CN102026190A - Rapid and safe heterogeneous wireless network switching method - Google Patents


Info

Publication number
CN102026190A
Authority
CN
China
Prior art keywords
mobile terminal, address, message, care-of, TPOA
Legal status (as listed by Google Patents; an assumption, not a legal conclusion)
Granted
Application number
CN2011100010692A
Other languages
Chinese (zh)
Other versions
CN102026190B (en)
Inventor
李光松
马建峰
李兴华
姜奇
杨力
曾勇
Current Assignee (as listed by Google Patents; may be inaccurate)
Xidian University
Original Assignee
Xidian University
Events
  • Application filed by Xidian University
  • Priority to CN201110001069.2A (granted as CN102026190B)
  • Publication of CN102026190A
  • Application granted
  • Publication of CN102026190B
  • Current legal status: Expired - Fee Related
  • Anticipated expiration

Classification

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a fast and secure handover method for heterogeneous wireless networks, mainly addressing the long handover delay and weak security of existing heterogeneous wireless handover techniques. The scheme is as follows: the mobile terminal determines the target network through a target-network discovery and selection mechanism, then requests a handover ticket from its home authentication server and registers the target subnet care-of address with its current access router; at handover, with the help of the target authentication server, the mobile terminal and the target network access point authenticate each other using the handover ticket; once authentication succeeds, the mobile terminal immediately receives the data forwarded by the target router, using the new care-of address obtained in the target network; and the mobile terminal registers the new care-of address with its home agent while data continues to flow in real time. The delay before and during handover is short, and every handover signaling message is protected, which improves the security of handover between heterogeneous networks.

Description

Fast and secure handover method for heterogeneous wireless networks
Technical field
The invention belongs to the field of wireless communication technology and specifically to handover techniques in wireless networks; it can be used for fast and secure handover of a mobile terminal between heterogeneous wireless networks.
Background art
Wireless communication technology has developed rapidly in recent years, and several kinds of wireless network have appeared: mobile cellular networks, wireless local area networks (WLAN), wireless metropolitan area networks, mobile ad hoc networks and others. Each has its own advantages and scope of application; they complement one another and will in future form a heterogeneous wireless network environment in which many networks converge. Through cooperation between the networks, a user can roam between heterogeneous networks with different access technologies and use the resources of several networks. Because different networks have different security standards and security mechanisms, and often belong to different operators, the security problems of a heterogeneous wireless environment are more complex and raise more challenges.
With the development of Internet services and the increase in wireless bandwidth and mobile terminal performance, providing multimedia real-time services to mobile users has become an inevitable trend. Applications on mobile devices are becoming ever richer: besides traditional voice and data services they include real-time services such as IP telephony, mobile TV, video conferencing and online games. For real-time services the end-to-end delay of the service data is the most critical factor, since it directly affects the user's experience. When a mobile terminal carrying a real-time service enters an area covered by several networks, it can select the best access network according to the characteristics of the different networks and hand over from its current access network to that one, to enjoy a higher quality of service or a better rate. To achieve this, the mobile terminal must perform a fast, secure and seamless handover between the access points of the two networks, satisfying both the needs of the real-time service and the privacy of the user's communication.
When a mobile terminal hands over between heterogeneous wireless networks, it must perform not only a link-layer handover but also a network-layer handover. At present the handover delay of both the link layer and the network layer between heterogeneous networks far exceeds what real-time applications require.
To achieve fast access authentication when a mobile terminal hands over between different access points, the IETF proposed the HOKEY protocol in RFC 5169 (March 2008), which extends the key hierarchy of the EAP authentication framework. HOKEY uses the EMSK that the mobile terminal retains after a full authentication as the root key, and derives from the EMSK an authentication key for the mobile terminal and the access point it is handing over to, so that handover authentication only needs to be carried out locally. This method considers only link-layer handover authentication, is only suitable for fast handover after the mobile terminal has already completed a full authentication with the target network, and cannot be applied directly to handover between two different kinds of network. For network-layer handover, the IETF proposed Hierarchical Mobile IPv6 in RFC 5380 (October 2008) and Fast Handovers for Mobile IPv6 in RFC 5568 (July 2009). The main idea of RFC 5380 is to introduce a Mobility Anchor Point (MAP) that establishes a local MAP domain; the MAP forwards the terminal's data, and while the terminal moves within the same MAP domain it only needs to register with the local MAP. This strategy significantly reduces the number of registrations the mobile terminal must make with its home agent and correspondent nodes, and so shortens the handover delay. The core idea of RFC 5568 is that the mobile terminal predicts a network-layer move: before disconnecting the current link it asks its current access router for information about the new access router by means of a Router Solicitation for Proxy Advertisement, performs handover pre-processing, and completes the establishment of a forwarding tunnel between the new and the old router before the link-layer handover takes place. RFC 5380 and RFC 5568 concern only network-layer handover and provide no security protection for the signaling.
For secure handover between heterogeneous networks, the IETF MOBOPTS research group proposed the MPA framework in the draft mobopts-mpa-framework (A Framework of Media-Independent Pre-Authentication (MPA) for Inter-domain Handover Optimization, version 08, September 2010). MPA generalizes the pre-authentication concept of the IEEE 802.11i standard to the network layer and uses a pre-configuration protocol and a tunnel management protocol to set up a proactive handover tunnel between the mobile terminal and the access router of the target network, so that the mobile terminal completes pre-authentication with the target network and the binding update of its care-of address before the link-layer handover. However, MPA's pre-authentication, pre-configuration and pre-registration take a long time; if the mobile terminal moves too fast, the communication link may already be broken before these operations finish, and the handover optimization cannot be realized.
Patent application 200810127098.1 discloses a pre-authentication method and authentication system: when the mobile terminal enters a visited network outside its home network, it obtains the identity of the visited network and selects pre-authentication key material and an authentication ticket according to that identity; the authentication server of the visited network and the mobile terminal then authenticate each other using the pre-authentication key material. Patent application 200710161578.5 discloses a method of handover between heterogeneous wireless networks: the mobile terminal first determines the information needed for pre-authentication and pre-authenticates with the target network using that information before the link handover; once pre-authentication has succeeded, the mobile terminal performs the handover between the heterogeneous networks. The techniques disclosed in these two patents are limited to shortening the authentication delay of the link-layer handover.
In the course of developing the invention, the inventors found that the prior art above has at least one of the following shortcomings:
(1) only the optimization of the link-layer handover or of the network-layer handover is considered; the handover signaling of the two layers is not considered together;
(2) the handover optimization techniques offered provide no security protection for the signaling;
(3) the pre-authentication, pre-configuration and pre-registration processes before handover involve many message exchanges and require a long delay.
Summary of the invention
The objective of the invention is to overcome the above deficiencies of the prior art by proposing a fast and secure handover method for heterogeneous wireless networks that plans the link-layer and network-layer handover signaling together, protects all handover signaling, and shortens the delay required before and during handover.
To achieve this objective, the technical solution of the invention comprises the following steps:
(1) While moving, the mobile terminal MN periodically uses the media independent information service, through the currently accessed visited network V, to discover all wireless networks present at its current location and obtain each network's type, link state, authentication server identifier, nearby access point frequencies, nearby router identifiers and the subnet care-of address of the subnet they belong to;
(2) MN runs a handover decision algorithm to select the target network T, the target router TAR and the target subnet care-of address SCOA that yield the greatest benefit;
(3) MN securely sends a handover ticket request message to the home authentication server HAS in its home network H; the message contains MN's identifier ID_MN and the identifier ID_TAS of the target authentication server TAS in the target network T;
(4) HAS generates a handover root key k and a handover ticket Ticket for MN, and securely sends k and Ticket to MN as the handover ticket response message;
(5) MN securely sends a target subnet care-of address registration request message to its current access router VAR in the visited network V, registering the target subnet care-of address SCOA;
(6) VAR securely sends a target subnet care-of address registration reply message to MN; from then on, for data DATA_VCOA addressed to MN's current care-of address VCOA, VAR encapsulates DATA_VCOA into DATA_SCOA addressed to SCOA and sends it to SCOA;
(7) For data DATA_SCOA arriving at SCOA, the target router TAR extracts the inner destination address VCOA, recovers DATA_VCOA and either buffers or forwards it according to MN's handover state;
(8) After MN receives the target subnet care-of address registration reply from VAR, it closes the visited network V interface, opens the target network T interface and establishes a link-layer connection with the access point TPOA in T;
(9) Using the handover ticket Ticket, MN and TPOA authenticate each other with the assistance of TAS;
(10) If MN passes authentication, TPOA securely sends a care-of address request message to TAR;
(11) TAR securely sends TPOA a care-of address response message containing the new care-of address TCOA;
(12) On receiving the care-of address response from TAR, TPOA sends MN a care-of address notice message containing TCOA;
(13) MN uses TCOA to send a data forwarding request to TAR; thereafter TAR encapsulates DATA_VCOA with TCOA as destination and sends it to TCOA;
(14) MN securely sends a new care-of address registration request message to the home agent HAR, registering TCOA;
(15) On receiving the registration request, HAR replaces the binding between MN's home address HOA and VCOA with a binding between HOA and TCOA, securely sends MN a new care-of address registration reply message, and from then on encapsulates data DATA_HOA addressed to HOA with TCOA as destination and sends it to TCOA.
The invention has the following advantages:
1) Before handover, MN only needs to request a handover ticket from its home authentication server and register the target subnet care-of address with its current access router; no full pre-authentication and no complicated registration process are needed, so few operations are required before handover and the delay is short;
2) Link-layer and network-layer handover are planned together: the target subnet care-of address is registered before the link-layer handover and the new care-of address is registered after it, which shortens the time during which MN's data transmission is interrupted;
3) All signaling involved in the handover is protected, so the handover process has higher security.
Description of the drawings
Fig. 1 is the network model to which the invention applies;
Fig. 2 is the overall flow chart of the implementation of the invention;
Fig. 3 is the sub-flow chart of handover authentication and data forwarding in the invention.
Embodiment
The invention is described in further detail below with reference to the drawings.
Network model
With reference to Fig. 1, the network model to which the invention applies is as follows:
Wireless network H contains the access point HPOA, the router HAR and the authentication server HAS; wireless network V contains the access point VPOA, the router VAR and the authentication server VAS; wireless network T contains the access point TPOA, the router TAR and the authentication server TAS. The information server IS collects and maintains the parameter information of all networks and provides a network information query service for a given geographic area. Wireless networks H, V and T and the information server IS are all connected to the Internet.
The mobile terminal MN is a registered user of wireless network H, which is therefore MN's home network; the router HAR and the authentication server HAS in H are respectively MN's home agent and home authentication server. MN has roamed into the visited network V, has established a network connection through V's equipment, and is carrying a real-time service. The coverage areas of wireless network T and wireless network V overlap, and for MN the benefit of being in T is greater than that of being in V, so T is the target network of MN's handover.
Network initialization
It is assumed that MN has established security associations with the home authentication server HAS and with the home agent HAR in its home network H; that MN has established a security association with its current access router VAR in the visited network V; that in the target network T the access point TPOA has established security associations with the target router TAR and with the target authentication server TAS; and that the home authentication server HAS and the target authentication server TAS share a symmetric key k_HT.
In particular, to optimize handover between networks, the invention requires the router of every network to set a subnet care-of address and to register the subnet care-of address of its subnet with the information server IS. The subnet care-of address is a special address configured on the router, used by a mobile terminal that is about to hand over into that router's subnet to perform a care-of address registration with its current access router. The prefix of the subnet care-of address is the prefix of the router's subnet, and the remainder is a special value chosen by that router. Taking IPv4 addresses as an example, one way of setting it (not the only way) is: if the router's IP address is 201.0.35.0 and its subnet covers 201.0.35.0 to 201.0.35.255, the address 201.0.35.255 can be set as the subnet care-of address. (Note that on a /24 subnet this last address is the directed-broadcast address; a deployment should pick a host address that is not otherwise used, so that tunnelled packets are never broadcast onto the link.)
With reference to Fig. 2, the flow of the fast and secure heterogeneous network handover method of the invention is as follows:
One, target network discovery and selection
Step 1. While moving, MN periodically sends a Media Independent Handover (MIH) information request message to the information server IS through the currently accessed visited network V, to discover all wireless networks present at MN's current location.
Step 2. IS returns an MIH information response message according to MN's current location, containing the parameters of all wireless networks present there: network type, link state, authentication server identifier, nearby access point frequencies, nearby router identifiers and the subnet care-of address of the corresponding subnet.
Step 3. MN runs a handover decision algorithm to select the target network T, the target router TAR and the target subnet care-of address SCOA that yield the greatest benefit, and stores the frequencies of the access points of T near its current location obtained in step 2.
Two, handover ticket issuance
Step 4. MN securely sends a handover ticket request message to the home authentication server HAS; the message contains MN's identifier ID_MN and the identifier ID_TAS of the target authentication server TAS.
Here, and in steps 5, 6, 7, 11, 12, 13, 17 and 18 below, "securely sending" a message means that the message is encrypted and a message authentication code is computed over it using the security association that exists between the two entities involved in that step.
Step 5. On receiving the handover ticket request, HAS generates a random key k as the handover root key, sets a ticket validity time t, and encrypts ID_MN, ID_TAS, k and t with the symmetric key k_HT shared with TAS; the resulting ciphertext {ID_MN | ID_TAS | k | t}_k_HT is the handover ticket Ticket. HAS then securely sends k and Ticket to MN as the handover ticket response message.
Three, target subnet care-of address registration
Step 6. MN securely sends a target subnet care-of address registration request message to its current access router VAR; the message contains MN's current care-of address VCOA and the target subnet care-of address SCOA selected in step 3.
Step 7. On receiving the registration request, VAR securely sends a target subnet care-of address registration reply message to MN.
Step 8. From then on, for data DATA_VCOA addressed to MN's current care-of address VCOA, VAR encapsulates DATA_VCOA into DATA_SCOA with SCOA as the destination address and sends it to SCOA.
Step 9. On receiving DATA_SCOA addressed to SCOA, the target router TAR decapsulates it, extracts the inner destination address VCOA, recovers DATA_VCOA and handles it according to one of three cases:
If TAR's database holds no node address corresponding to VCOA, TAR allocates an unused node address TCOA in its subnet as the new care-of address, records the correspondence between VCOA and TCOA in the database as a triple (VCOA, TCOA, HO), where HO is the handover state flag and is set to 0, and buffers DATA_VCOA indexed by TCOA;
If the database already holds a node address TCOA corresponding to VCOA and the handover state flag HO is 1, TAR encapsulates DATA_VCOA with TCOA as the destination address and forwards it to TCOA;
If the database already holds a node address TCOA corresponding to VCOA and HO is 0, TAR buffers the received DATA_VCOA indexed by TCOA.
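The three cases of step 9, together with the HO update that TPOA triggers in steps 12 and 13 and the data forwarding request of step 13, as an added Python model of the target router's state. This is example code written for this page, not the patent's or Xidian University's implementation. The class and method names, the addresses (RFC 5737 documentation ranges) and the packet payloads are constructed; the subnet care-of address is taken as an ordinary host address rather than the .255 of the page's IPv4 example, and allocating a TCOA on a care-of address request when no data has arrived yet is an addition the text does not spell out.

```python
import ipaddress
from collections import defaultdict


class TargetAccessRouter:
    """TAR's handling of traffic tunnelled to the subnet care-of address SCOA (step 9) and of the
    HO flag set in steps 12-13. Bindings are the page's (VCOA, TCOA, HO) triples, keyed by VCOA."""

    def __init__(self, subnet: str, router_addr: str, scoa: str):
        self.subnet = ipaddress.ip_network(subnet)
        self.router_addr = ipaddress.ip_address(router_addr)
        self.scoa = ipaddress.ip_address(scoa)   # a plain host address, not the /24 broadcast address
        self.bindings = {}                        # VCOA -> [TCOA, HO]
        self.buffer = defaultdict(list)           # TCOA -> payloads held until the MN asks for them
        self.delivered = []                       # (TCOA, payload) handed to the target link, in order

    def _allocate_tcoa(self) -> str:
        # Hand out the first subnet address not used by the router, SCOA or an existing binding.
        in_use = {self.router_addr, self.scoa} | {ipaddress.ip_address(t) for t, _ in self.bindings.values()}
        for host in self.subnet.hosts():
            if host not in in_use:
                return str(host)
        raise RuntimeError("no free address in the subnet")

    def receive_tunneled(self, outer_dst: str, inner_dst: str, payload: bytes):
        """Step 9: DATA_SCOA from VAR. Outer destination must be SCOA; the inner destination is the MN's VCOA."""
        if ipaddress.ip_address(outer_dst) != self.scoa:
            return ("dropped", None)                      # not a handover tunnel packet
        if inner_dst not in self.bindings:                # case 1: first packet for this MN, new triple with HO=0
            self.bindings[inner_dst] = [self._allocate_tcoa(), 0]
        tcoa, ho = self.bindings[inner_dst]
        if ho == 1:                                       # case 2: MN authenticated, forward to TCOA directly
            self.delivered.append((tcoa, payload))
            return ("forwarded", tcoa)
        self.buffer[tcoa].append(payload)                 # case 3 (and the rest of case 1): hold it
        return ("buffered", tcoa)

    def care_of_address_request(self, vcoa: str, ho: int) -> str:
        """Steps 12-13: TPOA reports HO for VCOA after authentication; TAR answers with TCOA.
        Allocating a TCOA when no data arrived before authentication is our addition."""
        if vcoa not in self.bindings:
            self.bindings[vcoa] = [self._allocate_tcoa(), ho]
        self.bindings[vcoa][1] = ho
        return self.bindings[vcoa][0]

    def data_forwarding_request(self, tcoa: str) -> int:
        """Step 13: the MN, now reachable at TCOA, asks for its data; release the buffer in arrival order."""
        held = self.buffer.pop(tcoa, [])
        self.delivered.extend((tcoa, p) for p in held)
        return len(held)
```

One consequence worth seeing in the model: HO becomes 1 at step 12, but the MN's data forwarding request only arrives after the care-of address notice, so a packet that hits the second case in between is delivered before the packets still held in the buffer (if two packets are buffered before step 12 and a third arrives after it, the third reaches the MN first). A deployment that cares about ordering would drain the buffer before the first direct forward, or keep HO at 0 until the forwarding request is received.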
Four, handover authentication and data forwarding
With reference to Fig. 3, this part is implemented as follows:
Step 10. After MN receives the target subnet care-of address registration reply from VAR, it closes the visited network V interface, opens the target network T interface, performs an active scan using the access point frequencies of T stored in step 3, and establishes a link-layer association with the access point TPOA in T.
Step 11. Using the handover ticket Ticket, MN and TPOA authenticate each other with the assistance of TAS.
11a) MN generates a random number N_M and sends ID_MN, the home authentication server identifier ID_HAS, ID_TAS, N_M and Ticket together to the currently associated access point TPOA as handover authentication message I;
11b) TPOA securely sends handover authentication message I to TAS;
11c) On receiving message I, TAS decrypts Ticket with the key k_HT shared with HAS and obtains the ticket's intended users ID_MN and ID_TAS, the handover root key k and the validity time t. If the ticket's intended users are correct and the ticket has not expired, TAS proceeds to step 11d); otherwise it takes no action on the message;
11d) TAS generates a random number N_T and computes the handover authentication key PMK from k, N_M and N_T; it then securely sends ID_MN, N_T and PMK together to TPOA as handover authentication message II.
One way of computing PMK (not the only way) is:
PMK = KD-HMAC-SHA256(k | "Handover Authentication Key" | N_M | N_T),
where KD-HMAC-SHA256 is a key derivation algorithm and "Handover Authentication Key" is a key-usage description string;
11e) On receiving message II, TPOA generates a random number N_P, computes a message authentication code MAC_P over ID_MN, its own identifier ID_TPOA, N_M, N_T and N_P using PMK, and sends ID_MN, ID_TPOA, N_M, N_T, N_P and MAC_P together to MN as handover authentication message III.
One way of computing MAC_P (not the only way) is:
MAC_P = HMAC-SHA256(PMK | ID_MN | ID_TPOA | N_M | N_T | N_P),
where HMAC-SHA256 is the message authentication code algorithm;
11f) On receiving message III, MN first computes PMK from the handover root key k, N_M and N_T, and then checks the validity of the message by verifying MAC_P: MN computes MAC_P* over ID_MN, ID_TPOA, N_M, N_T and N_P using PMK. If MAC_P computed by TPOA in message III equals MAC_P* computed by MN, MN considers message III valid and TPOA authenticated, and proceeds to step 11g); otherwise MN refuses the connection.
The computations are the same as on the TPOA side (one way, not the only way):
PMK = KD-HMAC-SHA256(k | "Handover Authentication Key" | N_M | N_T);
MAC_P* = HMAC-SHA256(PMK | ID_MN | ID_TPOA | N_M | N_T | N_P);
where KD-HMAC-SHA256 is a key derivation algorithm, "Handover Authentication Key" is a key-usage description string and HMAC-SHA256 is the message authentication code algorithm;
11g) MN computes the handover session key PTK from PMK, N_M and N_P; PTK consists of three parts: the unicast encryption key TK, the message integrity key KCK and the key-encrypting key KEK.
MN then computes a message authentication code MAC_M over ID_MN, ID_TPOA, its current care-of address VCOA and N_P using KCK, and sends ID_MN, ID_TPOA, VCOA, N_P and MAC_M together to TPOA as handover authentication message IV.
One way of computing PTK (not the only way) is:
PTK = KD-HMAC-SHA256(PMK | "Handover Session Key" | N_M | N_P);
and one way of computing MAC_M is:
MAC_M = HMAC-SHA256(KCK | ID_MN | ID_TPOA | VCOA | N_P);
where KD-HMAC-SHA256 is a key derivation algorithm, "Handover Session Key" is a key-usage description string and HMAC-SHA256 is the message authentication code algorithm;
11h) On receiving message IV, TPOA computes PTK from PMK, N_M and N_P in the same way, obtaining TK, KCK and KEK, and checks the validity of the message by verifying MAC_M: TPOA computes MAC_M* over ID_MN, ID_TPOA, VCOA and N_P using KCK. If MAC_M computed by MN in message IV equals MAC_M* computed by TPOA, TPOA considers message IV valid and MN authenticated, and proceeds to step 12; otherwise TPOA refuses the connection.
The computations are the same as on the MN side (one way, not the only way):
PTK = KD-HMAC-SHA256(PMK | "Handover Session Key" | N_M | N_P);
MAC_M* = HMAC-SHA256(KCK | ID_MN | ID_TPOA | VCOA | N_P),
where KD-HMAC-SHA256 is a key derivation algorithm, "Handover Session Key" is a key-usage description string and HMAC-SHA256 is the message authentication code algorithm.
Step 12: The access point TPOA securely sends a care-of address request message to the target router TAR. The message contains the current care-of address VCOA and the handover state flag HO, where HO has the value 1.
Step 13: After receiving the care-of address request message, the target router TAR retrieves the new care-of address TCOA corresponding to the current care-of address VCOA and securely sends a care-of address response message containing the new care-of address TCOA to the access point TPOA.
Step 14: The access point TPOA uses the integrity key KCK to compute a message authentication code MAC_Φ over the mobile terminal identifier ID_MN, the access point identifier ID_TPOA, the random number N_M generated by the mobile terminal MN and the new care-of address TCOA, and sends ID_MN, ID_TPOA, N_M, TCOA and MAC_Φ together to the mobile terminal MN as the care-of address notification message.
One way of computing the message authentication code MAC_Φ is given here, without being limited to it:
MAC_Φ = HMAC-SHA256(KCK | ID_MN | ID_TPOA | N_M | TCOA),
where HMAC-SHA256 is the message authentication code algorithm.
Step 15: The mobile terminal MN verifies the validity of the care-of address notification message by checking the authentication code MAC_Φ it carries: it uses the integrity key KCK to compute a message authentication code MAC_Φ* over the mobile terminal identifier ID_MN, the access point identifier ID_TPOA, the random number N_M generated by the mobile terminal MN and the new care-of address TCOA. If the message authentication code MAC_Φ computed by the access point TPOA in the care-of address notification message equals the message authentication code MAC_Φ* computed by the mobile terminal MN, the mobile terminal MN regards the care-of address notification message as valid and uses the new care-of address TCOA to send a data forwarding request message to the target router TAR; otherwise, if the two differ, the mobile terminal MN rejects this connection.
One way of computing the message authentication code MAC_Φ* is given here, without being limited to it:
MAC_Φ* = HMAC-SHA256(KCK | ID_MN | ID_TPOA | N_M | TCOA),
where HMAC-SHA256 is the message authentication code algorithm.
Step 16: After receiving the data forwarding request message sent from the new care-of address TCOA, the target router TAR encapsulates the buffered data DATA_VCOA with the new care-of address TCOA as the destination address and sends it to the new care-of address TCOA.
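The session key derivation and the two MAC checks of steps 11g to 15, written out as an added Python example that is not part of the patent. The patent fixes HMAC-SHA256, the label "Handover Session Key" and the field order of MAC_M and MAC_Φ, but not the internal construction of KD-HMAC-SHA256, the sizes of TK, KCK and KEK, or how identifiers and addresses are encoded; the counter-mode HMAC expansion, the 16-byte key split, the byte encodings and every sample value (PMK, nonces, identifiers, addresses) are assumptions constructed for this example. It also exercises the two rejection paths a verifier should expect: a care-of address rewritten in transit, and a stale N_P, which changes KCK and so fails MAC_M even though every field of message IV is untouched.

```python
"""Added example: PTK derivation and the MAC checks of handover authentication
message IV and the care-of address notification (steps 11g to 15).
Not the patent's code; constructions and sample values marked below are assumed."""
import hashlib
import hmac

SESSION_LABEL = b"Handover Session Key"   # key-purpose string named by the patent
KEY_LEN = 16                              # assumed size of each of TK, KCK, KEK


def hmac_sha256(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over the concatenation of the fields (the patent's '|')."""
    return hmac.new(key, b"".join(fields), hashlib.sha256).digest()


def kd_hmac_sha256(key: bytes, text: bytes, out_len: int) -> bytes:
    """Assumed construction of KD-HMAC-SHA256: concatenate
    HMAC-SHA256(key, text || counter) blocks until out_len bytes are available."""
    out, counter = b"", 0
    while len(out) < out_len:
        out += hmac_sha256(key, text, counter.to_bytes(4, "big"))
        counter += 1
    return out[:out_len]


def derive_ptk(pmk: bytes, n_m: bytes, n_p: bytes) -> dict:
    """PTK = KD-HMAC-SHA256(PMK | "Handover Session Key" | N_M | N_P),
    split into unicast key TK, integrity key KCK and key-encrypting key KEK."""
    ptk = kd_hmac_sha256(pmk, SESSION_LABEL + n_m + n_p, 3 * KEY_LEN)
    return {"TK": ptk[:KEY_LEN],
            "KCK": ptk[KEY_LEN:2 * KEY_LEN],
            "KEK": ptk[2 * KEY_LEN:]}


def mac_message_iv(kck, id_mn, id_tpoa, vcoa, n_p):
    """MAC_M = HMAC-SHA256(KCK | ID_MN | ID_TPOA | VCOA | N_P)."""
    return hmac_sha256(kck, id_mn, id_tpoa, vcoa, n_p)


def mac_coa_notice(kck, id_mn, id_tpoa, n_m, tcoa):
    """MAC_Phi = HMAC-SHA256(KCK | ID_MN | ID_TPOA | N_M | TCOA)."""
    return hmac_sha256(kck, id_mn, id_tpoa, n_m, tcoa)


# Constructed sample values (assumptions, not taken from the patent)
PMK = hashlib.sha256(b"sample PMK").digest()
ID_MN, ID_TPOA = b"mn@home.example", b"tpoa-17.target.example"
N_M, N_P = bytes(range(16)), bytes(range(16, 32))
VCOA, TCOA = b"2001:db8:1::100", b"2001:db8:2::200"


def run_handover(n_p=N_P, tamper_vcoa=False, tpoa_n_p=None):
    """Both sides of steps 11g to 15.
    Returns (TPOA accepted message IV, MN accepted the care-of address notice).
    tamper_vcoa simulates VCOA being rewritten in transit; tpoa_n_p lets the
    access point key on a different (stale) N_P than the one MN derived with."""
    # Step 11g, MN side: derive PTK, compute MAC_M, build message IV.
    mn_keys = derive_ptk(PMK, N_M, n_p)
    msg_iv = {"ID_MN": ID_MN, "ID_TPOA": ID_TPOA, "VCOA": VCOA, "N_P": n_p,
              "MAC_M": mac_message_iv(mn_keys["KCK"], ID_MN, ID_TPOA, VCOA, n_p)}
    if tamper_vcoa:
        msg_iv["VCOA"] = b"2001:db8:bad::1"

    # Step 11h, TPOA side: the AP keys on the N_P it generated itself, never on
    # the copy echoed in the message, so a forged N_P cannot steer KCK.
    ap_n_p = n_p if tpoa_n_p is None else tpoa_n_p
    ap_keys = derive_ptk(PMK, N_M, ap_n_p)
    mac_m_star = mac_message_iv(ap_keys["KCK"], msg_iv["ID_MN"], msg_iv["ID_TPOA"],
                                msg_iv["VCOA"], ap_n_p)
    if not hmac.compare_digest(mac_m_star, msg_iv["MAC_M"]):
        return False, False        # TPOA rejects; steps 12 to 15 never run

    # Steps 12 to 14: TPOA obtains TCOA from TAR (a constant here) and signs the notice.
    mac_phi = mac_coa_notice(ap_keys["KCK"], ID_MN, ID_TPOA, N_M, TCOA)
    # Step 15, MN side: recompute MAC_Phi* with its own KCK and N_M.
    mac_phi_star = mac_coa_notice(mn_keys["KCK"], ID_MN, ID_TPOA, N_M, TCOA)
    return True, hmac.compare_digest(mac_phi_star, mac_phi)


if __name__ == "__main__":
    print(run_handover())                      # (True, True)
    print(run_handover(tamper_vcoa=True))      # (False, False)
    print(run_handover(tpoa_n_p=bytes(16)))    # (False, False)
```

Two details matter in practice: the comparison uses `hmac.compare_digest`, since a byte-by-byte early-exit comparison of MAC_M leaks timing; and TPOA derives KCK from the N_P it generated rather than the N_P echoed in message IV, so the MAC binds the message to the AP's own nonce and a replayed message IV from an earlier handover fails verification.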
Five. New care-of address registration
Step 17: The mobile terminal MN securely sends a new care-of address registration request to the home agent HAR. The message contains the mobile terminal's home address HOA and the new care-of address TCOA.
Step 18: After receiving the new care-of address registration request message sent by the mobile terminal MN, the home agent HAR updates the binding between the home address HOA and the current care-of address VCOA to a binding between the home address HOA and the new care-of address TCOA, and securely sends a new care-of address registration reply message to the mobile terminal MN.
Step 19: For data DATA_HOA addressed to the mobile terminal's home address HOA, the home agent HAR encapsulates it with the new care-of address TCOA as the destination address and sends it to the new care-of address TCOA.
Symbol description
|: message concatenation
{ }_k: the ciphertext obtained by encrypting the message in { } with a symmetric encryption algorithm and key k
DATA_HOA: data sent to the home address HOA of the mobile terminal MN
DATA_SCOA: data sent to the target subnet care-of address SCOA
DATA_VCOA: data sent to the current care-of address VCOA of the mobile terminal
EAP: Extensible Authentication Protocol
EMSK: extended master session key
H: home network of the mobile terminal MN
HAR: home agent of the mobile terminal MN
HAS: home authentication server of the mobile terminal MN
HMAC-SHA256: message authentication code algorithm
HO: handover state flag
HOA: home address of the mobile terminal MN
HOKEY: handover key management protocol
HPOA: access point in the home network of the mobile terminal MN
ID_MN: identifier of the mobile terminal MN
ID_HAS: identifier of the home authentication server HAS
ID_TAS: identifier of the target authentication server TAS
ID_TAR: identifier of the target router TAR
ID_TPOA: identifier of the access point TPOA in the target network T
IEEE: Institute of Electrical and Electronics Engineers
IEEE 802.11i: the wireless LAN security standard formulated by the IEEE
IEEE 802.21: the media-independent handover services standard formulated by the IEEE
IETF: Internet Engineering Task Force
IP: Internet Protocol
IPv4: Internet Protocol version 4
IPv6: Internet Protocol version 6
IS: information server
k: handover root key
k_HT: symmetric key shared by the home authentication server HAS and the target authentication server TAS
KEK: key-encrypting key
KCK: message integrity key
KD-HMAC-SHA256: key derivation algorithm
MN: mobile terminal
MAC_M: message authentication code computed by the mobile terminal MN in handover authentication message IV
MAC_M*: message authentication code computed by the access point TPOA to verify handover authentication message IV
MAC_P: message authentication code computed by the access point TPOA in handover authentication message III
MAC_P*: message authentication code computed by the mobile terminal MN to verify handover authentication message III
MAC_Φ: message authentication code computed by the access point TPOA in the care-of address notification message
MAC_Φ*: message authentication code computed by the mobile terminal MN to verify the care-of address notification message
MAP: mobility anchor point
MIH: media-independent handover
MPA: media-independent pre-authentication
N_M: random number generated by the mobile terminal MN
N_P: random number generated by the access point TPOA
N_T: random number generated by the target authentication server TAS
PMK: handover authentication key
PTK: handover session key
RFC: IETF Request for Comments document
SCOA: target subnet care-of address
t: ticket validity period
T: target network to which the mobile terminal MN hands over
TAR: target access router of the mobile terminal MN
TAS: target authentication server of the mobile terminal MN
TCOA: new care-of address of the mobile terminal MN
Ticket: handover ticket of the mobile terminal MN
TK: unicast encryption key
TPOA: access point in the target network T of the mobile terminal
V: visited network of the mobile terminal MN
VAR: current access router of the mobile terminal MN
VAS: authentication server in the visited network V of the mobile terminal MN
VCOA: current care-of address used by the mobile terminal MN in the visited network V
VPOA: access point in the visited network V of the mobile terminal MN.

Claims (8)

1. A rapid and secure heterogeneous wireless network handover method, comprising the following steps:
(1) while moving, the mobile terminal MN periodically uses the media-independent information service, through the currently accessed visited network V, to discover all wireless networks present at its current location and obtains their network type, link state, authentication server identifier, the frequencies of nearby access points, the identifiers of nearby routers and the subnet care-of address of each subnet;
(2) the mobile terminal MN runs a handover decision algorithm and selects the target network T, target router TAR and target subnet care-of address SCOA that yield the largest benefit;
(3) the mobile terminal MN securely sends a handover ticket request message to the home authentication server HAS in the home network H; this message contains the mobile terminal identifier ID_MN and the identifier ID_TAS of the target authentication server TAS in the target network T;
(4) the home authentication server HAS generates a handover root key k and a handover ticket Ticket for the mobile terminal MN, and securely sends the handover root key k and the handover ticket Ticket to the mobile terminal MN as a handover ticket response message;
(5) the mobile terminal MN securely sends a target subnet care-of address registration request message to the current access router VAR in the visited network V, to register the target subnet care-of address SCOA;
(6) the current access router VAR securely sends a target subnet care-of address registration reply message to the mobile terminal MN; for data DATA_VCOA addressed to the current care-of address VCOA of the mobile terminal MN, the current access router VAR encapsulates it according to the target subnet care-of address SCOA into data DATA_SCOA and sends it to the target subnet care-of address SCOA;
(7) for data DATA_SCOA addressed to the target subnet care-of address SCOA, the target router TAR parses the inner destination address VCOA, recovers the data DATA_VCOA, and buffers or forwards the data DATA_VCOA according to the handover state of the mobile terminal MN;
(8) after receiving the target subnet care-of address registration reply message sent by the current access router VAR, the mobile terminal MN closes the visited network V interface, opens the target network T interface, and establishes a link-layer connection with the access point TPOA in the target network T;
(9) using the handover ticket Ticket, the mobile terminal MN and the access point TPOA mutually authenticate with the assistance of the target authentication server TAS;
(10) if the mobile terminal MN passes authentication, the access point TPOA securely sends a care-of address request message to the target router TAR;
(11) the target router TAR securely sends a care-of address response message containing the new care-of address TCOA to the access point TPOA;
(12) after receiving the care-of address response message sent by the target router TAR, the access point TPOA sends a care-of address notification message containing the new care-of address TCOA to the mobile terminal MN;
(13) the mobile terminal MN uses the new care-of address TCOA to send a data forwarding request to the target router TAR, after which the target router TAR encapsulates the data DATA_VCOA with the new care-of address TCOA and sends it to the new care-of address TCOA;
(14) the mobile terminal MN securely sends a new care-of address registration request message to the home agent HAR, to register the new care-of address TCOA;
(15) after receiving the registration request message sent by the mobile terminal MN, the home agent HAR updates the binding between the mobile terminal's home address HOA and the current care-of address VCOA to a binding between the home address HOA and the new care-of address TCOA, securely sends a new care-of address registration reply message to the mobile terminal MN, encapsulates data DATA_HOA whose destination address is the mobile terminal's home address HOA with the new care-of address TCOA, and sends it to the new care-of address TCOA.
2. The rapid and secure heterogeneous wireless network handover method according to claim 1, wherein the media-independent information service of step (1) means that the mobile terminal MN sends a media-independent handover (MIH) information request message to the information server IS and the information server IS sends an MIH information response message to the mobile terminal MN; it is one of the media-independent handover services provided by the IEEE 802.21 standard.
3. The rapid and secure heterogeneous wireless network handover method according to claim 1, wherein securely sending a message in steps (3), (4), (5), (6), (10), (11), (14) and (15) means encrypting the message and computing a message authentication code over it, using the security association between the two entities involved in the respective step, so as to protect the message being sent.
4. The rapid and secure heterogeneous wireless network handover method according to claim 1, wherein the handover ticket Ticket of step (4) is the ciphertext {ID_MN | ID_TAS | k | t}_kHT obtained by the home authentication server HAS encrypting the mobile terminal identifier ID_MN, the target authentication server identifier ID_TAS, the handover root key k and the ticket validity period t with the symmetric key k_HT it shares with the target authentication server TAS.
5. The rapid and secure heterogeneous wireless network handover method according to claim 1, wherein the target subnet care-of address SCOA of step (5) is a special address set by the target router and used by mobile terminals about to hand over into the subnet of that router to register a care-of address with their current access router; the prefix of the target subnet care-of address SCOA is the prefix of the subnet of the target router, and the remainder is a special field assigned by that router.
6. The rapid and secure heterogeneous wireless network handover method according to claim 1, wherein the mutual authentication of the mobile terminal MN and the access point TPOA with the assistance of the target authentication server TAS using the handover ticket Ticket in step (9) is an authentication carried out by handover authentication messages I to IV, the authentication process being as follows:
9a) the mobile terminal MN generates a random number N_M and sends the mobile terminal identifier ID_MN, the home authentication server identifier ID_HAS, the target authentication server identifier ID_TAS, the random number N_M generated by the mobile terminal MN and the handover ticket Ticket together, as handover authentication message I, to the access point TPOA in the target network T with which the mobile terminal MN has associated;
9b) the access point TPOA securely sends handover authentication message I to the target authentication server TAS;
9c) after receiving handover authentication message I, the target authentication server TAS decrypts the handover ticket Ticket with the key k_HT shared with the home authentication server HAS and obtains the identifiers ID_MN and ID_TAS of the parties the ticket is intended for, the handover root key k and the ticket validity period t; if the ticket's intended parties are correct and the ticket has not expired, it proceeds to step 9d); otherwise the message is discarded without further processing;
9d) the target authentication server TAS generates a random number N_T, computes the handover authentication key PMK from the handover root key k, the random number N_M generated by the mobile terminal MN and the random number N_T generated by the target authentication server TAS, and securely sends the mobile terminal identifier ID_MN, the random number N_T generated by the target authentication server TAS and the handover authentication key PMK together to the access point TPOA as handover authentication message II;
9e) after receiving handover authentication message II, the access point TPOA generates a random number N_P, uses the handover authentication key PMK to compute a message authentication code MAC_P over the mobile terminal identifier ID_MN, the access point identifier ID_TPOA, the random number N_M generated by the mobile terminal MN, the random number N_T generated by the target authentication server TAS and the random number N_P generated by the access point TPOA, and sends ID_MN, ID_TPOA, N_M, N_T, N_P and MAC_P together to the mobile terminal MN as handover authentication message III;
9f) after receiving handover authentication message III, the mobile terminal MN first computes the handover authentication key PMK from the handover root key k, the random number N_M generated by the mobile terminal MN and the random number N_T generated by the target authentication server TAS, and then verifies the validity of handover authentication message III; if handover authentication message III is valid, the access point TPOA has been authenticated and the mobile terminal MN proceeds to step 9g); otherwise the mobile terminal MN rejects this connection;
9g) the mobile terminal MN computes the handover session key PTK from the handover authentication key PMK, the random number N_M generated by the mobile terminal MN and the random number N_P generated by the access point TPOA, then uses the message integrity key KCK in the handover session key PTK to compute a message authentication code MAC_M over the mobile terminal identifier ID_MN, the access point identifier ID_TPOA, the current care-of address VCOA and the random number N_P generated by the access point TPOA, and sends ID_MN, ID_TPOA, VCOA, N_P and MAC_M together to the access point TPOA as handover authentication message IV;
9h) after receiving handover authentication message IV, the access point TPOA computes the handover session key PTK from the handover authentication key PMK, the random number N_M generated by the mobile terminal MN and the random number N_P generated by the access point TPOA, and then verifies the validity of handover authentication message IV; if handover authentication message IV is valid, the mobile terminal MN has been authenticated; otherwise the access point TPOA rejects this connection.
7. The rapid and secure heterogeneous wireless network handover method according to claim 6, wherein securely sending a message in steps 9b) and 9d) means encrypting the message and computing a message authentication code over it, using the security association between the two entities involved in the respective step, so as to protect the message being sent.
8. The rapid and secure heterogeneous wireless network handover method according to claim 6, wherein the handover session key PTK of steps 9g) and 9h) consists of three parts: the unicast encryption key TK, the message integrity key KCK and the key-encrypting key KEK.
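Ticket issuance by HAS (claim 4) together with the ticket check, PMK derivation and message III verification of claim 6, steps 9c to 9f, as an added Python example that is not the patent's own code. The patent specifies neither the symmetric cipher behind {ID_MN | ID_TAS | k | t}_kHT nor the formula by which PMK is derived from k, N_M and N_T; this example uses an HMAC-SHA256 keystream with an appended HMAC tag as a stand-in cipher, a counter-mode HMAC expansion for KD-HMAC-SHA256, an assumed label "Handover Authentication Key", a fixed-width field encoding, and constructed sample keys, identifiers, nonces and expiry time. All of these are assumptions, not values from the patent. The example exercises the three rejection paths step 9c demands (ticket for another TAS or another MN, expired ticket, forged ciphertext) and the PMK-keyed MAC_P check that lets MN authenticate the access point in step 9f.

```python
"""Added example: handover ticket issuance by HAS (claim 4), ticket checking and
PMK derivation by TAS (claim 6, steps 9c and 9d) and the MAC_P check of
handover authentication message III (steps 9e and 9f). Not the patent's code;
the cipher, PMK label, field widths and sample values are assumptions."""
import hashlib
import hmac
import struct

PMK_LABEL = b"Handover Authentication Key"  # assumed label; the patent names none
ID_LEN = 32                                  # assumed fixed width for identifiers
NONCE_LEN, TAG_LEN = 16, 32


def hmac_sha256(key, *fields):
    return hmac.new(key, b"".join(fields), hashlib.sha256).digest()


def kd_hmac_sha256(key, text, out_len):
    """Assumed counter-mode HMAC expansion standing in for KD-HMAC-SHA256."""
    out, ctr = b"", 0
    while len(out) < out_len:
        out += hmac_sha256(key, text, ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:out_len]


def seal(k_ht, nonce, plaintext):
    """Stand-in for {plaintext}_kHT: HMAC-SHA256 keystream XOR, then an HMAC tag
    (encrypt-then-MAC). The patent only says 'a symmetric encryption algorithm'."""
    k_enc, k_mac = kd_hmac_sha256(k_ht, b"enc", 32), kd_hmac_sha256(k_ht, b"mac", 32)
    stream = kd_hmac_sha256(k_enc, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + hmac_sha256(k_mac, nonce, ct)


def unseal(k_ht, blob):
    """Inverse of seal(); returns None when the tag does not verify."""
    k_enc, k_mac = kd_hmac_sha256(k_ht, b"enc", 32), kd_hmac_sha256(k_ht, b"mac", 32)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac_sha256(k_mac, nonce, ct)):
        return None
    stream = kd_hmac_sha256(k_enc, nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def issue_ticket(k_ht, nonce, id_mn, id_tas, k, t_expiry):
    """HAS side (claim 4): Ticket = {ID_MN | ID_TAS | k | t}_kHT."""
    body = (id_mn.ljust(ID_LEN, b"\0") + id_tas.ljust(ID_LEN, b"\0")
            + k + struct.pack(">Q", t_expiry))
    return seal(k_ht, nonce, body)


def derive_pmk(k, n_m, n_t):
    """PMK from the handover root key k, N_M and N_T (label assumed)."""
    return kd_hmac_sha256(k, PMK_LABEL + n_m + n_t, 32)


def tas_process_message_i(k_ht, my_id, ticket, id_mn_claimed, n_m, n_t, now):
    """TAS side, steps 9c and 9d: open the ticket, check that it is meant for
    this TAS and for the MN named in message I and has not expired, then
    derive PMK. Returns None when message I must be discarded."""
    body = unseal(k_ht, ticket)
    if body is None:
        return None
    id_mn = body[:ID_LEN].rstrip(b"\0")
    id_tas = body[ID_LEN:2 * ID_LEN].rstrip(b"\0")
    k = body[2 * ID_LEN:2 * ID_LEN + 32]
    (t_expiry,) = struct.unpack(">Q", body[2 * ID_LEN + 32:2 * ID_LEN + 40])
    if id_tas != my_id or id_mn != id_mn_claimed or now > t_expiry:
        return None
    return derive_pmk(k, n_m, n_t)


def mac_p(pmk, id_mn, id_tpoa, n_m, n_t, n_p):
    """Step 9e: MAC_P keyed with PMK over the fields of message III."""
    return hmac_sha256(pmk, id_mn, id_tpoa, n_m, n_t, n_p)


# Constructed sample values (assumptions, not from the patent)
K_HT = hashlib.sha256(b"HAS-TAS shared key").digest()
K_ROOT = hashlib.sha256(b"handover root key k").digest()
ID_MN, ID_TAS, ID_TPOA = b"mn@home.example", b"tas.target.example", b"tpoa-17.target.example"
N_M, N_T, N_P = bytes(range(16)), bytes(range(16, 32)), bytes(range(32, 48))
T_EXPIRY = 1_700_000_000
TICKET = issue_ticket(K_HT, b"\x0f" * NONCE_LEN, ID_MN, ID_TAS, K_ROOT, T_EXPIRY)


def run_messages_i_to_iii(now, claimed_id_mn=ID_MN, ticket=TICKET):
    """Messages I to III end to end.
    Returns (TAS issued a PMK, MN accepted message III)."""
    pmk = tas_process_message_i(K_HT, ID_TAS, ticket, claimed_id_mn, N_M, N_T, now)
    if pmk is None:
        return False, False
    # Step 9e: TPOA, holding PMK from message II, signs message III.
    received = mac_p(pmk, ID_MN, ID_TPOA, N_M, N_T, N_P)
    # Step 9f: MN derives PMK from its own k, N_M and the received N_T, then checks MAC_P.
    expected = mac_p(derive_pmk(K_ROOT, N_M, N_T), ID_MN, ID_TPOA, N_M, N_T, N_P)
    return True, hmac.compare_digest(expected, received)
```

The tag appended by `seal` is a design choice of this example, not something the patent claims: claim 4 defines the ticket as bare ciphertext, and with a malleable cipher and no integrity check an attacker could flip bits of t or k undetected. Note also that message I carries no proof that the sender holds k, so a captured ticket can still be replayed to elicit message III; the loop is closed only in steps 9f and 9h, where the MACs keyed with PMK and KCK require knowledge of k.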

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110001069.2A CN102026190B (en) 2011-01-05 2011-01-05 Rapid and safe heterogeneous wireless network switching method


Publications (2)

Publication Number Publication Date
CN102026190A true CN102026190A (en) 2011-04-20
CN102026190B CN102026190B (en) 2013-06-12

Family

ID=43866906



Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102572790A (en) * 2012-03-13 2012-07-11 中山大学 Distributed mobile IPV6 (Internet Protocol Version 6) method based on AR (Access Router) level
CN103118034A (en) * 2013-03-07 2013-05-22 西安电子科技大学 Method for adaptively authenticating heterogenous networks
CN106130896A (en) * 2016-06-23 2016-11-16 广州鲁邦通物联网科技有限公司 The selection changing method of the router under a kind of many wifi hotspot environment and system
CN108601015A (en) * 2018-03-13 2018-09-28 北京邮电大学 A kind of method for switching network, mobile device, serving network node and system
CN109067761A (en) * 2018-08-29 2018-12-21 句容市凯特电力电器有限公司 A kind of wireless network motion management method based on SIP
WO2021109770A1 (en) * 2019-12-02 2021-06-10 西安西电捷通无线网络通信股份有限公司 Wireless network switching method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1852600A (en) * 2005-12-26 2006-10-25 华为技术有限公司 Message safety transmitting method befor set-up of link in heterogeneous network switch-over
CN101568108A (en) * 2008-04-21 2009-10-28 华为技术有限公司 Switching method and equipment between heteroid systems
CN101867930A (en) * 2010-06-04 2010-10-20 西安电子科技大学 Rapid authentication method for wireless Mesh network backbone node switching





Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130612

Termination date: 20190105
