CN102217239A - Method, apparatus and system for updating group transient key - Google Patents


Info

Publication number: CN102217239A
Authority: CN (China)
Prior art keywords: access point, group, temporary key, key, virtual access
Legal status: Granted
Application number: CN2010800034370A
Other languages: Chinese (zh)
Other versions: CN102217239B (en)
Inventors: 胡建如, 刘国平, 颜林志, 唐建文
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; publication of CN102217239A; application granted; publication of CN102217239B; legal status active

Classifications

    • H04L63/065 Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
    • H04L9/0833 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key

Abstract

A method, apparatus and system for updating a Group Transient Key (GTK) are provided. The method includes the following steps: dividing an Access Point (AP) into several Virtual Access Points (VAP) according to a service configuration request sent from the Access Control point (AC), wherein each VAP has a Service Set IDentifier (SSID); calculating the GTK at the granularity of the VAP and saving the GTK; receiving a GTK update proxy request sent from the AC and updating the GTK for the Stations (STA) within the range of the VAP. The method, apparatus and system provided by the embodiments of the present invention not only move GTK management from the AC to the AP, which greatly relieves the burden on the AC under the thin-AP centralized-management network model, but also change the scope of a GTK update from the level of the Extended Service Set (ESS) to that of the VAP, which reduces the scope of each update and the network traffic of the whole system, and reduces system oscillation.

Description

Group temporary key update method, device and system
Technical field
The present invention relates to WLAN, and in particular to a group temporary key update method, device and system.
Background art
A wireless local area network (Wireless Local Area Network, WLAN) is a product of the combination of computer and wireless communication technology in the 1990s. It accesses the network over wireless channels, offers one of the potential means for mobile, personalized and multimedia communication applications, and is an effective means of broadband access.
802.11 is the WLAN standard formulated by the IEEE. Its architecture comprises: wireless stations STA (station), wireless access points AP (access point), the independent basic service set IBSS (independent basic service set), the basic service set BSS (basic service set), the distribution system DS (distribution system) and the extended service set ESS (extended service set). A wireless station STA is generally a PC or notebook with a wireless network card added, or a non-computer terminal containing an embedded device that provides wireless connectivity, for example a mobile phone that supports 802.11. A wireless access point AP can be regarded as a wireless hub; its function is to provide bridging between STAs and the existing (wired or wireless) backbone network, giving wireless users access to the wired or wireless network.
In 802.11 networks, for the security of over-the-air communication, a group temporary key (Group Transient Key, GTK) may be used to encrypt and decrypt broadcast and multicast messages. Also for security reasons, the group temporary key needs to be updated both periodically and aperiodically. In existing thin AP schemes, the group temporary key is updated on the access control point AC (Access Control) at ESS granularity, and a group temporary key update is currently triggered in the following cases:
1. The AC periodically updates the group temporary key of the users (wireless stations STA) in the ESS it manages;
2. The AC responds to a group temporary key update request triggered by a user in the ESS and updates the multicast key for all users in that ESS.
All of the above update operations have to be completed on the access control point AC. Because of the characteristics of WLAN networks, each ESS managed on the AC contains many users, and users going online and offline is a very frequent phenomenon, so group temporary key update operations are triggered frequently, the AC system has to process these messages frequently, and the result is low system efficiency, performance degradation or even paralysis.
Summary of the invention
The embodiments of the present invention provide a group temporary key update method, device and system, to avoid the system performance bottleneck caused by the AC centrally and frequently processing group temporary key update operations.
The above purpose of the embodiments of the present invention is achieved by the following technical solution:
A group temporary key update method, the method comprising: dividing an access point into multiple virtual access points according to a service configuration request issued by an access control point, each virtual access point having a service set identifier; computing and saving a group temporary key at virtual access point granularity; receiving a group key update proxy request issued by the access control point and performing a group key update for the wireless stations within the range of the virtual access point.
An access device, the device being divided into multiple virtual access points, the device comprising: a detection unit, for detecting whether a specific virtual access point needs a group temporary key update; a determining unit, for determining the new group temporary key to be updated for the specific virtual access point when the detection unit detects that the specific virtual access point needs a group temporary key update; an updating unit, for sending the new group temporary key to all online wireless stations within the range of the specific virtual access point to perform the group temporary key update.
A communication system, the system comprising an access point and wireless stations, the access point connecting the wireless stations and being divided into multiple virtual access points; when the access point detects that a specific virtual access point needs a group temporary key update, it determines the new group temporary key to be updated for the specific virtual access point and sends the determined new group temporary key to all online wireless stations within the range of the specific virtual access point to perform the group temporary key update.
With the method, device and system provided by the embodiments of the present invention, not only is the location of group key management changed, being transferred from the AC to the AP, which greatly relieves the burden on the AC under the thin AP centralized-management network model, but the scope of a group key update is also changed, dropping from ESS level to VAP level, which reduces the scope of each update, reduces the traffic of the whole system network and alleviates system oscillation.
Brief description of the drawings
The accompanying drawings described here are intended to provide a further understanding of the invention and form part of this application; they do not limit the invention. In the drawings:
Fig. 1 is the method flow chart of an embodiment of the present invention;
Fig. 2 is a schematic diagram of the thin AP network structure;
Fig. 3 is a flow chart of a STA accessing the AC via an AP in one embodiment of the invention;
Fig. 4 is the link establishment flow chart of one embodiment of the invention;
Fig. 5 is the message authentication flow chart of one embodiment of the invention;
Fig. 6 is the flow chart of one GTK update method of an embodiment of the invention;
Fig. 7 is the flow chart of another GTK update method of an embodiment of the invention;
Fig. 8 is the flow chart of another GTK update method of an embodiment of the invention;
Fig. 9 is the flow chart of another GTK update method of an embodiment of the invention;
Fig. 10 is the flow chart of another GTK update method of an embodiment of the invention;
Fig. 11 is the block diagram of the device of an embodiment of the invention;
Fig. 12 is the block diagram of the system of an embodiment of the invention.
Detailed description of embodiments
In order to make the purpose, technical scheme and advantages of the embodiments of the present invention more clearly understood, the embodiments are described in further detail below with reference to the embodiments and the drawings. Here, the exemplary embodiments and their description are used to explain the invention and are not a limitation of the invention.
Fig. 1 is the flow chart of a group temporary key update method provided by an embodiment of the present invention. The method can be applied to an access point AP in a wireless local area network WLAN. Referring to Fig. 1, the method includes:
Step 101: the access point AP is divided into multiple virtual access points.
The method of this embodiment can be applied to the thin AP network architecture. Fig. 2 is a schematic diagram of the thin AP network structure. Referring to Fig. 2, the network architecture includes the access control point AC, the access points AP connected under the centrally controlling AC, and the wireless station devices STA connected under each access point.
In this embodiment, the processing of dividing VAPs can be triggered after the AP receives a service configuration request issued by the access control point AC to the AP. According to the service type, service configuration parameters and so on carried in the service configuration request, the access point AP divides multiple virtual APs, i.e. VAPs, on the AP; each VAP corresponds to one service set identifier SSID, i.e. it is identified by one SSID. The AP determines the service type that needs to be configured according to the service configuration request and adds that service type to one or more existing VAPs. The division of VAPs on the AP can also be performed by the business support system through remote configuration over a management interface, or of course by operation and maintenance personnel through a configuration command line or a human-computer interaction interface. Among the multiple VAPs divided on the AP, each VAP can contain one or more services. For example, 3 VAPs, i.e. VAP1, VAP2 and VAP3, are divided on the AP, where VAP1 provides an Internet access service, VAP2 provides a video service, and VAP3 provides both Internet access and video services; this embodiment is not limited in this respect. Because each VAP is logically independent, the multiple VAPs do not affect each other, which facilitates service operation, maintenance and management.
In this embodiment, the SSID of a VAP is used to identify the VAP, so that after a wireless station has scanned the SSID with its wireless network card, it can conveniently connect to the VAP corresponding to that SSID among the multiple VAPs on the AP, in order to associate with the AC and so access the network.
Step 102: the AP computes the group temporary key at VAP granularity;
In this embodiment, each of the multiple VAPs on the AP computes its own corresponding group temporary key: one group temporary key corresponds to one VAP, and all STAs under that VAP share this group temporary key. The AC no longer needs to save GMK (Group Master Key) and GTK information at ESS level; instead it is computed and saved at VAP granularity on the AP, that is, the AP computes and saves one GMK and GTK for each VAP. If a user (wireless station) under the VAP goes offline, or the group temporary key needs to be updated for another reason, only the group temporary key (GTK) of that VAP needs to be updated, and all online users under that VAP are notified. In this way the whole update process no longer needs the AC to participate, and each update involves at most about 100 users.
Step 103: the AP sends the computed group temporary key to all online users under the corresponding VAP to update the group temporary key of that VAP.
For example, the AP receives a group key update proxy request issued by the AC, responds to it, determines among the multiple VAPs the VAP whose group temporary key needs updating, and performs a group key update for all online STAs within the range of the determined VAP.
In this embodiment, the AP detects whether a group temporary key update is needed for a specific VAP on the AP, in order to trigger the update processing for that specific VAP.
In one embodiment of the invention, detecting on the AP whether a group temporary key update is needed for a specific VAP is realized by the AP detecting a group key update proxy request sent by the AC. The AP detects the group key update proxy request sent by the AC, determines the VAP whose group temporary key needs updating, and performs the group temporary key update within the range of the determined VAP.
In another embodiment of the invention, detecting on the AP whether a group temporary key update is needed for a specific VAP is realized by the AP detecting the connection status of the STAs in its coverage area. The AP detects that a specific STA in its coverage area has changed from the online state to the offline state; if it determines that a group temporary key update is needed for the VAP the STA belongs to, it performs the group temporary key update within the range of that VAP.
Because the whole update process no longer needs the AC to participate, the processing load of the AC is alleviated. In addition, the scope of an update drops from the ESS level managed by the AC (the ESS managed by the AC includes all the APs connected under it) to the VAP level on the AP in the embodiments of the present invention, which reduces the scope of the update, therefore reduces the traffic of the whole system network and alleviates system oscillation.
Fig. 3 is the processing flow chart of the method provided by the embodiment of the present invention for the AP when a STA accesses the network via the AP. Referring to Fig. 3, the access process includes:
Step 301: the STA scans nearby wireless signals with its wireless network card and obtains a list of wireless access points, namely the set of service set identifiers SSID that the AP provides after dividing VAPs; the wireless station STA of this embodiment selects one of them to connect to;
In this embodiment, depending on the authentication mode, it is necessary to prove legitimate access by entering a password, providing a certificate and so on; these can be realized by means of the prior art and are not repeated here.
In this embodiment, the STA selecting an SSID and making a wireless connection can be completed by the steps shown in Fig. 4, but this embodiment is not limited in this respect. Referring to Fig. 4, the method includes:
Step 401: the STA sends a link authentication request (Authentication request - open system) to the AP;
The link authentication request may also carry the SSID of the selected VAP and the user identifier of the STA.
Step 402: the AP receives the link authentication request, performs link authentication and returns a link authentication response to the STA;
Step 403: after receiving the link authentication response returned by the AP, the STA sends an association request (Association request) to the AC via the AP;
The association request may carry the SSID of the VAP selected by the STA and the user identifier of the STA.
Step 404: when the AC decides that the STA can be admitted, the association relationship between the VAP and the STA is established on the AC and an association response (Association response) is returned to the STA, allowing the STA to access the wireless network; at the same time the AC records the STA's related information, such as the STA's MAC address, VAP and SSID.
The association response may carry the association relationship between the STA and the VAP, such as the correspondence information between the SSID and the STA. Because the messages exchanged between the STA and the AC are all forwarded via the AP, the AP can intercept the association response; if it determines from the association response that the STA authentication succeeded and the AC has established the STA-VAP association, the association relationship between the VAP and the STA is established on the AP as well. At this point the correspondence information such as the STA's MAC, VAP and SSID is also saved on the AP, and the wireless link is now connected.
Step 302: after the wireless link is connected, the STA performs message authentication with the AC via the AP. In this embodiment, the message authentication process can be realized by a 4-way handshake; during this 4-way handshake the AC does not send GTK information to the STA. Referring to Fig. 5, the process includes the following steps:
Step 501: the AC sends message 1 to the STA;
Message 1 contains a random value A-nonce. It is the first message of the four-way handshake and is identical to the existing four-way handshake message (4-Way Handshake Message), so it is not repeated here.
In this embodiment, the STA returns some authentication information to the AC according to the A-nonce; this is prior art and is not repeated here.
A nonce is a random value used to guard against replay attacks; A-nonce denotes the random number sent by the AC to the STA.
Step 502: the STA sends message 2 to the AC via the AP;
Message 2 contains the STA's MAC address, a message authentication code MIC and S-nonce, where the MIC is a message authentication code that protects message 2 from tampering and S-nonce denotes the random number sent by the STA to the AC. Likewise, message 2 is the second message of the four-way handshake and is identical to the existing four-way handshake message (4-Way Handshake Message), so it is not repeated here.
In this embodiment, the AC computes the PTK (Pairwise Transient Key) from the STA's MAC address and S-nonce in message 2 together with the AC's MAC address and A-nonce, computes a MIC from the PTK, and compares the computed MIC with the MIC in message 2 to verify whether the STA is legitimate; this can be realized by means of the prior art and is not repeated here.
In this embodiment, if the verification result is that the computed MIC is identical to the MIC in message 2, the STA is legitimate.
Step 503: the AC sends message 3 to the STA via the AP;
Message 3 contains the AC's MIC check value and the AC's encryption state. Likewise, message 3 is the third message of the four-way handshake; the third message indicates that the AC has checked whether the STA knows the PMK, and notifies the STA that the AC is ready to install and use the data encryption key. It is identical to the existing four-way handshake message (4-Way Handshake Message) and is not repeated here.
In this embodiment, the STA compares the MIC check value in message 3 with its own MIC to determine whether the AC is a trustworthy party, and determines from the AC's encryption state in message 3 whether the AC is ready to install and use the data encryption key.
Step 504: the STA sends message 4 to the AC via the AP;
Message 4 contains key confirmation information. Likewise, message 4 is the fourth message of the four-way handshake and is identical to the existing four-way handshake message (4-Way Handshake Message), so it is not repeated here.
In this embodiment, the AC determines from message 4 that the key is ready to be installed and starts encryption, and at the same time determines from message 4 that the handshake procedure has ended.
Step 303: after message authentication succeeds, the access control point AC issues the PTK to the VAP; the VAP saves the PTK information for encrypting and decrypting unicast messages and at the same time starts the GTK update.
In this embodiment, the pairwise temporary key PTK computed through the 4-way handshake between the STA and the AC is sent by the AC to the VAP; after the VAP receives the PTK, it starts the group temporary key update process.
In this embodiment, the VAP starting the GTK update can be realized by a two-way handshake. Continuing to refer to Fig. 5, the process includes:
Step 505: the AP sends message 5 to the STA;
Message 5 contains the group temporary key; it is group key handshake message 1 (Group Key Handshake Message 1).
In this embodiment, the AP issues the group temporary key at VAP granularity, that is, within the range of a VAP the group temporary key is issued to all online STAs in that VAP's range.
Step 506: the STA sends message 6 to the AP;
Message 6 is the response to message 5; it is group key handshake message 2 (Group Key Handshake Message 2).
In this embodiment, after receiving the group temporary key the STA performs the group temporary key update and returns the information that the update has completed to the AP via message 6.
In this embodiment, the messages of the handshake procedure can be EAPOL-Key (Extensible Authentication Protocol over LAN - Key) messages, whose format is the same as the existing EAPOL-Key message format and includes the fields: descriptor type, key information, key length, replay counter, key nonce, EAPOL-Key IV, key starting sequence (Key RSC), key identifier, key MIC (16 bytes), key data length (2 bytes) and key data. A descriptor type field of 254 indicates that the message is a WPA1 message, and a descriptor type of 2 indicates that it is a WPA2 message. The key information field contains several sub-fields that give the key type and information on how the key is used, as well as various control bits related to the handshake procedure. The key length field gives the key length in bytes, mainly for the pairwise key: although the actual PTK is not sent in this key frame, this is the length of the PTK, which is the target key. The value of the replay counter field increases with each message so as to detect any attempt to replay an old message; the exception is when the message is the response to an ACK request, in which case the counter value of the message being replied to is inserted into this field. The current value of the key nonce field is used to derive the pairwise temporary key and the group key. The EAPOL-Key IV field is used for the transmission of the group key: the GTK is encrypted with the EAPOL-Key encryption key together with this IV value, and the encrypted GTK is placed in the key data area. The key starting sequence field is the sequence number expected for the first frame received after the key is installed; this sequence number is used to prevent replay attacks. The key identifier field is not used in WPA; in future it may be used to allow multiple keys to be set up in advance. The key MIC field is an integrity check value computed over the range from the EAPOL protocol version field to the end of the key material (during the computation this field is set to 0). The key data length field defines the length of the key data field in bytes; the key data field can differ from the actual key itself. The key data field is the data that needs to be transmitted secretly; for example, in the case of the group key, this is the encrypted GTK, and in some pairwise key message states this field carries an information element.
The key information field is explained in Table 1:
Table 1
Bits 0-3: currently unused, set to 0
Bits 4-9: control bits for the different phases of the handshake
Bits 10-11: key index, indicating the index of the key in the case of a group key. This allows a new group key to be installed and updated later; the index position of the new group key differs from the index position of the current group key
Bit 12: key type, distinguishing pairwise key messages from group key messages
Bits 13-15: version flags, allowing different schemes and key encryption methods to be used in future
The meaning of bits 4 to 9 is as shown in the table
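The EAPOL-Key format and key information layout described above, as an added example (not code from the patent or from Huawei). The key information bits follow Table 1's numbering, with bit 0 as the most significant bit of the 16-bit field; the field sizes, EAPOL packet type 3 for EAPOL-Key, the "key type bit set = pairwise, clear = group" convention and HMAC-SHA1 truncated to 16 bytes for the MIC are assumptions taken from the 802.11i key descriptor rather than from the page, and the KCK, nonces and key data are constructed test values.

```python
"""EAPOL-Key frame build/parse with the key information bits of Table 1."""
import hashlib
import hmac
import struct

EAPOL_HDR = struct.Struct("!BBH")                 # protocol version, packet type, body length
KEY_FIXED = struct.Struct("!BHHQ32s16s8s8s16sH")  # descriptor type .. key data length
MIC_OFFSET = EAPOL_HDR.size + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8   # where the key MIC field starts
MIC_LEN = 16
EAPOL_KEY_TYPE = 3     # assumption: EAPOL packet type for EAPOL-Key


def _bits(value, first, last):
    """Bits first..last (inclusive) of a 16-bit field, numbered MSB-first as in Table 1."""
    shift = 15 - last
    return (value >> shift) & ((1 << (last - first + 1)) - 1)


def decode_key_info(value):
    """Split the key information field into the sub-fields Table 1 lists."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("key information is a 16-bit field")
    return {
        "reserved": _bits(value, 0, 3),    # bits 0-3: currently unused, set to 0
        "control": _bits(value, 4, 9),     # bits 4-9: handshake phase control bits
        "key_index": _bits(value, 10, 11),  # bits 10-11: group key index slot
        "key_type": _bits(value, 12, 12),  # bit 12; assumption: 1 = pairwise, 0 = group
        "version": _bits(value, 13, 15),   # bits 13-15: version flags
    }


def encode_key_info(version, key_type, key_index, control):
    """Inverse of decode_key_info for the same MSB-first layout."""
    return (control << 6) | (key_index << 4) | (key_type << 3) | version


def compute_mic(kck, frame):
    """MIC from the EAPOL version field to the end of the frame, MIC field zeroed (as the page states)."""
    zeroed = frame[:MIC_OFFSET] + b"\0" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]   # assumption: HMAC-SHA1-128


def build_eapol_key(kck, desc_type, key_info, replay, nonce, iv, key_data, key_length=16):
    """Build a complete EAPOL-Key frame; key_data carries the encrypted GTK for a group key message."""
    body = KEY_FIXED.pack(desc_type, key_info, key_length, replay, nonce, iv,
                          b"\0" * 8, b"\0" * 8, b"\0" * MIC_LEN, len(key_data)) + key_data
    frame = EAPOL_HDR.pack(2, EAPOL_KEY_TYPE, len(body)) + body
    return frame[:MIC_OFFSET] + compute_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def parse_eapol_key(kck, frame, last_replay, is_reply=False):
    """Validate and decode a received EAPOL-Key frame.

    The replay counter must increase on every new message; a reply instead echoes
    the counter of the message it answers (the exception the page describes)."""
    version, ptype, body_len = EAPOL_HDR.unpack_from(frame)
    if ptype != EAPOL_KEY_TYPE:
        raise ValueError("not an EAPOL-Key packet")
    body = frame[EAPOL_HDR.size:EAPOL_HDR.size + body_len]
    if len(body) < KEY_FIXED.size:
        raise ValueError("truncated EAPOL-Key body")
    (desc, kinfo, klen, replay, nonce, iv,
     rsc, key_id, mic, data_len) = KEY_FIXED.unpack_from(body)
    key_data = body[KEY_FIXED.size:KEY_FIXED.size + data_len]
    if len(key_data) != data_len:
        raise ValueError("truncated key data")
    if (replay != last_replay) if is_reply else (replay <= last_replay):
        raise ValueError("replay counter check failed")
    if not hmac.compare_digest(mic, compute_mic(kck, frame)):
        raise ValueError("bad key MIC")
    info = decode_key_info(kinfo)
    return {
        "standard": {254: "WPA1", 2: "WPA2"}.get(desc, "unknown"),  # descriptor type, per the page
        "is_group_key_message": info["key_type"] == 0,
        "key_index": info["key_index"],
        "replay": replay,
        "key_data": key_data,
        "info": info,
    }
```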
Fig. 6 is the flow chart of the method provided by the embodiment of the present invention in which the AP, on the active request of a STA, performs a group key update for all STAs within the range of the VAP that STA has accessed. Referring to Fig. 6, the method includes:
Step 601: the AP receives a group temporary key update request from the STA; bit 12 of the key information field in Table 1 is used to indicate whether it is a group key update message;
Step 602: the AP updates the group temporary key of the VAP the STA has accessed;
The AP can find the VAP the STA is associated with from the MAC address information in the group temporary key update request message, and then look up the corresponding group temporary key by the VAP. The group temporary key stored locally in correspondence with the VAP identifier was computed and saved by the AP itself before the group temporary key update request was received; the method of computing the group temporary key is prior art and is not repeated here.
Step 603: the AP sends the updated group temporary key message to all online STAs within the range of the VAP the STA has accessed.
Fig. 7 is the flow chart of the method provided by the embodiment of the present invention in which, when a STA goes offline normally, the AP performs a group key update for all STAs within the range of the VAP the STA originally accessed. Referring to Fig. 7, the method includes:
Step 701: the AP receives a disassociation request from the STA: after the STA leaves the VAP, it sends a disassociation message to the AP; after receiving the message, the AP first deletes the STA's information on the AP, then notifies the AC to delete the STA information saved before, such as the STA's MAC, VAP, SSID etc.;
Step 702: the AP updates the group temporary key of the VAP the STA originally accessed;
The AP can find the VAP the STA is associated with from the MAC address information in the disassociation request message, and then look up the corresponding group temporary key by the VAP. The group temporary key stored locally in correspondence with the VAP identifier was computed and saved by the AP itself before the group temporary key update request was received; the method of computing the group temporary key is prior art and is not repeated here.
Step 703: the AP sends the updated group temporary key message to the STAs within the range of the VAP the STA originally accessed.
Thus, the AP triggers the update of the group temporary key of the STAs within the range of the VAP.
Fig. 8 is the flow chart of the method provided by the embodiment of the present invention in which, when a STA goes offline abnormally, the AP performs a group key update for all STAs within the range of the VAP the STA originally accessed. Referring to Fig. 8, the method includes:
Step 801: the AP detects whether the STA is offline;
In this embodiment, the AP can detect whether the STA is offline from the message traffic.
Step 802: the AP periodically checks whether the corresponding STA has traffic statistics on the AP chip, where the statistics are counted on the chip by STA MAC; if it detects that the STA has no traffic, it considers the STA offline, and the AP then updates the group temporary key of the VAP the STA originally accessed;
Step 803: the AP sends the updated group temporary key message to all online STAs within the range of the VAP the STA originally accessed.
Thus, the AP triggers the update of the group temporary key of the STAs within the range of the VAP.
Fig. 9 is the flow chart of a method provided in an embodiment of the present invention in which, when a STA roams, the AP performs a group key update for all STAs within the VAP that the STA originally accessed. Referring to Fig. 9, the method includes:
Step 901: The AP receives a disassociation request or a deauthentication request from a STA;
In this embodiment, the STA has left the old VAP and authenticates with a new VAP; it sends a disassociation request or a deauthentication request to the old VAP.
Step 902: The AP updates the group temporary key of the VAP that the STA originally accessed;
In this embodiment, after the old VAP receives the disassociation or deauthentication request, it triggers a group key update for the STAs within this VAP.
The AP can find the VAP with which the STA was associated according to the MAC address information in the disassociation or deauthentication request, and then look up the corresponding group temporary key according to the VAP. This group temporary key is the one that the AP, after receiving the group temporary key update request, calculated itself and stored locally in correspondence with the VAP identifier; the method of calculating the group temporary key is prior art and is not repeated here.
Step 903: The AP sends the updated group temporary key in a message to the STAs within the VAP that the STA originally accessed.
Thus, the AP, acting as proxy for the AC, triggers the update of the group temporary key for the STAs within the VAP.
Figure 10 is the flow chart of a method provided in an embodiment of the present invention in which the AP periodically updates the group key for all STAs within a VAP. Referring to Figure 10, the method includes:
Step 1001: Periodically update the group temporary key;
Step 1002: Send the updated group temporary key in a message to the STAs within the VAP.
With the method of this embodiment, the AP, according to the group key update proxy request from the AC, performs the group temporary key update within the VAP in place of the AC when an update is needed. Because the whole update process no longer requires the participation of the AC, the processing load of the AC is reduced; and because the scope of the update drops from the ESS level to the VAP level, the scope of the update is reduced, which reduces the traffic of the whole network system and alleviates system oscillation.
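The AP-side logic of steps 801 to 803, 901 to 903 and 1001 to 1002, as an added illustration that is not part of the patent: an AP split into VAPs keeps one group temporary key per VAP, marks a STA offline when its per-MAC traffic counter has not moved since the last poll or when it sends a disassociation or deauthentication request, and then rekeys only the affected VAP, delivering the new key only to STAs still online in that VAP. The key derivation is replaced by random bytes, and the station, VAP and method names are this example's own assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Station:
    mac: str
    vap: str
    online: bool = True
    tx_bytes: int = 0  # stands in for the on-chip per-MAC traffic statistics


class AccessPoint:
    """AP divided into VAPs, each holding its own group temporary key (GTK)."""

    def __init__(self, vaps):
        self.gtk = {vap: self._new_gtk() for vap in vaps}
        self.stations = {}          # mac -> Station
        self.last_seen = {}         # mac -> tx_bytes observed at the previous poll
        self.deliveries = []        # (vap, [macs that received the new GTK])

    @staticmethod
    def _new_gtk():
        # Constructed stand-in for the real GTK computation (prior art, not modeled).
        return secrets.token_bytes(16)

    def associate(self, mac, vap):
        self.stations[mac] = Station(mac, vap)
        self.last_seen[mac] = -1    # never polled yet, so the first poll cannot flag it

    def account_traffic(self, mac, nbytes):
        self.stations[mac].tx_bytes += nbytes

    def rekey_vap(self, vap):
        # Steps 802/803: new key for this VAP only; only online STAs of this VAP get it,
        # so a departed STA can no longer decrypt the VAP's broadcast/multicast traffic
        # and STAs of other VAPs are left undisturbed.
        self.gtk[vap] = self._new_gtk()
        receivers = [s.mac for s in self.stations.values() if s.vap == vap and s.online]
        self.deliveries.append((vap, receivers))
        return self.gtk[vap]

    def poll_traffic(self):
        # Step 801/802: a STA whose counter did not move since the last poll is offline.
        rekeyed = set()
        for mac, sta in self.stations.items():
            if sta.online and sta.tx_bytes == self.last_seen[mac]:
                sta.online = False
                rekeyed.add(sta.vap)
            self.last_seen[mac] = sta.tx_bytes
        for vap in rekeyed:
            self.rekey_vap(vap)
        return rekeyed

    def on_disassoc_or_deauth(self, mac):
        # Steps 901-903: locate the STA's VAP by MAC and rekey that VAP.
        sta = self.stations.get(mac)
        if sta is None or not sta.online:
            return None
        sta.online = False
        self.rekey_vap(sta.vap)
        return sta.vap

    def periodic_rekey(self):
        # Steps 1001/1002: timer-driven update of every VAP's key.
        return {vap: self.rekey_vap(vap) for vap in self.gtk}

    def delivered_to(self, vap):
        last = [macs for v, macs in self.deliveries if v == vap]
        return last[-1] if last else None
```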
Figure 11 is a block diagram of an access device provided in an embodiment of the present invention. Referring to Figure 11, the device is divided into multiple virtual access points, and the device includes:
Detection unit 111, for detecting whether a specific virtual access point needs to update the group temporary key. Determining unit 112, for determining, when detection unit 111 detects that a specific virtual access point needs to update the group temporary key, the new group temporary key to be updated for the specific virtual access point.
Updating unit 113, for sending the new group temporary key to the online wireless stations within the specific virtual access point to perform the group temporary key update.
The access device further includes division unit 114, for dividing the access device into multiple virtual access points according to the service configuration request of the access controller. Detection unit 111 may specifically include a first detection module 1111 and a second detection module 1112, wherein:
First detection module 1111 is used to determine, when it detects according to the message traffic that a wireless station is offline, that the virtual access point to which the wireless station belongs needs to update the group temporary key.
Second detection module 1112 is used to determine, when it detects a disassociation request or a deauthentication request sent by a wireless station, that the virtual access point to which the wireless station belongs needs to update the group temporary key.
Updating unit 113 may also periodically send a new group temporary key to the wireless stations under a virtual access point.
Each part of the device of this embodiment is used to implement the corresponding steps of the methods in the preceding method embodiments; since each step has been described in detail in the method embodiments, it is not repeated here.
The device of this embodiment can be applied to an access point AP, which is not repeated here.
With the device of this embodiment, the AP, according to the group key update proxy request from the AC, performs the group temporary key update within the VAP in place of the AC when an update is needed. Because the whole update process no longer requires the participation of the AC, the processing load of the AC is reduced; and because the scope of the update drops from the ESS level to the VAP level, the scope of the update is reduced, which reduces the traffic of the whole network system and alleviates system oscillation.
Figure 12 is a block diagram of a communication system provided in an embodiment of the present invention. Referring to Figure 12, the system includes an access point (AP) 122 and wireless stations (STA) 123; AP 122 is divided into multiple virtual access points, wherein:
AP 122 is used for determining, when it detects that a specific virtual access point needs to update the group temporary key, the new group temporary key to be updated for the specific virtual access point, and for sending the determined new group temporary key to all online wireless stations within the specific virtual access point to perform the group temporary key update.
The system may further include an access controller (AC) 121. AC 121 is used to issue a service configuration request to AP 122, and AP 122 can divide itself into multiple virtual access points according to the service configuration request.
Specifically, AC 121 is used to issue the service configuration request and the group key update proxy request to AP 122. AP 122 is used to divide itself into multiple VAPs, such as VAP1 to VAPn, according to the service configuration request issued by AC 121, where n is a positive integer; each VAPi (1 ≤ i ≤ n) performs a group key update for the wireless stations within VAPi according to the issued group key update proxy request.
In this embodiment, the wireless stations STA are physically connected to access point 122; but because access point 122 is divided into multiple virtual access points, the wireless stations STA connected under access point 122 also belong to the respective virtual access points VAPi, that is, each virtual access point VAPi corresponds to multiple wireless stations.
In this embodiment, access point 122 may comprise the access device shown in Figure 11; since it has been described in detail in the explanation of Figure 11, it is not repeated here.
Wireless station 123 is used to receive the updated group temporary key issued by access point 122. In this embodiment, wireless station 123 is one of the wireless stations connected to access point 122 that belong to a certain virtual access point VAP; there may be several such stations, depending on the division of virtual access points on access point 122 and on the update request. For example, if access point 122 is divided into n virtual access points VAP, namely VAP1 to VAPn, and, according to the group key update proxy request of access controller 121, the group key needs to be updated for the STAs within VAP1, then access point 122 updates the group temporary key of VAP1 and issues it to the STAs within VAP1.
With the system of this embodiment, the AP, according to the group key update proxy request from the AC, performs the group temporary key update within the VAP in place of the AC when an update is needed. Because the whole update process no longer requires the participation of the AC, the processing load of the AC is reduced; and because the scope of the update drops from the ESS level to the VAP level, the scope of the update is reduced, which reduces the traffic of the whole network system and alleviates system oscillation.
Compared with the existing group temporary key update method, the methods, devices and systems provided in the embodiments of the present invention have the following advantages:
1. The location of group key management is changed: it is transferred from the AC to the AP, which greatly alleviates the burden on the AC under the thin-AC centralized-management network model;
2. The scope of the group key update is changed: it drops from the ESS level to the VAP level, which reduces the scope of the update, reduces the traffic of the whole network system, and alleviates system oscillation;
3. WPA is divided into the two standards WPA1 and WPA2, and the technical scheme of the embodiments of the present invention also optimizes the group key update flow of WPA2.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The specific embodiments described above further describe in detail the purpose, technical scheme and beneficial effects of the present invention. It should be understood that the foregoing is only specific embodiments of the present invention and is not intended to limit the scope of protection of the present invention; any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.

Claims (11)

    1. A WLAN group temporary key update method, characterized in that the method includes:
    An access point is divided into multiple virtual access points;
    The access point detects that a specific virtual access point needs to update the group temporary key, and determines the new group temporary key to be updated for the specific virtual access point;
    The access point sends the determined new group temporary key to all online wireless stations within the specific virtual access point to perform the group temporary key update.
    2. The method according to claim 1, characterized in that the step of determining the new group temporary key to be updated for the specific virtual access point includes:
    The access point calculates the new group temporary key to be updated for the specific virtual access point according to a locally configured key update policy.
    3. The method according to claim 1, characterized in that the method further includes: the access point receives the group temporary key of the virtual access point periodically issued by the access controller, and uses this group temporary key to update the mapping table from the service group identifier of the virtual access point to the group temporary key in the local database;
    The step of determining the new group temporary key to be updated for the specific virtual access point includes: the access point obtains the service group identifier of the specific virtual access point, and queries from the group temporary key mapping table the most recently updated group temporary key matching the service group identifier of the specific virtual access point as the new group temporary key.
    4. The method according to any one of claims 1 to 3, characterized in that:
    The access point detects according to the message traffic that a particular wireless station is offline, and determines that the virtual access point to which the wireless station belongs needs to update the group temporary key.
    5. The method according to any one of claims 1 to 3, characterized in that:
    The access point detects a disassociation request or a deauthentication request sent by a particular wireless station, and determines that the virtual access point to which the particular wireless station belongs needs to update the group temporary key.
    6. An access device, characterized in that the device is divided into multiple virtual access points, and the device includes:
    A detection unit, for detecting whether a specific virtual access point needs to update the group temporary key; a determining unit, for determining, when the detection unit detects that the specific virtual access point needs to update the group temporary key, the new group temporary key to be updated for the specific virtual access point;
    An updating unit, for sending the new group temporary key to all online wireless stations within the specific virtual access point to perform the group temporary key update.
    7. The device according to claim 6, characterized in that the detection unit specifically includes: a first detection module, for determining, when it detects according to the message traffic that a wireless station is offline, that the virtual access point to which the wireless station belongs needs to update the group temporary key.
    8. The device according to claim 7, characterized in that the detection unit further includes: a second detection module, for determining, upon detecting a disassociation request or a deauthentication request sent by a wireless station, that the virtual access point to which the wireless station belongs needs to update the group temporary key.
    9. The device according to claim 7, characterized in that the device further includes a division unit, which is used to divide the access device into multiple virtual access points according to the service configuration request of the access controller.
    10. A communication system, the system including an access point and wireless stations, the access point being connected to the wireless stations and being divided into multiple virtual access points, characterized in that:
    The access point is used for determining, when it detects that a specific virtual access point needs to update the group temporary key, the new group temporary key to be updated for the specific virtual access point, and for sending the determined new group temporary key to all online wireless stations within the specific virtual access point to perform the group temporary key update.
    11. The system according to claim 10, characterized in that the system further includes an access controller, for issuing a service configuration request and a group key update proxy request to the access point.
CN201080003437.0A 2010-01-08 2010-01-08 Method, apparatus and system for updating group transient key Active CN102217239B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2010/070062 WO2011082529A1 (en) 2010-01-08 2010-01-08 Method, apparatus and system for updating group transient key

Publications (2)

Publication Number Publication Date
CN102217239A true CN102217239A (en) 2011-10-12
CN102217239B CN102217239B (en) 2014-11-05
