CN101778387B - Method for resisting denial of service (DoS) attack for wireless local area network access authentication - Google Patents
- Publication number: CN101778387B
- Authority: CN (China)
- Prior art keywords: puzzle, user, authentication, access point, answer
- Legal status: Expired - Fee Related (status assumed by Google, not a legal conclusion)
Abstract
The invention discloses a method for resisting DoS attacks against a wireless access authentication protocol, which mainly addresses the DoS attack threat present in the wireless access authentication process of the existing 802.11i and WAPI protocols. The method combines the beacon frame publishing mechanism with the client-puzzle mechanism to defend against DoS attacks during the association phase of access authentication. The implementation steps are: (1) the user obtains the beacon frame issued by the access point by listening, and from it obtains the parameters needed to construct the puzzle; (2) while completing the authentication interaction, the user generates the puzzle and solves it; (3) the puzzle and its solution are included in the association request and sent to the access point; (4) the access point verifies the puzzle and the solution and decides whether to complete the association. The invention has strong DoS resistance and adaptability, and is applicable to existing wireless access authentication protocols.
Description
Technical field
The invention belongs to the field of network security technology and specifically relates to a method for resisting denial of service (DoS) attacks in a wireless network environment. It can be used in a wireless local area network environment to reduce the impact of denial of service attacks on the access authentication process.
Technical background
The main purpose of a denial of service (DoS) attack is to make the services provided in a network unavailable. It is easy to carry out and highly damaging, and is currently the biggest threat in the network. Because of the openness of the Internet, however, such attacks cannot be eliminated entirely, so existing research aims at reducing the impact of DoS attacks on the network.
Access security of wireless networks has long been a hot research topic. Owing to the limited resources of wireless network devices and the limited bandwidth, the access authentication process faces the threat of DoS attacks. Existing wireless access authentication protocols, such as WAPI and 802.11i, are all exposed to some DoS attack threat during wireless access.
802.11i is currently the most widely adopted wireless network security protocol standard; it provides identity authentication and key exchange, and mainstream wireless network products on the market adopt it. 802.11i inherits the two authentication methods of 802.11, open system authentication and shared key authentication, and adds an authentication mechanism based on 802.1X, which it recommends as the preferred choice. 802.11i proposes a new security architecture, the Robust Security Network (RSN), which consists mainly of security association management and data encryption mechanisms. Security association management includes RSN security capability negotiation, the 802.1X authentication process and the 802.1X key distribution process.
1. The RSN security capability negotiation process is the process of establishing a security association. With reference to Figure 1, it is as follows:
1) The user STA obtains the 802.11i information element from the beacon frame or probe response frame of the access point AP;
2) The user STA sends an open system authentication request to the access point AP;
3) The access point AP returns an open system authentication response to the user STA;
4) The user STA sends an association request to the access point AP;
5) The access point AP returns an association request response to the user STA.
2. 802.1X authentication process
After the security association has been established, 802.1X authentication can begin. The 802.1X authentication protocol implements network access control. It involves three entities, the user access terminal, the access authenticator and the authentication server, which in a wireless network are the user STA, the access point AP and the authentication server ASU. Under this protocol the user STA and the access point AP authenticate each other through the authentication server ASU. The 802.1X standard is used between the user STA and the access point AP, while an AAA protocol, i.e. RADIUS/DIAMETER, is used as the communication standard between the access point AP and the authentication server ASU.
With reference to Figure 2, the 802.1X authentication process is as follows:
1) The user STA sends an EAP start message to the uncontrolled port of the access point AP;
2) The access point AP returns an EAP request asking the user STA to provide its identity;
3) The user STA sends its identity to the access point AP in an EAP response;
4) The access point AP forwards the identity of the user STA to the authentication server ASU in an access request for authentication;
5) The authentication server ASU authenticates the user STA using the authentication method encapsulated in EAP;
6) After the identity of the user STA has been authenticated, the authentication server ASU sends the authentication result and key material to the access point AP;
7) The access point AP sends an EAP success message to the user STA.
The security association establishment process above is a stateful protocol: the AP must store per-user state and so consumes storage resources. If an attacker sends a large number of bogus probe requests, the AP exhausts its storage resources handling them and can no longer provide access authentication to other users. 802.1X extended authentication provides stronger identity verification for the access authentication process, but it can equally be exploited by an attacker to mount a DoS attack: a large number of bogus certificates forces the ASU to perform certificate verification, consuming large amounts of computation and preventing the access authentication service from operating normally. The 802.11i protocol therefore offers no good protection against DoS attacks.
WAPI is the Chinese wireless local area network standard. It consists of two modules, WAI and WPI, which implement user identity authentication and encryption of transmitted data respectively. Like 802.11i, WAPI must first carry out a security association process. With reference to Figure 3, the association process is as follows:
1. The user STA obtains the WAPI information element from the beacon frame or probe response frame of the AP;
2. The user STA sends an open system authentication request to the access point AP;
3. The access point AP returns an open system authentication response to the user STA;
4. The user STA sends an association request to the access point AP, the association request containing the WAPI information element;
5. The access point AP returns an association request response to the user STA.
After the WAPI security association has been established, WAI authentication is performed. With reference to Figure 4, the authentication process is as follows:
First, the access point AP sends an authentication activation request to the user STA, that is, the access point AP sends a beacon frame to the user STA;
Second, in the access authentication request, the user STA submits its own certificate and the access request time to the access point AP;
Third, in the certificate authentication request, the access point AP sends the user STA's certificate, the user STA's access request time and its own certificate, together with its signature over these three parts, to the authentication server ASU;
Then, when the authentication server ASU receives the certificate authentication request from the access point AP, it first verifies the signature and certificate of the access point AP; once that succeeds, it verifies the certificate of the user STA. The authentication server ASU then signs the authentication results for the user STA and access point AP certificates with its own private key and sends this signature back to the access point AP together with the certificate verification results;
Finally, the access point AP verifies the certificate authentication response it receives, obtains the authentication result for the user STA's certificate, and decides on that basis whether to admit the user STA. At the same time the access point AP must forward the verification result of the authentication server ASU to the user STA; the user STA likewise verifies the signature of the authentication server ASU, obtains the authentication result for the access point AP's certificate, and decides on that basis whether to associate with the access point AP.
Since the WAPI protocol also requires an association process, it faces the same resource exhaustion threat during association as the 802.11 protocol. In the WAI process both the AP and the ASU must perform signature verification computations on certificates, so the AP and the ASU are easily exposed to DoS attacks.
To address the DoS threat to authentication protocols, researchers first proposed the cookie mechanism. Its basic idea is: when a request arrives from an initiator, the responder generates a cookie bound to that initiator, sends it to the initiator and requires the initiator to return it. An attacker using forged network addresses finds it hard to forge or tamper with the cookie in order to continue running the protocol, which defends against the DoS attack. This mechanism is effective against DoS attacks from forged IP addresses, but is powerless against DoS attacks launched from genuine IP addresses.
Later, the client-puzzle mechanism was proposed, further strengthening the resistance of authentication protocols to DoS attacks. Its basic principle is: when the server receives a client's request, it sends the client a puzzle and requires the client to produce a solution within a specified time and send it back to the server. How to prevent the request step itself from being exploited by an attacker to launch a DoS attack, however, remains a problem to be solved. Puzzles are usually constructed so as to consume CPU or memory resources.
Recently some researchers have proposed constructing puzzles with the wireless module to resist DoS attacks on wireless access authentication, but this introduces other security risks and is still far from practical. The DoS defence mechanisms of existing wireless access authentication protocols are therefore still imperfect, and a method that can effectively resist DoS attacks during access authentication is needed to improve the security of mobile networks.
Contents of the invention
The present invention addresses the above deficiencies of the wireless access authentication process. By combining listening for a modified beacon frame with the client-puzzle mechanism, it proposes a method for resisting denial of service attacks on wireless local area network access authentication.
To achieve the above object, the present invention comprises the following steps:
(1) The user STA obtains the relevant information element by listening for the beacon frame of the access point AP; the information element contains the original information together with the parameters the user needs to generate the puzzle;
(2) After obtaining the information element, the user STA carries out the corresponding authentication interaction with the access point AP;
(3) While the authentication interaction is in progress, the following operations are performed:
3a) The user STA obtains the MAC address AP_add of the access point AP from the beacon frame, obtains the construction random number Ni and the current difficulty level L used to construct the puzzle from the information element, specifies the hash function to be used for the puzzle computation, and chooses an arbitrary random number r;
3b) The candidate solution X, the user-chosen random number r, the access point MAC address AP_add, the construction random number Ni and the difficulty level L are concatenated in that order into the bit string X‖r‖Ni‖AP_add‖L, and this bit string is hashed; if the last L bits of the result are 0, X is a solution of the puzzle, otherwise it is not;
3c) The user searches exhaustively for a solution X satisfying the decision condition of step 3b);
(4) After generating and solving the puzzle, the user STA sends an association request message to the access point AP, with the parameters used to generate the puzzle added to the information element of the association request message;
(5) The access point AP verifies the puzzle and the solution X in the association request message against the decision condition of step 3b). If the puzzle verification passes and its result does not duplicate any verification result already stored in the temporary solution list, the AP sends an association response message to the user, completes the association and stores the verification result in the temporary solution list; otherwise it terminates the user's access request.
Because the invention adds the puzzle construction parameters to the information element of the beacon frame, the user can obtain them simply by listening for beacon frames. This removes the extra negotiation rounds that conventional schemes add for puzzle construction and so improves negotiation efficiency; at the same time, because the user obtains the puzzle construction parameters by listening, the potential DoS threat in the puzzle request step of the conventional client-puzzle mechanism is avoided.
By verifying the puzzle and solution the user places in the association request message, forged requests are filtered out, improving the DoS resistance of the wireless access authentication protocol.
Description of drawings
Figure 1 is a schematic diagram of the association establishment process of 802.11i access authentication;
Figure 2 is a schematic diagram of the extended authentication process of 802.11i access authentication;
Figure 3 is a schematic diagram of the association establishment process of WAPI access authentication;
Figure 4 is a schematic diagram of the WAI authentication process of WAPI access authentication;
Figure 5 is a schematic diagram of the present invention applied to the WLAN access authentication process;
Figure 6 is the beacon frame information element format modified by the present invention for the 802.11i protocol;
Figure 7 is the beacon frame information element format modified by the present invention for the WAPI protocol;
Figure 8 is the association request information element format modified by the present invention for the 802.11i protocol;
Figure 9 is the association request information element format modified by the present invention for the WAPI protocol.
Detailed description
With reference to Figure 5, the method provided by the present invention for resisting denial of service attacks during access authentication comprises the following steps:
Step 1: the user STA obtains the beacon frame published by the AP by listening.
In a wireless network the beacon frame is broadcast periodically by the access point AP, so the user can obtain the information element in the beacon frame by listening, without sending any request message to the access point AP. In the present invention the information element of the beacon frame the user listens for is a modification of the original information element with the puzzle construction parameters added: besides the original information it contains the construction random number Ni, the difficulty level L and the hash algorithms supported by the current AP.
The present invention modifies the information elements of the 802.11i protocol and the WAPI protocol separately. For 802.11i the modified information element format is shown in Figure 6: on top of the original format, the construction random number Ni indicates the random number currently chosen by the AP and occupies 4 octets; the difficulty level L indicates the difficulty required for computing the puzzle and occupies 1 octet; the hash algorithm field indicates the hash algorithm the AP supports, such as MD5, SHA-1 or another hash algorithm of higher security, and occupies 1 octet. For WAPI the modified information element is shown in Figure 7; the meaning and format of the added fields are the same as those added to the 802.11i information element.
The construction random number Ni is generated at random by the access point, and the AP sets a validity period for it; when the current construction random number expires, the access point AP generates a new random number and updates the information element. L denotes the difficulty level of the puzzle and is adjusted dynamically by the access point AP according to the current network and the resource consumption of the access point; if the difficulty level L changes, the AP must update the current information element.
Step 2: the user STA carries out the corresponding authentication interaction with the access point AP and, at the same time, generates the puzzle and solves it.
After hearing the beacon frame of an access point AP, if the user chooses to join that wireless network it carries out the authentication interaction for the wireless access authentication protocol in use: with 802.11i the user performs open system authentication with the access point AP; with WAPI the user performs link authentication.
While the authentication interaction is in progress, the user constructs the puzzle from the information element obtained and solves it. Here the puzzle is constructed from computational resource consumption: first, the user STA obtains the MAC address AP_add of the access point AP from the beacon frame, obtains the construction random number Ni and the current difficulty level L from the information element, specifies the hash function to be used for the puzzle computation, and chooses an arbitrary random number r; the candidate solution X, the user-chosen random number r, the access point MAC address AP_add, the construction random number Ni and the difficulty level L are concatenated in that order into the bit string X‖r‖Ni‖AP_add‖L; this bit string is hashed, and if the last L bits of the result are 0, X is a solution of the puzzle, otherwise it is not. That is, X must satisfy:
Hash(X‖r‖Ni‖dest IP‖L) mod 2^L = 0, where the symbols are as defined above.
Because the hash function is one-way, computing X from the decision condition is computationally infeasible; the user can therefore only find a solution X by exhaustive search, testing candidates until one satisfying the solution condition is found.
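The puzzle condition and the exhaustive search of steps 3a) to 3c) of the summary and of step 2 above, as an added Python example that is not part of the patent. The formula on this page writes dest IP where the surrounding text and the symbol list use AP_add; the example uses AP_add throughout. The numeric codes in HASH_ALGS, the 4-octet size of X (taken from Figure 8), the function names and all sample values are assumptions introduced here. The point it shows is the cost asymmetry that makes the puzzle useful: the STA spends about 2^L hash evaluations, the verifier spends one.

```python
import hashlib
import secrets

# Codes for the one-octet "Hash algorithm" field are an assumption; the page
# names MD5 and SHA-1 as examples and allows stronger algorithms.
HASH_ALGS = {0: "md5", 1: "sha1", 2: "sha256"}


def puzzle_string(X: bytes, r: bytes, Ni: bytes, ap_add: bytes, L: int) -> bytes:
    """Concatenate X‖r‖Ni‖AP_add‖L in the order of step 3b).
    L travels as a single octet, matching its size in the information element."""
    return X + r + Ni + ap_add + bytes([L])


def puzzle_ok(alg: str, X: bytes, r: bytes, Ni: bytes, ap_add: bytes, L: int) -> bool:
    """Decision condition of step 3b): the last L bits of the digest are zero,
    i.e. Hash(X‖r‖Ni‖AP_add‖L) mod 2^L == 0. One hash evaluation per check."""
    digest = hashlib.new(alg, puzzle_string(X, r, Ni, ap_add, L)).digest()
    return int.from_bytes(digest, "big") % (1 << L) == 0


def solve_puzzle(alg: str, r: bytes, Ni: bytes, ap_add: bytes, L: int,
                 max_tries: int = 1 << 24):
    """Exhaustive search for a 4-octet X (its size in Figure 8), counting trials.
    Returns (X, tries), or (None, max_tries) if the budget runs out."""
    for x_int in range(max_tries):
        X = x_int.to_bytes(4, "big")
        if puzzle_ok(alg, X, r, Ni, ap_add, L):
            return X, x_int + 1
    return None, max_tries


def sta_round(alg: str, ap_add: bytes, Ni: bytes, L: int) -> dict:
    """What the STA does in steps 3a-3c: pick r, search for X, report the cost."""
    r = secrets.token_bytes(4)
    X, tries = solve_puzzle(alg, r, Ni, ap_add, L)
    return {"r": r, "X": X, "tries": tries}


def main():
    # Constructed sample values, not taken from the page.
    ap_add = bytes.fromhex("00aabbccddee")   # AP MAC address (AP_add)
    Ni = secrets.token_bytes(4)              # AP's construction random number
    alg = HASH_ALGS[1]
    for L in (0, 8, 12, 16):
        res = sta_round(alg, ap_add, Ni, L)
        print(f"L={L:2d}: solved after {res['tries']:6d} hash trials "
              f"(expected about {1 << L}); the AP verifies with 1 trial")


if __name__ == "__main__":
    main()
```

Raising L by one doubles the STA's expected work while the AP's verification cost stays at a single hash, which is what lets the AP tune L to its current load as step 1 describes.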
Step 3: the user STA sends an association request message containing the puzzle and its solution to the access point AP.
First, the user modifies the information element of the association request, adding all the puzzle generation parameters and the solution X. The association request information element is modified separately for the two wireless access authentication protocols, 802.11i and WAPI:
With 802.11i, the construction random number Ni, the difficulty level L, the user-selected hash algorithm, the user-selected random number r and the solution X are added to the original association request information element format, where Ni occupies 4 octets, L 1 octet, the hash algorithm 1 octet, r 4 octets and X 4 octets, as shown in Figure 8;
With WAPI, the construction random number Ni, the difficulty level L, the user-selected hash algorithm, the user-selected random number r and the solution X are added to the original association request information element format, where Ni occupies 4 octets, L 1 octet, the hash algorithm 1 octet, r 4 octets and X 4 octets, as shown in Figure 9.
Then the user sends the modified association request message to the access point.
Step 4: the access point AP receives the association request and verifies the puzzle and solution; if verification passes, the association is completed, otherwise the user's access request is terminated.
On receiving the user's association request message, the access point AP extracts the construction random number Ni, the difficulty level L, the user-selected hash function, the user-selected random number r and the solution X from the information element of the association request message. The access point then computes the hash of X‖r‖Ni‖AP_add‖L and checks whether the solution X satisfies the decision condition of step 2; if it does, the AP goes on to check the uniqueness of the solution, otherwise it terminates the user's access request;
If the puzzle and solution X satisfy the solution condition, the hash value computed from X is compared with the hash values already stored in the temporary solution list, so that a puzzle and solution X cannot be reused: if the hash value is not in the temporary solution list, the association request is accepted, an association response is returned and the security association is established; otherwise the association request is rejected and the user's access request is terminated. After completing the association request, the access point stores the computed result in the temporary solution list. If the information element in the beacon frame changes, the access point must clear the temporary solution list so that new puzzles and solutions can be accepted.
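Steps 1, 3 and 4 above (and step (5) of the summary) together, as an added Python example that is not the patent's own code: it packs the beacon and association request fields with the octet sizes of Figures 6 and 8, and implements the AP side with the temporary solution list, including clearing it when Ni or L changes. The numeric codes for the hash algorithm octet, the class and function names, the sample values, and the check that the Ni and L echoed by the STA match what the AP currently advertises are assumptions added here; the page does not spell out that last check, but without it a client could pick its own Ni or L.

```python
import hashlib
import secrets
import struct

# Octet layout of the added fields, from Figures 6 and 8: Ni(4) L(1) Hash(1)
# in the beacon IE, and Ni(4) L(1) Hash(1) r(4) X(4) in the association request.
BEACON_IE = struct.Struct("!4sBB")
ASSOC_IE = struct.Struct("!4sBB4s4s")
# Codes for the one-octet hash algorithm field are an assumption.
HASH_ALGS = {0: "md5", 1: "sha1"}


def puzzle_digest(alg: str, X: bytes, r: bytes, Ni: bytes, ap_add: bytes, L: int) -> bytes:
    """Hash of X‖r‖Ni‖AP_add‖L (step 3b); this digest is what the AP stores."""
    return hashlib.new(alg, X + r + Ni + ap_add + bytes([L])).digest()


def sta_solve(alg: str, r: bytes, Ni: bytes, ap_add: bytes, L: int) -> bytes:
    """STA side (steps 3a-3c): exhaustive search for a 4-octet X."""
    x = 0
    while int.from_bytes(puzzle_digest(alg, x.to_bytes(4, "big"), r, Ni, ap_add, L), "big") % (1 << L):
        x += 1
    return x.to_bytes(4, "big")


class AccessPoint:
    """AP side of steps 1 and 4, with the temporary solution list."""

    def __init__(self, ap_add: bytes, L: int, alg_code: int):
        self.ap_add, self.L, self.alg_code = ap_add, L, alg_code
        self.seen = set()      # temporary solution list: digests already accepted
        self.rotate_ni()

    def rotate_ni(self):
        """New construction random number when the old one expires. The beacon
        IE changes, so the temporary solution list is cleared (end of step 4)."""
        self.Ni = secrets.token_bytes(4)
        self.seen.clear()

    def set_difficulty(self, L: int):
        """L is tuned to current load; changing it also changes the IE."""
        self.L = L
        self.seen.clear()

    def beacon_ie(self) -> bytes:
        """The added beacon fields the STA listens for (Figure 6)."""
        return BEACON_IE.pack(self.Ni, self.L, self.alg_code)

    def handle_assoc_request(self, ie: bytes):
        """Step 4: returns (accepted, reason)."""
        Ni, L, alg_code, r, X = ASSOC_IE.unpack(ie)
        # Assumed check: echoed parameters must be the ones currently advertised.
        if Ni != self.Ni or L != self.L:
            return False, "stale parameters"
        if alg_code not in HASH_ALGS:
            return False, "unsupported hash"
        d = puzzle_digest(HASH_ALGS[alg_code], X, r, Ni, self.ap_add, L)
        if int.from_bytes(d, "big") % (1 << L):
            return False, "puzzle failed"
        if d in self.seen:
            return False, "replayed solution"
        self.seen.add(d)
        return True, "associated"


if __name__ == "__main__":
    # Constructed sample exchange, not taken from the page.
    ap = AccessPoint(bytes.fromhex("00aabbccddee"), L=8, alg_code=1)
    Ni, L, code = BEACON_IE.unpack(ap.beacon_ie())
    r = secrets.token_bytes(4)
    X = sta_solve(HASH_ALGS[code], r, Ni, ap.ap_add, L)
    req = ASSOC_IE.pack(Ni, L, code, r, X)
    print(ap.handle_assoc_request(req))   # (True, 'associated')
    print(ap.handle_assoc_request(req))   # (False, 'replayed solution')
```

The replay list is keyed by the digest rather than by X alone, as the page specifies, so a second request carrying the same (r, X) pair is rejected even though it satisfies the puzzle condition; rotating Ni or changing L invalidates every outstanding solution, which is why the list can be cleared at that point without loss.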
Symbol description:
DoS attack: Denial of Service attack
WAPI: Chinese wireless local area network security standard
802.11i: wireless network security standard protocol
RSN: Robust Security Network
802.1X: port-based network access control authentication standard
AP: Access Point
STA: Station (user)
ASU: Authentication Service Unit
EAP: Extensible Authentication Protocol (extended authentication)
Hash: hash function
r: random number chosen by the user
X: solution
Ni: construction random number chosen by the AP
AP_add: address of the AP
L: difficulty level chosen by the AP
MD5: Message-Digest Algorithm 5
SHA-1: Secure Hash Standard-1
RADIUS: Remote Authentication Dial In User Service
DIAMETER: next-generation AAA protocol
Claims (3)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2010100135710A CN101778387B (en) | 2010-01-08 | 2010-01-08 | Method for resisting denial of service (DoS) attack for wireless local area network access authentication |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101778387A CN101778387A (en) | 2010-07-14 |
CN101778387B true CN101778387B (en) | 2012-06-27 |
Family ID=42514668
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2010100135710A Expired - Fee Related CN101778387B (en) | 2010-01-08 | 2010-01-08 | Method for resisting denial of service (DoS) attack for wireless local area network access authentication |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101778387B (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101969643B (en) * | 2010-09-21 | 2014-04-16 | 国家无线电监测中心检测中心 | Combined wireless network crosslinking method |
CN102196432A (en) * | 2011-06-10 | 2011-09-21 | 西安电子科技大学 | Quadratic congruence equation-based method for resisting denial-of-service attacks of wireless network |
CN103096301B (en) * | 2011-10-31 | 2017-04-12 | 华为技术有限公司 | Method for verifying wireless local area network access point and station for the same |
WO2014110774A1 (en) * | 2013-01-18 | 2014-07-24 | Hewlett-Packard Development Company, L.P. | Preventing an input/output blocking attack to a wireless access point |
WO2014110775A1 (en) | 2013-01-18 | 2014-07-24 | Hewlett-Packard Development Company, L.P. | Preventing a memory attack to a wireless access point |
US9392018B2 (en) * | 2013-09-30 | 2016-07-12 | Juniper Networks, Inc | Limiting the efficacy of a denial of service attack by increasing client resource demands |
CN108011856B (en) * | 2016-10-31 | 2020-05-08 | 华为技术有限公司 | A method and apparatus for transmitting data |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101478388A (en) * | 2009-01-16 | 2009-07-08 | 西安电子科技大学 | Multi-stage security supporting mobile IPSec access authentication method |
Non-Patent Citations (1)
Title |
---|
Li Xiaoping et al. Research and Design of an Intrusion Prevention System. Microcomputer Information (微计算机信息). 2006, Vol. 22, No. 33, pp. 88-90. * |
Also Published As
Publication number | Publication date |
---|---|
CN101778387A (en) | 2010-07-14 |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20120627; Termination date: 20160108 |