CN101902722B - Method for realizing roaming authentication of mobile terminal in wireless local area network and access point - Google Patents

Publication number: CN101902722B
Authority: CN (China)
Prior art keywords: mobile terminal, master key, key information, session master, physical address
Legal status: Active (the status listed is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Application number: CN200910141358.5A
Other languages: Chinese (zh)
Other versions: CN101902722A
Inventor: 魏元
Current assignee (the listed assignees may be inaccurate; Google has not performed a legal analysis): Nantong Well Electric Moto Co., Ltd.
Original assignee: ZTE Corp; Nanjing ZTE New Software Co Ltd
Events: application filed by ZTE Corp and Nanjing ZTE New Software Co Ltd; priority to CN200910141358.5A; publication of CN101902722A; application granted; publication of CN101902722B; legal status active

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method for realizing roaming authentication of a mobile terminal in a wireless local area network, and to a wireless access point. The method comprises the following steps: the APs in the wireless local area network form a Chord ring using the peer-to-peer Chord algorithm; the mobile terminal first accesses the wireless local area network and completes identity authentication through an AP; that AP generates a temporary session key through a multi-message handshake with the mobile terminal, using the session master key information distributed by the server, to complete authentication, and distributes the session master key information to the corresponding AP in the Chord ring; when the mobile terminal roams and requests access at another AP, that other AP obtains the session master key information from the AP that stores it and performs the multi-message handshake with the mobile terminal using that information to generate a temporary session key, completing roaming authentication. The invention reduces the handover delay of the mobile terminal, guarantees the service quality of real-time communication, and relieves the burden on the authentication server so as to solve the single-point-of-failure problem.

Description

Method and access point for realizing roaming authentication of a mobile terminal in a wireless local area network
Technical field
The present invention relates to wireless local area network (WLAN) systems, and in particular to a method and system for realizing roaming authentication of a mobile terminal in a WLAN.
Background technology
With the development of radio transmission technology and the growing number of wireless devices, WLANs have become a new generation of high-speed access network. Because the WLAN transmission medium is open and shared, any unauthorized user can easily access the WLAN, so that user information in the WLAN can be intercepted, tampered with and forged; at the same time, the original WLAN authentication modes, open-system authentication and shared-key authentication, have been proved insecure. WLANs based on the IEEE 802.11i authentication and encryption protocol (the authentication and cryptographic protocol for WLANs) will therefore be widely deployed and applied in the coming years.
The IEEE 802.11i protocol covers several main parts: the user access authentication mode (IEEE 802.1X), the key generation method, key management and key update. The entities involved in IEEE 802.11i are the mobile terminal (station, STA), the wireless access point (AP) and the authentication server (RADIUS), as shown in Fig. 1. The AP provides wireless network access for the mobile terminal; the RADIUS server verifies the identity of the mobile terminal; the mobile terminal is the end user of the WLAN and can use the WLAN only after it has been authenticated by the authentication server through the AP. The mobile terminal may be a notebook computer, a mobile phone, a personal digital assistant (PDA) or another handheld device.
Fig. 2 shows the authentication and key agreement process when a mobile terminal accesses a WLAN that adopts the IEEE 802.11i protocol. The mobile terminal must perform IEEE 802.1X authentication with the remote authentication server through the AP. After authentication succeeds, the mobile terminal and the authentication server each generate the session master key; the authentication server then distributes the session master key to the AP with which the mobile terminal is associated, so that the mobile terminal and the AP can perform a 4-way handshake (the signalling marked message 1, message 2, message 3 and message 4 in the figure) to generate the temporary session key used for communication.
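The step the scheme depends on is that the 4-way handshake alone, with a session master key (PMK) that both sides already hold, yields a fresh temporary session key. The following is an added example, not code from the patent or from IEEE, of that derivation: the PRF, the PTK layout (KCK, KEK, TK) and the HMAC-SHA1 key MIC follow IEEE 802.11i for AES-CCMP, while the PMK, MAC addresses, nonces and the EAPOL message body are constructed test values.

```python
"""IEEE 802.11i 4-way-handshake key derivation, added example (not the patent's code).
Given the same session master key (PMK) and fresh nonces, the AP and the station
derive the same pairwise transient key (PTK) without contacting the RADIUS server.
All key material below is constructed for the example."""
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    For CCMP the 48 bytes split into KCK (MIC key), KEK (key-wrap key) and TK (data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (AES-CCMP): HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk, aa, spa, anonce=None, snonce=None):
    """Run both sides of the handshake.  Returns (station PTK, AP PTK, MIC verified)."""
    anonce = anonce or os.urandom(32)          # message 1: AP -> STA carries ANonce
    snonce = snonce or os.urandom(32)          # STA picks SNonce, now has both nonces
    sta_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    # message 2: STA -> AP carries SNonce and a MIC keyed with KCK (constructed body;
    # the real MIC covers the whole EAPOL-Key frame with the MIC field zeroed)
    msg2 = b"EAPOL-Key message 2 " + snonce
    mic = eapol_mic(sta_ptk["kck"], msg2)
    ap_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)    # AP derives PTK from the PMK it holds
    verified = hmac.compare_digest(mic, eapol_mic(ap_ptk["kck"], msg2))
    return sta_ptk, ap_ptk, verified
```

Because the PTK binds the AP address and both nonces, the same cached PMK gives a different PTK at every AP and on every association, which is why re-using the PMK across APs does not re-use traffic keys.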
Although the IEEE 802.11i authentication and encryption protocol improves WLAN security, the authentication server is generally located in the wide area network and the protocol exchange is more complex than open-system or shared-key authentication, so the delay of the authentication exchange between the mobile terminal, the AP and the authentication server is much larger than with those two authentication modes. Moreover, when the mobile terminal moves beyond the coverage of its associated AP and must switch to another AP to continue communicating, it has to authenticate with the authentication server again and generate a new session master key and temporary session key. A WLAN using the IEEE 802.11i authentication and encryption protocol therefore has the following problems:
1. When the mobile terminal is in a real-time communication session, switching between APs introduces a large delay because of re-authentication, which degrades real-time communication quality;
2. When the mobile terminal moves frequently, every switch triggers a new authentication request to the remote authentication server, which overloads the authentication server when the number of mobile terminals is large;
3. A failure of the single authentication server paralyses the whole WLAN.
Because of these problems, existing IEEE 802.11i-based WLANs do not support real-time applications well, which also limits the development of WLANs themselves. Current work either improves the IEEE 802.11i authentication and encryption protocol or designs a new one; a new protocol is incompatible with the large number of WLANs already deployed and is therefore not really feasible, while the improvements sacrifice the security of the existing protocol or increase the network burden and so are also hard to apply in existing WLANs.
Summary of the invention
The technical problem solved by the present invention is to provide a method, and a corresponding wireless access point, for realizing roaming authentication of a mobile terminal in a WLAN, which reduces the handover delay of the mobile terminal so as to guarantee the service quality of real-time communication and at the same time relieves the burden on the authentication server so as to solve the single-point-of-failure problem.
P2P technology, a relatively mature Internet technology, is widely used in network applications such as file sharing, instant messaging, streaming media, shared storage and peer computing, and its outstanding search performance and scalability have won it the favour of more and more developers. Users can share all files and directories through P2P technology without searching through a Web server. In a WLAN, as the network grows, the efficiency of information management becomes a key factor affecting network performance, and authentication information is one kind of such information. The scalability and efficient distributed search of P2P technology therefore fit the information management needs of a WLAN well.
The Chord algorithm (there is no standard Chinese translation of the name) is an important structured P2P lookup technique whose aim is to provide a distributed resource lookup service suited to the Chord environment. It has the following advantages:
1. Chord uses consistent hashing, and all nodes share the system load with equal probability, which guarantees load balance;
2. A P2P system using Chord is purely distributed: nodes are fully equal and do exactly the same work, which gives Chord very strong robustness;
3. The overhead of Chord grows as O(log n) with the system scale, so it can be used in large-scale systems;
4. Chord requires nodes to update their routing tables dynamically as the network changes, so routes recover immediately and lookups are reliable.
Based on these advantages of Chord, an authentication information management scheme based on the P2P Chord algorithm is proposed.
To solve the above problems, the invention provides a method for realizing roaming authentication of a mobile terminal in a WLAN, comprising:
the wireless access points (APs) in the WLAN form a Chord ring using the peer-to-peer Chord algorithm;
when the mobile terminal first accesses the WLAN through an AP in the Chord ring and completes identity authentication, that AP performs a multi-message handshake with the mobile terminal, using the session master key information of the mobile terminal distributed by the authentication server, to generate the temporary session key and complete authentication; the AP also distributes the session master key information to the AP in the Chord ring whose physical address hash value is closest to the physical address hash value of the mobile terminal;
when the mobile terminal roams and requests access at another AP in the Chord ring, that other AP uses the physical address hash value of the mobile terminal to obtain the session master key information from the AP in the Chord ring that holds it, performs the multi-message handshake with the mobile terminal using that session master key information, generates the temporary session key and completes roaming authentication.
Further, the above method may have the following features:
after an AP in the Chord ring receives an access request from a mobile terminal, it queries the AP in the Chord ring whose physical address hash value is closest to that of the mobile terminal as to whether it holds a valid session master key for the mobile terminal;
if the query result is yes, the AP that received the access request obtains the session master key information of the mobile terminal from the queried AP, generates the session master key context, and then performs the multi-message handshake with the mobile terminal to generate the temporary session key, completing roaming authentication;
if the query result is no, the AP that received the access request instructs the mobile terminal to authenticate with the authentication server; after obtaining the session master key information of the mobile terminal distributed by the authentication server, it performs the multi-message handshake with the mobile terminal to generate the temporary session key, completing authentication, and distributes the session master key information to the queried AP.
Further, the above method may have the following features:
when the AP that received the access request distributes the session master key information of the mobile terminal, it performs the following steps:
the AP that received the access request locates the AP in the Chord ring whose physical address hash value is closest to that of the mobile terminal and sends it a request to save the session master key information;
after the located AP receives the request, it notifies the AP that received the access request to send the session master key information, and that AP sends the session master key information of the mobile terminal to the located AP;
after the located AP receives the session master key information of the mobile terminal, it checks whether it already holds session master key information for that mobile terminal locally; if so, it first deletes the original session master key information and then adds the received information to its local cache; otherwise it adds the received information to its local cache directly, indexed by the physical address of the mobile terminal.
Further, the above method may have the following features:
when an AP starts, it finds its predecessor node and successor node in the Chord ring according to its logical identifier and joins the Chord ring;
the newly joined AP obtains from its successor node the session master key information of those mobile terminals whose physical address hash values are closer to its own physical address hash value, and adds that information to its local cache indexed by the physical address of the mobile terminal;
the successor node deletes the session master key information it has sent to the newly joined AP.
Further, the above method may have the following features:
when an AP leaves the Chord ring, it notifies its predecessor node and successor node in the Chord ring to reorganize the ring, and sends all session master key information of mobile terminals cached locally to its successor node;
the successor node adds all received session master key information to its local cache indexed by the physical address of the mobile terminal;
when the AP that received the access request queries another AP in the Chord ring as to whether it holds a valid session master key for the mobile terminal, the query message carries the physical address of the mobile terminal.
Further, the above method may have the following features:
the authentication and encryption mechanism specified by the IEEE 802.11i protocol is used when the mobile terminal accesses the WLAN.
Correspondingly, the wireless access point provided by the invention uses the authentication and encryption mechanism specified by the IEEE 802.11i protocol and comprises a first authentication module, a locating module, a second authentication module and a distribution module, wherein:
the locating module is used, after an access request from a mobile terminal is received, to query the corresponding node in the Chord ring, i.e. the node whose physical address hash value is closest to that of the mobile terminal, as to whether it holds a valid session master key for the mobile terminal; if not, it notifies the first authentication module to authenticate, and if so, it notifies the second authentication module to authenticate;
the first authentication module is used, after being notified, to instruct the mobile terminal to authenticate with the authentication server and, after obtaining the session master key information of the mobile terminal distributed by the authentication server, to perform the multi-message handshake with the mobile terminal to generate the temporary session key, completing authentication, and to notify the information storage module;
the second authentication module is used, after being notified, to obtain the session master key information of the mobile terminal from the corresponding node, generate the corresponding session master key context, and then perform the multi-message handshake with the mobile terminal to generate the temporary session key, completing roaming authentication;
the distribution module is used, after being notified, to distribute the session master key information to the corresponding node in the Chord ring according to the physical address hash value of the mobile terminal.
Further, the above wireless access point may have the following features:
it also comprises an information storage module which, after receiving the session master key information of a mobile terminal sent by another AP, checks whether it already holds session master key information for that mobile terminal locally; if so, it first deletes the original session master key information and then adds the received information to the local cache; otherwise it adds the received information to the local cache directly, indexed by the physical address of the mobile terminal.
Further, the above wireless access point may have the following features:
it also comprises a start-up module which, after start-up, finds the corresponding predecessor node and successor node in the Chord ring according to the AP's logical identifier and joins the Chord ring, and obtains from the successor node the session master key information of the mobile terminals whose physical address hash values are closer to its own physical address hash value, adding that information to the local cache indexed by the physical address of the mobile terminal.
Further, the above wireless access point may have the following features:
it also comprises a leave module which, when the AP leaves the Chord ring, notifies the predecessor node and successor node in the Chord ring to reorganize the ring and sends all session master key information of mobile terminals cached locally to the successor node;
the locating module carries the physical address of the mobile terminal in the query message it sends.
The above scheme uses the peer-to-peer (P2P) Chord algorithm to realize roaming authentication in a WLAN: the mobile terminal needs to authenticate with the remote authentication server only once, when it first accesses the WLAN, and subsequent switches between APs require no further authentication with the authentication server. This reduces the handover delay of the mobile terminal so as to guarantee the service quality of real-time communication, and at the same time relieves the burden on the authentication server so as to solve the single-point-of-failure problem.
Description of drawings
Fig. 1 is the basic architecture of a prior-art WLAN based on the IEEE 802.11i protocol;
Fig. 2 is the prior-art authentication and key agreement process when a mobile terminal accesses a WLAN using the 802.11i protocol;
Fig. 3 is the Chord ring logically formed by the APs using the P2P Chord algorithm in an embodiment of the invention;
Fig. 4 is the functional module state transition diagram of an AP after the P2P Chord function is added, in an embodiment of the invention;
Fig. 5 is the workflow by which an AP joins the Chord ring after start-up, in an embodiment of the invention;
Fig. 6 is the workflow of authentication between a mobile terminal and an AP when the session master key of the mobile terminal exists in the Chord ring, in an embodiment of the invention;
Fig. 7 is the detailed process by which a mobile terminal accesses an AP when its session master key does not exist in the Chord ring, in an embodiment of the invention;
Fig. 8 is the workflow of adding a newly generated session master key to the corresponding P2P node, in an embodiment of the invention;
Fig. 9 is the workflow performed when an AP leaves the Chord ring, in an embodiment of the invention.
Embodiment
All APs in the WLAN are organized using the P2P Chord algorithm, and the session master key information generated when a mobile terminal authenticates with the authentication server is hashed onto and stored at the corresponding node of the Chord ring. When the mobile terminal switches to another AP in the local area network, that AP only needs to find the corresponding session master key information in the Chord ring and then perform the 4-way handshake directly to generate the temporary session key information; roaming authentication of the mobile terminal in the WLAN is thus completed without authenticating with the authentication server again.
Embodiments of the invention are described in detail below with reference to the drawings.
First, how the APs construct the Chord ring. After adopting the P2P Chord algorithm, all APs in the WLAN logically form a Chord ring; each physical node is mapped to a logical node of the Chord ring by hashing its physical address (MAC address), as shown in Fig. 3. When the first AP in the WLAN starts, it forms a Chord ring by itself; each AP that starts later must find its own predecessor node and successor node and then join the ring. Fig. 5 shows the workflow by which an AP joins the Chord ring after start-up:
Step 501: the newly started AP finds its predecessor node and successor node according to its own logical identifier and then joins the Chord ring;
Step 502: the AP asks its successor node in the Chord ring whether it holds session master keys that belong to the new AP; the successor node checks whether it has mobile terminals whose physical address hash values are closer to the physical address hash value of the newly joined AP;
Step 503: if so, the successor node sends to the new AP the session master key information of those mobile terminals whose physical address hash values are closer to the physical address hash value of the newly joined AP;
In this step, if no mobile terminal's physical address hash value is closer to the physical address hash value of the newly joined AP, the successor node simply notifies the AP, and steps 504 to 506 are not performed.
Step 504: the AP adds all received session master key information to its local cache, indexed by the physical address of the mobile terminal;
If the AP's cache already holds master key information for a mobile terminal, the original session master key information is updated; for a mobile terminal not yet in the cache, the session master key information is added directly and indexed.
Step 505: the AP sends a delete-session-master-key message to the successor node;
Step 506: after receiving the delete-session-master-key message, the successor node deletes the corresponding session master key information from its local cache and returns a confirmation.
When a mobile terminal needs to use the WLAN, it selects a suitable AP to associate with, as shown in Fig. 1. If the mobile terminal is accessing the WLAN for the first time, it must go through the complete IEEE 802.11i authentication process shown in Fig. 2: after selecting a suitable AP, the mobile terminal exchanges some security parameters with it to determine which authentication mode to use for accessing the WLAN; when the IEEE 802.11i protocol is used, the mobile terminal first authenticates with the authentication server through the AP, the session master key is produced after authentication succeeds, and the mobile terminal and the AP then use the session master key to perform the 4-way handshake and generate the temporary session key. After the session master key has been generated, the AP saves the session master key information at the corresponding AP of the Chord ring according to the physical address hash value of the mobile terminal, i.e. the AP whose physical address hash value is closest to that of the mobile terminal. The workflows of a mobile terminal using the WLAN in embodiments of the invention are described below with reference to Figs. 6 to 8.
When the session master key of a mobile terminal exists in the Chord ring, the detailed process by which that mobile terminal accesses an AP is shown in Fig. 6:
Step 601: the mobile terminal sends an access request (i.e. an association request) to the AP it wants to associate with, requesting to use the WLAN;
Step 602: the AP that receives the access request (hereinafter also called the target AP) calculates the physical address hash value of the mobile terminal and locates the node in the Chord ring that holds the session master key of the mobile terminal;
Step 603: the target AP sends a message querying the session master key information of the mobile terminal to the AP that holds it; the message contains the physical address of the mobile terminal;
Step 604: the AP that holds the session master key looks up its local cache by the received mobile terminal physical address to check whether corresponding session master key information exists and whether the session master key is valid;
If the mobile terminal has not sent or received data in the WLAN within a set period, the AP can mark the session master key information of that mobile terminal invalid.
Step 605: the AP that holds the session master key sends the session master key information to the target AP;
Step 606: the target AP extracts the session master key information and generates the session master key context for the mobile terminal;
Step 607: the mobile terminal and the AP then use the session master key context to perform the 4-way handshake, generating the temporary session key used for communication; the specific implementation is shown in Fig. 2;
Step 608: the mobile terminal and the AP complete authentication and open the authentication port.
Fig. 4 is the functional module state transition diagram of an AP after the P2P Chord function is added, in an embodiment of the invention. It shows clearly that, when the session master key exists, the mobile terminal and the AP can directly use the session master key to perform the 4-way handshake and complete authentication.
The detailed process by which a mobile terminal accesses an AP when its session master key information does not exist in the Chord ring or has expired is shown in Fig. 7:
Step 701: the mobile terminal sends an access request to the AP it wants to associate with, requesting to use the WLAN;
Step 702: the target AP calculates the physical address hash value of the mobile terminal and locates the node in the Chord ring that holds the session master key of the mobile terminal;
Step 703: the target AP sends a message querying the session master key information of the mobile terminal to the AP that holds it; the message contains the physical address of the mobile terminal;
Step 704: the AP that receives the query looks up its local cache by the received physical address of the mobile terminal;
Step 705: if the AP that receives the query does not find session master key information for the mobile terminal in its local cache, or judges that information to have expired, it sends the target AP a message stating that no session master key exists for the mobile terminal;
Step 706: the target AP sends a message to the mobile terminal requiring it to perform IEEE 802.1X authentication;
Step 707: the mobile terminal performs IEEE 802.1X authentication with the authentication server through the target AP; the specific implementation is shown in Fig. 2;
Step 708: the target AP adds the newly generated session master key of the mobile terminal to the corresponding node of the Chord ring; the implementation is shown in Fig. 8;
Step 709: the mobile terminal and the target AP then use the session master key context to perform the 4-way handshake, generating the temporary session key used for communication, as shown in Fig. 2.
Here, the detailed procedure by which the access point to be associated with adds the newly generated session master key information of the mobile terminal to the Chord ring is as follows:
Step 801: Session master key information is generated between the mobile terminal and the authentication server through the access point to be associated with;
Step 802: The access point to be associated with computes the hash of the mobile terminal's physical address, thereby locating the node in the Chord ring on which this session master key should be stored, and sends a request to that node to store the session master key information;
Step 803: The located node replies with a message notifying the access point to be associated with to send the session master key information;
Step 804: The access point to be associated with sends the session master key information to the located node;
Step 805: The access point receiving the session master key information, that is, the located node, searches whether it already holds session master key information for this terminal;
Step 806: If the located node already holds such information, it first deletes the previously stored session master key information and then adds the corresponding information to its cache; if not, it adds the session master key information to its cache directly.
When an access point leaves the Chord ring, it must hand all session master key information stored on it to its successor node for safekeeping; otherwise the information is lost and the mobile terminal has to re-authenticate. Fig. 9 shows the detailed procedure performed in the embodiment of the present invention when an access point leaves the Chord ring:
Step 901: The access point leaving the Chord ring notifies its predecessor and successor nodes in the ring to reorganize the Chord ring;
Step 902: The access point sends all session master key information stored locally to its successor node in the Chord ring;
Step 903: After receiving the session master key information, the successor node adds all of it to its local cache.
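The following Python model is an added example and not the patent's own code. It puts the three procedures above together: the query-or-authenticate decision of steps 701 to 709, the store-with-replace distribution of steps 801 to 806, and the hand-over to the successor of steps 901 to 903; it also covers the join-time transfer from the successor described for the startup module (claim 4), so it goes a little beyond the steps listed here. Placement of a key on the ring follows the standard Chord rule (the first node whose identifier is at or after the key's hash), which is this example's reading of the patent's "closest hash" wording. The AP names, the terminal MAC address, the ring size and the stand-in authentication server are constructed values.

```python
import hashlib
from bisect import bisect_left
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Added example (not from the patent): a Chord ring of access points used as a
# distributed cache of per-terminal session master keys (PMKs).

RING_BITS = 32                 # constructed: identifier space of the Chord ring
RING_SIZE = 1 << RING_BITS


def ring_id(key: str) -> int:
    """Map a terminal MAC address or an AP logical identifier onto the identifier circle."""
    return int.from_bytes(hashlib.sha1(key.encode()).digest(), "big") % RING_SIZE


@dataclass
class PmkRecord:
    pmk: bytes          # session master key handed out by the authentication server
    expires_at: float   # absolute time; a stale record is treated as absent (step 705)


@dataclass
class AccessPoint:
    name: str
    node_id: int = field(init=False)
    cache: Dict[str, PmkRecord] = field(default_factory=dict)   # indexed by terminal MAC

    def __post_init__(self) -> None:
        self.node_id = ring_id(self.name)


class ChordRing:
    def __init__(self) -> None:
        self.nodes: List[AccessPoint] = []          # kept sorted by node_id

    def successor(self, key_id: int) -> AccessPoint:
        """Chord rule: a key lives on the first node whose id is >= key_id, wrapping around."""
        ids = [n.node_id for n in self.nodes]
        return self.nodes[bisect_left(ids, key_id) % len(self.nodes)]

    def owner_of(self, mac: str) -> AccessPoint:
        return self.successor(ring_id(mac))

    def join(self, ap: AccessPoint) -> None:
        """Startup (claim 4): insert the AP, pull from its successor the records whose hashed
        MAC now maps to the new AP, and have the successor drop the copies it handed over."""
        self.nodes.append(ap)
        self.nodes.sort(key=lambda n: n.node_id)
        if len(self.nodes) == 1:
            return
        succ = self.nodes[(self.nodes.index(ap) + 1) % len(self.nodes)]
        for mac in [m for m in succ.cache if self.owner_of(m) is ap]:
            ap.cache[mac] = succ.cache.pop(mac)

    def leave(self, ap: AccessPoint) -> None:
        """Steps 901-903: hand every cached record to the successor, then drop out of the ring."""
        idx = self.nodes.index(ap)
        succ = self.nodes[(idx + 1) % len(self.nodes)]
        self.nodes.pop(idx)
        if succ is not ap:
            succ.cache.update(ap.cache)
        ap.cache.clear()

    def store_pmk(self, mac: str, record: PmkRecord) -> AccessPoint:
        """Steps 801-806: locate the owner node and add the record, replacing an older copy."""
        owner = self.owner_of(mac)
        owner.cache.pop(mac, None)      # step 806: delete any previous record first
        owner.cache[mac] = record
        return owner

    def lookup_pmk(self, mac: str, now: float) -> Optional[PmkRecord]:
        """Steps 702-705: ask the owner node; a missing or expired record counts as 'no PMK'."""
        owner = self.owner_of(mac)
        rec = owner.cache.get(mac)
        if rec is None:
            return None
        if rec.expires_at <= now:
            del owner.cache[mac]        # expired: purge so stale keys are never reused
            return None
        return rec


def handle_access_request(ring: ChordRing, mac: str, now: float,
                          full_auth: Callable[[str], bytes], ttl: float = 3600.0) -> Tuple[str, bytes]:
    """Decision taken by the AP the terminal wants to associate with."""
    rec = ring.lookup_pmk(mac, now)
    if rec is not None:
        return "fast_roam", rec.pmk             # step 709: reuse the PMK, run only the 4-way handshake
    pmk = full_auth(mac)                        # steps 706-707: IEEE 802.1X via the authentication server
    ring.store_pmk(mac, PmkRecord(pmk, now + ttl))   # step 708: distribute into the Chord ring
    return "full_auth", pmk


def demo() -> Tuple[Tuple[str, bytes], ...]:
    ring = ChordRing()
    for name in ("ap-01", "ap-02", "ap-03"):           # constructed AP identifiers
        ring.join(AccessPoint(name))
    calls: List[str] = []

    def auth_server(mac: str) -> bytes:              # constructed stand-in for the 802.1X server
        calls.append(mac)
        return hashlib.sha256(f"pmk:{mac}:{len(calls)}".encode()).digest()

    mac = "00:11:22:33:44:55"                          # constructed terminal MAC
    first = handle_access_request(ring, mac, 0.0, auth_server)      # first association
    second = handle_access_request(ring, mac, 10.0, auth_server)    # roam to another AP
    ring.leave(ring.owner_of(mac))                                  # owner AP leaves the ring
    third = handle_access_request(ring, mac, 20.0, auth_server)     # record survived at successor
    ring.join(AccessPoint("ap-04"))                                 # new AP joins
    fourth = handle_access_request(ring, mac, 30.0, auth_server)
    expired = handle_access_request(ring, mac, 5000.0, auth_server) # past ttl: back to 802.1X
    return first, second, third, fourth, expired, ("calls", len(calls).to_bytes(1, "big"))
```

Running `demo()` shows one full IEEE 802.1X run followed by three fast roams, including across an AP leaving and another joining, and a second full run once the cached key has expired. The expiry check in `lookup_pmk` is the piece a practitioner should not drop: without it, a key the authentication server considers revoked would keep granting fast roams for as long as the ring holds it.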
Correspondingly, the access point of this embodiment adopts the authentication and encryption mechanism specified by the IEEE 802.11i protocol and comprises a first authentication module, a locating module, a second authentication module, a distribution module, an information storage module, a startup module and an exit module, wherein:
The locating module is configured to, after an access request from a mobile terminal is received, query the corresponding node in the Chord ring, namely the node whose physical address hash is closest to the hash of the terminal's physical address, as to whether it holds a valid session master key for this terminal, the query carrying the terminal's physical address; if not, it notifies the first authentication module to authenticate; if so, it notifies the second authentication module to authenticate;
The first authentication module is configured to, once notified, direct the mobile terminal and the authentication server to perform identity authentication and, after obtaining the session master key information for this terminal distributed by the authentication server, perform the multi-way handshake with the terminal to generate the temporary session key, complete authentication, and notify the distribution module;
The second authentication module is configured to, once notified, obtain the session master key information of this terminal from the corresponding node, generate the security context of the corresponding session master key, then perform the multi-way handshake with the terminal to generate the temporary session key and complete roaming authentication;
The distribution module is configured to, once notified, distribute this session master key information to the corresponding node of the Chord ring according to the hash of the terminal's physical address.
The information storage module is configured to, after receiving the session master key information of a mobile terminal sent by another AP, check whether session master key information for this terminal is already held locally; if so, first delete the original information and then add the received information to the local cache; otherwise add the received information to the local cache directly, indexed by the terminal's physical address.
The startup module is configured to, after startup, find the corresponding predecessor and successor nodes in the Chord ring according to its logical identifier and join the Chord ring; and to obtain from the successor node the session master key information of those mobile terminals whose physical address hash is closer to its own hash, adding the obtained information to the local cache indexed by the terminal's physical address.
The exit module is configured to, when leaving the Chord ring, notify the predecessor and successor nodes in the ring to reorganize the Chord ring, and send all session master key information of mobile terminals cached locally to the successor node.
The present invention may also have numerous other embodiments; without departing from the spirit and essence of the present invention, those of ordinary skill in the art may make various corresponding changes and modifications according to the present invention, and all such changes and modifications shall fall within the protection scope of the appended claims.

Claims (10)

1. A method for realizing roaming authentication of a mobile terminal in a wireless local area network, comprising:
access points (APs) in the WLAN form a Chord ring using the peer-to-peer Chord algorithm;
the mobile terminal requests access from an AP, and this AP, according to the hash of the terminal's physical address, queries the AP in the Chord ring that holds this terminal's session master key information;
if the session master key information does not exist, or has expired and become invalid:
the mobile terminal accesses the WLAN through this AP in the Chord ring; after identity authentication is completed, this AP performs the multi-way handshake with the terminal according to the session master key information for this terminal distributed by the authentication server, generates the temporary session key and completes authentication; this AP also distributes the session master key information to the AP in the Chord ring whose physical address hash is closest to the hash of the terminal's physical address;
if the query obtains valid session master key information:
this AP performs the multi-way handshake with the mobile terminal using the session master key information, generates the temporary session key and completes roaming authentication.
2. the method for claim 1 is characterized in that:
After AP in this Chord ring received the access request of mobile terminal, in encircling to this Chord, whether the immediate AP inquiry of physical address hashed value of physical address hashed value and this mobile terminal had the effective session master key of this mobile terminal;
To have as Query Result, this AP that receives access request obtains the session master key information of this mobile terminal from the AP that inquires about, generate the context environmental of session master key, more repeatedly shake hands with this mobile terminal and generate the interim conversation key, complete roaming authentication;
Not have as Query Result, this receives that the AP of access request indicates this mobile terminal and certificate server to carry out authentication, after obtaining the session master key information of this mobile terminal of this certificate server distribution, repeatedly shake hands with this mobile terminal and generate the interim conversation key, complete authentication, and this session master key information is distributed to the AP that inquires about.
3. The method of claim 2, characterized in that, when the AP receiving the access request distributes the session master key information of this mobile terminal, the following steps are performed:
the AP receiving the access request locates, in the Chord ring, the AP whose physical address hash is closest to the hash of the terminal's physical address, and sends a request to store the session master key information to the located AP;
after receiving the request, the located AP notifies the AP receiving the access request to send the session master key information; the AP receiving the access request sends the session master key information of this terminal to the located AP;
after receiving the session master key information of this terminal, the located AP checks whether it already holds session master key information for this terminal locally; if so, it first deletes the original information and then adds the received information to the local cache; otherwise it adds the received information to the local cache directly, indexed by the terminal's physical address.
4. The method of claim 1, 2 or 3, characterized in that:
when an access point starts, it finds the corresponding predecessor and successor nodes in the Chord ring according to its logical identifier and joins the Chord ring;
the newly joined access point obtains from its successor node the session master key information of those mobile terminals whose physical address hash is closer to its own hash, and adds the obtained information to its local cache indexed by the terminal's physical address;
the successor node deletes the session master key information it has sent to the newly joined access point.
5. The method of claim 4, characterized in that:
when an access point leaves the Chord ring, it notifies the predecessor and successor nodes in the ring to reorganize the Chord ring, and sends all session master key information of mobile terminals cached locally to the successor node;
the successor node adds all received session master key information to its local cache, indexed by the terminal's physical address;
when the AP receiving the access request queries another AP in the Chord ring as to whether it holds a valid session master key for this mobile terminal, the message carries the terminal's physical address.
6. The method of claim 1, 2 or 3, characterized in that the authentication and encryption mechanism specified by the IEEE 802.11i protocol is adopted when the mobile terminal accesses the WLAN.
7. An access point adopting the authentication and encryption mechanism specified by the IEEE 802.11i protocol and comprising a first authentication module, characterized in that it further comprises a locating module, a second authentication module and a distribution module, wherein:
the locating module is configured to, after an access request from a mobile terminal is received, query the corresponding node in the Chord ring, namely the node whose physical address hash is closest to the hash of the terminal's physical address, as to whether it holds a valid session master key for this terminal; if not, notify the first authentication module to authenticate; if so, notify the second authentication module to authenticate; the Chord ring being formed by the access points (APs) in the wireless local area network using the peer-to-peer Chord algorithm;
the first authentication module is configured to, once notified, direct the mobile terminal and the authentication server to perform identity authentication and, after obtaining the session master key information for this terminal distributed by the authentication server, perform the multi-way handshake with the terminal to generate the temporary session key, complete authentication, and notify the distribution module;
the second authentication module is configured to, once notified, obtain the session master key information of this terminal from the corresponding node, generate the security context of the corresponding session master key, then perform the multi-way handshake with the terminal to generate the temporary session key and complete roaming authentication;
the distribution module is configured to, once notified, distribute this session master key information to the corresponding node of the Chord ring according to the hash of the terminal's physical address.
8. The access point of claim 7, characterized in that:
it further comprises an information storage module configured to, after receiving the session master key information of a mobile terminal sent by another AP, check whether session master key information for this terminal is already held locally; if so, first delete the original information and then add the received information to the local cache; otherwise add the received information to the local cache directly, indexed by the terminal's physical address.
9. The access point of claim 7 or 8, characterized in that:
it further comprises a startup module configured to, after startup, find the corresponding predecessor and successor nodes in the Chord ring according to its logical identifier and join the Chord ring; and to obtain from the successor node the session master key information of those mobile terminals whose physical address hash is closer to its own hash, adding the obtained information to the local cache indexed by the terminal's physical address.
10. The access point of claim 9, characterized in that:
it further comprises an exit module configured to, when leaving the Chord ring, notify the predecessor and successor nodes in the ring to reorganize the Chord ring, and send all session master key information of mobile terminals cached locally to the successor node;
the locating module carries the physical address of the mobile terminal in the query message it sends.
CN200910141358.5A 2009-05-25 2009-05-25 Method for realizing roaming authentication of mobile terminal in wireless local area network and access point Active CN101902722B (en)

Publications (2)

Publication Number Publication Date
CN101902722A CN101902722A (en) 2010-12-01
CN101902722B true CN101902722B (en) 2013-05-08



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Free format text: FORMER OWNER: ZTE CORPORATION

Effective date: 20141024

Owner name: NANTONG WELL ELECTRIC MOTOR CO., LTD.

Free format text: FORMER OWNER: NANJING ZHONGXING SOFTWARE CO., LTD.

Effective date: 20141024

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 210012 NANJING, JIANGSU PROVINCE TO: 226000 NANTONG, JIANGSU PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20141024

Address after: 226000 No. 885, Qingdao Road, Nantong hi tech Industrial Development Zone, Nantong, Jiangsu, Tongzhou District

Patentee after: Nantong Well Electric Moto Co., Ltd.

Address before: 210012 Zhongxing building, No. 68, Bauhinia Road, Yuhuatai District, Nanjing, Jiangsu

Patentee before: Nanjing Zhongxing Software Co., Ltd.

Patentee before: ZTE Corporation