CN102006587A - Wireless metropolitan area network (MAN) safe access method - Google Patents

Info

Publication number: CN102006587A
Authority: CN (China)
Prior art keywords: controlled ports, WMAN, request message, response message, configuration
Legal status: Granted (later expired for non-payment of the annual fee; see Legal Events)
Application number: CN2010105971013A
Other languages: Chinese (zh)
Other versions: CN102006587B (en)
Inventors: 王胜男, 林凡, 张永强
Current assignee: GCI Science and Technology Co Ltd
Original assignee: GCI Science and Technology Co Ltd
Application filed by GCI Science and Technology Co Ltd
Priority date: 2010-12-20
Filing date: 2010-12-20
Publication date: 2011-04-06
Priority to CN2010105971013A (granted as CN102006587B)
Publication of CN102006587A
Application granted; publication of CN102006587B
Status: Expired - Fee Related

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a wireless metropolitan area network (MAN) safe access method, comprising the steps of: completing security capability negotiation between a GW (Gateway) and an SS (Subscriber Station); performing first configuration on a BS (Base Station) by the GW, and closing a controlled port corresponding to the SS by the BS; completing an identity authentication based on WMAN-SA (Wireless Metropolitan Area Network-Security Access) by the GW, the SS and an AS (Authentication Server); negotiating to obtain a session key TEK (Traffic Encryption Key) by the GW and the SS; performing second configuration on the BS by the GW, and opening the controlled port corresponding to the SS by the BS; and encrypting and deciphering business data by using the TEK by the GW. In the invention, the access GW is used for controlling and managing the WMAN-SA of the BS, which can meet the requirement on large-scale deployment of the WMAN-SA.

Description

Secure access method for a wireless metropolitan area network
Technical field
The present invention relates to the field of wireless communication systems, and in particular to a secure access method for a wireless metropolitan area network (wireless MAN).
Background technology
IEEE 802.16 wireless MANs have drawn wide attention as an important direction for future wireless access technology. Security problems, however, continue to hold back their further promotion and development. IEEE 802.16d defines an authentication protocol under which the base station (BS) authenticates the subscriber station (SS) using a public-key algorithm (RSA) and digital certificates. Its main defect is that it provides only unilateral authentication of the SS by the BS; the SS does not authenticate the BS, so a rogue BS can easily deceive an SS. In addition, both the authorization key (AK) and the session key (TEK) are generated by the BS alone, and under such unilateral authentication the SS has little reason to trust the quality of the session key TEK. IEEE 802.16e enhanced IEEE 802.16d by introducing the Extensible Authentication Protocol (EAP), but it still provides only one-way authentication of the SS by the BS.
The patent with application number 200810027930.0, "A secure access method for a wireless MAN" (WMAN-SA for short), provides a secure access method for a wireless MAN in which the authentication and authorization process uses mutual authentication between the SS and the BS in place of the original unilateral authentication. This makes it impossible for an attacker to impersonate a legitimate BS in order to win the trust of an SS, and removes the possibility of a man-in-the-middle attack. During key negotiation the key is produced jointly by the SS and the BS instead of being distributed by the BS, which guarantees the quality of the key and strengthens the security of the wireless MAN. The improved protocol therefore meets the functional and performance requirements of the original wireless MAN while being more secure.
When WMAN-SA is deployed on a large scale, the BS not only authenticates and communicates with the SS but also needs a gateway (GW) to configure and manage its own WMAN-SA module, so a gateway device for BS management must be introduced into the network. The existing scheme, however, defines only functions such as identity authentication, key management, data encryption, data authentication and replay protection; it does not fully describe how WMAN-SA is to be used once a gateway device is introduced, and so large-scale deployment of WMAN-SA cannot be realized.
Summary of the invention
The main object of the present invention is to propose a secure access method for a wireless MAN that meets the requirements of large-scale deployment of WMAN-SA.
The invention discloses a secure access method for a wireless MAN, characterized in that it comprises a management control process and a data confidentiality transmission process. The management control process comprises:
(1) the SS forwards a security capability negotiation request message to the GW via the BS; the request message comprises the WMAN-SA version and the security policy;
after receiving the request message, the GW judges whether the WMAN-SA versions supported by the SS and the BS are compatible and whether their security policies are compatible; if both are compatible, it sets the security capability negotiation result to success, constructs a security capability negotiation response message and forwards it to the SS via the BS; the response message comprises the negotiation result, the WMAN-SA version supported by both parties after negotiation and the security policy supported by both parties after negotiation;
(2) the GW sends a first BS configuration request message to the BS; the message comprises an instruction to close the controlled port corresponding to the SS, and the MAC address of the SS;
the BS receives the first BS configuration request message, closes the controlled port corresponding to the SS according to the close instruction and the MAC address of the SS, and generates a close-controlled-port result code; the BS then sends a first BS configuration response message to the GW comprising the close-controlled-port result code, the close instruction and the MAC address of the SS;
(3) the GW, the SS and the AS carry out WMAN-SA identity authentication;
(4) the GW and the SS obtain the session key TEK through session key negotiation;
(5) the GW sends a second BS configuration request message to the BS, comprising an instruction to open the controlled port corresponding to the SS and the MAC address of the SS; the BS receives the second BS configuration request message, opens the controlled port corresponding to the SS according to the open instruction and the MAC address of the SS, generates an open-controlled-port result code, and sends a second BS configuration response message to the GW comprising the open-controlled-port result code, the open instruction and the MAC address of the SS;
The data confidentiality transmission process comprises:
(1) the GW encrypts first business data with the session key TEK and forwards it to the SS via the BS;
(2) the GW receives second business data forwarded by the SS via the BS and decrypts it with the session key TEK.
The present invention proposes a secure access method for a wireless MAN in which the GW performs centralized control and management of WMAN-SA for all BSs and performs the encryption of business data, thereby meeting the requirements of large-scale deployment of WMAN-SA.
Description of drawings
Fig. 1 is a schematic diagram of one embodiment of the present invention.
Embodiment
Current typical wireless MAN technology is based on the IEEE 802.16 standard, and the present invention is described using IEEE 802.16 as an example. The modules involved are: the SS (Subscriber Station), the BS (Base Station), the GW (Gateway) and the AS (Authentication Server). The steps involved are security capability negotiation, BS configuration, identity authentication, key negotiation and confidential transmission of business data; these steps fall into two processes: the management control process and the confidential transmission process.
For convenience of description, and with reference to Fig. 1, the management control process comprises steps 101 to 105, as follows:
101. Security capability negotiation.
The GW and the SS carry out security capability negotiation. First the SS forwards a security capability negotiation request message to the GW via the BS; the request message comprises the WMAN-SA version and the security policy.
After receiving the request message, the GW judges whether the WMAN-SA versions and security policies supported by the SS and the BS are compatible; if both are compatible, it sets the security capability negotiation result to success, constructs a security capability negotiation response message and forwards it to the SS via the BS; the response message comprises the negotiation result, the WMAN-SA version supported by both parties after negotiation and the security policy supported by both parties after negotiation.
102. First BS configuration.
The GW and the BS carry out BS configuration: the GW sends a first BS configuration request message to the BS, comprising an instruction to close the controlled port corresponding to the SS and the MAC address of the SS.
The BS receives the first BS configuration request message, closes the controlled port corresponding to the SS according to the close instruction and the MAC address of the SS, and generates a close-controlled-port result code; the BS then sends a first BS configuration response message to the GW comprising the close-controlled-port result code, the close instruction and the MAC address of the SS.
103. WMAN-SA identity authentication.
The GW, the SS and the AS carry out WMAN-SA identity authentication; the BS forwards the messages.
104. Session key negotiation.
The GW and the SS obtain the session key TEK through session key negotiation; the BS forwards the messages.
105. Second BS configuration.
The GW sends a second BS configuration request message to the BS, comprising an instruction to open the controlled port corresponding to the SS and the MAC address of the SS. The BS receives the second BS configuration request message, opens the controlled port corresponding to the SS according to the open instruction and the MAC address of the SS, and generates an open-controlled-port result code; it then sends a second BS configuration response message to the GW comprising the open-controlled-port result code, the open instruction and the MAC address of the SS.
The data confidentiality transmission process comprises the step:
106. Data confidentiality transmission.
The GW encrypts first business data with the session key TEK and forwards it to the SS via the BS; the GW receives second business data forwarded by the SS via the BS and decrypts it with the session key TEK.
In this embodiment of the invention, the GW performs centralized control and management of WMAN-SA for all BSs and performs the encryption of business data, so the requirements of large-scale deployment of WMAN-SA can be met.
Step 101 may further comprise, before the step of constructing the security capability negotiation response message: if the WMAN-SA versions supported by the SS and the BS are incompatible, setting the security capability negotiation result to failure;
or,
if the security policies supported by the SS and the BS are incompatible, setting the security capability negotiation result to failure.
In step 102, after the GW receives the first BS configuration response message, if closing the controlled port corresponding to the SS failed, the GW analyses the cause of the failure.
The purpose of closing the SS's controlled port is that the BS can then forward only WMAN-SA messages.
Step 106 may further comprise: the GW receives the second BS configuration response message, and if opening the controlled port corresponding to the SS failed, analyses the cause of the failure.
The purpose of opening the SS's controlled port is that the BS can then forward business data and other traffic in addition to WMAN-SA messages.
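The management control process (steps 101 to 105), the data confidentiality transmission of step 106 and the failure cases just described, simulated end to end. This is an added illustration written for this page, not code from the patent or from its assignee. The version and policy strings, the MAC addresses, the authorization secret held by the AS, the HMAC-SHA256 derivation of the TEK from a GW nonce and an SS nonce, and the HMAC keystream cipher are all constructed stand-ins: the page names the messages and their fields but does not specify the authentication exchange, the key-derivation function or the cipher.

```python
import hashlib
import hmac
import os

# Constructed capability sets for the BS; the patent names the fields but not concrete values.
BS_VERSIONS = {"1.0", "1.1"}
BS_POLICIES = {"AES-CCM", "AES-CTR"}


class BaseStation:
    """BS side: one controlled port per SS MAC address, driven by GW configuration requests."""

    def __init__(self):
        self.port_open = {}  # SS MAC address -> True (open) / False (closed)

    def configure(self, request):
        """Handle a first or second BS configuration request and build the response message."""
        mac, instruction = request["mac"], request["instruction"]
        if instruction not in ("close", "open"):
            return {"result_code": "failure", **request}
        self.port_open[mac] = instruction == "open"
        return {"result_code": "success", **request}

    def forward(self, mac, frame):
        """Closed port: only WMAN-SA messages pass (step 102). Open port: business data too (step 105)."""
        if frame["kind"] == "wman-sa" or self.port_open.get(mac, False):
            return frame
        raise PermissionError(f"controlled port closed for {mac}")


class AuthServer:
    """AS stand-in for step 103; the page does not describe the authentication exchange itself."""

    def __init__(self, credentials):
        self.credentials = credentials  # SS MAC address -> authorization secret (constructed)

    def authenticate(self, mac):
        return self.credentials.get(mac)  # None means the SS failed authentication


def derive_tek(auth_key, gw_nonce, ss_nonce):
    """Step 104: TEK derived from contributions of both GW and SS (a jointly produced key).
    HMAC-SHA256 over both nonces is this example's choice, not a construction stated in the patent."""
    return hmac.new(auth_key, gw_nonce + ss_nonce, hashlib.sha256).digest()


def crypt(tek, data, nonce):
    """Step 106: keystream XOR under the TEK (illustrative; the same call encrypts and decrypts)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(tek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Gateway:
    """GW: centrally runs negotiation, BS port control, authentication and key agreement."""

    def __init__(self, bs, auth_server):
        self.bs, self.auth_server = bs, auth_server
        self.teks = {}  # SS MAC address -> negotiated TEK

    def negotiate(self, request):
        """Step 101: compare the SS offer with BS capabilities; either mismatch gives failure."""
        if request["version"] not in BS_VERSIONS:
            return {"result": "failure", "reason": "WMAN-SA version incompatible"}
        if request["policy"] not in BS_POLICIES:
            return {"result": "failure", "reason": "security policy incompatible"}
        return {"result": "success", "version": request["version"], "policy": request["policy"]}

    def set_port(self, mac, instruction):
        """Steps 102 and 105: send a BS configuration request and check the returned result code."""
        response = self.bs.configure({"instruction": instruction, "mac": mac})
        if response["result_code"] != "success":
            raise RuntimeError(f"BS could not {instruction} controlled port for {mac}: {response}")
        return response

    def admit(self, mac, ss_request, ss_nonce):
        """Whole management control process for one SS; the port stays closed on any failure."""
        nego = self.negotiate(ss_request)
        if nego["result"] != "success":
            return nego
        self.set_port(mac, "close")                      # 102: only WMAN-SA frames may pass
        auth_key = self.auth_server.authenticate(mac)    # 103: identity authentication via the AS
        if auth_key is None:
            return {"result": "failure", "reason": "authentication failed"}
        gw_nonce = os.urandom(16)
        self.teks[mac] = derive_tek(auth_key, gw_nonce, ss_nonce)  # 104: session key agreement
        self.set_port(mac, "open")                       # 105: business data may now pass
        return {"result": "success", "gw_nonce": gw_nonce}


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed SS MAC address
    gw = Gateway(BaseStation(), AuthServer({mac: b"constructed-auth-secret"}))
    print(gw.admit(mac, {"version": "1.0", "policy": "AES-CCM"}, os.urandom(16)))
```

The ordering in `admit` is the point of the scheme: the controlled port is closed before authentication and key negotiation begin, so a station that fails step 103 is left with a port through which only WMAN-SA messages can pass, and the port is opened only after the TEK exists on both sides. The SS reconstructs the same TEK from its own nonce and the GW nonce returned in the final message, which is what lets the step 106 encryption and decryption agree.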
The embodiments described above do not limit the scope of protection of the present invention. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the claims of the present invention.

Claims (4)

1. A secure access method for a wireless MAN, characterized in that it comprises a management control process and a data confidentiality transmission process; the management control process comprises:
(1) the SS forwards a security capability negotiation request message to the GW via the BS; the request message comprises the WMAN-SA version and the security policy;
after receiving the request message, the GW judges whether the WMAN-SA versions supported by the SS and the BS are compatible and whether their security policies are compatible; if both are compatible, it sets the security capability negotiation result to success, constructs a security capability negotiation response message and forwards it to the SS via the BS; the response message comprises the negotiation result, the WMAN-SA version supported by both parties after negotiation and the security policy supported by both parties after negotiation;
(2) the GW sends a first BS configuration request message to the BS; the message comprises an instruction to close the controlled port corresponding to the SS, and the MAC address of the SS;
the BS receives the first BS configuration request message, closes the controlled port corresponding to the SS according to the close instruction and the MAC address of the SS, and generates a close-controlled-port result code; the BS then sends a first BS configuration response message to the GW comprising the close-controlled-port result code, the close instruction and the MAC address of the SS;
(3) the GW, the SS and the AS carry out WMAN-SA identity authentication;
(4) the GW and the SS obtain the session key TEK through session key negotiation;
(5) the GW sends a second BS configuration request message to the BS, comprising an instruction to open the controlled port corresponding to the SS and the MAC address of the SS; the BS receives the second BS configuration request message, opens the controlled port corresponding to the SS according to the open instruction and the MAC address of the SS, generates an open-controlled-port result code, and sends a second BS configuration response message to the GW comprising the open-controlled-port result code, the open instruction and the MAC address of the SS;
the data confidentiality transmission process comprises:
(1) the GW encrypts first business data with the session key TEK and forwards it to the SS via the BS;
(2) the GW receives second business data forwarded by the SS via the BS and decrypts it with the session key TEK.
2. The secure access method for a wireless MAN according to claim 1, characterized in that, before the step of constructing the security capability negotiation response message: if the WMAN-SA versions supported by the SS and the BS are incompatible, the security capability negotiation result is set to failure;
or,
if the security policies supported by the SS and the BS are incompatible, the security capability negotiation result is set to failure.
3. The secure access method for a wireless MAN according to claim 1, characterized in that the GW receives the first BS configuration response message, and if closing the controlled port corresponding to the SS failed, analyses the cause of the failure.
4. The secure access method for a wireless MAN according to claim 1, characterized in that the GW receives the second BS configuration response message, and if opening the controlled port corresponding to the SS failed, analyses the cause of the failure.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010105971013A CN102006587B (en) 2010-12-20 2010-12-20 Wireless metropolitan area network (MAN) safe access method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010105971013A CN102006587B (en) 2010-12-20 2010-12-20 Wireless metropolitan area network (MAN) safe access method

Publications (2)

Publication Number Publication Date
CN102006587A true CN102006587A (en) 2011-04-06
CN102006587B CN102006587B (en) 2012-11-21

Family

ID=43813573

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010105971013A Expired - Fee Related CN102006587B (en) 2010-12-20 2010-12-20 Wireless metropolitan area network (MAN) safe access method

Country Status (1)

Country Link
CN (1) CN102006587B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003096614A1 (en) * 2002-05-10 2003-11-20 Harris Corporation Secure wireless local or metropolitan area network and related methods
CN101272301A (en) * 2008-05-07 2008-09-24 广州杰赛科技股份有限公司 Safety access method of wireless metropolitan area network
CN101272616A (en) * 2008-05-07 2008-09-24 广州杰赛科技股份有限公司 Safety access method of wireless metropolitan area network

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102223636A (en) * 2011-07-20 2011-10-19 广州杰赛科技股份有限公司 Realization method and system for security access protocol of wireless metropolitan area network
CN102223636B (en) * 2011-07-20 2013-10-23 广州杰赛科技股份有限公司 Realization method and system for security access protocol of wireless metropolitan area network

Also Published As

Publication number Publication date
CN102006587B (en) 2012-11-21

Similar Documents

Publication Publication Date Title
US9392453B2 (en) Authentication
CN101500229B (en) Method for establishing security association and communication network system
US20130091556A1 (en) Method for establishing a secure and authorized connection between a smart card and a device in a network
CN108769007B (en) Gateway security authentication method, server and gateway
CN100373843C (en) Key consaltation method in radio LAN
RU2008146960A (en) METHOD AND SYSTEM OF PROVIDING PROTECTED COMMUNICATION USING A CELLULAR NETWORK FOR MANY PERSONALIZED COMMUNICATION DEVICES
CN102257842A (en) Enhanced security for direct link communications
JP2013537374A (en) Relay node device authentication mechanism
CN101420686B (en) Industrial wireless network security communication implementation method based on cipher key
JP2000083018A (en) Method for transmitting information needing secrecy by first using communication that is not kept secret
CN100370772C (en) Method for switching in radio local-area network mobile terminal
CN107396350A (en) SDN inter-module method for security protection based on the SDN 5G network architectures
CN101552984B (en) Base station secure accessing method of mobile communication system
CN101552985B (en) Pre-authentication method for mobile communication system switching
CN104883372A (en) Anti-cheating and anti-attack data transmission method based on wireless Ad Hoc network
CN101877852B (en) User access control method and system
CN101478389B (en) Multi-stage security supporting mobile IPSec transmission authentication method
CN104581715B (en) The sensor-based system cryptographic key protection method and radio reception device of Internet of Things field
CN102006587B (en) Wireless metropolitan area network (MAN) safe access method
CN102036237B (en) Security access method for wireless metropolitan area network
CN102065427B (en) Method for safely switching user terminal in wireless metropolitan area network
CN1953445A (en) A method and installation to resolve the safety problem for certificate cancellation in WAPI
CN102065428B (en) User terminal switching method of safe wireless metropolitan area network
Frankel et al. SP 800-97. Establishing wireless robust security networks: A guide to IEEE 802.11i
Frankel et al. Guide to IEEE 802.11i: Establishing robust security networks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
    Granted publication date: 20121121
    Termination date: 20201220