CN102006587B - Wireless metropolitan area network (MAN) safe access method - Google Patents


Info

Publication number: CN102006587B
Authority: CN (China)
Prior art keywords: controlled ports, wman, request message, response message, configuration
Legal status (as listed by Google Patents; an assumption, not a legal conclusion): Expired - Fee Related
Application number: CN2010105971013A
Other languages: Chinese (zh)
Other versions: CN102006587A (en)
Inventors: 王胜男, 林凡, 张永强
Current assignee: GCI Science and Technology Co Ltd
Original assignee: GCI Science and Technology Co Ltd
Priority date and filing date: 2010-12-20 (application filed by GCI Science and Technology Co Ltd)
Publication of CN102006587A: 2011-04-06
Application granted; publication of CN102006587B: 2012-11-21
Termination of patent right for non-payment of annual fee: 2020-12-20

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a secure access method for a wireless metropolitan area network (MAN), comprising the steps of: completing security capability negotiation between a gateway (GW) and a subscriber station (SS); the GW performing a first configuration of a base station (BS), whereby the BS closes the controlled port corresponding to the SS; the GW, the SS and an authentication server (AS) completing identity authentication based on WMAN-SA (Wireless Metropolitan Area Network Security Access); the GW and the SS negotiating a session key TEK (Traffic Encryption Key); the GW performing a second configuration of the BS, whereby the BS opens the controlled port corresponding to the SS; and the GW encrypting and decrypting service data with the TEK. Because the access GW controls and manages WMAN-SA on the BS, the method can meet the requirements of large-scale WMAN-SA deployment.

Description

Secure access method for a wireless metropolitan area network
Technical field
The present invention relates to the field of wireless communication systems, and in particular to a secure access method for a wireless metropolitan area network (WMAN).
Background art
IEEE 802.16 wireless metropolitan area networks have attracted wide attention as an important direction for future wireless access technology, but security problems have continually restricted their promotion and development. IEEE 802.16d defines an authentication protocol in which the base station (BS) authenticates the subscriber station (SS) using a public-key algorithm (RSA) and digital certificates. Its main defect is that authentication is one-way: the BS authenticates the SS, but the SS does not authenticate the BS, so a rogue BS can easily impersonate a legitimate one and deceive the SS. In addition, both the authorization key (AK) and the session key (TEK) are generated on the BS side alone, and under one-way authentication the SS has no basis for trusting the quality of the TEK. IEEE 802.16e enhanced 802.16d by introducing the Extensible Authentication Protocol (EAP), but still provides only one-way authentication of the SS by the BS.
Patent application 200810027930.0, "Secure access method for a wireless metropolitan area network" (abbreviated WMAN-SA), provides a secure access method for WMANs. In its authentication and authorization process, mutual authentication between the SS and the BS replaces the original one-way authentication, so an attacker can no longer impersonate a legitimate BS to gain the trust of the SS, and the resulting man-in-the-middle attack is avoided. In key negotiation, the key is produced jointly by the SS and the BS instead of being distributed by the BS, which guarantees key quality and strengthens WMAN security. The improved protocol therefore meets the functional and performance requirements of the original WMAN while being more secure.
When WMAN-SA is deployed at scale, the BS not only authenticates and communicates with the SS; a gateway (GW) is also needed to configure and manage the WMAN-SA module of the BS itself, so a gateway device for BS management must be introduced into the network. The existing scheme defines only functions such as identity authentication, key management, data encryption, data authentication and replay protection; it does not fully specify how WMAN-SA is used once a gateway device is introduced, and so cannot support large-scale WMAN-SA deployment.
Summary of the invention
The main object of the present invention is to propose a secure access method for a wireless MAN that meets the requirements of large-scale WMAN-SA deployment.
The invention discloses a secure access method for a wireless MAN, characterised in that it comprises a management control process and a data confidentiality transmission process. The management control process comprises:
(1) the SS sends a security capability negotiation request message to the GW via the BS; the request message contains the WMAN-SA version and the security policy;
after receiving the request message, the GW judges whether the WMAN-SA version and the security policy supported by the SS are compatible with those supported by the BS; if both are compatible, the GW sets the security capability negotiation result to success, constructs a security capability negotiation response message and forwards it to the SS via the BS; the response message contains the negotiation result, the WMAN-SA version both sides support after negotiation and the security policy both sides support after negotiation;
(2) the GW sends a first BS configuration request message to the BS, containing an instruction to close the controlled port corresponding to the SS and the MAC address of the SS;
the BS receives the first BS configuration request message, closes the controlled port corresponding to the SS according to the close instruction and the SS's MAC address, and generates a close-controlled-port result code; the BS then sends a first BS configuration response message to the GW containing the close-controlled-port result code, the close instruction and the SS's MAC address;
(3) the GW, the SS and the AS perform WMAN-SA identity authentication;
(4) the GW and the SS obtain the session key TEK through session key negotiation;
(5) the GW sends a second BS configuration request message to the BS, containing an instruction to open the controlled port corresponding to the SS and the SS's MAC address; the BS receives the second BS configuration request message, opens the controlled port corresponding to the SS according to the open instruction and the SS's MAC address, generates an open-controlled-port result code, and sends a second BS configuration response message to the GW containing the open-controlled-port result code, the open instruction and the SS's MAC address.
The data confidentiality transmission process comprises:
(1) the GW encrypts first service data with the session key TEK and forwards it to the SS via the BS;
(2) the GW receives, and decrypts with the session key TEK, second service data forwarded from the SS via the BS.
The present invention proposes a secure access method for a wireless MAN in which the GW performs centralised WMAN-SA control and management of all BSs and performs the service data encryption, thereby meeting the requirements of large-scale WMAN-SA deployment.
Brief description of the drawings
Fig. 1 is a schematic diagram of an embodiment of the present invention.
Detailed description
Current typical wireless MAN technology is based on the IEEE 802.16 standard, and the invention is described below taking IEEE 802.16 as an example. The modules involved are the SS (Subscriber Station), the BS (Base Station), the GW (Gateway) and the AS (Authentication Server). The invention involves the steps of security capability negotiation, BS configuration, identity authentication, key negotiation and confidential transmission of service data; these steps are grouped into two processes, the management control process and the confidential transmission process.
For ease of explanation, with reference to Fig. 1, the management control process comprises steps 101 to 105, as follows:
101. Security capability negotiation.
The GW and the SS negotiate security capabilities. First the SS sends a security capability negotiation request message to the GW via the BS; the request message contains the WMAN-SA version and the security policy.
After receiving the request message, the GW judges whether the WMAN-SA version and the security policy supported by the SS are compatible with those supported by the BS. If both are compatible, the GW sets the negotiation result to success, constructs a security capability negotiation response message and forwards it to the SS via the BS; the response message contains the negotiation result, the WMAN-SA version both sides support after negotiation and the security policy both sides support after negotiation.
102. First BS configuration.
The GW configures the BS: the GW sends a first BS configuration request message to the BS, containing an instruction to close the controlled port corresponding to the SS together with the SS's MAC address.
The BS receives the first BS configuration request message, closes the controlled port corresponding to the SS according to the close instruction and the MAC address, and generates a close-controlled-port result code. The BS then sends a first BS configuration response message to the GW containing the close-controlled-port result code, the close instruction and the SS's MAC address.
103. WMAN-SA identity authentication.
The GW, the SS and the AS perform WMAN-SA identity authentication; the BS forwards the messages.
104. Session key negotiation.
The GW and the SS obtain the session key TEK through session key negotiation; the BS forwards the messages.
105. Second BS configuration.
The GW sends a second BS configuration request message to the BS, containing an instruction to open the controlled port corresponding to the SS and the SS's MAC address. The BS receives the second BS configuration request message, opens the controlled port corresponding to the SS according to the open instruction and the MAC address, and generates an open-controlled-port result code. The BS then sends a second BS configuration response message to the GW containing the open-controlled-port result code, the open instruction and the SS's MAC address.
The data confidentiality transmission process comprises the step:
106. Data confidentiality transmission.
The GW encrypts first service data with the session key TEK and forwards it to the SS via the BS; the GW receives, and decrypts with the session key TEK, second service data forwarded from the SS via the BS.
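Step 106 says only that the GW encrypts and decrypts service data with the TEK; the patent names no cipher, frame format or integrity check. The block below is an added example, not code from the patent or from GCI, showing one way the GW side of step 106 can be implemented with the Python standard library alone. It assumes an encrypt-then-MAC construction: per-direction sub-keys derived from the TEK with HMAC-SHA256, a counter-mode keystream built from HMAC-SHA256, a 12-byte nonce prefixed to each frame and a 32-byte tag appended to it. The sub-key labels, the nonce length and the frame layout are assumptions, and the sample TEK and service data are constructed for the test.

```python
# Added example (not from the patent): TEK-protected service data for step 106.
# Construction assumed: encrypt-then-MAC using only HMAC-SHA256 primitives.
import hashlib
import hmac
import os

NONCE_LEN = 12   # assumed frame layout: nonce || ciphertext || tag
TAG_LEN = 32


def _subkeys(tek):
    """Derive separate encryption and integrity keys from the negotiated TEK."""
    enc = hmac.new(tek, b"wman-sa enc", hashlib.sha256).digest()
    mac = hmac.new(tek, b"wman-sa mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream: concatenation of HMAC(enc_key, nonce || counter)."""
    blocks, produced, counter = [], 0, 0
    while produced < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        blocks.append(block)
        produced += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def protect(tek, plaintext, nonce=None):
    """GW side of step 106(1): return nonce || ciphertext || tag for the SS."""
    enc_key, mac_key = _subkeys(tek)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect(tek, frame):
    """GW side of step 106(2): check the tag first, decrypt only if it matches.
    Returns None on any integrity failure so a forged or modified frame never
    reaches the application."""
    if len(frame) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(tek)
    nonce, ciphertext, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def tamper(frame, index):
    """Flip one bit of a frame (helper to show that the tag check fires)."""
    b = bytearray(frame)
    b[index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    tek = bytes(range(32))                    # constructed TEK, not a real key
    frame = protect(tek, b"constructed service data")
    print(unprotect(tek, frame))              # round trip
    print(unprotect(tek, tamper(frame, NONCE_LEN)))   # None: modified ciphertext
```

The tag is verified before any decryption, with a constant-time comparison, so a frame under the wrong TEK or with a single flipped bit is rejected as a whole. The nonce must never repeat under one TEK (a counter shared with a sequence number is the usual choice); replay protection, which the background lists among the existing scheme's functions, is not provided by this block and would sit on top of it.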
In this embodiment the GW performs centralised WMAN-SA control and management of all BSs and performs the service data encryption, which meets the requirements of large-scale WMAN-SA deployment.
Step 101 may further comprise, before constructing the security capability negotiation response message: if the WMAN-SA versions supported by the SS and the BS are incompatible, setting the negotiation result to failure;
or,
if the security policies supported by the SS and the BS are incompatible, setting the negotiation result to failure.
In step 102, after the GW receives the first BS configuration response message, if closing the controlled port corresponding to the SS failed, the GW analyses the cause of the failure.
The purpose of closing the SS's controlled port is that the BS can then forward only WMAN-SA messages.
In step 105, after the GW receives the second BS configuration response message, if opening the controlled port corresponding to the SS failed, the GW analyses the cause of the failure.
The purpose of opening the SS's controlled port is that the BS can forward service data and other traffic in addition to WMAN-SA messages.
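The management control process of the summary (steps (1) to (5)) and of the embodiment (steps 101 to 105), together with the failure handling just described, is a port-based access control sequence of the same shape as IEEE 802.1X: while the SS's controlled port is closed the BS passes only WMAN-SA messages, and the GW opens it only after authentication and key negotiation have both succeeded. The block below is an added example, not code from the patent or from GCI, that simulates that sequence end to end. Its assumptions are: message field names and result codes (0 success, 1 failure); ports start closed (the patent does not state the initial state); the GW holds the version and policy sets its BS supports; WMAN-SA authentication, whose details live in the cited application rather than on this page, is stood in for by an HMAC challenge against a secret the AS holds per MAC; and the TEK is derived from nonces contributed by both sides, following the background's requirement that neither side alone chooses the key. The BaseStation's `fail_for` parameter exists only to exercise the failure branches of claims 3 and 4 with constructed input.

```python
# Added example (not from the patent): GW-driven admission of one SS through
# steps 101-105, with the BS controlled port gating service data.
import hashlib
import hmac
import os

WMAN_SA = "wman-sa"   # message class the BS forwards whatever the port state
SERVICE = "service"   # service data, gated by the SS's controlled port


class BaseStation:
    """Keeps one controlled port per SS MAC address; ports start closed (assumption).
    `fail_for` lists MACs whose port changes fail, for demonstration only."""

    def __init__(self, fail_for=()):
        self.port_open = {}
        self.fail_for = set(fail_for)

    def configure(self, request):
        """Apply a BS configuration request and return the response message.
        Result codes are assumed: 0 = carried out, 1 = not carried out."""
        mac, instruction = request["mac"], request["instruction"]
        if instruction not in ("close", "open") or mac in self.fail_for:
            return {"result": 1, "instruction": instruction, "mac": mac}
        self.port_open[mac] = instruction == "open"
        return {"result": 0, "instruction": instruction, "mac": mac}

    def forwards(self, mac, msg_class):
        """Closed port: only WMAN-SA messages pass. Open port: everything passes."""
        return msg_class == WMAN_SA or self.port_open.get(mac, False)


class Gateway:
    """Drives steps 101-105 for every SS behind the BSs it manages."""

    def __init__(self, bs_versions, bs_policies, auth_server):
        self.bs_versions = set(bs_versions)   # what the managed BS supports (assumed held by GW)
        self.bs_policies = set(bs_policies)
        self.auth_server = auth_server        # {mac: secret}; stands in for the AS

    def negotiate(self, request):
        """Step 101: the SS's offer must be compatible with what the BS supports."""
        ok = request["version"] in self.bs_versions and request["policy"] in self.bs_policies
        return {"result": "success" if ok else "failure",
                "version": request["version"] if ok else None,
                "policy": request["policy"] if ok else None}

    def admit(self, bs, ss):
        """Run the management control process for one SS.
        Returns whether it was admitted, the TEK, and a log of each step's result."""
        mac, log = ss["mac"], []
        # 101: security capability negotiation; an incompatible offer ends here
        resp = self.negotiate({"version": ss["version"], "policy": ss["policy"]})
        log.append(("negotiate", resp["result"]))
        if resp["result"] != "success":
            return {"admitted": False, "tek": None, "log": log}
        # 102: first BS configuration, close the SS's controlled port
        first = bs.configure({"instruction": "close", "mac": mac})
        log.append(("close", first["result"]))
        if first["result"] != 0:          # claim 3: the failure is kept for analysis
            return {"admitted": False, "tek": None, "log": log}
        # 103: identity authentication, modelled as a challenge answered with the
        # secret the AS holds for this MAC (assumption; not the WMAN-SA protocol)
        challenge = os.urandom(16)
        expected = hmac.new(self.auth_server.get(mac, b""), challenge, hashlib.sha256).digest()
        proof = hmac.new(ss["secret"], challenge, hashlib.sha256).digest()
        authenticated = hmac.compare_digest(expected, proof)
        log.append(("authenticate", authenticated))
        if not authenticated:
            return {"admitted": False, "tek": None, "log": log}
        # 104: session key negotiation; both sides contribute a nonce so the TEK
        # is not chosen by one side alone (assumed derivation)
        gw_nonce, ss_nonce = os.urandom(16), os.urandom(16)
        tek = hmac.new(ss["secret"], b"TEK" + gw_nonce + ss_nonce, hashlib.sha256).digest()
        # 105: second BS configuration, open the port only now
        second = bs.configure({"instruction": "open", "mac": mac})
        log.append(("open", second["result"]))
        if second["result"] != 0:         # claim 4: the failure is kept for analysis
            return {"admitted": False, "tek": None, "log": log}
        return {"admitted": True, "tek": tek, "log": log}


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                           # constructed SS
    gw = Gateway(["WMAN-SA/1.0"], ["policy-A"], {mac: b"constructed-secret"})
    bs = BaseStation()
    ss = {"mac": mac, "version": "WMAN-SA/1.0", "policy": "policy-A", "secret": b"constructed-secret"}
    print(bs.forwards(mac, SERVICE), gw.admit(bs, ss)["log"], bs.forwards(mac, SERVICE))
```

The property worth checking on any implementation of this flow is the one the simulation makes visible: service data for the SS is dropped by the BS until step 105 completes, and every failure (incompatible capabilities, a BS that cannot apply the configuration, a wrong credential) leaves the port closed rather than half-open.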
The embodiments described above do not limit the scope of protection of the invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within the scope of the claims.

Claims (4)

1. A secure access method for a wireless metropolitan area network, characterised in that it comprises a management control process and a data confidentiality transmission process; the management control process comprises:
(1) a subscriber station SS sends a security capability negotiation request message to a gateway GW via a base station BS, the request message containing a WMAN-SA version and a security policy;
after receiving the request message, the GW judges whether the WMAN-SA version and the security policy supported by the SS are compatible with those supported by the BS; if both are compatible, the GW sets the security capability negotiation result to success, constructs a security capability negotiation response message and forwards it to the SS via the BS, the response message containing the negotiation result, the WMAN-SA version both sides support after negotiation and the security policy both sides support after negotiation;
(2) the GW sends a first BS configuration request message to the BS, the first BS configuration request message containing an instruction to close the controlled port corresponding to the SS and the MAC address of the SS;
the BS receives the first BS configuration request message, closes the controlled port corresponding to the SS according to the close instruction and the MAC address of the SS, and generates a close-controlled-port result code; the BS sends a first BS configuration response message to the GW, the first BS configuration response message containing the close-controlled-port result code, the close instruction and the MAC address of the SS;
(3) the GW, the SS and an authentication server AS perform WMAN-SA identity authentication;
(4) the GW and the SS obtain a session key TEK through session key negotiation;
(5) the GW sends a second BS configuration request message to the BS, the second BS configuration request message containing an instruction to open the controlled port corresponding to the SS and the MAC address of the SS; the BS receives the second BS configuration request message, opens the controlled port corresponding to the SS according to the open instruction and the MAC address of the SS, and generates an open-controlled-port result code; the BS sends a second BS configuration response message to the GW, the second BS configuration response message containing the open-controlled-port result code, the open instruction and the MAC address of the SS;
the data confidentiality transmission process comprises:
(1) the GW encrypts first service data with the session key TEK and forwards it to the SS via the BS;
(2) the GW receives, and decrypts with the session key TEK, second service data forwarded from the SS via the BS.
2. The secure access method for a wireless metropolitan area network according to claim 1, characterised in that, before the step of constructing the security capability negotiation response message: if the WMAN-SA versions supported by the SS and the BS are incompatible, the security capability negotiation result is set to failure;
or,
if the security policies supported by the SS and the BS are incompatible, the security capability negotiation result is set to failure.
3. The secure access method for a wireless metropolitan area network according to claim 1, characterised in that, after the GW receives the first BS configuration response message, if closing the controlled port corresponding to the SS failed, the GW analyses the cause of the failure.
4. The secure access method for a wireless metropolitan area network according to claim 1, characterised in that, after the GW receives the second BS configuration response message, if opening the controlled port corresponding to the SS failed, the GW analyses the cause of the failure.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010105971013A CN102006587B (en) 2010-12-20 2010-12-20 Wireless metropolitan area network (MAN) safe access method

Publications (2)

Publication Number Publication Date
CN102006587A CN102006587A (en) 2011-04-06
CN102006587B true CN102006587B (en) 2012-11-21

Family

ID=43813573

Country Status (1)

Country Link
CN (1) CN102006587B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102223636B (en) * 2011-07-20 2013-10-23 广州杰赛科技股份有限公司 Realization method and system for security access protocol of wireless metropolitan area network

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003096614A1 (en) * 2002-05-10 2003-11-20 Harris Corporation Secure wireless local or metropolitan area network and related methods
CN101272301A (en) * 2008-05-07 2008-09-24 广州杰赛科技股份有限公司 Safety access method of wireless metropolitan area network
CN101272616A (en) * 2008-05-07 2008-09-24 广州杰赛科技股份有限公司 Safety access method of wireless metropolitan area network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121121

Termination date: 20201220