CN101448262A - WAPI-based authentication method of wireless mesh network - Google Patents


Info

Publication number: CN101448262A
Authority: CN (China)
Prior art keywords: node, accessed network, certificate, request, session key
Legal status: Pending
Application number: CN200810220006.4A
Other languages: Chinese (zh)
Inventors: 周绍午, 吴月辉
Current assignee: GCI Science and Technology Co Ltd
Original assignee: GCI Science and Technology Co Ltd

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a WAPI-based authentication method for a wireless mesh network. An authentication server authenticates every node centrally, so that the nodes are managed in one place. After a requesting node and a node already in the network (the accessed node) complete association, the accessed node sends authentication activation information to the requesting node; this starts the subsequent certificate authentication and the establishment of a shared key through session key negotiation, so that a shared key is set up between the requesting node and the accessed node. WAPI is thereby organically combined with the wireless mesh network: once the requesting node and the accessed node have established the shared key through key negotiation, data communication between them proceeds under that shared key, and the communication process is secured.

Description

Authentication method for a WAPI-based wireless mesh network
Technical field
The present invention relates to the field of mobile communications, and in particular to an authentication method for a wireless mesh network.
Background technology
The continuous growth of network communication technology has made it convenient for people to obtain network resources freely. This free access to network resources, however, places higher demands on security: without security guarantees, illegal operations on the network become easy to carry out, which in turn compromises the safety of upper-layer communication content and harms users' interests.
WAPI (WLAN Authentication and Privacy Infrastructure) is a security architecture that provides mutual authentication and confidentiality between communicating nodes and network-bearing nodes and is applicable to mainstream physical network topologies. It was proposed as a technical security solution and specification in response to the security defects of the current international WLAN standards, with full consideration of interoperability between WLAN products. It offers not only a secure and efficient authentication scheme and flexible key management, but also centralized user management across the whole underlying network, so that it meets the needs of more users and more complex security requirements; it is a generally applicable security architecture.
WAPI consists of WAI (WLAN Authentication Infrastructure) and WPI (WLAN Privacy Infrastructure). WAI performs identity authentication of users and is the foundation of WAPI; WPI encrypts the transmitted data. Because WAPI achieves genuine mutual authentication, has a simple authentication process, and is easy to structure and extend, it has been widely adopted in WLANs.
In WAPI deployments, a trusted third party, the authentication server (AS), issues certificates uniformly to every mobile terminal and wireless access point. A mobile terminal and an access point verify each other's legitimacy by means of the certificates issued by the AS: not only can the access point verify the legitimacy of the terminal, the terminal can also verify the legitimacy of the access point, so that security is ensured.
A wireless mesh network (WMN) is a multi-hop broadband wireless network structure with self-organizing and self-healing properties. It is a high-capacity, high-rate distributed network whose structure differs from that of traditional wireless networks; it combines the advantages of WLAN (single-hop) and mobile ad hoc networks (multi-hop) and brings both to full play.
Fig. 1 shows the schematic structure of a wireless mesh network, which generally contains three kinds of nodes: MP (Mesh Point) nodes, which support only mesh interconnection; MAP (Mesh Access Point) nodes, which support mesh interconnection and also admit stations; and MPP (Mesh Point with a Portal) gateway nodes, which support mesh interconnection and also interconnect with external networks.
Because a wireless mesh network is a distributed network without a central point, its access points are interconnected wirelessly in a loose relationship, and client nodes are generally mobile, the network is highly exposed to interference and eavesdropping by malicious nodes. This affects communication security and makes security one of the problems limiting the large-scale deployment of wireless mesh networks.
Although WAPI as applied in WLANs has good security properties, in a WLAN a station attaches to an access point that is in turn connected by wire directly to the authentication server, so WAPI security authentication is a direct three-party process among the station, the access point and the authentication server. The architecture of a wireless mesh network is clearly far more complex than that of a WLAN: besides the MAPs that admit stations and the MPP gateway nodes that support mesh interconnection and connect to external networks, it also contains MPs that provide mesh interconnection, and in actual communication a single data transfer may pass through several different nodes. The above three-party authentication process therefore cannot be used directly, and WAPI as applied to WLANs cannot simply be transplanted into a wireless mesh network. Applying WAPI to wireless mesh networks would improve their security, but no scheme for doing so exists in the prior art.
Summary of the invention
In view of the above problems in the prior art, the object of the present invention is to provide a WAPI-based authentication method for a wireless mesh network, so as to effectively improve the security of wireless mesh networks.
To achieve the above object, the present invention adopts the following technical solution:
A WAPI-based authentication method for a wireless mesh network comprises the steps of:
a requesting node completing association with a node already in the network (the accessed node);
the accessed node sending first authentication activation information to the requesting node;
the requesting node receiving the first authentication activation information and sending a first access authentication request to the accessed node;
the accessed node receiving the first access authentication request and sending a first certificate authentication request to the authentication server;
the authentication server receiving the first certificate authentication request, constructing a first certificate authentication response, and sending the first certificate authentication response to the accessed node;
the accessed node receiving the first certificate authentication response, generating a first access authentication response from it, and sending the first access authentication response to the requesting node;
the accessed node and the requesting node establishing a shared key through session key negotiation.
According to the above scheme, every node is authenticated uniformly by the authentication server, achieving centralized management. After the requesting node and the accessed node complete association, the accessed node sends authentication activation information to the requesting node, which starts the subsequent certificate authentication and the establishment of a shared key through session key negotiation; a shared key is thereby established between the requesting node and the accessed node, and WAPI is organically combined with the wireless mesh network. Once the requesting node and the accessed node have established the shared key through key negotiation, data communication can proceed under that shared key, securing the communication process.
Description of drawings
Fig. 1 is a schematic structural diagram of a wireless mesh network;
Fig. 2 is a schematic flowchart of embodiment one of the method of the invention;
Fig. 3 is a schematic flowchart of embodiment two of the method of the invention;
Fig. 4 is an exemplary diagram of one wireless mesh network to which the method of the invention is applied;
Fig. 5 is a schematic flowchart of example three of the method of the invention;
Fig. 6 is an exemplary diagram of another wireless mesh network to which the method of the invention is applied.
Embodiments
Each specific embodiment of the WAPI-based authentication method for a wireless mesh network of the present invention is described in detail below. In the method of the invention, the authentication server AS is connected by wire to an MPP node of the wireless mesh network.
In the following description, for ease of distinction, the node requesting authentication is called the requesting node, and the node already in the network that completes the authentication process is called the accessed node.
Embodiment one:
Fig. 2 is a schematic flowchart of embodiment one of the WAPI-based authentication method for a wireless mesh network of the present invention.
In this embodiment it is assumed that the authentication server AS has issued a corresponding certificate to each MPP, MP and MAP node, that these nodes have each installed the certificate issued to them by the AS, and that the AS is located at a routable position in the wired network.
As shown in Fig. 2, the method of this embodiment comprises the steps of:
Step S101: the requesting node completes association with the accessed node; proceed to step S102.
Step S102: the accessed node sends authentication activation information to the requesting node. This information may contain an authentication activation identifier, the identity of the authentication server, the certificate of the accessed node and similar information; because WAPI authentication uses an elliptic-curve signature algorithm, it may also contain the ECDH (elliptic curve) parameters. Proceed to step S103.
Step S103: the requesting node receives the authentication activation information sent by the accessed node and sends an access authentication request to the accessed node. This request may contain an access authentication request identifier, the requesting node's challenge, the requesting node's key data, the requesting node's certificate, the identity of the accessed node, the ECDH parameters, the requesting node's signature and similar information. Proceed to step S104.
Step S104: the accessed node receives the access authentication request and checks whether the accessed node identity in the request matches its own, whether the ECDH parameters match those in the authentication activation information, and whether the requesting node's signature is correct, among other things. If any check fails, it discards the access authentication request packet. If all conditions are met, the accessed node sends a certificate authentication request to the authentication server; this request may contain an association identifier, the requesting node's challenge, the accessed node's challenge, the requesting node's certificate, the accessed node's certificate and similar information. Proceed to step S105.
Step S105: the authentication server receives the certificate authentication request from the accessed node and verifies the requesting node's certificate and the accessed node's certificate contained in it. If a certificate cannot be verified, its verification result is set to "undetermined" or "cannot be verified"; if verification passes, a certificate authentication response is constructed from the verification results. This response contains the association identifier, the verification result for the requesting node's certificate, the verification result for the accessed node's certificate and similar information; it is signed and sent to the accessed node. Proceed to step S106.
Step S106: the accessed node receives the certificate authentication response and checks whether the signature of the authentication server AS on it is correct. If the AS signature is incorrect, the response may be discarded. If it is correct, the accessed node acts on the AS's verification result for the requesting node's certificate: if that verification was unsuccessful, it sets the requesting node's access result to "unsuccessful"; if it was successful, it generates an access authentication response from the certificate authentication response. The access authentication response may contain an access authentication response identifier, the requesting node's challenge, the requesting node's access result, the requesting node's identity, the requesting node's key data, the accessed node's challenge, the accessed node's key data, the accessed node's identity, the accessed node's signature and similar information. The accessed node sends the access authentication response to the requesting node. Proceed to step S107.
Step S107: the accessed node and the requesting node establish a shared key through session key negotiation.
After the above authentication process is complete, the requesting node and the accessed node communicate using the shared key so established in the subsequent communication process.
The shared key established by session key negotiation between the accessed node and the requesting node in step S107 may be a unicast key only, or a multicast/inter-station key may be established in addition to the unicast key. When the shared key between the accessed node and the requesting node is a unicast key, establishing it by session key negotiation may specifically comprise:
the accessed node sends a session key request message to the requesting node; this message may contain a unicast session key request identifier, a base key identifier, a unicast session key index, the association identifier, the accessed node's challenge and similar information;
the requesting node receives the session key request message and sends a session key response message to the accessed node; this message may contain a unicast session key response identifier, the base key identifier, the unicast session key index, the association identifier, the requesting node's challenge, the accessed node's challenge, the WAPI information element selected by the requesting node, a message authentication code and similar information;
the accessed node receives the session key response message, sends a session key confirmation message to the requesting node, and establishes the unicast key with the requesting node; the confirmation message may contain a unicast session key confirmation identifier, the base key identifier, the unicast session key index, the association identifier, the requesting node's challenge, the WAPI information element selected by the accessed node, a message authentication code and similar information.
After the unicast key has been established, a multicast/inter-station key may also be established between the accessed node and the requesting node as the application requires, so that a unicast key and a multicast/inter-station key exist simultaneously between them. When a multicast/inter-station key is established between the two, establishing it by session key negotiation may specifically comprise:
the accessed node sends a multicast/inter-station session key announcement message to the requesting node; this message may contain a multicast/inter-station session key announcement identifier, a multicast session key index/inter-station session key index, the unicast session key index, the association identifier, a sequence number, a key announcement identifier, key data, a message authentication code and similar information;
the requesting node receives the multicast/inter-station session key announcement message and sends a multicast/inter-station session key response message to the accessed node, and the accessed node establishes the multicast/inter-station key; the response message may contain a multicast/inter-station session key response identifier, the multicast session key index/inter-station session key index, the unicast session key index, the association identifier, the key announcement identifier, a message authentication code and similar information.
When the requesting node receives the access authentication response sent by the accessed node, it verifies whether the requesting node identity in the response matches its own, whether the accessed node identity matches the one to which it sent the access authentication request, whether the requesting node's challenge matches the one it sent in the access authentication request, whether the requesting node's key data matches the key data it sent in that request, and whether the accessed node's signature is correct, among other things. If any condition is not met, it discards the access authentication response.
In the above steps, the association process between the requesting node and the accessed node may be the same as in the prior art:
the requesting node sends a probe request to the accessed node, and the accessed node, on receiving it, sends a probe response to the requesting node;
the requesting node then sends a link authentication request to the accessed node, and the accessed node, on receiving it, returns a link authentication response to the requesting node;
the requesting node sends an association request to the accessed node, and the accessed node, on receiving it, sends an association response to the requesting node, completing the association process.
The detailed procedures for certificate authentication and for establishing the shared key through session key negotiation in the above steps may be the same as in WAPI of the prior art and are not repeated here.
The requesting node may be an MP, a MAP or an MPP, and the accessed node may likewise be an MP, a MAP or an MPP.
Embodiment two:
Fig. 3 is a schematic flowchart of embodiment two of the WAPI-based authentication method for a wireless mesh network of the present invention. This embodiment mainly describes the authentication process when a station accesses the network.
As shown in Fig. 3, it specifically comprises the steps of:
Step S201: the station completes association with any MAP node already in the network (the accessed MAP); proceed to step S202.
Step S202: the accessed MAP sends authentication activation information to the station. This information may contain an authentication activation identifier, the identity of the authentication server, the certificate of the accessed MAP and similar information; because WAPI authentication uses an elliptic-curve signature algorithm, it may also contain the ECDH (elliptic curve) parameters. Proceed to step S203.
Step S203: the station receives the authentication activation information sent by the accessed MAP and sends an access authentication request to the accessed MAP. This request may contain an access authentication request identifier, the station's challenge, the station's key data, the station's certificate, the identity of the accessed MAP, the ECDH parameters, the station's signature and similar information. Proceed to step S204.
Step S204: the accessed MAP receives the access authentication request and checks whether the MAP identity in the request matches its own, whether the ECDH parameters match those in the authentication activation information, and whether the station's signature is correct, among other things. If any check fails, it discards the access authentication request. If all conditions are met, the MAP sends a certificate authentication request to the authentication server; this request may contain an association identifier, the station's challenge, the accessed MAP's challenge, the station's certificate, the accessed MAP's certificate and similar information. Proceed to step S205.
Step S205: the authentication server receives the certificate authentication request from the accessed MAP and verifies the station's certificate and the accessed MAP's certificate contained in it. If a certificate cannot be verified, its verification result is set to "undetermined" or "cannot be verified"; if verification passes, a certificate authentication response is constructed from the verification results. This response contains the association identifier, the verification result for the station's certificate, the verification result for the accessed MAP's certificate and similar information; it is signed and sent to the accessed MAP. Proceed to step S206.
Step S206: the accessed MAP receives the certificate authentication response and checks whether the signature of the authentication server AS on it is correct. If the AS signature is incorrect, the response may be discarded. If it is correct, the MAP acts on the AS's verification result for the station's certificate: if that verification was unsuccessful, it sets the station's access result to "unsuccessful"; if it was successful, it generates an access authentication response from the certificate authentication response. The access authentication response may contain an access authentication response identifier, the station's challenge, the station's access result, the station's key data, the station's identity, the accessed MAP's challenge, the accessed MAP's key data, the accessed MAP's identity, the accessed MAP's signature and similar information. The accessed MAP sends the access authentication response to the station. Proceed to step S207.
Step S207: the accessed MAP and the station establish a shared key through session key negotiation.
After the above authentication process is complete, the station and the accessed MAP communicate using the shared key so established in the subsequent communication process.
Wherein, the shared key of setting up by session key agreement between the MAP node of above-mentioned accessed network and the described website can be that key of multicast/between standing and singlecast key exist simultaneously, when setting up singlecast key between the MAP of accessed network node and the website, the then above-mentioned mode of setting up singlecast key by session key agreement specifically can comprise:
The MAP node of described accessed network sends the session key request message to described website, wherein, the information such as challenge that comprise the MAP node of unicast session key request mark, base key sign, unicast session key index and allocation index, this accessed network in this session key request message;
Described website receives described session key request message, send the session key response message to the MAP of described accessed network node, the information such as challenge, WAPI information element that website is selected and Message Authentication Code of MAP that wherein, can comprise challenge, the accessed network of unicast session key response identification, base key sign, unicast session key index, allocation index, website in this session key response message;
The MAP node of described accessed network receives described session key response message, send the session key acknowledge message to described website, set up singlecast key with described website, wherein, this session key acknowledge message can comprise that unicast session key confirms information such as the WAPI information element of MAP selection of the challenge of sign, base key sign, unicast session key index, allocation index, website, this accessed network and Message Authentication Code.
After having set up singlecast key, can also set up multicast/key between standing between the MAP node of this accessed network and the website, make and have singlecast key and multicast/key between standing simultaneously between the MAP node of this accessed network and the website, when setting up the key of multicast/between standing between the two, above-mentionedly set up by session key agreement that multicast/mode of key specifically can comprise between standing:
The MAP node of described accessed network sends multicast/session key notice message between standing to described website, wherein, this multicast/can comprise in the session key notice message between standing multicast/session key notice message sign, multicast session key index/information such as session key index, unicast session key index, allocation index, digital number, key announce sign, key data and Message Authentication Code between standing between standing;
Described website receives described multicast/session key notice message between standing, send multicast/session key response message between standing to the MAP of described accessed network node, and the MAP node of described accessed network is set up multicast/key between standing, wherein, session key index, unicast session key index, allocation index, the key announce of the session key response message sign of this multicast/can comprise in the session key response message between standing multicast/between standing, multicast session key index/between stand identifies and information such as Message Authentication Code.
Wherein, receive after the access that is sent by the MAP node of accessed network differentiates response at website, whether the identity of verifying the website in this access discriminating response is with own identical, whether the identity of the identity of the MAP node of this accessed network when oneself send to insert differentiating request be identical, whether identical in the request differentiated in the access that the challenge of this website sends with oneself, whether identical in the request differentiated in the access that the key data of this website sends with oneself, and whether the signature of the MAP node of this accessed network is correct or the like, if there is any one condition not meet, then abandons this access and differentiate response.
In the above steps, the association between the station and the in-network MAP node can be carried out as in the prior art:
The station sends a probe request to the in-network MAP node; the in-network MAP node receives the probe request and returns a probe response to the station;
The station then sends a link verification request to the in-network MAP node; the in-network MAP node receives it and returns a link verification response to the station;
The station sends an association request to the in-network MAP node; the in-network MAP node receives it and returns an association response to the station, completing the association.
The certificate authentication in the above steps and the detailed procedure for establishing the shared key by session key agreement can be the same as in WAPI of the prior art and are not repeated here.
The two embodiments of the invention above are now illustrated with a concrete example. Figure 4 shows one exemplary wireless mesh network to which the method of the invention is applied. Assume that every node and station in this network, i.e. the MAPs, MPs, MPPs and stations, has obtained a certificate issued by the authentication server AS and has installed the certificate issued to it, and assume that node MPP1 is already in the network. In the following description the station is STA, and the shared key established between the requesting node and the in-network node, and between STA and the in-network MAP node, is taken to be a unicast key. This does not limit the method to establishing only a unicast key between the requesting node and the in-network node, or only between STA and the in-network MAP node: after the unicast key has been established, a multicast/inter-station key can also be set up between the requesting node and the in-network node, and between STA and the in-network MAP node, so that a unicast key and a multicast/inter-station key exist at the same time.
As shown in Fig. 4, when nodes MP1 and MP2 need to access the network, the procedure may be as follows:
First, after MP1 and MP2 have each completed association with MPP1, MPP1 sends an authentication activation message to MP1 and to MP2; the order in which MPP1 sends the activation messages to MP1 and MP2 is not fixed. The activation message may contain the authentication activation identifier, the identity of the authentication server and the certificate of MPP1; because the WAPI authentication procedure uses an elliptic curve signature algorithm, the activation message may also carry the ECDH (elliptic curve) parameter;
MP1 and MP2 each receive the activation message sent by MPP1 and each send an access authentication request to MPP1. The access authentication request may contain the access authentication request identifier, the challenge of MP1 or MP2, the key data of MP1 or MP2, the certificate of MP1 or MP2, the identity of MPP1, the ECDH parameter and the signature of MP1 or MP2;
MPP1 receives each access authentication request and checks whether the MPP1 identity in the request is its own, whether the ECDH parameter matches the one in the activation message, and whether the signature of MP1 or MP2 is correct. If any check fails, the corresponding access authentication request is discarded; if all checks pass, MPP1 sends a certificate authentication request to the authentication server for each. The certificate authentication request may contain the address index, the certificate of MP1 or MP2, the challenge of MP1 or MP2, the challenge of MPP1 and the certificate of MPP1;
The authentication server AS receives the certificate authentication requests sent by MPP1, verifies the certificate of MP1 or MP2 and the certificate of MPP1 in each, and constructs a certificate authentication response for each according to the verification results. The certificate authentication response contains the address index together with the verification results for the certificates of MP1 and MPP1, or for the certificates of MP2 and MPP1; the AS signs the response and sends it to MPP1;
MPP1 receives each certificate authentication response and checks whether the signature of the authentication server AS on it is correct. If the AS signature is incorrect, the corresponding certificate authentication response is discarded. If the AS signature is correct, MPP1 uses the AS verification result for the certificate of MP1 or MP2: if that certificate failed verification, MPP1 sets the access result of MP1 or MP2 to unsuccessful; if it passed, MPP1 generates an access authentication response from the certificate authentication response. The access authentication response may contain the access authentication response identifier, the challenge of MP1 or MP2, the access result of MP1 or MP2, the key data of MP1 or MP2, the identity of MP1 or MP2, the challenge of MPP1, the key data of MPP1, the identity of MPP1 and the signature of MPP1. MPP1 sends the respective access authentication response to MP1 and to MP2;
MPP1 sends a session key request message to MP1 and to MP2;
MP1 and MP2 each receive the session key request message and each send a session key response message to MPP1;
MPP1 receives each session key response message, sends a session key confirmation message to MP1 and to MP2, and establishes a shared key with MP1 and with MP2.
Once MP1 and MPP1 have established a shared key, MP1 has completed authentication and joined the network. MP1 then sends an authentication activation message to MAP1, MP2 and MP4, the nodes with which it has completed association; the order in which MP1 sends the activation messages to MAP1, MP2 and MP4 is not fixed. The activation message may contain the authentication activation identifier, the identity of the authentication server and the certificate of MP1; because the WAPI authentication procedure uses an elliptic curve signature algorithm, it may also carry the ECDH (elliptic curve) parameter;
MAP1, MP2 and MP4 each receive the activation message sent by MP1 and each send an access authentication request to MP1. The access authentication request may contain the access authentication request identifier, the challenge of MAP1, MP2 or MP4, the key data of MAP1, MP2 or MP4, the identity of MP1, the ECDH parameter, and the certificate and signature of MAP1, MP2 or MP4;
MP1 receives each access authentication request and checks whether the MP1 identity in the request is its own, whether the ECDH parameter matches the one in the activation message, and whether the signature of MAP1, MP2 or MP4 is correct. If any check fails, the corresponding access authentication request is discarded; if all checks pass, MP1 sends a certificate authentication request to the authentication server for each. The certificate authentication request may contain the address index, the challenge of MAP1, MP2 or MP4, the challenge of MP1, the certificate of MAP1, MP2 or MP4, and the certificate of MP1;
The authentication server AS receives the certificate authentication requests sent by MP1, verifies the certificate of MP1 together with the certificate of MAP1, MP2 or MP4 in each, and constructs a certificate authentication response for each according to the verification results. The certificate authentication response may contain the address index, the verification result for the certificate of MP1 and the verification result for the certificate of MAP1, MP2 or MP4; the AS signs the response and sends it to MP1;
MP1 receives each certificate authentication response and checks whether the signature of the authentication server AS on it is correct. If the AS signature is incorrect, the corresponding certificate authentication response is discarded. If the AS signature is correct, MP1 uses the AS verification result for the certificate of MAP1, MP2 or MP4: if that certificate failed verification, MP1 sets the access result of MAP1, MP2 or MP4 to unsuccessful; if it passed, MP1 generates an access authentication response from the certificate authentication response. The access authentication response may contain the access authentication response identifier, the challenge of MAP1, MP2 or MP4, the key data of MAP1, MP2 or MP4, the access result of MAP1, MP2 or MP4, the identity of MAP1, MP2 or MP4, the challenge of MP1, the key data of MP1, the identity of MP1 and the signature of MP1. MP1 sends the respective access authentication response to MAP1, MP2 and MP4;
MP1 sends a session key request message to MAP1, MP2 and MP4;
MAP1, MP2 and MP4 each receive the session key request message and each send a session key response message to MP1;
MP1 receives each session key response message, sends a session key confirmation message to MAP1, MP2 and MP4, and establishes a shared key with each of MAP1, MP2 and MP4.
Once MP2 and MPP1 have established a shared key, MP2 has completed authentication and joined the network. MP2 then sends an authentication activation message to MP1, MP3 and MP4, the nodes with which it has completed association; the order in which MP2 sends the activation messages to MP1, MP3 and MP4 is not fixed. The activation message may contain the authentication activation identifier, the identity of the authentication server and the certificate of MP2; because the WAPI authentication procedure uses an elliptic curve signature algorithm, it may also carry the ECDH (elliptic curve) parameter;
MP1, MP3 and MP4 each receive the activation message sent by MP2 and each send an access authentication request to MP2. The access authentication request may contain the access authentication request identifier, the challenge of MP1, MP3 or MP4, the key data of MP1, MP3 or MP4, the identity of MP2, the ECDH parameter, and the certificate and signature of MP1, MP3 or MP4;
MP2 receives each access authentication request and checks whether the MP2 identity in the request is its own, whether the ECDH parameter matches the one in the activation message, and whether the signature of MP1, MP3 or MP4 is correct. If any condition is not met, the corresponding access authentication request is discarded; if all conditions are met, MP2 sends a certificate authentication request to the authentication server for each. The certificate authentication request may contain the address index, the challenge of MP1, MP3 or MP4, the challenge of MP2, the certificate of MP1, MP3 or MP4, and the certificate of MP2;
The authentication server AS receives the certificate authentication requests sent by MP2, verifies the certificate of MP2 together with the certificate of MP1, MP3 or MP4 in each, and constructs a certificate authentication response for each according to the verification results. The certificate authentication response may contain the address index, the verification result for the certificate of MP2 and the verification result for the certificate of MP1, MP3 or MP4; the AS signs each response and sends it to MP2;
MP2 receives each certificate authentication response and checks whether the signature of the authentication server AS on it is correct. If the AS signature is incorrect, the corresponding certificate authentication response is discarded. If the AS signature is correct, MP2 uses the AS verification result for the certificate of MP1, MP3 or MP4: if that certificate failed verification, MP2 sets the access result of MP1, MP3 or MP4 to unsuccessful; if it passed, MP2 generates an access authentication response from the certificate authentication response. The access authentication response may contain the access authentication response identifier, the challenge of MP1, MP3 or MP4, the key data of MP1, MP3 or MP4, the access result of MP1, MP3 or MP4, the identity of MP1, MP3 or MP4, the challenge of MP2, the key data of MP2, the identity of MP2 and the signature of MP2. MP2 sends the respective access authentication response to MP1, MP3 and MP4;
MP2 sends a session key request message to MP1, MP3 and MP4;
MP1, MP3 and MP4 each receive the session key request message and each send a session key response message to MP2;
MP2 receives each session key response message, sends a session key confirmation message to MP1, MP3 and MP4, and establishes a shared key with each of MP1, MP3 and MP4.
In the above steps, the order in which MP1 and MP2 send authentication activation messages to the nodes associated with them is not fixed. Depending on the actual authentication situation, node MP2 may first send activation messages to its associated nodes MP1, MP3 and MP4, and node MP1 may then send activation messages to its associated nodes MAP1, MP2 and MP4.
Subsequently, node MAP1 sends an authentication activation message to the STA with which it has completed association. The activation message may contain the authentication activation identifier, the identity of the authentication server and the certificate of MAP1; because the WAPI authentication procedure uses an elliptic curve signature algorithm, it may also carry the ECDH (elliptic curve) parameter;
STA receives the activation message sent by MAP1 and sends an access authentication request to MAP1. The access authentication request may contain the access authentication request identifier, the challenge of STA, the key data of STA, the certificate of STA, the identity of MAP1, the ECDH parameter and the signature of STA;
MAP1 receives the access authentication request and checks whether the MAP1 identity in the request is its own, whether the ECDH parameter matches the one in the activation message, and whether the signature of STA is correct. If any check fails, the access authentication request is discarded; if all checks pass, MAP1 sends a certificate authentication request to the authentication server. The certificate authentication request may contain the address index, the challenge of STA, the challenge of MAP1, the certificate of STA and the certificate of MAP1;
The authentication server AS receives the certificate authentication request sent by MAP1, verifies the certificate of STA and the certificate of MAP1 in it, and constructs a certificate authentication response according to the verification results. The certificate authentication response contains the address index and the verification results for the certificates of STA and MAP1; the AS signs the response and sends it to MAP1;
MAP1 receives the certificate authentication response and checks whether the signature of the authentication server AS on it is correct. If the AS signature is incorrect, the certificate authentication response is discarded. If the AS signature is correct, MAP1 uses the AS verification result for the certificate of STA: if the certificate failed verification, MAP1 sets the access result of STA to unsuccessful; if it passed, MAP1 generates an access authentication response from the certificate authentication response. The access authentication response may contain the access authentication response identifier, the access result of STA, the challenge of STA, the key data of STA, the identity of STA, the challenge of MAP1, the key data of MAP1, the identity of MAP1 and the signature of MAP1. MAP1 sends the access authentication response to STA;
MAP1 sends a session key request message to STA;
STA receives the session key request message and sends a session key response message to MAP1;
MAP1 receives the session key response message, sends a session key confirmation message to STA, and establishes a shared key with STA.
Depending on application needs, the solution of the invention can either wait until all nodes have joined and the network has been formed before admitting stations, i.e. before sending authentication activation messages to stations, or it can begin the station access procedure, i.e. begin sending authentication activation messages to stations, as soon as a MAP has joined the network, even while the network formation procedure is not yet complete.
In addition, as noted above, after MP1 has sent an authentication activation message to its associated node MP2, MP2 may in turn send an activation message to MP1, so that a repeated authentication procedure occurs. To avoid this repeated authentication, an avoidance mechanism can be adopted to reduce repeated authentication as far as possible: after a node has received an activation message, whenever it subsequently needs to send activation messages it first checks which nodes have already sent it an activation message, or to which it has already sent an access authentication request, and then no longer sends an activation message to any requesting node with which an authentication procedure has already begun. For example, in the procedure above, after MP1 has sent an activation message to MP2, MP2 records MP1 as a node that has sent it an activation message, or records MP1 after MP2 has sent it an access authentication request. When MP2 later needs to send activation messages to other nodes, it does not send one to any node that has sent it an activation message or to which it has sent an access authentication request, and a repeated authentication procedure is thereby avoided.
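The avoidance mechanism just described, as an added simulation that is not part of this patent: each node keeps a register of the peers that have already activated it, and the activation rounds of MP1 and MP2 are run over the association lists of the Figure 4 walk-through (assumed here) in both orders, with and without the register.

```python
# Constructed simulation of the avoidance mechanism; the association lists are the ones
# the text walks through for Figure 4 (an assumption of this example, not page data).
ASSOCIATED = {"MP1": ["MAP1", "MP2", "MP4"], "MP2": ["MP1", "MP3", "MP4"]}

def activate_neighbours(node, register, log, avoid=True):
    """node sends an activation message to each associated peer, skipping any peer that
    has already sent node an activation message (i.e. that node already answered with an
    access authentication request)."""
    for peer in ASSOCIATED[node]:
        if avoid and peer in register.get(node, set()):
            continue                                   # authentication already under way
        log.append((node, peer))                       # node acts as AE towards peer
        register.setdefault(peer, set()).add(node)     # peer records: node activated me

def network_entry(order, avoid=True):
    """Run the activation rounds of the example in the given node order; returns the
    list of (activating node, requesting node) authentication exchanges."""
    register, log = {}, []
    for node in order:
        activate_neighbours(node, register, log, avoid)
    return log

def duplicated_pairs(log):
    """Unordered node pairs that went through authentication more than once."""
    seen, dup = set(), set()
    for a, b in log:
        pair = frozenset((a, b))
        (dup if pair in seen else seen).add(pair)
    return dup
```

Without the register the MP1/MP2 pair is authenticated twice; with it the pair is authenticated once, whichever node activates first.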
Embodiment three:
Figure 5 is a flow diagram of embodiment three of the WAPI-based authentication method for a wireless mesh network according to the invention; this embodiment mainly describes a new node that newly joins the network.
As shown in Figure 5, it specifically comprises the following steps:
Step S301: the new node completes association with each in-network node; the order in which the new node associates with the individual in-network nodes is not fixed. Proceed to step S302;
Step S302: each in-network node sends an authentication activation message to the new node. The activation message may contain the authentication activation identifier, the identity of the authentication server and the certificate of the in-network node; because the WAPI authentication procedure uses an elliptic curve signature algorithm, it may also carry the ECDH (elliptic curve) parameter. Proceed to step S303;
Step S303: the new node receives the activation message sent by each in-network node and sends an access authentication request to each of them. The access authentication request may contain the access authentication request identifier, the challenge of the new node, the key data of the new node, the certificate of the new node, the identity of the in-network node, the ECDH parameter and the signature of the new node. Proceed to step S304;
Step S304: each in-network node receives the access authentication request sent by the new node and checks whether the in-network node identity in the request is its own, whether the ECDH parameter matches the one in its activation message, and whether the signature of the new node is correct. If any check fails, the access authentication request packet is discarded; if all checks pass, the in-network node sends a certificate authentication request to the authentication server. The certificate authentication request may contain the address index, the challenge of the new node, the certificate of the new node, the challenge of the in-network node and the certificate of the in-network node. Proceed to step S305;
Step S305: the authentication server receives the certificate authentication request sent by each in-network node and verifies the certificate of the new node and the certificate of the in-network node in each. If a certificate cannot be verified, the corresponding verification result is set to indeterminate or unverifiable; if verification passes, a certificate authentication response is constructed from the verification results. The certificate authentication response may contain the address index, the verification result for the certificate of the new node and the verification result for the certificate of the in-network node; the authentication server signs the response and sends it to the corresponding in-network node. Proceed to step S306;
Step S306: each in-network node receives its certificate authentication response and checks whether the signature of the authentication server AS on it is correct. If the AS signature is incorrect, the corresponding certificate authentication response is discarded. If the AS signature is correct, the in-network node uses the AS verification result for the certificate of the new node: if the certificate failed verification, the in-network node sets the access result of the new node to unsuccessful; if it passed, the in-network node generates an access authentication response from the certificate authentication response. The access authentication response may contain the access authentication response identifier, the challenge of the new node, the key data of the new node, the access result of the new node, the identity of the new node, the challenge of the in-network node, the key data of the in-network node, the identity of the in-network node and the signature of the in-network node. The in-network node sends the access authentication response to the new node. Proceed to step S307;
Step S307: each in-network node establishes a shared key with the new node by session key agreement.
After the above authentication procedure is complete, in subsequent communication the new node communicates with each in-network node using the shared key established with that node.
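The certificate authentication exchange of steps S302 to S306 (the same exchange the Figure 4 walk-through repeats for every node pair), as an added simulation that is not part of this patent: the drop rules on the access authentication request, the round trip to the AS with its signed verdict, and the checks the requesting side applies to the access authentication response, ending in a base key on both sides. Signatures are HMAC stand-ins looked up by identity and a toy finite-field DH replaces ECDH; the identities, field names and revocation set are constructed for the example.

```python
import hashlib, hmac, secrets

# Stand-ins, all assumptions of this example (stdlib only): a "signature" is an HMAC tag
# under a per-identity key that verifiers look up by identity (real WAPI: ECDSA over the
# certificate's public key), and a toy finite-field DH over P stands in for ECDH.
P, G = 2**127 - 1, 3   # toy group announced as the "ECDH parameter"; NOT a secure size
KEYS = {}              # identity -> signing key (stands in for certificate public keys)

def sign(who, obj):
    return hmac.new(KEYS[who], repr(obj).encode(), "sha256").digest()

def valid(who, sig, obj):
    return who in KEYS and hmac.compare_digest(sig, sign(who, obj))

def unsigned(msg):
    return {k: v for k, v in msg.items() if k != "sig"}   # what a signature covers

class AS:
    """Authentication server: issues certificates and signs a verdict on each pair."""
    def __init__(self):
        KEYS["AS"], self.revoked = secrets.token_bytes(32), set()
    def issue(self, ident):
        KEYS[ident] = secrets.token_bytes(32)
        return {"id": ident, "sig": sign("AS", ident)}
    def cert_ok(self, cert):
        return cert["id"] not in self.revoked and valid("AS", cert["sig"], cert["id"])
    def cert_auth(self, addid, ae_ch, asue_ch, asue_cert, ae_cert):
        # Verdict bound to the address index and both challenges, so a verdict for
        # another pair or an earlier session cannot be replayed.
        v = {"addid": addid, "ae_ch": ae_ch, "asue_ch": asue_ch,
             "asue_ok": self.cert_ok(asue_cert), "ae_ok": self.cert_ok(ae_cert)}
        v["sig"] = sign("AS", unsigned(v))
        return v

class Node:
    """Mesh node (MP, MAP, MPP or STA) in either role: in-network (AE) or requesting."""
    def __init__(self, as_, ident):
        self.id, self.cert = ident, as_.issue(ident)
        self.x = secrets.randbelow(P - 2) + 1              # ephemeral DH secret
        self.kd = pow(G, self.x, P).to_bytes(16, "big")    # "key data" = DH public value
    # --- in-network node (AE) side ---
    def activate(self):
        return {"as": "AS", "ae_cert": self.cert, "ecdh": (P, G)}
    def authenticate(self, as_, act, req):
        """Drop rules on the access authentication request, then the AS round trip."""
        if req["ae_id"] != self.id:
            return None, "drop: AE identity mismatch"
        if req["ecdh"] != act["ecdh"]:
            return None, "drop: ECDH parameter differs from activation"
        if not valid(req["asue_cert"]["id"], req["sig"], unsigned(req)):
            return None, "drop: bad requester signature"
        addid, ae_ch = self.id + req["asue_cert"]["id"], secrets.token_bytes(16)
        v = as_.cert_auth(addid, ae_ch, req["ch"], req["asue_cert"], self.cert)
        if not valid("AS", v["sig"], unsigned(v)):
            return None, "drop: bad AS signature"
        resp = {"asue_ch": req["ch"], "asue_kd": req["kd"], "asue_id": req["asue_cert"]["id"],
                "result": v["asue_ok"], "ae_ch": ae_ch, "ae_kd": self.kd, "ae_id": self.id,
                "verdict": v}
        resp["sig"] = sign(self.id, unsigned(resp))
        return resp, "ok"
    # --- requesting node (ASUE) side ---
    def request(self, act):
        req = {"ch": secrets.token_bytes(16), "kd": self.kd, "ae_id": act["ae_cert"]["id"],
               "asue_cert": self.cert, "ecdh": act["ecdh"]}
        req["sig"] = sign(self.id, unsigned(req))
        return req
    def finish(self, act, req, resp):
        """The response checks the text lists; any failure discards the response."""
        v = resp["verdict"]
        if resp["asue_id"] != self.id or resp["ae_id"] != req["ae_id"]:
            return None, "drop: identity mismatch"
        if resp["asue_ch"] != req["ch"] or resp["asue_kd"] != req["kd"]:
            return None, "drop: challenge or key data not echoed"
        if not valid(act["ae_cert"]["id"], resp["sig"], unsigned(resp)):
            return None, "drop: bad AE signature"
        if not valid("AS", v["sig"], unsigned(v)) or v["asue_ch"] != req["ch"] or not v["ae_ok"]:
            return None, "drop: AS did not vouch for the AE in this session"
        if not resp["result"]:
            return None, "access result: unsuccessful"
        return self.base_key(resp["ae_kd"], req["ch"], resp["ae_ch"]), "ok"
    def base_key(self, peer_kd, asue_ch, ae_ch):
        # DH shared value mixed with both challenges: simplified stand-in for the WAPI
        # base key (BK) derivation; both sides must arrive at the same value.
        shared = pow(int.from_bytes(peer_kd, "big"), self.x, P).to_bytes(16, "big")
        return hashlib.sha256(shared + asue_ch + ae_ch).digest()

def run(as_, asue, ae):
    """One complete exchange; returns (requester BK, in-network node BK, status)."""
    act = ae.activate()
    req = asue.request(act)
    resp, why = ae.authenticate(as_, act, req)
    if resp is None:
        return None, None, why
    bk, why = asue.finish(act, req, resp)
    return bk, bk and ae.base_key(req["kd"], req["ch"], resp["ae_ch"]), why
```

A revoked requester still receives a response, but with an unsuccessful access result; a revoked in-network node is rejected by the requester because the AS verdict does not vouch for it.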
The shared key established by session key agreement between each in-network node and the new node in step S307 above may be only a unicast key, or a multicast/inter-station key may be set up in addition to the unicast key. When the shared key established between an in-network node and the new node is a unicast key, establishing the unicast key by session key agreement may specifically comprise:
Each in-network node sends a session key request message to the new node. The session key request message may contain the unicast session key request identifier, the base key identifier, the unicast session key index, the address index and the challenge of the in-network node;
The new node receives each session key request message and sends a session key response message to each in-network node. The session key response message may contain the unicast session key response identifier, the base key identifier, the unicast session key index, the address index, the challenge of the new node, the challenge of the in-network node, the WAPI information element selected by the new node and a message authentication code;
Each in-network node receives its session key response message, sends a session key confirmation message to the new node and establishes the unicast key with the new node. The session key confirmation message may contain the unicast session key confirmation identifier, the base key identifier, the unicast session key index, the address index, the challenge of the new node, the WAPI information element selected by the in-network node and a message authentication code.
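The three-message unicast key negotiation just listed, as an added simulation that is not part of this patent: both sides derive unicast key material from the base key and the two challenges, and the response and the confirmation are each accepted only if the echoed challenge is the live one and the message authentication code verifies. The key derivation, field names and BKID values are constructed for the example.

```python
import hmac, secrets

def fields(msg):
    """Canonical byte string of a message minus its MAC: exactly what the MAC covers."""
    return repr({k: v for k, v in msg.items() if k != "mac"}).encode()

class Peer:
    """One side of the unicast key negotiation; bks maps a base key identifier to BK."""
    def __init__(self, bks, wie=b"WIE:v1"):
        self.bks, self.wie, self.pending = bks, wie, {}

    def _usk(self, bkid, ae_ch, asue_ch):
        # Unicast session key material: simplified stand-in for KD-HMAC-SHA256(BK, challenges).
        # First half is the data key, second half the MAC key.
        return hmac.new(self.bks[bkid], ae_ch + asue_ch, "sha256").digest()

    # --- in-network node (AE) side ---
    def request(self, bkid, uskid, addid):
        ae_ch = secrets.token_bytes(16)
        self.pending[addid] = ae_ch                       # my live challenge for this peer
        return {"flag": "USK-REQ", "bkid": bkid, "uskid": uskid, "addid": addid, "ae_ch": ae_ch}

    def confirm(self, resp):
        """Check the response; on success return the confirmation and the data key."""
        if resp["bkid"] not in self.bks:
            return None, "drop: unknown BKID"
        if resp["ae_ch"] != self.pending.get(resp["addid"]):
            return None, "drop: stale or foreign AE challenge"
        usk = self._usk(resp["bkid"], resp["ae_ch"], resp["asue_ch"])
        if not hmac.compare_digest(resp["mac"], hmac.new(usk[16:], fields(resp), "sha256").digest()):
            return None, "drop: bad MAC on response"
        del self.pending[resp["addid"]]                   # challenge consumed: no replay
        conf = {"flag": "USK-CONF", "bkid": resp["bkid"], "uskid": resp["uskid"],
                "addid": resp["addid"], "asue_ch": resp["asue_ch"], "wie": self.wie}
        conf["mac"] = hmac.new(usk[16:], fields(conf), "sha256").digest()
        return conf, usk[:16]

    # --- requesting node (ASUE) side ---
    def respond(self, req):
        if req["bkid"] not in self.bks:
            return None, "drop: unknown BKID"
        asue_ch = secrets.token_bytes(16)
        usk = self._usk(req["bkid"], req["ae_ch"], asue_ch)
        self.pending[req["addid"]] = (asue_ch, usk)       # installed only after confirmation
        resp = {"flag": "USK-RESP", "bkid": req["bkid"], "uskid": req["uskid"], "addid": req["addid"],
                "asue_ch": asue_ch, "ae_ch": req["ae_ch"], "wie": self.wie}
        resp["mac"] = hmac.new(usk[16:], fields(resp), "sha256").digest()
        return resp, "ok"

    def accept(self, conf):
        """Check the confirmation; only then is the unicast key installed."""
        asue_ch, usk = self.pending.get(conf["addid"], (None, None))
        if conf["asue_ch"] != asue_ch:
            return None, "drop: challenge not echoed"
        if not hmac.compare_digest(conf["mac"], hmac.new(usk[16:], fields(conf), "sha256").digest()):
            return None, "drop: bad MAC on confirmation"
        del self.pending[conf["addid"]]
        return usk[:16], "ok"

def negotiate(ae, asue, bkid, uskid, addid):
    """Three-way unicast key negotiation; returns (AE data key, ASUE data key, status)."""
    req = ae.request(bkid, uskid, addid)
    resp, why = asue.respond(req)
    if resp is None:
        return None, None, why
    conf, out = ae.confirm(resp)
    if conf is None:
        return None, None, out
    key_asue, why = asue.accept(conf)
    return out, key_asue, why
```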
After the unicast key has been established, a multicast/inter-station key can additionally be set up between an in-network node and the new node as the application requires, so that a unicast key and a multicast/inter-station key exist between the new node and the in-network node at the same time. When a multicast/inter-station key is set up between the two, establishing it by session key agreement may specifically comprise:
Each in-network node sends a multicast/inter-station session key announcement message to the new node. This announcement message may contain the multicast/inter-station session key announcement identifier, the multicast/inter-station session key identifier, the unicast session key index, the address index, the data sequence number, the key announcement identifier, the key data and a message authentication code;
The new node receives each multicast/inter-station session key announcement message, sends a multicast/inter-station session key response message to each in-network node, and establishes a multicast/inter-station key with each of them. The response message may contain the multicast/inter-station session key response identifier, the multicast/inter-station session key identifier, the unicast session key index, the address index, the key announcement identifier and a message authentication code.
After the new node receives the access authentication response sent by an in-network node, it verifies whether the new node identity in the response is its own, whether the identity of the in-network node matches the one it put in its access authentication request, whether the new node challenge in the response matches the one it sent in the request, whether the new node key data in the response matches the one it sent in the request, and whether the signature of the in-network node is correct. If any one of these conditions is not met, the new node discards the access authentication response.
In the above steps, the association process between the new node and the node of the accessed network can be the same as in the prior art:
The new node sends a probe request to the node of the accessed network; on receiving it, the node of the accessed network returns a probe response to the new node;
Next, the new node sends a link authentication request to the node of the accessed network, which returns a link authentication response to the new node;
The new node sends an association request to the node of the accessed network, which returns an association response to the new node, completing the association process.
The detailed certificate authentication procedure and the establishment of the shared key by session key negotiation in the above steps can be the same as in prior-art WAPI and are not repeated here.
The new node above can be an MP, a MAP or an MPP, and the node of the accessed network above can likewise be an MP, a MAP or an MPP.
Figure 6 shows another exemplary wireless mesh network to which the method of the invention is applied. Suppose that in this network node MAP3 is the new node joining the network, that all other nodes have already completed authentication and accessed the network, and that the authentication server AS has issued a certificate to the new node MAP3. The following example describes the case where the shared key between the new node and the nodes of the accessed network is a unicast key.
As shown in Fig. 5, when the new node MAP3 needs to access the network, this can proceed as follows:
First, the new node MAP3 completes association with nodes MP4, MAP1 and MAP2 respectively;
After association is complete, MP4, MAP1 and MAP2 each send an authentication activation message to MAP3. This message can carry the authentication activation message identifier, the identity information of the authentication server, and the certificate of MP4, MAP1 or MAP2, among other information; because the WAPI authentication process uses an elliptic curve signature algorithm, the authentication activation message can also carry the ECDH (elliptic curve) parameters;
MAP3 receives the authentication activation messages sent by MP4, MAP1 and MAP2 and sends an access authentication request to each of them. The access authentication request can carry the certificate of MAP3, the challenge of MAP3, the key data of MAP3, the identity of MP4, MAP1 or MAP2, the ECDH parameters and the signature of MAP3, among other information;
MP4, MAP1 and MAP2 each receive the access authentication request sent by MAP3 and check whether the identity information in the request matches their own, whether the ECDH parameters match those in the authentication activation message, and whether the signature of MAP3 is valid, among other checks. If any check fails, the access authentication request is discarded; if all the conditions are met, each sends a certificate authentication request to the authentication server AS. The certificate authentication request can carry the allocation index, the challenge of MP4, MAP1 or MAP2, the challenge of MAP3, the certificate of MP4, MAP1 or MAP2, and the certificate of MAP3, among other information;
The authentication server AS receives the certificate authentication requests sent by MP4, MAP1 and MAP2, verifies the certificate of MAP3 and the certificate of MP4, MAP1 or MAP2 in each request, and constructs a certificate authentication response according to the verification results. The certificate authentication response can carry the allocation index, the verification result for the certificate of MAP3 and the verification result for the certificate of MP4, MAP1 or MAP2, among other information; the AS signs each certificate authentication response and sends it to the corresponding MP4, MAP1 or MAP2;
MP4, MAP1 and MAP2 each receive their certificate authentication response and check whether the signature of the authentication server AS in it is correct. If the AS signature is incorrect, the certificate authentication response can be discarded. If the AS signature is correct, the node proceeds according to the AS's verification result for the certificate of MAP3: if the verification of MAP3's certificate failed, MP4, MAP1 or MAP2 sets the access result of MAP3 to unsuccessful; if the verification of MAP3's certificate succeeded, each generates an access authentication response from the certificate authentication response. The access authentication response can carry the access authentication response identifier, the challenge of MAP3, the key data of MAP3, the access result of MAP3, the identity information of MAP3, the challenge of MP4, MAP1 or MAP2, the key data of MP4, MAP1 or MAP2, the identity information of MP4, MAP1 or MAP2 and the signature of MP4, MAP1 or MAP2, among other information. Each node then sends the access authentication response it generated to MAP3;
MP4, MAP1 and MAP2 each send a session key request message to MAP3;
MAP3 receives the session key request messages sent by MP4, MAP1 and MAP2 and sends a session key response message to each of them;
MP4, MAP1 and MAP2 each receive the session key response message and send a session key confirm message to MAP3, establishing a shared key with MAP3;
Once the new node MAP3 has established a shared key with any one of MP4, MAP1 or MAP2 and completed the authentication process, it can access the network.
When MAP3 receives the access authentication response sent by MP4, MAP1 or MAP2, it verifies whether the new-node identity in the response is identical to its own, whether the identity of MP4, MAP1 or MAP2 is identical to the one it placed in the access authentication request it sent, whether the new-node challenge is identical to the one in the access authentication request it sent, whether the new-node key data is identical to that in the access authentication request it sent, and whether the signature of MP4, MAP1 or MAP2 is correct, among other checks. If any one of these conditions is not met, the access authentication response is discarded.
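The access authentication exchange above (activation, the request checks at the accessed node, certificate authentication at the AS, and the five checks MAP3 applies to the response) as an added example; this is not code from the patent or its assignee. It uses HMAC-SHA256 with a per-node key as a stand-in for the elliptic curve signature the page names, so each constructed certificate's verification key equals its signing key; the AS verifies certificates by membership in a constructed trust list, the allocation index is built from the two identities, and the ECDH parameters are a placeholder byte string. Message field names are the page's, as dict keys.

```python
import hashlib
import hmac
import os

# Stand-in signature: HMAC-SHA256 over the canonical form of every field except "sig".
# Real WAPI uses an elliptic curve signature; here a certificate's verification key equals
# the signing key, which is what makes this a constructed model rather than the real scheme.
def _canon(msg: dict) -> bytes:
    return repr(sorted((k, v) for k, v in msg.items() if k != "sig")).encode()

def sign(key: bytes, msg: dict) -> dict:
    msg["sig"] = hmac.new(key, _canon(msg), hashlib.sha256).digest()
    return msg

def verify(key: bytes, msg: dict) -> bool:
    return hmac.compare_digest(msg.get("sig", b""), hmac.new(key, _canon(msg), hashlib.sha256).digest())

class AuthServer:
    """Authentication server AS: verifies both certificates and signs the result."""
    def __init__(self, key: bytes, trusted: set):
        self.key, self.trusted = key, trusted
    def handle(self, req: dict) -> dict:
        return sign(self.key, {"addid": req["addid"],
                               "new_ok": req["new_cert"] in self.trusted,
                               "accessed_ok": req["accessed_cert"] in self.trusted})

class Node:
    def __init__(self, identity: bytes, key: bytes, as_vkey: bytes):
        self.identity, self.key, self.as_vkey = identity, key, as_vkey
        self.cert = (identity, key)               # constructed certificate: (identity, verification key)
        self.challenge, self.key_data = os.urandom(16), os.urandom(32)
        self.ecdh = b"ecdh-params-placeholder"    # constructed stand-in for the curve parameters

    # accessed-node side (MP4 / MAP1 / MAP2 in the example)
    def make_activation(self) -> dict:
        self.act = {"as_identity": b"AS", "accessed_cert": self.cert, "ecdh": self.ecdh}
        return self.act

    def check_request(self, req: dict):
        """Identity must be ours, ECDH params must match our activation, signature must verify."""
        if req["accessed_identity"] != self.identity or req["ecdh"] != self.act["ecdh"]:
            return None
        if not verify(req["new_cert"][1], req):
            return None
        self.req = req
        return {"addid": self.identity + req["new_cert"][0], "accessed_challenge": self.challenge,
                "new_challenge": req["challenge"], "accessed_cert": self.cert, "new_cert": req["new_cert"]}

    def make_response(self, cert_resp: dict):
        if not verify(self.as_vkey, cert_resp):
            return None                           # bad AS signature: discard
        r = self.req
        return sign(self.key, {"new_challenge": r["challenge"], "new_key_data": r["key_data"],
                               "result": cert_resp["new_ok"], "new_identity": r["new_cert"][0],
                               "accessed_challenge": self.challenge, "accessed_key_data": self.key_data,
                               "accessed_identity": self.identity})

    # new-node side (MAP3 in the example)
    def make_request(self, act: dict) -> dict:
        self.act = act
        self.sent = sign(self.key, {"new_cert": self.cert, "challenge": self.challenge,
                                    "key_data": self.key_data,
                                    "accessed_identity": act["accessed_cert"][0], "ecdh": act["ecdh"]})
        return self.sent

    def check_response(self, r: dict):
        """The five checks from the description; None means the response is discarded."""
        if (r["new_identity"] != self.identity
                or r["accessed_identity"] != self.sent["accessed_identity"]
                or r["new_challenge"] != self.sent["challenge"]
                or r["new_key_data"] != self.sent["key_data"]
                or not verify(self.act["accessed_cert"][1], r)):
            return None
        return r["result"]                        # access result as decided by the AS

def build_network(trust_new: bool = True):
    """Constructed AS, one accessed node (MAP1) and one new node (MAP3)."""
    as_key = os.urandom(32)
    accessed = Node(b"MAP1", os.urandom(32), as_key)
    new = Node(b"MAP3", os.urandom(32), as_key)
    trusted = {accessed.cert} | ({new.cert} if trust_new else set())
    return new, accessed, AuthServer(as_key, trusted)

def run_join(new: Node, accessed: Node, server: AuthServer, tamper=None):
    """Drive the exchange; returns the access result, or None when a message is discarded.
    tamper, if given, is applied to the access authentication response while in flight."""
    req = new.make_request(accessed.make_activation())
    cert_req = accessed.check_request(req)
    if cert_req is None:
        return None
    resp = accessed.make_response(server.handle(cert_req))
    if resp is None:
        return None
    if tamper:
        tamper(resp)
    return new.check_response(resp)
```

Running `run_join(*build_network())` returns `True`; with `trust_new=False` the AS rejects MAP3's certificate and the accessed node reports an unsuccessful access result, which the signature then protects: flipping the result or the echoed challenge in flight makes MAP3 discard the response instead of acting on it.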
According to the solution of the present invention, every node in the wireless mesh network and every station that accesses it must establish a shared key with the node it is associated with. In communication, therefore, the transmitted information is encrypted and decrypted at every node it passes through, which ensures the security of the communication process.
At the same time, because every hop requires an encryption and decryption operation and these operations introduce some delay, the delay grows as the network grows. The method of the present invention is therefore especially suited to small and medium-sized wireless mesh networks and to the case where a node initially accesses the wireless mesh network; the wireless mesh network it is applied to can be of different scales depending on the acceptable degree of delay.
The embodiments described above are explanations of only some embodiments of the present invention and do not limit its scope of protection. Any modifications, equivalent replacements and improvements made within the spirit and principles of the present invention shall be included within the scope of protection of the claims of the present invention.

Claims (12)

1. A WAPI-based authentication method for a wireless mesh network, characterized in that it comprises the steps of:
a requesting node completing association with a node of the accessed network;
the node of the accessed network sending a first authentication activation message to the requesting node;
the requesting node receiving the first authentication activation message and sending a first access authentication request to the node of the accessed network;
the node of the accessed network receiving the first access authentication request and sending a first certificate authentication request to an authentication server;
the authentication server receiving the first certificate authentication request, constructing a first certificate authentication response, and sending the first certificate authentication response to the node of the accessed network;
the node of the accessed network receiving the first certificate authentication response, generating a first access authentication response from the first certificate authentication response, and sending the first access authentication response to the requesting node;
the node of the accessed network and the requesting node establishing a shared key by session key negotiation.
2. The WAPI-based authentication method for a wireless mesh network according to claim 1, characterized in that the manner in which the node of the accessed network and the requesting node establish the shared key by session key negotiation comprises:
the node of the accessed network sending a first session key request message to the requesting node;
the requesting node receiving the first session key request message and sending a first session key response message to the node of the accessed network;
the node of the accessed network receiving the first session key response message, sending a first session key confirm message to the requesting node, and establishing a unicast key with the requesting node.
3. The WAPI-based authentication method for a wireless mesh network according to claim 2, characterized in that the manner in which the node of the accessed network and the requesting node establish the shared key by session key negotiation further comprises:
the node of the accessed network sending a second session key announcement message to the requesting node;
the requesting node receiving the second session key announcement message, sending a second session key response message to the node of the accessed network, and establishing a multicast/inter-station key with the node of the accessed network.
4. The WAPI-based authentication method for a wireless mesh network according to claim 1, 2 or 3, characterized in that:
when a new node joins the wireless mesh network, the new node completes association with at least one node of the accessed network, and each such node of the accessed network sends a second authentication activation message to the new node;
the new node receives the second authentication activation message and sends a second access authentication request to each node of the accessed network;
each node of the accessed network receives the second access authentication request and sends a second certificate authentication request to the authentication server;
the authentication server receives each second certificate authentication request, constructs a second certificate authentication response for each, and sends each second certificate authentication response to the corresponding node of the accessed network;
each node of the accessed network receives its second certificate authentication response, generates a second access authentication response from it, and sends the second access authentication response to the new node;
each node of the accessed network establishes a shared key with the new node by session key negotiation.
5. The WAPI-based authentication method for a wireless mesh network according to claim 4, characterized in that the manner in which each node of the accessed network establishes a shared key with the new node by session key negotiation comprises:
each node of the accessed network sending a third session key request message to the new node;
the new node receiving the third session key request messages and sending a third session key response message to each node of the accessed network;
each node of the accessed network receiving the third session key response message, sending a third session key confirm message to the new node, and establishing a unicast key with the new node.
6. The WAPI-based authentication method for a wireless mesh network according to claim 5, characterized in that the manner in which each node of the accessed network and the new node establish the shared key by session key negotiation further comprises:
each node of the accessed network sending a fourth session key announcement message to the new node;
the new node receiving the fourth session key announcement messages, sending a fourth session key response message to each node of the accessed network, and establishing a multicast/inter-station key with each node of the accessed network.
7. The WAPI-based authentication method for a wireless mesh network according to any one of claims 1 to 6, characterized in that:
the requesting node comprises an MP node, a MAP node or an MPP node;
the node of the accessed network comprises an MP node, a MAP node or an MPP node.
8. The WAPI-based authentication method for a wireless mesh network according to claim 4, 5 or 6, characterized in that:
the new node comprises an MP node, a MAP node or an MPP node.
9. The WAPI-based authentication method for a wireless mesh network according to any one of claims 1 to 6, characterized in that it further comprises:
a station completing association with any one MAP of the accessed network;
the MAP of the accessed network sending a third authentication activation message to the station;
the station receiving the third authentication activation message and sending a third access authentication request to the MAP of the accessed network;
the MAP of the accessed network receiving the third access authentication request and sending a third certificate authentication request to the authentication server;
the authentication server receiving the third certificate authentication request, constructing a third certificate authentication response, and sending the third certificate authentication response to the MAP of the accessed network;
the MAP of the accessed network receiving the third certificate authentication response, generating a third access authentication response from it, and sending the third access authentication response to the station;
the MAP of the accessed network and the station establishing a shared key by session key negotiation.
10. The WAPI-based authentication method for a wireless mesh network according to claim 9, characterized in that the manner in which the MAP of the accessed network and the station establish the shared key by session key negotiation comprises:
the MAP of the accessed network sending a fifth session key request message to the station;
the station receiving the fifth session key request message and sending a fifth session key response message to the MAP of the accessed network;
the MAP of the accessed network receiving the fifth session key response message, sending a fifth session key confirm message to the station, and establishing a unicast key with the station.
11. The WAPI-based authentication method for a wireless mesh network according to claim 10, characterized in that the manner in which the MAP of the accessed network and the station establish the shared key by session key negotiation further comprises:
the MAP of the accessed network sending a sixth session key announcement message to the station;
the station receiving the sixth session key announcement message, sending a sixth session key response message to the MAP of the accessed network, and establishing a multicast/inter-station key with the MAP of the accessed network.
12. The WAPI-based authentication method for a wireless mesh network according to claim 9, characterized in that:
the MAP of the accessed network sends the third authentication activation message to the station only after every node has established a shared key with at least one node of the accessed network;
or
the MAP begins sending the third authentication activation message to the station as soon as at least one MAP node has established a shared key with a node of the accessed network.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810220006.4A CN101448262A (en) 2008-12-15 2008-12-15 WAPI-based authentication method of wireless mesh network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200810220006.4A CN101448262A (en) 2008-12-15 2008-12-15 WAPI-based authentication method of wireless mesh network

Publications (1)

Publication Number Publication Date
CN101448262A true CN101448262A (en) 2009-06-03

Family

ID=40743589

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810220006.4A Pending CN101448262A (en) 2008-12-15 2008-12-15 WAPI-based authentication method of wireless mesh network

Country Status (1)

Country Link
CN (1) CN101448262A (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011020279A1 (en) * 2009-08-19 2011-02-24 西安西电捷通无线网络通信股份有限公司 Public key certificate-based identity authentication method and system thereof
WO2011143945A1 (en) * 2010-05-20 2011-11-24 西安西电捷通无线网络通信股份有限公司 Method, system, and apparatus for establishing end-to-end shared key
CN102421095A (en) * 2011-11-30 2012-04-18 广州杰赛科技股份有限公司 Access authentication method for wireless mesh network
CN102421095B (en) * 2011-11-30 2014-04-02 广州杰赛科技股份有限公司 Access authentication method for wireless mesh network
CN104519517A (en) * 2013-09-30 2015-04-15 深圳市群云网络有限公司 Method and system for automatically configuring wireless access points AP in wireless local area networks
CN104519547A (en) * 2013-09-30 2015-04-15 深圳市群云网络有限公司 WLAN (wireless local area network)-based communication method and system
CN104519546A (en) * 2013-09-30 2015-04-15 深圳市群云网络有限公司 WLAN (wireless local area network)-based communication method and system
CN104519517B (en) * 2013-09-30 2018-07-06 深圳市群云网络有限公司 The method and system that wireless access point AP automatically configures in WLAN
CN104519547B (en) * 2013-09-30 2018-08-14 深圳市群云网络有限公司 A kind of based on WLAN communication means and system
WO2017129089A1 (en) * 2016-01-29 2017-08-03 腾讯科技(深圳)有限公司 Wireless network connecting method and apparatus, and storage medium
US10638321B2 (en) 2016-01-29 2020-04-28 Tencent Technology (Shenzhen) Company Limited Wireless network connection method and apparatus, and storage medium
CN109245886A (en) * 2018-11-02 2019-01-18 美的集团股份有限公司 Cryptographic key negotiation method, equipment, storage medium and system


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20090603