CN101765110A - Dedicated encryption protection method between user and wireless access point - Google Patents


Info

Publication number
CN101765110A
Authority
CN
China
Prior art keywords
user
frame
encryption protection
dedicated encryption
access point
Legal status
Granted
Application number
CN200910259638A
Other languages
Chinese (zh)
Other versions
CN101765110B (en)
Inventor
邓宇
Current Assignee
SUZHOU HANMING TECHNOLOGY CO LTD
Original Assignee
SUZHOU HANMING TECHNOLOGY CO LTD
Priority date
2009-12-21
Filing date
2009-12-21
Publication date
2010-06-30
Application filed by SUZHOU HANMING TECHNOLOGY CO LTD
Priority to CN2009102596386A
Publication of CN101765110A
Application granted
Publication of CN101765110B
Current legal status: Expired - Fee Related
Anticipated expiration

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a dedicated encryption protection method between a user and a wireless access point. The method comprises the following steps: while the user and the wireless access point are in the unauthenticated and unassociated state, a handshake for the user identification specific to the dedicated encryption protection is added; that is, before the authentication that follows the unauthenticated and unassociated state, the user encrypts and sends the specific user identification code of the dedicated encryption protection, the wireless access point decrypts it and judges whether the identification code is correct, and if so enters the user authentication state, otherwise discards it. The method greatly improves on the situation in which the password of the traditional, widely used encryption modes is cracked and network resources are stolen as a result. With the method applied, even if the network password is cracked, the cracker cannot send an identity authentication packet containing the specific encryption protection identification, so the wireless access point cannot identify the specific user identification code of the dedicated encryption protection and the network still cannot be accessed, thus preventing network resources from being stolen.

Description

Dedicated encryption protection method between a user and a wireless access point
Technical field
The present invention relates to the link between a user (STA, Station) and a wireless access point (AP, Access Point) in a wireless local area network (WLAN), and in particular to a dedicated encryption protection method between a user (STA) and a wireless access point (AP) that prevents network resources from being stolen.
Background technology
A wireless local area network (WLAN) provides a wireless connection service for a local area network. The wireless access point (AP) is the wireless transceiver device in the WLAN: it converts data received from the wired network, such as the Internet, into wireless signals for transmission, and converts received wireless signals back into data that it forwards to the wired network.
As shown in Figure 1, a user (STA) can access the wireless network by connecting to a wireless access point (AP). In a WLAN without RADIUS server authentication, user authentication is mostly realized by cryptographic algorithms such as WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access) and WPA2; cryptographic algorithms, however, are continually cracked, and the cracking methods spread widely.
As wireless local area networks (WLANs) are used more and more widely, cryptographic algorithms such as WEP, WPA and WPA2 have been cracked one after another, so that the legitimate network resources of users are stolen and network quality declines; in places with a larger network footprint and a greater number of wireless access points this phenomenon is especially obvious. At present no especially effective method of protecting wireless network resources from theft has appeared.
Summary of the invention
The technical problem to be solved by the present invention is to provide a dedicated encryption protection method between a user (STA) and a wireless access point (AP) that can effectively prevent network resources from being stolen when the network password is cracked, thereby greatly improving network conditions and the interests of legitimate users.
The technical scheme of the present invention can be realized in the following manner:
A dedicated encryption protection method between a user and a wireless access point comprises the following steps:
Step S1: the user and the wireless access point both enable the dedicated encryption protection function;
Step S2: the user sends a probe frame containing the dedicated encryption protection flag;
Step S3: after the wireless access point with dedicated encryption protection enabled recognizes the probe frame sent by the user, it returns a probe response frame containing the dedicated encryption protection flag;
Step S4: the user sends an encrypted frame containing the user identification specific to the dedicated encryption protection;
Step S5: the wireless access point decrypts the user identification code in the frame containing the user identification specific to the dedicated encryption protection and judges whether the user identification is legitimate; if it is not, the packet is dropped; if it is, the access point returns to the user a response frame for the frame containing the user identification specific to the dedicated encryption protection, and proceeds to step S6;
Step S6: the user and the wireless access point enter the ordinary authentication phase.
A more detailed technical scheme of the present invention is as follows:
The probe frame containing the dedicated encryption protection flag, the probe response frame, the frame containing the user identification specific to the dedicated encryption protection, and the response frame to that user identification frame all use the frame format of IEEE 802.11 frames, and the Subtype field of their Frame Control field adopts the undefined values 0110, 0111, 1101 and 1110 as flags for distinguishing the different frame types.
Further, in the probe frame containing the dedicated encryption protection flag, the subtype in the Frame Control field is the undefined value 0110; in the probe response frame containing the dedicated encryption protection flag, the subtype in the Frame Control field is the undefined value 0111; in the frame containing the user identification specific to the dedicated encryption protection, the subtype in the Frame Control field is the undefined value 1101; and in the response frame to the frame containing the user identification specific to the dedicated encryption protection, the subtype in the Frame Control field is the undefined value 1110.
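The handshake of steps S2 to S5 and the four reserved Frame Control subtypes, modelled in Python as an added example; this is not code from the patent or from its assignee. The 24-byte management-frame header layout and the little-endian packing of the Frame Control field follow IEEE 802.11; everything else is an assumption made for the example: the class and function names, the per-station phase tracking, the `verify_identity` callback that stands in for the codebook decryption the patent describes later, the constructed MAC addresses and identity-code bytes, and the requirement that a probe precede the identity frame (the ordering of steps S2 to S5 implies it, but the patent does not state it as a check). The access point answers a probe with subtype 0111, answers an accepted identity frame with subtype 1110, and otherwise drops the frame without any response, which is the step S5 behaviour the patent describes.

```python
"""Dedicated-protection handshake frames (constructed example, not the patent's code)."""
import hmac
import struct
from enum import IntEnum
from typing import Callable, Dict, Optional

PROTO_VERSION = 0
MGMT_TYPE = 0      # IEEE 802.11 frame type 00 = management
HEADER_LEN = 24    # Frame Control(2) + Duration(2) + Addr1/2/3(18) + Sequence Control(2)


class DepSubtype(IntEnum):
    """Subtype values the patent assigns to its four handshake frames."""
    PROBE = 0b0110       # S2: probe frame carrying the dedicated-protection flag
    PROBE_RESP = 0b0111  # S3: AP's response to that probe
    IDENT = 0b1101       # S4: encrypted identity identification frame
    IDENT_RESP = 0b1110  # S5: AP's response to a legitimate identity frame


def build_frame_control(subtype: int, frame_type: int = MGMT_TYPE) -> bytes:
    """Pack the 16-bit Frame Control field: version b0-1, type b2-3, subtype b4-7; flags byte zero."""
    first = ((subtype & 0xF) << 4) | ((frame_type & 0x3) << 2) | PROTO_VERSION
    return struct.pack("<BB", first, 0)


def parse_frame_control(fc: bytes) -> tuple:
    """Return (type, subtype) decoded from the first Frame Control byte."""
    return (fc[0] >> 2) & 0x3, (fc[0] >> 4) & 0xF


def build_mgmt_frame(subtype: int, dst: bytes, src: bytes, bssid: bytes,
                     body: bytes = b"", seq: int = 0) -> bytes:
    """Management frame = 24-byte header followed by the body (FCS omitted in this model)."""
    for addr in (dst, src, bssid):
        if len(addr) != 6:
            raise ValueError("MAC addresses are 6 bytes")
    header = (build_frame_control(subtype) + struct.pack("<H", 0)
              + dst + src + bssid + struct.pack("<H", (seq & 0xFFF) << 4))
    return header + body


def parse_mgmt_frame(frame: bytes) -> tuple:
    """Split a frame into (type, subtype, dst, src, bssid, body)."""
    if len(frame) < HEADER_LEN:
        raise ValueError("truncated 802.11 header")
    ftype, subtype = parse_frame_control(frame[:2])
    return ftype, subtype, frame[4:10], frame[10:16], frame[16:22], frame[HEADER_LEN:]


class Phase(IntEnum):
    UNAUTH_UNASSOC = 0  # the patent's first phase: unauthenticated and unassociated
    PROBED = 1          # dedicated-protection probe answered, identity frame awaited
    IDENTITY_OK = 2     # identity accepted; ordinary 802.11 authentication may begin (S6)


def make_verifier(expected_code: bytes) -> Callable[[bytes], bool]:
    """Stand-in for the AP's codebook decryption: constant-time compare against the expected code."""
    return lambda body: hmac.compare_digest(body, expected_code)


class DedicatedProtectionAP:
    """AP-side state machine for steps S3 and S5 (assumed design, not taken from the patent)."""

    def __init__(self, bssid: bytes, verify_identity: Callable[[bytes], bool]):
        self.bssid = bssid
        self.verify_identity = verify_identity
        self.phase: Dict[bytes, Phase] = {}   # per-station handshake phase
        self.dropped = 0                      # identity frames discarded at S5

    def handle(self, frame: bytes) -> Optional[bytes]:
        """Return the response frame to transmit, or None when the frame is ignored or dropped."""
        ftype, subtype, _dst, src, bssid, body = parse_mgmt_frame(frame)
        if ftype != MGMT_TYPE or bssid != self.bssid:
            return None
        if subtype == DepSubtype.PROBE:
            self.phase[src] = Phase.PROBED
            return build_mgmt_frame(DepSubtype.PROBE_RESP, src, self.bssid, self.bssid)
        if subtype == DepSubtype.IDENT:
            if self.phase.get(src) == Phase.PROBED and self.verify_identity(body):
                self.phase[src] = Phase.IDENTITY_OK
                return build_mgmt_frame(DepSubtype.IDENT_RESP, src, self.bssid, self.bssid)
            self.phase.pop(src, None)  # illegitimate identification: drop silently, no response
            self.dropped += 1
            return None
        return None  # ordinary 802.11 subtypes are outside this handshake

    def may_authenticate(self, sta: bytes) -> bool:
        """S6 gate: only a station whose identity frame was accepted proceeds to authentication."""
        return self.phase.get(sta) == Phase.IDENTITY_OK


def run_handshake(ap: DedicatedProtectionAP, sta: bytes, identity_code: bytes) -> bool:
    """Station side of S2-S5; True when the AP answered the identity frame with subtype 1110."""
    resp = ap.handle(build_mgmt_frame(DepSubtype.PROBE, ap.bssid, sta, ap.bssid))
    if resp is None or parse_mgmt_frame(resp)[1] != DepSubtype.PROBE_RESP:
        return False
    resp = ap.handle(build_mgmt_frame(DepSubtype.IDENT, ap.bssid, sta, ap.bssid, identity_code, seq=1))
    return resp is not None and parse_mgmt_frame(resp)[1] == DepSubtype.IDENT_RESP


# Constructed sample values; the identity-code bytes are made up for the example.
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
SAMPLE_CODE = bytes.fromhex("00000063000000c6")
```

Running `run_handshake(DedicatedProtectionAP(AP_MAC, make_verifier(SAMPLE_CODE)), STA_MAC, SAMPLE_CODE)` walks a station through S2 to S5 and returns True; the same call with any other code returns False and leaves the station's phase cleared, so `may_authenticate` stays False and the ordinary authentication of step S6 never starts. The `dropped` counter is the kind of signal a defender would export from the access point, since the patent's scheme produces no response frame at all on a failed identity check.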
In the encrypted frame containing the user identification specific to the dedicated encryption protection sent by the user, the identity identification code is generated by encrypting the password set by the user, and the identity identification is placed in the Frame Body of an IEEE 802.11 management frame.
The encryption algorithm of the identity identification code in the frame containing the user identification specific to the dedicated encryption protection sent by the user is as follows:
(1) the password set by the user is converted into ASCII values; suppose the password set by the user has N positions in total, and the ASCII value obtained from the password character at position n is A_n, n = 1, 2, ..., N;
(2) A_n is transformed numerically: s_n = A_n × 2^n + n;
(3) the value s_n calculated in the previous step is looked up in the random codebook to obtain its corresponding value S_n;
(4) S_1 S_2 S_3 ... S_N is used as the encrypted user identification code.
After receiving the encrypted frame containing the user identification specific to the dedicated encryption protection, the wireless access point decrypts it; the decryption process uses the same algorithm as the encryption algorithm of the identity identification code and the same random codebook, and so derives the user identification code sequence.
The random codebook can be replaced periodically, or changed as the case may be.
The advantages of the present invention are: the method adds a user identity identification handshake specific to the dedicated encryption protection, which can serve as a supplement to the current ordinary authentication; it greatly improves on the situation in which the passwords of the widely deployed conventional encryption modes such as WEP and WPA are cracked and network resources are stolen as a result, and it is especially suitable for environments with high wireless network security requirements. At a wireless access point applying this invention, even if the network password is cracked, the cracker cannot send the authentication packet containing the dedicated encryption protection flag, so the wireless access point cannot identify the user identification code specific to the dedicated encryption protection and the network still cannot be accessed, thus preventing the theft of network resources. In addition, the method of the present invention can be applied in environments with an authentication server as well as in environments without one.
Description of drawings
The present invention is further described below in conjunction with the drawings and embodiments:
Fig. 1 is the basic network topology diagram of a wireless local area network access point and its users;
Fig. 2 is the flow chart of an embodiment of the invention;
Fig. 3 is the frame structure used by an embodiment of the invention.
Embodiment
Embodiment: as mentioned in "802.11 Wireless Networks: The Definitive Guide", in the development of IEEE 802.11 networks there are three phases between a user and a wireless access point: the first phase, unauthenticated and unassociated; the second phase, authenticated but not yet associated; the third phase, authenticated and associated. The dedicated encryption protection method between the user and the wireless access point of this embodiment adds the user identity identification handshake specific to the dedicated encryption protection while the user and the wireless access point are in the first phase, i.e. unauthenticated and unassociated, that is, before the authentication of the first phase: the user sends an encrypted frame containing the user identification code specific to the dedicated encryption protection; the wireless access point decrypts it and judges whether the identification code is legitimate; if it is legitimate, the user authentication state is entered, otherwise the frame is discarded.
Before the method is used, the network administrator first enables the network protection option on the user and the wireless access point, deciding to use this dedicated encryption protection. The user and the wireless access point are both equipped in advance with a program capable of performing dedicated encryption protection; the dedicated encryption protection part is added on the basis of the existing program, so that adopting or not adopting this dedicated encryption protection can be selected, and the communication rules set in the client program refer to the IEEE 802.11 standard. The user can send to the wireless access point a probe frame containing the dedicated encryption protection flag and an encrypted frame containing the identity identification content specific to the dedicated encryption protection, so that the wireless access point can respond to the frames sent by the user and return the corresponding response frames. Equally, the dedicated encryption protection may be left unused; in that case the procedure is completely identical to the ordinary WLAN access method. The only difference between the two is that the dedicated encryption protection of the present invention adds a protective handshake, after which the ordinary access procedure is still entered, still with reference to the IEEE 802.11 standard, and all of these options are realized by modifying the corresponding programs. A person skilled in the art can easily improve the programs according to the present invention.
The dedicated encryption protection communication between the user and the wireless access point adopts the frame structure of the IEEE 802.11 standard, as shown in Figure 3. Ordinary frames and the dedicated encryption protection frames of this embodiment can be distinguished by the content of the Subtype field within the Frame Control field; the rest of the frame is basically identical. In normal frames, the values 0110, 0111, 1101 and 1110 of the Subtype field of the Frame Control field of IEEE 802.11 frames are not defined; the frames used in the dedicated encryption protection method between the user and the wireless access point of this embodiment adopt precisely these four undefined subtypes to distinguish the different frame types, namely the probe frame containing the dedicated encryption protection flag, the probe response frame, the frame containing the user identification specific to the dedicated encryption protection, and the response frame to the user identification frame. Specifically:
First, the user sends to the wireless access point a probe frame containing the dedicated encryption protection flag, whose Subtype in the Frame Control field of the IEEE 802.11 frame is the undefined value 0110. The principle of this probe frame is identical to that of the existing IEEE 802.11 probe frame; only the subtype definition differs, which serves to distinguish it from the ordinary probe frame, as shown in Figure 3.
Next, the wireless access point, with dedicated encryption protection enabled, recognizes the probe frame containing the dedicated encryption protection flag and returns a probe response frame containing the dedicated encryption protection flag, whose Subtype in the Frame Control field is the undefined value 0111.
Then, after the user receives the probe response frame returned by the wireless access point, it sends the encrypted frame containing the identity identification content specific to the dedicated encryption protection, whose Subtype in the Frame Control field is the undefined value 1101. The user's identity identification code is generated by encrypting the password set by the user, and the identity identification is placed in the Frame Body of the IEEE 802.11 management frame.
The encryption algorithm of the identity identification code is as follows:
(1) the password set by the user is converted into ASCII values; suppose the password set by the user has N positions in total, and the ASCII value obtained from the password character at position n is A_n, n = 1, 2, ..., N;
(2) A_n is transformed numerically as follows: s_n = A_n × 2^n + n;
(3) the value s_n calculated in the previous step is looked up in the random codebook to obtain its corresponding value S_n;
(4) S_1 S_2 S_3 ... S_N is used as the encrypted user identification code.
For example: the user password is 111222; the ASCII code of 1 is 49 and the ASCII code of 2 is 50. The calculation gives s_1 = 99, s_2 = 198, s_3 = 395, s_4 = 804, s_5 = 1605, s_6 = 3206. The values S_1, S_2, S_3, S_4, S_5, S_6 corresponding to 99, 198, 395, 804, 1605, 3206 are then looked up in the random codebook and arranged in order as the encrypted identity identification code.
The random codebook used can be changed periodically, or changed according to different circumstances, so as to strengthen the secrecy effect.
Subsequently, after the wireless access point receives the frame containing the identity identification specific to the dedicated encryption protection, it decrypts the encrypted identity identification content in that frame and checks whether it is a legitimate user identification. If it is a legitimate user identification, the wireless access point returns the response frame to the user identification frame, an IEEE 802.11 frame distinguished by the undefined Subtype value 1110 in its Frame Control field, and the normal authentication phase is entered; the subsequent process is identical to the IEEE 802.11 standard. If it is an illegitimate user identification, the frame is discarded, stopping it from continuing into the subsequent normal flow.
The process by which the wireless access point decrypts the encrypted frame containing the user identification specific to the dedicated encryption protection is: use the same algorithm as the encryption algorithm of the identity identification code and the same random codebook, and thereby derive the user password sequence.
For example: according to the random codebook, the values corresponding to S_1, S_2, S_3, ..., S_6 are found to be 99, 198, 395, 804, 1605, 3206 respectively; according to the algorithm s_n = A_n × 2^n + n this gives A_1 = A_2 = A_3 = 1 and A_4 = A_5 = A_6 = 2 (the characters 1 and 2, whose ASCII codes are 49 and 50), so the original user identification code after decryption is 111222.
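The identity-code algorithm of steps (1) to (4) and the access point's inverse computation, implemented in Python as an added example that serves both the summary's description of the algorithm and the embodiment's worked password 111222; it is not code from the patent or from its assignee. The transform s_n = A_n × 2^n + n and the example password are the patent's; the codebook construction (`make_codebook`, a seeded random bijection over every reachable s_n value), the big-endian 32-bit serialization of the code into the frame body, and all function names are assumptions made for the example, because the patent does not specify how the random codebook is generated, distributed or encoded. `ap_accepts` is the step S5 decision: a body that fails to decode, or decodes to a different password, is treated as an illegitimate identification and dropped.

```python
"""Identity-code transform of the patent's worked example (constructed example, not the patent's code)."""
import hmac
import random
import struct
from typing import Dict, List

ASCII_RANGE = 128


def position_values(password: str) -> List[int]:
    """Steps (1) and (2): A_n is the ASCII code of character n (1-based); s_n = A_n * 2**n + n."""
    if not password.isascii():
        raise ValueError("the transform is defined over ASCII passwords")
    return [ord(ch) * 2 ** n + n for n, ch in enumerate(password, start=1)]


def make_codebook(max_len: int, seed: int) -> Dict[int, int]:
    """Constructed stand-in for the patent's random codebook: a random bijection over every s_n
    value reachable for passwords of up to max_len characters. The patent does not say how the
    codebook is generated or shared; a seeded PRNG is used only to make the example reproducible,
    and a different seed models replacing the codebook."""
    domain = sorted({a * 2 ** n + n for n in range(1, max_len + 1) for a in range(ASCII_RANGE)})
    shuffled = domain[:]
    random.Random(seed).shuffle(shuffled)
    return dict(zip(domain, shuffled))


def encrypt_identity(password: str, codebook: Dict[int, int]) -> List[int]:
    """Steps (3) and (4): look up each s_n in the codebook; S_1 ... S_N is the identity code."""
    return [codebook[s] for s in position_values(password)]


def decrypt_identity(code: List[int], codebook: Dict[int, int]) -> str:
    """AP side: invert the codebook lookup, then solve s_n = A_n * 2**n + n for A_n at position n."""
    inverse = {S: s for s, S in codebook.items()}
    chars = []
    for n, S in enumerate(code, start=1):
        s = inverse.get(S)
        if s is None:
            raise ValueError("value not present in codebook")
        a, remainder = divmod(s - n, 2 ** n)
        if remainder or not 0 <= a < ASCII_RANGE:
            raise ValueError("value does not decode to an ASCII code at this position")
        chars.append(chr(a))
    return "".join(chars)


def encode_code(code: List[int]) -> bytes:
    """Assumed wire form: S_1 ... S_N as big-endian 32-bit integers in the management-frame body."""
    return struct.pack(f">{len(code)}I", *code)


def decode_code(body: bytes) -> List[int]:
    """Inverse of encode_code; rejects bodies that are not whole 32-bit words."""
    if len(body) % 4:
        raise ValueError("body length is not a multiple of 4")
    return list(struct.unpack(f">{len(body) // 4}I", body))


def ap_accepts(body: bytes, codebook: Dict[int, int], expected_password: str) -> bool:
    """Step S5 decision: decrypt the frame body and compare it with the user's password in
    constant time; any malformed body counts as an illegitimate identification and is dropped."""
    try:
        recovered = decrypt_identity(decode_code(body), codebook)
    except ValueError:
        return False
    return hmac.compare_digest(recovered.encode("ascii"), expected_password.encode("ascii"))
```

With `cb = make_codebook(8, seed=2009)`, `position_values("111222")` reproduces the patent's 99, 198, 395, 804, 1605, 3206, `encrypt_identity("111222", cb)` yields the six codebook entries S_1 ... S_6, and `decrypt_identity` recovers 111222 from them. Because the mapping from password to identity code is fixed for a given codebook, the code a station sends only changes when the codebook does, which is the role the patent gives to its periodic codebook replacement.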
The present invention, by designing the handshake behaviour of the probe packet and the dedicated encryption protection identity identification packet, prevents network resources from being stolen when the password of the ordinary authentication is cracked.
The above is only a preferred embodiment of the present invention and cannot be used to limit the scope of its implementation; all simple transformations made according to the claims and description of the present invention shall still fall within the scope of protection covered by the present invention.

Claims (7)

1. A dedicated encryption protection method between a user and a wireless access point, characterized in that it comprises the following steps:
Step S1: the user and the wireless access point both enable the dedicated encryption protection function;
Step S2: the user sends a probe frame containing the dedicated encryption protection flag;
Step S3: after the wireless access point with dedicated encryption protection enabled recognizes the probe frame sent by the user, it returns a probe response frame containing the dedicated encryption protection flag;
Step S4: the user sends an encrypted frame containing the user identification specific to the dedicated encryption protection;
Step S5: the wireless access point decrypts the user identification code in the frame containing the user identification specific to the dedicated encryption protection and judges whether the user identification is legitimate; if it is not, the packet is dropped; if it is, the access point returns to the user a response frame for the frame containing the user identification specific to the dedicated encryption protection, and proceeds to step S6;
Step S6: the user and the wireless access point enter the ordinary authentication phase.
2. The dedicated encryption protection method between a user and a wireless access point according to claim 1, characterized in that: the probe frame containing the dedicated encryption protection flag, the probe response frame containing the dedicated encryption protection flag, the frame containing the user identification specific to the dedicated encryption protection, and the response frame to the frame containing the user identification specific to the dedicated encryption protection use the frame format of IEEE 802.11 frames, and the subtype of their Frame Control field adopts the undefined values 0110, 0111, 1101, 1110 as flags for distinguishing the different frame types.
3. The dedicated encryption protection method between a user and a wireless access point according to claim 2, characterized in that:
in the probe frame containing the dedicated encryption protection flag, the subtype in the Frame Control field is the undefined value 0110;
in the probe response frame containing the dedicated encryption protection flag, the subtype in the Frame Control field is the undefined value 0111;
in the frame containing the user identification specific to the dedicated encryption protection, the subtype in the Frame Control field is the undefined value 1101;
in the response frame to the frame containing the user identification specific to the dedicated encryption protection, the subtype in the Frame Control field is the undefined value 1110.
4. The dedicated encryption protection method between a user and a wireless access point according to claim 1, characterized in that: in the encrypted frame containing the user identification specific to the dedicated encryption protection sent by the user, the identity identification code is generated by encrypting the password set by the user, and the identity identification is placed in the Frame Body of an IEEE 802.11 management frame.
5. The dedicated encryption protection method between a user and a wireless access point according to claim 4, characterized in that: in the frame containing the user identification specific to the dedicated encryption protection sent by the user, the encryption algorithm of the identity identification code is as follows:
(1) the password set by the user is converted into ASCII values; suppose the password set by the user has N positions in total, and the ASCII value obtained from the password character at position n is A_n, n = 1, 2, ..., N;
(2) A_n is transformed numerically: s_n = A_n × 2^n + n;
(3) the value s_n calculated in the previous step is looked up in the random codebook to obtain its corresponding value S_n;
(4) S_1 S_2 S_3 ... S_N is used as the encrypted user identification code.
6. The dedicated encryption protection method between a user and a wireless access point according to claim 5, characterized in that: after receiving the encrypted frame containing the user identification specific to the dedicated encryption protection, the wireless access point decrypts it; the decryption process uses the same algorithm as the encryption algorithm of the identity identification code and the same random codebook, and so derives the user identification code sequence.
7. The dedicated encryption protection method between a user and a wireless access point according to claim 5 or 6, characterized in that: the random codebook can be replaced periodically, or changed as the case may be.
CN2009102596386A 2009-12-21 2009-12-21 Dedicated encryption protection method between user and wireless access point Expired - Fee Related CN101765110B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009102596386A CN101765110B (en) 2009-12-21 2009-12-21 Dedicated encryption protection method between user and wireless access point

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009102596386A CN101765110B (en) 2009-12-21 2009-12-21 Dedicated encryption protection method between user and wireless access point

Publications (2)

Publication Number Publication Date
CN101765110A true CN101765110A (en) 2010-06-30
CN101765110B CN101765110B (en) 2012-11-21

Family

ID=42496067

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009102596386A Expired - Fee Related CN101765110B (en) 2009-12-21 2009-12-21 Dedicated encryption protection method between user and wireless access point

Country Status (1)

Country Link
CN (1) CN101765110B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105007163A (en) * 2015-07-15 2015-10-28 普联技术有限公司 Pre-shared key (PSK) transmitting and acquiring methods and transmitting and acquiring devices
CN106572469A (en) * 2015-10-13 2017-04-19 中国电信股份有限公司 WiFi terminal network access method and system
CN105025472B (en) * 2014-04-25 2018-09-18 Tcl集团股份有限公司 A kind of WIFI access points enciphering hiding and the method and its system of discovery
CN109286637A (en) * 2018-11-19 2019-01-29 南京邮电大学 A kind of defence method of D-Link Dir series router configuration interface loophole

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100456726C (en) * 2007-03-15 2009-01-28 北京安拓思科技有限责任公司 Network system and method for realizing the Internet access authentication based on WAPI
CN101335621B (en) * 2007-06-26 2011-03-16 中国科学院声学研究所 802.11i key management method

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105025472B (en) * 2014-04-25 2018-09-18 Tcl集团股份有限公司 A kind of WIFI access points enciphering hiding and the method and its system of discovery
CN105007163A (en) * 2015-07-15 2015-10-28 普联技术有限公司 Pre-shared key (PSK) transmitting and acquiring methods and transmitting and acquiring devices
CN105007163B (en) * 2015-07-15 2018-07-31 普联技术有限公司 Transmission, acquisition methods and the transmission of wildcard, acquisition device
CN106572469A (en) * 2015-10-13 2017-04-19 中国电信股份有限公司 WiFi terminal network access method and system
CN109286637A (en) * 2018-11-19 2019-01-29 南京邮电大学 A kind of defence method of D-Link Dir series router configuration interface loophole
CN109286637B (en) * 2018-11-19 2021-05-14 南京邮电大学 Defense method for D-LinkDir series router configuration interface loophole

Also Published As

Publication number Publication date
CN101765110B (en) 2012-11-21

Similar Documents

Publication Publication Date Title
EP1891791B1 (en) Protection for wireless devices against false access-point attacks
AU2008213766B2 (en) Method and system for registering and verifying the identity of wireless networks and devices
US7734280B2 (en) Method and apparatus for authentication of mobile devices
KR101047641B1 (en) Enhance security and privacy for security devices
CN105828332B (en) improved method of wireless local area network authentication mechanism
EP2208330B1 (en) Method and apparatuses for determining whether femtocell is authorized to provide wireless connectivity to a mobile unit
Frankel et al. Establishing wireless robust security networks: a guide to IEEE 802.11 i
CN101600203B (en) Control method for security service and terminal of wireless local area network
US20090191845A1 (en) Network enforced access control for femtocells
CN107005927A (en) Cut-in method, equipment and the system of user equipment (UE)
CN101848463A (en) Method for protecting access of legal user based on wireless access point
CN100579012C (en) Method for terminal user safety access soft handoff network
CN101765110B (en) Dedicated encryption protection method between user and wireless access point
CN101877852A (en) User access control method and system
CN109743716A (en) A kind of Wireless LAN Verification System and method based on NFC
CN106411939A (en) Enterprise information intranet WI-FI access security reinforcing authentication method
CN101247443B (en) Method for operating a voip terminal device and a voip terminal device
KR100527632B1 (en) System and method for user authentication of ad-hoc gateway in ad-hoc network
CN101815288A (en) Method for accessing encryption protection between user and wireless access point by using E-CARD
Li et al. Wireless network security detection system design based on client
CN102612027B (en) Safety transmission method of data in wireless communication system
WO2005091159A1 (en) Authentication system being capable of controlling authority based of user and authenticator.
KR101532117B1 (en) System and method for supporting emergency call after the access fail
PETRICĂ A Study on Password Strength in Wireless Encryption Protocols
Frankel et al. SP 800-97. establishing wireless robust security networks: A guide to IEEE 802.11 i

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121121

Termination date: 20141221

EXPY Termination of patent right or utility model