CN101567786A - Method and system for accessing access authentication of global interoperating system by microwaves - Google Patents


Info

Publication number: CN101567786A
Authority: CN (China)
Prior art keywords: base station, subscriber station, digital certificate, information message, authentication information
Legal status: Pending
Application number: CNA2008100940609A
Other languages: Chinese (zh)
Inventors: 张正阳, 卢忱, 余万涛
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp
Application filed by: ZTE Corp
Priority to: CNA2008100940609A (CN101567786A)
Priority to: PCT/CN2008/073652 (WO2009129683A1)
Publication of: CN101567786A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/047 Key management, e.g. using generic bootstrapping architecture [GBA] without using a trusted network node as an anchor
    • H04W12/0471 Key exchange
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/062 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying encryption of the keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides an access authentication method for a Worldwide Interoperability for Microwave Access (WiMAX) system, used for access authentication between a subscriber station and a base station. The method comprises the following steps: the subscriber station and the base station establish a wireless connection; the base station receives a first authentication information message from the subscriber station and obtains the subscriber station's digital certificate carried in that message; the base station verifies the validity of the subscriber station's digital certificate; if the subscriber station's digital certificate is verified as valid, the base station encrypts an authorization key using the public key provided by the subscriber station's digital certificate and an elliptic curve algorithm, and returns the encrypted authorization key to the subscriber station. The invention introduces the ECC public-key encryption mechanism into the WiMAX access authentication process; the shorter key speeds up computation and processing, and security is higher.

Description

Access authentication method and system for a Worldwide Interoperability for Microwave Access system
Technical field
The present invention relates to wireless broadband access technology, in particular to Worldwide Interoperability for Microwave Access (abbreviated WiMAX) wireless metropolitan area network technology, and more specifically to a method and system for access authentication in a WiMAX system based on the elliptic curve encryption algorithm (Elliptic Curves Encryption, abbreviated ECC).
Background technology
WiMAX (Worldwide Interoperability for Microwave Access) is a new air-interface standard supporting mobility, proposed for the microwave and millimeter-wave frequency bands; it is also a standard within the IEEE 802 family for providing data services over a metropolitan area. It combines three characteristics: wireless, broadband and mobile. It can serve as a wireless extension of cable and DSL (Digital Subscriber Line), can connect 802.11 wireless access hotspots to the Internet, and can connect environments such as companies and homes to the wired backbone, thereby providing WiMAX "last kilometer" access.
WiMAX has two main versions, 802.16d and 802.16e: the 802.16d version targets fixed network services, and the 802.16e version targets mobile communication services. The key technologies of WiMAX include OFDM (Orthogonal Frequency Division Multiplexing)/OFDMA (Orthogonal Frequency Division Multiple Access), MIMO (Multiple Input Multiple Output), HARQ (Hybrid Automatic Repeat Request), AMC (Adaptive Modulation and Coding), and others. 3GPP has taken OFDM+MIMO as the main candidate technology in its LTE (Long Term Evolution) research, and this will become one of the key technologies of future wireless broadband access systems and next-generation cellular mobile systems.
Because the wireless transmission medium is open, security has been key to the successful commercialization and operation of WiMAX since the technology was first proposed. Security threats to wireless networks include network eavesdropping, unauthorized use of services, denial-of-service (Denial of Service, abbreviated DoS) attacks, rogue base stations, unauthorized modification of data, replay attacks, and so on. In view of these threats, WiMAX security technology focuses on identity authentication and authorization of users and devices, data confidentiality, and data integrity protection, so as to ensure legitimate use of network resources. The WiMAX security policy is concentrated in the Security Sublayer of the two standards: 802.16d, which supports fixed access, and 802.16e, which supports mobile access.
Authentication comprises entity authentication and message authentication. Entity authentication verifies the identity claimed by the sender of a message, ensuring the authenticity of both communicating entities, i.e. identity authentication. Message authentication verifies the reliability of the information source and the integrity of the information in transit, generally using a message authentication code (Message Authentication Code, abbreviated MAC) and a message detection code (Message Detection Code, abbreviated MDC).
At present, a commonly used authentication method is one based on digital certificates. A digital certificate issued by a third-party authority (Certificate Authority, abbreviated CA) is the result of digitally signing the user's public key with the CA's private key. The certificate contains information such as the user's public key and MAC (Media Access Control) address, while the private key corresponding to the public key is held by the user.
RSA is a public-key algorithm in common use at present. It uses a variable-length key and can be used for both data encryption and digital signatures. It was proposed in 1977 by R. Rivest, A. Shamir and L. Adleman of the Massachusetts Institute of Technology, and its security is based on the difficulty of factoring large integers. The 802.16 series of standards adopts the access authentication method of "X.509 public key certificate + RSA public key encryption algorithm" to confirm the legitimate identity of the connecting party and to protect the key exchange between the subscriber station (SS) and the base station (BS).
As noted above, the security of the RSA public-key algorithm depends on the factoring of large numbers; at present, an N of less than 1024 has been shown to be insecure. In implementing the technical solution of the present invention, the inventors found that, because RSA performs all of its computation on large numbers, even the fastest RSA processing is several times slower than DES (Data Encryption Standard). Excessive computation and excessive key length are therefore the greatest drawbacks of the RSA public-key algorithm, and they mean that RSA can usually be used only to encrypt small amounts of data or to encrypt keys.
Summary of the invention
The present invention is proposed in view of the problem in the related art that encrypting the authentication access process with the RSA public-key algorithm requires excessive computation and is therefore slow. To that end, the present invention aims to provide an access authentication method and system for a WiMAX system that solve this problem.
According to one aspect of the present invention, an access authentication method for a WiMAX system is provided, used for access authentication between a subscriber station and a base station.
The access authentication method according to an embodiment of the invention comprises the following: the subscriber station and the base station establish a wireless connection; the base station receives a first authentication information message from the subscriber station and obtains the subscriber station's digital certificate carried in the first authentication information message; the base station verifies the validity of the subscriber station's digital certificate; and, if the subscriber station's digital certificate is verified as valid, the base station encrypts an authorization key using the public key provided by the subscriber station's digital certificate and an elliptic curve algorithm, and returns the encrypted authorization key to the subscriber station.
Preferably, if the subscriber station's digital certificate is verified as valid, and before the base station encrypts the authorization key, the method further comprises: the base station sends a second authentication information message to the subscriber station, the second authentication information message carrying the base station's digital certificate.
On this basis, the method preferably further comprises: the subscriber station receives the second authentication information message and obtains the base station's digital certificate carried in it; the subscriber station verifies the validity of the base station's digital certificate; and, if the base station's digital certificate is verified as valid, the subscriber station agrees to access the base station.
Specifically, the subscriber station agrees to access the base station by sending an authorization request message to the base station. Correspondingly, the encrypted authorization key is returned to the subscriber station as follows: the base station sends an authorization response message to the subscriber station and carries the encrypted authorization key in the authorization response message.
According to another aspect of the present invention, an access authentication method for a Worldwide Interoperability for Microwave Access system is provided, used for access authentication between a subscriber station and a base station, characterized in that the method comprises: the subscriber station sends a first authentication information message to the base station, carrying the subscriber station's digital certificate in the first authentication information message; the subscriber station receives a second authentication information message from the base station and obtains the base station's digital certificate carried in it; the subscriber station verifies the validity of the base station's digital certificate and, if it is verified as valid, agrees to access the base station; the subscriber station receives the encrypted authorization key from the base station, the authorization key having been encrypted on the base station side using the subscriber station's public key and an elliptic curve algorithm.
According to a further aspect of the present invention, an access authentication system for a Worldwide Interoperability for Microwave Access system is provided, the system comprising a subscriber station and a base station.
In the access authentication system according to an embodiment of the invention, the subscriber station comprises: a first authentication information message sending module, used to send to the base station a first authentication information message carrying the subscriber station's digital certificate. The base station comprises: a second authentication module, used to receive the first authentication information message, obtain the subscriber station's digital certificate from it, and verify the validity of that certificate; and an authorization key encryption module, used to encrypt the authorization key using the public key provided by the subscriber station's digital certificate and an elliptic curve algorithm, and to send the encrypted authorization key to the subscriber station.
Preferably, the base station further comprises: a second authentication information message sending module, connected to the second authentication module and used, if the second authentication module verifies the subscriber station's digital certificate as valid, to send a second authentication information message to the subscriber station, the second authentication information message carrying the base station's digital certificate. The subscriber station further comprises: a first authentication module, used to receive the second authentication information message, obtain the base station's digital certificate carried in it, verify the validity of that certificate and, if it is verified as valid, allow the subscriber station to access the base station.
With at least one of the technical solutions provided by the invention, the ECC public-key encryption scheme is introduced into the WiMAX access authentication process; compared with the prior art, a shorter key is used, so computation and processing are faster and security is higher.
Other features and advantages of the present invention will be set forth in the following description and will in part become apparent from the specification, or be understood by practicing the invention. The objects and other advantages of the invention can be realized and obtained by the structure particularly pointed out in the written specification, the claims and the accompanying drawings.
Description of drawings
The accompanying drawings provide a further understanding of the present invention and constitute a part of the specification; together with the embodiments of the invention they serve to explain the invention and do not limit it. In the drawings:
Fig. 1 is a schematic diagram of the WiMAX access authentication and authorization process with the ECC-based access authentication method added, according to an embodiment of the invention;
Fig. 2 is a flow chart of the access authentication method according to method embodiment one of the invention;
Fig. 3 is a flow chart of a preferred embodiment of the method shown in Fig. 2;
Fig. 4 is a schematic diagram of the RSA-based WiMAX access authentication process according to the related art;
Fig. 5 is a flow chart of the access authentication method according to method embodiment two of the invention;
Fig. 6 is a structural block diagram of the access authentication system according to the system embodiment of the invention.
Embodiment
For this reason, the present invention aims to provide a WiMAX access authentication method based on the elliptic curve public-key algorithm (ECC), as a supplement to the existing WiMAX access authentication based on the RSA public-key algorithm; it is particularly suitable for key management in wireless communication networks.
The ECC public-key algorithm is explained first. Elliptic curve theory lies at the intersection of several branches of mathematics, including algebra, geometry and number theory, and has a history of more than 100 years. In 1985, N. Koblitz and V. Miller introduced elliptic curves into cryptography, making them a powerful tool for constructing public-key cryptosystems, and proposed the elliptic-curve-based public-key mechanism (Elliptic Curves Cryptosystem, abbreviated ECC). This mechanism is an asymmetric cryptographic scheme based on the elliptic curve discrete logarithm problem (ECDLP) and has advantages such as short keys and fast computation. A large number of different elliptic curves exist over the same finite field, which adds an extra assurance of security.
As a public-key cryptosystem, the elliptic curve cryptosystem is suitable for every setting in which public-key cryptosystems are used. In general, typical uses of ECC include the following scenarios:
1. Smart cards (Smart Card)
Because they are small, portable, low-power, tamper-resistant and highly secure, smart cards are a good carrier for all kinds of identity credentials and payment credentials, and have been widely used in many fields such as citizen identity, medical insurance, e-commerce and mobile communication. These applications need secure authentication services provided through digital signatures. Using ECC to provide such security services has the following advantages: the relatively short keys and certificates need less EEPROM storage and a shorter transmission time; the relatively small amount of computation means no additional "cryptographic coprocessor" needs to be added, so cost is lower. Applying ECC to smart cards will therefore give users convenient and secure identity credentials and payment credentials.
2. Wireless communication
Wireless communication technology is currently a focus of development in the IT industry, for example third-generation mobile communication (3G), wireless LAN (WLAN) and Worldwide Interoperability for Microwave Access (WiMAX). With its high security strength, short key length and low bandwidth requirements, ECC is better suited to wireless environments, in particular to wireless devices with limited computing resources such as mobile phones, personal digital assistants (Personal Digital Assistant, abbreviated PDA) and contactless smart cards. To date, the ECC algorithm has been formally adopted by wireless security standards such as WAPI.
Fig. 1 is a schematic diagram of the WiMAX access authentication and authorization process with the ECC-based access authentication method added, according to an embodiment of the invention. The security architecture of the wireless side of a WiMAX network follows the definition of the Security Sublayer in the IEEE 802.16e standard, which provides authentication, key exchange, and encryption and decryption. The 802.16e Security Sublayer is divided into two parts, namely an encryption encapsulation protocol and a key management protocol:
(1) The encryption encapsulation protocol defines a series of encryption and authentication algorithms, for example the RSA algorithm of the public-key cryptosystem, the Data Encryption Standard (DES) and the Advanced Encryption Standard (abbreviated AES), and also defines the rules for applying these algorithms to the payload of a MAC PDU (Protocol Data Unit).
(2) The key management protocol (Privacy Key Management, abbreviated PKM) is the core of the security framework. It provides a secure key exchange mechanism and supports periodic re-authentication and key update. The IEEE 802.16e Security Sublayer supports two versions, PKMv1 and PKMv2; PKMv2 mainly adds support for broadcast and multicast services (Multi-BroadcastService, abbreviated MBS) and mutual device authentication between the MSS and the BS (Base Station). PKM has two functions:
Authentication and authorization: this includes the RSA authentication defined in IEEE 802.16-2004 and the EAP extended authentication protocol newly added in IEEE 802.16e; the BS uses this protocol to provide conditional access to network services. Key distribution management: provides secure distribution of key data from the BS to the MS. Through the key management protocol, key data is synchronized between the MS and the BS.
On this basis, as shown in Fig. 1, the embodiment of the invention adds access authentication based on the ECC public-key encryption algorithm to the 802.16e security framework.
Based on the above, the present invention is described in detail below with reference to the accompanying drawings.
Method embodiment one
According to an embodiment of the invention, an access authentication method for a WiMAX system is provided, used for access authentication between the SS and the BS.
Fig. 2 is a flow chart of the access authentication method of the WiMAX system according to an embodiment of the invention. As shown in Fig. 2, the method comprises the following steps:
Step S202: the SS and the BS establish a wireless connection; the BS receives the first authentication information message from the SS and obtains the SS's digital certificate carried in the first authentication information message;
Step S204: the BS verifies the validity of the SS's digital certificate;
Step S206: if the SS's digital certificate is verified as valid, the BS encrypts the authorization key using the public key provided by the SS's digital certificate and an elliptic curve algorithm, and returns the encrypted authorization key to the SS.
By introducing the ECC public-key encryption scheme into the WiMAX access authentication process, the technical solution provided by the embodiment of the invention uses a shorter key, which speeds up computation and processing and gives higher security.
It should also be noted that the RSA-based access authorization method currently in use employs one-way authentication of the SS by the BS; the SS cannot authenticate the identity of the BS in return and can only trust the BS unconditionally. An attacker can exploit this by using suitable equipment to impersonate a legitimate BS and launch a man-in-the-middle (MITM) attack against the SS. A mutual authentication mechanism between the device and the BS solves this problem well. To address it, the present invention introduces mutual authentication between the BS and the SS.
Specifically, if the SS's digital certificate is verified as valid, then before the BS encrypts the authorization key, the BS can send a second authentication information message to the SS, the second authentication information message carrying the BS's digital certificate.
On this basis, the SS receives the second authentication information message and obtains the BS's digital certificate carried in it; the SS verifies the validity of the BS's digital certificate; if the BS's digital certificate is verified as valid, the SS agrees to access the BS (for example, it can send an authorization request message); otherwise the SS refuses to access this BS.
The processing of the access authentication method of the WiMAX system according to the embodiment of the invention, once mutual authentication has been introduced, can be understood with reference to Fig. 3. As shown in Fig. 3, it comprises the following steps:
Step S301: the SS establishes an initial wireless connection with the BS and sends an authentication information message (that is, the first authentication information message mentioned above) to the BS; the message contains the SS's X.509 digital certificate, which is issued by a third-party certificate authority (CA);
Step S302: the BS checks the validity of the certificate information sent by the SS;
Step S303: if the SS's digital certificate passes verification, the BS sends an authentication information message (that is, the second authentication information message mentioned above) to the SS, containing the BS's X.509 digital certificate, and the process proceeds to step 404; if, on the other hand, the SS's digital certificate does not pass verification, the BS rejects the SS's access request;
Step S304: the SS checks the validity of the digital certificate information sent by the BS;
Step S305: if the BS's digital certificate passes verification, the SS sends an authorization request message to the BS, requesting the authorization key AK; if the BS's digital certificate does not pass verification, the SS refuses to access this BS;
Step S306: the BS receives the authorization request message from the SS, encrypts the authorization key AK using the public key provided by the SS's digital certificate and the ECC algorithm, and sends the AK to the SS in an authorization response message;
Step S307: the SS uses its own ECC private key to decrypt the authorization key AK obtained from the BS.
For comparison, Fig. 4 shows the RSA-based access authentication process according to the related art. As shown in Fig. 4, the RSA-based WiMAX access authentication/authorization process comprises the following: step S401, when the SS and the BS establish a wireless connection, the SS sends its own digital certificate to the BS; step S402, the BS checks the validity of the SS's digital certificate; step S403, if the BS successfully verifies the SS's digital certificate, the BS encrypts the authorization key AK with the RSA algorithm using the public key provided by the certificate and then sends the AK to the SS; if verification is unsuccessful, the BS rejects the SS's access request; step S404, the SS decrypts with its own RSA private key to obtain the AK.
Comparing the processes of Fig. 3 and Fig. 4 shows that, by further introducing mutual authentication on top of the ECC public-key encryption scheme, man-in-the-middle attacks can be prevented through the mutual authentication between the BS and the SS, which further improves the security of access authentication/authorization.
The above mainly describes the BS-side processing in the access authentication process. The handling flow of another access authentication method of the WiMAX system according to an embodiment of the invention is described below with a further embodiment, in which the SS-side processing is described in detail.
Method embodiment two
Fig. 5 is a flow chart of the access authentication method of the WiMAX system according to an embodiment of the invention. As shown in Fig. 5, the method comprises the following steps:
Step 501: the SS sends the first authentication information message to the BS, carrying the SS's digital certificate in the first authentication information message;
Step 502: the SS receives the second authentication information message from the BS and obtains the BS's digital certificate carried in the second authentication information message;
Step 503: the SS verifies the validity of the BS's digital certificate and, if it is verified as valid, agrees to access the BS;
Step 504: the SS receives the encrypted authorization key from the BS, the authorization key having been encrypted on the BS side using the SS's public key and an elliptic curve algorithm.
This process can be understood with reference to the embodiment given above; identical or similar content is not repeated here.
System embodiment
Fig. 6 is a structural block diagram of the WiMAX (Worldwide Interoperability for Microwave Access) access authentication system according to an embodiment of the invention. As shown in Fig. 6, the system comprises an SS 10 and a BS 20:
The SS 10 comprises: a first authentication information message transmission module 101, configured to send to the BS a first authentication information message carrying the digital certificate of the SS;
The BS 20 comprises: a second authentication module 201, configured to receive the first authentication information message, obtain the digital certificate of the SS from the first authentication information message, and verify the validity of the digital certificate of the SS; and an authorization key encrypting module 202, configured to encrypt the authorization key using the public key provided by the digital certificate of the SS and an elliptic curve cryptography algorithm, and to send the encrypted authorization key to the SS.
With the system provided above, the ECC public-key encryption algorithm is introduced into the access authentication process of the WiMAX system; shorter keys are used, which speeds up computation and processing while providing higher security.
Preferably, on the basis of the foregoing, the system can also implement two-way authentication, that is, mutual authentication of the BS and the SS. Specifically, as shown in Fig. 6, the BS further comprises: a second authentication information message transmission module 203, connected to the second authentication module 201 and configured to send a second authentication information message to the SS when the second authentication module 201 verifies that the digital certificate of the SS is valid, wherein the second authentication information message carries the digital certificate of the BS. In addition, the SS further comprises: a first authentication module 102, configured to receive the second authentication information message from the second authentication information message transmission module 203, obtain the digital certificate of the BS carried in the second authentication information message, verify the validity of the digital certificate of the BS and, when the digital certificate of the BS is verified as valid, allow the SS to access the BS. Preferably, the first authentication module 102 is also configured to send an authorization request message to the base station, for example, to request the authorization key from the authorization key encrypting module 202.
The above scheme realizes two-way authentication of the BS and the SS and further improves the security of the access authentication process of the WiMAX system.
A person of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be carried out by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc. When executed, the program performs all or part of the following steps:
First, the SS establishes an initial wireless connection with the BS and sends an authentication information message (that is, the first authentication information message mentioned above) to the BS; the message contains the X.509 digital certificate of the SS, which is issued by a third-party certificate authority (CA). The BS checks the validity of the certificate information sent by the SS;
Then, if the digital certificate of the SS passes verification, the BS sends an authentication information message (that is, the second authentication information message mentioned above) to the SS, the message containing the X.509 digital certificate of the BS; if the digital certificate of the SS does not pass verification, the BS rejects the access request of the SS;
The SS checks the validity of the digital certificate information sent by the BS. If the digital certificate of the BS passes verification, the SS sends an authorization request message to the BS to request the authorization key AK; if the digital certificate of the BS does not pass verification, the SS refuses to access this BS;
The BS receives the authorization request message from the SS, encrypts the authorization key AK using the public key provided by the SS digital certificate and the ECC algorithm, and sends the authorization key AK to the SS in an authorization response message. Finally, the SS decrypts with its own ECC private key to obtain the authorization key AK from the BS.
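The last step above (the BS encrypting the AK to the SS's certified public key, the SS decrypting with its ECC private key) is sketched below as an added example; it is not code from the patent. The patent does not name the ECC encryption scheme, so this assumes an ECIES-style hybrid on NIST P-256 with SHA-256 key derivation and an HMAC tag, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Added illustration: the ECIES-style scheme and all names are assumptions, not from the patent.
# NIST P-256 domain parameters: y^2 = x^3 - 3x + B over GF(P), group order N.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(pt):
    """Reject points that are not on P-256 (blocks invalid-curve inputs)."""
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x + 3 * x - B) % P == 0

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add; illustrative, not constant time
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def _keys(shared, eph):  # one keystream block and a MAC key from the ECDH x-coordinate
    seed = shared[0].to_bytes(32, "big") + eph[0].to_bytes(32, "big")
    return hashlib.sha256(b"enc" + seed).digest(), hashlib.sha256(b"mac" + seed).digest()

def bs_wrap_ak(ss_pub, ak):
    """BS side: encrypt AK to the public key taken from the verified SS certificate."""
    if not on_curve(ss_pub) or len(ak) > 32:
        raise ValueError("bad SS public key or AK too long")
    r = secrets.randbelow(N - 1) + 1          # fresh ephemeral scalar per response
    eph = mul(r, G)
    enc, mac = _keys(mul(r, ss_pub), eph)
    ct = bytes(a ^ b for a, b in zip(ak, enc))
    return eph, ct, hmac.new(mac, ct, hashlib.sha256).digest()

def ss_unwrap_ak(ss_priv, msg):
    """SS side: recover AK with its ECC private key; reject tampered responses."""
    eph, ct, tag = msg
    if not on_curve(eph):
        raise ValueError("ephemeral key is not on the curve")
    enc, mac = _keys(mul(ss_priv, eph), eph)
    if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
        raise ValueError("authorization response failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, enc))
```

The curve arithmetic is written out only to make the exchange visible; a deployed SS or BS would use a vetted, constant-time ECC library.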
As described above, with the WiMAX access authentication method and/or system provided by the invention, the ECC public-key cryptosystem is introduced into the WiMAX access authentication process; shorter keys are used, which speeds up computation and processing while providing higher security. In addition, by introducing mutual authentication between the BS and the SS, the security of WiMAX access authentication is further improved compared with the one-way authentication of the SS by the BS in the prior art.
The above are only preferred embodiments of the invention and do not limit the invention; for a person skilled in the art, the invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall fall within the protection scope of the invention.

Claims (8)

1. An access authentication method for a Worldwide Interoperability for Microwave Access (WiMAX) system, used for access authentication processing between a subscriber station and a base station, characterized in that the method comprises:
The subscriber station and the base station establish a wireless connection, and the base station receives a first authentication information message from the subscriber station and obtains the digital certificate of the subscriber station carried in the first authentication information message;
The base station verifies the validity of the digital certificate of the subscriber station;
If the digital certificate of the subscriber station is verified as valid, the base station encrypts an authorization key using the public key provided by the digital certificate of the subscriber station and an elliptic curve cryptography algorithm, and returns the encrypted authorization key to the subscriber station.
2. The method according to claim 1, characterized in that, if the digital certificate of the subscriber station is verified as valid, before the base station encrypts the authorization key, the method further comprises:
The base station sends a second authentication information message to the subscriber station, wherein the second authentication information message carries the digital certificate of the base station.
3. The method according to claim 2, characterized in that it further comprises:
The subscriber station receives the second authentication information message and obtains the digital certificate of the base station carried in the second authentication information message;
The subscriber station verifies the validity of the digital certificate of the base station;
If the digital certificate of the base station is verified as valid, the subscriber station agrees to access the base station.
4. The method according to claim 3, characterized in that the operation of the subscriber station agreeing to access the base station is specifically:
The subscriber station sends an authorization request message to the base station.
5. The method according to claim 4, characterized in that the operation of returning the encrypted authorization key to the subscriber station is specifically:
The base station sends an authorization response message to the subscriber station and carries the encrypted authorization key in the authorization response message.
6. An access authentication method for a Worldwide Interoperability for Microwave Access (WiMAX) system, used for access authentication processing between a subscriber station and a base station, characterized in that the method comprises:
The subscriber station sends a first authentication information message to the base station, the first authentication information message carrying the digital certificate of the subscriber station;
The subscriber station receives a second authentication information message from the base station and obtains the digital certificate of the base station carried in the second authentication information message;
The subscriber station verifies the validity of the digital certificate of the base station and, if it is verified as valid, agrees to access the base station;
The subscriber station receives the encrypted authorization key from the base station, wherein the authorization key was encrypted on the base station side using the public key of the subscriber station and an elliptic curve cryptography algorithm.
7. A Worldwide Interoperability for Microwave Access (WiMAX) access authentication system, comprising a subscriber station and a base station, characterized in that:
The subscriber station comprises:
A first authentication information message transmission module, configured to send to the base station a first authentication information message carrying the digital certificate of the subscriber station;
The base station comprises:
A second authentication module, configured to receive the first authentication information message, obtain the digital certificate of the subscriber station from the first authentication information message, and verify the validity of the digital certificate of the subscriber station;
An authorization key encrypting module, configured to encrypt an authorization key using the public key provided by the digital certificate of the subscriber station and an elliptic curve cryptography algorithm, and to send the encrypted authorization key to the subscriber station.
8. The system according to claim 7, characterized in that:
The base station further comprises:
A second authentication information message transmission module, connected to the second authentication module and configured to send a second authentication information message to the subscriber station when the second authentication module verifies that the digital certificate of the subscriber station is valid, wherein the second authentication information message carries the digital certificate of the base station;
The subscriber station further comprises:
A first authentication module, configured to receive the second authentication information message, obtain the digital certificate of the base station carried in the second authentication information message, verify the validity of the digital certificate of the base station and, when the digital certificate of the base station is verified as valid, allow the subscriber station to access the base station.
CNA2008100940609A 2008-04-25 2008-04-25 Method and system for accessing access authentication of global interoperating system by microwaves Pending CN101567786A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNA2008100940609A CN101567786A (en) 2008-04-25 2008-04-25 Method and system for accessing access authentication of global interoperating system by microwaves
PCT/CN2008/073652 WO2009129683A1 (en) 2008-04-25 2008-12-22 Access authentication method for a worldwide interoperability for microwave access system, apparatus and system using the same

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2008100940609A CN101567786A (en) 2008-04-25 2008-04-25 Method and system for accessing access authentication of global interoperating system by microwaves

Publications (1)

Publication Number Publication Date
CN101567786A true CN101567786A (en) 2009-10-28

Family

ID=41216405

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008100940609A Pending CN101567786A (en) 2008-04-25 2008-04-25 Method and system for accessing access authentication of global interoperating system by microwaves

Country Status (2)

Country Link
CN (1) CN101567786A (en)
WO (1) WO2009129683A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101702807B (en) * 2009-11-16 2012-07-25 东南大学 Wireless security access authentication method

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112084471A (en) * 2020-07-23 2020-12-15 于晓璇 Authentication and authorization system based on brain waves
CN113824555B (en) * 2021-09-13 2024-03-19 渔翁信息技术股份有限公司 Key processing method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1260909C (en) * 2004-09-30 2006-06-21 西安西电捷通无线网络通信有限公司 Method for increasing radio city area network safety
CN1801704B (en) * 2004-12-31 2010-12-08 华为技术有限公司 Method and system for user access core network


Also Published As

Publication number Publication date
WO2009129683A1 (en) 2009-10-29

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20091028