CN100586067C - Identity authentication method with compatible 802.11i and WAPI - Google Patents


Publication number: CN100586067C
Authority: CN (China)
Prior art keywords: message, mobile radio, radio station, wapi, eap
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN200610105243A
Other languages: Chinese (zh)
Other versions: CN101013940A
Inventors: 李兴华, 马建峰, 曹春杰, 杨力, 杨超, 沈玉龙
Current assignee: Xidian University (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Xidian University
Events: application filed by Xidian University; priority to CN200610105243A; publication of CN101013940A; application granted; publication of CN100586067C; legal status Expired - Fee Related; anticipated expiration

Abstract

The invention discloses an identity authentication method compatible with both 802.11i and WAPI, comprising the following steps: the mobile station STA sends an Extensible Authentication Protocol EAP start message to the access point AP, and the AP sends a timestamp request message to the STA; if the STA supports WAPI, it returns a response carrying its identity and access request time, which the AP signs and forwards to the authentication service unit ASU in an access request message; if the ASU supports WAPI, it performs WAPI key negotiation with the STA and then sends an EAP-Success and key delivery message to the AP; if either the STA or the ASU does not support WAPI, 802.11i authentication is performed instead; finally the STA and the AP run the four-way handshake protocol.

Description

An identity authentication method compatible with 802.11i and WAPI
Technical field
The invention belongs to the field of wireless communication technology and relates to the security technology of wireless local area networks (WLAN). It addresses the incompatibility between the international WLAN security standard 802.11i and the Chinese WLAN security standard WAPI by proposing an authentication scheme compatible with both, so as to solve the authentication and key agreement problems that foreign wireless products face when entering the Chinese market.
Background technology
With the rapid development and popularization of wireless local area networks (WLAN), their security problems attract more and more attention. The IEEE 802.11 working group developed a new-generation security standard known as 802.11i, which strengthens the data encryption and authentication capabilities of WLANs and makes many improvements to the defects of the earlier encryption mechanism WEP. The standard was approved in June 2004 and is used as the standard security solution in wireless local area networks.
To solve the security problems of wireless local area networks, China also released its own WLAN standard GB 15629.11 in 2003. Its security mechanism WAPI consists of two modules, the WLAN authentication infrastructure WAI and the WLAN privacy infrastructure WPI, which implement user identity authentication and encryption of transmitted data respectively. In 2004 the broadband wireless IP standard working group of the national information technology standardization technical committee issued the implementation guide for this national standard, which corrected security defects in the original WAI. In January 2006 the relevant national departments stipulated explicitly that in government procurement, products conforming to the national WLAN security standard GB 15629.11/1102 and certified as such are to be purchased preferentially, and that projects with specific information security requirements must procure certified products.
However, the two standards 802.11i and WAPI are not mutually compatible, so wireless products made by foreign vendors, such as notebook computers and PDAs that adopt 802.11i, cannot enter the Chinese market. The series of problems this causes has become a focus of attention in the WLAN field. At present it is unlikely that one of the two schemes will replace the other. To expand the promotion and use of wireless local area networks, how to make the two schemes compatible must be considered.
1. International WLAN security standard 802.11i
The international WLAN standard 802.11i is based on two security protocols: the Extensible Authentication Protocol EAP and the authentication framework based on IEEE 802.1X.
EAP was originally designed for the point-to-point protocol PPP. Its purpose is to defer the selection of the authentication mechanism from PPP's link control protocol LCP phase to an optional PPP authentication phase, which allows the authentication system to request more information before deciding on a concrete authentication mechanism. EAP is not itself an authentication protocol but an encapsulation format for authentication protocols; by means of this encapsulation, the client and the authentication server can dynamically negotiate the concrete authentication protocol.
IEEE 802.1X is a port-based access control framework. It has three kinds of entities: the mobile station STA, the authenticator and the authentication server AS. The STA is a user who wishes to use network resources; the authenticator is the device that separates the STA from the network and prevents unauthorized access, normally the access point AP; the AS is a back-end device that completes the authentication of the STA and decides whether to allow or refuse its access request.
IEEE 802.1X messages are carried by EAP in two ways: (1) the EAPOL protocol runs on the link between the STA and the AP; (2) EAP also runs between the AP and the AS, but there it is encapsulated in an upper-layer protocol. IEEE does not define the protocol for this connection; most deployments use EAP over RADIUS. Fig. 1 shows the entities in a typical IEEE 802.1X/EAP deployment.
In a typical 802.1X/EAP authentication process, the STA first sends the EAP start message EAPOL-Start to the AP to indicate that it wishes to join the network. On receiving it, the AP sends the EAP identity request message EAP-Req/Identity to the STA, asking it to send its identity. The STA must answer with an EAP identity response message EAP-Resp/Identity, which the AP forwards to the AS. After that, the exchange of authentication messages between the STA and the AS begins; its details depend on the authentication protocol actually adopted. Although all authentication messages pass through the AP, the AP does not need to understand their meaning. When authentication finishes, the AS decides whether to allow or refuse the STA's access and notifies the STA of the final result with EAP-Success or EAP-Failure. When the AP forwards EAP-Success or EAP-Failure, it correspondingly allows or blocks the STA's data traffic through it. If authentication succeeds, the STA and the AS obtain a master key MK, and the AP shares a pairwise master key PMK with the STA.
After IEEE 802.11i authentication finishes, the AP and the STA exchange four messages (the four-way handshake protocol). Through this process the STA and the AP confirm each other's presence and freshness, derive the session keys, and bind the PMK to the STA's physical address. The four-way handshake also establishes the key hierarchy, which better protects the encryption keys.
2. Chinese WLAN security standard WAPI
The Chinese WLAN security standard WAPI consists of two modules, the WLAN authentication infrastructure WAI and the WLAN privacy infrastructure WPI, which implement user identity authentication and encryption of transmitted data respectively. WAI adopts a port-based authentication model similar to the IEEE 802.1X structure; the whole system consists of the mobile station STA, the access point AP and the authentication service unit ASU. The ASU is the most important part of WAI; its basic functions are the management of user certificates and the authentication of user identities.
WAI uses public key certificates for authentication and key agreement. Its goal is mutual authentication between the STA and the AP, and it is strongly resistant to attacks that use a "fake" AP. The WAI exchange, shown in Fig. 2, consists of two parts: certificate authentication and key negotiation.
1. Certificate authentication process
(1) The AP sends an authentication activation request to the STA;
(2) In the access authentication request, the STA submits its own public key certificate and access request time to the AP;
(3) In the certificate authentication request, the AP sends the STA's certificate, the access request time and the AP's own certificate, together with its signature over these three parts, to the ASU;
(4) On receiving the certificate authentication request from the AP, the ASU first verifies the AP's signature and certificate. If that succeeds, it further verifies the STA's certificate. The ASU then signs, with its own private key, the authentication results for the STA and AP certificates together with the STA's access request time, and sends this signature back to the AP along with the certificate verification results.
(5) The AP verifies the received certificate authentication response and obtains the authentication result for the STA's certificate. The AP must also forward the ASU's verification result to the STA; the STA verifies the ASU's signature and obtains the ASU's authentication result for the AP's certificate.
2. Key negotiation process
First we describe the notation used.
PK_A denotes the public key of A;
ENC(PK_A, m) denotes the encryption of message m under A's public key PK_A;
Sig_A(m) denotes A's digital signature on message m with its private key.
The key negotiation process in the national standard implementation guide is shown in Fig. 3; its detailed steps are as follows:
(1) The implementation guide stipulates that the key negotiation request must be sent by the AP. In this request the AP selects a random number r_1 and encrypts it with the STA's public key PK_STA, then computes the security parameter index SPI from the STA's access request time and the medium access control (MAC) addresses of the STA and the AP. Finally the AP computes a digital signature over the encrypted random number and the SPI;
(2) On receiving the key negotiation request, the STA first checks whether the SPI and the AP's signature are correct. If so, it decrypts ENC(PK_STA, r_1) to obtain r_1, then generates its own random number r_2 and XORs r_1 with r_2 bit by bit to obtain the 16-octet unicast master key k = r_1 ⊕ r_2. It then expands k with the KD-HMAC-SHA256 algorithm into a 48-octet unicast session key (the first 16 octets are the unicast encryption key k_d, the middle 16 octets the unicast integrity check key, and the last 16 octets the message authentication key k_a). Next it encrypts r_2 with the AP's public key PK_AP, and finally the STA uses k_a to compute a message authentication code over the SPI and ENC(PK_AP, r_2) with the HMAC-SHA256 algorithm.
(3) On receiving the key negotiation response, the AP first decrypts ENC(PK_AP, r_2) to obtain r_2, then uses the same key derivation algorithm as the STA to compute the encryption key k_d, the integrity check key and the message authentication key k_a, and finally verifies the message authentication code sent by the STA. If it is correct, the STA is allowed to access the network; otherwise the message is discarded and the STA's access is refused.
Content of the invention
The object of the invention is to overcome the incompatibility of 802.11i and WAPI described above by proposing an identity authentication method compatible with both 802.11i and WAPI, so as to solve the identity authentication problem in wireless local area networks.
The object of the invention is achieved as follows:
1. Method framework
1) The mobile station STA sends the EAP start message EAPOL-Start to the access point AP;
2) The AP sends the timestamp request message EAP-Req/WTS to the STA, requesting the STA to send its identity and access request time;
3) The STA chooses the response message according to whether it supports the WAPI protocol: if the STA supports WAPI authentication, it returns the timestamp response message EAP-Resp/WTS to the AP, whose content comprises the STA's identity and access request time;
4) The AP signs the timestamp response message EAP-Resp/WTS and sends it to the authentication service unit ASU in an access request message;
5) On receiving the access request message, the ASU chooses its response according to whether it itself supports WAPI: if it supports WAPI authentication, it sends a WAPI key negotiation request message to the STA and carries out WAPI authentication;
6) The STA sends a WAPI key negotiation response message to the ASU and carries out WAPI authentication with the ASU;
7) When WAPI authentication finishes, the ASU sends an EAP-Success and key delivery message to the AP;
8) The AP forwards the authentication success message EAP-Success sent by the ASU to the STA;
9) The STA and the AP carry out the four-way handshake protocol, and the exchange is complete.
2. The framework of 1, characterized in that in step 3) the STA chooses the response message according to whether it supports the WAPI protocol: if the STA does not support WAPI, it returns a Nak message to the AP, Nak being the message defined in the EAP framework RFC 3748; the AP then first sends the identity request message EAP-Req/ID to the STA, requesting its identity; the STA and the ASU then negotiate and carry out the 802.11i authentication algorithm; finally the STA and the AP carry out the four-way handshake protocol, and the exchange is complete.
3. The framework of 1, characterized in that in step 5), after receiving the access request message, the ASU chooses its response according to whether it itself supports WAPI: if the ASU does not support WAPI authentication, it first negotiates and carries out the 802.11i authentication algorithm with the STA; the STA and the AP then carry out the four-way handshake protocol, and the exchange is complete.
The invention has the following advantages
With the invention, a mobile device adopting the compatible scheme can perform both 802.11i authentication and WAPI authentication, which solves the problem of mobile devices produced by foreign vendors being unable to enter the Chinese market; conversely, even if a foreign wireless LAN does not support WAPI authentication, a domestic mobile device can still be used abroad because it supports 802.11i.
Because the invention preserves the key agreement protocol of WAI to the greatest extent and minimizes the changes made to WAPI, compatibility with WAPI is easily achieved.
In addition, the invention keeps the 802.11i framework essentially unchanged, only adding the EAP request message EAP-Req/WTS at the initial stage, and treats the WAI key agreement protocol as one method under the 802.11i framework. This preserves the flexibility of the 802.11i protocol in two respects: first, the authentication protocol between the STA and the ASU need not be specified in advance but is negotiated dynamically during the protocol run; second, when the STA supports WAPI authentication, the ASU can choose either WAPI authentication or 802.11i authentication according to the requirements of the concrete application.
In short, the compatible scheme of the invention makes as few modifications as possible to 802.11i and WAPI, preserving both the framework and flexibility of 802.11i and the characteristics of WAPI, and thus has very strong compatibility.
Description of drawings
Fig. 1 is the entity diagram of IEEE 802.1X/EAP
Fig. 2 is the WAI diagram in the WAPI implementation guide
Fig. 3 is the key negotiation diagram in the WAPI implementation guide
Fig. 4 is the protocol flowchart of the compatible scheme
Fig. 5 is the protocol interaction diagram of the compatible scheme performing WAPI
Fig. 6 is the EAP-Req/WTS message diagram
Fig. 7 is the EAP-Resp/WTS message diagram
Fig. 8 is the access request message diagram
Fig. 9 is the key negotiation request message diagram
Fig. 10 is the key negotiation response message diagram
Fig. 11 is the EAP-Success and key delivery message diagram
Fig. 12 is the EAP-Success message diagram
Fig. 13 is the EAP-Failure message diagram
Fig. 14 is the EAP-Req/ID message diagram
Embodiment
The method of the invention is described in detail below with reference to the flowchart of the compatible scheme in Fig. 4 and the protocol interaction process for performing WAPI in Fig. 5:
1. The mobile station STA sends the EAP start message EAPOL-Start to the access point AP.
This message indicates that the STA requests EAP authentication; its concrete format adopts the definition of EAPOL-Start in 802.11i.
2. The AP sends the timestamp request message EAP-Req/WTS to the STA.
With the timestamp request message EAP-Req/WTS, the AP requests the STA to send its identity and current access time. Since no such message exists among the present EAP messages, a new message type, type: WAPI-WTS, has to be added to EAP. The format of this message is shown in Fig. 6.
The message format in Fig. 6 follows the rules of the EAP framework (IETF RFC 3748). The message consists of four parts: the first, "1", indicates that the message is an EAP request; the second, the message identifier, is unique for each EAP message, is determined at run time and is normally a random value; the third, the message length Length, is the length of the whole message; the fourth, EAP-WTS, is the newly added EAP type value.
3. The STA chooses the way it responds according to whether it supports WAPI.
If the STA supports WAPI authentication, it returns the EAP timestamp response message EAP-Resp/WTS to the AP, sending its own identity and access time; the message format is shown in Fig. 7. This message consists of six parts: the first, "2", indicates that this message is the reply to the timestamp request message EAP-Req/WTS; the second, the message identifier, is the identifier of this message; the third, the message length Length, is the length of the whole message; the fourth, EAP-WTS, is the newly added EAP type value, which is consistent with the EAP type in the timestamp request message EAP-Req/WTS; the fifth is the STA's identity; the sixth is the STA's access time.
If the STA does not support WAPI, the following steps are carried out:
(1) The STA returns a Nak message to the AP. Nak is the message defined in the EAP framework RFC 3748.
(2) The AP sends the EAP identity request message EAP-Req/ID to the STA, requesting its identity. The format of this identity request message is shown in Fig. 14: the first part, "1", indicates that the message is a request; the second part, the message identifier, and the third part, the message length Length, are defined as in Fig. 6; the fourth part, EAP-Identity = "1", indicates that the AP requests the STA to send its identity.
(3) The ASU carries out 802.11i authentication with the STA. The ASU first negotiates the 802.11i authentication protocol with the STA, then carries out authentication and key agreement according to the selected authentication protocol.
(4) The STA and the AP carry out the four-way handshake protocol, and the protocol interaction ends. The four-way handshake protocol is carried out according to the definition in 802.11i.
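As an added example, not code from the patent, the following Python shows the EAP framing of steps 2 and 3 as the page describes it: the RFC 3748 header (Code, Identifier, Length), the new EAP-WTS type, the STA's branch between EAP-Resp/WTS and Nak, and the checks the AP applies to the answer before trusting the identity and access time it carries. The numeric Type values for EAP-WTS (and EAP-WAPI), the wire encoding of the identity and access-time fields inside EAP-Resp/WTS, and all function names are assumptions of this example; the patent assigns none of them.

```python
"""Added example: EAP framing for the compatible scheme (not the patent's code).
Type numbers for EAP-WTS / EAP-WAPI and the WTS field encoding are assumed."""
import struct

# RFC 3748 Code values; the patent quotes them as "1", "2", "3", "4".
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# RFC 3748 Type values: Identity = 1, Nak = 3 (Nak is only legal in a Response).
EAP_TYPE_IDENTITY, EAP_TYPE_NAK = 1, 3
# Assumed Type values for the two types the patent adds; the text assigns none.
EAP_TYPE_WTS, EAP_TYPE_WAPI = 250, 251


def build_eap(code, identifier, type_=None, data=b""):
    """Encode Code | Identifier | Length | [Type | Type-Data]. Length covers the whole packet."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet):
    """Decode an EAP packet, rejecting anything whose Length disagrees with the bytes present."""
    if len(packet) < 4:
        raise ValueError("shorter than the EAP header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("Length field inconsistent with packet")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if length != 4:
            raise ValueError("Success/Failure carries no data")
        return {"code": code, "id": identifier, "type": None, "data": b""}
    if code not in (EAP_REQUEST, EAP_RESPONSE) or length < 5:
        raise ValueError("Request/Response needs a Type octet")
    return {"code": code, "id": identifier, "type": packet[4], "data": packet[5:length]}


def is_malformed(packet):
    """True if parse_eap rejects the packet (used to show the truncation check)."""
    try:
        parse_eap(packet)
    except ValueError:
        return True
    return False


def build_req_wts(identifier):
    """EAP-Req/WTS of Fig. 6: Code 1, Identifier, Length, Type EAP-WTS, no data."""
    return build_eap(EAP_REQUEST, identifier, EAP_TYPE_WTS)


def build_resp_wts(identifier, identity, access_time):
    """EAP-Resp/WTS of Fig. 7. Assumed field encoding: 2-byte identity length,
    identity bytes, 8-byte big-endian access time."""
    ident = identity.encode()
    data = struct.pack("!H", len(ident)) + ident + struct.pack("!Q", access_time)
    return build_eap(EAP_RESPONSE, identifier, EAP_TYPE_WTS, data)


def build_nak(identifier, desired_types):
    """RFC 3748 Nak: Type-Data lists the Types the peer is willing to use."""
    return build_eap(EAP_RESPONSE, identifier, EAP_TYPE_NAK, bytes(desired_types))


def sta_answer(request, supports_wapi, identity, access_time):
    """Step 3 on the STA: EAP-Resp/WTS if WAPI is supported, otherwise a Nak."""
    req = parse_eap(request)
    if req["code"] != EAP_REQUEST or req["type"] != EAP_TYPE_WTS:
        raise ValueError("not an EAP-Req/WTS")
    if supports_wapi:
        return build_resp_wts(req["id"], identity, access_time)
    return build_nak(req["id"], [EAP_TYPE_IDENTITY])  # fall back to the 802.11i path


def ap_handle_answer(request, response):
    """Step 3 on the AP: returns ("wapi", identity, access_time) or ("80211i", None, None)."""
    req, resp = parse_eap(request), parse_eap(response)
    if resp["code"] != EAP_RESPONSE or resp["id"] != req["id"]:
        raise ValueError("Identifier does not match the outstanding request")
    if resp["type"] == EAP_TYPE_NAK:
        return ("80211i", None, None)  # the AP continues with EAP-Req/ID
    if resp["type"] != EAP_TYPE_WTS:
        raise ValueError("unexpected EAP Type in reply to EAP-Req/WTS")
    data = resp["data"]
    if len(data) < 2:
        raise ValueError("WTS response too short")
    n = struct.unpack("!H", data[:2])[0]
    if len(data) != 2 + n + 8:
        raise ValueError("WTS response fields do not fill the packet")
    identity = data[2:2 + n].decode()
    access_time = struct.unpack("!Q", data[2 + n:])[0]
    return ("wapi", identity, access_time)


if __name__ == "__main__":
    req = build_req_wts(7)
    print(ap_handle_answer(req, sta_answer(req, True, "sta@example.org", 1700000000)))
    print(ap_handle_answer(req, sta_answer(req, False, "sta@example.org", 1700000000)))
```

The AP side refuses a response whose Identifier does not match the outstanding request and any packet whose Length field disagrees with the bytes received, which is the minimum an 802.1X authenticator needs before it signs the identity and access request time and forwards them to the ASU in step 4.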
4. The AP sends an EAP access request message to the ASU.
The AP first checks whether the access request time in the timestamp response message sent by the STA is correct. If so, it computes a signature over the STA's identity and the STA's access request time, appends the signature and the AP's identity to the EAP-Resp/WTS message, and sends the resulting EAP access request message to the ASU. The format of this message is shown in Fig. 8; the AP's signature uses the signature algorithm specified in WAPI.
5. The ASU chooses whether to carry out WAPI authentication or 802.11i authentication according to whether it supports WAPI.
On receiving the access request message, the ASU first checks the EAP type of the message. If it is EAP-WTS, the ASU checks whether it itself supports WAPI authentication; if so, it carries out WAPI authentication with the STA. The ASU first verifies the AP's signature and checks whether the STA's certificate is valid; if both checks pass, it sends a key negotiation request message to the STA. Because 802.11i does not at present support the WAPI authentication method, a new authentication type EAP-WAPI has to be added to the type field of EAP messages; the type field of both the key negotiation request and the reply must be set to this value. The format of the key negotiation request message is shown in Fig. 9. It consists of eight parts: the first, "1", indicates that the message is a request; the second, the message identifier, is the identifier of this message; the third, the message length Length, is the length of the whole message; the fourth is the newly added EAP type EAP-WAPI, which indicates that the STA carries out WAPI authentication with the ASU; the fifth is the security parameter index SPI, composed of the STA's access request time, the STA's MAC address and the basic service set identifier BSSID of the AP; the sixth is ENC(PK_STA, r_1), where r_1 is a random number chosen by the ASU and encrypted under the STA's public key PK_STA using the encryption algorithm specified in WAPI; the seventh is the STA's access time; the eighth is the ASU's signature over the whole message, using the signature algorithm specified in WAPI.
If the ASU does not support WAPI authentication, the following steps are carried out:
(1) The ASU carries out 802.11i authentication with the STA. The ASU first negotiates the 802.11i authentication protocol with the STA, then carries out authentication and key agreement according to the selected authentication protocol.
(2) The STA and the AP carry out the four-way handshake protocol, and the protocol interaction ends. The four-way handshake protocol is carried out according to the definition in 802.11i.
6. On receiving the WAPI key negotiation request sent by the ASU, the STA returns a key negotiation response message to the ASU.
The format of the key negotiation response message is shown in Fig. 10. The message consists of six parts, in which ENC(PK_ASU, r_2) and the accompanying quantity (given as a formula image in the original, not reproduced here) are computed in the same way as in WAPI. The STA session key k = r_1 ⊕ r_2 serves as the master key MK shared between the STA and the ASU. The pairwise master key PMK shared between the STA and the AP is then obtained from the following formula:
PMK = prf(MK, STA-MAC-address || AP-MAC-address) (1)
where prf is a pseudorandom function, for which the SHA1 algorithm can be adopted, STA-MAC-address is the MAC address of the STA and AP-MAC-address is the MAC address of the AP.
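As an added example, not code from the patent or from the WAPI standard, the following Python runs the key-agreement arithmetic described in the background section (key negotiation steps (1) to (3)) and in step 6 above: the SPI, the unicast master key k = r_1 ⊕ r_2, its expansion into k_d, the integrity check key and k_a, the HMAC-SHA256 authentication code over the SPI and the encrypted r_2, verification on the receiving side, and PMK = prf(MK, STA-MAC-address || AP-MAC-address). The public-key encryption of r_1 and r_2 and the ASU signature are not implemented; the random values are handed across directly, the counter-mode construction standing in for KD-HMAC-SHA256 and the use of HMAC-SHA1 as prf are this example's assumptions, and the function names and MAC addresses are constructed for the example.

```python
"""Added example: the key-agreement arithmetic of the WAI key negotiation and of
step 6 (not the patent's or the WAPI standard's code). Public-key encryption of
r1/r2 and the ASU signature are omitted; KD-HMAC-SHA256 is approximated."""
import hashlib
import hmac
import os
import struct


def kd_hmac_sha256(key, text, length):
    """Assumption: the page names KD-HMAC-SHA256 but does not define it, so it is
    modelled here as HMAC-SHA256 in counter mode, truncated to `length` octets."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, text + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def make_spi(access_time, sta_mac, bssid):
    """SPI of the key negotiation request (step 5): STA access request time, STA MAC, AP BSSID."""
    return struct.pack("!Q", access_time) + sta_mac + bssid


def expand_session_keys(r1, r2):
    """k = r1 XOR r2 (16 octets), expanded to 48 octets: k_d (unicast encryption),
    k_i (unicast integrity check), k_a (message authentication)."""
    if len(r1) != 16 or len(r2) != 16:
        raise ValueError("r1 and r2 must each be 16 octets")
    k = bytes(a ^ b for a, b in zip(r1, r2))
    ks = kd_hmac_sha256(k, b"unicast session key expansion", 48)  # label is assumed
    return k, ks[:16], ks[16:32], ks[32:48]


def mac_over(k_a, spi, enc_r2):
    """Authentication code the STA attaches: HMAC-SHA256 under k_a over SPI || ENC(PK, r2)."""
    return hmac.new(k_a, spi + enc_r2, hashlib.sha256).digest()


def derive_pmk(mk, sta_mac, ap_mac):
    """Formula (1): PMK = prf(MK, STA-MAC-address || AP-MAC-address). The page allows
    SHA1 for prf; keying it as HMAC-SHA1 is this example's choice."""
    return hmac.new(mk, sta_mac + ap_mac, hashlib.sha1).digest()


def run_exchange(r1, r2, access_time, sta_mac, ap_mac, tamper=False):
    """Both ends of the negotiation, r1 chosen by the ASU and r2 by the STA.
    In the real protocol r1 travels as ENC(PK_STA, r1) and r2 as ENC(PK_ASU, r2);
    here they are handed across in the clear so that only the key and MAC logic runs."""
    spi = make_spi(access_time, sta_mac, ap_mac)

    # STA: recover r1, pick r2, derive keys, authenticate SPI || enc_r2 under k_a.
    k_sta, _, _, ka_sta = expand_session_keys(r1, r2)
    enc_r2 = r2  # stands in for ENC(PK_ASU, r2)
    tag = mac_over(ka_sta, spi, enc_r2)
    pmk_sta = derive_pmk(k_sta, sta_mac, ap_mac)  # k is the STA/ASU master key MK

    if tamper:  # an on-path change to the response after the STA computed its tag
        enc_r2 = bytes([enc_r2[0] ^ 0x01]) + enc_r2[1:]

    # ASU: recover r2, derive the same keys, verify the tag before granting access.
    k_asu, _, _, ka_asu = expand_session_keys(r1, enc_r2)
    if not hmac.compare_digest(tag, mac_over(ka_asu, spi, enc_r2)):
        return {"accepted": False, "pmk_asu": None, "pmk_sta": pmk_sta}
    return {"accepted": True, "pmk_asu": derive_pmk(k_asu, sta_mac, ap_mac), "pmk_sta": pmk_sta}


if __name__ == "__main__":
    sta, ap = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed MACs
    print(run_exchange(os.urandom(16), os.urandom(16), 1700000000, sta, ap)["accepted"])
    print(run_exchange(os.urandom(16), os.urandom(16), 1700000000, sta, ap, tamper=True)["accepted"])
```

The tampered run shows why the authentication code is verified before any key is used: an altered r_2 changes k and therefore k_a on the receiving side, the tag no longer verifies, and the message is discarded as background step (3) requires, so no PMK is ever delivered to the AP.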
7. The ASU sends an EAP-Success and key delivery message to the AP.
If WAPI authentication succeeds, the ASU computes the key MK it shares with the STA and the pairwise master key PMK to be delivered to the AP, by the same computation as in step 6. The ASU then sends an EAP-Success and key delivery message to the AP, to notify the AP that authentication succeeded and to deliver the PMK to it; this key is used in the subsequent four-way handshake between the AP and the STA. A signature of the ASU is added to the EAP-Success and key delivery message to guarantee its security. The message format, shown in Fig. 11, consists of seven parts: the first, Success = "3", indicates that the STA and the ASU authenticated successfully; the second, the message identifier, is the unique identifier of this message; the third, the message length Length, is the whole length of the message; the fourth, ENC(PK_AP, PMK), is the PMK encrypted by the ASU under the AP's public key PK_AP with the encryption algorithm specified in WAPI; the fifth is the STA's access time; the sixth is the AP's identity; the seventh is the ASU's signature over the whole message.
If authentication fails, the ASU sends an EAP-Failure message to the AP and the STA; its format is shown in Fig. 12. The message consists of three parts: the first, Failure = "4", indicates authentication failure; the second is the message identifier; the third is the length Length of the whole message.
8. The AP sends an EAP-Success message to the STA.
The message format is shown in Fig. 13, where "3" denotes the authentication success message, and the message identifier and message length Length are defined as in Fig. 6.
9. The STA and the AP carry out the four-way handshake protocol, and the protocol interaction ends. The four-way handshake protocol is carried out according to the definition in 802.11i.
With the above method, compatibility between 802.11i and WAPI is achieved, solving the problem that foreign wireless products cannot enter the Chinese market because they do not support WAPI.
Symbol description:
WAPI: Chinese WLAN security standard;
WAI: WLAN authentication infrastructure;
WPI: WLAN privacy infrastructure;
EAP: Extensible Authentication Protocol;
PPP: point-to-point protocol;
LCP: link control protocol;
STA: mobile station;
AP: access point;
Authenticator: authenticator;
AS: authentication server;
EAPOL: EAP over LAN (EAP carried on the link layer);
RADIUS: Remote Authentication Dial-In User Service;
EAPOL-Start: EAP start message;
EAP-Req/Identity: EAP identity request message;
EAP-Resp/Identity: EAP identity response message;
EAP-Success: EAP success message;
EAP-Failure: EAP failure message;
MK: master key shared between the mobile station and the authentication server;
PMK: pairwise master key shared between the mobile station and the access point;
PK_A: public key of A;
ENC(PK_A, m): encryption of message m under A's public key PK_A;
Sig_A(m): digital signature of A on message m with its private key;
MAC address: medium access control address;
EAP-Req/WTS: timestamp request message;
EAP-Resp/WTS: timestamp response message;
type: EAP type;
Identifier: message identifier;
Length: message length;
EAP-WTS: newly added EAP type, denoting the exchange of the WAPI timestamp and identity;
Nak: negative response message;
prf: pseudorandom function;
STA-MAC-address: MAC address of the STA;
AP-MAC-address: MAC address of the AP.

Claims (7)

1. An identity authentication method compatible with WAPI and 802.11i, carried out according to the following procedure:
1) mobile radio station STA sends an EAP start message EAPOL-Start to access point AP;
2) access point AP sends a time stamp request message EAP-Req/WTS to mobile radio station STA, requesting that mobile radio station STA send its identity and access request time;
3) the form of the response message is selected according to whether mobile radio station STA supports the WAPI protocol: if mobile radio station STA supports WAPI authentication, it returns a time stamp response message EAP-Resp/WTS to access point AP, whose content comprises the identity of mobile radio station STA and its access request time;
4) access point AP signs the time stamp response message EAP-Resp/WTS and sends it to authentication service unit ASU in an access request message;
5) after receiving the access request message, authentication service unit ASU selects its response according to whether it itself supports WAPI: if it supports WAPI authentication, it sends a WAPI key negotiation request message to mobile radio station STA and carries out WAPI authentication;
6) mobile radio station STA sends a WAPI key negotiation response message to authentication service unit ASU and carries out WAPI authentication with ASU;
7) after WAPI authentication completes, authentication service unit ASU sends an EAP-Success and key delivery message to access point AP;
8) access point AP forwards the authentication success message EAP-Success sent by authentication service unit ASU to mobile radio station STA;
9) mobile radio station STA and access point AP carry out the four-way handshake protocol, which completes the interaction.
2. The identity authentication method according to claim 1, characterized in that, in step 3), when the form of the response message is selected according to whether mobile radio station STA supports the WAPI protocol, if mobile radio station STA does not support WAPI it returns a negative response message Nak to access point AP, the message Nak being the message specified in the Extensible Authentication Protocol EAP framework RFC 3748; afterwards access point AP first sends an identity request message EAP-Req/ID to mobile radio station STA, requesting that mobile radio station STA send its identity; mobile radio station STA and authentication service unit ASU then carry out negotiation and authentication with the 802.11i authentication algorithm; and finally mobile radio station STA and access point AP carry out the four-way handshake protocol, which completes the interaction.
3. The identity authentication method according to claim 1, characterized in that, after authentication service unit ASU receives the access request message in step 5), it selects its response according to whether it itself supports WAPI: if authentication service unit ASU does not support WAPI authentication, it first carries out negotiation and authentication with the 802.11i authentication algorithm with mobile radio station STA; mobile radio station STA and access point AP then carry out the four-way handshake protocol, which completes the interaction.
4. The identity authentication method according to claim 1, characterized in that the time stamp request message EAP-Req/WTS in step 2) consists of four parts: the first part, "1", indicates that this message is a request message; the second part, the message identifier, is the identifier of this message and is a random value; the third part, the message length, is the length of the whole message; and the fourth part, EAP-WTS, is a newly added Extensible Authentication Protocol EAP type value.
5. The identity authentication method according to claim 1, characterized in that the time stamp response message EAP-Resp/WTS in step 3) consists of six parts: the first part, "2", indicates that this message is a reply to the time stamp request message EAP-Req/WTS; the second part, the message identifier, is the identifier of this message; the third part, the message length, is the length of the whole message; the fourth part, EAP-WTS, is a newly added EAP type value, consistent with the EAP type in the time stamp request message EAP-Req/WTS, and indicates that mobile radio station STA is returning its identity and access request time to access point AP; the fifth part is the identity of STA; the sixth part is the access time of STA.
6. The identity authentication method according to claim 1, characterized in that the WAPI key negotiation request message in step 5) consists of eight parts: the first part, "1", indicates that this message is a request message; the second part, the message identifier, is the identifier of this message; the third part, the message length, is the length of the whole message; the fourth part is a newly added EAP type EAP-WAPI, which indicates that mobile radio station STA carries out WAPI authentication with authentication service unit ASU; the fifth part is the security parameter index SPI, composed of the access request time of mobile radio station STA, the MAC address of STA and the basic service set identifier BSSID of AP; the sixth part is ENC(PK_STA, r_1), where r_1 is a random number chosen by the authentication service unit and encrypted by it with the public key PK_STA of mobile radio station STA, the encryption algorithm being the one specified in WAPI; the seventh part is the access time of STA; the eighth part is the signature of ASU over the whole message, the signature algorithm being the one specified in WAPI.
7. The identity authentication method according to claim 1, characterized in that the EAP-Success and key delivery message in step 7) consists of seven parts: the first part, Success="3", indicates that mobile radio station STA and authentication service unit ASU authenticated successfully; the second part, the message identifier, is the unique identifier of this message; the third part, the message length, is the total length of this message; the fourth part, ENC(PK_AP, PMK), is the elementary master key PMK encrypted by the authentication service unit ASU with the public key PK_AP of access point AP, the encryption algorithm being the one specified in WAPI; the fifth part is the access time of STA; the sixth part is the identity of AP; the seventh part is the signature of the authentication service unit ASU over the whole message, where the elementary master key PMK is computed as follows:
PMK = prf(MK, STA-MAC-address || AP-MAC-address)
where prf is a pseudorandom function using the SHA1 algorithm, MK is the master key shared between STA and authentication service unit ASU, STA-MAC-address is the MAC address of STA, and AP-MAC-address is the MAC address of AP.
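The following is an added worked example, not code from the patent or from its assignee: it encodes and parses the EAP-Req/WTS and EAP-Resp/WTS messages of claims 4 and 5, builds the EAP-Success and EAP-Failure result messages of steps 7 and 8 of the description, and derives the PMK of claim 7. The patent fixes neither the byte layout nor the prf, so several things are assumptions and are labelled as such in the code: the standard RFC 3748 EAP header (Code, Identifier, two-byte Length, Type), a placeholder value 200 for the new EAP-WTS type, a length-prefixed STA identity followed by a four-byte access time, and HMAC-SHA1 as the instantiation of the SHA1-based prf. All sample identifiers, identities, times and keys are constructed.

```python
"""Added example (not the patent's own code): byte-level encoding and parsing of
the EAP-Req/WTS and EAP-Resp/WTS messages of claims 4 and 5, the EAP-Success /
EAP-Failure result messages of steps 7 and 8, and the PMK derivation of claim 7.

Assumptions, made here because the patent does not fix them:
  * the messages use the standard RFC 3748 EAP header layout,
    Code(1) | Identifier(1) | Length(2, big-endian, whole message) | Type(1);
  * EAP_WTS_TYPE = 200 is a placeholder; the patent only says EAP-WTS is a
    newly added EAP type value;
  * the STA identity is carried as a 1-byte-length-prefixed byte string and
    the access request time as a 4-byte big-endian Unix timestamp;
  * prf is instantiated as HMAC-SHA1; the claim says only "SHA1".
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# EAP Code values from RFC 3748; the patent's "1", "2", "3", "4" map onto them.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_WTS_TYPE = 200  # placeholder value for the new EAP-WTS type (assumption)
EAP_HEADER = struct.Struct("!BBH")  # Code, Identifier, Length


def build_eap_req_wts(identifier: int) -> bytes:
    """Claim 4: Code=1 | random Identifier | Length | Type=EAP-WTS (no type data)."""
    return EAP_HEADER.pack(EAP_REQUEST, identifier, 5) + bytes([EAP_WTS_TYPE])


def build_eap_resp_wts(identifier: int, sta_identity: bytes, access_time: int) -> bytes:
    """Claim 5: Code=2 | Identifier (copied from the request) | Length | Type=EAP-WTS
    | STA identity | STA access request time."""
    if len(sta_identity) > 255:
        raise ValueError("STA identity too long for a 1-byte length prefix")
    type_data = bytes([len(sta_identity)]) + sta_identity + struct.pack("!I", access_time)
    header = EAP_HEADER.pack(EAP_RESPONSE, identifier, 5 + len(type_data))
    return header + bytes([EAP_WTS_TYPE]) + type_data


def build_eap_result(code: int, identifier: int) -> bytes:
    """Steps 7/8 (figures 12 and 13): EAP-Success (3) or EAP-Failure (4) is just
    Code | Identifier | Length, so Length is always 4."""
    if code not in (EAP_SUCCESS, EAP_FAILURE):
        raise ValueError("result code must be EAP-Success (3) or EAP-Failure (4)")
    return EAP_HEADER.pack(code, identifier, 4)


@dataclass
class EapWts:
    code: int
    identifier: int
    sta_identity: Optional[bytes]
    access_time: Optional[int]


def parse_eap_wts(msg: bytes, expected_identifier: Optional[int] = None) -> EapWts:
    """Parse an EAP-Req/WTS or EAP-Resp/WTS message, rejecting malformed input.
    The receiver of a response checks that the Identifier matches the request it
    sent; that check is what ties the reply to its own outstanding request."""
    if len(msg) < 5:
        raise ValueError("truncated EAP header")
    code, identifier, length = EAP_HEADER.unpack(msg[:4])
    eap_type = msg[4]
    if length != len(msg):
        raise ValueError("Length field does not match the message size")
    if eap_type != EAP_WTS_TYPE:
        raise ValueError("not an EAP-WTS message")
    if expected_identifier is not None and identifier != expected_identifier:
        raise ValueError("Identifier mismatch: reply does not answer our request")
    if code == EAP_REQUEST:
        if length != 5:
            raise ValueError("EAP-Req/WTS carries no type data")
        return EapWts(code, identifier, None, None)
    if code == EAP_RESPONSE:
        data = msg[5:]
        if not data or len(data) != 1 + data[0] + 4:
            raise ValueError("malformed EAP-Resp/WTS type data")
        n = data[0]
        (access_time,) = struct.unpack("!I", data[1 + n:])
        return EapWts(code, identifier, data[1:1 + n], access_time)
    raise ValueError("unexpected EAP Code for an EAP-WTS message")


def derive_pmk(mk: bytes, sta_mac: bytes, ap_mac: bytes) -> bytes:
    """Claim 7: PMK = prf(MK, STA-MAC-address || AP-MAC-address), with prf taken
    here to be HMAC-SHA1 keyed by MK (assumption). Feeding both MAC addresses
    into the derivation binds the PMK to this particular STA/AP pair."""
    if len(sta_mac) != 6 or len(ap_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return hmac.new(mk, sta_mac + ap_mac, hashlib.sha1).digest()


if __name__ == "__main__":
    # Constructed sample exchange: identifier, identity, time and keys are made up.
    ident = 0x2A
    req = build_eap_req_wts(ident)
    resp = build_eap_resp_wts(ident, b"sta01@example.test", 1166745600)
    print("EAP-Req/WTS :", req.hex())
    print("EAP-Resp/WTS:", parse_eap_wts(resp, expected_identifier=ident))
    print("EAP-Success :", build_eap_result(EAP_SUCCESS, ident).hex())
    mk = bytes(range(16))
    pmk = derive_pmk(mk, bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"))
    print("PMK:", pmk.hex())
```

The parser's Length and Identifier checks are the part worth keeping in mind: the Identifier is the only field that lets AP tie an EAP-Resp/WTS to the EAP-Req/WTS it issued (claim 4 says it is a random value), and a Length field that disagrees with the frame size is rejected rather than trusted, which is the usual hardening for any EAP method parser.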
CN200610105243A 2006-12-22 2006-12-22 Identity authentication method with compatible 802.11i and WAPI Expired - Fee Related CN100586067C (en)


Publications (2)

Publication Number Publication Date
CN101013940A CN101013940A (en) 2007-08-08
CN100586067C true CN100586067C (en) 2010-01-27

Family

ID=38701247





Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100127

Termination date: 20151222

EXPY Termination of patent right or utility model