CN101815288A - Method for accessing encryption protection between user and wireless access point by using E-CARD - Google Patents

Info

Publication number: CN101815288A
Authority: CN (China)
Prior art keywords: user, access point, wireless access, frame, proprietary information
Legal status: Pending
Application number: CN201010115104A
Other languages: Chinese (zh)
Inventor: 刘鸿
Current assignee: SUZHOU HANMING TECHNOLOGY CO LTD
Original assignee: SUZHOU HANMING TECHNOLOGY CO LTD
Priority date: 2010-02-25
Filing date: 2010-02-25
Publication date: 2010-08-25

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/50 Secure pairing of devices
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 ... for authentication of entities > H04L 63/0853 ... using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/18 ... using different networks or channels, e.g. using out of band channels
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 84/00 Network topologies > H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop] > H04W 84/10 Small scale networks; Flat hierarchical networks > H04W 84/12 WLAN [Wireless Local Area Networks]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a method for access encryption protection between a user and a wireless access point using an E-CARD. The method comprises the following steps: A1, the user sends a probe request frame to the wireless access point, which receives it and sends a probe response frame back to the user STA, completing the probe; A2, after receiving the probe response frame the user sends a user information request authentication to the wireless access point, which receives the request and notifies the user, and the E-CARD and the wireless access point each perform encryption processing on the proprietary information; A3, the user sends a proprietary information request frame to the wireless access point, which receives it, performs authentication, and sends a proprietary information response frame to the user. If the proprietary information authentication results of both the E-CARD and the wireless access point are correct, the normal authentication procedure is performed; if they are not correct, the message is deleted and no response is sent. The method provides extra security assurance for a wireless network: even if WEP, WPA or WPA2 is attacked, the proprietary information held in the E-CARD is difficult to crack, so network security is greatly improved.

Description

Method for access encryption protection between a user and a wireless access point using an E-CARD
Technical field
The present invention relates to a proprietary authentication method for the link between a user and a wireless access point in a wireless local area network (WLAN), and in particular to a method that uses a third-party device, the E-Card, to encrypt and decrypt user information, so that the dedicated protection between the user and the wireless access point effectively prevents network resources from being stolen.
Background technology
A wireless local area network (WLAN) provides wireless local-area connectivity. The wireless access point (AP) is the transceiver of the WLAN: it converts data received from the wired network (for example the Internet) into wireless signals for transmission, and converts received wireless signals back into data that it forwards to the wired network.
As shown in Figure 1, a user station (STA) accesses the wireless network by connecting to a wireless access point (AP). In a WLAN without RADIUS server authentication, users are mostly authenticated by cryptographic schemes such as WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access) and WPA2; such schemes, however, are eventually cracked, and the cracking methods then spread widely.
As WLANs are used more and more widely, WEP, WPA and WPA2 have been cracked one after another, so that legitimate users' network resources are stolen and network quality declines; the problem is especially noticeable in larger deployments with many wireless access points. At present no particularly effective method for protecting wireless network resources from theft has appeared.
Summary of the invention
The object of the invention is to provide a method for access encryption protection between a user and a wireless access point using an E-CARD, which solves the prior-art problem that network resources are stolen once the network password is cracked and thereby greatly improves network conditions and the interests of legitimate users.
To solve these problems of the prior art, the technical solution provided by the invention is:
A method for access encryption protection between a user and a wireless access point using an E-CARD, characterized in that the method comprises the following steps:
Step A1: the user sends a probe request frame to the wireless access point; the wireless access point accepts the probe request frame and sends a probe response frame to the user STA, completing the probe;
Step A2: after accepting the probe response frame, the user sends a basic link authentication request frame to the wireless access point; on receiving it the wireless access point verifies its legitimacy, sends a basic link authentication response frame to the user, and informs the user that proprietary information encryption protection has been enabled;
Step A3: the user sends a proprietary information request frame to the wireless access point; the wireless access point accepts the proprietary information request frame sent by the user, authenticates it, and sends a proprietary information response frame to the user. When the wireless access point's proprietary information authentication result is correct, the normal authentication procedure is carried out; otherwise the packet is dropped and no response is sent.
Preferably, the normal authentication procedure of step A3 comprises the following steps:
1) if there is no RADIUS server, no further authentication is performed and normal network service is opened directly;
2) if there is a RADIUS server, the network is logged into after network service authentication; otherwise the network cannot be logged into and the packet is dropped.
Preferably, in step A3 both the proprietary information request frame and the proprietary information response frame use the IEEE 802.11 frame format, and the undefined subtype values 01 and 10 of the Frame Control field are used as markers distinguishing the two frame types.
Preferably, the proprietary information request frame uses the IEEE 802.11 frame format with the undefined subtype 01 in its Frame Control field, and the proprietary information response frame uses the IEEE 802.11 frame format with the undefined subtype 10 in its Frame Control field.
Preferably, the proprietary information request frame sent by the user and the proprietary information response frame sent by the wireless access point carry a proprietary product mark, a product ID and a product version in the Frame Body of the IEEE 802.11 MAC frame as the proprietary information field.
Preferably, both the E-CARD and the wireless access point store a key that proves the user's identity, and before authentication the proprietary information is encrypted in the E-CARD and in the wireless access point.
Preferably, authentication comprises comparing, point by point, the wireless access information of the proprietary information request frame with the encrypted proprietary information itself, to judge whether the user is legitimate; if the check fails the user is judged illegitimate and the frame is dropped; if the check succeeds the normal authentication procedure is carried out.
Preferably, the E-CARD is integrated with the user's wireless network card or is used together with an ordinary wireless network card.
The E-Card used in the technical solution of the invention is a convenient, safe and reliable USB interface device dedicated to encrypting the communication between the STA and the wireless access point (AP). It solves the authentication problem well and can either be used together with an ordinary wireless network card or be integrated into the wireless interface module.
The E-Card has a built-in CPU, memory and chip operating system (COS); it can store the user's key or digital certificate and uses its built-in cryptographic algorithms to authenticate the user's identity. It has a secure data storage area for secrets such as digital certificates and keys; reads and writes to this area are possible only through programs, the user cannot read it directly, and the user key cannot be exported, which eliminates the possibility of copying the user's digital certificate or identity information. The E-Card implements various encryption, decryption and signature algorithms, and these operations are carried out inside the E-Card, so that the key never appears in computer memory and cannot be intercepted by a hacker. A key proving the user's identity is stored in advance in both the E-Card and the wireless access point. The E-CARD also carries proprietary cryptographic algorithms determined by the manufacturer.
When proprietary information authentication and access take place between the user and the AP, the authentication of proprietary information frames starts after the user has completed the probe and the basic link authentication with the wireless access point: the user sends the proprietary information request frame to the wireless access point; the wireless access point receives it, performs the proprietary information processing, and then sends the proprietary information response frame to the user.
In the 802.11 frames sent by the user, the Frame Control field has Type=01 and the undefined Subtype 0001 marks the request frame carrying proprietary information. In the 802.11 frames sent by the wireless access point, the Frame Control field has Type=01 and the undefined Subtype 0010 marks the response frame carrying proprietary information.
Once the wireless access point has enabled the network protection option (that is, enabled proprietary information frames), the user can send the proprietary information from his own E-CARD to the wireless access point through the wireless network card. On receiving the user's proprietary information request frame, the wireless access point checks the proprietary information to judge whether the user is legitimate; if the check fails, the user STA is illegitimate and the frame is dropped.
After the basic authentication, the invention sends and receives proprietary frames through the E-CARD USB device inserted into the user STA's network device or terminal, confirming the legitimacy of the user (STA). Only after passing proprietary frame authentication can the user access the Internet; without an E-CARD or a wireless network card containing an E-CARD module, proprietary frames cannot be sent or received and the network cannot be accessed normally.
Compared with the prior art, the advantages of the invention are:
By providing an E-CARD, the proprietary information in the E-CARD is submitted to the wireless network card and sent as a proprietary frame between the user and the wireless access point, which adds an extra, secure proprietary link authentication; anyone without a wireless network card carrying an E-CARD module, or without an E-CARD, cannot obtain the proprietary information frame and therefore cannot pass the authentication of the invention. Adding the E-CARD greatly improves the security of the wireless network: even when WEP, WPA or WPA2 lose their protection, the user's proprietary information still provides a safety guarantee for the network. Encryption protection through the E-CARD (an encryption device for proprietary information) effectively stops hackers and malicious attackers. At the same time, having this third-party device encrypt and decrypt the proprietary information largely avoids key leakage and secures the network.
Description of drawings
The invention is further described below with reference to the drawings and embodiments:
Figure 1 is the connection diagram between a wireless access point and a user in the prior art;
Figure 2 is the connection principle diagram between the wireless access point and the user according to the invention;
Figure 3 is a schematic diagram of the networking structure between the wireless access point and the user in an embodiment of the invention.
Embodiment
The above scheme is further described below with reference to a specific embodiment. It should be understood that the embodiment serves to explain the invention and does not limit its scope. The implementation conditions used in the embodiment can be further adjusted according to the conditions of a specific manufacturer; unspecified implementation conditions are generally those of a normal experiment.
Embodiment: networking between a user and a wireless access point
In this embodiment the user STA and the wireless access point (AP) are networked as shown in Figure 3: the user STA side comprises mobile phones, notebooks and PCs, and the AP is connected to the RADIUS server through a wireless access controller (AC).
With encryption protection, the network manager must first enable the network protection option of the AP, confirming that this protection is to be used. Access between the user and the AP then proceeds as follows:
A. The user STA sends a probe request frame to the AP.
B. After receiving the probe request frame, the AP sends a probe response frame.
C. After receiving the probe response frame, the user STA sends a basic authentication request (basic link authentication).
D. After receiving the basic authentication request, the AP verifies the information sent by the user and includes a frame identifier informing the user STA that E-CARD proprietary information request authentication has been added for the user; at the same time the AP enables dedicated protection, and all of the above is sent to the user STA together.
E. The user STA uses the E-CARD to send a request frame containing the proprietary identifier.
F. On receiving the E-CARD request frame, the AP identifies this proprietary frame, sends the E-CARD proprietary identification response frame, and proceeds to the next step, normal network authentication; otherwise the packet is dropped and not responded to, so as to avoid certain malicious attacks.
In stage E above, after completing the basic authentication response frame, the user STA sends the E-CARD proprietary frame to the AP; this frame has Type=01 in the Frame Control field of the 802.11 frame, and the undefined Subtype 0001 marks it as a proprietary frame.
In stage F above, after receiving the proprietary request frame from the wireless network card, the AP determines whether the user STA is legitimate. The response frame has Type=01 in the 802.11 Frame Control field, and the undefined Subtype 0010 marks it as a proprietary frame. If the user is legitimate, the AP passes it and sends the E-CARD proprietary response frame to the E-CARD, and the next step, the normal authentication process, is carried out; otherwise the user STA is considered illegitimate, the frame is dropped, and normal authentication cannot proceed.
The Frame Body of the 802.11 MAC frame of the user and the AP serves as the proprietary information field, and both the user STA and the AP use this field. The information comprises the proprietary product mark, the product ID and the product version. The E-Card encrypts the contents of this field so that they cannot be intercepted by others during wireless transmission, which secures the wireless network and improves the reliability of the whole 802.11 frame.
After the authentication between the user STA and the AP ends, if the user is verified as legitimate, the following normal authentication stage is entered:
1) If there is no RADIUS server, no further authentication is needed and normal network service is opened directly.
2) If there is a RADIUS server, authentication such as dot1x, PPPoE or WAPI is entered, and the network is logged into after these steps; otherwise the user cannot pass and is dropped.
In this embodiment, the added E-CARD device carries out the exchange of proprietary information frames between the user STA and the AP; the device's encryption and decryption of the proprietary information and the discriminating information frame defend against external attacks and determine the user's legitimacy. Even if the password and user information are leaked, without the E-CARD the authentication cannot be passed, and the AP will not let the user enter the next, normal, authentication process. The AP responds only after receiving the user's proprietary information request frame, and only a correct authentication leads to the next step. This adds another firewall to the whole authentication process and refuses intrusion by illegitimate users.
The above example only illustrates the technical concept and features of the invention; its purpose is to let those familiar with the art understand and implement the invention, and it does not limit the scope of protection of the invention. All equivalent transformations or modifications made according to the spirit of the invention fall within the scope of protection of the invention.
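As an added example that is not part of the patent, the following Python models stages E and F (step A3): an E-CARD stand-in that keeps its key inside the object, request and response frames with Frame Control Type=01 and the undefined subtypes 0001/0010, a proprietary information field (product mark, product ID, version) and an AP that answers a valid request with the response frame and silently drops anything else. HMAC-SHA256 stands in for the manufacturer's undisclosed algorithm, only the Frame Control and Frame Body are modelled, and the field layout, tag length and key are constructed assumptions.

```python
"""Added example, not from the patent: model of the proprietary information
frame exchange (step A3 / stages E and F) between an E-CARD and an AP."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Frame Control values from the page: Type 01 (control frame) with the
# then-undefined subtypes 0001 (request, STA -> AP) and 0010 (response, AP -> STA).
TYPE_CONTROL = 0b01
SUBTYPE_PROP_REQUEST = 0b0001
SUBTYPE_PROP_RESPONSE = 0b0010
INFO_LEN = 10   # size of the constructed proprietary information field
TAG_LEN = 16    # truncated HMAC tag appended to the field (assumption)


def frame_control(ftype: int, subtype: int) -> bytes:
    """Two-octet Frame Control: octet 0 = version (b0-1, here 0), type (b2-3),
    subtype (b4-7); octet 1 = flags (all zero in this model)."""
    return bytes([(ftype << 2) | (subtype << 4), 0])


def parse_frame_control(fc: bytes) -> Tuple[int, int]:
    """Return (type, subtype) from the first Frame Control octet."""
    return (fc[0] >> 2) & 0b11, (fc[0] >> 4) & 0b1111


def pack_proprietary_info(product_mark: bytes, product_id: int, version: Tuple[int, int]) -> bytes:
    """Constructed layout (the patent names the fields but not their sizes):
    4-byte product mark, 4-byte product ID, 1-byte major and 1-byte minor version."""
    return struct.pack(">4sIBB", product_mark, product_id, *version)


def proprietary_tag(key: bytes, subtype: int, body: bytes) -> bytes:
    """HMAC-SHA256 stands in for the manufacturer's undisclosed algorithm.
    The subtype is bound into the tag so a request cannot be replayed as a response."""
    return hmac.new(key, bytes([subtype]) + body, hashlib.sha256).digest()[:TAG_LEN]


class ECard:
    """Stand-in for the USB E-CARD: the key stays inside the object and all
    cryptographic work happens here, so the STA host never handles the key."""

    def __init__(self, key: bytes, product_mark: bytes, product_id: int, version: Tuple[int, int]):
        self._key = key   # no accessor: the page says the key cannot be exported
        self._info = pack_proprietary_info(product_mark, product_id, version)

    def build_request(self) -> bytes:
        """Stage E: proprietary information request frame sent by the STA."""
        return (frame_control(TYPE_CONTROL, SUBTYPE_PROP_REQUEST) + self._info
                + proprietary_tag(self._key, SUBTYPE_PROP_REQUEST, self._info))

    def verify_response(self, frame: bytes) -> bool:
        """Check that a frame is a genuine proprietary response from the AP."""
        if len(frame) != 2 + INFO_LEN + TAG_LEN:
            return False
        if parse_frame_control(frame[:2]) != (TYPE_CONTROL, SUBTYPE_PROP_RESPONSE):
            return False
        body, tag = frame[2:-TAG_LEN], frame[-TAG_LEN:]
        return hmac.compare_digest(tag, proprietary_tag(self._key, SUBTYPE_PROP_RESPONSE, body))


class AccessPoint:
    """AP side with the network protection option enabled and the same
    pre-stored key as the E-CARD."""

    def __init__(self, key: bytes):
        self._key = key

    def handle_frame(self, frame: bytes) -> Optional[bytes]:
        """Stage F: return the proprietary response frame for a valid request,
        or None, meaning the frame is dropped and nothing is sent back."""
        if len(frame) != 2 + INFO_LEN + TAG_LEN:
            return None
        if parse_frame_control(frame[:2]) != (TYPE_CONTROL, SUBTYPE_PROP_REQUEST):
            return None   # probe, data or any other frame: not a proprietary request
        body, tag = frame[2:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, proprietary_tag(self._key, SUBTYPE_PROP_REQUEST, body)):
            return None   # wrong key or tampered field: user judged illegitimate
        return (frame_control(TYPE_CONTROL, SUBTYPE_PROP_RESPONSE) + body
                + proprietary_tag(self._key, SUBTYPE_PROP_RESPONSE, body))


def run_access_attempt(card: ECard, ap: AccessPoint) -> str:
    """Drive stages E and F and report the outcome as the page describes it."""
    response = ap.handle_frame(card.build_request())
    if response is None:
        return "dropped"                  # AP stays silent; no normal authentication
    if not card.verify_response(response):
        return "response rejected"        # STA does not trust the AP's answer
    return "normal authentication"        # proceed to the RADIUS/dot1x stage or open service


if __name__ == "__main__":
    shared_key = b"constructed-demo-key"  # constructed; provisioned in both devices
    ap = AccessPoint(shared_key)
    print(run_access_attempt(ECard(shared_key, b"HMTC", 0x1001, (1, 0)), ap))
    print(run_access_attempt(ECard(b"some-other-key", b"HMTC", 0x1001, (1, 0)), ap))
```

The page describes no freshness value in the proprietary frame, so the model adds none; a card provisioned with a different key, a tampered field, or an ordinary frame of another type all end in the silent drop the page specifies.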

Claims (8)

1. A method for access encryption protection between a user and a wireless access point using an E-CARD, characterized in that the method comprises the following steps:
Step A1: the user sends a probe request frame to the wireless access point; the wireless access point accepts the probe request frame and sends a probe response frame to the user STA, completing the probe;
Step A2: after accepting the probe response frame, the user sends a basic link authentication request frame to the wireless access point; on receiving it the wireless access point verifies its legitimacy, sends a basic link authentication response frame to the user, and informs the user that proprietary information encryption protection has been enabled;
Step A3: the user sends a proprietary information request frame to the wireless access point; the wireless access point accepts the proprietary information request frame sent by the user, authenticates it, and sends a proprietary information response frame to the user. When the wireless access point's proprietary information authentication result is correct, the normal authentication procedure is carried out; otherwise the packet is dropped and no response is sent.
2. The method according to claim 1, characterized in that the normal authentication procedure of step A3 comprises the following steps:
1) if there is no RADIUS server, no further authentication is performed and normal network service is opened directly;
2) if there is a RADIUS server, the network is logged into after network service authentication; otherwise the network cannot be logged into and the packet is dropped.
3. The method according to claim 1, characterized in that in step A3 both the proprietary information request frame and the proprietary information response frame use the IEEE 802.11 frame format, and the undefined subtype values 01 and 10 of the Frame Control field are used as markers distinguishing the two frame types.
4. The method according to claim 3, characterized in that the proprietary information request frame uses the IEEE 802.11 frame format with the undefined subtype 01 in its Frame Control field, and the proprietary information response frame uses the IEEE 802.11 frame format with the undefined subtype 10 in its Frame Control field.
5. The method according to claim 1, characterized in that the proprietary information request frame sent by the user and the proprietary information response frame sent by the wireless access point carry a proprietary product mark, a product ID and a product version in the Frame Body of the IEEE 802.11 MAC frame as the proprietary information field.
6. The method according to claim 1, characterized in that both the E-CARD and the wireless access point store a key that proves the user's identity, and before authentication the proprietary information is encrypted in the E-CARD and in the wireless access point.
7. The method according to claim 1, characterized in that authentication comprises comparing, point by point, the wireless access information of the proprietary information request frame with the encrypted proprietary information itself, to judge whether the user is legitimate; if the check fails the user is judged illegitimate and the frame is dropped; if the check succeeds the normal authentication procedure is carried out.
8. The method according to claim 1, characterized in that the E-CARD is integrated with the user's wireless network card or is used together with an ordinary wireless network card.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010115104A CN101815288A (en) 2010-02-25 2010-02-25 Method for accessing encryption protection between user and wireless access point by using E-CARD

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010115104A CN101815288A (en) 2010-02-25 2010-02-25 Method for accessing encryption protection between user and wireless access point by using E-CARD

Publications (1)

Publication Number Publication Date
CN101815288A true CN101815288A (en) 2010-08-25

Family

ID=42622376

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010115104A Pending CN101815288A (en) 2010-02-25 2010-02-25 Method for accessing encryption protection between user and wireless access point by using E-CARD

Country Status (1)

Country Link
CN (1) CN101815288A (en)


Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1681239A (en) * 2004-04-08 2005-10-12 华为技术有限公司 Method for supporting multiple safe mechanism in wireless local network system
WO2006106393A2 (en) * 2005-04-04 2006-10-12 Nokia Corporation Access management in a wireless local area network
CN101167305A (en) * 2005-04-04 2008-04-23 诺基亚公司 Access management in a wireless local area network
CN101431404A (en) * 2007-11-09 2009-05-13 北京华旗资讯数码科技有限公司 Encryption apparatus capable of implementing soft access point function of communication terminal

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103929735A (en) * 2014-04-08 2014-07-16 华为技术有限公司 Method and device for updating safety context in user equipment and user equipment
CN103929735B (en) * 2014-04-08 2017-06-20 华为技术有限公司 Method, device and the user equipment of safe context are updated in user equipment
CN110035436A (en) * 2019-01-16 2019-07-19 阿里巴巴集团控股有限公司 Information monitoring method, device, equipment and storage medium
CN110035436B (en) * 2019-01-16 2022-04-01 杭州蚂蚁聚慧网络技术有限公司 Information monitoring method, device, equipment and storage medium


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20100825