CN101695165A - Switching method, device and system - Google Patents

Info

Publication number
CN101695165A
Authority
CN
China
Prior art keywords
authentication
eap
user terminal
packet
target
Legal status
Pending
Application number
CN200910091942A
Other languages
Chinese (zh)
Inventor
姜奇
李兴华
芦翔
马建峰
罗耀平
龙水平
Current Assignee
Huawei Device Shenzhen Co Ltd
Xidian University
Original Assignee
Shenzhen Huawei Communication Technologies Co Ltd
Xidian University
Application filed by Shenzhen Huawei Communication Technologies Co Ltd and Xidian University
Priority to CN200910091942A
Publication of CN101695165A

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a switching method, device and system. The switching method comprises the following steps: a target AP receives an authentication request frame sent by a user terminal and carrying an EAP Initiate Re-auth packet, and sends the EAP Initiate Re-auth packet carried in the authentication request frame to an ERP server; the target AP obtains a re-authentication master session key and an EAP Finish Re-auth packet from a data packet sent by the ERP server and sends an authentication response frame carrying the EAP Finish Re-auth packet; the target AP receives a reassociation request frame sent by the user terminal and sends a reassociation response frame to the user terminal; and the target AP uses the re-authentication master session key to derive a key used for data communication with the user terminal after the handover succeeds. The technical scheme of the invention not only guarantees key security and a small authentication delay, but also reduces the key management overhead and avoids the problem of limited network scale, thereby realizing fast and secure handover.

Description

Switching method, device and system
Technical field
The present invention relates to the field of communication technology, and in particular to handover technology.
Background technology
Wireless Local Area Network (WLAN) technology is gradually being widely used because of advantages such as a high data transmission rate and ease of deployment. In the process of large-scale WLAN deployment, the security and authentication delay of the handover procedure of a user terminal, i.e. a WLAN user equipment (hereinafter abbreviated UE), have received much attention.
The existing handover method is as follows: after the UE completes the first Extensible Authentication Framework (EAP) authentication in a mobility domain, the UE and the Home AAA Server (HAAA) each generate a Master Session Key (MSK), and the initial access Access Point (AP) receives the MSK sent by the HAAA. The initial access AP and the UE each derive a Pairwise Master Key-R0 (PMK-R0) from the MSK; the initial access AP may be called the PMK-R0 Key Holder (R0KH). Afterwards, the initial access AP derives PMK-R1 from PMK-R0 and distributes PMK-R1 to the other APs, which may be called PMK-R1 Key Holders. On handover, the UE and the new AP (i.e. the target AP) each derive a Pairwise Transient Key (PTK) from PMK-R1, and the data communication between the UE and the new AP is protected by the PTK.
The inventors found that: since every AP may participate in master session key management, the key management of this method is very complicated and its overhead is large; since PMK-R1 is distributed by the initial access AP rather than by the AAA server, a security association must be established between the two APs to guarantee secure distribution of PMK-R1, so a security association may need to exist between any two APs, which limits the network scale. In addition, since the physical security of an AP is usually hard to guarantee, delivering the MSK, which is a root key, to the AP carries risk: if the root key is disclosed because an AP is captured, all keys derived from it are disclosed.
Summary of the invention
The switching method, device and system provided by the embodiments of the present invention guarantee key security and a small authentication delay while reducing the key management overhead and avoiding the problem of limited network scale, thereby realizing fast and secure handover.
A switching method provided by an embodiment of the present invention comprises:
in the handover procedure, a target access point (AP) receives an authentication request frame sent by a user terminal, the authentication request frame carrying an Extensible Authentication Framework (EAP) Initiate Re-auth packet;
the target AP sends the EAP Initiate Re-auth packet carried in the authentication request frame to an EAP Re-authentication Protocol (ERP) server;
the target AP obtains a re-authentication master session key and an EAP Finish Re-auth packet from a data packet sent by the ERP server, and sends an authentication response frame carrying the EAP Finish Re-auth packet to the user terminal;
the target AP receives a reassociation request frame sent by the user terminal and sends a reassociation response frame to the user terminal;
the target AP uses the re-authentication master session key to derive a key used for data communication with the user terminal after the handover succeeds.
A switching device provided by an embodiment of the present invention comprises:
a receiving module, configured to receive the authentication request frame and the reassociation request frame sent by the user terminal in the handover procedure, and to receive the data packet sent by the EAP Re-authentication Protocol (ERP) server, the authentication request frame carrying an EAP Initiate Re-auth packet;
a sending module, configured to send the EAP Initiate Re-auth packet carried in the authentication request frame to the ERP server, obtain the re-authentication master session key and the EAP Finish Re-auth packet from the data packet sent by the ERP server, send to the user terminal an authentication response frame in which the EAP Finish Re-auth packet is encapsulated, and send the reassociation response frame to the user terminal;
a key module, configured to use the re-authentication master session key to derive the key used for data communication with the user terminal after the handover succeeds.
A switching system provided by an embodiment of the present invention comprises:
a target AP, configured to receive an authentication request frame carrying an EAP Initiate Re-auth packet sent by a user terminal, send the EAP Initiate Re-auth packet carried in the authentication request frame to an ERP server, obtain a re-authentication master session key and an EAP Finish Re-auth packet from a data packet sent by the ERP server, send to the user terminal an authentication response frame in which the EAP Finish Re-auth packet is encapsulated, receive a reassociation request frame sent by the user terminal, send a reassociation response frame to the user terminal, and use the re-authentication master session key to obtain the key used for data communication with the user terminal after the handover succeeds;
an ERP server, configured to receive the EAP Initiate Re-auth packet sent by the target AP, perform a message integrity check on the EAP Initiate Re-auth packet according to the information it carries, and, after the check passes, send to the target AP a data packet carrying the re-authentication master session key and the EAP Finish Re-auth packet.
Another switching method provided by an embodiment of the present invention comprises:
in the handover procedure, a user terminal sends to a target AP an authentication request frame carrying an EAP Initiate Re-auth packet;
after receiving an authentication response frame sent by the target AP in which an EAP Finish Re-auth packet is encapsulated, the user terminal sends a reassociation request frame to the target AP;
after receiving a reassociation response frame sent by the target AP, the user terminal performs data communication with the target AP using a key derived from the re-authentication master session key.
A user terminal provided by an embodiment of the present invention comprises:
a terminal sending module, configured to send, in the handover procedure, an authentication request frame carrying an EAP Initiate Re-auth packet to a target AP, and to send a reassociation request frame to the target AP after the terminal receiving module receives an authentication response frame sent by the target AP carrying an EAP Finish Re-auth packet;
a terminal receiving module, configured to receive the reassociation response frame sent by the target AP and the authentication response frame carrying the EAP Finish Re-auth packet;
a communication processing module, configured to calculate the re-authentication master session key, derive from it the key used for data communication with the target AP, and, after the terminal receiving module receives the reassociation response frame, perform data communication with the target AP according to the derived key.
It can be seen from the above technical scheme that the target AP in the embodiments of the present invention can obtain the re-authentication master session key from the ERP server between receiving the authentication request frame and sending the authentication response frame, and can derive the key used for data communication with the user terminal after handover from the re-authentication master session key in as few interactions with the user terminal as possible. The procedure for obtaining the key used for data communication with the user terminal is therefore as concise as possible, which guarantees a small authentication delay; in addition, the key leakage problem caused by delivering a root key to the AP, the large key management overhead caused by every AP participating in key management, and the limited network scale caused by establishing security associations between pairs of APs are all avoided, thereby realizing fast and secure handover.
Description of drawings
Figure 1A is a flow chart of the switching method of embodiment one of the present invention;
Figure 1B is a schematic diagram of the structure of the ERP information element of embodiment one of the present invention;
Fig. 2 is a flow chart of the switching method of embodiment two of the present invention;
Fig. 3 is a flow chart of the switching method of embodiment three of the present invention;
Fig. 4 is a flow chart of the switching method of embodiment four of the present invention;
Fig. 5 is a flow chart of the switching method of embodiment five of the present invention;
Fig. 6 is a schematic diagram of the switching device of embodiment six of the present invention;
Fig. 7 is a schematic diagram of the switching system of embodiment seven of the present invention;
Fig. 8 is a schematic diagram of the user terminal of embodiment eight of the present invention.
Embodiment
Embodiment one: a switching method. The flow of this switching method is shown in Figure 1A.
In Figure 1A, S100: in the handover procedure, the target AP receives an authentication request frame sent by the user terminal. The authentication request frame here carries an EAP Initiate Re-auth packet, and this packet may be carried in the authentication request frame in the form of an Extensible Authentication Framework Re-authentication Protocol Information Element (ERPIE, also called the ERP information element), i.e. the authentication request frame carries an ERP information element in which the EAP Initiate Re-auth packet is encapsulated. A concrete example of the ERP information element is shown in Figure 1B.
The fields of the ERP information element in Figure 1B are: an element identifier field, a length field and an ERP field. The element identifier field may be one octet and indicates the type of the information element, i.e. that it is an information element of the ERP type; the length field may also be one octet and indicates the length of the information element; the ERP field encapsulates the ERP data packet.
S110: the target AP sends the EAP Initiate Re-auth packet carried in the authentication request frame to the ERP server.
Specifically, the target AP obtains the EAP Initiate Re-auth packet from the received authentication request frame, re-encapsulates it according to the protocol supported by the ERP server, and then sends the encapsulated data packet to the ERP server. When the ERP server and the AAA server in the network are located in the same physical entity, the target AP may encapsulate the EAP Initiate Re-auth packet as an AAA data packet and then send the AAA data packet to the ERP server.
S120: the target AP receives the data packet sent by the ERP server that carries the re-authentication master session key and the EAP Finish Re-auth packet, obtains the re-authentication master session key and the EAP Finish Re-auth packet from this data packet, and sends an authentication response frame carrying the EAP Finish Re-auth packet to the user terminal.
The data packet in S120 is the packet carrying the re-authentication master session key and the EAP Finish Re-auth packet that the ERP server returns to the target AP on the basis of the EAP Initiate Re-auth packet after obtaining it. Specifically, after receiving the EAP Initiate Re-auth packet, the ERP server may perform a message integrity check on it, for example according to the authentication tag carried in the EAP Initiate Re-auth packet; after the check passes, the ERP server generates the re-authentication master session key for the target AP and constructs the EAP Finish Re-auth packet for the target AP, then encapsulates the re-authentication master session key and the EAP Finish Re-auth packet in a data packet (such as an AAA data packet) and sends this data packet to the target AP.
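The following is an added example (not code from the patent) of the two checks that S100 through S120 rely on: the target AP locating the ERP information element of Figure 1B inside the authentication request frame body, and the ERP server verifying the authentication tag of the EAP Initiate Re-auth packet before generating the rMSK. The patent leaves the element identifier and the ERP packet internals unspecified, so the value ERPIE_ID is an assumed placeholder and the packet layout and HMAC-SHA256-128 cryptosuite follow RFC 6696; all keys and frame contents are constructed sample data.

```python
"""Target AP side: extract the ERP packet from the ERPIE of an authentication
request frame.  ERP server side: verify the EAP Initiate Re-auth packet's
authentication tag (the message integrity check of S120).

Assumptions, since the patent does not fix them: ERPIE layout per Figure 1B
(1-octet element id, 1-octet length, ERP packet); ERPIE_ID is a placeholder;
EAP packet layout and cryptosuite 2 (HMAC-SHA256-128) per RFC 6696, with the
tag computed with the re-authentication integrity key rIK over the packet from
the Code field up to and including the Cryptosuite field.
"""
import hashlib
import hmac
import struct

ERPIE_ID = 0xDD                  # assumed element id for the ERP information element
EAP_CODE_INITIATE = 5            # EAP-Initiate code (RFC 6696)
EAP_TYPE_REAUTH = 1              # Re-auth type (RFC 6696)
CRYPTOSUITE_HMAC_SHA256_128 = 2  # tag = first 128 bits of HMAC-SHA-256
TAG_LEN = 16


def parse_information_elements(body):
    """Split a frame body into (element_id, value) pairs; each IE is id|len|value."""
    ies = []
    i = 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        value = body[i + 2:i + 2 + ln]
        if len(value) != ln:
            raise ValueError("truncated information element")
        ies.append((eid, value))
        i += 2 + ln
    if i != len(body):
        raise ValueError("trailing bytes after last information element")
    return ies


def extract_erp_packet(frame_body):
    """Return the ERP packet carried in the ERPIE, or None if the frame has no ERPIE."""
    for eid, value in parse_information_elements(frame_body):
        if eid == ERPIE_ID:
            return value
    return None


def build_initiate_reauth(identifier, seq, keyname_nai, rik):
    """Construct an EAP Initiate Re-auth packet carrying a keyName-NAI TLV and a tag."""
    flags = 0x00
    tlv = bytes([1, len(keyname_nai)]) + keyname_nai          # keyName-NAI TLV, type 1
    payload = (bytes([EAP_TYPE_REAUTH, flags]) + struct.pack(">H", seq) + tlv
               + bytes([CRYPTOSUITE_HMAC_SHA256_128]))
    length = 4 + len(payload) + TAG_LEN                        # EAP Length counts the tag
    header = bytes([EAP_CODE_INITIATE, identifier]) + struct.pack(">H", length)
    untagged = header + payload
    tag = hmac.new(rik, untagged, hashlib.sha256).digest()[:TAG_LEN]
    return untagged + tag


def verify_initiate_reauth(packet, rik):
    """ERP server check: header sanity, declared length, cryptosuite, then the tag."""
    if len(packet) < 4 + 2 + 2 + 1 + TAG_LEN:
        return False
    code, length = packet[0], struct.unpack(">H", packet[2:4])[0]
    if code != EAP_CODE_INITIATE or length != len(packet) or packet[4] != EAP_TYPE_REAUTH:
        return False
    if packet[-TAG_LEN - 1] != CRYPTOSUITE_HMAC_SHA256_128:
        return False
    expected = hmac.new(rik, packet[:-TAG_LEN], hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(expected, packet[-TAG_LEN:])


def demo():
    """Constructed authentication request body: MDIE (id 54), a stand-in FTIE
    (id 55, carrying only an SNonce placeholder) and the ERPIE."""
    rik = b"constructed-sample-rIK-not-a-real-key"
    erp_packet = build_initiate_reauth(0x2A, 1, b"user@example.com", rik)
    mdie = bytes([54, 3]) + b"\x12\x34\x01"
    ftie = bytes([55, 34]) + b"\x00\x00" + b"\x11" * 32
    erpie = bytes([ERPIE_ID, len(erp_packet)]) + erp_packet
    packet = extract_erp_packet(mdie + ftie + erpie)   # target AP, S110
    return verify_initiate_reauth(packet, rik)         # ERP server, S120


if __name__ == "__main__":
    print("EAP Initiate Re-auth accepted:", demo())
```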
The process by which the ERP server generates the re-authentication master session key for the target AP may be: the ERP server generates the re-authentication master session key for the target AP according to the re-authentication root key it stores. The re-authentication root key here may be obtained and stored by the ERP server during the first access authentication procedure of the user terminal. This embodiment does not limit the specific implementation by which the ERP server obtains the re-authentication root key and uses it to derive the re-authentication master session key.
After the target AP has obtained the re-authentication master session key and the EAP Finish Re-auth packet from the information carried in the data packet sent by the ERP server, it stores the re-authentication master session key for this user terminal, carries the EAP Finish Re-auth packet in an authentication response frame, and sends the authentication response frame to the user terminal.
S130: the target AP receives the reassociation request frame sent by the user terminal and sends a reassociation response frame to the user terminal.
The reassociation request frame in this step is the frame the user terminal returns to the target AP in response to the authentication response frame after receiving it. Specifically, after receiving the authentication response frame sent by the target AP, the user terminal may obtain the EAP Finish Re-auth packet from it and perform a message integrity check on the EAP Finish Re-auth packet, for example according to the authentication tag carried in the EAP Finish Re-auth packet. After the check passes, the user terminal calculates the re-authentication master session key and derives from it the key used for data communication with the target AP after the handover is completed; this key may be called the pairwise transient key. The user terminal calculates the message integrity code (MIC) of the reassociation request frame and sends the reassociation request frame carrying this MIC to the target AP.
After receiving the reassociation request frame, the target AP may perform a message integrity check on it, for example according to the information carried in the reassociation request frame (such as the MIC in the Fast Transition Information Element, FTIE); after the check passes, the target AP sends the reassociation response frame to the user terminal.
S140: the target AP uses the re-authentication master session key to derive the key used for data communication with the user terminal after the handover is completed; this key may be called the pairwise transient key. That is, after the handover is completed, the security of the data communication between the user terminal and the target AP is guaranteed by the pairwise transient key.
After deriving the pairwise transient key, the target AP can use it to perform secure data communication with the user terminal, and the handover is successfully completed.
The target AP uses the re-authentication master session key to derive the pairwise transient key as follows: PTK = KDF-PTKLen(rMSK, "FT-PTK", SNonce ‖ ANonce ‖ BSSID ‖ STA-ADDR);
where PTK is the pairwise transient key, KDF-PTKLen is the key derivation function, rMSK is the re-authentication master session key, i.e. the key the ERP server generates for the target AP in the ERP procedure, SNonce is a 256-bit random bit string provided by the user terminal, ANonce is a 256-bit random bit string provided by the target AP, BSSID is the Basic Service Set Identifier of the target AP, STA-ADDR is the Medium Access Control (MAC) address of the user terminal, and ‖ denotes string concatenation. The SNonce and STA-ADDR here are obtained from the information carried in the authentication request frame sent by the user terminal to the target AP.
It should be noted that the embodiments of the present invention do not limit the specific implementation by which the target AP derives the pairwise transient key from the re-authentication master session key. In addition, there need be no execution-order restriction between S140 and S130; for example, the target AP may derive the pairwise transient key from the re-authentication master session key only after receiving the reassociation request frame; as another example, the target AP may derive the pairwise transient key from the re-authentication master session key after receiving the reassociation request frame and passing the message integrity check on it; as yet another example, the target AP may derive the key from the re-authentication master session key only when it needs to perform data communication with the user terminal. Also, the description of this embodiment omits some of the information carried in the messages and some related operations of the handover procedure; for example, the authentication information and concrete authentication operations included in a real network can be added to the flow described in this embodiment.
It can be seen from the description of embodiment one that the target AP in embodiment one can obtain the re-authentication master session key from the ERP server between receiving the authentication request frame and sending the authentication response frame, and can derive the key used for data communication with the user terminal after handover from the re-authentication master session key in as few interactions with the user terminal as possible, so that the procedure for obtaining the key used for data communication with the user terminal is as concise as possible and the authentication delay is small; in addition, the key leakage problem caused by delivering a root key to the AP, the large key management overhead caused by every AP participating in key management, and the limited network scale caused by establishing security associations between pairs of APs are all avoided, thereby realizing fast and secure handover.
Embodiment two: a switching method. The flow of this switching method is shown in Fig. 2.
In Fig. 2, S200: in the handover procedure, the user terminal sends to the target AP an authentication request frame carrying an EAP Initiate Re-auth packet.
Specifically, the user terminal carries the EAP Initiate Re-auth packet in the authentication request frame in the form of an ERP information element, i.e. the authentication request frame carries an ERP information element containing the EAP Initiate Re-auth packet. A concrete example of the ERP information element carried in the authentication request frame is as described for Figure 1B in the above embodiment and is not repeated here.
S210: after receiving the authentication response frame sent by the target AP carrying an EAP Finish Re-auth packet, the user terminal sends a reassociation request frame to the target AP.
Specifically, after receiving the authentication response frame sent by the target AP, the user terminal may perform a message integrity check on the EAP Finish Re-auth packet according to the information the packet carries, for example according to the authentication tag carried in the EAP Finish Re-auth packet; after the check passes, the user terminal sends the reassociation request frame to the target AP.
The authentication response frame in this step is the authentication response frame carrying the EAP Finish Re-auth packet that the target AP returns to the user terminal after receiving the authentication request frame, sending the EAP Initiate Re-auth packet carried in it to the ERP server, and receiving the data packet carrying the re-authentication master session key and the EAP Finish Re-auth packet sent by the ERP server.
S220: after receiving the reassociation response frame sent by the target AP, the user terminal performs data communication with the target AP according to the pairwise transient key. Here the pairwise transient key is the key for data communication with the target AP that the user terminal derives from the re-authentication master session key, and the re-authentication master session key here may be derived by the user terminal from the re-authentication root key it stores. The re-authentication root key may be obtained and stored by the user terminal in the first access authentication procedure. This embodiment does not limit the specific implementation by which the user terminal obtains the re-authentication root key and uses it to derive the re-authentication master session key.
Specifically, after receiving the reassociation response frame sent by the target AP, the user terminal may perform a message integrity check on it according to the information it carries, for example according to the MIC in the FTIE of the reassociation response frame; after the check of the reassociation response frame passes, the user terminal can perform secure data communication with the target AP according to the pairwise transient key.
The reassociation response frame in S220 is the frame the target AP returns to the user terminal in response to the received reassociation request frame. When the user terminal's check of the reassociation response frame passes, the handover can be regarded as successful and the handover procedure is completed. It should be noted that the user terminal may derive the pairwise transient key at any of several moments after verifying the EAP Finish Re-auth packet; for example, right after its check of the EAP Finish Re-auth packet passes, the user terminal derives the re-authentication master session key rMSK from the re-authentication root key and uses rMSK to derive the pairwise transient key; as another example, after its check of the reassociation response frame passes, the user terminal derives the re-authentication master session key from the re-authentication root key and uses it to derive the pairwise transient key; also, the user terminal's derivation of the re-authentication master session key and its derivation of the pairwise transient key may be performed separately and non-consecutively, and the user terminal may even derive the re-authentication master session key and the pairwise transient key only when it needs to perform data communication with the target AP, and so on.
The user terminal uses the re-authentication master session key to derive the pairwise transient key as follows: PTK = KDF-PTKLen(rMSK, "FT-PTK", SNonce ‖ ANonce ‖ BSSID ‖ STA-ADDR);
where PTK is the pairwise transient key, KDF-PTKLen is the key derivation function, rMSK is the re-authentication master session key, i.e. the key the ERP server generates for the target AP in the ERP procedure, which the user terminal can calculate from the re-authentication root key it stores, SNonce is a 256-bit random bit string provided by the user terminal, ANonce is a 256-bit random bit string provided by the target AP, BSSID is the Basic Service Set Identifier of the target AP, STA-ADDR is the Medium Access Control (MAC) address of the user terminal, and ‖ denotes string concatenation. The ANonce and BSSID here are obtained from the information carried in the authentication response frame sent by the target AP to the user terminal.
The embodiments of the present invention do not limit the specific implementation by which the user terminal derives the re-authentication master session key from the re-authentication root key or the pairwise transient key from the re-authentication master session key. In addition, the description of this embodiment omits some of the information carried in the messages and some related operations of the handover procedure; for example, the authentication information and authentication operations included in a real network can be added to the flow described in this embodiment.
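The PTK derivation given for the target AP in embodiment one (S140) and for the user terminal in embodiment two (S220) is the same formula evaluated on both sides with the nonces exchanged in the authentication frames. The block below is an added example (not the patent's code) that carries it through for both parties and then uses the resulting KCK for the reassociation MIC that S130 checks. The patent does not specify KDF-PTKLen, so the IEEE 802.11 KDF (HMAC-SHA-256 with 16-bit little-endian counter and length), a 384-bit PTK split into KCK, KEK and TK, and an HMAC-SHA-256 MIC truncated to 128 bits (a stand-in for the AES-128-CMAC that 802.11r uses) are all assumptions; the keys and nonces are constructed sample values.

```python
"""Both sides of the handover derive PTK = KDF-PTKLen(rMSK, "FT-PTK",
SNonce || ANonce || BSSID || STA-ADDR) and the target AP uses the KCK part
to verify the MIC of the reassociation request frame.

Assumptions (the patent fixes none of these): KDF-PTKLen is the IEEE 802.11
KDF built on HMAC-SHA-256; PTKLen = 384 bits = KCK(128) | KEK(128) | TK(128);
the reassociation MIC is HMAC-SHA-256 truncated to 128 bits, standing in for
AES-128-CMAC, which the standard library does not provide.
"""
import hashlib
import hmac
import struct

PTK_LEN_BITS = 384


def kdf_length(key, label, context, length_bits):
    """IEEE 802.11 KDF-Length: HMAC-SHA-256(key, i || label || context || length)
    concatenated for i = 1..ceil(length/256); i and length are 16-bit little-endian."""
    out = b""
    for i in range(1, (length_bits + 255) // 256 + 1):
        data = struct.pack("<H", i) + label + context + struct.pack("<H", length_bits)
        out += hmac.new(key, data, hashlib.sha256).digest()
    return out[: length_bits // 8]


def derive_ptk(rmsk, snonce, anonce, bssid, sta_addr):
    """PTK = KDF-PTKLen(rMSK, "FT-PTK", SNonce || ANonce || BSSID || STA-ADDR)."""
    if len(snonce) != 32 or len(anonce) != 32 or len(bssid) != 6 or len(sta_addr) != 6:
        raise ValueError("SNonce/ANonce are 256 bits, BSSID/STA-ADDR are 48 bits")
    return kdf_length(rmsk, b"FT-PTK", snonce + anonce + bssid + sta_addr, PTK_LEN_BITS)


def split_ptk(ptk):
    """KCK (MIC key), KEK (key wrap key), TK (data traffic key), 128 bits each."""
    return ptk[0:16], ptk[16:32], ptk[32:48]


def reassoc_mic(kck, fields):
    """MIC over the reassociation frame fields (stand-in for AES-128-CMAC)."""
    return hmac.new(kck, b"".join(fields), hashlib.sha256).digest()[:16]


def ue_build_reassoc(rmsk, snonce, anonce, bssid, sta_addr):
    """User terminal (S350): derive PTK, compute the FTIE MIC, and return the
    protected fields, the MIC and the traffic key it will use after handover."""
    kck, _, tk = split_ptk(derive_ptk(rmsk, snonce, anonce, bssid, sta_addr))
    fields = [sta_addr, bssid, anonce, snonce]   # simplified MIC coverage
    return fields, reassoc_mic(kck, fields), tk


def ap_check_reassoc(rmsk, fields, mic):
    """Target AP (S360): derive PTK from its own copy of rMSK and verify the MIC.
    Returns the traffic key on success, None if the MIC does not verify."""
    sta_addr, bssid, anonce, snonce = fields
    kck, _, tk = split_ptk(derive_ptk(rmsk, snonce, anonce, bssid, sta_addr))
    if not hmac.compare_digest(reassoc_mic(kck, fields), mic):
        return None
    return tk


if __name__ == "__main__":
    # constructed sample values; a real rMSK comes from the ERP server (AP side)
    # or from the re-authentication root key (UE side), and nonces are random
    rmsk = bytes(range(64))
    snonce, anonce = b"\x01" * 32, b"\x02" * 32
    bssid, sta_addr = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    fields, mic, ue_tk = ue_build_reassoc(rmsk, snonce, anonce, bssid, sta_addr)
    ap_tk = ap_check_reassoc(rmsk, fields, mic)
    print("MIC verified and TK agreed:", ap_tk == ue_tk)
    print("stale rMSK at AP rejected:", ap_check_reassoc(b"\x00" * 64, fields, mic) is None)
```

A mismatched rMSK on either side, or a nonce that differs from the one carried in the authentication frames, yields a different PTK and therefore a failed MIC check, which is why the check in S130 gates the reassociation response.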
It can be seen from the description of embodiment two that, by sending the target AP an authentication request frame carrying an EAP Initiate Re-auth packet and obtaining the EAP Finish Re-auth packet from the received authentication response frame, the user terminal in embodiment two can derive the key used for data communication after handover from the re-authentication master session key in as few interactions with the target AP as possible, so that the procedure for obtaining the key used for data communication with the target AP is as concise as possible, thereby realizing fast and secure handover.
Embodiment 3, handover method. The process in which the user terminal UE hands over from AP1 to AP2 is shown in Fig. 3.
In Fig. 3, S300: the UE and AP1 carry out secure data transmission.
S310: after the UE decides to hand over from AP1 to AP2, it sends an Authentication Request frame to AP2. The Authentication Request frame carries an FT Authentication Algorithm (FTAA) field, a Mobility Domain Information Element (MDIE), a Fast Transition Information Element (FTIE) and an ERPIE. The FTIE contains SNonce (a 256-bit random string supplied by the user terminal), and the ERPIE contains an EAP Initiate Re-auth (EAP begin re-authentication) packet.
S320: AP2 receives the Authentication Request frame sent by the UE, parses it to obtain the EAP Initiate Re-auth packet, re-encapsulates the EAP Initiate Re-auth packet in an AAA packet, and sends the AAA packet to the ERP Server.
S330: after the ERP Server receives the AAA packet, it parses the packet to obtain the EAP Initiate Re-auth packet and performs a message integrity check on it. If the check passes, the ERP Server sends AP2 a response packet carrying rMSK and an EAP Finish Re-auth (EAP finish re-authentication) packet. rMSK is a key that the ERP Server generates for AP2 from the MSK it shares with the UE.
S340: after AP2 receives the response packet sent by the ERP Server, it parses the packet to obtain rMSK and the EAP Finish Re-auth packet. AP2 then encapsulates the EAP Finish Re-auth packet in an Authentication Response frame and sends the Authentication Response frame to the UE. The Authentication Response frame carries FTAA, MDIE, FTIE and ERPIE; the FTIE contains ANonce (a 256-bit random string supplied by the target AP) and SNonce (the 256-bit random string supplied by the user terminal), and the ERPIE contains the EAP Finish Re-auth packet.
S350: after the UE receives the Authentication Response frame sent by AP2, it parses the frame to obtain the EAP Finish Re-auth packet. Once the message integrity check on the EAP Finish Re-auth packet passes, the UE calculates rMSK (the re-authentication master session key) from the re-authentication root key it shares with the ERP Server, derives the PTK (pairwise transient key) from rMSK, and calculates the MIC in the FTIE. The UE then constructs a Reassociation Request frame and sends it to AP2. The Reassociation Request frame carries an MDIE, a RIC-Request (resource information container request) and an FTIE; the FTIE contains the MIC calculated by the UE, ANonce (the 256-bit random string supplied by the target AP) and SNonce (the 256-bit random string supplied by the user terminal).
S360: after receiving the Reassociation Request frame, AP2 derives the PTK from rMSK and verifies the MIC in the FTIE. Once the MIC verification passes, AP2 constructs a Reassociation Response frame and sends it to the UE. The Reassociation Response frame carries an MDIE, an FTIE and a RIC-Response; the FTIE contains the MIC calculated by AP2, ANonce (the 256-bit random string supplied by AP2), SNonce (the 256-bit random string supplied by the user terminal) and GTK[N] (the group temporal key).
S370: after the UE receives the Reassociation Response frame, it parses the information carried in the frame to obtain the MIC and verifies it. If the verification passes, the handover is complete and the UE and AP2 can carry out secure data communication based on the PTK.
In each of the steps described above that includes a verification, if the verification fails, the subsequent steps are not carried out.
As can be seen from the description of Embodiment 3, AP2 obtains the re-authentication master session key from the ERP server between receiving the authentication request frame and sending the authentication response frame, and AP2 can obtain from rMSK, in the fewest possible exchanges with the user terminal, the PTK used for data communication after the handover. The process of obtaining the PTK is therefore as short as possible and the authentication delay is small. The scheme also avoids the key-leakage problem caused by issuing the root key MSK to APs, the high key-management overhead caused by every AP taking part in key management, and the limit on network size caused by having to establish security associations between pairs of APs; a fast and secure handover is thereby achieved. In addition, the technical scheme of Embodiment 3 applies both to an independently deployed WLAN and to a WLAN interconnected with other networks. The ERP Server can also be deployed flexibly: it may be an independent physical entity, or it may be located in another network device, that is, the ERP Server may share a physical entity with another logical entity, for example with a 3GPP Proxy entity.
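The exchange of S310 to S370 above, worked through as an added example that is not code from the patent. The rRK shared by the UE and the ERP server, the MAC addresses, the NAI and the nonces are constructed; the minimal ERP packet layout (code, SEQ, keyName-NAI, HMAC-SHA256-128 tag), the rIK/rMSK/PTK derivations and the FTIE MIC are simplified assumptions in the style of RFC 5296 and IEEE 802.11, since the patent does not fix them. The example also exercises the failure paths the embodiment only mentions: a tampered or replayed EAP Initiate Re-auth packet is rejected at S330, a UE without the right rRK never obtains a PTK, and a wrong MIC stops the reassociation at S360 or S370.

```python
# Added example, not code from the patent: simulation of the Embodiment 3 handover
# (S310-S370). Keys, nonces, MACs and the NAI are constructed; the ERP packet layout
# and the HMAC-SHA256 derivations are assumptions in the style of RFC 5296 / 802.11.
import hashlib, hmac, os, struct

CODE_INITIATE, CODE_FINISH = 5, 6  # EAP codes ERP uses for Initiate / Finish
TAG_LEN = 16                       # HMAC-SHA256-128 authentication tag

def kdf(key, label, data=b""):
    return hmac.new(key, label + b"\x00" + data, hashlib.sha256).digest()

def tag(rik, body):
    return hmac.new(rik, body, hashlib.sha256).digest()[:TAG_LEN]

def erp_packet(code, seq, nai, rik):
    """Assumed minimal layout: code | SEQ | keyName-NAI | tag over everything before it."""
    body = struct.pack("!BHB", code, seq, len(nai)) + nai
    return body + tag(rik, body)

def parse_erp(pkt, rik):
    """Return (code, seq, nai), or None when the authentication tag does not verify."""
    body, t = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
    if len(body) < 4 or not hmac.compare_digest(tag(rik, body), t):
        return None
    code, seq, n = struct.unpack("!BHB", body[:4])
    return code, seq, body[4:4 + n]

def derive_ptk(rmsk, ap_mac, ue_mac, anonce, snonce):
    return kdf(rmsk, b"PTK", ap_mac + ue_mac + anonce + snonce)

def mic(ptk, frame_label, anonce, snonce):
    return hmac.new(ptk, frame_label + anonce + snonce, hashlib.sha256).digest()[:16]

class ErpServer:
    def __init__(self, rrk):
        self.rrk, self.rik, self.last_seq = rrk, kdf(rrk, b"rIK"), -1
    def handle_initiate(self, pkt):
        """S330: integrity check, replay check on SEQ, then an rMSK for the target AP."""
        p = parse_erp(pkt, self.rik)
        if p is None or p[0] != CODE_INITIATE or p[1] <= self.last_seq:
            return None
        _, seq, nai = p
        self.last_seq = seq
        rmsk = kdf(self.rrk, b"rMSK", struct.pack("!H", seq))  # fresh per re-auth
        return rmsk, erp_packet(CODE_FINISH, seq, nai, self.rik)

class UE:
    def __init__(self, rrk, mac, nai):
        self.rrk, self.rik, self.mac, self.nai, self.seq = rrk, kdf(rrk, b"rIK"), mac, nai, 0
    def auth_request(self):
        """S310: SNonce goes in the FTIE, EAP Initiate/Re-auth in the ERPIE."""
        self.seq += 1
        self.snonce = os.urandom(32)
        return {"snonce": self.snonce,
                "erp": erp_packet(CODE_INITIATE, self.seq, self.nai, self.rik)}
    def auth_response(self, frame, ap_mac):
        """S350: verify Finish/Re-auth, compute rMSK and PTK, build the Reassociation Request."""
        p = parse_erp(frame["erp"], self.rik)
        if p is None or p[0] != CODE_FINISH or p[1] != self.seq:
            return None
        rmsk = kdf(self.rrk, b"rMSK", struct.pack("!H", self.seq))
        self.anonce = frame["anonce"]
        self.ptk = derive_ptk(rmsk, ap_mac, self.mac, self.anonce, self.snonce)
        return {"anonce": self.anonce, "snonce": self.snonce,
                "mic": mic(self.ptk, b"reassoc-req", self.anonce, self.snonce)}
    def reassoc_response(self, frame):
        """S370: verify the MIC; only then is the PTK used for data."""
        expect = mic(self.ptk, b"reassoc-resp", self.anonce, self.snonce)
        return self.ptk if hmac.compare_digest(frame["mic"], expect) else None

class AP:
    def __init__(self, mac, server):
        self.mac, self.server, self.gtk = mac, server, os.urandom(16)
    def auth_request(self, frame):
        """S320/S340: relay Initiate/Re-auth to the ERP server, answer with ANonce and Finish/Re-auth."""
        res = self.server.handle_initiate(frame["erp"])
        if res is None:
            return None
        self.rmsk, finish = res
        self.anonce, self.snonce = os.urandom(32), frame["snonce"]
        return {"anonce": self.anonce, "snonce": self.snonce, "erp": finish}
    def reassoc_request(self, frame, ue_mac):
        """S360: derive PTK from rMSK, verify the FTIE MIC, answer with MIC and GTK."""
        self.ptk = derive_ptk(self.rmsk, self.mac, ue_mac, self.anonce, self.snonce)
        expect = mic(self.ptk, b"reassoc-req", self.anonce, self.snonce)
        if not hmac.compare_digest(frame["mic"], expect):
            return None
        return {"anonce": self.anonce, "snonce": self.snonce, "gtk": self.gtk,
                "mic": mic(self.ptk, b"reassoc-resp", self.anonce, self.snonce)}

def handover(ue, ap):
    """Run S310-S370; return (UE PTK, AP PTK), or None if any check fails."""
    auth_resp = ap.auth_request(ue.auth_request())
    reassoc_req = auth_resp and ue.auth_response(auth_resp, ap.mac)
    reassoc_resp = reassoc_req and ap.reassoc_request(reassoc_req, ue.mac)
    ptk = reassoc_resp and ue.reassoc_response(reassoc_resp)
    return (ptk, ap.ptk) if ptk else None

RRK = bytes(range(32))  # constructed rRK shared by UE and ERP server since initial access
```

Each target AP receives an rMSK bound to the SEQ value of that re-authentication, so a PTK for AP2 cannot be computed from anything AP1 holds, and the ERP server's SEQ check is what turns a captured Authentication Request into a useless replay. The AP never sees rRK or rIK; it only relays the ERP packets and consumes the rMSK it is given.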
Embodiment 4, handover method. In the case of WLAN and 3G interworking, the UE accesses AP1 through an EAP-AKA authentication process at initial access and later needs to hand over to AP2; the main flow is shown in Fig. 4. The WLAN and 3G interworking may be 3GPP WLAN Interworking (3GPP I-WLAN), System Architecture Evolution (SAE) or the like. In this embodiment the ERP server and the Visited AAA Server (VAAA) share one physical entity. The UE in Fig. 4 includes a Universal Subscriber Identity Module (USIM), which is used to implement functions such as UE authentication.
In Fig. 4, S401: the UE sends an Authentication Request frame to the initial access AP, AP1; this Authentication Request frame does not carry an EAP Initiate Re-auth packet. At this point AP1 acts as the authenticator.
S402: after receiving the Authentication Request frame, AP1 returns an Authentication Response frame to the UE.
S403: after the UE receives the Authentication Response frame returned by AP1, it sends a Reassociation Request frame to AP1.
S404: after receiving the Reassociation Request frame, AP1 returns a Reassociation Response frame to the UE.
S405 (optional): the UE sends an EAPOL-Start (EAP over LAN Start) to AP1.
S406: AP1 sends an EAPOL: EAP Request/Identity to the UE.
S407: after receiving the EAP Request/Identity, the UE returns an EAPOL: EAP Response/Identity to AP1; this EAP Response/Identity is forwarded through the ERP Server in the access-domain network to the EAP server of the UE's home-domain network.
S408: after the EAP server of the home-domain network receives the EAP Response/Identity, it sends an Authentication Data Request to the HSS (home subscriber server).
S409: after receiving the Authentication Data Request, the HSS returns an Authentication Data Response to the EAP server of the home-domain network.
S410: the Authentication Data Response is forwarded to AP1 through the EAP server of the home-domain network and the ERP server in the access network.
S411: after receiving the Authentication Data Response, AP1 sends an EAPOL: EAP Request/AKA-Challenge (AKA: Authentication and Key Agreement) to the UE.
S412: after receiving the EAP Request/AKA-Challenge, the UE returns an EAPOL: EAP Response/AKA-Challenge to AP1; this EAP Response/AKA-Challenge is forwarded through the ERP Server in the access network to the EAP server of the home network.
S413: after the EAP server of the home-domain network receives the EAP Response/AKA-Challenge, it sends an AAA packet to the ERP server; the AAA packet carries the MSK, the Domain Specific Root Key (DSRK), an EAP Success indication and so on.
S414: after receiving the AAA packet, the ERP server parses it, obtains and stores the DSRK, and sends AP1 an AAA packet carrying the MSK and the EAP Success indication. After receiving that AAA packet, AP1 parses it, obtains and stores the MSK, and sends EAPOL: EAP Success to the UE.
S415: after a four-way handshake, the UE and AP1 both hold the PTK used for data communication between them, and can then communicate securely using the PTK. When the UE needs to hand over from AP1 to AP2, the flow proceeds to S416.
S416: the UE sends an Authentication Request frame carrying an EAP Initiate Re-auth packet to AP2. At this point AP2 acts as the new authenticator.
S417: after receiving the Authentication Request frame, AP2 sends the ERP server in the access network an AAA packet carrying the EAP Initiate Re-auth packet.
S418: after receiving the AAA packet, the ERP server in the access network returns to AP2 an AAA packet carrying rMSK and an EAP Finish Re-auth packet.
S419: after receiving the AAA packet, AP2 parses it, obtains and stores rMSK, and returns an Authentication Response frame to the UE.
S420: after receiving the Authentication Response frame, the UE calculates rMSK, derives the PTK between itself and AP2 from rMSK, and sends a Reassociation Request frame to AP2.
S421: after receiving the Reassociation Request frame, AP2 derives the PTK between itself and the UE from rMSK and returns a Reassociation Response frame to the UE. Once the UE has received the Reassociation Response frame the handover is complete, and the UE and AP2 communicate securely using the PTK.
Embodiment 5, handover method. In the case of an independently deployed WLAN, the authentication process through which the UE accesses AP1 at initial access is not limited to EAP-AKA; the UE later needs to hand over to AP2, and the main flow is shown in Fig. 5. In this embodiment the ERP server and the Visited AAA Server (VAAA) share one physical entity. The UE in Fig. 5 acts as the supplicant in the authentication process.
In Fig. 5, S501: the UE sends an Authentication Request frame to the initial access AP, AP1; this Authentication Request frame does not carry an EAP Initiate Re-auth packet. At this point AP1 acts as the authenticator.
S502: after receiving the Authentication Request frame, AP1 returns an Authentication Response frame to the UE.
S503: after the UE receives the Authentication Response frame returned by AP1, it sends a Reassociation Request frame to AP1.
S504: after receiving the Reassociation Request frame, AP1 returns a Reassociation Response frame to the UE.
S505 (optional): the UE sends an EAPOL-Start to AP1.
S506: AP1 sends an EAPOL: EAP Request/Identity to the UE.
S507: after receiving the EAP Request/Identity, the UE returns an EAPOL: EAP Response/Identity to AP1; this EAP Response/Identity is forwarded through the ERP Server in the access-domain network to the EAP server of the UE's home-domain network.
S508: after the EAP server of the home-domain network receives the EAP Response/Identity, it carries out the EAP authentication process with the UE.
S509: after the EAP authentication process ends, the EAP server of the home-domain network sends an AAA packet to the ERP server; the AAA packet carries the MSK, the Domain Specific Root Key (DSRK), an EAP Success indication and so on.
S510: after receiving the AAA packet, the ERP server parses it, obtains and stores the DSRK, and sends AP1 an AAA packet carrying the MSK and the EAP Success indication.
S511: after receiving the AAA packet, AP1 parses it, obtains and stores the MSK, and sends EAPOL: EAP Success to the UE.
S512: after a four-way handshake, the UE and AP1 both hold the PTK used for data communication between them, and can then communicate securely using the PTK. When the UE needs to hand over from AP1 to AP2, the flow proceeds to S513.
S513: the UE sends an Authentication Request frame carrying an EAP Initiate Re-auth packet to AP2. At this point AP2 acts as the new authenticator.
S514: after receiving the Authentication Request frame, AP2 sends the ERP server in the access network an AAA packet carrying the EAP Initiate Re-auth packet.
S515: after receiving the AAA packet, the ERP server in the access network returns to AP2 an AAA packet carrying rMSK and an EAP Finish Re-auth packet.
S516: after receiving the AAA packet, AP2 parses it, obtains and stores rMSK, and returns an Authentication Response frame to the UE.
S517: after receiving the Authentication Response frame, the UE calculates rMSK, derives the PTK between itself and AP2 from rMSK, and sends a Reassociation Request frame to AP2.
S518: after receiving the Reassociation Request frame, AP2 derives the PTK between itself and the UE from rMSK and returns a Reassociation Response frame to the UE. Once the UE has received the Reassociation Response frame the handover is complete, and the UE and AP2 communicate securely using the PTK.
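An added example, not code from the patent, of the key hierarchy that Embodiments 4 and 5 establish at initial access and consume at handover: which keys the UE, AP1 and the ERP server hold after S414/S415 (S510 to S512), and what AP2 receives at S418 (S515). The MSK and EMSK stand in for the keys exported by the full EAP method (EAP-AKA or any other) and are constructed; the derivation of DSRK from EMSK, of rRK from DSRK, of rMSK from rRK and the four-way-handshake PTK are HMAC-SHA256 labels in the style of RFC 5295, RFC 5296 and IEEE 802.11, assumed here because the patent leaves them open.

```python
# Added example, not code from the patent: which key material each entity holds
# after the initial access of Embodiments 4 and 5 and after a handover to AP2.
# MSK/EMSK, nonces and addresses are constructed; the derivations are HMAC-SHA256
# labels in the style of RFC 5295/5296 and IEEE 802.11, not their exact KDFs.
import hashlib, hmac, os

def kdf(key, label, data=b""):
    return hmac.new(key, label + b"\x00" + data, hashlib.sha256).digest()

def ptk_4way(pmk, aa, spa, anonce, snonce):
    """802.11-style pairwise key expansion (S415/S512); min/max ordering makes both sides agree."""
    return kdf(pmk, b"Pairwise key expansion",
               min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce))

def initial_access(domain, ap1_mac, ue_mac, msk=None, emsk=None):
    """S401-S415 / S501-S512: return the key stores of the UE, AP1 and the ERP server.
    msk/emsk stand in for the keys exported by the full EAP method (EAP-AKA or other)."""
    msk = os.urandom(64) if msk is None else msk
    emsk = os.urandom(64) if emsk is None else emsk
    dsrk = kdf(emsk, b"dsrk", domain)   # home server: DSRK from EMSK (assumption, RFC 5295 style)
    rrk = kdf(dsrk, b"EAP Re-authentication Root Key", domain)
    erp = {"DSRK": dsrk, "rRK": rrk}    # S414/S510: ERP server keeps DSRK, forwards MSK to AP1
    ap1 = {"MSK": msk}                  # S414/S511: AP1 stores MSK
    anonce, snonce = os.urandom(32), os.urandom(32)
    ap1["PTK"] = ptk_4way(msk[:32], ap1_mac, ue_mac, anonce, snonce)   # PMK = MSK[0:32]
    ue = {"MSK": msk, "EMSK": emsk, "DSRK": dsrk, "rRK": rrk,
          "PTK": ptk_4way(msk[:32], ap1_mac, ue_mac, snonce, anonce)}  # same PTK, nonces swapped
    return ue, ap1, erp

def handover_keys(erp, seq, ap2_mac, ue_mac, anonce, snonce):
    """S416-S421 / S513-S518: AP2 receives a per-handover rMSK, never MSK or rRK."""
    rmsk = kdf(erp["rRK"], b"rMSK", seq.to_bytes(2, "big"))
    return {"rMSK": rmsk, "PTK": kdf(rmsk, b"PTK", ap2_mac + ue_mac + anonce + snonce)}
```

The point of the split is visible in the stores: AP1 holds MSK and a PTK but no DSRK or rRK, the ERP server holds DSRK and rRK but does not keep MSK, and AP2 is handed only an rMSK that changes with every handover. Because DSRK is derived from EMSK rather than MSK, the MSK given to AP1 says nothing about the keys the ERP server uses later.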
Embodiment 6, handover device. This device may be a network device that acts as an AP, or it may be located in a network device that acts as an AP; in the handover process this network device is the target AP. The structure of the device is shown in Fig. 6. The device in Fig. 6 comprises a receiving module 600, a sending module 610 and a key module 620. Optionally, the device further comprises an authentication module 630.
The receiving module 600 is configured to receive the authentication request frame and the reassociation request frame sent by the user terminal during the handover process, and to receive the packet sent by the ERP server; here the authentication request frame carries an EAP Initiate Re-auth packet.
The sending module 610 is configured to send the ERP server the EAP Initiate Re-auth packet carried in the authentication request frame, to obtain the re-authentication master session key and the EAP Finish Re-auth packet from the packet sent by the ERP server, to send the user terminal an authentication response frame encapsulating the EAP Finish Re-auth packet, and to send a reassociation response frame to the user terminal.
The key module 620 is configured to use the re-authentication master session key obtained by the sending module 610 to derive the key used for data communication with the user terminal after the handover succeeds, namely the pairwise transient key (PTK).
The authentication module 630 is configured to perform a message integrity check on the reassociation request frame received by the receiving module 600, according to the information carried in that frame.
Where the device includes the authentication module 630, the sending module 610 sends the reassociation response frame to the user terminal after the check by the authentication module 630 passes.
The detailed process by which the above four modules cooperate to implement the handover may be as follows. During the handover, the receiving module 600 receives the authentication request frame carrying an EAP Initiate Re-auth packet sent by the user terminal. The sending module 610 obtains the EAP Initiate Re-auth packet from the authentication request frame, re-encapsulates it according to the protocol supported by the ERP server, and sends the encapsulated packet to the ERP server; when the ERP server and the AAA server in the network are located in the same physical entity, the sending module 610 may encapsulate the EAP Initiate Re-auth packet in an AAA packet and send the AAA packet to the ERP server. The receiving module 600 receives the packet sent by the ERP server carrying the re-authentication master session key and the EAP Finish Re-auth packet; the sending module 610 obtains the re-authentication master session key and the EAP Finish Re-auth packet from this packet, stores the re-authentication master session key for this user terminal, and sends the user terminal an authentication response frame carrying the EAP Finish Re-auth packet. The packet received by the receiving module 600 is the one the ERP server returns to the target AP, on the basis of the EAP Initiate Re-auth packet, after obtaining that packet. Having received the EAP Initiate Re-auth packet, the ERP server may perform a message integrity check on it, for example according to the authentication tag carried in the EAP Initiate Re-auth packet; after the check passes, the ERP server generates the re-authentication master session key for the target AP, constructs the EAP Finish Re-auth packet for the target AP, encapsulates the re-authentication master session key and the EAP Finish Re-auth packet in a packet (such as an AAA packet), and sends this packet to the target AP. The receiving module 600 receives the reassociation request frame sent by the user terminal, and the sending module 610 sends a reassociation response frame to the user terminal. The reassociation request frame is the frame the user terminal returns to the target AP in response to the authentication response frame. After the receiving module 600 receives the reassociation request frame, the authentication module 630 performs a message integrity check on it, for example according to the information carried in the frame (such as the MIC in the fast transition information element FTIE); after the check passes, the sending module 610 sends the reassociation response frame to the user terminal. The key module 620 uses the re-authentication master session key to derive the key used for data communication with the user terminal after the handover is complete; this key may be called the pairwise transient key, and it protects the data communication between the user terminal and the target AP.
It should be noted that the embodiment of the invention does not limit the specific process by which the key module 620 derives the pairwise transient key from the re-authentication master session key. Moreover, the key module 620 may derive the pairwise transient key at any of several moments, as described in the method embodiments above.
The sending module 610 described above may comprise an obtaining submodule 611 and a transmitting submodule 612.
The obtaining submodule 611 is configured to obtain the EAP Initiate Re-auth packet from the authentication request frame received by the receiving module 600, and to obtain the re-authentication master session key and the EAP Finish Re-auth packet from the packet, sent by the ERP server, that the receiving module 600 receives.
The transmitting submodule 612 is configured to encapsulate the EAP Initiate Re-auth packet obtained by the obtaining submodule 611 in an AAA packet and send the AAA packet to the ERP server; to carry the EAP Finish Re-auth packet obtained by the obtaining submodule 611 in an authentication response frame and send the authentication response frame to the user terminal; and, after the receiving module 600 receives the reassociation request frame, to send the reassociation response frame to the user terminal.
Where the device includes the authentication module 630, the transmitting submodule 612 sends the reassociation response frame to the user terminal after the authentication module 630's check of the reassociation request frame passes.
Embodiment 7, handover system. The structure of the system is shown in Fig. 7. The system in Fig. 7 comprises a target AP 700 and an ERP server 710. Although only one target AP 700 is shown in Fig. 7, it will be understood that the system may comprise multiple target APs 700, providing handover processing for numerous user terminals.
The target AP 700 is configured to receive the authentication request frame carrying an EAP Initiate Re-auth packet sent by the user terminal; to send the ERP server 710 the EAP Initiate Re-auth packet carried in the authentication request frame; to obtain the re-authentication master session key and the EAP Finish Re-auth packet from the packet sent by the ERP server 710; to send the user terminal an authentication response frame encapsulating the EAP Finish Re-auth packet; to receive the reassociation request frame sent by the user terminal and send a reassociation response frame to the user terminal; and to use the re-authentication master session key to obtain the key used for data communication with the user terminal after the handover succeeds.
The ERP server 710 is configured to receive the EAP Initiate Re-auth packet sent by the target AP 700, perform a message integrity check on it according to the information it carries, and, after the check passes, send the target AP 700 a packet carrying the re-authentication master session key and an EAP Finish Re-auth packet.
The detailed process by which the target AP 700 and the ERP server 710 cooperate to implement the handover may be as follows. During the handover, the target AP 700 receives the authentication request frame carrying an EAP Initiate Re-auth packet sent by the user terminal. The target AP 700 obtains the EAP Initiate Re-auth packet from the authentication request frame, re-encapsulates it according to the protocol supported by the ERP server 710, and sends the encapsulated packet to the ERP server 710; when the ERP server 710 and the AAA server in the network are located in the same physical entity, the target AP 700 may encapsulate the EAP Initiate Re-auth packet in an AAA packet and send the AAA packet to the ERP server 710. The ERP server 710 obtains the EAP Initiate Re-auth packet from the packet it receives and performs a message integrity check on it, for example according to the authentication tag carried in the EAP Initiate Re-auth packet; after the check passes, the ERP server 710 generates the re-authentication master session key for the target AP 700, constructs the EAP Finish Re-auth packet for the target AP, encapsulates the re-authentication master session key and the EAP Finish Re-auth packet in a packet (such as an AAA packet), and sends this packet to the target AP 700. The target AP 700 receives the packet sent by the ERP server 710 carrying the re-authentication master session key and the EAP Finish Re-auth packet, obtains the re-authentication master session key and the EAP Finish Re-auth packet from it, stores the re-authentication master session key for this user terminal, and sends the user terminal an authentication response frame carrying the EAP Finish Re-auth packet. After receiving the reassociation request frame sent by the user terminal, the target AP 700 sends a reassociation response frame to the user terminal. The reassociation request frame is the frame the user terminal returns to the target AP 700 in response to the authentication response frame. After receiving the reassociation request frame, the target AP 700 performs a message integrity check on it, for example according to the information carried in the frame (such as the MIC in the fast transition information element FTIE); after the check passes, the target AP 700 sends the reassociation response frame to the user terminal. The target AP 700 uses the re-authentication master session key to derive the key used for data communication with the user terminal after the handover is complete; this key may be called the pairwise transient key, and it protects the data communication between the user terminal and the target AP.
It should be noted that the embodiment of the invention does not limit the specific process by which the target AP 700 derives the pairwise transient key from the re-authentication master session key. Moreover, the target AP 700 may derive the pairwise transient key at any of several moments, as described in the method embodiments above.
The structure of the target AP 700 in the system of this embodiment is as described for the handover device in Embodiment 6 above, and is not repeated here.
Embodiment 8, user terminal. The structure of the user terminal is shown in Fig. 8. The user terminal in Fig. 8 comprises a terminal sending module 800, a terminal receiving module 810 and a communication processing module 820. Optionally, the user terminal further comprises a terminal authentication module 830.
The terminal sending module 800 is configured, during the handover process, to send the target AP an authentication request frame carrying an EAP Initiate Re-auth packet, and, after the terminal receiving module 810 receives the authentication response frame carrying an EAP Finish Re-auth packet sent by the target AP, to send a reassociation request frame to the target AP.
The terminal receiving module 810 is configured to receive the reassociation response frame and the authentication response frame carrying the EAP Finish Re-auth packet sent by the target AP.
The communication processing module 820 is configured to calculate the re-authentication master session key, to derive from it the key used for data communication with the target AP, and, after the terminal receiving module 810 receives the reassociation response frame, to carry out data communication with the target AP using the derived key.
Where the user terminal includes the terminal authentication module 830, the terminal authentication module 830 is configured to perform a message integrity check on the EAP Finish Re-auth packet according to the information it carries, and to perform a message integrity check on the reassociation response frame according to the information carried in that frame. In this case, the terminal sending module 800 sends the reassociation request frame to the target AP after the terminal authentication module 830's check of the EAP Finish Re-auth packet passes, and the communication processing module 820 carries out data communication with the target AP using the derived key after the terminal authentication module 830's check of the reassociation response frame passes.
The detailed process by which the above four modules cooperate to implement the handover may be as follows. During the handover, the terminal sending module 800 sends the target AP an authentication request frame carrying an EAP Initiate Re-auth packet; for example, the authentication request frame sent by the terminal sending module 800 carries an ERP information element containing the EAP Initiate Re-auth packet. After the terminal receiving module 810 receives the authentication response frame carrying an EAP Finish Re-auth packet sent by the target AP, the terminal authentication module 830 performs a message integrity check on the EAP Finish Re-auth packet according to the information it carries, for example according to the authentication tag carried in the EAP Finish Re-auth packet; after that check passes, the terminal sending module 800 sends a reassociation request frame to the target AP. After the terminal receiving module 810 receives the reassociation response frame sent by the target AP, the terminal authentication module 830 may perform a message integrity check on the reassociation response frame according to the information it carries, for example according to the MIC in the FTIE of the reassociation response frame; after that check passes, the communication processing module 820 carries out data communication with the target AP using the pairwise transient key. Here the pairwise transient key is the key for data communication with the target AP that the communication processing module 820 derives from the re-authentication master session key, and the re-authentication master session key may in turn be derived by the communication processing module 820 from the re-authentication root key stored by the user terminal. The re-authentication root key may be obtained and stored by the user terminal during the initial access authentication process. This embodiment does not limit the specific process by which the user terminal obtains the re-authentication root key and uses it to derive the re-authentication master session key.
It should be noted that the communication processing module 820 may derive the pairwise transient key at any of several moments after the terminal authentication module 830 has checked the EAP Finish Re-auth packet. For example, as soon as that check passes, the communication processing module 820 may derive the re-authentication master session key rMSK from the re-authentication root key and use rMSK to derive the pairwise transient key; alternatively, the communication processing module 820 may derive the re-authentication master session key from the re-authentication root key, and then the pairwise transient key, only after the terminal authentication module 830's check of the reassociation response frame passes; the derivation of the re-authentication master session key and the derivation of the pairwise transient key may also be separated and performed at different times, for instance the pairwise transient key may be derived only when data communication with the target AP is actually required, and so on.
The embodiment of the invention does not limit the specific process by which the re-authentication master session key is derived from the re-authentication root key, or the pairwise transient key from the re-authentication master session key. In addition, the description of this embodiment omits some of the information carried in messages and some related operations in the handover process, such as authentication information and authentication operations; the related information and operations that a real network includes may be added to the flows described in the above embodiments.
From the above description of the embodiments, those skilled in the art will clearly understand that the present invention may be implemented by software together with the necessary hardware platform, or, of course, entirely in hardware, although in many cases the former is the better implementation. On that understanding, all or part of the contribution of the technical scheme of the present invention over the background art may be embodied in the form of a software product. The computer software product may be stored in a storage medium such as a ROM/RAM, a magnetic disk or an optical disc, and comprises instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in each embodiment of the present invention or in some part of an embodiment.
Although the present invention has been described by way of embodiments, those of ordinary skill in the art will know that the invention admits many variations and modifications without departing from its spirit, and the claims of the present application cover such variations and modifications.

Claims (11)

1. A handoff method, characterized in that it comprises:
in a handoff procedure, a target access point (AP) receiving an authentication request frame sent by a user terminal, the authentication request frame carrying an Extensible Authentication Protocol (EAP) start re-authentication packet;
the target AP sending the EAP start re-authentication packet carried in the authentication request frame to an EAP Re-authentication Protocol (ERP) server;
the target AP obtaining a re-authentication master session key and an EAP finish re-authentication packet from a data packet sent by the ERP server, and sending to the user terminal an authentication response frame carrying the EAP finish re-authentication packet;
the target AP receiving a reassociation request frame sent by the user terminal, and sending a reassociation response frame to the user terminal; and
the target AP using the re-authentication master session key to derive a key for data communication with the user terminal after the handoff has succeeded.
2. the method for claim 1 is characterized in that, described target AP sends the EAP that carries in the described authentication request frames to the ERP server and begins the re-authentication bag and comprise:
Target AP is obtained EAP and is begun the re-authentication bag from the authentication request frames that receives, described EAP is begun the re-authentication bag be encapsulated as the AAA packet, sends described AAA packet to described ERP server;
And the packet that described ERP server sends is: the ERP server is beginning the AAA packet that carries re-authentication master session key and EAP end re-authentication bag that the checking of re-authentication bag sends by the back to EAP.
3. method as claimed in claim 1 or 2, it is characterized in that, described reassociation requests frame is after to be user terminal to the EAP in the authentication response frames that receives finish the re-authentication bag and carry out the message integrity checking and pass through, the reassociation requests frame that sends to target AP, and describedly send the re-association response frame to described user terminal and comprise:
Described target AP is carried out the message integrity checking according to the information of carrying in the reassociation requests frame to described reassociation requests frame, and sends re-association response frame by the back to described user terminal in checking.
4. A handoff device, characterized in that the device comprises:
a receiving module, configured to receive the authentication request frame and the reassociation request frame sent by a user terminal in a handoff procedure, and to receive a data packet sent by an EAP Re-authentication Protocol (ERP) server, the authentication request frame carrying an Extensible Authentication Protocol (EAP) start re-authentication packet;
a sending module, configured to send the EAP start re-authentication packet carried in the authentication request frame to the ERP server, to obtain a re-authentication master session key and an EAP finish re-authentication packet from the data packet sent by the ERP server, to send to the user terminal an authentication response frame encapsulating the EAP finish re-authentication packet, and to send a reassociation response frame to the user terminal; and
a key module, configured to use the re-authentication master session key to derive a key for data communication with the user terminal after the handoff has succeeded.
5. The device of claim 4, characterized in that the sending module comprises:
an obtaining submodule, configured to obtain the EAP start re-authentication packet from the authentication request frame, and to obtain the re-authentication master session key and the EAP finish re-authentication packet from the data packet sent by the ERP server; and
a sending submodule, configured to encapsulate the EAP start re-authentication packet into an AAA data packet and send the AAA data packet to the ERP server, to carry the EAP finish re-authentication packet in the authentication response frame and send the authentication response frame to the user terminal, and, after the receiving module has received the reassociation request frame, to send the reassociation response frame to the user terminal.
6. The device of claim 4 or 5, characterized in that the device further comprises:
an authentication module, configured to perform a message integrity check on the reassociation request frame according to information carried in the reassociation request frame received by the receiving module;
and the sending module sends the reassociation response frame to the user terminal after the check by the authentication module has passed.
7. A handoff system, characterized in that it comprises:
a target access point (AP), configured to receive an authentication request frame, sent by a user terminal, that carries an Extensible Authentication Protocol (EAP) start re-authentication packet, to send the EAP start re-authentication packet carried in the authentication request frame to an EAP Re-authentication Protocol (ERP) server, to obtain a re-authentication master session key and an EAP finish re-authentication packet from the data packet sent by the ERP server, to send to the user terminal an authentication response frame encapsulating the EAP finish re-authentication packet, to receive the reassociation request frame sent by the user terminal and send a reassociation response frame to the user terminal, and to use the re-authentication master session key to obtain a key for data communication with the user terminal after the handoff has succeeded; and
the ERP server, configured to receive the EAP start re-authentication packet sent by the target AP, to perform a message integrity check on the EAP start re-authentication packet according to information carried in that packet, and, after the check has passed, to send to the target AP a data packet carrying the re-authentication master session key and the EAP finish re-authentication packet.
8. A handoff method, characterized in that it comprises:
in a handoff procedure, a user terminal sending to a target access point (AP) an authentication request frame carrying an Extensible Authentication Protocol (EAP) start re-authentication packet;
the user terminal, after receiving an authentication response frame, sent by the target AP, that encapsulates an EAP finish re-authentication packet, sending a reassociation request frame to the target AP; and
the user terminal, after receiving a reassociation response frame sent by the target AP, carrying out data communication with the target AP using a key derived from a re-authentication master session key.
9. The handoff method of claim 8, characterized in that sending the reassociation request frame to the target AP comprises:
the user terminal performing a message integrity check on the EAP finish re-authentication packet according to information carried in the EAP finish re-authentication packet, and sending the reassociation request frame to the target AP after the check has passed;
and carrying out data communication with the target AP using the key derived from the re-authentication master session key comprises:
the user terminal performing a message integrity check on the reassociation response frame according to information carried in the reassociation response frame, and, after the check has passed, carrying out data communication with the target AP using the key derived from the re-authentication master session key.
10. A user terminal, characterized in that it comprises:
a terminal sending module, configured to send to a target access point (AP), in a handoff procedure, an authentication request frame carrying an Extensible Authentication Protocol (EAP) start re-authentication packet, and, after a terminal receiving module has received an authentication response frame, sent by the target AP, that carries an EAP finish re-authentication packet, to send a reassociation request frame to the target AP;
the terminal receiving module, configured to receive the reassociation response frame sent by the target AP and the authentication response frame carrying the EAP finish re-authentication packet; and
a communication processing module, configured to compute a re-authentication master session key, to derive from the re-authentication master session key a key for data communication with the target AP, and, after the terminal receiving module has received the reassociation response frame, to carry out data communication with the target AP using the derived key.
11. The user terminal of claim 10, characterized in that it further comprises:
a terminal authentication module, configured to perform a message integrity check on the EAP finish re-authentication packet according to information carried in the EAP finish re-authentication packet, and to perform a message integrity check on the reassociation response frame according to information carried in the reassociation response frame;
and the terminal sending module sends the reassociation request frame to the target AP after the check of the EAP finish re-authentication packet by the terminal authentication module has passed;
and the communication processing module carries out data communication with the target AP using the derived key after the check of the reassociation response frame by the terminal authentication module has passed.
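The four-frame handoff in claims 1 to 11, and the key-derivation ordering discussed at the end of the description, can be walked through with a small three-party simulation. The following Python is an added, constructed example written for this page; it is not code from the patent or from any ERP implementation. It assumes the user terminal and the ERP server share a re-authentication root key rRK from an earlier full EAP run and an integrity key rIK derived from it, uses an HMAC-SHA256 label/context KDF, constructed station and AP addresses, and constructed message layouts in place of the real frame and AAA packet formats; the packet names EAP-Initiate/Re-auth and EAP-Finish/Re-auth are the ERP names for what the claims call the EAP start and finish re-authentication packets. The ERP server releases rMSK only after the start packet passes its integrity check, the target AP checks the reassociation request before answering, and the terminal uses the derived key for data only once the reassociation response has been verified.

```python
import hashlib
import hmac

STA_ADDR = bytes.fromhex("020000000001")  # constructed station address
AP_ADDR = bytes.fromhex("020000000002")   # constructed target-AP address


def kdf(key: bytes, label: bytes, context: bytes = b"", length: int = 32) -> bytes:
    """Label/context KDF on HMAC-SHA256 (an assumption, not the patent's or ERP's KDF)."""
    out, counter = b"", 1
    while len(out) < length:
        out += hmac.new(key, bytes([counter]) + label + b"\x00" + context, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def mic(key: bytes, data: bytes) -> bytes:
    """Message integrity check value: HMAC-SHA256 truncated to 128 bits."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


class ERPServer:
    """Holds the re-authentication root key rRK left by an earlier full EAP exchange."""

    def __init__(self, rrk: bytes):
        self.rrk = rrk
        self.rik = kdf(rrk, b"reauth-integrity-key")  # rIK protects the ERP packets

    def handle_aaa(self, aaa_packet: dict):
        """Check the EAP start re-authentication packet; return rMSK and the finish packet (claim 7)."""
        initiate = aaa_packet["eap_initiate"]
        if not hmac.compare_digest(mic(self.rik, initiate), aaa_packet["mic"]):
            return None  # integrity check failed: no key material is released
        seq = initiate[-2:]  # sequence number carried in the packet binds rMSK to this run
        rmsk = kdf(self.rrk, b"reauth-master-session-key", seq)
        finish = b"EAP-Finish/Re-auth" + seq
        return {"rmsk": rmsk, "eap_finish": finish, "mic": mic(self.rik, finish)}


class TargetAP:
    def __init__(self, erp_server: ERPServer):
        self.erp, self.temp_key = erp_server, None

    def handle_authentication_request(self, frame: dict) -> dict:
        """Encapsulate the start packet for the ERP server; answer with an authentication response."""
        reply = self.erp.handle_aaa({"eap_initiate": frame["eap_initiate"], "mic": frame["mic"]})
        if reply is None:
            return {"status": "failure"}
        # the key for post-handoff data communication is derived from rMSK (claim 1, last step)
        self.temp_key = kdf(reply["rmsk"], b"temporal-key", AP_ADDR + STA_ADDR)
        return {"status": "success", "eap_finish": reply["eap_finish"], "mic": reply["mic"]}

    def handle_reassociation_request(self, frame: dict) -> dict:
        """Integrity-check the reassociation request before answering (claims 3 and 6)."""
        if not hmac.compare_digest(mic(self.temp_key, b"reassoc-req" + STA_ADDR + AP_ADDR), frame["mic"]):
            return {"status": "failure"}
        return {"status": "success", "mic": mic(self.temp_key, b"reassoc-resp" + AP_ADDR + STA_ADDR)}


class UserTerminal:
    def __init__(self, rrk: bytes):
        self.rrk, self.rik = rrk, kdf(rrk, b"reauth-integrity-key")
        self.seq, self.temp_key = 0, None

    def authentication_request(self) -> dict:
        """Authentication request frame carrying the EAP start re-authentication packet."""
        self.seq += 1
        initiate = b"EAP-Initiate/Re-auth" + self.seq.to_bytes(2, "big")
        return {"eap_initiate": initiate, "mic": mic(self.rik, initiate)}

    def handle_authentication_response(self, frame: dict):
        """Verify the finish packet, compute rMSK and the temporary key, then reassociate (claims 8 to 11)."""
        if frame["status"] != "success" or not hmac.compare_digest(mic(self.rik, frame["eap_finish"]), frame["mic"]):
            return None
        rmsk = kdf(self.rrk, b"reauth-master-session-key", frame["eap_finish"][-2:])
        self.temp_key = kdf(rmsk, b"temporal-key", AP_ADDR + STA_ADDR)
        return {"mic": mic(self.temp_key, b"reassoc-req" + STA_ADDR + AP_ADDR)}

    def handle_reassociation_response(self, frame: dict):
        """Use the derived key for data only once the reassociation response checks out (claim 11)."""
        if frame["status"] != "success" or not hmac.compare_digest(
            mic(self.temp_key, b"reassoc-resp" + AP_ADDR + STA_ADDR), frame["mic"]
        ):
            return None
        return self.temp_key


def run_handoff(rrk: bytes, tamper: bool = False):
    """Drive the four frames of the handoff; returns (terminal key, AP key), or (None, None) on failure."""
    sta, ap = UserTerminal(rrk), TargetAP(ERPServer(rrk))
    auth_req = sta.authentication_request()
    if tamper:  # constructed corruption of the start packet in transit
        auth_req["eap_initiate"] = auth_req["eap_initiate"][:-1] + b"\xff"
    reassoc_req = sta.handle_authentication_response(ap.handle_authentication_request(auth_req))
    if reassoc_req is None:
        return None, None
    key = sta.handle_reassociation_response(ap.handle_reassociation_request(reassoc_req))
    return key, ap.temp_key


if __name__ == "__main__":
    k_sta, k_ap = run_handoff(bytes(range(32)))  # constructed rRK
    print("handoff keys agree:", k_sta == k_ap)
```

Running `run_handoff` with an intact exchange leaves the terminal and the target AP holding the same data-communication key after only two round trips at the AP, which is the latency point the abstract makes; running it with `tamper=True` shows the other half of the claims, namely that a start packet failing the ERP server's integrity check yields no rMSK, so the AP never derives a key and the terminal never reassociates.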
CN200910091942A 2009-09-01 2009-09-01 Switching method, device and system Pending CN101695165A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910091942A CN101695165A (en) 2009-09-01 2009-09-01 Switching method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200910091942A CN101695165A (en) 2009-09-01 2009-09-01 Switching method, device and system

Publications (1)

Publication Number Publication Date
CN101695165A true CN101695165A (en) 2010-04-14

Family

ID=42094094

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910091942A Pending CN101695165A (en) 2009-09-01 2009-09-01 Switching method, device and system

Country Status (1)

Country Link
CN (1) CN101695165A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103797832A (en) * 2011-09-12 2014-05-14 高通股份有限公司 Wireless communication using concurrent re-authentication and connection setup
CN103999495A (en) * 2011-11-08 2014-08-20 高通股份有限公司 Enabling access to key lifetimes for wireless link setup
WO2015101040A1 (en) * 2013-12-31 2015-07-09 华为技术有限公司 Switching method and device in wireless local area network
CN105657746A (en) * 2016-01-05 2016-06-08 上海斐讯数据通信技术有限公司 Rapid roaming system and method of wireless terminal based on AP adjacent relations
CN106211150A (en) * 2015-04-29 2016-12-07 中国电信股份有限公司 The cut-in method of WLAN, AP and WLAN
CN106464689A (en) * 2014-06-03 2017-02-22 高通股份有限公司 Systems, methods, and apparatus for authentication during fast initial link setup
CN107425961A (en) * 2011-09-12 2017-12-01 高通股份有限公司 The system and method for performing link establishment and certification
CN108540493A (en) * 2018-04-28 2018-09-14 北京佰才邦技术有限公司 Authentication method, user equipment, network entity and business side server
CN108881103A (en) * 2017-05-08 2018-11-23 腾讯科技(深圳)有限公司 A kind of method and device accessing network
CN109906624A (en) * 2016-10-31 2019-06-18 瑞典爱立信有限公司 The method and relevant network node and wireless terminal of certification in support cordless communication network

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107425961A (en) * 2011-09-12 2017-12-01 高通股份有限公司 The system and method for performing link establishment and certification
CN103797832B (en) * 2011-09-12 2018-07-31 高通股份有限公司 The wireless communication established using concurrent re-authentication and connection
CN103797832A (en) * 2011-09-12 2014-05-14 高通股份有限公司 Wireless communication using concurrent re-authentication and connection setup
CN103999495A (en) * 2011-11-08 2014-08-20 高通股份有限公司 Enabling access to key lifetimes for wireless link setup
CN103999495B (en) * 2011-11-08 2017-10-27 高通股份有限公司 Enable the access to the cipher key lifetimes of wireless link
WO2015101040A1 (en) * 2013-12-31 2015-07-09 华为技术有限公司 Switching method and device in wireless local area network
CN106464689A (en) * 2014-06-03 2017-02-22 高通股份有限公司 Systems, methods, and apparatus for authentication during fast initial link setup
CN106211150A (en) * 2015-04-29 2016-12-07 中国电信股份有限公司 The cut-in method of WLAN, AP and WLAN
CN105657746A (en) * 2016-01-05 2016-06-08 上海斐讯数据通信技术有限公司 Rapid roaming system and method of wireless terminal based on AP adjacent relations
CN105657746B (en) * 2016-01-05 2019-09-13 上海斐讯数据通信技术有限公司 A kind of wireless terminal fast roaming system and method based on AP syntople
CN109906624A (en) * 2016-10-31 2019-06-18 瑞典爱立信有限公司 The method and relevant network node and wireless terminal of certification in support cordless communication network
US11818569B2 (en) 2016-10-31 2023-11-14 Telefonaktiebolaget Lm Ericsson (Publ) Methods supporting authentication in wireless communication networks and related network nodes and wireless terminals
CN108881103A (en) * 2017-05-08 2018-11-23 腾讯科技(深圳)有限公司 A kind of method and device accessing network
CN108881103B (en) * 2017-05-08 2020-10-13 腾讯科技(深圳)有限公司 Network access method and device
CN108540493A (en) * 2018-04-28 2018-09-14 北京佰才邦技术有限公司 Authentication method, user equipment, network entity and business side server
CN108540493B (en) * 2018-04-28 2021-05-04 深圳佰才邦技术有限公司 Authentication method, user equipment, network entity and service side server

Similar Documents

Publication Publication Date Title
CN101695165A (en) Switching method, device and system
KR101901448B1 (en) Method and apparatus for associating statinon (sta) with access point (ap)
EP1972125B1 (en) Apparatus and method for protection of management frames
US7546459B2 (en) GSM-like and UMTS-like authentication in a CDMA2000 network environment
US8094817B2 (en) Cryptographic key management in communication networks
JP5597676B2 (en) Key material exchange
CN100512182C (en) Fast switch method and system in wireless local area network
EP3175639B1 (en) Authentication during handover between two different wireless communications networks
CN101925059B (en) Method and system for generating keys in switching process
JP2010533390A (en) Method, system, and apparatus for negotiating security functions when a terminal moves
KR20110053495A (en) Generating keys for protection in next generation mobile networks
US20170230826A1 (en) Authentication in a radio access network
US20130196708A1 (en) Propagation of Leveled Key to Neighborhood Network Devices
CN109391942A (en) Trigger the method and relevant device of network authentication
WO2009088252A2 (en) Pre-authentication method for inter-rat handover
EP2648437B1 (en) Method, apparatus and system for key generation
JP6123035B1 (en) Protection of WLCP message exchange between TWAG and UE
CN101911742B (en) Pre-authentication method for inter-rat handover
CN101610507A (en) A kind of method that inserts the 3G-WLAN internet
Tang et al. Analysis of authentication and key establishment in inter-generational mobile telephony
US20120254615A1 (en) Using a dynamically-generated symmetric key to establish internet protocol security for communications between a mobile subscriber and a supporting wireless communications network
US20190149326A1 (en) Key obtaining method and apparatus
WO2022237561A1 (en) Communication method and apparatus
Haddar et al. Securing fast pmipv6 protocol in case of vertical handover in 5g network
Sun et al. Efficient authentication schemes for handover in mobile WiMAX

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20100414