CN101765110A - Dedicated encryption protection method between user and wireless access point - Google Patents
- Publication number: CN101765110A (application CN200910259638A)
- Authority: CN (China)
- Legal status: Granted (status as listed by Google Patents; it is an assumption, not a legal conclusion)
- Classification: Mobile Radio Communication Systems; Small-Scale Networks
Abstract
The invention discloses a dedicated encryption protection method between a user station and a wireless access point. While the user and the access point are still in the unauthenticated and unassociated state, that is, before ordinary authentication begins, a handshake carrying the user identification specific to the dedicated encryption protection is inserted: the user encrypts and sends the specific user identification code, the access point decrypts it and judges whether the code is correct, and if so the exchange proceeds to the user authentication state, otherwise the frame is discarded. The method greatly improves on the situation, common with the encryption modes in wide use today, in which the password is cracked and network resources are stolen. After the method is applied, even if the network password is cracked, the attacker cannot send an identification packet carrying the specific encryption protection identifier, so the access point does not recognise the user identification code required by the dedicated encryption protection and the attacker still cannot access the network; the theft of network resources is thus prevented.
Description
Technical field
The present invention relates to the link between a user station (STA) and a wireless access point (AP) in a wireless local area network (WLAN), and in particular to a dedicated encryption protection method between a user (STA) and a wireless access point (AP) that prevents network resources from being stolen.
Background art
A wireless local area network (WLAN) provides wireless connection service for a local area network. The wireless access point (AP) is the wireless transceiver of the WLAN: it converts data received from the wired network, for example from the Internet, into a wireless signal for transmission, and converts received wireless signals back into data that it forwards to the wired network.
As shown in Figure 1, a user (STA) accesses the network by connecting to a wireless access point (AP). In a WLAN without RADIUS server authentication, user authentication mostly relies on cryptographic schemes such as WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access) and WPA2. Such schemes are, however, repeatedly cracked, and the cracking methods circulate widely.
As WLANs are used ever more widely, WEP, WPA and WPA2 have been cracked one after another, so that the network resources of legitimate users are stolen and network quality declines; the effect is especially pronounced where the network covers a larger area with many access points. At present there is still no particularly effective method for protecting wireless network resources from theft.
Summary of the invention
The technical problem to be solved by the present invention is to provide a dedicated encryption protection method between a user (STA) and a wireless access point (AP) that effectively prevents network resources from being stolen when the network password is cracked, thereby greatly improving network conditions and protecting the interests of legitimate users.
The technical scheme of the present invention can be realised as follows.
A dedicated encryption protection method between a user and a wireless access point comprises the following steps:
Step S1: the user and the wireless access point both enable the dedicated encryption protection function;
Step S2: the user sends a probe frame carrying the dedicated encryption protection identifier;
Step S3: after the access point, with dedicated encryption protection enabled, recognises the probe frame sent by the user, it returns a probe response frame carrying the dedicated encryption protection identifier;
Step S4: the user sends an encrypted frame carrying the user identification specific to the dedicated encryption protection;
Step S5: the access point decrypts the user identification code in that frame and judges whether the user identification is legal; if it is illegal, the packet is discarded; if it is legal, the access point returns to the user a response frame to the identification frame and proceeds to step S6;
Step S6: the user and the access point enter the ordinary authentication phase.
In more detail, the technical scheme of the present invention is as follows.
The probe frame carrying the dedicated encryption protection identifier, its probe response frame, the frame carrying the user identification specific to the dedicated encryption protection, and the response frame to that identification frame all use the IEEE 802.11 frame format; the Subtype of their Frame Control field takes the undefined values 0110, 0111, 1101 and 1110 as identifiers distinguishing the different frame types.
Further, the probe frame carrying the dedicated encryption protection identifier uses the undefined subtype 0110 in its Frame Control field; the probe response frame carrying the identifier uses the undefined subtype 0111; the frame carrying the user identification specific to the dedicated encryption protection uses the undefined subtype 1101; and the response frame to that identification frame uses the undefined subtype 1110.
In the encrypted frame carrying the user identification specific to the dedicated encryption protection sent by the user, the identification code is generated by encrypting a password the user has set independently, and the identification is placed in the Frame Body of an IEEE 802.11 management frame.
The encryption algorithm for the identification code in the frame carrying the user identification specific to the dedicated encryption protection sent by the user is as follows:
(1) Convert the password set by the user into ASCII values. Suppose the password has N characters and the ASCII value of the character at position n is A_n, n = 1, 2, ..., N;
(2) Apply the numerical transformation s_n = A_n × 2^n + n to each A_n;
(3) Look up in the random codebook the value S_n corresponding to each s_n computed in the previous step;
(4) Use S_1 S_2 S_3 ... S_N as the encrypted user identification code.
After receiving the encrypted frame carrying the user identification specific to the dedicated encryption protection, the access point decrypts it. Decryption uses the same algorithm as the encryption of the identification code together with the same random codebook, and thereby recovers the user identification code sequence.
The random codebook can be replaced periodically, or changed as circumstances require.
The advantage of the present invention is that the method adds a user identification handshake specific to the dedicated encryption protection, which can serve as a supplement to the common authentication in use today. It greatly improves the situation in which the passwords of widespread conventional encryption modes such as WEP and WPA are cracked and network resources are stolen, and it is especially suited to environments with high wireless security requirements. On an access point that applies this invention, even if the network password is cracked, the attacker cannot send the authentication packet carrying the dedicated encryption protection identifier, so the access point does not recognise the user identification code specific to the dedicated encryption protection and the attacker still cannot access the network; the theft of network resources is thus prevented. In addition, the method can be applied both in environments with an authentication server and in environments without one.
Description of drawings
The present invention is further described below with reference to the drawings and embodiments:
Fig. 1 is the basic network topology of a WLAN access point and users;
Fig. 2 is the flow chart of an embodiment of the invention;
Fig. 3 is the frame structure used by an embodiment of the invention.
Embodiment
Embodiment: as noted in "802.11 Wireless Networks: The Definitive Guide", in the development of IEEE 802.11 networking there are three states between a user and an access point: state 1, unauthenticated and unassociated; state 2, authenticated but not yet associated; state 3, authenticated and associated. The dedicated encryption protection method of this embodiment adds the user identification handshake specific to the dedicated encryption protection while the user and the access point are in state 1, i.e. unauthenticated and unassociated, before the authentication of state 1 begins: the user sends an encrypted user identification code specific to the dedicated encryption protection, the access point decrypts it and judges whether the code is legal; if legal, the user enters the authentication state, otherwise the frame is discarded.
Before using the method, the network administrator first enables the network protection option on both the user and the access point, confirming that this dedicated encryption protection is to be used. Both the user and the access point are pre-installed with a program capable of performing dedicated encryption protection: the dedicated encryption protection part is added on top of the existing program, and whether or not to adopt it is selectable; the communication rules set in the client program follow the IEEE 802.11 standard. The user can send to the access point a probe frame carrying the dedicated encryption protection identifier and an encrypted frame carrying the identification content specific to the dedicated encryption protection, so that the access point responds to the frames the user sends and returns the corresponding response frames. Equally, the dedicated encryption protection may be left unused, in which case the procedure is completely identical to ordinary WLAN access. The only difference is that the dedicated encryption protection of the present invention adds a protective handshake; after this handshake the ordinary access procedure is entered, again following the IEEE 802.11 standard. All these options are realised by modifying the corresponding programs, which a person skilled in the art can readily do according to the present invention.
Dedicated encryption protection communication between the user and the access point adopts the frame structure of the IEEE 802.11 standard, as shown in Figure 3. Ordinary frames and the dedicated encryption protection frames of this embodiment are distinguished by the Subtype content of the Frame Control field; the remainder of the frame is essentially identical. In ordinary frames, the Frame Control subtypes 0110, 0111, 1101 and 1110 are not defined in IEEE 802.11; the dedicated encryption protection method of this embodiment uses exactly these four undefined subtypes to distinguish its frame types, namely the probe frame carrying the dedicated encryption protection identifier, its probe response frame, the frame carrying the user identification specific to the dedicated encryption protection, and the response frame to the identification frame. Specifically:
First, the user sends to the access point a probe frame carrying the dedicated encryption protection identifier, with the undefined subtype 0110 in the Frame Control field of the IEEE 802.11 frame. This probe frame works on the same principle as existing IEEE 802.11 frames; only the subtype definition differs, which distinguishes it from an ordinary probe frame, as shown in Figure 3.
Next, the access point, with dedicated encryption protection enabled, recognises the probe frame carrying the dedicated encryption protection identifier and returns a probe response frame carrying the identifier, whose Frame Control Subtype is the undefined value 0111.
Then, after receiving the probe response frame returned by the access point, the user sends the encrypted frame carrying the identification content specific to the dedicated encryption protection, whose Frame Control Subtype is the undefined value 1101. The user identification code is generated by encrypting the password the user has set independently, and the identification is placed in the Frame Body of the IEEE 802.11 management frame.
The encryption algorithm for the identification code is as follows:
(1) Convert the password set by the user into ASCII values. Suppose the password has N characters and the ASCII value of the character at position n is A_n, n = 1, 2, ..., N;
(2) Apply the numerical transformation s_n = A_n × 2^n + n to each A_n;
(3) Look up in the random codebook the value S_n corresponding to each s_n computed in the previous step;
(4) Use S_1 S_2 S_3 ... S_N as the encrypted user identification code.
For example, let the user password be 111222. The ASCII code of '1' is 49 and that of '2' is 50, so s_1 = 49 × 2^1 + 1 = 99, s_2 = 49 × 2^2 + 2 = 198, s_3 = 49 × 2^3 + 3 = 395, s_4 = 50 × 2^4 + 4 = 804, s_5 = 50 × 2^5 + 5 = 1605 and s_6 = 50 × 2^6 + 6 = 3206. The values S_1, S_2, S_3, S_4, S_5, S_6 corresponding to 99, 198, 395, 804, 1605, 3206 are then looked up in the random codebook and concatenated in order as the encrypted identification code.
The random codebook used can be replaced periodically or changed according to circumstances, which strengthens secrecy.
Subsequently, after receiving the frame carrying the identification specific to the dedicated encryption protection, the access point decrypts the encrypted identification content in that frame and checks whether it is a legal user identification. If it is, the access point returns the response frame to the identification frame, an IEEE 802.11 frame distinguished by the undefined Subtype value 1110 in its Frame Control field, and the normal authentication phase is entered; the subsequent procedure is identical to the IEEE 802.11 standard. If it is an illegal user identification, the frame is discarded and the user is prevented from continuing with the subsequent normal flow.
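The four-frame exchange of steps S2 to S5 as a runnable Python model, added here as an editor's example and not code from the patent. It packs the IEEE 802.11 Frame Control field with Type 00 (management) and the four Subtype values the patent assigns, wraps the identity code in a minimal 24-byte management header, and runs an access point state machine that answers the protected probe, admits a station whose identity frame verifies, and silently drops one that does not. The MAC addresses, the `is_legal_identity` callback standing in for the access point's decrypt-and-check step, and the sample identity bytes are constructed for the example; the patent does not say how the access point decides legality beyond decrypting and comparing. One caveat the patent does not mention: IEEE 802.11-2007 already assigns management Subtype 1101 to Action frames and 802.11n assigns 1110 to Action No Ack, so an implementation using the patent's values would collide with standard frames on current hardware.

```python
import struct

# IEEE 802.11 Frame Control field (2 bytes). Byte 0 carries, from the low bit
# up, Protocol Version (2 bits), Type (2 bits) and Subtype (4 bits); byte 1 is
# the flags byte. Type 00 is a management frame.
TYPE_MGMT = 0b00

# Subtype values the patent assigns to its four handshake frames (S2..S5).
# The patent calls them undefined; 802.11-2007 uses 1101 for Action frames and
# 802.11n uses 1110 for Action No Ack, so real networks would see collisions.
ST_PROTECTED_PROBE = 0b0110       # S2: probe frame with protection identifier
ST_PROTECTED_PROBE_RESP = 0b0111  # S3: AP's probe response
ST_IDENTITY = 0b1101              # S4: encrypted user identification frame
ST_IDENTITY_RESP = 0b1110         # S5: AP accepts, STA may proceed to S6

BROADCAST = b"\xff" * 6
HDR_LEN = 24  # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)


def frame_control(ftype: int, subtype: int, flags: int = 0) -> bytes:
    """Pack Frame Control; protocol version is always 0."""
    return struct.pack("<BB", (subtype << 4) | (ftype << 2), flags)


def build_mgmt_frame(subtype: int, dst: bytes, src: bytes, bssid: bytes,
                     body: bytes = b"", seq: int = 0) -> bytes:
    """Minimal management frame: header fields followed by the Frame Body."""
    return (frame_control(TYPE_MGMT, subtype)
            + struct.pack("<H", 0)          # Duration/ID
            + dst + src + bssid
            + struct.pack("<H", seq << 4)   # Sequence Control (fragment 0)
            + body)


def parse_mgmt_frame(frame: bytes):
    """Return (type, subtype, dst, src, bssid, body); reject truncated headers."""
    if len(frame) < HDR_LEN:
        raise ValueError("truncated 802.11 management header")
    b0 = frame[0]
    ftype, subtype = (b0 >> 2) & 0b11, (b0 >> 4) & 0b1111
    return ftype, subtype, frame[4:10], frame[10:16], frame[16:22], frame[HDR_LEN:]


class ProtectedAP:
    """Access point side of the handshake. `is_legal_identity` stands in for the
    decrypt-and-compare step of S5 (assumption: the patent only says the AP
    decrypts the code and checks whether it is legal)."""

    def __init__(self, bssid: bytes, is_legal_identity, enabled: bool = True):
        self.bssid = bssid
        self.is_legal_identity = is_legal_identity
        self.enabled = enabled          # S1: protection switched on at the AP
        self.admitted = set()           # stations cleared for ordinary 802.11 auth (S6)

    def handle(self, frame: bytes):
        """Answer a protected-handshake frame, or return None to drop it."""
        ftype, subtype, _dst, src, _bssid, body = parse_mgmt_frame(frame)
        if not self.enabled or ftype != TYPE_MGMT:
            return None
        if subtype == ST_PROTECTED_PROBE:                      # S3
            return build_mgmt_frame(ST_PROTECTED_PROBE_RESP, src, self.bssid, self.bssid)
        if subtype == ST_IDENTITY:                             # S5
            if not self.is_legal_identity(body):
                return None                                    # illegal: discard
            self.admitted.add(src)
            return build_mgmt_frame(ST_IDENTITY_RESP, src, self.bssid, self.bssid)
        return None  # ordinary subtypes are left to the normal 802.11 stack


def sta_handshake(ap: ProtectedAP, sta_mac: bytes, identity_code: bytes) -> bool:
    """Station side, S2 to S5. True means the AP cleared this station for S6."""
    probe = build_mgmt_frame(ST_PROTECTED_PROBE, BROADCAST, sta_mac, BROADCAST)
    resp = ap.handle(probe)
    if resp is None or parse_mgmt_frame(resp)[1] != ST_PROTECTED_PROBE_RESP:
        return False
    ident = build_mgmt_frame(ST_IDENTITY, ap.bssid, sta_mac, ap.bssid, body=identity_code)
    resp = ap.handle(ident)
    return resp is not None and parse_mgmt_frame(resp)[1] == ST_IDENTITY_RESP


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    ap_mac = bytes.fromhex("020000000001")
    good_sta, bad_sta = bytes.fromhex("020000000002"), bytes.fromhex("020000000003")
    registered = {b"\x01\x02\x03"}   # identity codes the AP knows (constructed)
    ap = ProtectedAP(ap_mac, lambda body: body in registered)
    print("legal station admitted:", sta_handshake(ap, good_sta, b"\x01\x02\x03"))
    print("unknown identity admitted:", sta_handshake(ap, bad_sta, b"\xff\xff\xff"))
    print("identity frame FC bytes:", frame_control(TYPE_MGMT, ST_IDENTITY).hex())
```

With protection disabled on the access point the model returns nothing for every handshake frame, which matches the page's statement that the unprotected case is ordinary WLAN access; the disabled AP simply never answers the subtype 0110 probe.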
The access point decrypts the encrypted frame carrying the user identification specific to the dedicated encryption protection as follows: it uses the same algorithm as the encryption of the identification code and the same random codebook, and thereby recovers the user password sequence.
For example: from the random codebook, the values corresponding to S_1, S_2, S_3, ..., S_6 are found to be 99, 198, 395, 804, 1605 and 3206 respectively. Inverting s_n = A_n × 2^n + n, i.e. A_n = (s_n - n) / 2^n, gives A_1 = A_2 = A_3 = 49 and A_4 = A_5 = A_6 = 50, the ASCII codes of '1' and '2', so the original user identification code after decryption is 111222.
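The identification code algorithm of the Summary and the Embodiment, together with the access point's inverse, as runnable Python. This is an editor's example, not code from the patent. It implements s_n = A_n × 2^n + n, reproduces the 111222 example (99, 198, 395, 804, 1605, 3206), and recovers the password from the codebook values. The patent does not say how the random codebook is constructed, so `make_codebook` is an assumption: a seeded random bijection over every s_n reachable from printable ASCII passwords up to a fixed length, with the seed standing in for the secret shared by user and access point. The example also makes the page's rotation remark concrete: a given password yields the same identification code until the codebook is replaced, and a code produced under one codebook does not decode to the password under another.

```python
import random

MIN_ASCII, MAX_ASCII = 32, 126   # printable ASCII range assumed for passwords


def position_values(password: str) -> list[int]:
    """Steps (1) and (2): s_n = A_n * 2^n + n for each 1-based position n."""
    if not password.isascii() or not password.isprintable():
        raise ValueError("password must be printable ASCII")
    return [ord(ch) * 2 ** n + n for n, ch in enumerate(password, start=1)]


def make_codebook(seed: int, max_len: int = 16) -> dict[int, int]:
    """Constructed stand-in for the patent's random codebook (assumption).

    A bijection from every s_n that a printable ASCII password of up to
    max_len characters can produce onto a shuffled copy of the same set.
    The seed plays the role of the secret the user and the AP share."""
    domain = sorted({a * 2 ** n + n
                     for n in range(1, max_len + 1)
                     for a in range(MIN_ASCII, MAX_ASCII + 1)})
    codes = domain[:]
    random.Random(seed).shuffle(codes)
    return dict(zip(domain, codes))


def encode_identity(password: str, codebook: dict[int, int]) -> list[int]:
    """Steps (3) and (4): S_1 ... S_N, the encrypted identification code."""
    return [codebook[s] for s in position_values(password)]


def decode_identity(code: list[int], codebook: dict[int, int]):
    """AP side: invert the codebook lookup, then A_n = (s_n - n) / 2^n.

    Returns the password, or None when some position does not invert cleanly
    (unknown value, wrong codebook, or a result outside printable ASCII)."""
    inverse = {v: k for k, v in codebook.items()}
    chars = []
    for n, S in enumerate(code, start=1):
        s = inverse.get(S)
        if s is None:
            return None
        a, rem = divmod(s - n, 2 ** n)
        if rem or not MIN_ASCII <= a <= MAX_ASCII:
            return None
        chars.append(chr(a))
    return "".join(chars)


if __name__ == "__main__":
    book = make_codebook(seed=2009)            # constructed shared secret
    print("s_n for 111222:", position_values("111222"))
    code = encode_identity("111222", book)
    print("identification code:", code)
    print("AP decodes to:", decode_identity(code, book))
    rotated = make_codebook(seed=2010)         # codebook replaced, as the page allows
    print("same password, rotated codebook:", encode_identity("111222", rotated))
    print("old code under new codebook:", decode_identity(code, rotated))
```

The decoder returns None rather than a partially recovered string so that the access point's legality check in step S5 has a single failure path to discard on; the per-position divisibility test is what rejects values that were not produced by the same codebook.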
By designing the handshake behaviour of the probe packet and the dedicated encryption protection identification packet, the present invention prevents network resources from being stolen when the password of the common authentication is cracked.
The above is only a preferred embodiment of the present invention and does not limit the scope of its implementation; all simple transformations made according to the claims and description of the present invention still fall within the scope of protection covered by the invention.
Claims (7)
1. A dedicated encryption protection method between a user and a wireless access point, characterised in that it comprises the following steps:
Step S1: the user and the wireless access point both enable the dedicated encryption protection function;
Step S2: the user sends a probe frame carrying the dedicated encryption protection identifier;
Step S3: after the access point, with dedicated encryption protection enabled, recognises the probe frame sent by the user, it returns a probe response frame carrying the dedicated encryption protection identifier;
Step S4: the user sends an encrypted frame carrying the user identification specific to the dedicated encryption protection;
Step S5: the access point decrypts the user identification code in that frame and judges whether the user identification is legal; if it is illegal, the packet is discarded; if it is legal, the access point returns to the user a response frame to the identification frame and proceeds to step S6;
Step S6: the user and the access point enter the ordinary authentication phase.
2. The dedicated encryption protection method between a user and a wireless access point according to claim 1, characterised in that the probe frame carrying the dedicated encryption protection identifier, the probe response frame carrying the dedicated encryption protection identifier, the frame carrying the user identification specific to the dedicated encryption protection, and the response frame to that identification frame all use the IEEE 802.11 frame format, and the Subtype of their Frame Control field takes the undefined values 0110, 0111, 1101 and 1110 as identifiers distinguishing the different frame types.
3. The dedicated encryption protection method between a user and a wireless access point according to claim 2, characterised in that:
the probe frame carrying the dedicated encryption protection identifier uses the undefined subtype 0110 in its Frame Control field;
the probe response frame carrying the dedicated encryption protection identifier uses the undefined subtype 0111 in its Frame Control field;
the frame carrying the user identification specific to the dedicated encryption protection uses the undefined subtype 1101 in its Frame Control field;
the response frame to the frame carrying the user identification specific to the dedicated encryption protection uses the undefined subtype 1110 in its Frame Control field.
4. The dedicated encryption protection method between a user and a wireless access point according to claim 1, characterised in that in the encrypted frame carrying the user identification specific to the dedicated encryption protection sent by the user, the identification code is generated by encrypting a password the user has set independently, and the identification is placed in the Frame Body of an IEEE 802.11 management frame.
5. The dedicated encryption protection method between a user and a wireless access point according to claim 4, characterised in that the encryption algorithm for the identification code in the frame carrying the user identification specific to the dedicated encryption protection sent by the user is as follows:
(1) Convert the password set by the user into ASCII values. Suppose the password has N characters and the ASCII value of the character at position n is A_n, n = 1, 2, ..., N;
(2) Apply the numerical transformation s_n = A_n × 2^n + n to each A_n;
(3) Look up in the random codebook the value S_n corresponding to each s_n computed in the previous step;
(4) Use S_1 S_2 S_3 ... S_N as the encrypted user identification code.
6. The dedicated encryption protection method between a user and a wireless access point according to claim 5, characterised in that after receiving the encrypted frame carrying the user identification specific to the dedicated encryption protection, the access point decrypts it, the decryption using the same algorithm as the encryption of the identification code together with the same random codebook, and thereby recovers the user identification code sequence.
7. The dedicated encryption protection method between a user and a wireless access point according to claim 5 or 6, characterised in that the random codebook can be replaced periodically, or changed as circumstances require.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009102596386A CN101765110B (en) | 2009-12-21 | 2009-12-21 | Dedicated encryption protection method between user and wireless access point |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101765110A (en) | 2010-06-30 |
CN101765110B (en) | 2012-11-21 |
Family
ID=42496067
Family Applications (1)
Application Number | Title | Priority Date | Filing Date | Status |
---|---|---|---|---|
CN2009102596386A | Dedicated encryption protection method between user and wireless access point | 2009-12-21 | 2009-12-21 | Expired - Fee Related |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105007163A (en) * | 2015-07-15 | 2015-10-28 | 普联技术有限公司 | Pre-shared key (PSK) transmitting and acquiring methods and transmitting and acquiring devices |
CN106572469A (en) * | 2015-10-13 | 2017-04-19 | 中国电信股份有限公司 | WiFi terminal network access method and system |
CN105025472B (en) * | 2014-04-25 | 2018-09-18 | Tcl集团股份有限公司 | A kind of WIFI access points enciphering hiding and the method and its system of discovery |
CN109286637A (en) * | 2018-11-19 | 2019-01-29 | 南京邮电大学 | A kind of defence method of D-Link Dir series router configuration interface loophole |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100456726C (en) * | 2007-03-15 | 2009-01-28 | 北京安拓思科技有限责任公司 | Network system and method for realizing the Internet access authentication based on WAPI |
CN101335621B (en) * | 2007-06-26 | 2011-03-16 | 中国科学院声学研究所 | 802.11i key management method |
Also Published As
Publication number | Publication date |
---|---|
CN101765110B (en) | 2012-11-21 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 2012-11-21; Termination date: 2014-12-21 |
| EXPY | Termination of patent right or utility model | |