CN101420694A - WAPI-XG1 access and fast switch authentication method - Google Patents

WAPI-XG1 access and fast switch authentication method

Publication number
CN101420694A
Authority
CN
China
Prior art keywords
asue
key
authentication
message
mic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2008102397087A
Other languages
Chinese (zh)
Inventor
马建峰
曹春杰
杨超
刘文菊
王赜
柯永振
时珍全
张艳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianjin Polytechnic University
Xidian University
Original Assignee
Tianjin Polytechnic University
Xidian University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianjin Polytechnic University, Xidian University filed Critical Tianjin Polytechnic University
Priority to CNA2008102397087A priority Critical patent/CN101420694A/en
Publication of CN101420694A publication Critical patent/CN101420694A/en
Pending legal-status Critical Current

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H04W12/069: Authentication using certificates or pre-shared keys
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W84/00: Network topologies
    • H04W84/02: Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10: Small scale networks; Flat hierarchical networks
    • H04W84/12: WLAN [Wireless Local Area Networks]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a WAPI-XG1 access and fast handover authentication method, belonging to the field of wireless communication. The method comprises the following steps: an access authentication protocol is run to establish a connection between an STA and a first AP, establishing the session key shared with the first AP and the key shared with the ASU that is used for fast handover; when the STA moves into the control domain of a second AP, the security association establishment protocol for fast handover and the unicast session key update protocol are run. The method solves the problems that WAPI-XG1 cannot support fast handover and that, in the pre-shared key authentication mode, it cannot guarantee forward secrecy or resist offline dictionary attacks. At the same time, the method does not need to change the authentication framework of WAPI-XG1, and it integrates the certificate-based and shared-key-based authentication modes into one authentication scheme. Furthermore, when a client hands over in the certificate-based authentication mode, it only runs the fast handover security association establishment protocol with the destination access point, without re-authentication or pre-authentication.

Description

A WAPI-XG1 access and fast handover authentication method
Technical field
The invention belongs to the field of wireless communication and specifically relates to a WAPI-XG1 access and fast handover authentication method.
Background art
China's first national standard in the wireless LAN (WLAN) field, GB 15629.11-2003, formally took effect on November 1, 2003; its security solution is called the WLAN Authentication and Privacy Infrastructure (WAPI). In March 2004, the national Broadband Wireless IP Standard working group (BWIPS) of the China IT standardization technical committee (TCST) issued the implementation guide for WAPI, which corrected some security defects of the original national standard WAPI. Considering that different WLAN security solutions (such as IEEE 802.11i) coexist, Lai Xiaolong et al. proposed a new WLAN security solution on the basis of WAPI and its implementation guide, which the Chinese Broadband Wireless IP Standard working group published on July 31, 2006 as the new national standard GB 15629.11-2003/XG1-2006 (WAPI-XG1). The new security scheme consists of the following parts: (1) a certificate-based authentication phase, which completes mutual identity authentication between the access device (Station, STA) and the access point (Access Point, AP) and generates a base key (Base Key, BK) between them; (2) a unicast key agreement phase, in which the STA and the AP use the BK to negotiate a session key; (3) an optional group key announcement phase, in which the AP announces the group key used for group communication. WAPI-XG1 also supports an authentication mode based on a pre-shared key (Pre-Shared Key, PSK); in this mode the PSK serves as the seed of the BK, and the STA and the AP carry out unicast key agreement directly. At the beginning of 2006 the state stipulated that government procurement and public facilities must adopt WAPI. In addition, the 2008 Olympic Games and the National Library will also adopt WAPI networks, and China Mobile is also strongly promoting WAPI.
WAPI-XG1 offers strong security and flexibility. In the authentication phase, public key certificates and signatures provide authentication, and a Diffie-Hellman (DH) exchange provides key agreement. Signature-based DH exchange is a very mature authentication and key agreement technique that has been formally proven. In the unicast key agreement phase, the PSK can serve directly as the seed of the BK for authentication and key agreement based on a pre-shared key. PSK is a very widely used authentication mode in WLANs; it is low-cost and simple to implement, which brings great flexibility to WLAN deployment. In addition, IEEE 802.11i and WAPI-XG1 have the same security authentication framework, so switching between the two authentication modes can easily be implemented under the EAP framework.
Security association during fast handover is a very important problem in WLANs and one that urgently needs solving. IEEE 802.11r, one of the IEEE 802.11 series of standards, is devoted to the fast handover problem in WLANs. The prior art related to the present invention is as follows:
(1) Prior art one: WAPI-XG1
In a basic service set (BSS, Basic Service Set), when an STA associates or re-associates with an AP, mutual identity authentication must be performed (through the authentication service unit, ASU). If authentication succeeds, the AP allows the STA to access the network; otherwise it removes the STA's link verification. WAPI-XG1 mainly concerns the authentication and key agreement protocols, which are of two types: certificate-based authentication and key management, and pre-shared-key-based authentication and key management. It is realized through three processes: certificate authentication, unicast key agreement and multicast key notification. The whole authentication and key agreement process is shown in Figure 1; the three processes are as follows:
(1) WAPI-XG1 authentication protocol
This protocol completes mutual identity authentication between the STA and the AP through the ASU, as shown in Figure 2.
Authentication activation packet: when the STA associates or re-associates with the AP and the ASUE (residing in the STA) and the AE (residing in the AP) choose the certificate authentication and key management method, or when the local policy of the AE requires the certificate authentication process to be run again, or when the AE receives a pre-authentication start packet from the ASUE, the AE sends the challenge SNonce and its own certificate Cert_AE to the ASUE as the authentication activation packet, which activates the ASUE to perform mutual certificate authentication.
Access authentication request packet: after receiving the authentication activation packet sent by the AE, the ASUE generates the ephemeral private key x and the ephemeral public key xP used for the elliptic curve DH (ECDH) exchange, and the random number N_ASUE; together with its own certificate Cert_ASUE, the AE challenge SNonce and the signature Sig_ASUE, these make up the access authentication request packet. Here Sig_ASUE is the ASUE's signature over SNonce, N_ASUE, xP and Cert_ASUE.
Certificate authentication request packet: after receiving the access authentication request packet sent by the ASUE, the AE checks the validity of SNonce and Sig_ASUE. After the check passes, the AE generates the random number N_AE and constructs the certificate authentication request packet as shown in Figure 2. Here ADDID is the MAC addresses of the STA and the AP.
Certificate authentication response packet: after receiving the certificate authentication request packet, the ASU verifies the certificate of the AE and the certificate of the ASUE, constructs the certificate authentication response packet according to the verification result Res for the two certificates, appends the corresponding signature Sig_ASU, and sends it to the AE.
Access authentication response packet: after receiving the certificate authentication response packet, the AE checks the validity of the random number N_AE and the signature Sig_ASU. After verification passes, it generates the ephemeral private key y and the ephemeral public key yP used for the ECDH exchange, performs the ECDH computation with its own ephemeral private key y and the ASUE's ephemeral public key xP to obtain the key seed xyP, and expands the seed with the key derivation algorithm KD-HMAC-SHA256, that is, it generates the base key BK by BK = KD-HMAC-SHA256(xyP, N_AE | N_ASUE). It then sets the access result to success.
After receiving the access authentication response packet, the ASUE verifies the validity of the random number N_ASUE, the signatures Sig_ASUE and Sig_ASUE, and the certificate verification result Res. After verification passes, it performs the ECDH computation with its own ephemeral private key x and the AE's ephemeral public key yP to obtain the key seed xyP, and expands the seed with the key derivation algorithm KD-HMAC-SHA256, that is, it generates the base key BK by BK = KD-HMAC-SHA256(xyP, N_AE | N_ASUE). At this point the AE and the ASUE have established the base key security association.
(2) Unicast key agreement protocol
On the basis of the certificate authentication protocol, this protocol negotiates not only the key that protects unicast data in the session between the AP and the STA, but also the protection key and the authentication key for the multicast key used during the session, as shown in Figure 3.
Unicast key agreement request packet: after a valid base key security association has been established, the AE sends a unicast key agreement request packet to the ASUE to begin unicast key agreement with it. The packet contains the base key identifier BKID, the MAC addresses ADDID of the ASUE and the AE, and the AE challenge N_1.
Unicast key agreement response packet: after receiving the unicast key agreement request packet sent by the AE, the ASUE uses a random number generator to produce the ASUE challenge N_2. It then uses the base key BK, the AE challenge N_1 and the ASUE challenge N_2 with the key derivation algorithm KD-HMAC-SHA256, that is, UMK = KD-HMAC-SHA256(BK, ADDID|N_1|N_2), to generate the unicast session master key UMK, and expands it to generate the unicast session key USK (comprising the unicast data encryption key UEK, the unicast data authentication key UTK, the multicast key encryption key KEK and the protocol message authentication key MAK). It uses this key to compute the message authentication code MIC_ASUE = HMAC-SHA256(MAK, BKID|ADDID|N_1|N_2), constructs the unicast key agreement response packet and sends it to the AE.
Unicast key agreement confirm packet: after receiving the unicast key agreement response packet, the AE checks whether the AE challenge N_1 is correct; if so, it generates the unicast session key in the same way, using the base key BK, the AE challenge N_1, the ASUE challenge N_2 and the algorithm KD-HMAC-SHA256. It then verifies the message authentication code MIC_ASUE in the unicast key agreement response packet; if verification passes, it computes MIC_AE = HMAC-SHA256(MAK, BKID|ADDID|N_2), constructs the unicast key agreement confirm packet and sends it to the ASUE.
After receiving the AE's unicast key agreement confirm packet, the ASUE verifies that the ASUE challenge N_2 matches the value it sent in the unicast key agreement response packet and that the message authentication code in the confirm packet is valid. If verification passes, it proceeds to the next step; otherwise it removes the link verification.
(3) Multicast key notification process
This sub-process builds on the unicast key agreement sub-process and completes the announcement of the AP's multicast key, as shown in Figure 4.
Multicast key notification packet: after unicast key agreement succeeds, the AP encrypts the multicast master key, produced by a random number generation algorithm, with the negotiated multicast key encryption key KEK, and announces the multicast key to the STA in the multicast key notification packet. Here USKID is the unicast session key identifier, the random number Knonce is the key announcement identifier, KDE is the multicast key encrypted with KEK, and MIC_1 = HMAC-SHA256(MAK, USKID|ADDID|KDE|Knonce).
Multicast key response packet: after receiving the multicast key notification packet sent by the AE, the ASUE uses the message authentication key identified by USKID to verify the validity of MIC_1. After verification passes, it decrypts KDE to obtain the multicast master key and expands it to generate the multicast encryption key and the integrity check key. It then computes MIC_2 = HMAC-SHA256(MAK, USKID|ADDID|Knonce), generates the multicast key response packet and sends it to the AE, and at the same time sets the state of the controlled port to On.
After receiving the multicast key response packet sent by the ASUE, the AE uses the message authentication key identified by USKID to verify the validity of MIC_2 and Knonce. After verification passes, it sets the state of the controlled port to On.
After the three sub-processes complete successfully, both sides open their controlled ports, allowing communication data to be transmitted under the protection of the negotiated unicast key or the announced multicast key.
The shortcoming of prior art one is as follows. Security association during fast handover is a very important problem in WLANs and one that urgently needs solving. At present, however, WAPI-XG1 has no effective solution for the security association part of fast handover; the security association for fast handover is instead established through pre-authentication or re-authentication. In practice, the movement path of an STA is uncertain, so pre-authentication is not very effective. Re-authentication is therefore the only option, but its cost is that the current service must be interrupted and can continue only after a long delay, once the complete authentication process has succeeded. The delay introduced by re-authentication is intolerable for some real-time services. The main reason why WAPI-XG1 and its series of standards cannot establish security management during fast handover is that, when the STA accesses the WLAN, it authenticates and negotiates a session key with the AP, and this cannot produce a key for establishing a security association during fast handover (a handover key). Of the three kinds of entities in a WLAN (STA, AP, ASU), the only entity that can support the STA in establishing security associations while it moves quickly between different APs is the ASU. WAPI-XG1 therefore needs to be improved so that a handover key can be established between the STA and the ASU, thereby better supporting fast handover.
In addition, the PSK-based authentication protocol in WAPI-XG1 cannot guarantee forward secrecy (PFS). Forward secrecy means that a session key established on the basis of a long-term key remains secure even if the long-term key is exposed. It is a very important security property of key agreement protocols. As Table 1 shows, a simple attack demonstrates that the PSK-based authentication mode in WAPI-XG1 does not satisfy forward secrecy. The direct result is the exposure of session keys. All data previously transmitted between the STA and the AP can then be decrypted, and data transmitted between the STA and the AP afterwards will also be cracked. The consequences are even more serious with an active attacker, because losing the long-term key means the entity is completely compromised: the active attacker can forge and tamper with all data between the STA and the AP.
Figure A200810239708D00131
Table 1
In addition, when a password is used as the PSK, the information intercepted in the above attack is enough to carry out an offline dictionary attack. This is a critical problem, because a password of more than 20 characters is very hard for a person to remember, and a random string used as a password is both hard to remember and often causes errors when configuring the network. The probability that the password appears in a dictionary is therefore high. In actual WLAN configurations, a single password is normally used across the whole extended service set (ESS). Many current WLAN products also allow only a single password to be configured, so each STA cannot share a different password with the AP. In that case, to obtain the session key of a given STA and AP, an attacker only needs to passively eavesdrop on the protocol messages to obtain the two MAC addresses (ADDID) and the nonces (N_1, N_2), and then compute the required session key by the formula UEK|UTK|MAK|KEK = KD-HMAC-SHA256(PSK, ADDID|N_1|N_2). Although each STA in the ESS performs key agreement with its AP to obtain a session key, this protocol interaction is meaningless, because every STA or AP in the ESS can obtain the other unicast session keys in the ESS in the way described above. Therefore, once an attacker obtains the PSK, the whole ESS is compromised.
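The unicast key agreement exchange described earlier and the PSK-mode weakness in the paragraph above, worked through as an added Python example that is not part of the patent text or of any WAPI implementation. Assumptions: `kd_hmac_sha256` is a counter-mode HMAC-SHA256 stand-in for the standard's KD-HMAC-SHA256, and the USK expansion label, the 16-byte key lengths, the BKID derivation, the 32-byte challenges and all function names are illustrative.

```python
import hashlib
import hmac
import os


def kd_hmac_sha256(key, data, length):
    # ASSUMPTION: stand-in for KD-HMAC-SHA256 (HMAC-SHA256 in counter mode);
    # the page names the algorithm but does not define it.
    out, counter = b"", 1
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big") + data, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_usk(bk, addid, n1, n2):
    # UMK = KD-HMAC-SHA256(BK, ADDID|N1|N2), then expanded into the USK parts.
    umk = kd_hmac_sha256(bk, addid + n1 + n2, 32)
    usk = kd_hmac_sha256(umk, b"assumed-usk-expansion-label", 64)  # assumed label
    names = ("UEK", "UTK", "KEK", "MAK")  # assumed: 16 bytes each
    return {name: usk[i * 16:(i + 1) * 16] for i, name in enumerate(names)}


def mic(mak, *fields):
    # All fields are fixed-length here, so plain concatenation is unambiguous.
    return hmac.new(mak, b"".join(fields), hashlib.sha256).digest()


def ae_request(bkid, addid):
    # Message 1, AE -> ASUE: BKID, ADDID and the AE challenge N1.
    return {"BKID": bkid, "ADDID": addid, "N1": os.urandom(32)}


def asue_respond(bk, req):
    # Message 2, ASUE -> AE: adds N2 and MIC_ASUE over BKID|ADDID|N1|N2.
    n2 = os.urandom(32)
    keys = derive_usk(bk, req["ADDID"], req["N1"], n2)
    tag = mic(keys["MAK"], req["BKID"], req["ADDID"], req["N1"], n2)
    return keys, {**req, "N2": n2, "MIC": tag}


def ae_confirm(bk, req, resp):
    # AE checks N1 and MIC_ASUE, then builds message 3 with MIC_AE.
    if resp["N1"] != req["N1"]:
        raise ValueError("N1 does not match the challenge the AE sent")
    keys = derive_usk(bk, req["ADDID"], req["N1"], resp["N2"])
    want = mic(keys["MAK"], req["BKID"], req["ADDID"], req["N1"], resp["N2"])
    if not hmac.compare_digest(want, resp["MIC"]):
        raise ValueError("MIC_ASUE is invalid")
    tag = mic(keys["MAK"], req["BKID"], req["ADDID"], resp["N2"])
    return keys, {"BKID": req["BKID"], "ADDID": req["ADDID"], "N2": resp["N2"], "MIC": tag}


def asue_check_confirm(keys, resp, conf):
    # ASUE checks that N2 is the value it sent and that MIC_AE verifies.
    want = mic(keys["MAK"], conf["BKID"], conf["ADDID"], conf["N2"])
    if conf["N2"] != resp["N2"] or not hmac.compare_digest(want, conf["MIC"]):
        raise ValueError("confirm packet rejected")
    return True


def handshake(bk, addid):
    bkid = kd_hmac_sha256(bk, b"assumed-bkid-label" + addid, 16)  # assumed BKID
    req = ae_request(bkid, addid)
    asue_keys, resp = asue_respond(bk, req)
    ae_keys, conf = ae_confirm(bk, req, resp)
    ok = asue_check_confirm(asue_keys, resp, conf) and ae_keys == asue_keys
    return ok, asue_keys, req, resp


def keys_from_transcript(long_term_key, req, resp):
    # Uses only a long-term key plus fields that crossed the air in the clear.
    return derive_usk(long_term_key, req["ADDID"], req["N1"], resp["N2"])


def run_demo():
    psk = b"constructed ESS-wide PSK"                   # constructed sample value
    addid = bytes.fromhex("02000000000a02000000000b")   # constructed MAC pair
    # PSK mode: the PSK takes the place of BK, as in the page's formula.
    ok, keys, req, resp = handshake(psk, addid)
    recomputed = keys_from_transcript(psk, req, resp) == keys
    try:  # a response whose N2 was altered in transit must fail the MIC check
        ae_confirm(psk, req, {**resp, "N2": bytes(32)})
        rejected = False
    except ValueError:
        rejected = True
    # Certificate mode: BK comes from the ephemeral ECDH seed xyP; a random
    # value stands in for it here, since x and y never appear in any message.
    _, eph_keys, req2, resp2 = handshake(os.urandom(16), addid)
    eph_recomputed = keys_from_transcript(psk, req2, resp2) == eph_keys
    return {"handshake_ok": ok, "psk_holder_recomputes_keys": recomputed,
            "tampered_n2_rejected": rejected, "ephemeral_bk_recomputable": eph_recomputed}


if __name__ == "__main__":
    print(run_demo())
```

The second result is the forward-secrecy gap in concrete form: in PSK mode every input to the key derivation other than the PSK is visible in the exchange, so the session keys are a function of the long-term key alone.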
(2) Prior art two: another security solution in WLANs is IEEE 802.11i, with IEEE 802.11r used to solve the fast handover problem for mobile devices; access authentication during fast handover is completed by the four-way handshake protocol defined in 11i.
IEEE 802.11i is the amendment that IEEE developed to remedy the weak security and encryption function of 802.11 (WEP, Wired Equivalent Privacy); it was completed in July 2004. It defines the new AES-based cryptographic protocol CCMP (CTR with CBC-MAC Protocol) and the cryptographic protocol TKIP (Temporal Key Integrity Protocol), which remains compatible with RC4. In a WLAN, user access authentication is based on 802.1x-EAP; Figure 5 shows the steps that a user preparing to access the current WLAN must complete. The user acts as the Supplicant and the access point as the Authenticator.
In the authentication and key management of IEEE 802.11i, after the mobile user (STA) and the wireless access point (AP) obtain the shared pairwise master key (PMK, Pairwise Master Key), they must run the four-way handshake protocol (4-way handshake, abbreviated 4WHS) to carry out session key confirmation, key agreement and related work. The four-way handshake protocol plays an important role in authentication, key agreement and key management. In addition, when a mobile user hands over between networks, this protocol allows new authentication and key agreement to be completed with less time and overhead.
In the IEEE 802.11i authentication process, after the STA has passed 802.1x authentication, the AP obtains the same Session Key as the STA, and the AP and the STA use this Session Key as the PMK (in the pre-shared key mode, the PSK is the PMK). The AP and the STA then carry out the four-step handshake through EAPOL-KEY, as shown in Figure 6. This protocol also serves as the secure access protocol during fast handover. In this process, the AP and the STA each confirm whether the other holds a PMK consistent with their own; if not, the four-step handshake fails. To guarantee the integrity of transmission, MAC-based authentication is used in the handshake. During the four-step handshake, the AP and the STA negotiate and compute a 512-bit PTK (Pairwise Transient Key) and split this PTK into keys for various purposes.
The shortcomings of prior art two are: (1) IEEE 802.11i/11r and WAPI are completely different security standards. The secure access protocol of 11r addresses handover in WLANs based on IEEE 802.11 technology; it uses the key hierarchy of 802.11i and the security fields that 802.11i defines, and is incompatible with the authentication protocols of WAPI. Using this protocol to solve the handover problem in WAPI would require fundamental changes to WAPI, and the loss would outweigh the gain. 11i and 11r therefore cannot be used to solve WAPI's problem. (2) The four-way handshake protocol cannot guarantee forward secrecy. The four-way handshake protocol has three purposes: negotiating the session key PTK between the STA and the AP; performing access authentication and key agreement between the STA and the AP when the pre-shared-key-based authentication mode is used; and access authentication when a terminal hands over quickly. But all messages in this protocol are transmitted in plaintext, including the random numbers used to generate the session key. So in the second case, once the long-term pre-shared key is lost, the direct result is the exposure of all session keys, and all data transmitted between the STA and the AP, past and even future, can be decrypted. The consequences are even more serious with an active attacker, because losing the long-term key means the entity is completely compromised: the active attacker can forge and tamper with all data between the STA and the AP. (3) Authentication and key agreement are inefficient. In the 802.11i system, secure access authentication of the STA is divided into two phases: the authentication and PMK key agreement phase between the STA and the AS, and the authentication and PTK key agreement phase between the STA and the AP. The two phases are completed by different security protocols, and in the first phase the wireless access point AP only relays messages and does not take part in running the protocol. But judging from the access authentication goal of WLANs and the authentication result that IEEE 802.11i finally achieves, secure WLAN access needs to complete authentication between the STA and the AS and between the STA and the AP. This goal could therefore be achieved entirely by a single three-party protocol, which would greatly reduce the complexity of protocol design, shorten terminal access delay and improve access efficiency. (4) There is no effective user identity protection mechanism. Of all the EAP authentication methods of 802.11i, EAP-TLS is the most widely used, but it cannot protect the user's identity information. PEAP authenticates the user after an encrypted channel has been set up by EAP-TLS, so PEAP can protect user identity information, but it is inefficient. 802.11i therefore lacks an effective user identity protection mechanism. In wireless networks, because users are highly mobile, the identity information and access history of mobile users are especially important and urgently need protection. (5) IEEE 802.11i and 11r also have some other problems, such as the security of management frames, DoS attacks on the four-step handshake, and the lack of a failure recovery mechanism.
(3) Prior art three: an authentication method for fast handover in a wireless LAN
This method, proposed by Samsung in 2003, authenticates a mobile node in a wireless LAN. The wireless LAN comprises at least two access points and an authentication server. When the mobile node associates with a first access point and performs initial authentication, the mobile node receives from the authentication server a first session key for secure communication by using a first private key generated from a secret previously shared with the authentication server, and the first access point receives the first session key from the authentication server by using a second private key previously shared with the authentication server. When the mobile node hands over from the first access point to a second access point and performs re-authentication, the mobile node receives from the authentication server a second session key for secure communication by using a third private key, which is generated from authentication information produced during the previous authentication and shared with the authentication server, and the second access point receives the second session key from the authentication server by using the second private key previously shared with the authentication server.
The specific method is as follows. In a wireless environment, a mobile node roams from one place to another; for the security and continuity of seamless communication, it is necessary to reduce the signalling load required by the layer 2 and layer 3 management signals and by mutual authentication between the network and the mobile node. In particular, this scheme concerns reducing the signalling load required for authentication between the network and the mobile node after association. The notation of the scheme is as follows:
S: the secret shared by the mobile node and the authentication server;
E_k: symmetric key cipher algorithm using k as the private key between the mobile node and the authentication server;
E_k_AP: symmetric key cipher algorithm using the private key k_AP shared by the access point and the authentication server;
H(): hash function;
Sk: session key for secure communication between the mobile node and the access point;
TID: temporary identifier;
PID: persistent identifier;
nonce: random number generated by the mobile node.
Suppose the authentication performed at the first access point that the mobile node initially accesses is defined as initial authentication (i = 0, where i is the index identifying the authentication), and the authentication performed at an access point that the mobile node subsequently accesses because of handover is defined as re-authentication (i ≠ 0). In this case, of the information the authentication process requires, E_k_AP, H() and PID are constant, whereas E_k, Sk, TID and nonce change with each authentication.
Figure 7 is the message flow chart of the initial authentication operation. Here the authentication server denotes the local authentication server to which the mobile node belongs; if the mobile node is in a visited region, the authentication process is performed by an external authentication server. In addition, the authentication server shares the private key k_AP with the access points associated with it, for communication between them.
After the mobile node MN is powered on, it sets up a wireless association with the first access point AP1 it detects, and then performs pre-authentication with the authentication server AS. Pre-authentication is required when the mobile node communicates with the authentication server, and can use a password entered by the user, the user's biometric information (iris or fingerprint information), a smart card and so on. This pre-authentication can be completed according to known authentication protocols. Through pre-authentication the mobile node and the authentication server share the secret S. Using the hash function H with the secret S as input, the mobile node and the authentication server obtain the private key k0 = H(S) used for messages between them.
After pre-authentication is complete, the mobile node generates the authentication information to be used in the next authentication request, namely the temporary identifier TID1, the password Y1 and the random number nonce1. It then encrypts the generated authentication information with the private key k0, producing the encrypted message B0 = E_k0(TID1, Y1, nonce1). To request authentication, the encrypted message B0 is sent to the authentication server AS through the access point AP1. At this point, in step 200, the persistent identifier PID of the mobile node can be sent together with the encrypted message B0.
After receiving the encrypted message B0, the authentication server AS decrypts it with the private key k0 and stores the temporary identifier TID1 and the password Y1, taken from the authentication information obtained by decryption, in the database associated with the mobile node, for use in the next authentication. In addition, the authentication server AS generates the session key Sk0, which is used to encrypt data packets from the mobile node, and then encrypts the generated session key Sk0 and the random number nonce1 obtained from B0 with the private key k0, producing the encrypted message A0 = E_k0(nonce1, Sk0). The encrypted message A0 is generated to permit authentication of the mobile node and to deliver the session key Sk0. When a shorter authentication process is desired, the random number nonce1 can be removed from the encrypted message A0.
In addition, the authentication server AS generates the encrypted message P0 = E_k_AP(Sk0, nonce1, PID) by encrypting the generated session key Sk0, the random number nonce1 obtained from the encrypted message B0 and the persistent identifier PID of the mobile node with the private key k_AP used for communication with the access point; if desired, the random number nonce1 and the persistent identifier PID can be removed from the encrypted message P0. The encrypted message P0 notifies the access point that authentication of the mobile node is permitted and delivers the session key Sk0 to the access point; all access points connected to the authentication server AS necessarily hold the private key k_AP. In step 210, the encrypted messages A0 and P0 are sent to the access point AP1.
The access point AP1 decrypts the encrypted message P0 with the private key k_AP that it shares with the authentication server AS, and stores the persistent identifier PID and the session key Sk0 obtained from the decryption result. Then, in step 220, the access point sends the encrypted message A0 to the mobile node.
The mobile node MN obtains the random number nonce1 and the session key Sk0 by decrypting the encrypted message A0 with the private key k0. If the random number nonce1 obtained from the decryption result is identical to the random number generated in step 200, the mobile node MN determines that the session key Sk0 obtained from the decryption result is valid and uses it for secure communication. When a shorter authentication process is desired, in step 230, the mobile node MN uses the session key Sk0 without comparing the random numbers.
Fig. 8 is a message flow chart of the re-verification operation performed when, after the initial association, the mobile node attempts to re-associate with a new access point because of a handover. As before, it is assumed that the mobile node performs the verification procedure directly with the local authentication server in the local area, and that the authentication server and the access points associated with it share the private key k_AP used for communication between them.
When mobile node MN attaches to the second access point AP2 because of a handover, it obtains the private key k1 = H(Y1) used for exchanging messages with the authentication server by feeding the password Y1, produced during the previous verification with access point AP1, into the hash function. The mobile node MN also produces the verification information to be used in the next verification request, namely the temporary identifier TID2, the password Y2 and the random number nonce2, and then uses the private key k1 to encrypt this verification information together with the temporary identifier TID1 produced during the previous verification, yielding the encrypted message B1 = E_k1(TID1, TID2, Y2, nonce2). The encrypted message B1 is sent with the temporary identifier TID1 to the authentication server AS through access point AP2. If necessary, in step 240, the previous temporary identifier TID may also be sent unencrypted with the encrypted message B1.
After receiving the encrypted message B1, the authentication server AS obtains the private key k1 = H(Y1) used for exchanging messages with the mobile node by feeding the password Y1, received during the previous verification, into the hash function. The authentication server AS decrypts the received encrypted message B1 with the private key k1 and stores the temporary identifier TID2 and the password Y2 of the verification information obtained from the decryption result in the database entry for the mobile node.
In addition, the authentication server AS generates the session key Sk1 used to encrypt data packets from the mobile node, and then uses the private key k1 to encrypt the generated session key Sk1 and the random number nonce2 obtained from the encrypted message B1, yielding the encrypted message A1 = E_k1(nonce2, Sk1). The encrypted message A1 may omit the random number nonce2. The authentication server AS also uses the private key k_AP, used for communicating with the access point, to encrypt the generated session key Sk1, the random number nonce2 obtained from the encrypted message B1 and the previous temporary identifier TID1, yielding the encrypted message P1 = E_k_AP(Sk1, nonce2, TID1). In other cases, the encrypted message P1 does not include the random number nonce2 and the previous temporary identifier TID1. In step 250, the encrypted messages A1 and P1 are sent to access point AP2.
Access point AP2 uses the private key k_AP shared with the authentication server AS to decrypt the encrypted message P1, and stores the temporary identifier TID1 of the mobile node and the session key Sk1 obtained from the decryption result. Then, in step 260, access point AP2 sends the encrypted message A1 to the mobile node.
Mobile node MN decrypts the encrypted message A1 with the private key k1 and obtains the random number nonce2 and the session key Sk1. If the random number nonce2 obtained from the decryption result is identical to the random number generated in step 240, the mobile node MN determines that the session key Sk1 obtained from the decryption result is valid and uses it for secure communication. When a shorter verification procedure is desired, in step 270 the mobile node MN uses the session key Sk1 instead of comparing the random numbers.
When the mobile node hands over successively to a third and a fourth access point, verification is completed by the same process as described above. In this way, the access point obtains the session key needed for data communication with the mobile node without the burden of performing verification with another node.
The shortcomings of prior art 3 are as follows.
(1) This scheme and WAPI are entirely different security schemes. WAPI is based on PKI and elliptic curve cryptography, whereas this scheme does not support PKI and is based on symmetric cryptography; the two adopt entirely different security frameworks. The scheme therefore cannot be used to solve the problems present in WAPI-XG1.
(2) The pre-authentication method is rather complex. Because of the various problems of PKI, the pre-authentication procedure of this scheme relies on identification by biometric information, passwords and the like. Current biometric authentication places high demands on the terminal, increases terminal cost and is not yet widely used, and its implementation difficulty relative to PKI is also considerable. Password-based authentication offers a low security level and is rather complex to manage, and is mainly used in small WLANs.
(3) Man-in-the-middle attack. In the initial authentication protocol proposed by this scheme, the mobile terminal initiates the challenge and the AS then responds, which completes the access authentication procedure. This is an asymmetric authentication structure: the authentication server cannot confirm that the client initiating the challenge is legitimate. A simple example: a rogue AP can claim to provide access service to a terminal, intercept the authentication request of that terminal and forward it to the authentication server, after which the authentication server updates the related information. When the original legitimate terminal then requests network access, it uses out-of-date data and cannot access the network.
(4) Lack of integrity protection. In the initial authentication protocol and the handover authentication protocol proposed by this scheme, all messages are encrypted but carry no integrity protection; any modification of a message by an attacker makes the keys held by the server and the user inconsistent, after which normal communication is no longer possible.
(5) K0 is a long-term shared secret key, so the scheme likewise has a forward secrecy problem. The key seeds used by the protocols of the scheme are all sent encrypted under K0. Therefore, once K0 is lost, all session keys are revealed.
(6) The AS must take part in handover, so the delay is large. On handover, the handover key has to be requested from the authentication server, which may be far from the current AP with a large communication delay; this greatly affects fast handover.
The above analysis shows that there is at present no effective solution for the fast-handover security association part of WAPI-XG1.
Summary of the invention
The object of the invention is to solve the problems in the above prior art by providing, on the basis of WAPI-XG1, a method for establishing security associations during fast handover, aimed at the fast handover problem in WLANs under the WAPI family of standards. In addition, the PSK-based authentication mode of WAPI-XG1 cannot guarantee forward secrecy, which allows an attacker to decrypt all earlier and later messages. When a password is used as the PSK, the threat of offline dictionary attack is also considerable. The invention therefore proposes an improved access authentication scheme on the basis of WAPI-XG1 that effectively solves these problems while remaining compatible with other schemes.
The present invention is achieved by the following technical solutions:
A WAPI-XG1 access and fast handover authentication method. The entities involved in the method are the wireless access point AP, the wireless mobile node STA, the authentication service unit ASU and the trusted authentication equipment TAE. The trusted authentication equipment TAE manages the wireless access points AP around it and is itself managed by the authentication service unit ASU. An authenticator entity AE resides on the wireless access point AP, and an authentication supplicant entity ASUE resides on the wireless mobile node STA. The method comprises:
(1) an access authentication protocol, which establishes the connection between the STA and the AP: the STA establishes a session key with the first AP and establishes with the ASU the key used for fast handover. The access authentication protocol uses an ECDH (elliptic-curve Diffie-Hellman) exchange to generate a new session key;
(2) when the STA moves into the control domain of a second AP: if the access authentication protocol was run in certificate authentication mode, the fast-handover security association establishment protocol is run; if it was run in pre-shared key mode, the access authentication protocol is run again;
(3) when a unicast session key is exposed, the unicast session key update protocol is run.
The access authentication protocol supports both the certificate-based authentication mode and the pre-shared-key-based authentication mode, and comprises:
(11) an authentication and key agreement step;
(12) an optional multicast key notification step, identical to the multicast key notification step of WAPI-XG1.
The access authentication protocol supports the certificate-based and the pre-shared-key-based authentication mode at the same time; the only difference between the two is the way the authentication field is generated.
Specifically, the access authentication protocol in certificate authentication mode uses the SIG-MAC authentication method, and its authentication and key agreement step comprises the following message exchange:
a. Authentication activation message: the AE generates the temporary private key y and the temporary public key yP for the ECDH exchange and the random number N_AE. It then sends the one-time challenge value SNonce, the one-time random number N_AE, the ECDH public parameter yP, its own identity ID_AE, the public parameter zP of the ASU and its own certificate Cert_AE to the ASUE as the authentication activation message, activating the ASUE to perform bidirectional certificate authentication;
b. Access authentication request message: after receiving the authentication activation message sent by the AE, the ASUE generates the temporary private key x and the temporary public key xP for the ECDH exchange and the random number N_ASUE. It then computes and expands the unicast session key USK (UEK, UTK, KEK and MAK) and the fast handover key HK, and at the same time produces the authentication information Auth_ASUE and the message authentication codes MIC_ASUE-ASU and MIC_ASUE-AE. It then sends SNonce, the random numbers N_ASUE and N_AE, the temporary public key xP, the identity ID_AE of the AE and its own identity ID_ASUE, together with its own certificate Cert_ASUE, the authentication field Auth_ASUE and the message authentication codes MIC_ASUE-ASU and MIC_ASUE-AE, to the AE as the access authentication request message;
c. Certificate authentication request message: after receiving the access authentication request message sent by the ASUE, the AE checks the validity of SNonce, generates USK in the same way, and verifies the validity of MIC_ASUE-AE and Auth_ASUE. After all checks have passed, the AE constructs the certificate authentication request message and sends it to the ASU. The certificate authentication request message comprises ADDID, SNonce, N_ASUE, N_AE, xP, Cert_ASUE, Cert_AE and MIC_ASUE-ASU, where ADDID is the MAC address of the STA and the AP;
d. Certificate authentication response message: after receiving the certificate authentication request message, the ASU verifies the certificate of the AE and the certificate of the ASUE and produces the verification results Res_ASUE and Res_AE respectively. It then computes HK in the same way as the ASUE and verifies the validity of MIC_ASUE-ASU. After verification passes, it constructs the certificate authentication response message and sends it to the AE. The certificate authentication response message comprises ADDID, N_ASUE, N_AE, Res_ASUE, Res_AE, Sig_ASU and MIC_ASUE-ASU,
where Sig_ASU is the ECC-based signature over the message M_2 = ADDID|N_ASUE|N_AE|Res_ASUE|Res_AE, and MIC_ASU = HMAC-SHA256(HK, M_2|Sig_ASU);
e. Access authentication response message: after receiving the certificate authentication response message, the AE checks the validity of the random number N_AE, the certificate verification result Res and the signature Sig_ASU. After verification passes, it computes USK in the same way as the ASUE and produces the authentication information Auth_AE and the message authentication code MIC_AE. It then sends the random number N_ASUE, the ASUE identity ID_ASUE, the AE identity ID_AE, the certificate verification results Res_ASUE and Res_AE, the ASU signature Sig_ASU and MIC_ASU, together with its own authentication field Auth_AE and message authentication code MIC_AE, to the ASUE as the access authentication response message, and then sets the access result to success. As required, the access authentication response message may optionally carry the group key NMK encrypted with KEK;
f. After receiving the access authentication response message, the ASUE verifies the validity of the random number N_ASUE, the certificate verification results Res_ASUE and Res_AE, the signature Sig_ASU, Auth_AE and the message authentication codes MIC_ASU and MIC_AE. If verification passes, the AE and the ASUE have established a security association.
For the access authentication protocol in pre-shared key authentication mode, the authentication and key agreement step comprises the following message exchange:
a. Authentication activation message: the AE generates the temporary private key y and the temporary public key yP for the ECDH exchange and the random number N_AE. It then sends the one-time challenge value SNonce, the one-time random number N_AE, the ECDH public parameter yP and its own identity ID_AE to the ASUE as the authentication activation message, activating the ASUE to perform bidirectional authentication;
b. Access authentication request message: after receiving the authentication activation message sent by the AE, the ASUE generates the temporary private key x and the temporary public key xP for the ECDH exchange and the random number N_ASUE. It then computes and expands the unicast session key USK (UEK, UTK, KEK and MAK), and at the same time produces the authentication information Auth_ASUE and the message authentication code MIC_ASUE-AE. It then sends SNonce, the random numbers N_ASUE and N_AE, the temporary public key xP, the AE identity ID_AE, its own identity ID_ASUE, the authentication field Auth_ASUE and the message authentication code MIC_ASUE-AE to the AE as the access authentication request message;
c. Access authentication response message: after receiving the access authentication request message, the AE verifies it; after verification passes, it computes USK in the same way as the ASUE and produces the authentication information Auth_AE and the message authentication code MIC_AE. It then sends the random number N_ASUE, its own authentication field Auth_AE and the message authentication code MIC_AE to the ASUE as the access authentication response message, and then sets the access result to success. As required, the access authentication response message may optionally carry the group key NMK encrypted with KEK;
d. After receiving the access authentication response message, the ASUE verifies the validity of the random number N_ASUE, Auth_AE and the message authentication code MIC_AE. If verification passes, the AE and the ASUE have established a security association.
The two authentication modes are implemented by the same access authentication protocol, which greatly reduces the complexity of protocol design.
When the STA moves into the control domain of a second AP: if the access authentication was run in pre-shared key mode, the access authentication protocol is run again; if it was run in certificate authentication mode, the fast-handover security association establishment protocol of the invention is run, which comprises the following message exchange:
a. When the STA hands over to the control domain of the second AP, the ASUE sends a handover request message to the second AE. The handover request message comprises the handover key identifier HKID and the one-time random number N_1. If the ASUE does not want the ASU or previously visited APs to learn the content it is going to communicate, it also sends the temporary public parameter aP for ECDH;
b. After receiving the handover request packet, the AE generates the random number N_2 and sends it together with HKID and N_1 to the ASUE as the handover response message. Likewise, if the ASUE sent aP in its message, the AE also generates and sends its own temporary public parameter bP for ECDH;
c. After receiving the handover response message, the ASUE first verifies the validity of HKID and N_1. After verification passes, it computes the temporary handover key HTK and the session key USK (comprising the unicast encryption key UEK, the unicast integrity check key UTK, the encryption key KEK of the multicast key and the protocol message authentication key MAK), as well as the authentication information and the message authentication code MIC_ASUE. It then sends HKID, ADDID, N_2 and MIC_ASUE to the AE as the key request message;
d. After receiving the key request message, the AE asks the TAE/ASU, according to HKID and ADDID, for the key information and security parameters of this security association. If HKID identifies a valid security association, the TAE/ASU computes the new temporary handover key in the same way as the ASUE and returns it to the AE. The message exchange in this step is carried out under the protection of the secure channel between the AE and the TAE/ASU;
e. After receiving the new temporary handover key, the AE computes the session key in the same way as the ASUE and verifies the validity of MIC_ASUE; after verification passes, it computes its own message authentication code MIC_AE. It then sends the ASUE a response message permitting access, which comprises HKID, ADDID and MIC_AE;
f. After receiving the response message permitting access, the ASUE verifies the validity of MIC_AE; after verification passes, data communication begins.
The unicast session key update protocol comprises the following message exchange:
a. Unicast session key update request: the ASUE sends the unicast session key identifier USKID and the random number N_1 to the AE as the key update request message. If forward secrecy is required, the key update request message also includes the public parameter aP for the DH exchange;
b. Unicast session key update response: after receiving the key update request message, the AE first checks the validity of USKID; if it is valid, the AE generates the random number N_2 and computes the new session key. It then uses the new session key to compute the message authentication code MIC_AE and sends USKID, N_1, N_2 and MIC_AE to the ASUE as the key update response message. If the key update request message includes the public parameter aP, the AE includes its own public parameter bP in the key update response message;
c. Unicast session key confirmation: after receiving the key update response message, the ASUE verifies the validity of USKID and N_1; after verification passes, it computes the new session key in the same way and then verifies MIC_AE. After verification passes, it computes the message authentication code MIC_ASUE and sends USKID, ADDID, N_2 and MIC_ASUE to the ASUE as the key update confirmation message;
d. After receiving the key update confirmation message, the AE verifies the validity of USKID, N_2 and MIC_ASUE respectively. If verification passes, the key update has succeeded, and subsequent communication uses the new session key.
Compared with the prior art, the invention has the following beneficial effects: (1) it solves the problems that WAPI-XG1 does not support fast handover and that, in pre-shared key authentication mode, WAPI-XG1 can neither guarantee forward secrecy nor resist offline dictionary attacks. (2) It does not require changing the authentication framework of WAPI-XG1, and it unifies the certificate-based and shared-key-based authentication modes in a single authentication scheme. (3) In certificate-based authentication mode, when a client hands over, it only needs to run the fast-handover security association establishment protocol with the target access point; neither re-authentication nor pre-authentication is needed.
Description of drawings
The invention is described in further detail below with reference to the accompanying drawings:
Fig. 1 shows the WAPI-XG1 authentication and key agreement process of prior art 1
Fig. 2 shows the WAPI-XG1 authentication (access authentication) protocol of prior art 1
Fig. 3 shows the WAPI-XG1 unicast key agreement protocol of prior art 1
Fig. 4 shows the WAPI-XG1 multicast key notification protocol of prior art 1
Fig. 5 shows the procedure a user has to complete for access in IEEE 802.11i of prior art 2
Fig. 6 shows the secure access protocol (four-way handshake protocol) in 11r fast handover of prior art 2
Fig. 7 is the flow chart of the initial authentication of prior art 3
Fig. 8 is the re-verification message flow chart under fast handover of prior art 3
Fig. 9 is the access authentication flow chart of the invention
Fig. 10 is the access authentication flow chart of the invention in certificate authentication mode
Fig. 11 is the access authentication flow chart of the invention in PSK authentication mode
Fig. 12 is the flow chart of security association establishment under fast handover of the invention
Fig. 13 is the key update flow chart of the invention
Fig. 14 shows the protocol on which the security analysis of the embodiment of the invention is carried out
In addition, the abbreviations and key terms used in the invention are defined as follows:
WAPI---WLAN Authentication and Privacy Infrastructure
WAPI-XG1---WAPI Amendment No. 1
BWIPS---Broadband Wireless IP Standard working group
DH---Diffie-Hellman
PSK---pre-shared key
BK---base key
BSS---basic service set
ASU---authentication service unit
AP---(wireless) access point
STA---(wireless) mobile node
AE---authenticator entity
ASUE---authentication supplicant entity
MIC---message integrity check code
KD-HMAC-SHA256---key derivation algorithm
HMAC-SHA256---message authentication code algorithm
ECDH---elliptic-curve-based DH
UMK---unicast session master key
USK---unicast session key
UEK---unicast encryption key
UTK---unicast integrity check key
KEK---encryption key of the multicast key
MAK---protocol message authentication key
Embodiment
As shown in Fig. 9, the access authentication method WAPI-XG1+ of the invention achieves mutual authentication among the STA, the AP and the ASU through protocol interaction. Because there is no direct trust relationship between the STA and the AP, a trusted third party, the ASU, is needed to confirm and relay authentication information so that mutual trust is reached. In certificate-based authentication mode, the protocol performs two different DH key exchanges, one between the STA and the AP and one between the STA and the ASU, which produce the shared key USK between the STA and the AP and the shared key HK between the STA and the ASU respectively. In PSK-based authentication mode, the protocol also achieves explicit key authentication between the STA and the AP and between the STA and the ASU; therefore, once a STA has accessed the WLAN through the new authentication protocol, explicit key authentication based on the shared key no longer needs to be carried out between the STA and the AP, which greatly shortens the time a device needs for access. The new access authentication protocol supports the certificate-based and the PSK (pre-shared key) based authentication mode at the same time; the only difference is the way the authentication field is generated. The two authentication modes are therefore implemented by the same access authentication protocol, which greatly reduces the complexity of protocol design. To make the protocol easier to analyze, only the messages necessary for the protocol to achieve provable security are given below.
In Fig. 9, [...] denotes an optional field. In the access authentication method, when a STA associates or re-associates to an AP, two processes are to be completed: authentication and key agreement, and optional multicast key notification. That the multicast key notification process is optional means that it is not required: if only unicast communication is used, the absence of the multicast key notification process does not affect the access authentication method; if multicast communication is needed, the multicast key notification process is added so that communication data can be transmitted under the protection of the negotiated or announced multicast key. The multicast key notification stage is the same as in WAPI-XG1. WAPI-XG1+ supports two different authentication modes at the same time: certificate-based and PSK-based authentication. The two modes are described in turn below.
(1) WAPI-XG1+ in certificate authentication mode
As shown in Fig. 10, WAPI-XG1+ in certificate authentication mode comprises the following message exchange:
a. Authentication activation message: the AE generates the temporary private key y and the temporary public key yP for the ECDH exchange and the random number N_AE. It then sends the one-time challenge value SNonce, the one-time random number N_AE, the ECDH public parameter yP, its own identity ID_AE, the public parameter zP of the ASU and its own certificate Cert_AE to the ASUE as the authentication activation message, activating the ASUE to perform bidirectional certificate authentication. SNonce is a value that is used only once; its types include timestamp, large random number and sequence number.
b. Access authentication request message: after receiving the authentication activation message sent by the AE, the ASUE generates the temporary private key x and the temporary public key xP for the ECDH exchange and the random number N_ASUE. It then computes and expands the unicast session key USK (UEK, UTK, KEK and MAK) and the fast handover key HK:
USK = UEK|UTK|KEK|MAK = KD-HMAC-SHA256(xyP, SNonce|ID_ASUE|ID_AE|N_AE|N_ASUE),
HK = KD-HMAC-SHA256(xzP, SNonce|ID_ASUE|ID_AE|ID_ASU|N_AE|N_ASUE).
Here zP is the public ECDH parameter of the ASU. At the same time the ASUE produces the authentication information Auth_ASUE and the message authentication codes MIC_ASUE-ASU and MIC_ASUE-AE as follows:
Auth_ASUE = Sig_ASUE{M_1},
M_1 = SNonce|N_ASUE|N_AE|xP|yP|ID_AE|Cert_ASUE|Cert_AE,
MIC_ASUE-ASU = HMAC-SHA256(HK, M_1|Auth_ASUE),
MIC_ASUE-AE = HMAC-SHA256(MAK, M_1|Auth_ASUE|MIC_ASUE-ASU).
It then sends SNonce, the random numbers N_ASUE and N_AE, the temporary public key xP, the AE identity ID_AE and its own identity ID_ASUE, together with its own certificate Cert_ASUE, the authentication field Auth_ASUE and the message authentication codes MIC_ASUE-ASU and MIC_ASUE-AE, to the AE as the access authentication request message.
c. Certificate authentication request message: after receiving the access authentication request message sent by the ASUE, the AE checks the validity of SNonce, generates USK in the same way, and verifies the validity of MIC_ASUE-AE and Auth_ASUE. After all checks have passed, the AE constructs the certificate authentication packet and sends it to the ASU. The certificate authentication request message comprises ADDID, SNonce, N_ASUE, N_AE, xP, Cert_ASUE, Cert_AE and MIC_ASUE-ASU, where ADDID is the MAC address of the AE.
d. Certificate authentication response message: after receiving the certificate authentication request message, the ASU verifies the certificate of the AE and the certificate of the ASUE and produces the verification results Res_ASUE and Res_AE respectively. It then computes HK in the same way as the ASUE and verifies the validity of MIC_ASUE-ASU. After verification passes, it constructs the certificate authentication response message and sends it to the AE. The certificate authentication response message comprises ADDID, N_ASUE, N_AE, Res_ASUE, Res_AE, Sig_ASU and MIC_ASUE-ASU, where Sig_ASU is the ECC-based signature over the message M_2 = ADDID|N_ASUE|N_AE|Res_ASUE|Res_AE, and MIC_ASU = HMAC-SHA256(HK, M_2|Sig_ASU).
e. Access authentication response message: after receiving the certificate authentication response message, the AE checks the validity of the random number N_AE, the certificate verification result Res and the signature Sig_ASU; after verification passes, it computes USK in the same way as the ASUE. It produces the authentication information Auth_AE and the message authentication code MIC_AE as follows:
Auth_AE = Sig_AE{M_3},
M_3 = SNonce|N_AE|N_ASUE|ID_ASUE|ID_AE|xP|yP|Res_ASUE|Res_AE|Sig_ASU|MIC_ASU|[NMK_KEK],
MIC_AE = HMAC-SHA256(MAK, M_3|Auth_AE).
It then sends the random number N_ASUE, the ASUE identity ID_ASUE, the AE identity ID_AE, the certificate verification results Res_ASUE and Res_AE, the ASU signature Sig_ASU and MIC_ASU, together with its own authentication field Auth_AE and message authentication code MIC_AE, to the ASUE as the access authentication response message, and then sets the access result to success. In addition, this packet may optionally carry the group key NMK encrypted with KEK, denoted NMK_KEK in the protocol.
f. After receiving the access authentication response message, the ASUE verifies the validity of the random number N_ASUE, the certificate verification results Res_ASUE and Res_AE, the signature Sig_ASU, Auth_AE and the message authentication codes MIC_ASU and MIC_AE. If verification passes, the AE and the ASUE have established a security association.
For the access protocol in certificate authentication mode, authentication and key agreement always go through the ASU, so a large handover delay can occur. A fast handover key HK therefore needs to be established between the STA and the ASU, to better support fast handover and reduce handover delay.
The certificate-based authentication protocol uses the well-known "SIG-MAC" method. The Internet Key Exchange protocols IKE and IKEv2 use this authentication method, and the method has been rigorously proven.
(2) WAPI-XG1+ in PSK authentication mode
Removing the optional items from the access authentication method WAPI-XG1+ of Fig. 9 yields WAPI-XG1+ in PSK authentication mode, as shown in Fig. 11.
The fields in the messages of WAPI-XG1+ in PSK authentication mode are generated in the same way as in the certificate-based authentication protocol, where
USK = KD-HMAC-SHA256(xyP, ID_ASUE|ID_AE|N_AE|N_ASUE),
Auth_ASUE = HMAC-SHA256(PSK, MAK|M_4),
M_4 = SNonce|N_ASUE|N_AE|xP|yP|ID_AE|ID_ASUE,
MIC_ASUE = HMAC-SHA256(MAK, M_4|Auth_ASUE),
Auth_AE = HMAC-SHA256(PSK, MAK|M_5),
M_5 = SNonce|N_AE|N_ASUE|yP|xP|ID_ASUE|ID_AE,
MIC_AE = HMAC-SHA256(MAK, M_5|Auth_AE).
The PSK-based authentication mode is implemented by the same protocol as the certificate-based authentication mode, that is, a DH exchange is used to generate a new session key. The session key generation formula USK = KD-HMAC-SHA256(xyP, ID_ASUE|ID_AE|N_AE|N_ASUE) shows that even an attacker who knows the shared key PSK and parameters such as the random numbers used by the protocol cannot compute xyP, because doing so means solving the ECDH problem, and therefore cannot obtain the session key USK. The protocol thus satisfies forward secrecy, and it also solves the problem of offline dictionary attacks in PSK authentication mode.
The access authentication protocol in PSK authentication mode can by itself complete both authentication and session key agreement quickly, without a large handover delay. Therefore, when the STA moves into the control domain of a new AP, the access authentication protocol in PSK authentication mode only needs to run WAPI-XG1+ once more; that is, re-authentication completes the fast handover. For the access authentication protocol in certificate authentication mode, when the STA moves into the control domain of a new AP, the protocol below is run to establish the security association quickly, without re-authentication. The security association establishment protocol under fast handover, H-WAPI-XG1+, is shown in Fig. 12. Here the TAE (trustworthy authentication equipment) is a trusted authentication device that manages the APs around it, is itself managed by the ASU, and performs the function of distributing handover keys. Secure channels exist between the TAE and the ASU and between the TAE and the APs it manages. After a mobile device has accessed the network through some AP in the management domain of a TAE, the ASU sends the handover key to this TAE over the secure channel, so that when the mobile device moves within the TAE management domain, the TAE is responsible for distributing the handover key to the corresponding AP. When the mobile device hands over from one TAE management domain to another TAE management domain for the first time, the ASU has to distribute the handover key and send it to the new TAE; for subsequent handovers within the new TAE management domain, the new TAE is responsible for distributing the handover key. In addition, the part of the protocol inside the dashed box on the right side can either be carried out in the order shown in Fig. 12 when the fast-handover security association establishment protocol runs, or be carried out after the authentication process of Fig. 10 has completed, with the result sent directly to the new AP by the TAE/ASU.
As shown in Figure 12, the security association establishment protocol under fast handover, H-WAPI-XG1+, comprises:
a. When the ASUE switches to the second AE, it sends a handover request message to the second AE. The handover request message includes the handover key identifier HKID and a one-time random number N_1. If the ASUE does not want the ASU or the APs it accessed previously to learn the content it is about to communicate, it must also send the ephemeral public parameter aP used for ECDH.
b. After receiving the handover request packet, the AE produces a random number N_2 and sends it, together with HKID and N_1, to the ASUE as the handover response message. Likewise, if the ASUE sent aP in its message, the AE also produces and sends its own ephemeral public parameter bP used for ECDH.
c. After receiving the handover response message, the ASUE first verifies the validity of HKID and N_1. After verification succeeds, it computes the temporary handover key HTK and the session key USK (comprising UEK, UTK, KEK and MAK), as well as the authentication information and the message authentication code MIC_ASUE, as follows:
HTK = KD-HMAC-SHA256(HK, ADDID),
USK = KD-HMAC-SHA256(HTK, [abP] | ADDID | N_1 | N_2).
MIC_ASUE = HMAC-SHA256(MAK, HKID | ADDID | N_1 | N_2 | [aP | bP]).
It then sends HKID, ADDID, N_2 and MIC_ASUE to the AE as the key request message.
d. After receiving the key request message, the AE requests this security association from the TAE/ASU, and the corresponding key information and security parameters are selected according to HKID and ADDID. If this HKID identifies a valid security association, the TAE/ASU computes the new temporary handover key in the same way as the ASUE and returns it to the AE. The message exchange in this step takes place under the protection of the secure channel between the AE and the TAE/ASU.
e. After receiving the new temporary handover key, the AE computes the session key in the same way as the ASUE and verifies the validity of MIC_ASUE. After verification succeeds, it computes its own message authentication code MIC_AE, as follows:
MIC_AE = HMAC-SHA256(MAK, HKID | ADDID | N_2 | N_1 | [bP | aP]).
It then sends the access-permitted response message to the ASUE. The access-permitted response message comprises HKID, ADDID and MIC_AE.
f. After receiving the access-permitted response message, the ASUE verifies the validity of MIC_AE; after verification succeeds, data communication proceeds.
The security association establishment protocol H-WAPI-XG1+ is run at every handover. In step c of this protocol, the session key after handover is generated from the temporary handover key (HTK) by USK = KD-HMAC-SHA256(HTK, [abP] | ADDID | N_1 | N_2). Running a single protocol therefore completes both authentication and session key update, and there is no need to run a separate session key update protocol after authentication completes, which improves handover speed.
To meet the need to update the session key in any situation that requires it (for example, when the session key has been exposed), the invention also provides a standalone unicast session key update protocol, KU-WAPI-XG1+.
A number of security associations are maintained between the STA and the AP; we identify these security associations with USKID. When the STA and the AP need to update the session key, they run the unicast session key update protocol KU-WAPI-XG1+. The update is carried out under the protection of the current USK; that is, every message exchanged during the update is encrypted with the current USK and integrity-checked. In addition, the update does not require the participation of the ASU.
As shown in Figure 13, the unicast session key update protocol KU-WAPI-XG1+ comprises:
a. Unicast session key update request: the ASUE sends the unicast session key identifier USKID and a random number N_1 to the AE as the key update request message. If forward secrecy is required, the key update request message also contains the public parameter aP used for the DH exchange.
b. Unicast session key update response: after receiving the key update request message, the AE first checks the validity of USKID. If it is valid, the AE produces a random number N_2 and computes the new session key. With the old USK denoted USK', the new USK is computed as follows:
USK = KD-HMAC-SHA256(USK', [abP] | ADDID | N_1 | N_2).
It then uses the new session key to compute the message authentication code MIC_AE, as follows:
MIC_AE = KD-HMAC-SHA256(MAK, USKID | ADDID | N_2 | N_1 | [bP | aP]).
It then sends USKID, N_1, N_2 and MIC_AE to the ASUE as the key update response message. If the key update request message contained the public parameter aP, the AE includes its own public parameter bP in the key update response message.
In this step the session key update is unrelated to the handover key; it depends instead on the old session key (USK'), from which the new key is generated by USK = KD-HMAC-SHA256(USK', [abP] | ADDID | N_1 | N_2). This differs from the session key update in the security association establishment protocol H-WAPI-XG1+. In this way, the session key update performed at handover and the session key update required at other times for security reasons are handled separately.
c. Unicast session key confirmation: after receiving the key update response message, the ASUE verifies the validity of USKID and N_1. After verification succeeds, it computes the new session key in the same way and then verifies MIC_AE. After that verification succeeds, it computes the message authentication code:
MIC_ASUE = KD-HMAC-SHA256(MAK, USKID | ADDID | N_1 | N_2 | [aP | bP]).
It then sends USKID, ADDID, N_2 and MIC_ASUE to the ASUE as the key update confirmation message.
d. After receiving the key update confirmation message, the AE verifies the validity of USKID, N_2 and MIC_ASUE in turn. If verification succeeds, the key update has succeeded, and subsequent communication uses the new session key.
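The handover exchange (steps a to f of H-WAPI-XG1+) and the key update exchange (steps a to d of KU-WAPI-XG1+) described above, as an added Python example that is not part of the patent text. It covers the variant without the optional ECDH term [abP]; the chained-HMAC `kd_hmac_sha256`, the four 16-byte sub-keys, the 32-byte nonces, the ADDID byte order and all sample values are assumptions, because the page does not define them.

```python
import hashlib
import hmac
import os


def kd_hmac_sha256(key: bytes, text: bytes, length: int) -> bytes:
    """ASSUMED stand-in for KD-HMAC-SHA256 (the page does not define it):
    chained HMAC-SHA256, each output block fed back in as the next input."""
    out, block = b"", text
    while len(out) < length:
        block = hmac.new(key, block, hashlib.sha256).digest()
        out += block
    return out[:length]


def mic(mak: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated fields (every field is fixed length,
    so plain '|' concatenation is unambiguous)."""
    return hmac.new(mak, b"".join(fields), hashlib.sha256).digest()


def split_usk(usk: bytes) -> dict:
    """ASSUMED layout: four 16-byte keys, in the order the page lists them."""
    names = ("UEK", "UTK", "KEK", "MAK")
    return {name: usk[i * 16:(i + 1) * 16] for i, name in enumerate(names)}


def derive_usk(parent: bytes, addid: bytes, n1: bytes, n2: bytes,
               dh_secret: bytes = b"") -> bytes:
    """USK = KD(parent, [abP] | ADDID | N_1 | N_2). parent is HTK on handover
    and the old USK' on key update; dh_secret is the optional ECDH value."""
    return kd_hmac_sha256(parent, dh_secret + addid + n1 + n2, 64)


def check(expected: bytes, received: bytes, what: str) -> None:
    """Constant-time comparison; any mismatch aborts the exchange."""
    if not hmac.compare_digest(expected, received):
        raise ValueError(what + " verification failed")


def handover(hk_asue: bytes, hk_tae: bytes, hkid: bytes, addid: bytes) -> dict:
    """H-WAPI-XG1+ steps a to f, both sides simulated in one process."""
    n1 = os.urandom(32)   # a. ASUE -> AE: HKID, N_1
    n2 = os.urandom(32)   # b. AE -> ASUE: HKID, N_1, N_2
    # c. ASUE: HTK from its handover key, then USK, then MIC_ASUE over N_1|N_2.
    htk_asue = kd_hmac_sha256(hk_asue, addid, 32)
    usk_asue = derive_usk(htk_asue, addid, n1, n2)
    mak_asue = split_usk(usk_asue)["MAK"]
    mic_asue = mic(mak_asue, hkid, addid, n1, n2)
    # d. TAE/ASU derives HTK from its own copy of HK; the AE only receives HTK.
    htk_ae = kd_hmac_sha256(hk_tae, addid, 32)
    # e. AE: same derivation, verify MIC_ASUE, answer with MIC_AE over N_2|N_1.
    mak_ae = split_usk(derive_usk(htk_ae, addid, n1, n2))["MAK"]
    check(mic(mak_ae, hkid, addid, n1, n2), mic_asue, "MIC_ASUE")
    mic_ae = mic(mak_ae, hkid, addid, n2, n1)
    # f. ASUE verifies MIC_AE before any data is sent.
    check(mic(mak_asue, hkid, addid, n2, n1), mic_ae, "MIC_AE")
    return {"usk": usk_asue, "mic_asue": mic_asue, "mic_ae": mic_ae}


def key_update(usk_asue: bytes, usk_ae: bytes, uskid: bytes, addid: bytes) -> bytes:
    """KU-WAPI-XG1+ steps a to d: the new USK is keyed by the old USK'.
    The page writes these MICs with KD-HMAC-SHA256; one 32-byte round of the
    stand-in above is the same single HMAC that mic() computes."""
    n1 = os.urandom(32)   # a. ASUE -> AE: USKID, N_1
    n2 = os.urandom(32)   # b. AE picks N_2, derives the new USK, sends MIC_AE
    mak_ae = split_usk(derive_usk(usk_ae, addid, n1, n2))["MAK"]
    mic_ae = mic(mak_ae, uskid, addid, n2, n1)
    # c. ASUE derives the same key, checks MIC_AE, replies with MIC_ASUE.
    new_asue = derive_usk(usk_asue, addid, n1, n2)
    mak_asue = split_usk(new_asue)["MAK"]
    check(mic(mak_asue, uskid, addid, n2, n1), mic_ae, "MIC_AE")
    mic_asue = mic(mak_asue, uskid, addid, n1, n2)
    # d. AE checks MIC_ASUE; only then do both sides switch to the new key.
    check(mic(mak_ae, uskid, addid, n1, n2), mic_asue, "MIC_ASUE")
    return new_asue


# Constructed sample values (not from the page).
HK = bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)   # handover key
HKID = b"HKID-0001-sample"
USKID = b"USKID-0001-sampl"
ADDID = bytes.fromhex("020000000001" "020000000002")  # MAC_AP || MAC_STA, order assumed

if __name__ == "__main__":
    sa = handover(HK, HK, HKID, ADDID)
    print("handover USK :", sa["usk"].hex())
    print("rekeyed  USK :", key_update(sa["usk"], sa["usk"], USKID, ADDID).hex())
    try:
        handover(HK, os.urandom(32), HKID, ADDID)   # TAE holds a different HK
    except ValueError as err:
        print("rejected     :", err)
```

Because MIC_ASUE covers N_1 | N_2 and MIC_AE covers N_2 | N_1, a MIC captured in one direction does not verify in the other, and a peer holding the wrong HK or USK' fails at the first MIC check.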
Detailed analysis of the beneficial effects of this embodiment:
(1) Protocol security analysis
Our approach to proving the security of the protocol is as follows: first prove that the protocol is AKE-secure in the AM; then prove that the output of the protocol in the AM is indistinguishable from the output, in the UM, of the protocol obtained by compiling it with the compiler. It follows that the protocol is also AKE-secure in the UM.
Lemma 1: provided that the ECDH assumption holds and the chosen pseudo-random function is secure, protocol WAPI-XG1+_AM is AKE-secure in the ideal environment AM.
Proof: we first give the protocol WAPI-XG1+_AM in the AM, as shown in Figure 14. We then prove that protocol WAPI-XG1+_AM satisfies the first condition of AKE security, namely: if, during the protocol interaction, STA, AP and ASU are not corrupted by the attacker and all complete matching sessions, then ASUE and AE, and ASUE and ASU, output the same session key. As can be seen from Figure 10, the protocol participants use Snonce and the one-time random numbers N_AE and N_ASUE as the session identifier, and this identifier is unique to each session. Moreover, the attacker in the AM cannot carry out active attacks such as tampering with messages, so each protocol participant correctly receives the other party's ephemeral public parameter for the ECDH exchange and therefore computes the same session key. Hence, if all three parties take part in the same session (that is, Snonce, N_AE, N_ASUE and xP, yP, zP are uniquely bound), the shared keys computed between ASUE and AE and between ASUE and ASU are certainly consistent.
To prove that WAPI-XG1+_AM also satisfies the second condition, we use proof by contradiction. Suppose that in the AM there exists an attacker E who can guess, with non-negligible advantage ε, whether the value returned by the test-session query is random or the real key. Then we can use attacker E to construct an algorithm D that computes the session key xzP or xyP with non-negligible probability of success. This clearly contradicts the ECDH assumption. The construction of D is shown in Table 2.
In this game, E has two possible choices for the test session t: t = r or t ≠ r. Consider the first case. The input of session r is {xP, yP, zP}, so E obtains a value from the test-session query on session r. If b = 0, the value D returns to E is the real key information. If b = 1, the value D returns to E is a random number. At the same time, algorithm D chooses either the real key value or a random number as its output, each with probability 1/2. By the construction of algorithm D, the probability that E correctly guesses whether the value it obtained is the real key information equals the probability that D selects b = 0 or b = 1. Since E guesses correctly with probability ε + 1/2, the probability that D computes xzP or xyP is ε.
In the second case, E does not select session r as its test session, and D outputs a random value. D then obtains from the attacker no information that helps it compute xzP or xyP. Because D is constructed on the basis of E, the probability that D computes xzP or xyP is 0.
We now combine the analysis of the two cases. Let Pr_1 be the probability that the first case occurs and Pr_2 the probability that the second case occurs. These probabilities are Pr_1 = 1/l and Pr_2 = 1 - 1/l. The probability that D succeeds is therefore Pr_1 * ε + Pr_2 * 0 = ε/l.
Table 2
Lemma 2: the output in the real environment UM of protocol WAPI-XG1+, obtained by compilation with the compiler, is indistinguishable from the output in the AM of protocol WAPI-XG1+_AM.
Proof: the CK model provides not only a modular method for designing and analysing protocols but also a number of standard compilers. One well-known compiler among them is "SIG-MAC". Canetti and Krawczyk gave a rigorous proof for this compiler in 2002. Compiling and optimizing protocol WAPI-XG1+_AM in the AM with this compiler yields protocol WAPI-XG1+ in the UM, as shown in Figure 14.
Theorem 1: for any attacker in the UM, protocols WAPI-XG1+ and H-WAPI-XG1+ satisfy the following two properties: if STA, AP and ASU have not been corrupted and have completed matching sessions, the same session key is output between STA and AP and between STA and ASU; and when the attacker makes a test-session query, the probability that it guesses b correctly does not exceed 1/2 + ε. Therefore protocol WAPI-XG1+ is AKE-secure.
Security analysis of protocol H-WAPI-XG1+: because H-WAPI-XG1+ is a two-party protocol (involving only STA and AP), it can be analysed under the traditional CK model. H-WAPI-XG1+ is obtained from the traditional DH exchange protocol in the AM by compiling it with another class of standard compiler, the compiler based on message authentication codes (MAC). Theorem 8 in [12] gives the general proof for the traditional DH exchange protocol in the AM, and [11] shows how to compile a protocol in the AM into a protocol of equivalent security in the UM, together with the simulation process and the security proof. We can therefore directly obtain the following Theorem 2:
Theorem 2: for any attacker in the UM, protocol H-WAPI-XG1+ is SK-secure under the CK model.
(2) Protocol performance analysis
We now analyse the performance of the protocols. We compare the performance of establishing a security association when the STA accesses the WLAN for the first time and when it performs a fast handover. In WAPI-XG1: when a STA accesses the WLAN for the first time, it must carry out the certificate authentication process and the unicast key agreement process; when the STA hands over, it must carry out pre-authentication or re-authentication with the target AP and then carry out unicast key agreement. In WAPI-XG1+: when the STA accesses the current WLAN for the first time, completing access authentication alone achieves both authentication and unicast key agreement; at handover, only the fast-handover security association establishment protocol needs to be run, and no re-authentication or pre-authentication is needed. In the certificate-based authentication mode, the performance of the two protocols at first access and at handover is compared in Table 3 and Table 4: Table 3 compares protocol performance when the STA accesses the WLAN for the first time, and Table 4 compares protocol performance when the STA hands over. To simplify the analysis, we assume a one-hop direct link between the AP and the ASU. Sending and receiving one message is counted as one interaction; E denotes a modular exponentiation, S denotes a signature computation, and M denotes the computation of a message authentication code MIC. In addition, the initial access authentication protocol is not specified in the scheme proposed by Samsung, which may use schemes such as authentication based on biometric information, so its performance cannot be given in Table 3.
Table 3
Table 4
As can be seen from Table 3, in computational cost WAPI-XG1+ adds only one modular exponentiation at the STA and ASU ends, but it reduces the number of protocol interactions by three, which greatly shortens the access delay. As can be seen from Table 4, when the handover key is pre-distributed, H-WAPI-XG1+ outperforms WAPI-XG1 in both communication and computational performance and is almost the same as the four-way handshake and the Samsung scheme. When the handover key is not pre-distributed and forward secrecy of the session key is required, H-WAPI-XG1+ still outperforms WAPI-XG1 in both communication and computational performance, but its computational performance is worse than that of the four-way handshake; this is a reasonable cost of the security requirement. In summary, the scheme of the invention is better than the existing schemes.
The technical scheme above is one embodiment of the invention. On the basis of the application method and principle disclosed by the invention, those skilled in the art can easily make various improvements or variations, which are not limited to the method described in the above embodiment of the invention. The mode described above is therefore only a preferred one and has no restrictive meaning.

Claims (6)

1. A WAPI-XG1 access and fast authentication method, the method involving a wireless access point AP, a wireless mobile node STA, an authentication service unit ASU and a trusted authentication device TAE; the trusted authentication device TAE is used to manage the wireless access points AP around it and accepts the management of the authentication service unit ASU; an authenticator entity AE is provided on the wireless access point AP, and an authentication supplicant entity ASUE is provided on the wireless mobile node STA; characterized in that the method comprises:
(1) an access authentication protocol, which establishes the connection between the STA and the first AP: the STA and the first AP establish a session key, and a key used for fast handover is established with the ASU; the access authentication protocol supports a certificate-based authentication mode or a pre-shared-key-based authentication mode;
(2) when the STA moves into the control domain of a second AP: for the access authentication protocol in certificate authentication mode, running the security association establishment protocol under fast handover; for the access authentication mode based on a pre-shared key, re-running the access authentication protocol;
(3) when the unicast session key is exposed, running the unicast session key update protocol; wherein the access authentication protocol comprises: (11) an authentication and key agreement step;
the access authentication protocol uses a Diffie-Hellman exchange based on elliptic curves (that is, ECDH) to generate a new session key; the access authentication protocol in certificate authentication mode uses the SIG-MAC authentication method.
2. The method according to claim 1, characterized in that, for the access authentication protocol in certificate authentication mode, the authentication and key agreement step comprises:
a. Authentication activation message: the AE produces the ephemeral private key y and ephemeral public key yP used for the ECDH exchange and a random number N_AE; it then sends the one-time challenge value SNonce, the one-time random number N_AE, the ECDH public parameter yP, its own identity ID_AE, the public parameter zP of the ASU and its own certificate Cert_AE to the ASUE as the authentication activation message, activating the ASUE to carry out mutual certificate authentication;
b. Access authentication request message: after receiving the authentication activation message sent by the AE, the ASUE produces the ephemeral private key x and ephemeral public key xP used for the ECDH exchange and a random number N_ASUE; it then computes and expands the unicast session key USK (UEK, UTK, KEK and MAK) and the fast handover key HK, and at the same time produces the authentication information Auth_ASUE and the message authentication codes MIC_ASUE-ASU and MIC_ASUE-AE; it then sends SNonce, the random numbers N_ASUE and N_AE, the ephemeral public key xP, the AE identity ID_AE and its own identity ID_ASUE, together with its own certificate Cert_ASUE, the authentication field Auth_ASUE and the message authentication codes MIC_ASUE-ASU and MIC_ASUE-AE, to the AE as the access authentication request message;
c. Certificate authentication request message: after receiving the access authentication request message sent by the ASUE, the AE checks the validity of SNonce, produces USK in the same way, and verifies the validity of MIC_ASUE-AE and Auth_ASUE; after all verifications succeed, the AE constructs the certificate authentication request message and sends it to the ASU; the certificate authentication request message comprises: ADDID, SNonce, N_ASUE, N_AE, xP, Cert_ASUE, Cert_AE and MIC_ASUE-ASU, where ADDID is the MAC addresses of the STA and the AP;
d. Certificate authentication response message: after receiving the certificate authentication request message, the ASU verifies the certificate of the AE and the certificate of the ASUE and produces the verification results Res_ASUE and Res_AE respectively; it then computes HK in the same way as the ASUE and verifies the validity of MIC_ASUE-ASU; after verification succeeds, it constructs the certificate authentication response message and sends it to the AE; the certificate authentication response message comprises: ADDID, N_ASUE, N_AE, Res_ASUE, Res_AE, Sig_ASU and MIC_ASUE-ASU, where Sig_ASU is the signature, produced with an ECC-based algorithm, over the message M_2 = ADDID | N_ASUE | N_AE | Res_ASUE | Res_AE, and MIC_ASU = HMAC-SHA256(HK, M_2 | Sig_ASU);
e. Access authentication response message: after receiving the certificate authentication response message, the AE checks the validity of the random number N_AE, the certificate verification result Res and the signature Sig_ASU; after verification succeeds, it computes USK in the same way as the ASUE and produces the authentication information Auth_AE and the message authentication code MIC_AE; it then sends the random number N_ASUE, the ASUE identity ID_ASUE, the AE identity ID_AE, the certificate verification results Res_ASUE and Res_AE, the ASU signature Sig_ASU and MIC_ASU, together with its own authentication field Auth_AE and message authentication code MIC_AE, to the ASUE as the access authentication response message, and then sets the access result to success; as required, it chooses whether to send the group key NMK encrypted with KEK in the access authentication response message;
f. After receiving the access authentication response message, the ASUE verifies the validity of the random number N_ASUE, the certificate verification results Res_ASUE and Res_AE, the signature Sig_ASU, Auth_AE and the message authentication codes MIC_ASU and MIC_AE; if verification succeeds, the AE and the ASUE have established a security association.
3. The method according to claim 1, characterized in that, for the access authentication protocol in pre-shared key authentication mode, the authentication and key agreement step comprises:
a. Authentication activation message: the AE produces the ephemeral private key y and ephemeral public key yP used for the ECDH exchange and a random number N_AE; it then sends the one-time challenge value SNonce, the one-time random number N_AE, the ECDH public parameter yP and its own identity ID_AE to the ASUE as the authentication activation message, activating the ASUE to carry out mutual authentication;
b. Access authentication request message: after receiving the authentication activation message sent by the AE, the ASUE produces the ephemeral private key x and ephemeral public key xP used for the ECDH exchange and a random number N_ASUE; it then computes and expands the unicast session key USK (UEK, UTK, KEK and MAK), and at the same time produces the authentication information Auth_ASUE and the message authentication code MIC_ASUE-AE; it then sends SNonce, the random numbers N_ASUE and N_AE, the ephemeral public key xP, the AE identity ID_AE, its own identity ID_ASUE, the authentication field Auth_ASUE and the message authentication code MIC_ASUE-AE to the AE as the access authentication request message;
c. Access authentication response message: after receiving the access authentication request message, the AE verifies it; after verification succeeds, it computes USK in the same way as the ASUE and produces the authentication information Auth_AE and the message authentication code MIC_AE; it then sends the random number N_ASUE, its own authentication field Auth_AE and the message authentication code MIC_AE to the ASUE as the access authentication response message, and then sets the access result to success; as required, it chooses whether to send the group key NMK encrypted with KEK in the access authentication response message;
d. After receiving the access authentication response message, the ASUE verifies the validity of the random number N_ASUE, Auth_AE and the message authentication code MIC_AE; if verification succeeds, the AE and the ASUE have established a security association.
4. The method according to claim 1, characterized in that the security association establishment protocol under fast handover comprises:
a. When the STA switches to the control domain of the second AP, the ASUE sends a handover request message to the second AE; the handover request message includes the handover key identifier HKID and a one-time random number N_1; if the ASUE does not want the ASU or the APs it accessed previously to learn the content it is about to communicate, it must also send the ephemeral public parameter aP used for ECDH;
b. After receiving the handover request packet, the AE produces a random number N_2 and sends it, together with HKID and N_1, to the ASUE as the handover response message; likewise, if the ASUE sent aP in its message, the AE also produces and sends its own ephemeral public parameter bP used for ECDH;
c. After receiving the handover response message, the ASUE first verifies the validity of HKID and N_1; after verification succeeds, it computes the temporary handover key HTK and the session key USK (comprising the unicast encryption key UEK, the unicast integrity check key UTK, the multicast key encryption key KEK and the protocol message authentication key MAK), as well as the authentication information and the message authentication code MIC_ASUE; it then sends HKID, ADDID, N_2 and MIC_ASUE to the AE as the key request message;
d. After receiving the key request message, the AE requests this security association from the TAE/ASU, and the corresponding key information and security parameters are selected according to HKID and ADDID; if this HKID identifies a valid security association, the TAE/ASU computes the new temporary handover key in the same way as the ASUE and returns it to the AE; the message exchange in this step takes place under the protection of the secure channel between the AE and the TAE/ASU;
e. After receiving the new temporary handover key, the AE computes the session key in the same way as the ASUE and verifies the validity of MIC_ASUE; after verification succeeds, it computes its own message authentication code MIC_AE; it then sends the access-permitted response message to the ASUE; the access-permitted response message comprises HKID, ADDID and MIC_AE;
f. After receiving the access-permitted response message, the ASUE verifies the validity of MIC_AE; after verification succeeds, data communication proceeds.
5. The method according to claim 1, characterized in that the unicast session key update protocol comprises:
a. Unicast session key update request: the ASUE sends the unicast session key identifier USKID and a random number N_1 to the AE as the key update request message; if forward secrecy is required, the key update request message also contains the public parameter aP used for the DH exchange;
b. Unicast session key update response: after receiving the key update request message, the AE first checks the validity of USKID; if it is valid, the AE produces a random number N_2 and computes the new session key; it then uses the new session key to compute the message authentication code MIC_AE, and then sends USKID, N_1, N_2 and MIC_AE to the ASUE as the key update response message; if the key update request message contained the public parameter aP, the AE includes its own public parameter bP in the key update response message;
c. Unicast session key confirmation: after receiving the key update response message, the ASUE verifies the validity of USKID and N_1; after verification succeeds, it computes the new session key in the same way and then verifies MIC_AE; after that verification succeeds, it computes the message authentication code MIC_ASUE, and then sends USKID, ADDID, N_2 and MIC_ASUE to the ASUE as the key update confirmation message;
d. After receiving the key update confirmation message, the AE verifies the validity of USKID, N_2 and MIC_ASUE in turn; if verification succeeds, the key update has succeeded, and subsequent communication uses the new session key.
6. The method according to claim 2 or 3, characterized in that the access authentication protocol comprises (12) a multicast key notification step, the multicast key notification step comprising:
a. The AE encrypts the multicast master key, produced by a random number generation algorithm, with the negotiated multicast key encryption key KEK, then computes MIC_1 = HMAC-SHA256(MAK, USKID | ADDID | KDE | Knonce), and announces the multicast key to the ASUE in a multicast key notification message; the multicast key notification message comprises the unicast session key identifier USKID, ADDID, the key announcement identifier random number Knonce, the multicast key KDE encrypted with KEK, and the message authentication code MIC_1;
b. After receiving the multicast key notification message sent by the AE, the ASUE uses the message authentication key identified by USKID to verify the validity of MIC_1; after verification succeeds, it decrypts KDE to obtain the multicast master key and expands it to generate the multicast encryption key and the integrity check key; it then computes MIC_2 = HMAC-SHA256(MAK, USKID | ADDID | Knonce) and sends USKID, ADDID, Knonce and the new message authentication code MIC_2 to the AE as the multicast key response message, and at the same time sets the state of the controlled port to On;
c. After receiving the multicast key response message sent by the ASUE, the AE uses the message authentication key identified by USKID to verify the validity of MIC_2 and Knonce. After verification succeeds, it sets the state of the controlled port to On.
CNA2008102397087A 2008-12-16 2008-12-16 WAPI-XG1 access and fast switch authentication method Pending CN101420694A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2008102397087A CN101420694A (en) 2008-12-16 2008-12-16 WAPI-XG1 access and fast switch authentication method


Publications (1)

Publication Number Publication Date
CN101420694A true CN101420694A (en) 2009-04-29

Family

ID=40631235

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008102397087A Pending CN101420694A (en) 2008-12-16 2008-12-16 WAPI-XG1 access and fast switch authentication method

Country Status (1)

Country Link
CN (1) CN101420694A (en)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101917695A (en) * 2010-09-13 2010-12-15 上海市共进通信技术有限公司 Fast switching method based on roaming of 802.11 standard wireless network
CN102447690A (en) * 2010-10-12 2012-05-09 中兴通讯股份有限公司 Key management method and network equipment
CN101800982B (en) * 2010-01-15 2012-12-05 西安电子科技大学 Method for enhancing fast handover authentication security of wireless local land area
CN102883316A (en) * 2011-07-15 2013-01-16 华为终端有限公司 Connection establishing method, terminal and access point
CN103368814A (en) * 2012-03-27 2013-10-23 北京百度网讯科技有限公司 Data push method, data push system and mobile terminal
CN104618870A (en) * 2015-01-26 2015-05-13 蒋欣飏 Control method and control device, system for wifi self-motion
CN104661323A (en) * 2013-11-21 2015-05-27 杭州华三通信技术有限公司 Wireless service establishment device and method in WLAN network
CN106063219A (en) * 2013-12-31 2016-10-26 奥约斯实验室Ip有限公司 System and method for biometric protocol standards
CN106161475A (en) * 2016-09-12 2016-11-23 沈书荣 The implementation method of subscription authentication and device
CN107431923A (en) * 2015-03-19 2017-12-01 三星电子株式会社 Method and apparatus for the connection between configuration device in a communications system
CN108966214A (en) * 2018-07-27 2018-12-07 全球能源互联网研究院有限公司 Authentication method, the wireless network safety communication method and device of wireless network
CN109218015A (en) * 2017-07-05 2019-01-15 普天信息技术有限公司 A kind of multiselect group group SMS encryption transport method and device
CN110574030A (en) * 2018-02-13 2019-12-13 指纹卡有限公司 Updating biometric template protection keys
CN112260987A (en) * 2020-09-10 2021-01-22 西安电子科技大学 Bidirectional security authentication method and system in digital content protection system
CN112740616A (en) * 2018-09-19 2021-04-30 辛纳普蒂克斯公司 Method and system for protecting vehicle-mounted Ethernet link
WO2021168860A1 (en) * 2020-02-29 2021-09-02 华为技术有限公司 Method for updating key and related device
US11210380B2 (en) 2013-05-13 2021-12-28 Veridium Ip Limited System and method for authorizing access to access-controlled environments
CN114513300A (en) * 2021-12-27 2022-05-17 广州广哈通信股份有限公司 Authentication method, access device and system
WO2022135418A1 (en) * 2020-12-26 2022-06-30 西安西电捷通无线网络通信股份有限公司 Identity authentication method and apparatus
WO2022135380A1 (en) * 2020-12-26 2022-06-30 西安西电捷通无线网络通信股份有限公司 Identity authentication method and apparatus

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101800982B (en) * 2010-01-15 2012-12-05 西安电子科技大学 Method for enhancing fast handover authentication security of wireless local land area
CN101917695B (en) * 2010-09-13 2012-10-24 上海市共进通信技术有限公司 Fast switching method based on roaming of 802.11 standard wireless network
CN101917695A (en) * 2010-09-13 2010-12-15 上海市共进通信技术有限公司 Fast switching method based on roaming of 802.11 standard wireless network
CN102447690A (en) * 2010-10-12 2012-05-09 中兴通讯股份有限公司 Key management method and network equipment
CN102447690B (en) * 2010-10-12 2015-04-01 中兴通讯股份有限公司 Key management method and network equipment
CN102883316A (en) * 2011-07-15 2013-01-16 华为终端有限公司 Connection establishing method, terminal and access point
CN102883316B (en) * 2011-07-15 2015-07-08 华为终端有限公司 Connection establishing method, terminal and access point
US9232398B2 (en) 2011-07-15 2016-01-05 Huawei Device Co., Ltd. Method and apparatus for link setup
CN103368814A (en) * 2012-03-27 2013-10-23 北京百度网讯科技有限公司 Data push method, data push system and mobile terminal
US11170369B2 (en) 2013-05-13 2021-11-09 Veridium Ip Limited Systems and methods for biometric authentication of transactions
US11210380B2 (en) 2013-05-13 2021-12-28 Veridium Ip Limited System and method for authorizing access to access-controlled environments
CN104661323A (en) * 2013-11-21 2015-05-27 杭州华三通信技术有限公司 Wireless service establishment device and method in WLAN network
CN106063219A (en) * 2013-12-31 2016-10-26 奥约斯实验室Ip有限公司 System and method for biometric protocol standards
CN106063219B (en) * 2013-12-31 2019-10-08 威力迪姆Ip有限公司 System and method for bio-identification consensus standard
CN104618870A (en) * 2015-01-26 2015-05-13 蒋欣飏 Control method and control device, system for wifi self-motion
USRE49969E1 (en) 2015-03-19 2024-05-14 Samsung Electronics Co., Ltd Method and apparatus for configuring connection between devices in communication system
CN107431923A (en) * 2015-03-19 2017-12-01 三星电子株式会社 Method and apparatus for the connection between configuration device in a communications system
CN106161475A (en) * 2016-09-12 2016-11-23 沈书荣 The implementation method of subscription authentication and device
CN106161475B (en) * 2016-09-12 2020-06-05 沈书荣 Method and device for realizing user authentication
CN109218015A (en) * 2017-07-05 2019-01-15 普天信息技术有限公司 A kind of multiselect group group SMS encryption transport method and device
CN109218015B (en) * 2017-07-05 2021-08-06 普天信息技术有限公司 Multi-group selection short message encryption transmission method and device
CN110574030A (en) * 2018-02-13 2019-12-13 指纹卡有限公司 Updating biometric template protection keys
CN108966214B (en) * 2018-07-27 2021-09-28 北京智芯微电子科技有限公司 Authentication method of wireless network, and secure communication method and system of wireless network
CN108966214A (en) * 2018-07-27 2018-12-07 全球能源互联网研究院有限公司 Authentication method, the wireless network safety communication method and device of wireless network
CN112740616A (en) * 2018-09-19 2021-04-30 辛纳普蒂克斯公司 Method and system for protecting vehicle-mounted Ethernet link
WO2021168860A1 (en) * 2020-02-29 2021-09-02 华为技术有限公司 Method for updating key and related device
CN115104282A (en) * 2020-02-29 2022-09-23 华为技术有限公司 Key updating method and related device
CN115104282B (en) * 2020-02-29 2023-08-22 华为技术有限公司 Key updating method and related device
CN112260987A (en) * 2020-09-10 2021-01-22 西安电子科技大学 Bidirectional security authentication method and system in digital content protection system
WO2022135418A1 (en) * 2020-12-26 2022-06-30 西安西电捷通无线网络通信股份有限公司 Identity authentication method and apparatus
WO2022135380A1 (en) * 2020-12-26 2022-06-30 西安西电捷通无线网络通信股份有限公司 Identity authentication method and apparatus
CN114513300A (en) * 2021-12-27 2022-05-17 广州广哈通信股份有限公司 Authentication method, access device and system
CN114513300B (en) * 2021-12-27 2023-09-29 广州广哈通信股份有限公司 Authentication method, access equipment and system

Similar Documents

Publication Publication Date Title
CN101420694A (en) WAPI-XG1 access and fast switch authentication method
CN103781066B (en) Wireless transmitter/receiver unit and the method being implemented by it
CN108809637B (en) LTE-R vehicle-ground communication non-access stratum authentication key agreement method based on mixed password
CN109076339A (en) The unified certification frame of heterogeneous network
CN101159639B (en) One-way access authentication method
US20070189528A1 (en) Wireless LAN transmitting and receiving apparatus and key distribution method
CN101371491A (en) Method and arrangement for the creation of a wireless mesh network
CN107493570B (en) A kind of the PMIPV6 anonymous access authentication system and method for identity-based group label
CN101119196A (en) Bidirectional identification method and system
CN101527908A (en) Method for pre-identifying wireless local area network terminal and wireless local area network system
Guo et al. FogHA: An efficient handover authentication for mobile devices in fog computing
Fan et al. Complete EAP method: User efficient and forward secure authentication protocol for IEEE 802.11 wireless LANs
Fan et al. ReHand: Secure region-based fast handover with user anonymity for small cell networks in mobile communications
Nguyen et al. Enhanced EAP-based pre-authentication for fast and secure inter-ASN handovers in mobile WiMAX networks
CN103313242A (en) Secret key verification method and device
Farhat et al. Private identification, authentication and key agreement protocol with security mode setup
CN101699890A (en) 3G-WLAN authentication method
Yang et al. A trust and privacy preserving handover authentication protocol for wireless networks
CN101635922B (en) Safety communication method of wireless mesh network
CN110012467A (en) The packet authentication method of narrowband Internet of Things
CN101800982A (en) Method for enhancing fast handover authentication security of wireless local land area
Ming et al. A secure one-to-many authentication and key agreement scheme for industrial IoT
Dey et al. An efficient dynamic key based eap authentication framework for future ieee 802.1 x wireless lans
CN114386020A (en) Quick secondary identity authentication method and system based on quantum security
Zhang et al. Ticket-based authentication for fast handover in wireless mesh networks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20090429