Method and device for timeout handling in a wireless local area network authentication infrastructure
Technical field
The present invention relates to the field of wireless local area network authentication infrastructure, and in particular to a method and device for timeout handling in a wireless local area network authentication infrastructure.
Background technology
WAPI (WLAN Authentication and Privacy Infrastructure) is a transmission protocol for wireless local area networks (WLAN). It is close to the existing 802.11B transmission protocol and was approved after examination by the IEEE Registration Authority authorized by ISO/IEC. Its largest difference from 802.11B is the security encryption technology: WAPI uses a security protocol named "WLAN Authentication and Privacy Infrastructure (WAPI)", whereas 802.11B adopts the "Wired Equivalent Privacy (WEP)" security protocol.
WAPI is built on encryption core technology independently mastered by China, so there is no fear that foreign parties could use the WLAN to steal state or trade secrets, and its encryption technology is more advanced than that of 802.11B. WAPI adopts an elliptic curve cryptographic algorithm of the public-key system and a block cipher algorithm of the secret-key system, both approved by the State Cryptography Administration Commission Office, and achieves identity authentication, link verification, access control, and encryption protection of user information during transmission.
In addition, WAPI has two application modes, single-point and centralized, which can thoroughly reverse the present situation in which WLANs adopt several coexisting and incompatible security mechanisms, fundamentally solving both the security problem and the compatibility problem. For this reason China compulsorily requires the relevant commercial organizations to implement the WAPI standard in order to protect data more effectively.
WAPI consists of the WLAN Authentication Infrastructure (WAI) and the WLAN Privacy Infrastructure (WPI). The former is used for identity authentication between a terminal and a wireless AP; the latter is used for encrypting and keeping secret the data of wireless data transmission.
The WLAN terminal access authentication flow is shown in Fig. 1; the specific flow is as follows:
Step 101, authentication activation: when an STA terminal associates or re-associates with an AP (access point), the AP sends an authentication activation to the STA to start the whole authentication process;
Step 102, access authentication request: the STA sends an access authentication request to the AP, delivering the STA certificate and the STA's current system time to the AP; this system time is called the access authentication request time;
Step 103, certificate authentication request: after the AP receives the STA's access authentication request, it first records the access authentication request time and then sends a certificate authentication request to the ASU (Authentication Service Unit); that is, the STA certificate, the access authentication request time, the AP certificate, and the AP's signature over them made with the AP's private key together form the certificate authentication request sent to the ASU;
Step 104, certificate authentication response: after the ASU receives the AP's certificate authentication request, it verifies the AP's signature and the validity of the AP certificate; if these are incorrect, the authentication process fails, otherwise the ASU further verifies the STA certificate. After verification, the ASU returns the STA certificate authentication result information and the AP certificate authentication result information together with the ASU's signature over them; these constitute the certificate authentication response sent back to the AP;
Step 105, access authentication response: the AP verifies the signature of the certificate authentication response returned by the ASU, obtains the authentication result of the STA certificate, and performs access control on the STA according to this result. The AP returns the received certificate authentication response to the STA. After the STA verifies the ASU's signature, it obtains the authentication result of the AP certificate and decides according to this result whether to access this AP.
In defining the above process, standard GB 15629.11-2003 considered that after a terminal sends an access authentication request, if it does not receive an access authentication response within a specified time, the terminal needs to set a timer and, within a specified time, send the access authentication request again.
The terminal access authentication timeout handling scheme in the prior art is shown in Fig. 2 and comprises:
Step 201, the wireless AP initiates an authentication activation, which is a broadcast message;
Step 202, when the terminal STA receives the authentication activation message, the timeout T=2s is set and the number of retransmissions is initialized to N=0 in the terminal protocol stack.
Step 203, the terminal initiates an access authentication request as shown in step 102 of Fig. 1;
Step 204, the terminal starts the timeout timer with the timeout period set to T, and the number of retransmissions N is automatically increased by 1.
Step 205, judge whether an access authentication response is received within time T; if so, execute step 207, otherwise execute step 206;
Step 206, if no access authentication response is received within time T, the terminal checks whether the number of retransmissions N is greater than the maximum number of retransmissions (for example 6); if it is greater than the maximum number of retransmissions, execute step 207; if N is less than or equal to the maximum number of retransmissions, return to step 203;
Step 207, the flow ends, which is specifically divided into:
1) ending on receipt of a response: if an access authentication response is received within time T, the whole timeout handling mechanism ends;
2) ending because the number of retries is greater than 6: if the number of retransmissions is greater than the maximum number of retransmissions, the terminal has not received an access authentication response, the process ends abnormally, and the user manually initiates the next WAPI connection.
It can be seen from the above flow that what standard GB 15629.11-2003 provides is a fixed timer, for example 2s. Such a setting greatly affects efficiency: every transmission occurs at a fixed interval, which may make an already congested network even more congested when the network is busy, and may also cause a request whose processing time is greater than the timer setting never to complete correctly. For example, if a request happens to take 3s to process while the terminal retransmits every 2s, the terminal can never receive the response. Similar problems exist in the timeout handling between other request messages and response messages during establishment of the WAPI security association.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method and device for timeout handling in a wireless local area network authentication infrastructure, avoiding network congestion, or a process that cannot finish correctly, during timeout handling.
In order to solve the above technical problem, the invention provides a timeout handling method for a wireless local area network authentication infrastructure: when a first communication node and a second communication node exchange messages in the process of establishing a security association, the first communication node sends a request message to the second communication node; if no response message from the second communication node is received within the timeout corresponding to this request message, the request message is retransmitted; after the request message is retransmitted, if no response message is received within the corresponding timeout, the request message is retransmitted once more; the number of retransmissions does not exceed a maximum number of retransmissions; and the timeouts corresponding to the individual sent or retransmitted request messages are not all identical.
Further, the above method may also have the following feature: each time the request message is retransmitted, its corresponding timeout is not less than the timeout set when the request message was previously sent.
Further, the above method may also have the following feature: a number of retransmissions N is set, and each time the request message is sent its corresponding timeout is set to T=2^N, where N=0 when the request message is sent for the first time and the value of N is increased by 1 each time the request message is retransmitted.
Further, the above method may also have the following feature: at least one of the timeouts is not less than the processing time of the second communication node for this request message.
Further, the above method may also have the following feature: the first communication node is a terminal, the second communication node is an access point or another terminal, the request message is an access authentication request message, and the response message is an access authentication response message.
The present invention also provides a timeout handling device for a wireless local area network authentication infrastructure, located in a first communication node, the device comprising a sending unit and a timeout timer, wherein:
the sending unit is used to send a request message to a second communication node, and is also used to retransmit the request message when no response message from the second communication node has been received after the timeout timer expires, the number of retransmissions of the request message not exceeding a maximum number of retransmissions;
the timeout timer is used to start timing when the sending unit sends or retransmits the request message and to notify the sending unit when the corresponding timeout is reached, wherein the timeouts corresponding to the individual sent or retransmitted request messages are not all identical.
Further, the above device may also have the following feature: each time the request message is retransmitted, the timeout set by the timeout timer is not less than the timeout set when the request message was previously sent.
Further, the above device may also have the following feature: the device further comprises a retransmission count unit used to maintain a number of retransmissions N, where N=0 when the request message is sent for the first time and the value of N is increased by 1 each time the request message is retransmitted;
and the timeout timer is also used to set the timeout T=2^N according to the number of retransmissions from the retransmission count unit.
Further, the above device may also have the following feature: when the timeout timer sets the timeouts, at least one of the timeouts is not less than the processing time of the second communication node for this request message.
Further, the above device may also have the following feature: the first communication node is a terminal, the second communication node is an access point or another terminal, the request message is an access authentication request message, and the response message is an access authentication response message.
Compared with the existing scheme, the timeout handling method proposed by the present invention does not cause the terminal never to receive a response, and no longer increases the burden on the network while the network is congested.
Description of drawings
Fig. 1 is a flow chart of the existing terminal access authentication process;
Fig. 2 shows the timeout handling method in the existing terminal access authentication process;
Fig. 3 shows the timeout handling method in the terminal access authentication process of the present invention.
Embodiment
The central idea of the present invention is to set a non-fixed timeout in the retransmission process so as to better adapt to network demand.
The technical solution of the present invention is as follows: when a first communication node and a second communication node exchange messages in the process of establishing a security association, the first communication node sends a request message to the second communication node; if no response message from the second communication node is received within the timeout corresponding to this request message, the request message is retransmitted; after the request message is retransmitted, if no response message is received within the timeout corresponding to the retransmitted request message, the request message is retransmitted once more, the number of retransmissions not exceeding a maximum number of retransmissions; and the timeouts corresponding to the individual sent or retransmitted request messages are not all identical. The first communication node and the second communication node may be a terminal, an AP or an ASU.
The timeout handling method of the present invention is illustrated below by the access authentication process, but the invention is not limited to this; the handling of other messages is similar.
Fig. 3 shows the timeout handling method in the access authentication process of the present invention, which specifically comprises:
Step 301, the wireless AP side initiates an authentication activation, which is a broadcast message;
Step 302, when the terminal STA receives the authentication activation, the timeout T=1s is set and the number of retransmissions is initialized to N=0 in the terminal protocol stack;
Step 303, the terminal sends an access authentication request to the access point or another terminal;
Step 304, the terminal starts the timeout timer with the timeout period set to T, and the number of retransmissions N is automatically increased by 1;
Step 305, judge whether an access authentication response is received within time T; if so, execute step 308, otherwise execute step 306;
Step 306, if no access authentication response is received within time T, the terminal checks whether the number of retransmissions N is greater than the maximum number of retransmissions (for example 6); if it is greater than the maximum number of retransmissions, execute step 308; if N is less than or equal to the maximum number of retransmissions, execute step 307;
Step 307, set T=2^N s, that is, set T to 2 to the Nth power seconds, and go to step 303;
In the flow of the present invention the value of N is 0, 1, 2, 3, 4, 5, 6, and the value of T is correspondingly 1s, 2s, 4s, 8s, 16s, 32s, 64s.
Among these timeouts, at least one timeout is not less than the processing time of the terminal's correspondent node (access point or other terminal) for the access authentication request message.
Step 308, the flow ends, which is specifically divided into:
1) ending on receipt of a response: if an access authentication response is received within time T, the whole timeout handling mechanism ends;
2) ending because the number of retries is greater than the maximum number of retransmissions: if the number of retransmissions is greater than the maximum number of retransmissions, the terminal has not received an access authentication response, the process ends abnormally, and the user manually initiates the next connection.
The value of N in step 307 is one retry-time algorithm, but the invention is not limited to this time algorithm; the timeout T can be set according to the current network condition and the actual processing time of the access authentication request, and the following variants are possible:
1) the setting of the timeout T is not limited to T=2^N; the value of T can be increased as the number of retransmissions increases, and the amount of each increase is not limited, provided that each time the access authentication request message is retransmitted its corresponding timeout is not less than the timeout set when the access authentication request message was previously sent;
2) the timeout T need not be reset every time the access authentication request is retransmitted; for example, the timeout T may be set once every two retransmissions, or once every three retransmissions, and so on;
3) a fixed timeout T may be set, this fixed timeout T being not less than the processing time of the access authentication request.
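The retransmission procedure of steps 302 to 308, the fixed 2s timer of the prior-art scheme (steps 202 to 207), and variants 1) to 3) above, as an added simulation example written for this page (not code from the patent or from any WAPI implementation). The clock is simulated, so nothing actually sleeps. The responder model is a constructed assumption: the correspondent node answers a fixed `processing_time` seconds after a request is sent, and a response that arrives after that send's timer has already expired is discarded, which is the failure mode the background section describes for a 2s timer and a 3s processing time. The function names, `MAX_RETRANSMISSIONS`, and the 3s scenario are likewise assumptions made for the example.

```python
"""Simulation of the WAPI access-authentication retransmission timer.

Added example, not code from the patent. The clock is simulated (no real
sleeping). Responder model (a constructed assumption): the correspondent node
answers `processing_time` seconds after a request is sent, and a response that
arrives after that send's timer has already expired is discarded.
"""
from dataclasses import dataclass
from typing import Callable, List

MAX_RETRANSMISSIONS = 6  # "maximum number of retransmissions (for example 6)"

# A timeout policy maps the current retransmission count N to the timeout T (s).
TimeoutPolicy = Callable[[int], float]


def fixed_timeout(t: float) -> TimeoutPolicy:
    """Prior-art policy (steps 202/204) and variant 3): T never changes."""
    return lambda n: t


def exponential_timeout(n: int) -> float:
    """Step 307: T = 2^N s, giving 1s, 2s, 4s, 8s, 16s, 32s, 64s for N = 0..6."""
    return float(2 ** n)


def stepped_timeout(step: int, base: float = 1.0) -> TimeoutPolicy:
    """Variant 2): T is only increased once every `step` retransmissions."""
    return lambda n: base * 2 ** (n // step)


@dataclass
class Outcome:
    success: bool          # step 308 1) response received, or 2) abnormal end
    attempts: int          # 1 original send + retransmissions
    elapsed: float         # simulated seconds until the flow ends
    timeouts: List[float]  # T used for each send, in order


def run_access_authentication(policy: TimeoutPolicy, processing_time: float,
                              max_retx: int = MAX_RETRANSMISSIONS) -> Outcome:
    """Steps 302-308: send, arm the timer with T, wait, retransmit with N += 1."""
    clock = 0.0
    n = 0                       # step 302: N = 0; the first send uses T for N = 0
    timeouts: List[float] = []
    attempts = 0
    while True:
        attempts += 1           # step 303: send the access authentication request
        t = policy(n)           # step 304 (first send) / step 307 (retransmission)
        timeouts.append(t)
        n += 1                  # step 304: N is increased by 1
        if processing_time <= t:                       # step 305: response within T
            return Outcome(True, attempts, clock + processing_time, timeouts)
        clock += t                                     # timer expired, no response
        if n > max_retx:                               # step 306: too many retries
            return Outcome(False, attempts, clock, timeouts)
        # step 306 otherwise -> step 307 -> step 303: loop and retransmit


def is_non_decreasing(policy: TimeoutPolicy, max_retx: int = MAX_RETRANSMISSIONS) -> bool:
    """Feature of variant 1): each retransmission's T is not less than the previous one."""
    ts = [policy(n) for n in range(max_retx + 1)]
    return all(a <= b for a, b in zip(ts, ts[1:]))


def covers_processing_time(policy: TimeoutPolicy, processing_time: float,
                           max_retx: int = MAX_RETRANSMISSIONS) -> bool:
    """Feature of the method: at least one T is not less than the peer's processing time."""
    return any(policy(n) >= processing_time for n in range(max_retx + 1))


if __name__ == "__main__":
    # Constructed scenario from the background section: processing takes 3s.
    print(run_access_authentication(fixed_timeout(2.0), 3.0))   # 7 sends, never answered
    print(run_access_authentication(exponential_timeout, 3.0))  # answered on the 3rd send
```

With the constructed 3s processing time, the fixed 2s timer uses up all seven sends (N = 0..6) without ever accepting a response, while the T=2^N policy succeeds on the third send once T reaches 4s. `covers_processing_time` is the check a practitioner would add when choosing a policy: whichever variant is used, the largest timeout within the retransmission budget must be at least the peer's worst-case processing time, otherwise the flow can only end abnormally.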
In addition, the invention is not limited to the timeout handling of the access authentication request message; it can also be applied to other messages, such as the timeout handling of the certificate authentication request message.
The present invention is also not limited to timeout handling at the terminal; it can also be timeout handling at the access point or the authentication service unit, that is, it is applicable to the timeout handling of interactions between terminal and AP, terminal and terminal, AP and terminal, AP and AP, and AP and ASU.
The timeout handling method of the present invention, by setting a non-fixed timeout, for example one that increases gradually, reduces network congestion when the network is busy, and because at least one timeout is not less than the processing time of the correspondent node for the request message, the problem of the terminal never receiving the response message does not arise.
The present invention also provides a timeout handling device for a wireless local area network authentication infrastructure, located in a first communication node, the device comprising a sending unit, a retransmission count unit and a timeout timer, wherein:
the sending unit is used to send a request message to a second communication node, and is also used to retransmit the request message when no response message from the second communication node has been received after the timeout timer expires, the number of retransmissions of the request message not exceeding a maximum number of retransmissions;
the retransmission count unit is used to maintain a number of retransmissions N, where N=0 when the request message is sent for the first time and the value of N is increased by 1 each time the request message is retransmitted;
the timeout timer is used to start timing when the sending unit sends or retransmits the request message and to notify the sending unit when the corresponding timeout is reached, wherein the timeouts corresponding to the individual sent or retransmitted request messages are not all identical. Each time the request message is retransmitted, the timeout set by the timeout timer is not less than the timeout set when the request message was previously sent. Preferably, the timeout timer is also used to set the timeout T=2^N according to the number of retransmissions from the retransmission count unit.
Preferably, when the timeout timer sets the timeouts, at least one of the timeouts is not less than the processing time of the second communication node for this request message.
The first communication node is a terminal, an access point or an ASU, the second communication node is an access point, another terminal or an ASU, the request message may be an access authentication request message, and the response message may be an access authentication response message.