CN101009911A - Method and device for realizing the Extensible Authentication Protocol in a wireless communication network - Google Patents

Publication number: CN101009911A
Authority: CN (China)
Prior art keywords: EAP, message, authentication, authentication device, base station
Legal status: Pending
Application number: CNA2006100017563A
Other languages: Chinese (zh)
Inventor: 单长虹
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd; priority to CNA2006100017563A; publication of CN101009911A.
Abstract

The method for realizing EAP authentication in a wireless communication network mainly comprises: the base station (BS) sends an EAP Start message to the authentication device and starts a timer; if, after a preset time, the BS has not received an EAP identity request message from the authentication device, it re-sends the EAP Start message. The invention applies a retransmission mechanism to improve the reliability of EAP authentication and thereby the security of the network: it protects the operator's network against illegal attacks and provides users with reliable service.

Description

Method and device for realizing the Extensible Authentication Protocol in a wireless communication network
Technical field
The present invention relates to the field of wireless communication technology, and in particular to the realization of EAP (Extensible Authentication Protocol) authentication in a wireless communication network.
Background art
In a wireless communication network, according to the 802.16 protocol, a mobile terminal that wants to communicate with a base station must establish an identical AK (authorization key) context with it. The AK context comprises: AK; AKID (authorization key identifier); AK Sequence Number; AK Lifetime; PMK Sequence Number (pairwise master key sequence number); HMAC/CMAC_KEY_U (uplink message integrity protection key); HMAC/CMAC_PN_U (uplink message anti-replay packet number, abbreviated PN_U); HMAC/CMAC_KEY_D (downlink message integrity protection key); HMAC/CMAC_PN_D (downlink message anti-replay packet number, abbreviated PN_D); KEK (key encryption key); EIK (integrity key).
In the AK context, HMAC/CMAC_KEY_U and HMAC/CMAC_KEY_D are calculated by the base station from the AK, the terminal's MAC (medium access control) address and the BSID (base station identifier), and are used to provide integrity protection for uplink and downlink messages respectively. PN_U and PN_D are two 32-bit counters. When the AK context is established, both counters are 0; thereafter, each time HMAC/CMAC_KEY_U is used to integrity-protect one uplink message, the mobile terminal increments PN_U by 1, and each time HMAC/CMAC_KEY_D is used to integrity-protect one downlink message, the base station increments PN_D by 1. If the number space of PN_U or PN_D is exhausted (either value reaches 2^32-1), or the AK Lifetime in the AK context expires, the lifetime of this AK has ended, and a new AK should be applied for before that happens.
In a wireless communication network, the AK context establishment process is as shown in Figure 1 and comprises the following processing steps:
Step 11: the terminal and the base station have established a communication link;
Step 12: the terminal and the AAA (authentication, authorization, accounting) server establish a shared MSK (master session key) on both sides through EAP (Extensible Authentication Protocol) authentication;
Step 13: the AAA server passes the MSK to the authentication device in the ASN where the terminal is located;
Step 14: after the terminal and the authentication device each obtain the MSK, they carry out the following processing respectively:
The terminal generates the PMK from the MSK, generates the AK from the PMK, and then generates the whole AK context;
The authentication device generates the PMK from the MSK and generates a partial AK context from the PMK, comprising: AK, AK identifier, AK sequence number, AK lifetime, PMK sequence number, EIK; the values of HMAC/CMAC_PN_U and HMAC/CMAC_PN_D can be set to zero or left empty here.
Step 15: the authentication device sends the partial AK context it has generated to the base station;
Step 16: the base station generates the remaining AK context from the AK, comprising: HMAC/CMAC_KEY_U, HMAC/CMAC_PN_U, HMAC/CMAC_KEY_D, HMAC/CMAC_PN_D, KEK; the initial values of HMAC/CMAC_PN_U and HMAC/CMAC_PN_D are zero.
Step 17: the terminal and the base station use the established AK context to protect the management messages and the transfer of the traffic encryption key in the subsequent communication.
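The AK context split described above (MSK to PMK to AK, the partial context held by the authentication device, the remaining keys and PN counters derived on the base station, and the lifetime rule of the preceding paragraph) can be modelled as follows. This is an added example, not code from the patent; the key derivation function `kdf` is a placeholder HMAC-SHA256 construction that stands in for the 802.16 derivation the text refers to, the message authentication uses HMAC-SHA1 as an illustration of "one integrity-protected message consumes one PN value", and the strictly-increasing replay rule in `verify_uplink` is an assumption (the page mentions a PN window size but does not define the acceptance rule).

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

PN_MAX = 2**32 - 1  # PN_U / PN_D are 32-bit counters; reaching this value exhausts the space


def kdf(key: bytes, label: bytes, length: int = 20) -> bytes:
    """Placeholder KDF (HMAC-SHA256, truncated). Stands in for the 802.16
    derivation the page describes; it is an assumption, not Dot16KDF."""
    return hmac.new(key, label, hashlib.sha256).digest()[:length]


@dataclass
class AkContext:
    # Partial context produced by the authentication device (step 14)
    ak: bytes
    akid: bytes
    ak_sequence_number: int
    ak_lifetime: int              # AK Lifetime in seconds
    pmk_sequence_number: int
    eik: bytes
    # Remaining context derived by the base station (step 16) or the terminal
    hmac_key_u: Optional[bytes] = None
    hmac_key_d: Optional[bytes] = None
    kek: Optional[bytes] = None
    pn_u: int = 0
    pn_d: int = 0


def authenticator_partial_context(msk: bytes, pmk_seq: int, ak_seq: int, lifetime: int) -> AkContext:
    """Step 14, authentication device side: MSK -> PMK -> AK plus the partial context.
    HMAC keys and KEK are left empty, PN counters are zero."""
    pmk = kdf(msk, b"PMK")
    ak = kdf(pmk, b"AK")
    return AkContext(ak=ak, akid=kdf(ak, b"AKID", 8), ak_sequence_number=ak_seq,
                     ak_lifetime=lifetime, pmk_sequence_number=pmk_seq, eik=kdf(pmk, b"EIK"))


def bs_complete_context(ctx: AkContext, mac: bytes, bsid: bytes) -> AkContext:
    """Step 16, base station side: derive the remaining keys from AK, terminal MAC and BSID."""
    ctx.hmac_key_u = kdf(ctx.ak, b"HMAC_KEY_U" + mac + bsid)
    ctx.hmac_key_d = kdf(ctx.ak, b"HMAC_KEY_D" + mac + bsid)
    ctx.kek = kdf(ctx.ak, b"KEK")
    ctx.pn_u = 0
    ctx.pn_d = 0
    return ctx


def terminal_full_context(msk: bytes, pmk_seq: int, ak_seq: int, lifetime: int,
                          mac: bytes, bsid: bytes) -> AkContext:
    """Step 14, terminal side: the terminal derives the whole context itself."""
    return bs_complete_context(authenticator_partial_context(msk, pmk_seq, ak_seq, lifetime), mac, bsid)


def protect_uplink(ctx: AkContext, msg: bytes) -> Tuple[bytes, int]:
    """Terminal: each uplink message protected with HMAC/CMAC_KEY_U consumes one PN_U value."""
    if ctx.pn_u >= PN_MAX:
        raise RuntimeError("PN_U exhausted: the AK lifetime has ended, apply for a new AK")
    pn = ctx.pn_u
    tag = hmac.new(ctx.hmac_key_u, pn.to_bytes(4, "big") + msg, hashlib.sha1).digest()
    ctx.pn_u += 1
    return tag, pn


def verify_uplink(ctx: AkContext, msg: bytes, tag: bytes, pn: int) -> bool:
    """Base station: reject a replayed PN (assumption: strictly increasing, no window),
    check the integrity tag, and advance the expected PN_U on success."""
    if pn < ctx.pn_u:
        return False
    expected = hmac.new(ctx.hmac_key_u, pn.to_bytes(4, "big") + msg, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, tag):
        return False
    ctx.pn_u = pn + 1
    return True


def ak_expired(ctx: AkContext, elapsed_seconds: int) -> bool:
    """The AK lifetime ends when either PN space is exhausted or AK Lifetime has passed."""
    return ctx.pn_u >= PN_MAX or ctx.pn_d >= PN_MAX or elapsed_seconds >= ctx.ak_lifetime
```

Both peers keep their own `AkContext`: the terminal's `pn_u` is the next value it will use, the base station's `pn_u` is the next value it will accept, which is why a replayed (message, tag, pn) triple is refused without any extra state.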
In the above process of establishing the AK context, a corresponding EAP authentication must be carried out. The EAP authentication process is described below with reference to Figure 2, and comprises:
Step 21: the MSS (mobile subscriber station) and the BS (base station) carry out the RNG-REQ (ranging request)/RSP (response) procedure, and after it succeeds, step 22 is executed.
Step 22: the MSS sends an SBC-REQ (subscriber station basic capability request) message to the BS; this message follows the definition in the IEEE 802.16e-D12 standard.
Step 23: after the BS receives the message, it sends a security negotiation parameter request message, carrying the authorization policy support information, to the authentication device (the Authenticator).
Step 24: according to the security negotiation parameters reported by the BS, the authentication device selects specific security negotiation parameters for the MSS and then replies to the BS with a security negotiation parameter response message, in which the security negotiation parameters carry the corresponding authorization policy support information.
Steps 23 and 24 are optional: when the corresponding security negotiation parameters are allocated by the BS, these two steps can be omitted.
Step 25: after the BS receives the security negotiation parameter response message, it sends an SBC-RSP (subscriber station basic capability response) message to the authentication device; this message likewise follows the definition in IEEE 802.16e-D12.
Step 26: the MSS sends an air-interface PKMv2 (Privacy Key Management protocol version 2) PKM-REQ/EAP-Start message to the BS to indicate the start of the EAP authentication process;
Step 26 is optional.
Step 27: after the BS recognizes the air-interface PKMv2 PKM-REQ/EAP-Start message, it sends an EAP Start message of the authentication relay protocol to the authentication device;
If steps 23 and 24 were omitted, this message needs to include the authorization policy support information.
Step 28: after the authentication device receives the EAP Start message of the authentication relay protocol, it records the negotiated authorization policy support, the MSID (user identifier) and the BSID (base station identifier);
Then it sends an EAP-REQ/Identity (EAP identity request) message to the MSS, asking the MSS to present its identity. Between the authentication device and the BS, this message can be encapsulated in the EAP transfer message of the authentication relay protocol.
Step 29: the MSS parses the EAP-REQ/Identity message and replies to the authentication device with an EAP-RSP/Identity (NAI) message, i.e. an EAP identity response message containing the NAI (network access identifier);
Between the MSS and the BS, this message can be encapsulated in PKMv2 PKM-REQ/EAP-Transfer; between the BS and the authentication device, it can be encapsulated in the EAP-Transfer of AUTHRELAY (the authentication relay protocol).
Step 210: the authentication device sends the EAP-RSP/Identity (NAI) message to the AAA Server in a RADIUS Access-Request (Remote Authentication Dial-In User Service access request); thereafter the MSS begins the subsequent EAP process with the AAA Server.
Step 211: the MSS and the AAA Server negotiate the authentication method to use; the candidate methods include EAP-MD5 (EAP authentication using the MD5 algorithm), EAP-SIM (EAP authentication based on the subscriber identity module), EAP-AKA (authentication and key agreement), EAP-TLS (EAP transport layer security), etc.;
In this message exchange, messages between the MSS and the BS can be encapsulated in PKMv2 PKM-REQ/EAP-Transfer, and messages between the BS and the authentication device can be encapsulated in the EAP transfer message of the authentication relay protocol.
Step 212: the MSS and the AAA Server carry out the challenge and authentication process, which can use one-way or mutual authentication;
Likewise, in this message exchange, messages between the MSS and the BS can be encapsulated in PKMv2 PKM-REQ/EAP-Transfer, and messages between the BS and the authentication device can be encapsulated in the EAP transfer message of the authentication relay protocol.
Step 213: after authentication succeeds, the AAA Server and the MSS each use the preset or negotiated shared secret and the same algorithm to generate the MSK and the EMSK (extended master session key);
The algorithm that generates the MSK and EMSK depends on the operator's specific configuration and implementation;
The AAA Server sends an EAP-Success message to the authentication device, encapsulated in a RADIUS Access-Accept message; at the same time the MSK is passed to the authentication device in the RADIUS Access-Accept message, and the NAI of the MSS is also included in the message to notify the authentication device.
Step 214: the authentication device generates the PMK context from the MSK, then generates the AK context from the PMK context.
Step 215: the authentication device sends an AK transfer message of the authentication relay protocol to the BS, carrying the AK context.
Step 216: the BS replies to the authentication device with an AK transfer response message of the authentication relay protocol, indicating that the AK transfer message has been received.
Step 217: the BS generates the other AK context from the received AK context and the MSID.
Step 218: the MSS generates the MSK and EMSK from the EAP process, generates the PMK context from the MSK, and then generates the AK context from the PMK context.
Step 219: the base station sends the EAP Success message to the MSS.
Step 220: once the AK context is ready on the BS, the SA-TEK (security association - traffic encryption key) three-way handshake process can be initiated.
In addition, on the basis of the above single EAP authentication process, the industry has also proposed the concept of double EAP authentication, which realizes EAP authentication mainly by carrying out the above process twice.
Although the single EAP authentication process shown in Figure 2 realizes the corresponding EAP authentication, in concrete application it has the following defects:
1. If the EAP Start message in step 27 is not received by the authentication device, there is no corresponding measure, and the EAP authentication then fails;
2. The parameter information transmitted between the entities during the EAP authentication process is limited, so the EAP authentication cannot be completed well; for example, steps 23 and 24 carry only the authorization policy support information;
3. For the double EAP authentication process now proposed, the above flow cannot distinguish which EAP authentication mode (single or double EAP authentication) is currently required, so the whole EAP authentication process cannot be completed well.
Therefore, existing wireless communication networks cannot realize the corresponding EAP authentication reliably, and consequently cannot guarantee the security performance of the network well.
Summary of the invention
The purpose of the invention is to provide a method and a device for realizing the Extensible Authentication Protocol in a wireless communication network, so that EAP authentication processing can be realized reliably in the wireless communication network and the security performance of the communication network is effectively improved.
The objective of the invention is achieved through the following technical solutions:
The invention provides a method for realizing the Extensible Authentication Protocol in a wireless communication network, comprising:
A. the base station sends an Extensible Authentication Protocol (EAP) Start message to the authentication device and starts timing;
B. if, after a preset time has elapsed, the base station has not received the EAP identity request message sent by the authentication device, it sends the EAP Start message to the authentication device again.
In the invention, before step A is carried out, the method also comprises:
exchanging a security negotiation parameter request and response message between the base station and the authentication device, the messages carrying the message authentication code mode and/or packet number window size information.
The information carried in the security negotiation parameter request and response messages also comprises: the authorization policy support information.
The information carried in the security negotiation parameter request and response messages also comprises: the PKM version support.
The method of the invention also comprises:
configuring on the authentication device a record of at least one of: the user identifier MSID, the base station identifier BSID, the message authentication code mode, the packet number window size, the authorization policy support, and the EAP authentication count.
The EAP Start message is the EAP Start message of the authentication relay protocol, and carries the user identifier MSID.
The method of the invention also comprises:
when the authentication device obtains the MSID of the user terminal and the network access identifier NAI, recording the correspondence between the MSID and the NAI on the authentication device.
The method of the invention also comprises:
when the authentication device receives an EAP message packet, parsing the EAP message packet according to the recorded correspondence and processing it according to the parsed information.
The method of the invention also comprises:
C. after the authentication device receives the Access-Accept message sent by the AAA server, checking the authorization policy support information in its own record, indexed by MSID and BSID, and determining from the authorization policy support whether the current EAP authentication is single EAP authentication or double EAP authentication.
Step C also comprises:
when double EAP authentication is determined, further determining from the EAP authentication count indicator whether the current authentication is the first or the second EAP authentication.
The method of the invention also comprises:
carrying the MSID information in the EAP-Transfer message of the authentication relay protocol exchanged between the BS and the authentication device.
The method of the invention also comprises: the authentication device sends the EAP Success (EAP-Success) message directly to the user terminal.
The invention also provides a device for realizing the Extensible Authentication Protocol in a wireless communication network, comprising a first security management module arranged in the base station, which comprises:
an EAP Start message sending module, used to send the EAP Start message to the authentication device;
a timed retransmission processing module, used to start timing after the base station sends the EAP Start message and, when the EAP identity request message from the authentication device has still not been received after the preset time, to trigger the EAP Start message sending module again.
The timed retransmission processing module specifically comprises:
a timer, whose timing length is the retransmission interval, started after the base station sends the EAP Start message, and which triggers the EAP Start message sending module when it expires;
a judging module, used to judge, after the EAP Start message has been sent, whether the EAP identity request message has been received, and to clear the timer when it has.
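The base-station side of the method (steps A and B) and the device modules just listed (EAP Start sending module, timer, judging module) can be modelled as one small state machine driven by an injected clock, so that the retransmission behaviour can be exercised offline. This is an added example, not code from the patent. It also builds the EAP Start content described later in the embodiment (PKM Version Support and Authorization Policy Support are carried only when the SNP exchange was skipped; a first-authentication indicator is carried under double EAP). The retry bound `max_retries`, the field names of `EapStart` and the loss pattern in `simulate` are assumptions; the page sets no upper bound on retransmissions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class EapStart:
    """AUTHRELAY EAP-Start content as described in the embodiment (field names assumed)."""
    msid: str
    pkm_version_support: Optional[int] = None
    authorization_policy_support: Optional[int] = None
    first_eap_auth: Optional[bool] = None   # only meaningful when the policy includes double EAP


def build_eap_start(msid: str, snp_exchanged: bool, pkm_version_support: int,
                    authorization_policy_support: int, double_eap: bool) -> EapStart:
    """If SNP-REQ/RSP (steps 33/34) ran, the authentication device already holds the two
    parameters and the BS omits them; otherwise the EAP Start must carry them."""
    msg = EapStart(msid=msid)
    if not snp_exchanged:
        msg.pkm_version_support = pkm_version_support
        msg.authorization_policy_support = authorization_policy_support
    if double_eap:
        msg.first_eap_auth = True
    return msg


class BsEapStartRetransmitter:
    """First security management module on the BS: sending module + timed retransmission module."""

    def __init__(self, send: Callable[[EapStart], None], interval: float, max_retries: int):
        self.send = send                      # EAP Start message sending module
        self.interval = interval              # timer length = retransmission interval
        self.max_retries = max_retries        # assumption: bound not given by the page
        self.timer_deadline: Optional[float] = None
        self.pending: Optional[EapStart] = None
        self.attempts = 0
        self.failed = False

    def start(self, msg: EapStart, now: float) -> None:
        """Step A: send EAP Start and start timing."""
        self.pending, self.attempts, self.failed = msg, 0, False
        self._transmit(now)

    def _transmit(self, now: float) -> None:
        self.attempts += 1
        self.send(self.pending)
        self.timer_deadline = now + self.interval

    def tick(self, now: float) -> None:
        """Step B: the timer expired without EAP-REQ/Identity, so resend (or give up)."""
        if self.timer_deadline is None or now < self.timer_deadline:
            return
        if self.attempts >= 1 + self.max_retries:
            self.failed, self.timer_deadline = True, None
            return
        self._transmit(now)

    def on_eap_req_identity(self, msid: str) -> bool:
        """Judging module: EAP-REQ/Identity for the pending MSID arrived, clear the timer."""
        if self.pending is None or msid != self.pending.msid:
            return False
        self.timer_deadline, self.pending = None, None
        return True


def simulate(drop_first_n: int, interval: float = 1.0, max_retries: int = 3) -> Tuple[int, bool]:
    """Constructed scenario: the first `drop_first_n` EAP Starts are lost on the BS ->
    authentication device link; every delivered one is answered with EAP-REQ/Identity.
    Returns (number of transmissions, whether the exchange completed)."""
    delivered: List[EapStart] = []
    sent = {"n": 0}

    def lossy_link(msg: EapStart) -> None:
        sent["n"] += 1
        if sent["n"] > drop_first_n:
            delivered.append(msg)

    bs = BsEapStartRetransmitter(lossy_link, interval, max_retries)
    bs.start(build_eap_start("MSID-0001", True, 2, 1, False), now=0.0)
    t = 0.0
    while bs.pending is not None and not bs.failed:
        if delivered:                        # authentication device replies EAP-REQ/Identity
            bs.on_eap_req_identity(delivered[-1].msid)
            break
        t += interval
        bs.tick(t)
    return bs.attempts, bs.pending is None and not bs.failed
```

With two lost messages the third transmission gets through and the timer is cleared; with persistent loss the module stops after the initial send plus `max_retries` retransmissions and reports failure instead of retrying forever.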
The device also comprises a second security management module arranged on the authentication device, and further comprises:
a security negotiation parameter sending module, arranged in the first or second security management module on the base station and/or the authentication device, used to transfer between the base station and the authentication device the security negotiation parameters, which include the message authentication code mode, the packet number window size information and/or the PKM version support, and the authorization policy support information.
The device also comprises:
a storage module, arranged in the second security management module on the authentication device, used to record the correspondence between MSID and NAI.
The device also comprises:
an EAP Success message sending module, arranged in the second security management module on the authentication device, used to send the EAP Success message directly to the user terminal.
As can be seen from the technical solution provided above, the invention improves the single EAP authentication process already realized in wireless communication networks, so that the single EAP authentication process can be realized reliably. The invention can therefore effectively improve the security of the services provided by the wireless communication network: on the one hand it can ensure that the operator's network is not subject to illegal attacks, effectively safeguarding the operator's interests; on the other hand it enables the wireless communication network to provide security services worthy of users' trust.
Description of drawings
Fig. 1 is a schematic diagram of the AK context establishment process;
Fig. 2 is a schematic diagram of the EAP authentication process in the prior art;
Fig. 3 is a schematic diagram of the specific implementation of the method of the invention;
Fig. 4 is a schematic structural diagram of the specific implementation of the device of the invention.
Embodiment
In its specific implementation, the invention makes the following improvements to the existing single EAP authentication process:
(1) A retransmission mechanism for the EAP Start message is defined
During the EAP authentication process, the invention defines a retransmission mechanism for the EAP Start message sent by the BS to the authentication device, so that this message is reliably received by the authentication device. The invention also defines the specific content of the EAP-Start message of AUTHRELAY (the authentication relay protocol), for example the PKM Version Support, the Authorization Policy Support and the MSID (user identifier), so that single EAP authentication can be realized on the basis of the defined content of the EAP-Start message.
(2) The content of the SNP-REQ and SNP-RSP messages is defined
In realizing the single EAP authentication process, the SNP (security negotiation parameters) may also be configured on the authentication device, with the authentication device allocating the SNP information to the MSS. If the SNP is configured on the authentication device, the SNP-REQ (SNP request) and SNP-RSP (SNP response) defined by the invention are exchanged; the information content of the SNP-REQ and SNP-RSP messages is: the Message Authentication Code Mode and the PN Window Size.
Based on the defined SNP-REQ and SNP-RSP messages containing the above information, the corresponding process is: after the BS receives the SBC-REQ (subscriber station basic capability request) message sent by the MSS, it sends a security negotiation parameter request (SNP request) message to the authentication device; the authentication device, according to the security negotiation parameters it has configured, selects the corresponding security negotiation parameters for the MSS and returns them to the BS in the SNP response message; after receiving them, the BS sends them to the MSS in the SBC-RSP (subscriber station basic capability response) message.
(3) The parameter information needed in the EAP authentication process is kept on the authentication device
Specifically: the authentication device also needs to be configured to keep the MSID, BSID, PKM version and Authorization Policy Support information, so that it can parse the received EAP messages and process them differently according to the corresponding information. At the same time, in order to confirm the current EAP authentication mode and the current stage, the authentication device also needs to keep the authentication mode (single or double EAP authentication) and an indicator of which EAP authentication is currently in progress.
Therefore, in the invention, after the authentication device receives the Access-Accept message sent by the AAA Server (the AAA server), it can first check its own records, indexed by MSID and BSID; it then judges from the Authorization Policy Support whether single or double EAP authentication is in use, and in the case of double EAP authentication further determines from the indicator of which EAP authentication is in progress whether the current authentication is the first or the second of the two.
(4) The messages transmitted between the BS and the authentication device are defined to carry the MSID
In the invention, so that the EAP-Transfer (EAP transfer) message of AUTHRELAY can encapsulate messages between the BS and the authentication device and actually work, the invention defines the content of the AUTHRELAY EAP-Transfer message, requiring the EAP-Transfer message transmitted between the BS and the authentication device to carry the MSID.
(5) The correspondence between MSID and NAI is recorded on the authentication device
In the invention, the authentication device also needs to record the correspondence between the MSID and the NAI (network access identifier), so that it can identify the MSID corresponding to an NAI and the NAI corresponding to an MSID. This further ensures that, when parsing a received EAP message packet, the authentication device can effectively decide how the currently received message should be processed.
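Improvements (2), (3) and (5) together describe the state the authentication device keeps: the SNP selection, a record per (MSID, BSID) holding PKM version, authorization policy and the authentication-count indicator, and the MSID/NAI mapping that lets an Access-Accept (which carries the NAI) be matched to that record. The following is an added example of that bookkeeping, not code from the patent. The parameter names, the "first value the MSS supports that is also configured" selection rule, the `AuthMode` enumeration and the mapping of the first-authentication indicator to a count of 1 or 2 are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class AuthMode(Enum):
    SINGLE_EAP = 1
    DOUBLE_EAP = 2


@dataclass
class AuthRecord:
    """Per-(MSID, BSID) record kept on the authentication device (improvement (3))."""
    msid: str
    bsid: str
    pkm_version_support: Optional[int] = None
    authorization_policy_support: Optional[AuthMode] = None
    mac_mode: Optional[str] = None          # Message Authentication Code Mode from the SNP
    pn_window_size: Optional[int] = None    # PN Window Size from the SNP
    eap_auth_count: int = 0                 # 1 or 2 under double EAP, 0 otherwise (assumed encoding)
    nai: Optional[str] = None


class Authenticator:
    """Second security management module: SNP selection, records and the MSID/NAI store."""

    def __init__(self, configured_snp: Dict[str, List]):
        self.configured_snp = configured_snp      # e.g. {"mac_mode": [...], "pn_window_size": [...]}
        self.records: Dict[Tuple[str, str], AuthRecord] = {}
        self.key_by_msid: Dict[str, Tuple[str, str]] = {}
        self.msid_by_nai: Dict[str, str] = {}
        self.nai_by_msid: Dict[str, str] = {}

    def _record(self, msid: str, bsid: str) -> AuthRecord:
        rec = self.records.setdefault((msid, bsid), AuthRecord(msid, bsid))
        self.key_by_msid[msid] = (msid, bsid)
        return rec

    def on_snp_req(self, msid: str, bsid: str, supported: Dict[str, List]) -> Dict[str, object]:
        """SNP-REQ (improvement (2)): per parameter, pick the first value the MSS supports
        that is also configured here; the result goes back to the BS in SNP-RSP."""
        chosen: Dict[str, object] = {}
        for name, configured in self.configured_snp.items():
            common = [v for v in supported.get(name, []) if v in configured]
            if not common:
                raise ValueError(f"no common value for {name}")
            chosen[name] = common[0]
        rec = self._record(msid, bsid)
        rec.mac_mode = chosen["mac_mode"]
        rec.pn_window_size = chosen["pn_window_size"]
        return chosen

    def on_eap_start(self, msid: str, bsid: str, pkm_version: Optional[int] = None,
                     policy: Optional[AuthMode] = None, first_eap: Optional[bool] = None) -> AuthRecord:
        """AUTHRELAY EAP-Start: store the negotiated parameters if the message carries them;
        they may be absent because the SNP exchange already supplied them."""
        rec = self._record(msid, bsid)
        if pkm_version is not None:
            rec.pkm_version_support = pkm_version
        if policy is not None:
            rec.authorization_policy_support = policy
        if rec.authorization_policy_support is None:
            raise ValueError("authorization policy unknown: neither SNP exchange nor EAP Start supplied it")
        if rec.authorization_policy_support is AuthMode.DOUBLE_EAP:
            rec.eap_auth_count = 1 if first_eap else 2
        return rec

    def on_eap_rsp_identity(self, msid: str, bsid: str, nai: str) -> None:
        """Improvement (5): record MSID <-> NAI in both directions."""
        self.records[(msid, bsid)].nai = nai
        self.msid_by_nai[nai] = msid
        self.nai_by_msid[msid] = nai

    def on_access_accept(self, nai: str) -> Tuple[str, Optional[int]]:
        """Step C: the Access-Accept names the NAI; recover the MSID, index the record by
        (MSID, BSID) and decide single vs double EAP and, if double, which of the two."""
        msid = self.msid_by_nai[nai]
        rec = self.records[self.key_by_msid[msid]]
        if rec.authorization_policy_support is AuthMode.SINGLE_EAP:
            return ("single", None)
        return ("double", rec.eap_auth_count)
```

The point of keeping both dictionaries is that the RADIUS leg identifies the subscriber by NAI while the AUTHRELAY leg identifies it by MSID; without the mapping the authentication device cannot tell which pending EAP session an Access-Accept belongs to.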
(6) The transfer mode of the EAP-Success message
In the invention, the EAP-Success message sent from the authentication device to the terminal is transferred directly to the MSS by the authentication device, and is no longer passed to the MSS by the BS as in the prior art.
For a further understanding of the invention, the specific implementation of the method of the invention is described below with reference to the drawings.
As shown in Figure 3, the specific implementation of the complete single EAP authentication process provided by the invention comprises the following steps:
Step 31: the MSS and the BS exchange RNG-REQ/RSP (ranging request/response) messages to carry out parameter adjustment; if this succeeds, step 32 is executed.
Step 32: the MSS sends an SBC-REQ message to the BS; the format of the SBC-REQ message follows the definition in the IEEE 802.16e-D12 standard.
Step 33: after the BS receives the SBC-REQ message, it sends the AUTHRELAY SNP-REQ message to the authentication device. This message needs to carry the MSID and the security negotiation parameters supported by the MSS, which comprise: the PKM version support, the authorization policy support, the message authentication code mode and the packet number window size.
Step 34: after the authentication device receives the SNP-REQ message, it selects specific security negotiation parameters for the MSS according to the parameters the BS reported as supported by the MSS; it then replies to the BS with the AUTHRELAY SNP-RSP message, carrying the MSID and the selected security negotiation parameters, which comprise: the PKM version support, the authorization policy support, the message authentication code mode and the packet number window size.
Step 35: the BS sends an SBC-RSP message to the authentication device; the SBC-RSP message follows the definition in IEEE 802.16e-D12.
Step 36: the MSS sends an air-interface PKMv2 PKM-REQ (privacy key management request)/EAP-Start message to the BS, i.e. an EAP Start message, to indicate the start of the EAP authentication process;
This step is optional.
Step 37: after the BS recognizes the air-interface PKMv2 PKM-REQ/EAP-Start message, it sends the AUTHRELAY EAP-Start message to the authentication device;
A retransmission timer is set for this message on the BS. If the BS does not receive the EAP-REQ/Identity message within the timer's timing length after sending this message, it regards the EAP Start message as lost and retransmits it, so as to ensure that the authentication device reliably receives the EAP Start message;
The EAP Start message carries the PKM Version Support and the Authorization Policy Support negotiated in the SBC-REQ/RSP process and reports them to the authentication device; if the policy includes double EAP authentication, it also needs to indicate that this is the first EAP authentication process.
Regarding step 37, it should be noted that if steps 33 and 34 have been carried out, the corresponding information already exists in the authentication device, and there is then no need to carry the two parameters PKM Version Support and Authorization Policy Support in this message; otherwise these two parameters need to be carried so that the authentication device can obtain the relevant parameter information.
Step 38: after the authentication device receives the AUTHRELAY EAP-Start message, it parses it and records the negotiated authorization policy support (i.e. that one EAP authentication is supported), the MSID and the BSID; it then sends an EAP-REQ/Identity (EAP identity request) message to the MSS, asking the MSS to present its identity;
This message is sent from the authentication device to the MSS via the BS. In the exchange between the authentication device and the BS, the message can be encapsulated in the AUTHRELAY EAP-Transfer message, which carries the MSID; in the exchange between the BS and the MSS, the message can be encapsulated in the PKMv2 (privacy key management version 2) PKM-RSP/EAP-Transfer.
Step 39: the MSS parses the EAP-REQ/Identity message and, according to the parsed content, replies to the authentication device with an EAP-RSP/Identity (EAP identity response) message, in which the identity is the NAI information;
Likewise, between the MSS and the BS this message can be encapsulated in the PKMv2 PKM-REQ/EAP-Transfer message, and between the BS and the authentication device it can be encapsulated in the AUTHRELAY/EAP-Transfer message, which carries the MSID.
The authentication device parses the received message, specifically parsing the AUTHRELAY/EAP-Transfer message and then the EAP-RSP/Identity (containing the NAI) message in turn, so as to extract the NAI information, and records the correspondence between MSID and NAI on the authentication device, so that it can determine the NAI corresponding to an MSID and the MSID corresponding to an NAI.
Step 310: the authentication device sends the EAP-RSP/Identity (NAI) message to the AAA Server in a RADIUS Access-Request (Remote Authentication Dial-In User Service access request); thereafter the MSS begins the subsequent EAP process with the AAA Server.
Step 311: the MSS and the AAA Server negotiate the authentication method to use; the candidate methods include the EAP methods EAP-SIM, EAP-AKA, EAP-TLS, EAP-TTLS (EAP with tunneled TLS), PEAP (protected EAP), EAP-MD5, EAP-OTP (EAP one-time password), etc.;
Correspondingly, messages between the MSS and the BS can likewise be encapsulated in the PKMv2 PKM-REQ/EAP-Transfer message, and messages between the BS and the authentication device can be encapsulated in the AUTHRELAY/EAP-Transfer message, which needs to carry the MSID.
Step 312: the MSS and the AAA Server carry out the challenge and authentication process, which can use one-way or mutual authentication;
Likewise, in the corresponding message exchange, messages between the MSS and the BS can be encapsulated in the PKMv2 PKM-REQ/EAP-Transfer, and messages between the BS and the authentication device can be encapsulated in the AUTHRELAY/EAP-Transfer, which carries the MSID information.
Step 313: after the process authentication success of step 311 and step 312 description, AAA Server and MSS use the shared secret that presets or consult respectively, and use same algorithm respectively, generate MSK and EMSK (MSK of expansion);
The generating algorithm of corresponding M SK and EMSK depends on specifically being provided with of operator and realizes;
AAA Server sends EAP-Success (EAP success) message to authentication device, and this message is used the encapsulation of RADIUS Access-Accept (access of remote dial certificate server is accepted) message, simultaneously, also MSK to be passed to authentication device in RADIUS Access-Accept message, and, the NAI of MSS also will be contained in the message, the notice authentication device.
Step 314: authentication device is resolved RADIUS Access-Accept message, resolves EAP EAP-Success message again, and EAP-Success message is directly sent to MSS;
That is to say, among the present invention, be described EAP-Success message to be sent to MSS, and no longer described EAP-Success message sent to MSS, therefore, no longer need to realize the EAP agreement among the present invention on the BS by BS by authentication device;
Equally, between authentication device and BS, can use the encapsulation of AUTHRELAY EAP-Transfer message; Between BS and MSS, can use the encapsulation of PKMv2 PKM-RSP message.
Step 315: The authentication device checks the recorded authorization policy support; finding that this is a single EAP authentication, it generates the PMK context from the MSK and then generates the AK context from the PMK context;
The AK context comprises: AK, AKID, AK Lifetime and AK Sequence Number. If context caching is chosen in the implementation, HMAC/CMAC_PN_U and HMAC/CMAC_PN_D should also be set to zero and stored in the AK context on the authentication device.
Step 316: The authentication device sends an AUTHRELAY AK-Transfer message to the BS carrying the AK context, namely AK, AKID, AK Lifetime and AK Sequence Number; the message must also contain the MSID.
Step 317: The BS replies to the authentication device with an AUTHRELAY AK-Transfer RSP message, indicating that the AUTHRELAY AK-Transfer message has been received; this message contains the MSID.
Step 318: From the received AK context and the MSID, the BS generates the remaining AK context, specifically HMAC/CMAC_KEY_U, HMAC/CMAC_KEY_D, KEK, HMAC/CMAC_PN_U and HMAC/CMAC_PN_D, where the initial values of HMAC/CMAC_PN_U and HMAC/CMAC_PN_D can be set to zero.
Step 319: The MSS generates the MSK and EMSK from the EAP process, generates the PMK context from the MSK, and then generates the AK context from the PMK context.
Note that this step may also take place right after step 312: the MSS does not need to receive the EAP-Success message before executing step 319.
Step 320: Once the AK context is ready on the BS, the SA-TEK (Security Association - Traffic Encryption Key) three-way handshake is initiated.
The present invention also provides a device for realizing the extended authentication protocol in a wireless communication network. In a specific implementation, shown in Figure 4, a first safety management module is arranged in the base station and comprises the following component modules:
(1) EAP start message sending module
This module is arranged in the first safety management module in the base station and is used to send the EAP start message to the authentication device.
(2) Timing retransmission processing module
This module is arranged in the first safety management module in the base station. It starts timing after the base station sends the EAP start message and, when the EAP identity request message from the authentication device has still not been received after the preset time, triggers the EAP start message sending module again. The timing retransmission processing module comprises the following two modules:
Timer: its timing length is the retransmission interval; it starts timing after the base station sends the EAP start message and triggers the EAP start message sending module on expiry;
Judging module: used to judge, after the EAP start message is sent, whether the EAP identity request message has been received, and to clear the timer when that message is received.
(3) Security negotiation parameter sending module
Arranged in the first or second safety management module on the base station and/or the authentication device; used to transmit between the base station and the authentication device the security negotiation parameters, which include the message authentication code mode, the packet number window size information and/or the version support of the key management protocol, and the authorization policy support information.
(4) Storage module
Arranged in the second safety management module on the authentication device; used to record the correspondence between MSID and NAI.
(5) EAP success message sending module
Arranged in the second safety management module on the authentication device; used to send the EAP success message directly to the user terminal.
The device provided by the present invention described above can thus provide reliable EAP authentication.
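The base-station behaviour of modules (1) and (2) above, as an added simulation that is not code from the patent: an EAP start sender, a retransmission timer, and a judging module that clears the timer only when an EAP Identity Request carrying the same MSID arrives. The message class, the retry cap (the text states no limit) and the 0.1 s simulation grid are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AuthRelayMsg:
    """Constructed stand-in for an AUTHRELAY message between BS and authentication device."""
    kind: str          # "EAP-Start" or "EAP-Transfer"
    msid: str          # every AUTHRELAY message in this scheme carries the MSID
    eap_code: str = ""  # for EAP-Transfer, e.g. "Request/Identity"


class BsEapStartModule:
    """BS first safety management module: EAP start sender plus timing retransmission."""

    def __init__(self, msid: str, interval: float, max_sends: int = 3):
        self.msid = msid
        self.interval = interval            # timer length = retransmission interval
        self.max_sends = max_sends          # assumed cap, not stated in the patent
        self.deadline: Optional[float] = None   # None means the timer is cleared
        self.sent: List[AuthRelayMsg] = []
        self.identity_requested = False

    def send_eap_start(self, now: float) -> None:
        """EAP start message sending module: send, then (re)start the timer."""
        self.sent.append(AuthRelayMsg("EAP-Start", self.msid))
        self.deadline = now + self.interval

    def tick(self, now: float) -> None:
        """Timer: on expiry with no Identity Request seen, trigger a retransmission."""
        if self.deadline is None or now < self.deadline:
            return
        if len(self.sent) >= self.max_sends:
            self.deadline = None            # give up; a real BS would raise an alarm here
            return
        self.send_eap_start(now)

    def receive(self, msg: AuthRelayMsg) -> None:
        """Judging module: an Identity Request for this MSID clears the timer."""
        if (msg.kind == "EAP-Transfer" and msg.eap_code == "Request/Identity"
                and msg.msid == self.msid):
            self.identity_requested = True
            self.deadline = None


def simulate(reply_at: Optional[float], reply_msid: str = "MS-01",
             interval: float = 1.0, max_sends: int = 3) -> Tuple[int, bool]:
    """Drive the module on a 0.1 s grid for 5 s; returns (EAP-Starts sent, identity request seen)."""
    bs = BsEapStartModule("MS-01", interval, max_sends)
    bs.send_eap_start(0.0)
    for step in range(1, 51):
        now = step / 10
        if reply_at is not None and abs(now - reply_at) < 1e-9:
            bs.receive(AuthRelayMsg("EAP-Transfer", reply_msid, "Request/Identity"))
        bs.tick(now)
    return len(bs.sent), bs.identity_requested
```

A reply for a different MSID must not clear the timer, which is why the judging module checks the MSID carried in the AUTHRELAY message rather than only the EAP code.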
The above is only a preferred embodiment of the present invention, but the protection scope of the present invention is not limited thereto; any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (17)

1. A method for realizing an extended authentication protocol in a wireless communication network, characterized in that it comprises:
A. the base station sends an Extensible Authentication Protocol EAP start message to the authentication device and starts timing;
B. when, after the preset time has elapsed, the base station has not received the EAP identity request message sent by the authentication device, it sends the EAP start message to the authentication device again.
2. The method according to claim 1, characterized in that, before step A is carried out, it further comprises:
exchanging a security negotiation parameter request message and response message between the base station and the authentication device, the messages carrying the message authentication code mode and/or the packet number window size information.
3. The method according to claim 2, characterized in that the information carried in the security negotiation parameter request and response messages further comprises: the authorization policy support information.
4. The method according to claim 3, characterized in that the information carried in the security negotiation parameter request and response messages further comprises: the version support of the key management protocol.
5. The method according to claim 2, 3 or 4, characterized in that the method further comprises:
configuring on the authentication device at least one of: user identifier MSID, base station identifier BSID, message authentication code mode, packet number window size, authorization policy support and EAP authentication count record.
6. The method according to claim 1, 2, 3 or 4, characterized in that the EAP start message is an EAP start message of the authentication relay protocol and carries the user identifier MSID.
7. The method according to claim 6, characterized in that the method further comprises:
when the authentication device obtains the MSID and the network access identifier NAI of the user terminal, recording the correspondence between the MSID and the NAI on the authentication device.
8. The method according to claim 7, characterized in that the method further comprises:
when the authentication device receives an EAP message packet, parsing the EAP message packet according to the recorded correspondence and performing the corresponding processing according to the information obtained by parsing.
9. The method according to claim 6, characterized in that the method further comprises:
C. after the authentication device receives the access accept Access-Accept message sent by the AAA server AAA Server, it looks up the authorization policy support information in its own recorded information by MSID and BSID index, and determines according to the authorization policy support whether the current EAP authentication is a single EAP authentication or a double EAP authentication.
10. The method according to claim 9, characterized in that step C further comprises:
when a double EAP authentication is determined, further determining according to the EAP authentication count identifier whether the current authentication is the first or the second EAP authentication.
11. The method according to claim 1, 2, 3 or 4, characterized in that the method further comprises:
carrying MSID information in the EAP transfer EAP-Transfer messages of the authentication relay protocol exchanged between the BS and the authentication device.
12. The method according to claim 1, 2, 3 or 4, characterized in that the method further comprises:
the authentication device directly sends an EAP success EAP-Success message to the user terminal.
13. A device for realizing an extended authentication protocol in a wireless communication network, characterized in that it comprises a first safety management module arranged in the base station, this module comprising:
an EAP start message sending module, used to send the EAP start message to the authentication device;
a timing retransmission processing module, used to start timing after the base station sends the EAP start message and, when the EAP identity request message sent by the authentication device has still not been received after the preset time, to trigger the EAP start message sending module again.
14. The device according to claim 13, characterized in that the timing retransmission processing module comprises:
a timer, whose timing length is the retransmission interval, which starts timing after the base station sends the EAP start message and triggers the EAP start message sending module on expiry;
a judging module, used to judge, after the EAP start message is sent, whether the EAP identity request message has been received, and to clear the timer when that message is received.
15. The device according to claim 13 or 14, characterized in that it further comprises a second safety management module arranged on the authentication device, and the device further comprises:
a security negotiation parameter sending module, arranged in the first or second safety management module on the base station and/or the authentication device, used to transmit between the base station and the authentication device the security negotiation parameters, which include the message authentication code mode, the packet number window size information and/or the version support of the key management protocol, and the authorization policy support information.
16. The device according to claim 15, characterized in that it further comprises:
a storage module, arranged in the second safety management module on the authentication device, used to record the correspondence between MSID and NAI.
17. The device according to claim 15, characterized in that it further comprises:
an EAP success message sending module, arranged in the second safety management module on the authentication device, used to send the EAP success message directly to the user terminal.
CNA2006100017563A 2006-01-25 2006-01-25 Method and device for realizing the extension authentication protocol in the wireless communication network Pending CN101009911A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2006100017563A CN101009911A (en) 2006-01-25 2006-01-25 Method and device for realizing the extension authentication protocol in the wireless communication network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2006100017563A CN101009911A (en) 2006-01-25 2006-01-25 Method and device for realizing the extension authentication protocol in the wireless communication network

Publications (1)

Publication Number Publication Date
CN101009911A true CN101009911A (en) 2007-08-01

Family

ID=38697965

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2006100017563A Pending CN101009911A (en) 2006-01-25 2006-01-25 Method and device for realizing the extension authentication protocol in the wireless communication network

Country Status (1)

Country Link
CN (1) CN101009911A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102355652A (en) * 2011-08-01 2012-02-15 大唐移动通信设备有限公司 Method and device for making request of obtaining system information
CN102577460A (en) * 2009-07-06 2012-07-11 英特尔公司 Method and apparatus of deriving security key(s)
CN101790164B (en) * 2010-01-26 2012-10-03 华为终端有限公司 Authentication method, communication system and relevant equipment
CN104079813A (en) * 2013-03-29 2014-10-01 安科智慧城市技术(中国)有限公司 Device and method for remotely setting internet protocol camera

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102577460A (en) * 2009-07-06 2012-07-11 英特尔公司 Method and apparatus of deriving security key(s)
CN102577460B (en) * 2009-07-06 2016-06-29 英特尔公司 The method and apparatus of derivation security key
CN101790164B (en) * 2010-01-26 2012-10-03 华为终端有限公司 Authentication method, communication system and relevant equipment
CN102355652A (en) * 2011-08-01 2012-02-15 大唐移动通信设备有限公司 Method and device for making request of obtaining system information
CN102355652B (en) * 2011-08-01 2014-11-12 大唐移动通信设备有限公司 Method and device for making request of obtaining system information
CN104079813A (en) * 2013-03-29 2014-10-01 安科智慧城市技术(中国)有限公司 Device and method for remotely setting internet protocol camera

Similar Documents

Publication Publication Date Title
KR100704675B1 (en) authentication method and key generating method in wireless portable internet system
US8001381B2 (en) Method and system for mutual authentication of nodes in a wireless communication network
US8627092B2 (en) Asymmetric cryptography for wireless systems
Seddigh et al. Security advances and challenges in 4G wireless networks
US8285990B2 (en) Method and system for authentication confirmation using extensible authentication protocol
EP2702741B1 (en) Authenticating a device in a network
Mun et al. 3G-WLAN interworking: security analysis and new authentication and key agreement based on EAP-AKA
US8397071B2 (en) Generation method and update method of authorization key for mobile communication
KR100924168B1 (en) Method for generating authorization key and method for negotiating authorization in communication system based frequency overlay
CN101405987B (en) Asymmetric cryptography for wireless systems
CN101009910A (en) Method and device for realizing the extended authentication protocol in the wireless network
US8380980B2 (en) System and method for providing security in mobile WiMAX network system
US20050271209A1 (en) AKA sequence number for replay protection in EAP-AKA authentication
Nguyen et al. Enhanced EAP-based pre-authentication for fast and secure inter-ASN handovers in mobile WiMAX networks
US8705734B2 (en) Method and system for authenticating a mobile terminal in a wireless communication system
US20120254615A1 (en) Using a dynamically-generated symmetric key to establish internet protocol security for communications between a mobile subscriber and a supporting wireless communications network
CN101009911A (en) Method and device for realizing the extension authentication protocol in the wireless communication network
KR101286936B1 (en) Prevention of a bidding-down attack in a communication system
Raja et al. Reduced overhead frequent user authentication in EAP-dependent broadband wireless networks
Rengaraju et al. Measuring and analyzing WiMAX security and QoS in testbed experiments
KR20080056055A (en) Communication inter-provider roaming authentication method and key establishment method, and recording medium storing program including the same
KR101451163B1 (en) System and method for access authentication for wireless network
Qachri et al. A formally verified protocol for secure vertical handovers in 4G heterogeneous networks
Bakthavathsalu et al. Management frame attacks in WiMAX networks: Analysis and prevention
Fan et al. Re-Authentication Design for PKMv2 of IEEE 802.16 e Standard

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication