class deauthentication negotiation request and event-class deauthentication negotiation confirm.
11. The message security transmission method before link establishment in heterogeneous network handover according to claim 10, characterized in that the event-class authentication negotiation request comprises: request originating-end identifier, request receiving-end identifier, event type and filter parameter;
the event-class authentication negotiation confirm comprises: response originating-end identifier, response receiving-end identifier and result code;
the event-class deauthentication negotiation request comprises: request originating-end identifier, request receiving-end identifier, event type and filter parameter;
the event-class deauthentication negotiation confirm comprises: response originating-end identifier, response receiving-end identifier and result code.
12. The message security transmission method before link establishment in heterogeneous network handover according to claim 7, characterized in that the information-class message authentication negotiation primitives comprise: information-class authentication negotiation request, information-class authentication negotiation confirm, information-class deauthentication negotiation request and information-class deauthentication negotiation confirm.
13. The message security transmission method before link establishment in heterogeneous network handover according to claim 12, characterized in that the information-class authentication negotiation request comprises: request originating-end identifier, request receiving-end identifier, information type and filter parameter;
the information-class authentication negotiation confirm comprises: response originating-end identifier, response receiving-end identifier and result code;
the information-class deauthentication negotiation request comprises: request originating-end identifier, request receiving-end identifier, information type and filter parameter;
the information-class deauthentication negotiation confirm comprises: response originating-end identifier, response receiving-end identifier and result code.
14. The message security transmission method before link establishment in heterogeneous network handover according to claim 1, characterized in that, in step D, after the authentication, the terminal records that this message has passed authentication.
15. The message security transmission method before link establishment in heterogeneous network handover according to claim 1, characterized in that the first terminal is a station and the second terminal is a point of attachment, or the first terminal is a point of attachment and the second terminal is a station; wherein the encryption and authentication negotiations are all bidirectional, the station and the point of attachment can both initiate and respond, and when the station initiates and the point of attachment responds the state information is kept at the station, while when the point of attachment initiates and the station responds the state information is kept at the point of attachment.
16. A message security transmission method before link establishment in heterogeneous network handover, characterized by comprising the following steps:
A. a first terminal sends a message authentication request to a second terminal through a message authentication negotiation primitive based on the IEEE 802.21 protocol;
B. the second terminal authenticates according to the message authentication request and sends a message authentication response to the first terminal through a message authentication negotiation primitive based on the IEEE 802.21 protocol;
C. the first terminal and the second terminal carry out message transmission.
17. The message security transmission method before link establishment in heterogeneous network handover according to claim 16, characterized in that the message authentication comprises: command authentication, event authentication and information authentication.
18. The message security transmission method before link establishment in heterogeneous network handover according to claim 17, characterized in that the command authentication is performed through command-class message authentication negotiation primitives; the event authentication is performed through event-class authentication negotiation primitives; the information authentication is performed through information-class message authentication negotiation primitives.
19. A message security transmission method before link establishment in heterogeneous network handover, characterized by comprising the following steps:
(1) a first terminal sends an encryption request to a second terminal through an encryption negotiation primitive based on the IEEE 802.21 protocol, the encryption request containing the encryption protocol type;
(2) the second terminal encrypts messages according to the encryption protocol type and sends an encryption response to the first terminal through an encryption negotiation primitive based on the IEEE 802.21 protocol;
(3) the first terminal and the second terminal carry out message transmission.
20. The message security transmission method before link establishment in heterogeneous network handover according to claim 19, characterized in that the encryption negotiation primitives comprise: an encryption negotiation request primitive and an encryption negotiation response primitive.
21. The message security transmission method before link establishment in heterogeneous network handover according to claim 20, characterized in that the encryption negotiation request primitive comprises: request originating-end identifier, request receiving-end identifier, action symbol and primitive mode symbol.
22. The message security transmission method before link establishment in heterogeneous network handover according to claim 21, characterized in that the encryption negotiation response primitive comprises: response originating-end identifier, response receiving-end identifier, result code, result action, result primitive mode and supported primitive mode.
CNB2005101325302A 2005-12-26 2005-12-26 Message safety transmitting method befor set-up of link in heterogeneous network switch-over Expired - Fee Related CN100455120C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005101325302A CN100455120C (en) 2005-12-26 2005-12-26 Message safety transmitting method befor set-up of link in heterogeneous network switch-over

Publications (2)

Publication Number Publication Date
CN1852600A CN1852600A (en) 2006-10-25
CN100455120C true CN100455120C (en) 2009-01-21

Family

ID=37134063

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101600200B (en) * 2008-06-02 2012-10-17 华为技术有限公司 Method for switching among heterogeneous networks, mobile node and authentication access point
CN101303720B (en) * 2008-06-25 2011-05-18 华为终端有限公司 Built-in equipment, method and system for protecting encipherment of built-in equipment software
CN102026190B (en) * 2011-01-05 2013-06-12 西安电子科技大学 Rapid and safe heterogeneous wireless network switching method
CN114051244A (en) * 2021-11-10 2022-02-15 杭州萤石软件有限公司 Authentication method and system between terminal side equipment and network side equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004034637A1 (en) * 2002-10-09 2004-04-22 Zte Corporation A method and system of teleservice interworking of broadband heterogeneous networks
CN1652499A (en) * 2004-02-07 2005-08-10 华为技术有限公司 Method for implementing information transmission
CN1668005A (en) * 2005-02-21 2005-09-14 西安西电捷通无线网络通信有限公司 An access authentication method suitable for wired and wireless network

Also Published As

Publication number Publication date
CN1852600A (en) 2006-10-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090121